FreshRSS Clickjacking Vulnerability Leading to XSS and Privilege Escalation

Vulnerability

A clickjacking vulnerability has been identified in FreshRSS, a self-hosted RSS aggregator, affecting versions through 1.26.3. A specially crafted page can deceive a logged-in user into executing arbitrary JavaScript or promoting a user within FreshRSS. The issue arises because FreshRSS pages can be loaded in an iframe by another site, which can then obscure the interface elements the user is actually clicking. If a page on which the user is authenticated can be embedded this way, the result can be privilege escalation, by hiding the 'promote user' button in the admin interface under attacker-controlled content, or cross-site scripting (XSS), by manipulating the UserJS text area.

Impact

Exploitation of this vulnerability could lead to cross-site scripting (XSS) or privilege escalation, depending on which interface element the attacker targets.

Remediation

Users can upgrade to FreshRSS version 1.27.0 to address this vulnerability.
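The precondition for this issue is that another origin can frame an authenticated FreshRSS page. The following check, an added example and not FreshRSS code, decides from a response's headers whether third-party framing is blocked (CSP frame-ancestors takes precedence over X-Frame-Options); the header sets in SAMPLE_RESPONSES are constructed for illustration, not captured from FreshRSS.

```python
"""Check whether HTTP response headers stop other origins from framing a page.
Added example (not FreshRSS code); the header sets below are constructed."""

# Sources in frame-ancestors that let any site frame the page.
PERMISSIVE = ("*", "http:", "https:", "data:")

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def framing_blocked(headers):
    """Return True if third-party pages cannot embed this response in an iframe.

    Browsers honour CSP frame-ancestors over X-Frame-Options when both are
    present, so CSP is evaluated first. A frame-ancestors list counts as safe
    only if no source is a wildcard or a bare scheme.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:  # an empty list behaves like 'none'
            return not any(s in PERMISSIVE or "*" in s for s in ancestors)
    # Only DENY and SAMEORIGIN are honoured by current browsers; the old
    # ALLOW-FROM form is ignored, so it does not count as protection.
    xfo = lower.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")

# Constructed header sets illustrating common outcomes.
SAMPLE_RESPONSES = {
    "no-anti-framing": {"Content-Type": "text/html"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-wildcard-overrides-xfo": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors *",
    },
    "csp-without-frame-ancestors": {"Content-Security-Policy": "default-src 'self'"},
}

def audit(samples=SAMPLE_RESPONSES):
    """Map each sample name to whether it blocks third-party framing."""
    return {name: framing_blocked(h) for name, h in samples.items()}

if __name__ == "__main__":
    for name, ok in audit().items():
        print(f"{name:30} {'blocked' if ok else 'FRAMEABLE'}")
```

A page that reports FRAMEABLE while serving an authenticated session is exposed to the class of attack described above, regardless of FreshRSS version.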

Added: Sep 29, 2025, 10:20 PM
Updated: Sep 29, 2025, 10:20 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.7
exploitability: 7.7
remediation: 7.7
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.