Vulnerabilities

CVE Alert: CVE-2025-31136

An Ad-Free Experience: No more interruptions like this.
Exclusive Perks: Access to special content.
Direct Support: Help us grow and improve by supporting our work directly.

June 5, 2025

Vulnerability Summary: CVE-2025-31136

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it’s possible to run arbitrary JavaScript on the feeds page. This occurs by combining a cross-site scripting (XSS) issue that occurs in `f.php` when SVG favicons are downloaded from an attacker-controlled feed containing `