CVE-2025-54875

Опубликовано: 29 сент. 2025

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 and above through 1.26.3, an unprivileged attacker can create a new admin user when registration is enabled through the use of a hidden field used only in the user management admin page, new_user_is_admin. This is fixed in version 1.27.0.

Ссылки

https://github.com/FreshRSS/FreshRSS/pull/7783
Patch
https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0
Release Notes
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-h625-ghr3-jppq
Exploit
Third Party Advisory
Vendor Advisory
https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-h625-ghr3-jppq
Exploit
Third Party Advisory
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:freshrss:freshrss:*:*:*:*:*:*:*:*

Версия от 1.16.0 (включая) до 1.27.0 (исключая)

EPSS

Процентиль: 29%

0.00103

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-284

NVD-CWE-noinfo

Связанные уязвимости