Home > Vulnerability Database > CVE-2025-57769

Mend.io Vulnerability Database

CVE-2025-57769

Good to know:

Date: September 29, 2025

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below contain a vulnerability where a specially crafted page can trick a user into executing arbitrary JS code or promoting a user in FreshRSS by obscuring UI elements in iframes. If embedding an authenticated iframe is possible, this may lead to privilege escalation via obscuring the promote user button in the admin UI or XSS by tricking the user to drag content into the UserJS text area. This is fixed in version 1.27.0

Severity Score

5.4

Related Resources (5)

Url: https://github.com/FreshRSS/FreshRSS/pull/7677

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-57769

Url: https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0

Url: https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-wm5p-7pr7-c8rw

Url: https://www.mend.io/vulnerability-database/CVE-2025-57769

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Restriction of Rendered UI Layers or Frames

CWE-1021

Top Fix

Upgrade Version

Upgrade to version https://github.com/FreshRSS/FreshRSS.git - 1.27.0

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-57769

Good to know:

Date: September 29, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?