CVE-2025-54875

216.73.216.36

· Published 29/09/2025 22:15 · Modified 30/09/2025 15:15

Labels: CVE-2025-54875 2025-09-29 CVE-2025-54875 CWE-284 [email protected]

Essential information

Published: 29/09/2025 22:15
Modified: 30/09/2025 15:15
Author: —
Creator: —
CVSS: 9.8 CRITICAL (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.16.0 and above through 1.26.3, an unprivileged attacker can create a new admin user when registration is enabled through the use of a hidden field used only in the user management admin page, new_user_is_admin. This is fixed in version 1.27.0.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
freshrss / freshrss	`cpe:2.3:a:freshrss:freshrss:1.16.0-1.26.3:::::::*`
freshrss / freshrss	`cpe:2.3:a:freshrss:freshrss:1.27.0:::::::*`