QwikSec

Security Database

CVE

CWE

Training

CVE-2025-61586

Published: Sep 29, 2025

Modified: Sep 30, 2025

PUBLISHED

Description

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below are vulnerable to directory enumeration by setting path in theme field, allowing attackers to gain additional information about the server by checking if certain directories exist. This issue is fixed in version 1.27.0.

Vendor	Product	Versions
FreshRSS	FreshRSS	affected `< 1.27.0`

Weaknesses (CWE)

References

https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-w35p-p867-qr4f

x_refsource_CONFIRM

https://github.com/FreshRSS/FreshRSS/pull/7722

x_refsource_MISC

https://github.com/FreshRSS/FreshRSS/commit/6549932d59aef3b72a9da29294af0f30ffb77af5

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

CVE-2025-61586 - Security Vulnerability | QwikSec