Under My Watch
Search
More
Recently published
Recently updated
Known Exploited Vulnerabilities
Ranked by EPSS
Browse by Year
CVE-2025-31136
Public Exploit
FreshRSS vulnerable to Cross-site Scripting by
'ing a vulnerable same-origin page in a feed entry</div> </header> <section class=card> <div class=card-header> <h2 class="text-lg font-semibold text-gray-900 dark:text-white">Description</h2> </div> <div class="card-content p-6"> <p class>FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to run arbitrary JavaScript on the feeds page. This occurs by combining a cross-site scripting (XSS) issue that occurs in `f.php` when SVG favicons are downloaded from an attacker-controlled feed containing `<script>` tags inside of them that aren't sanitized, with the lack of CSP in `f.php` by embedding the malicious favicon in an iframe (that has `sandbox="allow-scripts allow-same-origin"` set as its attribute). An attacker needs to control one of the feeds that the victim is subscribed to, and also must have an account on the FreshRSS instance. Other than that, the iframe payload can be embedded as one of two options. The first payload requires user interaction (the user clicking on the malicious feed entry) with default user configuration, and the second payload fires instantly right after the user adds the feed or logs into the account while the feed entry is still visible. This is because of lazy image loading functionality, which the second payload bypasses. An attacker can gain access to the victim's account by exploiting this vulnerability. If the victim is an admin it would be possible to delete all users (cause damage) or execute arbitrary code on the server by modifying the update URL using fetch() via the XSS. Version 1.26.2 has a patch for the issue.</p> </div> </section> <section class=card> <div class=card-header> <h2 class="text-lg font-semibold text-gray-900 dark:text-white">Category</h2> </div> <div class="card-content p-6"> <div class="grid grid-cols-1 gap-2" data-accordion=collapse data-active-classes="bg-white dark:bg-gray-800 text-gray-900 dark:text-white" data-inactive-classes="text-gray-500 dark:text-gray-400"> <h3 id=accordion-cwe-heading-1> <button type=button class="text-secondary flex w-full items-center justify-between text-left font-medium" data-accordion-target=#accordion-cwe-CWE-79-body aria-expanded=false aria-controls=accordion-cwe-CWE-79-body> <span>CWE-79 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</span> <svg data-accordion-icon class="h-3 w-3 shrink-0 rotate-180" aria-hidden=true xmlns=http://www.w3.org/2000/svg fill=none viewbox="0 0 10 6"> <path stroke=currentColor stroke-linecap=round stroke-linejoin=round stroke-width=2 d="M9 5 5 1 1 5"/> </svg> </button> </h3> <div id=accordion-cwe-CWE-79-body class=hidden aria-labelledby=accordion-cwe-CWE-79> <div class="border-t border-gray-200 pt-3 dark:border-gray-700"> <p class="text-sm text-gray-500 dark:text-gray-400">The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.</p> </div> </div> </div> </div> </section> </div> <section class="card mt-14 items-stretch overflow-visible"> <div class="relative z-5 -mt-8 mb-8 flex w-full flex-col items-center"> <div id=cvss-colored-line class="absolute top-1/2 left-0 z-3 h-1 w-full rounded-t-lg"></div> <div class="relative z-5 flex h-16 w-32 items-center justify-center"> <div id=cvss-background-circle class="absolute h-32 w-32 rounded-full"></div> <div id=cvss-colored-circle class="absolute h-32 w-32 rounded-full"></div> <div class="bg-front absolute flex h-28 w-28 flex-col items-center justify-center rounded-full"> <span id=cvss-score class="text-3xl font-bold text-gray-500"> 6.7 </span> <div class="text-secondary text-xs">CVSS</div> </div> </div> </div> <div class=px-4> <div class=text-center>Severity: <span class="cvss-colored font-bold">Medium</span></div> </div> <div class="my-4 grid grid-cols-2 gap-2 px-4 text-center"> <div> <div data-tooltip-target=tooltip-cvss-3.1 data-cvss=6.7 class="badge-cvss me-2 inline-block rounded-sm px-2.5 py-0.5 text-sm font-light"> CVSS 3.1 • </div> <div id=tooltip-cvss-3.1 role=tooltip class="tooltip invisible absolute z-10 inline-block rounded-lg bg-gray-900 px-3 py-2 text-sm font-medium text-white opacity-0 shadow-xs transition-opacity duration-300 dark:bg-gray-700"> CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L <div class=tooltip-arrow data-popper-arrow></div> </div> </div> </div> <div class="grid grid-cols-1 gap-2 p-4"> <div class="flex items-center gap-2"> <span class=font-semibold>EPSS</span> <svg data-tooltip-target=tooltip-epss xmlns=http://www.w3.org/2000/svg class="h-4 w-4" fill=currentColor viewbox="0 0 256 256"> <path d=M142,176a6,6,0,0,1-6,6,14,14,0,0,1-14-14V128a2,2,0,0,0-2-2,6,6,0,0,1,0-12,14,14,0,0,1,14,14v40a2,2,0,0,0,2,2A6,6,0,0,1,142,176ZM124,94a10,10,0,1,0-10-10A10,10,0,0,0,124,94Zm106,34A102,102,0,1,1,128,26,102.12,102.12,0,0,1,230,128Zm-12,0a90,90,0,1,0-90,90A90.1,90.1,0,0,0,218,128Z></path> </svg> <div id=tooltip-epss role=tooltip class="tooltip invisible absolute z-10 inline-block rounded-lg bg-gray-900 px-3 py-2 text-sm font-medium text-white opacity-0 shadow-xs transition-opacity duration-300 dark:bg-gray-700"> Probability of exploitation activity in the next 30 days. <div class=tooltip-arrow data-popper-arrow></div> </div> <span>0.04%</span> </div> </div> <div class="grid grid-cols-1 p-4 lg:grid-cols-2"> <span> <span class="inline bg-gradient-to-r from-amber-500 to-pink-400 bg-clip-text font-semibold text-transparent"> Vendor Advisory </span> </span> <span class=text-right> <a href=https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-f6r4-jrvc-cfmr target=_blank rel="noopener noreferrer nofollow" class="inline-flex items-center gap-2"> github.com <svg xmlns=http://www.w3.org/2000/svg class="text-secondary inline h-4 w-4" fill=currentColor viewbox="0 0 256 256"> <path d=M222,104a6,6,0,0,1-12,0V54.49l-69.75,69.75a6,6,0,0,1-8.48-8.48L201.51,46H152a6,6,0,0,1,0-12h64a6,6,0,0,1,6,6Zm-38,26a6,6,0,0,0-6,6v72a2,2,0,0,1-2,2H48a2,2,0,0,1-2-2V80a2,2,0,0,1,2-2h72a6,6,0,0,0,0-12H48A14,14,0,0,0,34,80V208a14,14,0,0,0,14,14H176a14,14,0,0,0,14-14V136A6,6,0,0,0,184,130Z></path> </svg> </a> </span> </div> <div class="card-content border-top mt-2 grid grid-cols-1 gap-2 p-4 text-sm"> <div><span class=font-semibold>Affected:</span> FreshRSS FreshRSS</div> </div> <div class="card-content border-top text-secondary grid grid-cols-2 p-4 text-sm"> <div data-tooltip-target=tooltip-published class="smartdate flex items-center justify-center gap-1" data-format=date data-datetime=2025-06-04T19:42:15.077000+00:00> <span class=sr-only>Published at:</span> <svg xmlns=http://www.w3.org/2000/svg class="h-4 w-4" fill=currentColor viewbox="0 0 256 256"> <path d=M208,34H182V24a6,6,0,0,0-12,0V34H86V24a6,6,0,0,0-12,0V34H48A14,14,0,0,0,34,48V208a14,14,0,0,0,14,14H208a14,14,0,0,0,14-14V48A14,14,0,0,0,208,34ZM48,46H74V56a6,6,0,0,0,12,0V46h84V56a6,6,0,0,0,12,0V46h26a2,2,0,0,1,2,2V82H46V48A2,2,0,0,1,48,46ZM208,210H48a2,2,0,0,1-2-2V94H210V208A2,2,0,0,1,208,210Zm-50-58a6,6,0,0,1-6,6H134v18a6,6,0,0,1-12,0V158H104a6,6,0,0,1,0-12h18V128a6,6,0,0,1,12,0v18h18A6,6,0,0,1,158,152Z></path> </svg> </div> <div id=tooltip-published role=tooltip class="tooltip invisible absolute z-10 inline-block rounded-lg bg-gray-900 px-3 py-2 text-sm font-medium text-white opacity-0 shadow-xs transition-opacity duration-300 dark:bg-gray-700"> Published at:<br>2025-06-04T19:42:15.077000+00:00 <div class=tooltip-arrow data-popper-arrow></div> </div> <div data-tooltip-target=tooltip-updated class="smartdate flex items-center justify-center gap-1" data-format=timeago data-datetime=2025-06-10T15:08:13.370000+00:00> <span class=sr-only>Updated at:</span> <svg xmlns=http://www.w3.org/2000/svg class="h-4 w-4" fill=currentColor viewbox="0 0 256 256"> <path d=M134,80v44.6l37.09,22.25a6,6,0,0,1-6.18,10.3l-40-24A6,6,0,0,1,122,128V80a6,6,0,0,1,12,0Zm90-22a6,6,0,0,0-6,6V87.36c-7.48-8.83-14.94-17.13-23.53-25.83a94,94,0,1,0-1.95,134.83,6,6,0,0,0-8.24-8.72A82,82,0,1,1,186,70c9.24,9.36,17.18,18.3,25.31,28H184a6,6,0,0,0,0,12h40a6,6,0,0,0,6-6V64A6,6,0,0,0,224,58Z></path> </svg> </div> <div id=tooltip-updated role=tooltip class="tooltip invisible absolute z-10 inline-block rounded-lg bg-gray-900 px-3 py-2 text-sm font-medium text-white opacity-0 shadow-xs transition-opacity duration-300 dark:bg-gray-700"> Last updated at:<br>2025-06-10T15:08:13.370000+00:00 <div class=tooltip-arrow data-popper-arrow></div> </div> </div> </section> </div> <section class=card> <div class=card-header> <h2 class="text-lg font-semibold text-gray-900 dark:text-white">References</h2> </div> <div class=p-6> <div class="max-w-full overflow-hidden"> <table class="w-full table-fixed text-left text-sm text-gray-500 rtl:text-right dark:text-gray-400"> <thead class="bg-gray-50 text-xs text-gray-700 uppercase dark:bg-gray-700 dark:text-gray-400"> <tr> <th scope=col class="w-3/4 px-6 py-3">Link</th> <th scope=col class="w-1/4 px-6 py-3">Tags</th> </tr> </thead> <tbody> <tr class="border-b border-gray-200 bg-white dark:border-gray-700 dark:bg-gray-800"> <td class="flex items-center gap-1 overflow-hidden px-6 py-3 whitespace-nowrap"> <a href=https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-f6r4-jrvc-cfmr target=_blank rel="noopener noreferrer nofollow" class=truncate> https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-f6r4-jrvc-cfmr </a> <svg xmlns=http://www.w3.org/2000/svg class="text-secondary h-4 w-4 shrink-0" fill=currentColor viewbox="0 0 256 256"> <path d=M222,104a6,6,0,0,1-12,0V54.49l-69.75,69.75a6,6,0,0,1-8.48-8.48L201.51,46H152a6,6,0,0,1,0-12h64a6,6,0,0,1,6,6Zm-38,26a6,6,0,0,0-6,6v72a2,2,0,0,1-2,2H48a2,2,0,0,1-2-2V80a2,2,0,0,1,2-2h72a6,6,0,0,0,0-12H48A14,14,0,0,0,34,80V208a14,14,0,0,0,14,14H176a14,14,0,0,0,14-14V136A6,6,0,0,0,184,130Z></path> </svg> </td> <td class="px-6 py-3"> <span class="me-2 inline-block rounded-full bg-gray-100 px-2.5 py-0.5 text-xs font-medium whitespace-nowrap text-gray-800 dark:bg-gray-700 dark:text-gray-300">vendor advisory</span> <span class="me-2 inline-block rounded-full bg-gray-100 px-2.5 py-0.5 text-xs font-medium whitespace-nowrap text-gray-800 dark:bg-gray-700 dark:text-gray-300">exploit</span> </td> </tr> <tr class="border-b border-gray-200 bg-white dark:border-gray-700 dark:bg-gray-800"> <td class="flex items-center gap-1 overflow-hidden px-6 py-3 whitespace-nowrap"> <a href=https://github.com/FreshRSS/FreshRSS/commit/426e3054c237c2b98667ebeacbbdb5caa88e7b1f target=_blank rel="noopener noreferrer nofollow" class=truncate> https://github.com/FreshRSS/FreshRSS/commit/426e3054c237c2b98667ebeacbbdb5caa88e7b1f </a> <svg xmlns=http://www.w3.org/2000/svg class="text-secondary h-4 w-4 shrink-0" fill=currentColor viewbox="0 0 256 256"> <path d=M222,104a6,6,0,0,1-12,0V54.49l-69.75,69.75a6,6,0,0,1-8.48-8.48L201.51,46H152a6,6,0,0,1,0-12h64a6,6,0,0,1,6,6Zm-38,26a6,6,0,0,0-6,6v72a2,2,0,0,1-2,2H48a2,2,0,0,1-2-2V80a2,2,0,0,1,2-2h72a6,6,0,0,0,0-12H48A14,14,0,0,0,34,80V208a14,14,0,0,0,14,14H176a14,14,0,0,0,14-14V136A6,6,0,0,0,184,130Z></path> </svg> </td> <td class="px-6 py-3"> <span class="me-2 inline-block rounded-full bg-gray-100 px-2.5 py-0.5 text-xs font-medium whitespace-nowrap text-gray-800 dark:bg-gray-700 dark:text-gray-300">patch</span> </td> </tr> </tbody> </table> </div> </div> </section> <section class=card> <div class=card-header> <h2 class="text-lg font-semibold text-gray-900 dark:text-white">Frequently Asked Questions</h2> </div> <div class=p-6> <dl class="divide-y divide-gray-200 text-gray-900 dark:divide-gray-700 dark:text-white"> <div class="flex flex-col pb-3"> <dt class="mb-1 font-semibold text-gray-500 md:text-lg dark:text-gray-400">What is the severity of CVE-2025-31136?</dt> <dd class> CVE-2025-31136 has been scored as a <span class=cvss-colored>medium</span> severity vulnerability. </dd> </div> <div class="flex flex-col py-3"> <dt class="mb-1 font-semibold text-gray-500 md:text-lg dark:text-gray-400">How to fix CVE-2025-31136?</dt> <dd class> To fix CVE-2025-31136, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available. </dd> </div> <div class="flex flex-col py-3"> <dt class="mb-1 font-semibold text-gray-500 md:text-lg dark:text-gray-400">Is CVE-2025-31136 being actively exploited in the wild?</dt> <dd class> It is possible that CVE-2025-31136 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days. </dd> </div> <div class="flex flex-col pt-3"> <dt class="mb-1 font-semibold text-gray-500 md:text-lg dark:text-gray-400">What software or system is affected by CVE-2025-31136?</dt> <dd class>CVE-2025-31136 affects FreshRSS FreshRSS.</dd> </div> </dl> </div> </section> </div> <div class="border-top mx-auto my-20 max-w-screen-sm rounded-lg"></div> <div class="mx-auto mb-10 max-w-screen-xl px-4"> <ul class="flex flex-wrap items-center justify-center space-x-4"> <li><a class=text-secondary href=/about>About</a></li> <li><a class=text-secondary href=/terms>Terms of Use</a></li> <li><a class=text-secondary href=/privacy>Privacy Policy</a></li> </ul> <div class="text-muted mt-4 text-xs"> This platform uses data from the <a href=http://nvd.nist.gov/ target=_blank rel="noopener noreferrer nofollow" class="text-muted font-bold">NIST NVD</a>, <a href=http://cve.mitre.org/ target=_blank rel="noopener noreferrer nofollow" class="text-muted font-bold">MITRE CVE</a>, <a href=http://cwe.mitre.org/ target=_blank rel="noopener noreferrer nofollow" class="text-muted font-bold">MITRE CWE</a>, <a href=https://www.first.org/epss/ target=_blank rel="noopener noreferrer nofollow" class="text-muted font-bold">First.org</a> and <a href=https://www.cisa.gov/known-exploited-vulnerabilities-catalog target=_blank rel="noopener noreferrer nofollow" class="text-muted font-bold">CISA KEV</a> but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. </div> <div class="text-secondary mt-4 text-xs">© 2025 Under My Watch. All Rights Reserved.</div> </div> <script src=/static/bundle.js></script> <script src=https://cdn.jsdelivr.net/npm/flowbite@3.1.2/dist/flowbite.min.js integrity="sha512-2BLyJtjYu+hH3j3qJVPeCmJ30uvZqSdSOusGQqCrB6Ylfc71lENbkJt6WWYzPI3PA6eYV5cet5e30EZMIiMiGQ==" crossorigin=anonymous referrerpolicy=no-referrer></script> </body> </html>