Draft a new security advisory online, or report security issues to alexandre@alapetite.fr (PGP public key if relevant).
Security: FreshRSS/FreshRSS
- Authentication bypass due to truncated bcrypt hash [edge branch] (GHSA-pcq9-mq6m-mvmp), published Mar 8, 2026 by Alkarex. Severity: Critical
- IDOR allows for viewing feeds of any user and leaking tokens when anonymous viewing of default user is enabled (GHSA-w743-fg6g-mhwh), published Mar 8, 2026 by Alkarex. Severity: High
- Weak cryptographic randomness in remember-me token and nonce generation (GHSA-j9wc-gwc6-p786), published Dec 26, 2025 by Alkarex. Severity: Low
- Globally deny access to feed via proxy modifying to 429 Retry-After (GHSA-qw34-frg7-gf78), published Dec 24, 2025 by Alkarex. Severity: Moderate
- Logout CSRF leads to DoS via <track src> (GHSA-w7f5-8vf9-f966), published Dec 18, 2025 by Alkarex. Severity: Moderate
- Authenticated RCE via path traversal inside include() (GHSA-6c8h-w3j5-j293), published Dec 15, 2025 by Alkarex. Severity: Critical
- Directory enumeration by setting path in theme field (GHSA-w35p-p867-qr4f), published Sep 27, 2025 by Alkarex. Severity: Low
- XSS due to lack of CSP on HTML query page (GHSA-rwhf-vjjx-gmm9), published Sep 27, 2025 by Alkarex. Severity: Moderate
- Unauthorized creation of admin user when registration is enabled (GHSA-h625-ghr3-jppq), published Sep 27, 2025 by Alkarex. Severity: Critical
- Unauthenticated users are able to read information about feeds/tags of the default user (GHSA-jf4v-f8p2-8xvq), published Sep 27, 2025 by Alkarex. Severity: High
Learn more about advisories related to FreshRSS/FreshRSS in the GitHub Advisory Database