HIGH · CVE-2025-54593 · CVSS 7.2

CVE-2025-54593: RCE in FreshRSS Self-Hosted RSS Aggregator

Platform: php
Component: freshrss
Fixed in: 1.26.3

AI Confidence: high · Source: NVD · EPSS 0.3% · Reviewed: May 2026

CVE-2025-54593 describes a Remote Code Execution (RCE) vulnerability in FreshRSS, a self-hostable RSS aggregator. An authenticated administrator can exploit this flaw to execute arbitrary code on the server, leading to potential data breaches and system compromise. This vulnerability impacts versions 1.26.1 and earlier, and a fix is available in version 1.26.2.

Impact and Attack Scenarios

Successful exploitation of CVE-2025-54593 allows an attacker to gain complete control over the FreshRSS server. By modifying the update URL to a malicious server, an administrator can trigger the execution of arbitrary code during the update process. This could involve downloading and executing a malicious script, enabling the attacker to steal sensitive data, including hashed passwords, deface the website, or establish a persistent backdoor. The blast radius extends to any data stored within the FreshRSS instance, and potentially to other systems accessible from the compromised server.

Exploitation Context

CVE-2025-54593 was publicly disclosed on 2025-08-01. There is currently no indication of active exploitation campaigns targeting this vulnerability. Public proof-of-concept (POC) code is not yet available, but the relatively straightforward nature of the exploit suggests that it is likely to emerge. The vulnerability has not been added to the CISA KEV catalog as of this writing.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.30% (53rd percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

CVSS v3.1 Base Score: 7.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: freshrss
Vendor: FreshRSS
Affected range: < 1.26.2 – < 1.26.2
Fixed in: 1.26.3

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-54593 is to immediately upgrade FreshRSS to version 1.26.2 or later. If upgrading is not immediately feasible, consider restricting administrator access to the FreshRSS instance and closely monitoring update logs for any suspicious activity. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to block requests with suspicious update URLs could provide an additional layer of defense. After upgrading, verify the fix by attempting an update and confirming that the server does not execute any unauthorized code.

How to fix

Upgrade FreshRSS to version 1.26.2 or later. This version fixes the remote code execution vulnerability. The update can be performed through the FreshRSS administration interface, or by downloading the latest release from the official website and replacing the files.

Frequently asked questions

What is CVE-2025-54593 — RCE in FreshRSS?

CVE-2025-54593 is a Remote Code Execution vulnerability affecting FreshRSS versions 1.26.1 and below. An authenticated administrator can execute arbitrary code by manipulating the update URL.

Am I affected by CVE-2025-54593 in FreshRSS?

You are affected if you are running FreshRSS version 1.26.1 or earlier. Upgrade to version 1.26.2 to mitigate the risk.

How do I fix CVE-2025-54593 in FreshRSS?

Upgrade FreshRSS to version 1.26.2 or later. If immediate upgrade is not possible, restrict administrator access and monitor update logs.

Is CVE-2025-54593 being actively exploited?

There is currently no confirmed evidence of active exploitation, but the vulnerability's simplicity suggests it may be targeted in the future.

Where can I find the official FreshRSS advisory for CVE-2025-54593?

Refer to the FreshRSS project's official website and security advisories for the latest information and updates regarding CVE-2025-54593.