CVE-2025-54592 · CRITICAL 9.8 · EPSS p37.8%

CVE-2025-54592

Description

FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout: after a user logs out, the session cookie remains active and unchanged, and the unchanged cookie could be reused by an attacker if a new session were to be started. This failure to invalidate the session can lead to session hijacking and session fixation vulnerabilities. This issue is fixed in version 1.27.0.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.48% probability of exploitation · percentile 37.8% · 2026-06-19T12:03:05Z
Published: 2025-09-29
Last modified: 2025-10-03

Underlying weaknesses (1)

CWE-613 (Insufficient Session Expiration)

References

  1. https://github.com/FreshRSS/FreshRSS/pull/7762
  2. https://github.com/FreshRSS/FreshRSS/releases/tag/1.27.0
  3. https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-42v4-65f8-5wgr


Type: Weakness · Target: Insufficient Session Expiration (CWE-613) · Confidence: 0% · Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-68932
  2. CVE-2025-54875
  3. CVE-2025-58173
  4. CVE-2025-54761
  5. CVE-2025-41429
  6. CVE-2025-26961

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.