CVE-2025-46339

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/FreshRSS/FreshRSS/commit/3776e1e48f33e80eb4b674bb64b419caf3b5a4e2", "name": "https://github.com/FreshRSS/FreshRSS/commit/3776e1e48f33e80eb4b674bb64b419caf3b5a4e2", "tags": ["Patch"], "refsource": ""}, {"url": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8f79-3q3w-43c4", "name": "https://github.com/FreshRSS/FreshRSS/security/advisories/GHSA-8f79-3q3w-43c4", "tags": ["Exploit", "Vendor Advisory"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to poison feed favicons by adding a given URL as a feed with the proxy set to an attacker-controlled one and disabled SSL verifying. The favicon hash is computed by hashing the feed URL and the salt, whilst not including the following variables: proxy address, proxy protocol, and whether SSL should be verified. Therefore it's possible to poison a favicon of a given feed by simply intercepting the response of the feed, and changing the website URL to one where a threat actor controls the feed favicon. Feed favicons can be replaced for all users by anyone. Version 1.26.2 fixes the issue."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-349"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2025-46339", "ASSIGNER": "security-advisories@github.com"}}, "impact": {}, "publishedDate": "2025-06-04T20:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:freshrss:freshrss:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.26.2"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-08-12T15:33Z"}