
CVE-2025-31136: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in FreshRSS

Medium
Published: Wed Jun 04 2025 (06/04/2025, 19:42:15 UTC)
Source: CVE Database V5
Vendor/Project: FreshRSS
Product: FreshRSS

Description

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it's possible to run arbitrary JavaScript on the feeds page. This occurs by combining a cross-site scripting (XSS) issue that occurs in `f.php` when SVG favicons are downloaded from an attacker-controlled feed containing `<script>` tags inside of them that aren't sanitized, with the lack of CSP in `f.php` by embedding the malicious favicon in an iframe (that has `sandbox="allow-scripts allow-same-origin"` set as its attribute). An attacker needs to control one of the feeds that the victim is subscribed to, and also must have an account on the FreshRSS instance. Other than that, the iframe payload can be embedded as one of two options. The first payload requires user interaction (the user clicking on the malicious feed entry) with default user configuration, and the second payload fires instantly right after the user adds the feed or logs into the account while the feed entry is still visible. This is because of lazy image loading functionality, which the second payload bypasses. An attacker can gain access to the victim's account by exploiting this vulnerability. If the victim is an admin it would be possible to delete all users (cause damage) or execute arbitrary code on the server by modifying the update URL using fetch() via the XSS. Version 1.26.2 has a patch for the issue.

AI-Powered Analysis

Last updated: 07/06/2025, 21:41:00 UTC

Technical Analysis

CVE-2025-31136 is a cross-site scripting (XSS) vulnerability in FreshRSS, a popular self-hosted RSS feed aggregator, affecting versions prior to 1.26.2. It arises from improper sanitization of SVG favicons downloaded from attacker-controlled RSS feeds: the 'f.php' script, which serves the favicons, fails to neutralize malicious <script> tags embedded inside them. The flaw is compounded by the absence of a Content Security Policy (CSP) on 'f.php' responses and by the feed entry embedding the favicon in an iframe with the sandbox attributes 'allow-scripts allow-same-origin', which permits script execution inside the iframe while keeping the framed document's origin. An attacker must control an RSS feed that the victim subscribes to and must also hold an account on the FreshRSS instance. Two exploitation scenarios exist: one requiring user interaction (clicking the malicious feed entry) under default settings, and another that triggers immediately after the feed is added or the user logs in, by bypassing the lazy image loading that would otherwise defer the favicon request. Successful exploitation enables arbitrary JavaScript execution in the victim's browser, potentially allowing account takeover. If the victim is an administrator, the attacker could delete all users or execute arbitrary server-side code by manipulating the update URL via fetch() calls issued through the XSS. The vulnerability has a CVSS 3.1 score of 6.7 (medium severity), reflecting a network attack vector, high confidentiality and integrity impact, low availability impact, low required privileges and, in one scenario, user interaction. The issue was patched in FreshRSS version 1.26.2.

Potential Impact

For European organizations using FreshRSS instances, especially those self-hosting the service internally or for teams, this vulnerability poses a significant risk. An attacker controlling an RSS feed can execute arbitrary JavaScript in the context of authenticated users, leading to account compromise. For regular users, this could mean exposure of sensitive information such as feed subscriptions or personal data. For administrators, the impact escalates to potential deletion of all users or remote code execution on the server, which could lead to full system compromise, data loss, or lateral movement within the network. Given FreshRSS's role in aggregating external content, the attack surface includes any subscribed feeds, increasing the risk of supply chain style attacks. The lack of CSP and iframe sandboxing weaknesses exacerbate the threat. European organizations with compliance obligations under GDPR must consider the confidentiality breach implications and potential regulatory penalties. The medium CVSS score reflects the need for user interaction or feed control, but the severity of possible outcomes, especially for admins, is high.

Mitigation Recommendations

Organizations should immediately upgrade all FreshRSS instances to version 1.26.2 or later, where the vulnerability is patched. Administrators must audit subscribed feeds and remove any untrusted or suspicious sources to reduce exposure. Implementing strict Content Security Policies on the FreshRSS web interface can help mitigate script injection risks. Additionally, disabling or restricting iframe sandbox attributes that allow scripts and same-origin access can limit attack vectors. Monitoring user activity for unusual behavior, especially admin accounts, is advised. Employ network-level controls to restrict outbound connections from the FreshRSS server to untrusted sources, minimizing malicious feed injection. Regularly review and harden user permissions to limit the impact of compromised accounts. Finally, educate users about the risks of subscribing to untrusted feeds and the importance of cautious interaction with feed entries.
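The Description and Mitigation sections above point at two missing controls: feed-supplied SVG favicons are stored with their active content intact, and f.php serves them without a CSP. The following is an added defensive example, not FreshRSS code; the function names, header set and sample favicon are constructed for illustration.

```python
"""Defensive handling of feed-supplied SVG favicons: strip script-capable
content before the file is stored, and serve it with a CSP so that anything
that survives cannot reach the viewer's session. Constructed example."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that execute script, embed foreign documents or retarget hrefs.
ACTIVE_TAGS = {"script", "foreignObject", "use", "iframe", "embed",
               "object", "animate", "set"}
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}
JS_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I)
ET.register_namespace("", SVG_NS)  # keep the default namespace on output


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags/attributes."""
    return name.rsplit("}", 1)[-1]


def sanitize_svg(raw: bytes) -> bytes:
    """Return the favicon with active elements and attributes removed.
    Raises ValueError if the blob is not an <svg> document, so a non-SVG
    payload is never stored as an image. Use defusedxml in production to
    also guard against entity-expansion attacks on the parser."""
    root = ET.fromstring(raw)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    # Collect first, then remove, so the tree is not mutated mid-iteration.
    doomed = [(p, c) for p in root.iter() for c in list(p)
              if _local(c.tag) in ACTIVE_TAGS]
    for parent, child in doomed:
        parent.remove(child)
    for el in root.iter():
        for attr in list(el.attrib):
            is_handler = _local(attr).lower().startswith("on")
            is_js_url = attr in URL_ATTRS and JS_SCHEME.match(el.attrib[attr])
            if is_handler or is_js_url:
                del el.attrib[attr]
    return ET.tostring(root, encoding="utf-8")


def favicon_headers() -> dict:
    """Headers for the favicon endpoint. The 'sandbox' CSP directive puts
    the response in an opaque origin, so even script that survives the
    sanitizer cannot read the viewer's cookies or call the instance API."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy":
            "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# Constructed sample of the input class the advisory describes.
SAMPLE_FAVICON = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                  b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
                  b'<script>alert(1)</script>'
                  b'<a xlink:href="javascript:alert(2)"><circle r="4"/></a></svg>')
```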


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-03-26T15:04:52.627Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6840ac7f182aa0cae2bd73a3

Added to database: 6/4/2025, 8:28:47 PM

Last enriched: 7/6/2025, 9:41:00 PM

Last updated: 7/31/2025, 7:02:07 PM

Views: 13
