CVE-2025-32015: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in FreshRSS FreshRSS
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the `<iframe srcdoc>` attribute, which leads to cross-site scripting (XSS) by loading an attacker's UserJS inside `<script src>`. In order to execute the attack, the attacker needs to control one of the victim's feeds and have an account on the FreshRSS instance that the victim is using. An attacker can gain access to the victim's account by exploiting this vulnerability. If the victim is an admin it would be possible to delete all users (cause damage) or execute arbitrary code on the server by modifying the update URL using fetch() via the XSS. Version 1.26.2 contains a patch for the issue.
AI Analysis
Technical Summary
CVE-2025-32015 is a cross-site scripting (XSS) vulnerability in FreshRSS, a self-hosted RSS feed aggregator, affecting versions prior to 1.26.2. FreshRSS sanitizes the HTML of fetched feed entries before rendering them, but the value of an <iframe srcdoc> attribute was not neutralized the way the rest of the entry body is. srcdoc carries a complete HTML document as an entity-encoded attribute value; the browser decodes it and renders it as a nested document that shares the origin of the FreshRSS page, so markup placed there executes with the same privileges as the page itself. The advisory describes the payload as a <script src> element that loads the attacker's UserJS, which explains the second precondition: the script is served from the FreshRSS instance's own origin, so the attacker needs an account on that instance to host it. Exploitation therefore requires control of a feed the victim subscribes to (the feed entry is the injection point) and an account on the victim's FreshRSS instance. A successful attack runs attacker-controlled JavaScript in the victim's browser session and gives the attacker access to the victim's account. If the victim is an administrator, the script can issue authenticated fetch() requests on the victim's behalf; the advisory cites two outcomes, deleting all users and modifying the instance's update URL, the latter leading to arbitrary code execution on the server. This elevates the issue from a typical XSS to a potential full compromise of the instance. Version 1.26.2 corrects the sanitization. The CVSS 3.1 base score is 6.7 (medium): network attack vector, low privileges required, user interaction required (the victim must open the poisoned entry), high impact on confidentiality and integrity and limited impact on availability. No exploitation in the wild had been reported at the time of writing.
Potential Impact
For European organizations running FreshRSS, whether self-hosted for internal monitoring or exposed publicly, the practical risk depends on who can hold an account on the instance. An attacker who controls a feed the victim subscribes to and has an account on the same instance can take over the victim's account and read whatever the victim aggregates, which may include internal or proprietary sources. If the victim is an administrator the consequences extend beyond the account: deleting all users disrupts the service, and modifying the update URL gives code execution on the host, from which the attacker can reach whatever that host can reach. The impact is therefore greatest where FreshRSS runs inside an internal network or alongside other services. The account requirement narrows the attack surface but does not remove it: instances with open self-registration, loosely managed accounts or many users effectively satisfy that condition, and a feed that an administrator subscribes to is a natural target. The attack also needs the victim to open the poisoned entry, which in a feed reader is routine behaviour rather than an obstacle, so the vulnerability is well suited to targeted attacks on organizations that rely on FreshRSS for information monitoring, affecting confidentiality, integrity and availability.
Mitigation Recommendations
Upgrade every FreshRSS instance to 1.26.2 or later; this is the only fix for the sanitization flaw itself. Until that is done, and as defence in depth afterwards, reduce who can meet the attacker's precondition: disable open self-registration where it is not needed and review existing accounts, because the exploit depends on the attacker holding an account on the same instance. Treat a Content Security Policy as a limited control here rather than a mitigation: the advisory describes the payload as a <script src> pointing at the attacker's user script on the same origin, so a policy that allows 'self' does not block this chain, although a strict CSP still limits exfiltration targets and third-party script loads. For detection, search the stored feed entries for <iframe> elements carrying a srcdoc attribute, in particular values containing an entity-encoded <script; legitimate feeds rarely use srcdoc, so hits warrant review. Audit administrator accounts for feeds added from untrusted sources and for unexplained changes to the update URL. Run FreshRSS in a segmented network zone under a least-privilege service account so that code execution on the host does not translate into lateral movement, keep regular backups of the database and configuration to recover from a user wipe, and make sure administrators understand that every subscribed feed is untrusted input rendered inside their authenticated session.
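The following is an added illustration, not FreshRSS code and not the 1.26.2 patch. It shows the mechanism from the technical summary (a sanitizer that walks only the outer document never sees a script hidden in an entity-encoded srcdoc value, while the browser decodes and renders it) and doubles as the scanner suggested under detection: nested_script_srcs() can be run over stored entry bodies. The feed entries and the same-origin script path are constructed placeholders, and strip_srcdoc() is one illustrative hardening policy among several.

```python
"""Why a sanitizer that walks only the outer document misses <iframe srcdoc>.

Constructed example, not FreshRSS code. The srcdoc attribute carries a complete
HTML document as an entity-encoded attribute value. The browser decodes it and
renders it as a nested document that shares the parent's origin, so a <script>
inside srcdoc runs with the same privileges as the surrounding page.
"""
from html import escape
from html.parser import HTMLParser

# Hypothetical same-origin path standing in for the attacker's user script.
ATTACKER_USER_JS = "/hypothetical/attacker-user.js"

# Constructed feed-entry bodies (the kind of HTML an aggregator renders).
BENIGN_ENTRY = '<p>Hello <a href="https://example.com">world</a></p>'
PAYLOAD_ENTRY = (
    "<p>Read more</p>"
    '<iframe srcdoc="&lt;script src=&quot;' + ATTACKER_USER_JS
    + '&quot;&gt;&lt;/script&gt;"></iframe>'
)


class _TagCollector(HTMLParser):
    """Record (tag, attrs) for every start tag at one document level."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def _start_tags(html):
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    return parser.tags


def naive_script_srcs(html):
    """Flat check: src of every <script> visible in the outer document.

    This is the blind spot: the parser hands srcdoc back as an opaque string,
    so a script nested inside it is never reported."""
    return [attrs.get("src") for tag, attrs in _start_tags(html) if tag == "script"]


def nested_script_srcs(html, depth=0, max_depth=8):
    """Recursive check: parse each iframe srcdoc value as its own document.

    HTMLParser has already decoded &lt; &gt; &quot; in the attribute value,
    which is exactly what the browser does before rendering it."""
    if depth > max_depth:  # guard against srcdoc-in-srcdoc recursion bombs
        return []
    found = []
    for tag, attrs in _start_tags(html):
        if tag == "script":
            found.append(attrs.get("src"))
        elif tag == "iframe" and attrs.get("srcdoc") is not None:
            found.extend(nested_script_srcs(attrs["srcdoc"], depth + 1, max_depth))
    return found


class _SrcdocStripper(HTMLParser):
    """Re-emit markup, dropping srcdoc from every iframe."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if tag == "iframe" and name == "srcdoc":
                continue  # the nested document is removed wholesale
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def strip_srcdoc(html):
    """Illustrative hardening policy (not the FreshRSS 1.26.2 patch): an iframe
    without srcdoc has no inline document to execute in our origin. A real
    sanitizer would also apply its element/attribute allowlist recursively."""
    parser = _SrcdocStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("naive   :", naive_script_srcs(PAYLOAD_ENTRY))   # [] -> missed
    print("nested  :", nested_script_srcs(PAYLOAD_ENTRY))  # ['/hypothetical/attacker-user.js']
    print("stripped:", strip_srcdoc(PAYLOAD_ENTRY))        # <p>Read more</p><iframe></iframe>
```

The flat check returns nothing for the payload entry while the recursive check reports the same-origin script path, which is the whole bug in miniature. For scanning, feed the stored entry HTML to nested_script_srcs() and treat any non-empty result as a finding; for hardening, the point is that whatever allowlist a sanitizer applies to the outer document must be applied again to the decoded srcdoc value, or the attribute dropped entirely.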
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-01T21:57:32.953Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6840a8e8182aa0cae2bcf3ee
Added to database: 6/4/2025, 8:13:28 PM
Last enriched: 7/6/2025, 8:54:58 PM
Last updated: 8/3/2025, 8:39:43 AM
Related Threats
CVE-2025-8293: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Theerawat Patthawee Intl DateTime Calendar (Medium)
CVE-2025-7686: CWE-352 Cross-Site Request Forgery (CSRF) in lmyoaoa weichuncai(WP伪春菜) (Medium)
CVE-2025-7684: CWE-352 Cross-Site Request Forgery (CSRF) in remysharp Last.fm Recent Album Artwork (Medium)
CVE-2025-7683: CWE-352 Cross-Site Request Forgery (CSRF) in janyksteenbeek LatestCheckins (Medium)
CVE-2025-7668: CWE-352 Cross-Site Request Forgery (CSRF) in timothyja Linux Promotional Plugin (Medium)