CVE-2025-31136
FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, it’s possible to run arbitrary JavaScript on the feeds page.
This occurs by combining a cross-site scripting (XSS) issue that occurs in `f.php` when SVG favicons are downloaded from an attacker-controlled feed containing `
More information : https://github.com/FreshRSS/FreshRSS/commit/426e3054c237c2b98667ebeacbbdb5caa88e7b1f