CVE-2025-68932 - FreshRSS has weak cryptographic randomness in remember-me token and nonce genera...

CVE ID : CVE-2025-68932 Published : Dec. 27, 2025, 12:15 a.m. | 34 minutes ago Description : FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators (mt_rand() and uniqid()) to generate remember-me authentication tokens and challenge-response nonces. This allows attackers to predict valid session tokens, leading to account takeover through persistent session hijacking. The remember-me tokens provide permanent authentication and are the sole credential for

Source: Telegram CVE Monitor