CI Report:
https://ci-tests.linuxserver.io/linuxserver/freshrss/1.26.2-ls268/index.html
LinuxServer Changes:
Rebase to Alpine 3.20. Existing users should update their nginx confs to avoid http2 deprecation warnings.
Remote Changes:
This is a security-focussed release for FreshRSS 1.26.x, addressing several CVEs (thanks @Inverle) 🛡
A few highlights ✨:
- Implement JSON string concatenation with & operator
- Support multiple JSON fragments in HTML+XPath+JSON mode (e.g. JSON-LD)
- Multiple security fixes with CVEs
- Bug fixes
Notes ℹ:
- Favicons will be reconstructed automatically when feeds get refreshed. After that, you may need to refresh your Web browser as well.
This release has been made by @Alkarex, @Frenzie, @hkcomori, @loviuz, @math-GH
and newcomers @dezponia, @glyn, @Inverle, @Machou, @mikropsoft
Full changelog:
- Features
- Bug fixing
- SimplePie
  - Fix support for feeds with XML preamble + DTD #7515, simplepie#914
  - Merged upstream #7434
  - Upstream fix simplepie#912
- Security
  - Disallow <iframe srcdoc=""> #7494, CVE-2025-32015
  - Disallow <button formaction=""> #7506
  - Improve favicons hash to avoid favicon pollution #7505, CVE-2025-46339
  - Add Content-Security-Policy HTTP headers to favicons #7471, CVE-2025-31136
  - Web scraping forbid security HTTP headers in cURL #7496, CVE-2025-46341
  - Add some HTTP headers Referrer-Policy: same-origin #6303, #7478
  - Use HTTP POST for logout #7489, CVE-2025-31482
  - Make update URL read-only #7477
  - Fix for extensions: Restrict valid paths in ext.php #7479, CVE-2025-31134
  - Fix for extensions: Secure serving of user files #7495
- Extensions
- Deployment
  - Apache: add check for mod_filter to ensure that AddOutputFilterByType works #7419
- UI
- I18n
- Misc.