VDB
CVE-2025-31483
CVE-2025-31483
PUBLISHED
CVSS 4.800000190734863 MEDIUM
Miniflux is a feed reader. Due to a weak Content Security Policy on the /proxy/* route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. To mitigate the vulnerability, the CSP for the media proxy has been changed from default-src 'self' to default-src 'none'; form-action 'none'; sandbox;. This vulnerability is fixed in 2.2.7.
EPSS 0.11% · 28.9th percentile
Risk Scores
CVSS v4.0
4.800000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS Score
0.11%
28.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| miniflux.app | v2 | 0, 0 |
| miniflux | v2 | < 2.2.7, * |
Timeline
- Apr 3, 2025 CVE Published
- Apr 3, 2025 PoC Published
- Apr 3, 2025 PoC Published
- Apr 4, 2025 EPSS Score
- Apr 17, 2025 EPSS Score
- Apr 30, 2025 EPSS Score
- May 12, 2025 EPSS Score
- May 25, 2025 EPSS Score
- Jun 7, 2025 EPSS Score
- Jun 20, 2025 EPSS Score
- Jul 2, 2025 EPSS Score
- Jul 15, 2025 EPSS Score