• Milestone

This is a security-focussed release for FreshRSS 1.26.x, addressing several CVEs (thanks @Inverle) 🛡

A few highlights ✨:

• Implement JSON string concatenation with & operator
• Support multiple JSON fragments in HTML+XPath+JSON mode (e.g. JSON-LD)
• Multiple security fixes with CVEs
• Bug fixes

Notes ℹ:

• Favicons will be reconstructed automatically when feeds gets refreshed. After that, you may need to refresh your Web browser as well.

This release has been made by @Alkarex, @Frenzie, @hkcomori, @loviuz, @math-GH
and newcomers @dezponia, @glyn, @Inverle, @Machou, @mikropsoft

Full changelog:

• Features
  • Implement JSON string concatenation with & operator #7414
  • Support multiple JSON fragments in HTML+XPath+JSON mode #7369
• Bug fixing
  • Fix escaping of tag search #7468
  • Fix CLI parsing of Boolean flags #7430
  • Fix API for labels with slash #7437
• SimplePie
  • Fix support for feeds with XML preamble + DTD #7515, simplepie#914
  • Merged upstream #7434
    • Upstream fix simplepie#912
• Security
  • Disallow <iframe srcdoc=""> #7494, CVE-2025-32015
  • Disallow <button formaction=""> #7506
  • Improve favicons hash to avoid favicon pollution #7505, CVE-2025-46339
  • Add Content-Security-Policy HTTP headers to favicons #7471, CVE-2025-31136
  • Web scraping forbid security HTTP headers in cURL #7496, CVE-2025-46341
  • Add some HTTP headers Referrer-Policy: same-origin #6303, #7478
  • Use HTTP POST for logout #7489, CVE-2025-31482
  • Make update URL read-only #7477
  • Fix for extensions: Restrict valid paths in ext.php #7479, CVE-2025-31134
  • Fix for extensions: Secure serving of user files #7495
• Extensions
  • Fix file serving for symlinked extensions #7545
  • Catch extension exceptions in override #7475
  • JavaScript: new event to detect context loaded #7452
• Deployment
  • Apache: add check for mod_filter to ensure that AddOutputFilterByType works #7419
• UI
  • Accessibility: Add :focus style to some dropdown menus #7491
  • New size option for the Mark as read button #7314
  • Update bcrypt.js from 2.4.4 to 3.0.2 #7449
  • Various UI and style improvements: #7168, #7526
• I18n
  • Rework credits #7426
  • Improve French #7432
  • Improve Italian #7540
  • Improve Polish #7508
  • Improve Turkish #7442
• Misc.
  • Improve PHP code #7431, #7488, #7534
  • Update dev dependencies #7480, #7482, #7483,
    #7484, #7485, #7486,
    #7487, #7533, #7535,
    #7536, #7537, #7538