8.4
CVE-2026-56785
- EPSS 0.24%
- Veröffentlicht 23.06.2026 22:09:35
- Zuletzt bearbeitet 25.06.2026 19:25:34
- Quelle disclosure@vulncheck.com
- CVE-Watchlists
- Unerledigt
FlatPress - Stored Cross-Site Scripting via Unescaped Comment and Contact Form Fields
FlatPress contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerFlatPress
≫
Produkt
FlatPress
Default Statusunaffected
Version
0
Version <
10be83c
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.152 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| disclosure@vulncheck.com | 8.4 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
| disclosure@vulncheck.com | 8.2 | 2.8 | 4.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/flatpressblog/flatpress/commit/10be83cbaac5ce0e51250b9d57de7f257b8f34f8
https://github.com/dilipk5/flatpressd-cms-sxss
https://www.vulncheck.com/advisories/flatpress-stored-cross-site-scripting-via-unescaped-comment-and-contact-form-fields