
7703 matches found

CNNVD
added 2025/08/22 12:00 a.m. · 1 view

Blog security vulnerability

Blog is a personal blogging system by Xuzijia Individual Developers in China. A security vulnerability exists in Blog version 3.0.1-SNAPSHOT, which stems from an authentication bypass that could lead to unauthorized access to the API...

9.8 CVSS · 6.8 AI score · 0.00481 EPSS
Exploits 0 · References 3
Cvelist
added 2025/08/22 12:00 a.m. · 8 views

CVE-2024-50644

zhisheng17 blog 3.0.1-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access API without any token...

0.00481 EPSS
Exploits 0 · References 3
Positive Technologies
added 2025/08/22 12:00 a.m. · 4 views

PT-2025-34446 · Unknown · Zhisheng17 Blog

Name of the Vulnerable Software and Affected Versions: zhisheng17 blog version 3.0.1-SNAPSHOT Description: The software contains an authentication bypass issue that allows an attacker to access the API without a token. Recommendations: At the moment, there is no information about a newer version...

9.8 CVSS · 7.2 AI score · 0.00481 EPSS
Exploits 0 · References 6
Vulnrichment
added 2025/08/22 12:00 a.m. · 3 views

CVE-2024-50644

zhisheng17 blog 3.0.1-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access API without any token...

6.6 AI score · 0.00481 EPSS
Exploits 0 · References 3
RedhatCVE
added 2025/08/21 7:27 p.m. · 5 views

CVE-2025-55736

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges e.g. delete users, posts, comments etc. The problem is in the routes/adminPanelUsers file...

9.3 CVSS · 7.3 AI score · 0.00246 EPSS
Exploits 1 · References 1
RedhatCVE
added 2025/08/21 6:20 p.m. · 9 views

CVE-2025-9151

A security flaw has been discovered in LiuYuYang01 ThriveX-Blog up to 3.1.7. Affected by this vulnerability is the function updateJsonValueByName of the file /webconfig/json/name/web. Performing manipulation results in improper authorization. It is possible to initiate the attack remotely. The...

6.5 CVSS · 7.1 AI score · 0.0026 EPSS
Exploits 0 · References 1
RedhatCVE
added 2025/08/21 12:26 a.m. · 13 views

CVE-2025-51510

MoonShine was discovered to contain a SQL injection vulnerability under the Blog - Categories page when using the moonshine-tree-resource version 2.0.2 component...

4.9 CVSS · 8.5 AI score · 0.00455 EPSS
Exploits 2 · References 1
HackRead
added 2025/08/20 10:19 a.m. · 3 views

How to Automate Phishing Detection to Prevent Data Theft

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings...

7.1 AI score
Exploits 0
RedhatCVE
added 2025/08/20 2:38 a.m. · 14 views

CVE-2025-9101

A weakness has been identified in zhenfeng13 My-Blog up to 1.0.0. This issue affects some unknown processing of the file /admin/tags/save of the component Tag Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the publi...

5.4 CVSS · 6.5 AI score · 0.00225 EPSS
Exploits 1 · References 1
RedhatCVE
added 2025/08/20 1:38 a.m. · 11 views

CVE-2025-9100

A security flaw has been discovered in zhenfeng13 My-Blog 1.0.0. This vulnerability affects unknown code of the file /blog/comment of the component Frontend Blog Article Comment Handler. The manipulation leads to authentication bypass by capture-replay. The attack can be initiated remotely. The...

6.9 CVSS · 7.7 AI score · 0.00564 EPSS
Exploits 1 · References 1
NVD
added 2025/08/19 8:15 p.m. · 6 views

CVE-2025-55737

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code...

6.9 CVSS · 0.00274 EPSS
Exploits 1 · References 1
NVD
added 2025/08/19 7:15 p.m. · 4 views

CVE-2025-55735

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the content of the post stored in the variable "postContent". The vulnerability arises when displaying the content of the post using the | safe filter, that tells the engine to not escap...

5.4 CVSS · 0.00192 EPSS
Exploits 1 · References 1
NVD
added 2025/08/19 7:15 p.m. · 6 views

CVE-2025-55736

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges e.g. delete users, posts, comments etc. The problem is in the routes/adminPanelUsers file...

9.3 CVSS · 0.00246 EPSS
Exploits 1 · References 1
NVD
added 2025/08/19 7:15 p.m. · 5 views

CVE-2025-55734

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the user role when a user is trying to access the admin page,...

6.9 CVSS · 0.00341 EPSS
Exploits 1 · References 2
Cvelist
added 2025/08/19 7:06 p.m. · 9 views

CVE-2025-55737 flaskBlog arbitrary comment delete

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code...

6.9 CVSS · 0.00274 EPSS
Exploits 1 · References 1
CVE
added 2025/08/19 7:04 p.m. · 20 views

CVE-2025-55736

CVE-2025-55736 affects flaskBlog up to version 2.8.0 (and earlier). The root cause is in the routes/adminPanelUsers file, where an arbitrary user can elevate their role to admin, gaining high-privilege capabilities (e.g., delete users, posts, comments). Connected sources confirm the affected sof...

9.3 CVSS · 7.2 AI score · 0.00246 EPSS
Exploits 1 · References 1 · Affected Software 1
Cvelist
added 2025/08/19 6:56 p.m. · 9 views

CVE-2025-55735 flaskBlog Stored XSS Vulnerability

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the content of the post stored in the variable "postContent". The vulnerability arises when displaying the content of the post using the | safe filter, that tells the engine to not escap...

5.3 CVSS · 0.00192 EPSS
Exploits 1 · References 1
OSV
added 2025/08/19 6:56 p.m. · 4 views

CVE-2025-55735 flaskBlog Stored XSS Vulnerability

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the content of the post stored in the variable "postContent". The vulnerability arises when displaying the content of the post using the | safe filter, that tells the engine to not escap...

5.3 CVSS · 6.3 AI score · 0.00192 EPSS
Exploits 1 · References 3
Vulnrichment
added 2025/08/19 6:38 p.m. · 5 views

CVE-2025-55734 flaskBlog Authorization Bypass

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the user role when a user is trying to access the admin page,...

6.9 CVSS · 7.2 AI score · 0.00341 EPSS
Exploits 1 · References 2
CVE
added 2025/08/19 6:38 p.m. · 16 views

CVE-2025-55734

CVE-2025-55734 affects flaskBlog (versions ≤ 2.8.0). The root cause is a missing authorization check on admin subroutes: the RBAC check runs only for the /admin page in routes/adminPanel.py, while routes/adminPanelComments.py and routes/adminPanelPosts.py are not protected. This allows unauthoriz...

6.9 CVSS · 7.2 AI score · 0.00341 EPSS
Exploits 1 · References 2 · Affected Software 1