
14 matches found

AlpineLinux
added 2026/03/10 4:44 p.m. | 0 views

CVE-2026-30942

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/filename allows any logged-in user to read arbitrary files from within the application container. The filename URL...

CVSS 8.3 | AI score 5.9 | EPSS 0.00242
Exploits: 1 | References: 3
Positive Technologies
added 2026/03/10 12:0 a.m. | 1 views

PT-2026-24251

Name of the Vulnerable Software and Affected Versions: Flare versions prior to 1.7.3. Description: Flare is a Next.js-based, self-hostable file sharing platform. A path traversal issue exists in the /api/avatars/filename endpoint, allowing authenticated users to read arbitrary files within the...

CVSS 8.3 | AI score 5.8 | EPSS 0.00242
Exploits: 1 | References: 7
Cvelist
added 2026/03/06 9:10 p.m. | 14 views

CVE-2026-30231 Flare: Private File IDOR via raw/direct endpoints

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the raw and direct file routes only block unauthenticated users from accessing private files. Any authenticated, non‑owner user who knows the file URL can retrieve the...

CVSS 6 | EPSS 0.00029
Exploits: 1 | References: 1
EUVD
added 2026/03/06 9:10 p.m. | 1 views

EUVD-2026-10077

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the raw and direct file routes only block unauthenticated users from accessing private files. Any authenticated, non‑owner user who knows the file URL can retrieve the...

CVSS 6 | AI score 5.7 | EPSS 0.00029
Exploits: 1 | References: 1
AlpineLinux
added 2026/03/06 9:10 p.m. | 1 views

CVE-2026-30231

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the raw and direct file routes only block unauthenticated users from accessing private files. Any authenticated, non‑owner user who knows the file URL can retrieve the...

CVSS 6 | AI score 5.7 | EPSS 0.00029
Exploits: 1 | References: 1
CVE
added 2026/03/06 9:10 p.m. | 6 views

CVE-2026-30231

CVE-2026-30231 affects Flare, a Next.js-based self-hosted file sharing platform. Before version 1.7.2, raw and direct file routes failed to block authenticated non-owners who know a private file URL, enabling access that should be restricted. The issue is a private-file IDOR via raw/direct endpoi...

CVSS 6 | AI score 5.7 | EPSS 0.00029
Exploits: 1 | References: 1 | Affected Software: 1
EUVD
added 2026/03/06 9:9 p.m. | 3 views

EUVD-2026-10076

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password‑protected files. It checks ownership/admin for private files but skips password verification, allowing...

CVSS 8.2 | AI score 5.7 | EPSS 0.00023
Exploits: 1 | References: 1
CVE
added 2026/03/06 9:9 p.m. | 5 views

CVE-2026-30230

Flare is a Next.js-based self-hosted file sharing platform. Prior to version 1.7.2, the thumbnail endpoint did not validate the password for password-protected files; it only checked ownership/admin status for private files and skipped password verification, allowing thumbnails to be accessed wit...

CVSS 8.2 | AI score 5.7 | EPSS 0.00023
Exploits: 1 | References: 1 | Affected Software: 1
CNNVD
added 2026/03/06 12:0 a.m. | 2 views

Flare Security Vulnerability

Flare is a file-sharing platform developed by Zachary Lowery. Versions of Flare prior to 1.7.2 contained security vulnerabilities. These vulnerabilities stemmed from the fact that raw and direct file routing only prevented unauthenticated users from accessing private files. This allowed any...

CVSS 6 | AI score 5.8 | EPSS 0.00029
Exploits: 1 | References: 1
Positive Technologies
added 2026/03/06 12:0 a.m. | 3 views

PT-2026-23755

Name of the Vulnerable Software and Affected Versions: Flare versions prior to 1.7.2. Description: Flare, a Next.js-based file sharing platform, had a flaw where the thumbnail endpoint did not properly verify passwords for password-protected files. The system checked for ownership or administrator...

CVSS 8.2 | AI score 5.8 | EPSS 0.00023
Exploits: 1 | References: 3
NVD
added 2026/02/20 3:16 a.m. | 2 views

CVE-2026-26993

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG or other active content formats such as HTML...

CVSS 5.4 | EPSS 0.00015
Exploits: 1 | References: 3
ATTACKERKB
added 2026/02/20 2:33 a.m. | 1 views

CVE-2026-26993

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG or other active content formats such as HTML...

CVSS 4.6 | AI score 5.8 | EPSS 0.00015
Exploits: 1 | References: 4 | Affected Software: 1
OSV
added 2026/02/20 2:33 a.m. | 2 views

CVE-2026-26993 Flare has XSS vulnerability in Raw File Preview

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG or other active content formats such as HTML...

CVSS 4.6 | AI score 5.7 | EPSS 0.00015
Exploits: 1 | References: 5
CVE
added 2026/02/20 2:33 a.m. | 25 views

CVE-2026-26993

CVE-2026-26993 affects the Flare file sharing platform (Next.js-based) up to version 1.7.0. An attacker can embed malicious JavaScript in an SVG (or HTML/XML) and trigger script execution in the app’s origin when a file is viewed in “raw” mode, enabling stored XSS and potential user data exfiltra...

CVSS 5.4 | AI score 5.8 | EPSS 0.00015
Exploits: 1 | References: 3 | Affected Software: 1