9 matches found
CVE-2026-22659
FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID lists. Attackers can include a low-ID topic from a permitted...
CVE-2026-22660
FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares...
CVE-2026-22659
FlaskBB up to version 2.2.0 is vulnerable to an authorization bypass. The issue arises when an attacker manipulates a batch request with crafted topic ID lists, causing a low-ID topic from a permitted forum to be used as an anchor and bypass the permission check applied only to the first result. ...
CVE-2026-22660 FlaskBB Logic Flaw Authorization Group Deletion via Bulk AJAX Endpoint
FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares...
EUVD-2026-42877
FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares...
Server-side Request Forgery (SSRF)
Overview FlaskBB is an A classic Forum Software in Python using Flask. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the getimageinfo function. An attacker can access internal network resources and sensitive cloud metadata by supplying a crafted URL as t...
flaskbb-plugin-atom (>=0.1.0 <=0.2.0), flaskbb-plugin-conversations (=2.0.1) +6 more potentially affected by CVE-2026-46556 via flaskbb (=2.2.0)
flaskbb PYPI version =2.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on flaskbb and may be impacted: - flaskbb-plugin-atom =0.1.0, =0.0.1, =0.1.0, =0.0.1, =0.1.0 Source cves: CVE-2026-46556 Source advisory: OSV:GHSA-XQ32-9G7Q-7297...
PT-2026-42653
Summary A Server-Side Request Forgery SSRF vulnerability in get image info allows any authenticated user to force the server to send HTTP requests to arbitrary internal endpoints, including cloud metadata services e.g., AWS 169.254.169.254. This is a blind SSRF with confirmed internal port scanni...
CVE-2026-46556
creationtimestamp| type| source ---|---|--- 2026-05-19 12:24:55+00:00| published-proof-of-concept| https://github.com/flaskbb/flaskbb/security/advisories/GHSA-xq32-9g7q-7297...