CVE-2026-36728

A markdown based cross-site scripting XSS vulnerability in the AI assistant chat function of FastapiAdmin v2.2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a chat message...

CVE-2026-36725

A markdown based cross-site scripting XSS vulnerability in the /system/notice/create endpoint of FastapiAdmin v2.2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the noticecontent parameter...

FastApiAdmin 跨站脚本漏洞

FastApiAdmin is a full-stack rapid development platform based on FastAPI, developed by fastapiadmin. Version 2.2.0 of FastApiAdmin contains a cross-site scripting vulnerability. This vulnerability stems from the /system/notice/create endpoint, which has a cross-site scripting vulnerability relate...

CVE-2026-36725

CVE-2026-36725 describes a markdown-based cross-site scripting (XSS) vulnerability in the FastapiAdmin package, specifically affecting v2.2.0. The issue resides in the /system/notice/create endpoint where an attacker can inject a crafted payload into the notice_content parameter to execute arbitr...

CVE-2026-2979 FastApiAdmin Scheduled Task API controller.py user_avatar_upload_controller unrestricted upload

A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function useravataruploadcontroller of the file /backend/app/api/v1/modulesystem/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched...

CVE-2026-2979

A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function useravataruploadcontroller of the file /backend/app/api/v1/modulesystem/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched...

CVE-2026-2978 FastApiAdmin Scheduled Task API controller.py upload_file_controller unrestricted upload

A vulnerability was detected in FastApiAdmin up to 2.2.0. This vulnerability affects the function uploadfilecontroller of the file /backend/app/api/v1/modulesystem/params/controller.py of the component Scheduled Task API. Performing a manipulation results in unrestricted upload. The attack can be...

CVE-2026-2978 FastApiAdmin Scheduled Task API controller.py upload_file_controller unrestricted upload

A vulnerability was detected in FastApiAdmin up to 2.2.0. This vulnerability affects the function uploadfilecontroller of the file /backend/app/api/v1/modulesystem/params/controller.py of the component Scheduled Task API. Performing a manipulation results in unrestricted upload. The attack can be...

CVE-2026-2978

CVE-2026-2978 relates to FastApiAdmin (up to 2.2.0) and affects the file path /backend/app/api/v1/module_system/params/controller.py, specifically the upload_file_controller function of the Scheduled Task API. The vulnerability arises from input manipulation that permits unrestricted file uploads...

CVE-2026-2976

A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function downloadcontroller of the file /backend/app/api/v1/modulecommon/file/controller.py of the component Download Endpoint. This manipulation of the argument filepath causes information disclosure. It is...

CVE-2026-2976 FastApiAdmin Download Endpoint controller.py download_controller information disclosure

A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function downloadcontroller of the file /backend/app/api/v1/modulecommon/file/controller.py of the component Download Endpoint. This manipulation of the argument filepath causes information disclosure. It is...

CVE-2026-2975

FastApiAdmin (up to 2.2.0) contains a vulnerability in the Custom Documentation Endpoint. The affected area is the function reset_api_docs in /backend/app/plugin/init_app.py, which allows information disclosure. The vulnerability can be exploited remotely, and public exploits are available. No re...

PT-2026-21503

A security vulnerability has been detected in FastApiAdmin up to 2.2.0. This affects the function upload controller of the file /backend/app/api/v1/module common/file/controller.py of the component Scheduled Task API. Such manipulation leads to unrestricted upload. It is possible to launch the...

FastAPI Admin 访问控制错误漏洞

FastAPI Admin is an open-source management dashboard based on FastAPI and TortoiseORM. Versions of FastAPI Admin 2.2.0 and earlier contained a access control vulnerability. This vulnerability stemmed from incorrect handling of the filepath parameter in the downloadcontroller function of the...

FastAPI Admin 代码问题漏洞

FastAPI Admin is an open-source management dashboard based on FastAPI and TortoiseORM. Versions of FastAPI Admin 2.2.0 and earlier have code vulnerabilities. These vulnerabilities stem from improper handling of the uploadcontroller function in the...

FastAPI Admin 代码问题漏洞

FastAPI Admin is an open-source management dashboard based on FastAPI and TortoiseORM. Versions of FastAPI Admin 2.2.0 and earlier have code vulnerabilities. These vulnerabilities stem from improper handling of the uploadfilecontroller function in the...

FastAPI Admin 访问控制错误漏洞

FastAPI Admin is an open-source management dashboard based on FastAPI and TortoiseORM. Versions of FastAPI Admin 2.2.0 and earlier contained a access control vulnerability. This vulnerability stemmed from incorrect operations on the resetapidocs function in the component’s Custom Documentation...

FastAPI Admin 代码问题漏洞

FastAPI Admin is an open-source management dashboard based on FastAPI and TortoiseORM. Versions of FastAPI Admin 2.2.0 and earlier have code vulnerabilities. These vulnerabilities stem from improper handling of the useravatarUploadController function in the file...

CVE-2024-42816

A cross-site scripting XSS vulnerability in the Create Product function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter...

CVE-2024-42818

A cross-site scripting XSS vulnerability in the Config-Create function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter...