Lucene search

55 matches found

EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-28608

Malicious code in bioql PyPI...

CVSS 6.9 · AI score 6.6 · EPSS 0.00109
Exploits: 1 · References: 1
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-14828

Malicious code in bioql PyPI...

CVSS 6.5 · AI score 6.5 · EPSS 0.00248
Exploits: 1 · References: 2
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-28607

Malicious code in bioql PyPI...

CVSS 9.3 · AI score 6.5 · EPSS 0.00065
Exploits: 1 · References: 1
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-12361

Malicious code in bioql PyPI...

CVSS 6.1 · AI score 6.5 · EPSS 0.00236
Exploits: 1 · References: 3
RedhatCVE
added 2025/08/21 7:27 p.m.

CVE-2025-55735

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the content of the post stored in the variable "postContent". The vulnerability arises when displaying the content of the post using the | safe filter, that tells the engine to not escap...

CVSS 5.4 · AI score 6.2 · EPSS 0.00046
Exploits: 1 · References: 1
RedhatCVE
added 2025/08/21 7:27 p.m.

CVE-2025-55737

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code...

CVSS 6.9 · AI score 7.5 · EPSS 0.00109
Exploits: 1 · References: 1
CVE
added 2025/08/19 7:06 p.m.

CVE-2025-55737

CVE-2025-55737 affects flaskBlog versions prior to 2.8.0. The root cause is missing ownership validation when deleting comments, enabling any user to delete another user’s comment by intercepting the delete request and altering the commentID in routes/post.py. Documents consistently describe the ...

CVSS 6.9 · AI score 6.9 · EPSS 0.00109
Exploits: 1 · References: 1 · Affected Software: 1
Vulnrichment
added 2025/08/19 7:06 p.m.

CVE-2025-55737 flaskBlog arbitrary comment delete

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code...

CVSS 6.9 · AI score 7.4 · EPSS 0.00109
Exploits: 1 · References: 1
OSV
added 2025/08/19 7:06 p.m.

CVE-2025-55737 flaskBlog arbitrary comment delete

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code...

CVSS 6.9 · AI score 7.1 · EPSS 0.00109
Exploits: 1 · References: 3
OSV
added 2025/08/19 7:04 p.m.

CVE-2025-55736 flaskBlog allows arbitrary privilege escalation

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", gaining its associated privileges, e.g. deleting users, posts, comments etc. The problem is in the routes/adminPanelUsers file...

CVSS 9.3 · AI score 6.8 · EPSS 0.00065
Exploits: 1 · References: 3
Vulnrichment
added 2025/08/19 7:04 p.m.

CVE-2025-55736 flaskBlog allows arbitrary privilege escalation

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", gaining its associated privileges, e.g. deleting users, posts, comments etc. The problem is in the routes/adminPanelUsers file...

CVSS 9.3 · AI score 7.2 · EPSS 0.00065
Exploits: 1 · References: 1
Cvelist
added 2025/08/19 7:04 p.m.

CVE-2025-55736 flaskBlog allows arbitrary privilege escalation

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", gaining its associated privileges, e.g. deleting users, posts, comments etc. The problem is in the routes/adminPanelUsers file...

CVSS 9.3 · EPSS 0.00065
Exploits: 1 · References: 1
CVE
added 2025/08/19 6:56 p.m.

CVE-2025-55735

CVE-2025-55735 affects flaskBlog (Python/Flask) up to version 2.8.0. The stored XSS vulnerability arises from unvalidated postContent content rendered with the Jinja2 | safe filter in template/routes.html, which disables escaping. Impact is stored XSS within post content. Remediation: upgrade fla...

CVSS 5.4 · AI score 6.2 · EPSS 0.00046
Exploits: 1 · References: 1 · Affected Software: 1
Vulnrichment
added 2025/08/19 6:56 p.m.

CVE-2025-55735 flaskBlog Stored XSS Vulnerability

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the content of the post stored in the variable "postContent". The vulnerability arises when displaying the content of the post using the | safe filter, that tells the engine to not escap...

CVSS 5.3 · AI score 6.2 · EPSS 0.00046
Exploits: 1 · References: 1
OSV
added 2025/08/19 6:38 p.m.

CVE-2025-55734 flaskBlog Authorization Bypass

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the user role when a user is trying to access the admin page,...

CVSS 6.9 · AI score 6.9 · EPSS 0.00077
Exploits: 1 · References: 4
Cvelist
added 2025/08/19 6:38 p.m.

CVE-2025-55734 flaskBlog Authorization Bypass

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the user role when a user is trying to access the admin page,...

CVSS 6.9 · EPSS 0.00077
Exploits: 1 · References: 2
CNNVD
added 2025/08/19 12:00 a.m.

FlaskBlog security vulnerability

FlaskBlog is a simple blogging application built using Flask by Doğukan Ürker, an individual developer. A security vulnerability exists in FlaskBlog 2.8.0 and earlier versions, which stems from the fact that an arbitrary user may be elevated to the administrator role...

CVSS 9.3 · AI score 6.8 · EPSS 0.00065
Exploits: 1 · References: 3
Positive Technologies
added 2025/08/19 12:00 a.m.

PT-2025-33855 · Flaskblog · Flaskblog

Name of the Vulnerable Software and Affected Versions: flaskBlog versions prior to 2.8.0
Description: flaskBlog is a blog application built with Flask. A flaw exists where there is no validation of comment ownership during deletion. This allows any user to delete comments belonging to other users...

CVSS 6.9 · AI score 7.1 · EPSS 0.00109
Exploits: 1 · References: 4
Positive Technologies
added 2025/08/19 12:00 a.m.

PT-2025-33845 · Flaskblog · Flaskblog

Name of the Vulnerable Software and Affected Versions: flaskBlog versions 2.8.0 and earlier
Description: The application checks the userRole for "admin" privileges only when accessing the /admin page, but not its subroutes. Specifically, the check is performed in routes/adminPanel.py, but not in...

CVSS 6.9 · AI score 7.1 · EPSS 0.00077
Exploits: 1 · References: 6
CNNVD
added 2025/08/19 12:00 a.m.

FlaskBlog security vulnerability

FlaskBlog is a simple blogging application built using Flask by Doğukan Ürker, an individual developer. A security vulnerability exists in FlaskBlog 2.8.0 and earlier versions that stems from unchecked user roles and could lead to bypassing access control...

CVSS 6.9 · AI score 6.6 · EPSS 0.00077
Exploits: 1 · References: 4