
13 matches found

RedhatCVE · added 2025/08/21 7:27 p.m. · 4 views

CVE-2025-55737

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code...

CVSS 6.9 · AI score 7.5 · EPSS 0.00274
Exploits 1 · References 1
CVE · added 2025/08/19 6:56 p.m. · 17 views

CVE-2025-55735

CVE-2025-55735 affects flaskBlog (Python/Flask) up to version 2.8.0. The stored XSS vulnerability arises from unvalidated postContent content rendered with the Jinja2 | safe filter in template/routes.html, which disables escaping. Impact is stored XSS within post content. Remediation: upgrade fla...

CVSS 5.4 · AI score 6.2 · EPSS 0.00192
Exploits 1 · References 1 · Affected Software 1
RedhatCVE · added 2025/05/23 9:35 a.m. · 20 views

CVE-2024-22414

flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the /user/ page allows a user's comments to execute arbitrary JavaScript code. The HTML template user.html contains the following code snippet to render comments made by a user: comment2|safe . Use of the "safe" ta...

CVSS 6.5 · AI score 6.9 · EPSS 0.00409
Exploits 1 · References 1
RedhatCVE · added 2025/04/26 5:19 a.m. · 13 views

CVE-2025-28101

An arbitrary file deletion vulnerability in the /post/postTitle component of flaskBlog v2.6.1 allows attackers to delete article titles created by other users via supplying a crafted POST request...

CVSS 6.5 · AI score 6.9 · EPSS 0.00188
Exploits 1 · References 1
OSV · added 2025/04/21 5:15 p.m. · 3 views

CVE-2025-28102

A cross-site scripting (XSS) vulnerability in flaskBlog v2.6.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at /createpost...

CVSS 6.1 · AI score 5.9
Exploits 0 · References 2
Cvelist · added 2025/04/21 12:00 a.m. · 9 views

CVE-2025-28102

A cross-site scripting (XSS) vulnerability in flaskBlog v2.6.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at /createpost...

EPSS 0.00205
Exploits 1 · References 2
CVE · added 2025/04/21 12:00 a.m. · 47 views

CVE-2025-28102

FlaskBlog v2.6.1 is affected by a cross-site scripting (XSS) vulnerability exposed via the postContent parameter at /createpost. The issue stems from allowing arbitrary script/HTML injection, enabling attackers to run client-side code. Available connected reports confirm the affected software ver...

CVSS 6.1 · AI score 5.6 · EPSS 0.00205
Exploits 1 · References 2 · Affected Software 1
Positive Technologies · added 2025/04/21 12:00 a.m. · 6 views

PT-2025-17454 · Flaskblog · Flaskblog

Name of the Vulnerable Software and Affected Versions: flaskBlog version 2.6.1 Description: The issue is related to incorrect access control, allowing attackers to delete user accounts arbitrarily via a crafted request. Recommendations: For flaskBlog version 2.6.1, consider restricting access to th...

CVSS 6.4 · AI score 6.1 · EPSS 0.00186
Exploits 0 · References 8
NVD · added 2025/04/17 6:15 p.m. · 29 views

CVE-2025-28101

An arbitrary file deletion vulnerability in the /post/postTitle component of flaskBlog v2.6.1 allows attackers to delete article titles created by other users via supplying a crafted POST request...

CVSS 6.5 · EPSS 0.00188
Exploits 1 · References 2
OSV · added 2025/04/17 6:15 p.m. · 5 views

CVE-2025-28101

An arbitrary file deletion vulnerability in the /post/postTitle component of flaskBlog v2.6.1 allows attackers to delete article titles created by other users via supplying a crafted POST request...

CVSS 6.5 · AI score 6.8
Exploits 0 · References 2
Vulnrichment · added 2025/04/17 12:00 a.m. · 7 views

CVE-2025-28101

An arbitrary file deletion vulnerability in the /post/postTitle component of flaskBlog v2.6.1 allows attackers to delete article titles created by other users via supplying a crafted POST request...

AI score 6.8 · EPSS 0.00188
Exploits 1 · References 2
Cvelist · added 2025/04/17 12:00 a.m. · 22 views

CVE-2025-28101

An arbitrary file deletion vulnerability in the /post/postTitle component of flaskBlog v2.6.1 allows attackers to delete article titles created by other users via supplying a crafted POST request...

EPSS 0.00188
Exploits 1 · References 2
Positive Technologies · added 2025/04/17 12:00 a.m. · 3 views

PT-2025-17223 · Flaskblog · Flaskblog

Name of the Vulnerable Software and Affected Versions: flaskBlog version 2.6.1 Description: The issue allows attackers to delete article titles created by other users by supplying a crafted POST request to the "/post/postTitle" component. Recommendations: For flaskBlog version 2.6.1, consider...

CVSS 6.5 · AI score 6.3 · EPSS 0.00188
Exploits 1 · References 7