Flaskblog Security Vulnerabilities and Issues — Flaskblog CVE List

Lucene search

DogukanurkerFlaskblog

10 matches found

CVE•added 2025/04/17 6:15 p.m.•48 views

CVE-2025-28101

An arbitrary file deletion vulnerability in the /post/{postTitle} component of flaskBlog v2.6.1 allows attackers to delete article titles created by other users via supplying a crafted POST request.

6.5CVSS6.6AI score0.00048EPSS

Web

CVE•added 2025/04/21 6:15 p.m.•43 views

CVE-2025-28103

Incorrect access control in laskBlog v2.6.1 allows attackers to arbitrarily delete user accounts via a crafted request.

6.4CVSS6.8AI score0.0004EPSS

CVE•added 2025/04/21 6:15 p.m.•39 views

CVE-2025-28104

Incorrect access control in laskBlog v2.6.1 allows attackers to access all usernames via a crafted input.

9.1CVSS6.7AI score0.00065EPSS

CVE•added 2025/04/21 5:15 p.m.•36 views

CVE-2025-28102

A cross-site scripting (XSS) vulnerability in flaskBlog v2.6.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at /createpost.

6.1CVSS5.6AI score0.00063EPSS

CVE•added 2024/01/17 9:15 p.m.•35 views

CVE-2024-22414

flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the /user/ page allows a user's comments to execute arbitrary javascript code. The html template user.html contains the following code snippet to render comments made by a user: {{comment[2]|safe}}. Use of the "safe"...

6.5CVSS6AI score0.002EPSS

Web

CVE•added 2025/08/19 7:15 p.m.•8 views

CVE-2025-55736

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file.

9.3CVSS7.2AI score0.00053EPSS

Web

CVE•added 2025/08/14 4:15 p.m.•7 views

CVE-2025-53631

flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent when submitting POST requests to /createpost leads to arbitrary JavaScript execution (XSS) on all pages the post is reflected on including /, /post/[ID], /admin/posts, and /user/[ID] of the u...

5.4CVSS6.9AI score0.00035EPSS

Web

CVE•added 2025/08/19 7:15 p.m.•5 views

CVE-2025-55734

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the user role when a user is trying to access the admin page, b...

6.9CVSS7.2AI score0.00035EPSS

CVE•added 2025/08/19 7:15 p.m.•5 views

CVE-2025-55735

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the content of the post stored in the variable "postContent". The vulnerability arises when displaying the content of the post using the | safe filter, that tells the engine to not escape ...

5.4CVSS6.2AI score0.00038EPSS

CVE•added 2025/08/19 8:15 p.m.•4 views

CVE-2025-55737

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code th...

6.9CVSS6.9AI score0.00047EPSS