CVE-2018-16516
Description
Flask-Admin 1.5.2 is vulnerable to reflected XSS via a crafted URL, allowing attackers to inject arbitrary web script.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in helpers.py of Flask-Admin version 1.5.2 [1][2]. The flaw allows an attacker to inject arbitrary JavaScript into a page by crafting a malicious URL, which the application then reflects unsafely in its response [1][3]. No authentication or special configuration is required for the vulnerable code path to be reached [1].
Exploitation
An attacker with network access to a Flask-Admin instance can craft a URL containing malicious script parameters. When a victim visits this crafted URL, the injected script is executed in the victim's browser context [1][3]. No prior authentication or user interaction beyond clicking the link is needed [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session [1][3]. This can lead to theft of session cookies, defacement of the admin interface, or further attacks against the application and its users [1].
Mitigation
As of the available references, no official patch has been released for Flask-Admin 1.5.2; users should upgrade to a version newer than 1.5.2 if available or apply input sanitization to the URL parameters manually [3]. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
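The manual sanitization the narrative recommends amounts to normalising a redirect target the way a browser would before checking its scheme and host. The check below is an added example, not Flask-Admin's own code: the function names, the `host` parameter and the sample URLs are the example's own, and it strips every C0 control character and DEL, slightly wider than the upstream fix's range.

```python
import re
from urllib.parse import urlparse, urljoin

VALID_SCHEMES = ('http', 'https')

# Whitespace and C0 control characters anywhere in the target: browsers
# drop them, so "java\nscript:" or "java\x00script:" still runs as "javascript:".
_CONTROL_CHARS = re.compile(r'[\s\x00-\x1f\x7f]+')
# Runs of slashes right after "scheme:" (or at the very start) are collapsed
# to two, mirroring how browsers turn "http:////host" into "http://host".
_EXTRA_SLASHES = re.compile(r'(^([^/]+:)?//)/*')


def normalize_target(target: str) -> str:
    """Canonicalise a redirect target the way a browser would before parsing it."""
    target = target.replace('\\', '/')        # "\\host" is treated as "//host" by Chrome
    target = _CONTROL_CHARS.sub('', target)
    return _EXTRA_SLASHES.sub(lambda m: m.group(1), target, count=1)


def is_safe_redirect(target: str, host: str) -> bool:
    """True only if target is relative or an http(s) URL on exactly `host`."""
    normalized = normalize_target(target)
    parts = urlparse(normalized)
    if parts.scheme and parts.scheme not in VALID_SCHEMES:
        return False
    # Resolving against our own origin keeps relative paths on `host`; an
    # absolute or network-path target keeps its own netloc, which must match.
    joined = urlparse(urljoin(f'https://{host}/', normalized))
    return joined.scheme in VALID_SCHEMES and joined.netloc == host


if __name__ == '__main__':
    # Constructed sample targets, mirroring the cases the fix's tests exercise.
    for candidate in ('/admin/car/', 'http////www.google.com',
                      'javascrip\nt:alert(document.domain)', r'\\www.google.com',
                      'https:////www.google.com', '/////www.google.com'):
        print(f'{candidate!r:45} -> {is_safe_redirect(candidate, "127.0.0.1")}')
```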
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Flask-Admin (PyPI) | < 1.5.3 | 1.5.3 |
Affected products
Patches
8af10e0b0224 Merge pull request #1699 from lbhsot/master
2 files changed · +21 −2
flask_admin/helpers.py+14 −2 modified@@ -1,4 +1,4 @@ -from re import sub +from re import sub, compile from jinja2 import contextfunction from flask import g, request, url_for, flash from wtforms.validators import DataRequired, InputRequired @@ -9,6 +9,8 @@ VALID_SCHEMES = ['http', 'https'] +_substitute_whitespace = compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub +_fix_multiple_slashes = compile(r'(^([^/]+:)?//)/*').sub def set_current_view(view): @@ -131,8 +133,18 @@ def prettify_class_name(name): def is_safe_url(target): + # prevent urls like "\\www.google.com" + # some browser will change \\ to // (eg: Chrome) + # refs https://stackoverflow.com/questions/10438008 + target = target.replace('\\', '/') + + # handle cases like "j a v a s c r i p t:" + target = _substitute_whitespace('', target) + + # Chrome and FireFox "fix" more than two slashes into two after protocol + target = _fix_multiple_slashes(lambda m: m.group(1), target, 1) + # prevent urls starting with "javascript:" - target = target.strip() target_info = urlparse(target) target_scheme = target_info.scheme if target_scheme and target_scheme not in VALID_SCHEMES:
flask_admin/tests/test_helpers.py+7 −0 modified@@ -11,7 +11,14 @@ def test_is_safe_url(): assert helpers.is_safe_url('https://127.0.0.1/admin/car/') assert helpers.is_safe_url('/admin/car/') assert helpers.is_safe_url('admin/car/') + assert helpers.is_safe_url('http////www.google.com') assert not helpers.is_safe_url('http://127.0.0.2/admin/car/') assert not helpers.is_safe_url(' javascript:alert(document.domain)') assert not helpers.is_safe_url('javascript:alert(document.domain)') + assert not helpers.is_safe_url('javascrip\nt:alert(document.domain)') + assert not helpers.is_safe_url(r'\\www.google.com') + assert not helpers.is_safe_url(r'\\/www.google.com') + assert not helpers.is_safe_url('/////www.google.com') + assert not helpers.is_safe_url('http:///www.google.com') + assert not helpers.is_safe_url('https:////www.google.com')
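Review bot: the `_substitute_whitespace` pattern added to helpers.py, `[\s\x00-\x08\x0B\x0C\x0E-\x19]+`, stops its explicit range at `\x19`, so `\x1A` to `\x1F` (and `\x7F`) are left in the target even though they are control characters of the same kind as the ones listed; `[\s\x00-\x1F\x7F]+` would close that gap and also drops the redundant `\x0B` and `\x0C` entries, which `\s` already matches. On the same hunk, `from re import sub, compile` shadows the builtin `compile`; `import re` with `re.compile(...)` avoids the surprise.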
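Review bot: in the `is_safe_url` hunk the bare `1` in `_fix_multiple_slashes(lambda m: m.group(1), target, 1)` is the `count` argument and is easy to misread as part of the pattern; spell it `count=1`. The function now performs three normalisation steps before `urlparse` but still has no docstring, and the surviving comment `# prevent urls starting with "javascript:"` now describes the scheme check below it rather than the removed `strip()`; a one-line docstring saying that the target is canonicalised (backslashes, control characters, slash runs) before the scheme and host are compared would make the contract clear.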
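Review bot: the new assertions in `test_is_safe_url` exercise a newline inside the scheme and the backslash and slash-run forms, but none uses a control character outside `\s`, which is exactly what the new `\x00-\x08` range in `_substitute_whitespace` exists for; add e.g. `assert not helpers.is_safe_url('java\x00script:alert(document.domain)')`. A positive case showing the normalisation does not reject a legitimate same-site path with trailing whitespace, e.g. `assert helpers.is_safe_url('/admin/car/\n')`, would also guard against the stripping being tightened too far later.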
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-894g-6j7q-2hx6 (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UJIYCWIH3BRLI2QNC53CQXLKVP27X7EH/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZU2VKULURVXEU4YFTLMBQGYMPSXQ4MBN/ (MITRE, vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2018-16516 (GHSA, advisory)
- github.com/flask-admin/flask-admin/commit/8af10e0b022464fdcb2da3d0ea5bbd2f11c0acd1 (GHSA, web)
- github.com/flask-admin/flask-admin/pull/1699 (GHSA, x_refsource_MISC, web)
- github.com/flask-admin/flask-admin/releases/tag/v1.5.3 (GHSA, web)
- github.com/pypa/advisory-database/tree/main/vulns/flask-admin/PYSEC-2018-54.yaml (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIYCWIH3BRLI2QNC53CQXLKVP27X7EH (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZU2VKULURVXEU4YFTLMBQGYMPSXQ4MBN (GHSA, web)
News mentions
No linked articles in our index yet.