CVE-2024-58291
Description
Flatboard 3.2 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts in forum information fields. Attackers can insert JavaScript payloads that execute when other users view the forum, potentially stealing session cookies and executing client-side scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Flatboard 3.2 allows authenticated administrators to inject stored XSS via the forum information field, enabling session theft and arbitrary client-side script execution.
Root Cause
Flatboard 3.2 does not sanitize or encode user input in the forum information field. The field is intended to let administrators attach a description or note to a forum, but the application stores the value as entered and later renders it into HTML for other users without neutralizing HTML or JavaScript content. [2]
Exploitation
An authenticated administrator can craft a malicious payload, such as one beginning with `">` (closing the enclosing attribute and tag so that injected markup follows), and insert it into the Information field when creating or editing a forum. The payload is stored server-side and subsequently rendered, unencoded, into pages served to other users, so the injected script executes in their browsers. [3]
Impact
When a victim visits the affected forum page, the injected script executes in their browser session. This allows the attacker to steal session cookies, perform actions on behalf of the victim, or otherwise manipulate the client-side environment. Because the attacker already holds administrator rights, the practical impact falls on every other user who views the forum, including other administrators, and can lead to account compromise and further privilege escalation within the forum. [2] Session cookies flagged HttpOnly cannot be read by the injected script, but the script can still issue requests in the victim's authenticated session.
Mitigation
The vendor has released Flatboard 5.6.0, which likely addresses this issue; users are strongly advised to upgrade to the latest version [1]. No workaround is available for version 3.2. Since exploitation requires an authenticated administrator account, limiting who holds that role reduces exposure until the upgrade is applied, but it does not remove the vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries
- (no CPE) range: =3.2
- (no CPE) range: <=3.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions
No linked articles in our index yet.