Cross-Site Scripting (XSS) in flatpressblog/flatpress
Description
File upload XSS in FlatPress CMS admin panel allows attackers to upload files with malicious JavaScript in filename, leading to cross-site scripting when accessed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability exists in the file upload functionality of the FlatPress CMS admin panel (versions prior to 1.4.dev). The uploader does not sanitize filenames, so an attacker can embed an HTML/JavaScript payload in the name of an uploaded file. When that filename is later rendered for other users of the admin panel, the payload executes in the context of the CMS admin panel, a stored XSS. Commit f364391 adds a sanitize_filename function and a prevent_directory_traversal function to mitigate this [1].
Exploitation
An attacker needs access to the admin panel upload form, i.e. an authenticated account with upload permissions (typically an administrator). The attacker uploads a file whose name contains characters that close the surrounding HTML attribute and tag, e.g. a name beginning with `">` such as `">.jpg`, followed by the script content. No user interaction is required beyond another user viewing the uploaded file's entry in the admin panel. The attack vector is the file upload form in the admin panel.
Impact
Successful exploitation executes arbitrary JavaScript in the context of the FlatPress admin panel for any user who views the uploaded file's listing. This can lead to session theft, unauthorized admin actions performed with the victim's privileges, or other malicious activity within the CMS. The exposure is confined to the admin panel, but that is exactly where administrative accounts can be compromised.
Mitigation
The fix is included in version 1.4.dev, which sanitizes filenames by removing disallowed characters and reduces each name to its base name to prevent directory traversal [1]. Users should upgrade to that version or later. No workarounds are documented. The vulnerability is not listed in the CISA KEV catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 listed: flatpressblog/flatpress, flatpressblog/flatpressv5 (Range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The file upload functionality did not properly sanitize filenames, allowing JavaScript payloads to be embedded."
Attack vector
An attacker can upload a file with a crafted filename containing JavaScript code. When another user views that file's entry through the FlatPress CMS admin panel, the embedded JavaScript executes in their browser. This is a stored Cross-Site Scripting (XSS) attack, potentially allowing the attacker to steal session cookies or perform actions on behalf of the victim [ref_id=1].
Affected code
The vulnerability lies within the `onupload` function in the `admin_uploader_default` class. The changes in the patch modify this function by adding calls to `prevent_directory_traversal` and `sanitize_filename` before processing the uploaded file's name [ref_id=1].
What the fix does
The patch introduces a new `sanitize_filename` function that removes disallowed characters from filenames. It also ensures that only the base name of the file is used via `prevent_directory_traversal`. These changes prevent the injection of malicious characters or code within filenames, thereby mitigating the XSS vulnerability by ensuring that filenames are safe before they are processed or displayed [ref_id=1].
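As an added illustration (not FlatPress's own code, and not the contents of commit f364391), the following PHP sketches the two controls the fix describes, an allow-list filename sanitizer and a base-name reduction, beside a vulnerable and a hardened way of rendering the stored name. The helper names `sanitize_filename` and `prevent_directory_traversal` match those the advisory mentions, but their bodies, the attachment path `/fp-content/attachs/`, and the sample filenames are all assumptions constructed for this example:

```php
<?php
// Added example, not FlatPress code. Function names mirror the advisory;
// their bodies are assumptions and may differ from the real fix.
declare(strict_types=1);

// Reduce the name to its last path segment so "../../config.php" -> "config.php".
function prevent_directory_traversal(string $name): string {
    $name = str_replace('\\', '/', $name);   // normalise Windows separators first
    $name = basename($name);
    // basename("..") is ".." and basename(".") is "."; neither is a usable file name
    return ($name === '.' || $name === '..') ? '' : $name;
}

// Allow-list: ASCII letters, digits, dot, dash, underscore. Everything else,
// including the quote and angle brackets that break out of an HTML attribute, is dropped.
function sanitize_filename(string $name): string {
    $name = preg_replace('/[^A-Za-z0-9._-]/', '', $name);
    $name = preg_replace('/\.{2,}/', '.', $name);   // collapse ".." sequences
    $name = ltrim($name, '.');                       // no leading-dot (hidden) files
    return $name === '' ? 'upload' : $name;
}

// Vulnerable rendering: the raw filename is interpolated into an HTML attribute
// and into element text without any encoding.
function render_vulnerable(string $name): string {
    return '<a href="/fp-content/attachs/' . $name . '">' . $name . '</a>';
}

// Hardened rendering: sanitize on input AND encode for each output context.
function render_hardened(string $name): string {
    $safe = sanitize_filename(prevent_directory_traversal($name));
    $text = htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="/fp-content/attachs/' . rawurlencode($safe) . '">' . $text . '</a>';
}

// Constructed sample filenames (assumed, not taken from the advisory).
$samples = [
    'holiday photo.jpg',
    '"><svg onload=alert(document.cookie)>.jpg',   // attribute/tag break-out
    '../../fp-content/config.php',                 // directory traversal
    '.htaccess',                                   // hidden/config file
];

foreach ($samples as $s) {
    echo "input:      $s\n";
    echo "vulnerable: " . render_vulnerable($s) . "\n";
    echo "hardened:   " . render_hardened($s) . "\n\n";
}
```

Run it with `php example.php`. The second sample shows the attribute break-out: the vulnerable output closes the `href` attribute at the first `"` and the `<a>` tag at the `>`, leaving an `<svg onload=...>` element in the page, while the hardened output reduces the name to `svgonloadalertdocument.cookie.jpg`. Output encoding is still applied at render time because the sanitizer only protects files uploaded after the fix; names already on disk, and every other place a filename is echoed, need `htmlspecialchars` regardless. Neither helper checks the file's extension or content type; that is a separate control.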
Preconditions
- auth: The attacker must be logged in as a user with upload privileges.
- input: The attacker must upload a file with a specially crafted filename containing JavaScript.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions
No linked articles in our index yet.