Unrated severityNVD Advisory· Published Feb 20, 2026· Updated Feb 23, 2026
Flare has XSS vulnerability in Raw File Preview
CVE-2026-26993
Description
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG (or other active content formats such as HTML or XML), an attacker can achieve script execution in the context of the application's origin when a victim views the file in “raw” mode. This results in a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to exfiltrate user data. This issue has been fixed in version 1.7.1.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/FlintSH/Flare/commit/7763d7b954799552f287ab9260bb1353f8880163mitrex_refsource_MISC
- github.com/FlintSH/Flare/releases/tag/v1.7.1mitrex_refsource_MISC
- github.com/FlintSH/Flare/security/advisories/GHSA-q8fp-w6m5-4gjmmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.