VYPR
Unrated severityNVD Advisory· Published Mar 10, 2026· Updated Mar 10, 2026

Flare has a Path Traversal in /api/avatars/[filename]

CVE-2026-30942

Description

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/[filename] allows any logged-in user to read arbitrary files from within the application container. The filename URL parameter is passed to path.join() without sanitization, and getFileStream() performs no path validation, enabling %2F-encoded ../ sequences to escape the uploads/avatars/ directory and read any file accessible to the nextjs process under /app/. Authentication is enforced by Next.js middleware. However, on instances with open registration enabled (the default), any attacker can self-register and immediately exploit this. This vulnerability is fixed in 1.7.3.

Affected products

2
  • Flintsh/Flarellm-fuzzy2 versions
    <1.7.3+ 1 more
    • (no CPE)range: <1.7.3
    • (no CPE)range: < 1.7.3

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.