CVE-2026-36725
Description
FastapiAdmin v2.2.0 is vulnerable to XSS via the notice_content parameter, allowing script execution in user browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A markdown-based Cross-Site Scripting (XSS) vulnerability exists in FastapiAdmin versions 2.2.0 and earlier. The vulnerability resides in the /system/notice/create endpoint, where the notice_content parameter is accepted without proper sanitization or validation. This allows for the injection of arbitrary web scripts or HTML, which are then stored and rendered by the wangEditor component on the frontend without further sanitization [1].
Exploitation
An authenticated attacker can exploit this vulnerability by crafting a malicious payload containing JavaScript code and submitting it via the notice_content parameter to the /system/notice/create endpoint. When a user views the notice containing this payload, the injected script will execute in their browser [1].
Impact
Successful exploitation allows an attacker to execute arbitrary web scripts in the context of the victim's browser. This can lead to various security compromises, including session hijacking, credential theft, or performing malicious actions on behalf of the victim, depending on the privileges of the user viewing the notice [1].
Mitigation
To mitigate this vulnerability, it is recommended to implement HTML sanitization using libraries like DOMPurify before rendering content with wangEditor, or to use a markdown editor with built-in XSS protection such as mavonEditor. Additionally, implementing Content Security Policy (CSP) headers can help reduce the impact of XSS attacks. The fixed version and release date are not yet disclosed in the available references [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2.2.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The notice_content parameter is not sanitized before being rendered by the wangEditor component, allowing for script injection."
Attack vector
An authenticated attacker can inject arbitrary web scripts or HTML into the notice_content parameter when creating a notice via the /api/v1/system/notice/create endpoint. The application stores this unsanitized content directly in the database. When a user views the notice detail, the content is rendered by the wangEditor component without further sanitization, executing the injected script in the victim's browser [1].
Affected code
The vulnerability lies in the system notice functionality, specifically the /api/v1/system/notice/create endpoint. The frontend components involved are /frontend/src/views/module_system/notice/index.vue and /frontend/src/components/WangEditor/index.vue. The notice content is rendered using the wangEditor component without proper sanitization [1].
What the fix does
The advisory recommends implementing HTML sanitization using libraries like DOMPurify before rendering content with wangEditor, or using a markdown editor with built-in XSS protection such as mavonEditor. Additionally, implementing Content Security Policy (CSP) headers is suggested as a mitigation strategy. The patch does not show specific code changes, but these measures would prevent the execution of injected scripts.
Preconditions
- Authentication: the attacker must be authenticated.
- Input: the attacker must be able to craft a malicious payload for the notice_content parameter.
Reproduction
Create a notice with content `<img src=x onerror='alert(1)' />` using the following request:
View the notice detail on the client side; a pop-up window appears [1].
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.