VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-50873

Description

Flatnotes v5.5.4 allows authenticated users to upload .html or .svg files, which are served from the same origin, enabling stored cross-site scripting (XSS).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Flatnotes v5.5.4 allows authenticated users to upload attachments via the /api/attachments endpoint. The filesystem backend does not restrict file extensions such as .html or .svg. Uploaded files are served from the application origin with their native content type (e.g., text/html, image/svg+xml), making them executable in the browser context of flatnotes. This arbitrary file upload bug enables stored same-origin script execution. [1]

Exploitation

An attacker must have a valid flatnotes account with attachment upload permissions. They upload a crafted file (e.g., poc.html with embedded JavaScript or poc.svg with active content) via the /api/attachments route. The file is stored and later retrieved via /attachments/(unknown). When any authenticated user opens the uploaded attachment in a browser, the file is rendered within the flatnotes origin, executing the embedded script. [1]

Impact

Successful exploitation results in stored cross-site scripting (XSS) within the flatnotes application origin. The attacker's script can perform actions on behalf of the viewing user, such as reading notes, modifying content, or exfiltrating session tokens. The compromise is limited to the browser security context and the privileges of the authenticated victim. [1]

Mitigation

No official patch for flatnotes v5.5.4 has been released as of this writing. The application should implement a file extension/content-type allowlist that denies uploads of active web content (e.g., .html, .svg, .xml). As a workaround, administrators can restrict attachment upload permissions to trusted users only, or use a reverse proxy to block requests for those file types from the attachments endpoint. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Flatnotes/Flatnotes (inferred), 2 versions: = 5.5.4 (+1 more)
    • (no CPE) range: = 5.5.4
    • (no CPE) range: <= 5.5.4

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing extension/content-type restriction on uploaded attachments allows same-origin serving of browser-executable files."

Attack vector

An authenticated attacker uploads a file with an active extension (`.html` or `.svg`) through the `/api/attachments` endpoint. The server stores the file and serves it via `FileResponse` with a content type (e.g., `text/html` or `image/svg+xml`) that the browser interprets as executable content from the flatnotes origin. When another authenticated user opens the attachment URL, the attacker's script executes within the flatnotes security context, subject to the viewing user's session [ref_id=1].

Affected code

The attachment API routes `/api/attachments/(unknown)` and `/attachments/(unknown)` in flatnotes v5.5.4 serve uploaded files via `FileResponse` without restricting active web content extensions such as `.html` or `.svg`. The filesystem attachment backend validates filename shape but does not enforce an extension/content-type policy that would prevent browser-executable documents from being served from the application origin [ref_id=1].

What the fix does

The advisory does not include a published patch. The recommended fix is to implement an extension/content-type policy that either blocks active web content extensions (`.html`, `.svg`, etc.) at upload time or forces such files to be served with a `Content-Disposition: attachment` header and an inert content type, preventing the browser from interpreting them as same-origin executable documents [ref_id=1].
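The following is an added illustration of the upload-time allowlist and the inert-serving policy described in the Mitigation and "What the fix does" sections. It is hypothetical example code, not flatnotes' own implementation: the function names (`upload_allowed`, `serve_policy`), the extension lists and the sample filenames are all constructed for this example. The block covers the edge cases a practitioner would want checked (upper-case extensions, trailing dots, missing extensions) and returns the headers a Starlette/FastAPI `FileResponse` would be given rather than performing any I/O.

```python
"""Attachment policy example (hypothetical; not flatnotes code).

Two decisions are made for every attachment:
  1. at upload time: is the extension on the allowlist at all?
  2. at serve time:  which Content-Type / Content-Disposition / nosniff headers
     keep the browser from treating the file as a same-origin document?
"""
import mimetypes
import os
from dataclasses import dataclass

# Extensions a browser renders or executes as a document when served inline.
# Constructed list for this example; extend it for your own deployment.
ACTIVE_EXTENSIONS = frozenset({".html", ".htm", ".xhtml", ".svg", ".xml", ".js", ".mjs"})

# Extensions the (hypothetical) upload endpoint accepts. Everything else is rejected.
ALLOWED_EXTENSIONS = frozenset({".png", ".jpg", ".jpeg", ".gif", ".webp", ".pdf", ".txt", ".md", ".zip"})


@dataclass(frozen=True)
class ServePolicy:
    content_type: str
    headers: dict


def normalized_extension(filename: str) -> str:
    """Lower-cased final extension of the basename.

    Trailing dots and spaces are stripped first so that names such as
    'poc.html.' or 'poc.HTML ' are recognised as .html rather than slipping past.
    """
    base = os.path.basename(filename.strip().rstrip(". "))
    return os.path.splitext(base)[1].lower()


def upload_allowed(filename: str) -> bool:
    """Upload-time check: deny active web content and anything not on the allowlist."""
    ext = normalized_extension(filename)
    if not ext or ext in ACTIVE_EXTENSIONS:
        return False
    return ext in ALLOWED_EXTENSIONS


def serve_policy(filename: str) -> ServePolicy:
    """Serve-time headers for an already-stored attachment.

    Files that are active, or whose type cannot be determined, get an inert
    content type plus a download disposition; passive images may be shown
    inline; everything else is forced to download. nosniff is always set so the
    browser does not second-guess the declared type.
    """
    ext = normalized_extension(filename)
    guessed, _ = mimetypes.guess_type(f"file{ext}")  # guess from extension only
    headers = {"X-Content-Type-Options": "nosniff"}
    if ext in ACTIVE_EXTENSIONS or guessed is None:
        return ServePolicy("application/octet-stream",
                           {**headers, "Content-Disposition": "attachment"})
    inline_ok = guessed.startswith("image/") and guessed != "image/svg+xml"
    disposition = "inline" if inline_ok else "attachment"
    return ServePolicy(guessed, {**headers, "Content-Disposition": disposition})


if __name__ == "__main__":
    # Constructed sample filenames, including ones that try to dodge a naive check.
    for name in ["photo.png", "poc.html", "poc.svg", "poc.HTML.", "doc.pdf", "noext"]:
        policy = serve_policy(name)
        print(f"{name:12} upload_allowed={upload_allowed(name)!s:5} "
              f"serve={policy.content_type} {policy.headers}")
```

A practical use is to apply `upload_allowed` before writing the file and `serve_policy` when building the response for existing attachments, so files uploaded before the policy existed are still served inertly.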

Preconditions

  • auth: Attacker must have a valid authenticated session on the flatnotes instance
  • input: Attacker must be able to upload attachments through the /api/attachments endpoint
  • input: A victim user must open the uploaded attachment URL in a browser while authenticated to the same flatnotes instance

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.