flaskBlog
by flaskBlog
Source repositories
CVEs (8)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-55737 | Med | 0.42 | 6.5 | 0.00 | Aug 19, 2025 | flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the… | ||
| CVE-2025-55736 | Med | 0.42 | 6.5 | 0.00 | Aug 19, 2025 | flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file. | ||
| CVE-2025-55734 | Med | 0.42 | 6.5 | 0.00 | Aug 19, 2025 | flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the user role when a user is trying to… | ||
| CVE-2025-28101 | Med | 0.42 | 6.5 | 0.00 | Apr 17, 2025 | An arbitrary file deletion vulnerability in the /post/{postTitle} component of flaskBlog v2.6.1 allows attackers to delete article titles created by other users via supplying a crafted POST request. | ||
| CVE-2024-22414 | Med | 0.42 | 6.5 | 0.00 | Jan 17, 2024 | flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the `/user/` page allows a user's comments to execute arbitrary javascript code. The html template `user.html` contains the following code snippet to render comments made by a user: `<div… | ||
| CVE-2025-28102 | Med | 0.40 | 6.1 | 0.00 | Apr 21, 2025 | A cross-site scripting (XSS) vulnerability in flaskBlog v2.6.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at /createpost. | ||
| CVE-2025-55735 | Med | 0.35 | 5.4 | 0.00 | Aug 19, 2025 | flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the content of the post stored in the variable "postContent". The vulnerability arises when displaying the content of the post using the | safe filter, that tells the… | ||
| CVE-2025-53631 | Med | 0.35 | 5.4 | 0.00 | Aug 14, 2025 | flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent when submitting POST requests to /createpost leads to arbitrary JavaScript execution (XSS) on all pages the post is reflected on including /, /post/[ID], /admin/posts, and… |
- risk 0.42cvss 6.5epss 0.00
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the…
- risk 0.42cvss 6.5epss 0.00
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file.
- risk 0.42cvss 6.5epss 0.00
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the user role when a user is trying to…
- risk 0.42cvss 6.5epss 0.00
An arbitrary file deletion vulnerability in the /post/{postTitle} component of flaskBlog v2.6.1 allows attackers to delete article titles created by other users via supplying a crafted POST request.
- risk 0.42cvss 6.5epss 0.00
flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the `/user/` page allows a user's comments to execute arbitrary javascript code. The html template `user.html` contains the following code snippet to render comments made by a user: `<div…
- risk 0.40cvss 6.1epss 0.00
A cross-site scripting (XSS) vulnerability in flaskBlog v2.6.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at /createpost.
- risk 0.35cvss 5.4epss 0.00
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the content of the post stored in the variable "postContent". The vulnerability arises when displaying the content of the post using the | safe filter, that tells the…
- risk 0.35cvss 5.4epss 0.00
flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent when submitting POST requests to /createpost leads to arbitrary JavaScript execution (XSS) on all pages the post is reflected on including /, /post/[ID], /admin/posts, and…