VYPR
Vendor

flaskBlog

Products
1
CVEs
8
Across products
8
Status
Private

Products

1

Recent CVEs

8
  • CVE-2025-55737MedAug 19, 2025
    risk 0.42cvss 6.5epss 0.00

    flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the…

  • CVE-2025-55736MedAug 19, 2025
    risk 0.42cvss 6.5epss 0.00

    flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file.

  • CVE-2025-55734MedAug 19, 2025
    risk 0.42cvss 6.5epss 0.00

    flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the user role when a user is trying to…

  • CVE-2025-28101MedApr 17, 2025
    risk 0.42cvss 6.5epss 0.00

    An arbitrary file deletion vulnerability in the /post/{postTitle} component of flaskBlog v2.6.1 allows attackers to delete article titles created by other users via supplying a crafted POST request.

  • CVE-2024-22414MedJan 17, 2024
    risk 0.42cvss 6.5epss 0.00

    flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the `/user/` page allows a user's comments to execute arbitrary javascript code. The html template `user.html` contains the following code snippet to render comments made by a user: `<div…

  • CVE-2025-28102MedApr 21, 2025
    risk 0.40cvss 6.1epss 0.00

    A cross-site scripting (XSS) vulnerability in flaskBlog v2.6.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the postContent parameter at /createpost.

  • CVE-2025-55735MedAug 19, 2025
    risk 0.35cvss 5.4epss 0.00

    flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the content of the post stored in the variable "postContent". The vulnerability arises when displaying the content of the post using the | safe filter, that tells the…

  • CVE-2025-53631MedAug 14, 2025
    risk 0.35cvss 5.4epss 0.00

    flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent when submitting POST requests to /createpost leads to arbitrary JavaScript execution (XSS) on all pages the post is reflected on including /, /post/[ID], /admin/posts, and…