Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
A markdown based cross-site scripting (XSS) vulnerability in the /system/notice/create endpoint of FastapiAdmin v2.2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the notice_content parameter.
AnalysisAI
Cross-site scripting via unsanitized markdown rendering in FastapiAdmin v2.2.0 allows unauthenticated remote attackers to inject arbitrary JavaScript or HTML through the notice_content parameter of the /system/notice/create endpoint. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in a browser security context distinct from the vulnerable component itself, enabling session hijacking, credential theft, or defacement against any user who views the crafted notice. No confirmed active exploitation (CISA KEV) exists at time of analysis, though a researcher-published reference on GitHub likely documents a proof-of-concept payload.
Technical ContextAI
FastapiAdmin v2.2.0 is an administrative panel framework built on FastAPI (Python). The vulnerability resides in the /system/notice/create endpoint, which accepts a notice_content parameter rendered as markdown. The root cause (CWE-79: Improper Neutralization of Input During Web Page Generation) is the failure to sanitize or escape markdown-to-HTML output before reflecting it in the browser - common markdown libraries permit raw HTML passthrough or support link/image syntax that can embed JavaScript handlers (e.g., [text](javascript:...) or <script> blocks). The NVD CPE assignment is currently blank (cpe:2.3:a:n/a:n/a), meaning NVD has not yet formally catalogued the affected product in its dictionary, which limits automated vulnerability scanner coverage. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N classifies this as a network-reachable, low-complexity, no-privilege attack requiring victim interaction with Changed scope.
RemediationAI
No vendor-released patch has been identified at time of analysis. Operators should monitor the FastapiAdmin project repository for a remediated release and upgrade immediately upon availability. As compensating controls: restrict network access to the /system/notice/create endpoint to trusted administrative IP ranges or internal networks only - this directly addresses the AV:N attack vector and eliminates unauthenticated remote reach (trade-off: reduces administrative flexibility). If markdown rendering is not a required feature, disable it in the notice creation workflow and enforce plain-text input only, which eliminates the markdown injection surface entirely (trade-off: loss of notice formatting capability). Implement a Content Security Policy (CSP) header with script-src 'self' on the admin panel to limit the damage from any successful XSS injection (trade-off: may break legitimate inline scripts). Input validation and output encoding for the notice_content parameter should be applied at the application layer as a permanent fix. The researcher's disclosure at https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnerability-6 should be reviewed for specific payload patterns to build WAF rules against.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today