Skip to main content

FastapiAdmin CVE-2026-36725

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 mitre
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 21:41 vuln.today
CVSS changed
Jun 09, 2026 - 21:22 NVD
6.1 (MEDIUM)
CVE Published
Jun 09, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionNVD

A markdown based cross-site scripting (XSS) vulnerability in the /system/notice/create endpoint of FastapiAdmin v2.2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the notice_content parameter.

AnalysisAI

Cross-site scripting via unsanitized markdown rendering in FastapiAdmin v2.2.0 allows unauthenticated remote attackers to inject arbitrary JavaScript or HTML through the notice_content parameter of the /system/notice/create endpoint. The Changed scope (S:C) in the CVSS vector confirms the injected script executes in a browser security context distinct from the vulnerable component itself, enabling session hijacking, credential theft, or defacement against any user who views the crafted notice. No confirmed active exploitation (CISA KEV) exists at time of analysis, though a researcher-published reference on GitHub likely documents a proof-of-concept payload.

Technical ContextAI

FastapiAdmin v2.2.0 is an administrative panel framework built on FastAPI (Python). The vulnerability resides in the /system/notice/create endpoint, which accepts a notice_content parameter rendered as markdown. The root cause (CWE-79: Improper Neutralization of Input During Web Page Generation) is the failure to sanitize or escape markdown-to-HTML output before reflecting it in the browser - common markdown libraries permit raw HTML passthrough or support link/image syntax that can embed JavaScript handlers (e.g., [text](javascript:...) or <script> blocks). The NVD CPE assignment is currently blank (cpe:2.3:a:n/a:n/a), meaning NVD has not yet formally catalogued the affected product in its dictionary, which limits automated vulnerability scanner coverage. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N classifies this as a network-reachable, low-complexity, no-privilege attack requiring victim interaction with Changed scope.

RemediationAI

No vendor-released patch has been identified at time of analysis. Operators should monitor the FastapiAdmin project repository for a remediated release and upgrade immediately upon availability. As compensating controls: restrict network access to the /system/notice/create endpoint to trusted administrative IP ranges or internal networks only - this directly addresses the AV:N attack vector and eliminates unauthenticated remote reach (trade-off: reduces administrative flexibility). If markdown rendering is not a required feature, disable it in the notice creation workflow and enforce plain-text input only, which eliminates the markdown injection surface entirely (trade-off: loss of notice formatting capability). Implement a Content Security Policy (CSP) header with script-src 'self' on the admin panel to limit the damage from any successful XSS injection (trade-off: may break legitimate inline scripts). Input validation and output encoding for the notice_content parameter should be applied at the application layer as a permanent fix. The researcher's disclosure at https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnerability-6 should be reviewed for specific payload patterns to build WAF rules against.

Share

CVE-2026-36725 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy