Skip to main content

FlatPress CVE-2026-56785

| EUVDEUVD-2026-38634 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-23 VulnCheck GHSA-gf5w-3f8w-9fm6
8.4
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.2 HIGH

Network-reachable stored XSS submittable without auth (PR:N), requires a victim to view the affected page (UI:R), and the script executes in the admin's authenticated context, changing scope (S:C) with high confidentiality impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 22:46 vuln.today
Analysis Generated
Jun 23, 2026 - 22:46 vuln.today

DescriptionCVE.org

FlatPress versions prior to commit 10be83c, contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.

AnalysisAI

Stored cross-site scripting in FlatPress (commits prior to 10be83c) allows unauthenticated remote attackers to inject persistent HTML and JavaScript via the name, URL, and email fields of comment and contact forms. The payloads execute in any viewer's browser - including administrators reviewing comments in the admin panel - and weak URL scheme validation additionally permits javascript: and data: URI injection. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify public FlatPress blog with comments enabled
Delivery
Submit comment with javascript: URI or HTML payload in name/url/email
Exploit
Payload stored unescaped in flat-file backend
Execution
Admin opens comment-list panel or visitor loads post
Persist
Script executes in victim browser context
Impact
Steal admin session or perform CMS actions

Vulnerability AssessmentAI

Exploitation The target FlatPress site must expose either the public comment form on a blog post or the contact form, both of which are enabled by default, and the attacker must be able to submit at least one comment/contact entry (no account required). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 score of 8.4 (AV:N/AC:L/PR:N/UI:P/VC:H/VI:L/SC:H) reflects an unauthenticated, network-reachable stored XSS where the victim is most likely an authenticated administrator viewing the comment list - hence the high subsequent-system confidentiality impact (admin session/cookie theft, CMS takeover via the admin panel). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a comment on a public FlatPress blog post, placing a payload such as a javascript: URI in the URL field or an HTML/script fragment in the name field. When an administrator later opens the admin comment-list panel - or any reader views the post's comments - the payload executes in their browser context and can exfiltrate session cookies, perform CSRF-style actions against the admin panel, or pivot to full site takeover. …
Remediation Upstream fix available (commit 10be83c); released patched version not independently confirmed, so update FlatPress to a build that includes commit 10be83cbaac5ce0e51250b9d57de7f257b8f34f8 or later from https://github.com/flatpressblog/flatpress. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all FlatPress installations and verify current version (check if prior to commit 10be83c). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-0947 CRITICAL POC
9.8 Feb 22

Path Traversal in GitHub repository flatpressblog/flatpress prior to 1.3. Rated critical severity (CVSS 9.8), this vulne

CVE-2022-4606 CRITICAL POC
9.8 Dec 18

PHP Remote File Inclusion in GitHub repository flatpressblog/flatpress prior to 1.3. Rated critical severity (CVSS 9.8),

CVE-2024-4023 HIGH POC
8.1 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. Rated high severity (CV

CVE-2023-1105 HIGH POC
8.1 Mar 01

External Control of File Name or Path in GitHub repository flatpressblog/flatpress prior to 1.3. Rated high severity (CV

CVE-2024-9847 HIGH POC
8.0 Mar 20

FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable

CVE-2022-40048 HIGH POC
7.2 Sep 29

Flatpress v1.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the Upload File function. Rate

CVE-2025-29602 MEDIUM POC
6.1 May 07

flatpress 1.3.1 is vulnerable to Cross Site Scripting (XSS) in Administration area via Manage categories. Rated medium s

CVE-2024-25412 MEDIUM POC
6.1 Sep 27

A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML v

CVE-2024-25411 MEDIUM POC
6.1 Sep 27

A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML v

CVE-2023-1106 MEDIUM POC
6.1 Mar 02

Cross-site Scripting (XSS) - Reflected in GitHub repository flatpressblog/flatpress prior to 1.3. Rated medium severity

CVE-2022-4748 CRITICAL
9.8 Dec 27

A vulnerability was found in FlatPress. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,

CVE-2022-40047 MEDIUM POC
5.4 Oct 11

Flatpress v1.2.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the page parameter a

Share

CVE-2026-56785 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy