Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable stored XSS submittable without auth (PR:N), requires a victim to view the affected page (UI:R), and the script executes in the admin's authenticated context, changing scope (S:C) with high confidentiality impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
FlatPress versions prior to commit 10be83c, contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.
AnalysisAI
Stored cross-site scripting in FlatPress (commits prior to 10be83c) allows unauthenticated remote attackers to inject persistent HTML and JavaScript via the name, URL, and email fields of comment and contact forms. The payloads execute in any viewer's browser - including administrators reviewing comments in the admin panel - and weak URL scheme validation additionally permits javascript: and data: URI injection. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target FlatPress site must expose either the public comment form on a blog post or the contact form, both of which are enabled by default, and the attacker must be able to submit at least one comment/contact entry (no account required). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 score of 8.4 (AV:N/AC:L/PR:N/UI:P/VC:H/VI:L/SC:H) reflects an unauthenticated, network-reachable stored XSS where the victim is most likely an authenticated administrator viewing the comment list - hence the high subsequent-system confidentiality impact (admin session/cookie theft, CMS takeover via the admin panel). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker submits a comment on a public FlatPress blog post, placing a payload such as a javascript: URI in the URL field or an HTML/script fragment in the name field. When an administrator later opens the admin comment-list panel - or any reader views the post's comments - the payload executes in their browser context and can exfiltrate session cookies, perform CSRF-style actions against the admin panel, or pivot to full site takeover. … |
| Remediation | Upstream fix available (commit 10be83c); released patched version not independently confirmed, so update FlatPress to a build that includes commit 10be83cbaac5ce0e51250b9d57de7f257b8f34f8 or later from https://github.com/flatpressblog/flatpress. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all FlatPress installations and verify current version (check if prior to commit 10be83c). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Path Traversal in GitHub repository flatpressblog/flatpress prior to 1.3. Rated critical severity (CVSS 9.8), this vulne
PHP Remote File Inclusion in GitHub repository flatpressblog/flatpress prior to 1.3. Rated critical severity (CVSS 9.8),
A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. Rated high severity (CV
External Control of File Name or Path in GitHub repository flatpressblog/flatpress prior to 1.3. Rated high severity (CV
FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable
Flatpress v1.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the Upload File function. Rate
flatpress 1.3.1 is vulnerable to Cross Site Scripting (XSS) in Administration area via Manage categories. Rated medium s
A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML v
A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML v
Cross-site Scripting (XSS) - Reflected in GitHub repository flatpressblog/flatpress prior to 1.3. Rated medium severity
A vulnerability was found in FlatPress. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable,
Flatpress v1.2.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the page parameter a
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38634
GHSA-gf5w-3f8w-9fm6