Skip to main content

Flaskbb

2 CVEs product

Monthly

CVE-2026-22659 HIGH PATCH This Week

Authorization bypass in FlaskBB through 2.2.0 lets authenticated moderators perform lock, unlock, delete, or hide actions on topics in forums they have no authority over. By anchoring a crafted batch request with a low-ID topic from a permitted forum, the attacker slips past a permission check that is applied only to the first result. No public exploit is identified at time of analysis, and the flaw is fixed in commit acc88cf.

Authentication Bypass Flaskbb
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-22660 HIGH PATCH This Week

Authorization-model destruction in FlaskBB forum software (versions up to and including 2.2.0) lets an authenticated administrator wipe all six built-in permission groups through the management bulk-delete AJAX endpoint. Because the endpoint compares JSON integer group IDs against string literals, the guard meant to protect built-in groups never matches and silently allows their removal, collapsing the forum's entire permission model and potentially bricking the site. No public exploit identified at time of analysis; the flaw was reported by VulnCheck and is fixed in commit a5da9a5.

Information Disclosure Flaskbb
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.3%
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Authorization bypass in FlaskBB through 2.2.0 lets authenticated moderators perform lock, unlock, delete, or hide actions on topics in forums they have no authority over. By anchoring a crafted batch request with a low-ID topic from a permitted forum, the attacker slips past a permission check that is applied only to the first result. No public exploit is identified at time of analysis, and the flaw is fixed in commit acc88cf.

Authentication Bypass Flaskbb
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authorization-model destruction in FlaskBB forum software (versions up to and including 2.2.0) lets an authenticated administrator wipe all six built-in permission groups through the management bulk-delete AJAX endpoint. Because the endpoint compares JSON integer group IDs against string literals, the guard meant to protect built-in groups never matches and silently allows their removal, collapsing the forum's entire permission model and potentially bricking the site. No public exploit identified at time of analysis; the flaw was reported by VulnCheck and is fixed in commit a5da9a5.

Information Disclosure Flaskbb
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy