flaskBlog allows arbitrary privilege escalation_CVE-2025-55736

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file.

Basic Information

ID CVE-2025-55736

Source GitHub_M

Published Aug 19, 2025 at 19:04

Modified Aug 19, 2025 at 19:29

Affected Product

Vendor DogukanUrker

Product FlaskBlog

Version <= 2.8.0

Affected Versions DogukanUrker FlaskBlog <= 2.8.0

CWE Classification

CWE-425 CWE-807

References

github.com /DogukanUrker/FlaskBlog/security/advisories/GHSA-6q83-vfmq-wf72

{
    "lastseen": "",
    "description": "flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to \"admin\", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file.",
    "published": "2025-08-19T19:04:00.564Z",
    "modified": "2025-08-19T19:29:09.500Z",
    "type": "cve",
    "title": "flaskBlog allows arbitrary privilege escalation",
    "source": "GitHub_M",
    "references": "https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-6q83-vfmq-wf72",
    "id": "CVE-2025-55736",
    "bulletinFamily": "",
    "cwe": [
        "CWE-425",
        "CWE-807"
    ],
    "cvelist": null,
    "sourceData": "DogukanUrker FlaskBlog <= 2.8.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FlaskBlog",
    "version": "<= 2.8.0",
    "vendor": "DogukanUrker",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}