Flare has XSS vulnerability in Raw File Preview_CVE-2026-26993

4.6 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Description

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG (or other active content formats such as HTML or XML), an attacker can achieve script execution in the context of the application's origin when a victim views the file in “raw” mode. This results in a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to exfiltrate user data. This issue has been fixed in version 1.7.1.

Basic Information

ID CVE-2026-26993

Source GitHub_M

Published Feb 20, 2026 at 02:33

Affected Product

Vendor FlintSH

Product Flare

Version 1.7.1

Affected Versions FlintSH Flare 1.7.1

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG (or other active content formats such as HTML or XML), an attacker can achieve script execution in the context of the application's origin when a victim views the file in \u201craw\u201d mode. This results in a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to exfiltrate user data. This issue has been fixed in version 1.7.1.",
    "published": "2026-02-20T02:33:16.709Z",
    "modified": "2026-02-20T02:33:16.709Z",
    "type": "cve",
    "title": "Flare has XSS vulnerability in Raw File Preview",
    "source": "GitHub_M",
    "references": "https://github.com/FlintSH/Flare/security/advisories/GHSA-q8fp-w6m5-4gjm\nhttps://github.com/FlintSH/Flare/commit/7763d7b954799552f287ab9260bb1353f8880163\nhttps://github.com/FlintSH/Flare/releases/tag/v1.7.1",
    "id": "CVE-2026-26993",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "FlintSH Flare 1.7.1",
    "sourceHref": "",
    "cvss": {
        "score": 4.6,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Flare",
    "version": "1.7.1",
    "vendor": "FlintSH",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}