FlatPress – Stored Cross-Site Scripting via Unescaped Comment and Contact...

8.4 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Description

FlatPress versions prior to commit 10be83c, contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.

Basic Information

ID CVE-2026-56785

Source VulnCheck

Published Jun 23, 2026 at 22:09

Affected Product

Vendor FlatPress

Product FlatPress

Affected Versions FlatPress FlatPress 0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "FlatPress versions prior to commit 10be83c, contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.",
    "published": "2026-06-23T22:09:35.831Z",
    "modified": "2026-06-23T22:09:35.831Z",
    "type": "cve",
    "title": "FlatPress - Stored Cross-Site Scripting via Unescaped Comment and Contact Form Fields",
    "source": "VulnCheck",
    "references": "https://github.com/flatpressblog/flatpress/commit/10be83cbaac5ce0e51250b9d57de7f257b8f34f8\nhttps://github.com/dilipk5/flatpressd-cms-sxss\nhttps://www.vulncheck.com/advisories/flatpress-stored-cross-site-scripting-via-unescaped-comment-and-contact-form-fields",
    "id": "CVE-2026-56785",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "FlatPress FlatPress 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.4,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FlatPress",
    "version": "0",
    "vendor": "FlatPress",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

FlatPress – Stored Cross-Site Scripting via Unescaped Comment and Contact Form Fields_CVE-2026-56785