FlatPress - Stored Cross-Site Scripting via Unescaped Comment and Contact Form Fields | Advisories

Advisories

FlatPress - Stored Cross-Site Scripting via Unescaped Comment and Contact Form Fields

severity: high
date: 6/23/2026
Affecting: FlatPress <= commit 10be83c
CVE: CVE-2026-56785
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 8.4
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
References: Patch Commit
Vendor Advisory
Credit: Fraenkiman, Dilipkumar Choudhary
Description: FlatPress contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo