Description
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG (or other active content formats such as HTML or XML), an attacker can achieve script execution in the context of the application's origin when a victim views the file in “raw” mode. This results in a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to exfiltrate user data. This issue has been fixed in version 1.7.1.
Published: 2026-02-20
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) that executes script in the application’s origin.
Action: Apply Patch
AI Analysis

Impact

Flare, a self-hosted file sharing application, allowed files to be uploaded without validating or sanitizing their content. By embedding JavaScript inside an SVG, or inside another format the browser treats as active content such as HTML or XML, an attacker can cause that script to run in the application's origin whenever a user opens the file in raw mode. This stored XSS flaw enables exfiltration of sensitive information or impersonation of the victim within the site. The failure is a classic input validation weakness, classified as CWE-79.

Affected Systems

FlintSH's Flare platform, versions 1.7.0 and earlier, is affected. The vulnerability lies in the general file preview functionality and is not limited to any particular deployment configuration. Version 1.7.1 remedies the issue.

Risk and Exploitability

The CVSS score is 4.6, indicating moderate severity, and the EPSS score is below 1%, indicating a low probability of exploitation at this time. The vulnerability is not yet listed in CISA's KEV catalog. The attack path runs through the existing upload feature: an attacker must first upload a crafted file to a Flare instance, then persuade a victim user to view the file in raw mode. Because the flaw involves stored input, anyone with write access can embed malicious payloads, and any authenticated or anonymous user who opens the file will be affected.

Generated by OpenCVE AI on April 17, 2026 at 17:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flare to release 1.7.1 or later to get the author’s patch.
  • If an update is not immediately feasible, disable raw file preview for untrusted users or delete files that were uploaded before the fix.
  • Implement server‑side validation and HTML sanitization on all uploaded content to remove executable scripts before storage.
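As an added, defender-side example (not Flare's own code), the following Node/JavaScript helper shows one way to close the raw-preview path described above: it derives the response headers for a stored file so that browser-active types (SVG, HTML, XML) are never rendered as a document in the application's origin, while inert types such as PNG still preview inline. The file record shape, the function names and the default filename are assumptions.

```javascript
// Added example, not Flare's own code. Chooses response headers for a "raw"
// file endpoint so that browser-active formats stored by users cannot run
// script in the application's origin. The { name, mimeType } record is assumed.

// Types a browser will render as a scriptable document when opened directly.
const ACTIVE_TYPES = new Set([
  'image/svg+xml',
  'text/html',
  'application/xhtml+xml',
  'text/xml',
  'application/xml',
]);

// Strip parameters and case so 'IMAGE/SVG+XML; charset=utf-8' matches the list.
function normalizeType(mimeType) {
  return String(mimeType || '').split(';')[0].trim().toLowerCase();
}

// Headers for serving one stored file. Every response gets nosniff so the
// browser cannot promote text/plain or an unknown type to HTML. Active types
// (and unknown ones) are forced to download and, should a user still navigate
// to the URL directly, a CSP sandbox denies script and removes the app origin.
// The declared type is kept for SVG because Content-Disposition and CSP do not
// apply to <img> subresource loads, so thumbnail-style previews keep working.
function rawFileHeaders(file) {
  const type = normalizeType(file.mimeType) || 'application/octet-stream';
  const safeName = String(file.name || 'download').replace(/[^\w.-]/g, '_');
  const headers = {
    'Content-Type': type,
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'private, no-store',
  };
  if (ACTIVE_TYPES.has(type) || type === 'application/octet-stream') {
    headers['Content-Disposition'] = `attachment; filename="${safeName}"`;
    headers['Content-Security-Policy'] = "sandbox; script-src 'none'";
  } else {
    headers['Content-Disposition'] = `inline; filename="${safeName}"`;
  }
  return headers;
}
```

Sanitizing SVG and HTML at upload time with an allow-list sanitizer is complementary; the headers are the control that keeps a missed vector from executing in the application's origin.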

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 17:45:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:flintsh:flare:*:*:*:*:*:*:*:*

Mon, 23 Feb 2026 19:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Flintsh
                                        Flintsh flare
Vendors & Products                      Flintsh
                                        Flintsh flare

Fri, 20 Feb 2026 03:15:00 +0000

Type          Values Removed    Values Added
Description                     Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG (or other active content formats such as HTML or XML), an attacker can achieve script execution in the context of the application's origin when a victim views the file in “raw” mode. This results in a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to exfiltrate user data. This issue has been fixed in version 1.7.1.
Title                           Flare has XSS vulnerability in Raw File Preview
Weaknesses                      CWE-79
References
Metrics                         cvssV3_1
                                {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-23T18:09:14.053Z

Reserved: 2026-02-17T01:41:24.606Z

Link: CVE-2026-26993

Vulnrichment

Updated: 2026-02-23T18:09:08.264Z

NVD

Status : Analyzed

Published: 2026-02-20T03:16:01.153

Modified: 2026-03-03T17:35:32.257

Link: CVE-2026-26993

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses