Description
A markdown based cross-site scripting (XSS) vulnerability in the /system/notice/create endpoint of FastapiAdmin v2.2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the notice_content parameter.
Published: 2026-06-09
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A markdown-based cross-site scripting vulnerability exists in the /system/notice/create endpoint of FastapiAdmin v2.2.0. Attackers can inject crafted payloads into the notice_content field, which are rendered as raw HTML. When a privileged user views the notice, the injected script executes in the browser context, allowing the attacker to steal session data, perform actions on behalf of the user, or redirect traffic.

Affected Systems

FastapiAdmin version 2.2.0 is affected.

Risk and Exploitability

The vulnerability can be exploited with minimal skill by submitting a malicious notice through an authenticated session. No EPSS score is available, but neither the lack of a mitigation in the application nor its absence from the CISA KEV list reduces the potential impact. Attackers can steal credentials, deface the UI, or execute further attacks in the target environment. The CVSS score of 6.1 indicates a moderate severity.

Generated by OpenCVE AI on June 9, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of FastapiAdmin that sanitizes or escapes notice_content or removes markdown rendering.
  • Implement server-side validation to strip or encode HTML tags and attributes from notice_content before storage.
  • Configure a web application firewall to detect and block requests containing script tags or other suspicious HTML in notice_content.
  • Add a Content-Security-Policy header that restricts script execution to trusted sources.

Tracking

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

Type: First Time appeared
Values Added: Fastapiadmin; Fastapiadmin fastapiadmin

Type: Vendors & Products
Values Added: Fastapiadmin; Fastapiadmin fastapiadmin

Tue, 09 Jun 2026 23:45:00 +0000

Type: Title
Values Added: Markdown XSS in FastapiAdmin /system/notice/create Endpoint

Tue, 09 Jun 2026 21:30:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 21:15:00 +0000

Type: Title
Values Added: Markdown XSS in FastapiAdmin /system/notice/create Endpoint

Type: Weaknesses
Values Added: CWE-79

Tue, 09 Jun 2026 18:45:00 +0000

Type: Description
Values Added: A markdown based cross-site scripting (XSS) vulnerability in the /system/notice/create endpoint of FastapiAdmin v2.2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the notice_content parameter.

Type: References
Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-09T19:40:13.064Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-36725

Vulnrichment

Updated: 2026-06-09T19:40:08.069Z

NVD

Status : Received

Published: 2026-06-09T19:17:42.980

Modified: 2026-06-09T21:17:10.890

Link: CVE-2026-36725

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:22:42Z

Weaknesses