Description
An arbitrary file upload vulnerability in the attachment handling component of flatnotes v5.5.4 allows attackers to execute arbitrary code via uploading a crafted HTML or SVG file.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An arbitrary file upload flaw exists in the attachment handling component of Flatnotes v5.5.4. The vulnerability allows an attacker to upload a specially crafted HTML or SVG file that is ultimately processed and rendered by the application, resulting in the execution of arbitrary code. This weakness is a classic example of an insecure file upload (CWE-434) and can compromise confidentiality, integrity, and availability of the entire system by enabling full script execution.

Affected Systems

The defect affects Flatnotes version 5.5.4. No other product or vendor information is available. The vulnerability is confined to the attachment handling functionality and does not extend to other Flatnotes components unless they perform similar processing of uploaded content.

Risk and Exploitability

The CVSS score of 9.8 indicates a high severity scenario and the EPSS score of < 1% shows a low, yet non‑zero, likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description and typical web application patterns, the likely attack vector is the web interface that accepts file uploads; an authenticated or unauthenticated user who can reach the upload endpoint could craft an HTML or SVG file and trigger the vulnerable code path. No additional prerequisites such as social engineering or pre‑existing credentials are specified in the provided data.

Generated by OpenCVE AI on June 17, 2026 at 23:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain the latest security patch or upgrade Flatnotes to a patched version from the official release channel
  • Configure the application to reject unsafe MIME types; enable strict MIME type validation for uploaded files
  • Disable the rendering of uploaded HTML or SVG files or place them in a sandboxed environment to prevent script execution

Generated by OpenCVE AI on June 17, 2026 at 23:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Flatnotes
Flatnotes flatnotes
Vendors & Products Flatnotes
Flatnotes flatnotes

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Arbitrary File Upload Enabling Remote Code Execution in Flatnotes v5.5.4

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Arbitrary File Upload Enabling Remote Code Execution in Flatnotes v5.5.4

Tue, 16 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description An arbitrary file upload vulnerability in the attachment handling component of flatnotes v5.5.4 allows attackers to execute arbitrary code via uploading a crafted HTML or SVG file.
References

Subscriptions

Flatnotes Flatnotes
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T13:06:01.196Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50873

cve-icon Vulnrichment

Updated: 2026-06-16T13:05:51.018Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:30.097

Modified: 2026-06-16T15:50:58.757

Link: CVE-2026-50873

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:22Z

Weaknesses
  • CWE-434

    Unrestricted Upload of File with Dangerous Type