Impact
An arbitrary file upload flaw exists in the attachment handling component of Flatnotes v5.5.4. The vulnerability allows an attacker to upload a specially crafted HTML or SVG file that is ultimately processed and rendered by the application, resulting in the execution of arbitrary code. This weakness is a classic example of an insecure file upload (CWE-434) and can compromise confidentiality, integrity, and availability of the entire system by enabling full script execution.
Affected Systems
The defect affects Flatnotes version 5.5.4. No other product or vendor information is available. The vulnerability is confined to the attachment handling functionality and does not extend to other Flatnotes components unless they perform similar processing of uploaded content.
Risk and Exploitability
The CVSS score of 9.8 indicates a high severity scenario and the EPSS score of < 1% shows a low, yet non‑zero, likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description and typical web application patterns, the likely attack vector is the web interface that accepts file uploads; an authenticated or unauthenticated user who can reach the upload endpoint could craft an HTML or SVG file and trigger the vulnerable code path. No additional prerequisites such as social engineering or pre‑existing credentials are specified in the provided data.
OpenCVE Enrichment