Description
FlatPress contains a stored cross-site scripting vulnerability in its comment and contact forms: the name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in the browsers of viewers, including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.
Published: 2026-06-23
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FlatPress versions prior to commit 10be83c store the name, URL, and email fields from comments and contact forms and render them without proper output encoding in Smarty templates, creating a stored cross-site scripting flaw. An attacker can submit malicious HTML or JavaScript through these fields; it is rendered later when a page containing the stored comment or contact entry is viewed, so the script executes in the viewer's browser. The vulnerability also permits bypassing URL scheme validation, enabling injection of javascript: or data: URIs.
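As an added illustration, not FlatPress code and not the commit 10be83c fix, the following PHP shows the two controls the description calls out: HTML-encoding the name, email and URL fields before they are handed to a template, and an allowlist check on the URL scheme so that javascript: and data: URIs are rejected rather than merely encoded. The function names (`encodeHtml`, `safeHref`, `renderCommentFields`) and the sample comments are constructed for this example.

```php
<?php
// Added example (not FlatPress's own code): output-encode stored comment
// fields and allowlist URL schemes before the values reach a template.

declare(strict_types=1);

/** HTML-encode a stored text field for safe insertion into element content or an attribute value. */
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Return a safe href for a user-supplied URL, or null if it is rejected.
 * Only absolute http/https URLs with a host are accepted; javascript:,
 * data:, vbscript:, scheme-relative and malformed values are dropped.
 */
function safeHref(string $url): ?string
{
    // Remove ASCII control characters and whitespace: browsers skip them when
    // parsing a scheme, so "java\tscript:" would otherwise slip past a naive check.
    $clean = preg_replace('/[\x00-\x20\x7F]/', '', $url);
    if ($clean === null || $clean === '') {
        return null;
    }
    $parts = parse_url($clean);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $clean;
}

/** Produce the encoded values a template may interpolate for one stored comment. */
function renderCommentFields(array $comment): array
{
    $href = isset($comment['url']) ? safeHref((string) $comment['url']) : null;
    return [
        'name'  => encodeHtml((string) ($comment['name'] ?? '')),
        'email' => encodeHtml((string) ($comment['email'] ?? '')),
        // The href is scheme-checked first, then attribute-encoded like any other field.
        'url'   => $href === null ? null : encodeHtml($href),
    ];
}

// Constructed sample inputs (not real data), including the hostile cases from the description.
$samples = [
    ['name' => 'Alice', 'email' => 'alice@example.test', 'url' => 'https://example.test/'],
    ['name' => '<script>alert(1)</script>', 'email' => '"onmouseover="x', 'url' => 'javascript:alert(1)'],
    ['name' => 'Bob', 'email' => 'bob@example.test', 'url' => 'data:text/html,<script>alert(1)</script>'],
    ['name' => 'Carol', 'email' => 'carol@example.test', 'url' => "JAVA\tSCRIPT:alert(1)"],
];
foreach ($samples as $sample) {
    $out = renderCommentFields($sample);
    printf("name=%s email=%s url=%s\n", $out['name'], $out['email'], $out['url'] ?? '(rejected)');
}
```

In a Smarty template the encoding step corresponds to the `escape` modifier (`{$comment.name|escape}`, which defaults to HTML escaping). Encoding alone does not address the second half of the description: an href of `javascript:alert(1)` survives HTML escaping unchanged, so the scheme allowlist has to run server-side before the value is stored or rendered.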

Affected Systems

All installations of FlatPress running a version before the commit 10be83c are affected. The flaw exists in the core application and is present regardless of the site’s configuration, meaning any publicly accessible comment or contact form is exploitable.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. EPSS data is not available and the vulnerability is not listed in CISA KEV. The attack vector is inferred to be normal user interaction: a malicious user submits a comment or contact entry containing an XSS payload, which is stored and later executed when the page is viewed. Administrators are affected because their browsers execute the stored script when they visit the site. The CVE description gives no evidence of active exploitation, so the primary risk is widespread XSS if the flaw is exploited.

Generated by OpenCVE AI on June 24, 2026 at 09:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the FlatPress patch by updating the code to the state of commit 10be83c and redeploy the updated files
  • Disable the comment and contact form features until the patch is applied to eliminate the injection points
  • Restart the FlatPress web server so the updated code and configuration changes take effect


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:45:00 +0000

Type: Description
Values Removed: FlatPress versions prior to commit 10be83c, contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.
Values Added: FlatPress contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.

Wed, 24 Jun 2026 13:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 22:30:00 +0000

Type: Description
Values Added: FlatPress versions prior to commit 10be83c, contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.

Type: Title
Values Added: FlatPress - Stored Cross-Site Scripting via Unescaped Comment and Contact Form Fields

Type: First Time appeared
Values Added: Flatpress; Flatpress flatpress

Type: Weaknesses
Values Added: CWE-79

Type: CPEs
Values Added: cpe:2.3:a:flatpress:flatpress:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Flatpress; Flatpress flatpress

Type: References
Values Added: (none)

Type: Metrics
Values Added: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}
Values Added: cvssV4_0 {'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T13:36:17.904Z

Reserved: 2026-06-23T01:24:27.651Z

Link: CVE-2026-56785

Vulnrichment

Updated: 2026-06-24T13:05:15.344Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:30:06Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')