Description
FlatPress contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.
Published: 2026-06-23
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FlatPress contains a stored cross‑site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.

Affected Systems

All installations of FlatPress are potentially affected; the CVE record does not specify which versions contain the vulnerability, so any version could be impacted until patched. The flaw exists in the core application and is present regardless of the site’s configuration, meaning any publicly accessible comment or contact form is exploitable.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. The EPSS score of < 1% indicates a very low exploitation probability, and the vulnerability is not listed in CISA KEV. The attack vector is inferred to be through normal user interaction; a malicious user can submit a comment or contact entry containing XSS payloads that are stored and later executed when the page is viewed. Administrators are impacted because their browsers will execute the stored script upon visiting the site. No evidence of active exploitation is present in the CVE description, so the primary risk is the potential for widespread XSS if the flaw is utilized.

Generated by OpenCVE AI on June 24, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the FlatPress patch by updating the code to the state of commit 10be83c and redeploy the updated files
  • Disable the comment and contact form features until the patch is applied to eliminate the injection points
  • Restart the FlatPress web server so the updated code and configuration changes take effect

Generated by OpenCVE AI on June 24, 2026 at 15:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description FlatPress versions prior to commit 10be83c, contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs. FlatPress contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description FlatPress versions prior to commit 10be83c, contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.
Title FlatPress - Stored Cross-Site Scripting via Unescaped Comment and Contact Form Fields
First Time appeared Flatpress
Flatpress flatpress
Weaknesses CWE-79
CPEs cpe:2.3:a:flatpress:flatpress:*:*:*:*:*:*:*:*
Vendors & Products Flatpress
Flatpress flatpress
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N'}


Subscriptions

Flatpress Flatpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T13:36:17.904Z

Reserved: 2026-06-23T01:24:27.651Z

Link: CVE-2026-56785

cve-icon Vulnrichment

Updated: 2026-06-24T13:05:15.344Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')