CRITICAL🇵🇱 Wersja polska

CVE-2025-55736

CVSS 9.3v4.0pub. 2025-08-19upd. 2025-08-22

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Dogukanurker Flaskblog

    APP
    Dogukanurker
    ≤ 2.8.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-28104CRITICAL9.1PL ✓ten sam produkt

Nieprawidłowa kontrola dostępu w FlaskBlog — ujawnienie nazw użytkowników

CVE-2025-55737MEDIUM6.9ten sam produkt

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation...

CVE-2025-55734MEDIUM6.9ten sam produkt

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" onl...

CVE-2025-55735MEDIUM5.3ten sam produkt

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of...

CVE-2025-53631MEDIUM5.3ten sam produkt

flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent wh...