CVE-2025-28103

Medium CVSS: 6.4

Incorrect access control in laskBlog v2.6.1 allows attackers to arbitrarily delete user accounts via a crafted request.

Vendor

Product

CWE

Yayın Tarihi

2025-04-21 18:15:22

Güncelleme

2025-05-28 15:49:20

Source Identifier

cve@mitre.org

KEV Date Added

CWE-862 Flaskblog MEDIUM Dogukanurker 2025

https://gist.github.com/coleak2021/77895b7a7b335ae17eb57390f4a94917 https://github.com/DogukanUrker/flaskBlog/issues/130

Medium

CVE-2025-55737

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ow…

Medium

CVE-2025-55734

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when vis…

Medium

CVE-2025-55735

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the conte…

Critical

CVE-2025-55736

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving…

Medium

CVE-2025-53631

flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent when submitt…

Critical

CVE-2025-28104

Incorrect access control in laskBlog v2.6.1 allows attackers to access all usernames via a crafted input.