CVE-2025-28104

Critical CVSS: 9.1

Incorrect access control in laskBlog v2.6.1 allows attackers to access all usernames via a crafted input.

Vendor

Product

CWE

Yayın Tarihi

2025-04-21 18:15:22

Güncelleme

2025-05-28 15:49:14

Source Identifier

cve@mitre.org

KEV Date Added

CWE-284 Flaskblog CRITICAL Dogukanurker 2025

https://gist.github.com/coleak2021/d5fea0f7d32a2de38130da089f4fb735 https://github.com/DogukanUrker/flaskBlog/issues/130

Medium

CVE-2025-55737

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ow…

Medium

CVE-2025-55734

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when vis…

Medium

CVE-2025-55735

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the conte…

Critical

CVE-2025-55736

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving…

Medium

CVE-2025-53631

flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent when submitt…

Medium

CVE-2025-28103

Incorrect access control in laskBlog v2.6.1 allows attackers to arbitrarily delete user accounts via a crafted request.