CVE-2025-55736

Critical CVSS: 9.3

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file.

Vendor

Dogukanurker

Product

Flaskblog

CWE

CWE-425

Yayın Tarihi

2025-08-19 19:15:37

Güncelleme

2025-08-22 20:56:14

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-425 Flaskblog CRITICAL Dogukanurker 2025

Referanslar

https://github.com/DogukanUrker/FlaskBlog/security/advisories/GHSA-6q83-vfmq-wf72

Benzer Kayıtlar

Medium

CVE-2025-55737

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ow…

Medium

CVE-2025-55734

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when vis…

Medium

CVE-2025-55735

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the conte…

Medium

CVE-2025-53631

flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent when submitt…

Medium

CVE-2025-28103

Incorrect access control in laskBlog v2.6.1 allows attackers to arbitrarily delete user accounts via a crafted request.

Critical

CVE-2025-28104

Incorrect access control in laskBlog v2.6.1 allows attackers to access all usernames via a crafted input.