CVE-2025-55735
BaseFortify
Publication date: 2025-08-19
Last updated on: 2025-08-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dogukanurker | flaskblog | up to and including 2.8.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-807 | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in flaskBlog versions 2.8.0 and earlier. When creating a post, the application does not validate the content stored in the variable "postContent". Later, when displaying the post content, it uses the | safe filter in the template, which prevents escaping of the content. This allows an attacker to inject malicious scripts that get stored and executed when other users view the post, leading to a stored Cross-Site Scripting (XSS) vulnerability.
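A template audit for the pattern described above, as an added example that is not flaskBlog's own code: it flags every Jinja output that opts out of escaping, either through the `| safe` filter or an `{% autoescape false %}` block. The template text and the function name `audit_template` are constructed for illustration.

```python
import re

# Any Jinja tag: {{ expression }} or {% statement %}, with optional "-" trim marks.
TAG = re.compile(r"\{([{%])-?\s*(.*?)\s*-?[%}]\}", re.DOTALL)
SAFE_FILTER = re.compile(r"\|\s*safe\b")
AUTOESCAPE_OFF = re.compile(r"autoescape\s+false\b", re.IGNORECASE)
STRING_LITERAL = re.compile(r"(['\"]).*?\1", re.DOTALL)


def audit_template(source):
    """Return (line, reason, tag_body) for each place escaping is switched off."""
    findings = []
    for match in TAG.finditer(source):
        kind, body = match.group(1), match.group(2)
        # Ignore text inside quoted strings so "|safe" in a literal is not flagged.
        code = STRING_LITERAL.sub("", body)
        if SAFE_FILTER.search(code):
            reason = "safe filter"
        elif kind == "%" and AUTOESCAPE_OFF.match(code):
            reason = "autoescape off"
        else:
            continue
        line = source.count("\n", 0, match.start()) + 1
        findings.append((line, reason, body))
    return findings


# Constructed sample template; only the variable name postContent comes from the advisory.
SAMPLE = """<h1>{{ post.title }}</h1>
<div class="content">
  {{ postContent | safe }}
</div>
{% autoescape false %}{{ post.tags }}{% endautoescape %}
<p>{{ "render with |safe only for trusted HTML" }}</p>
"""

if __name__ == "__main__":
    for line, reason, body in audit_template(SAMPLE):
        print(f"line {line}: {reason}: {body}")
```

Each finding needs a manual check of where the value comes from; when it is user-supplied, as with the post content here, remove the filter so autoescaping applies, or sanitize the HTML against an allowlist before storing it.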
How can this vulnerability impact me?
This stored XSS vulnerability can allow attackers to execute malicious scripts in the context of users viewing the blog posts. This can lead to theft of user credentials, session hijacking, defacement of the website, or distribution of malware, thereby compromising user security and trust.