CVE-2026-56785
Received Received - Intake
Stored XSS in FlatPress Comment and Contact Forms

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: VulnCheck

Description
FlatPress versions prior to commit 10be83c, contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-24
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-56785
EUVD
EUVD-2026-38634
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
flatpress flatpress to 10be83c (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in FlatPress versions prior to commit 10be83c and is a stored cross-site scripting (XSS) issue. It occurs in the comment and contact forms where the name, URL, and email fields are rendered without proper output encoding in Smarty templates. Because of this, attackers can inject arbitrary HTML and JavaScript code through these fields.

The injected malicious scripts can then execute in the browsers of anyone viewing the affected pages, including administrators. Additionally, attackers can bypass URL scheme validation to inject javascript: or data: URIs, which can lead to further exploitation.

Impact Analysis

This vulnerability can have serious impacts including the execution of malicious scripts in the browsers of users and administrators who view the affected pages. This can lead to theft of sensitive information, session hijacking, defacement, or other malicious actions performed on behalf of the victim.

Because the vulnerability allows injection of arbitrary HTML and JavaScript, attackers can manipulate the website content or perform actions that compromise the security and integrity of the site and its users.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56785. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart