CVE-2026-56785
Deferred Deferred - Pending Action

Stored XSS in FlatPress Comment and Contact Forms

Vulnerability report for CVE-2026-56785, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-24

Assigner: VulnCheck

Description

FlatPress contains a stored cross-site scripting vulnerability in comment and contact forms where name, URL, and email fields are rendered without proper output encoding in Smarty templates. Attackers can inject arbitrary HTML and JavaScript through these fields to execute malicious scripts in browsers of viewers including administrators, or bypass URL scheme validation to inject javascript: or data: URIs.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-24
Generated
2026-07-14
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
flatpress flatpress to 10be83c (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in FlatPress versions prior to commit 10be83c and is a stored cross-site scripting (XSS) issue. It occurs in the comment and contact forms where the name, URL, and email fields are rendered without proper output encoding in Smarty templates. Because of this, attackers can inject arbitrary HTML and JavaScript code through these fields.

The injected malicious scripts can then execute in the browsers of anyone viewing the affected pages, including administrators. Additionally, attackers can bypass URL scheme validation to inject javascript: or data: URIs, which can lead to further exploitation.

Impact Analysis

This vulnerability can have serious impacts including the execution of malicious scripts in the browsers of users and administrators who view the affected pages. This can lead to theft of sensitive information, session hijacking, defacement, or other malicious actions performed on behalf of the victim.

Because the vulnerability allows injection of arbitrary HTML and JavaScript, attackers can manipulate the website content or perform actions that compromise the security and integrity of the site and its users.

Detection Guidance

This vulnerability can be detected by inspecting the comment and contact form fields (name, URL, and email) in FlatPress CMS for improper output encoding or the presence of injected HTML or JavaScript code.

Specifically, you can test by submitting payloads containing script tags or javascript: URIs in these fields and then checking if the input is rendered unescaped in the browser, which would indicate vulnerability.

There are no specific commands provided in the available resources, but manual testing or using web vulnerability scanners that detect stored XSS in form inputs could be effective.

Mitigation Strategies

The immediate mitigation step is to apply the official patch provided by the FlatPress maintainers, which fixes the vulnerability by improving input sanitization and URL validation.

  • Update FlatPress CMS to include the commit 10be83c or later, which contains the fix.
  • Ensure that user inputs in comment and contact forms are properly sanitized and escaped before rendering, especially the name, URL, and email fields.
  • Validate URLs strictly to allow only http and https schemes and reject javascript: or data: URIs.

If immediate patching is not possible, consider disabling or restricting the comment and contact forms temporarily to prevent exploitation.

Compliance Impact

The provided information does not specify how the CVE-2026-56785 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56785. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart