Stored Cross-Site Scripting in FlatPress by FlatPress Team
CVE-2026-56785

8.4 HIGH (CVSS v4)

Key Information:

Vendor: Flatpress
Status: Vendor
CVE Published: 23 June 2026

What is CVE-2026-56785?

FlatPress, a popular PHP blogging platform, is vulnerable to stored cross-site scripting (XSS) through its comment and contact forms. The name, URL and email fields are written into Smarty templates without adequate output encoding, so an attacker can submit arbitrary HTML and JavaScript in those fields and have it stored along with the comment. The payload then executes in the browser of anyone who views the stored content, including administrators. In addition, the URL field's scheme validation can be bypassed, so javascript: and data: URIs can be injected as link targets, which increases the impact of the flaw.
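The two missing controls the advisory describes, scheme allow-listing for the URL field and output encoding of every field at render time, as an added example. This is not FlatPress's own code or its fix; the field names, helper names and the Smarty template fragment are assumptions for illustration, and the sample submissions are constructed.

```php
<?php
// Added example, not FlatPress code: scheme allow-listing for the URL field plus
// HTML encoding of name/URL/email at render time. Field names, helper names and
// the template fragment are assumptions for illustration.

declare(strict_types=1);

// Encode a value for element text or a quoted attribute. ENT_QUOTES covers both
// quote styles; ENT_SUBSTITUTE keeps invalid UTF-8 from emptying the output.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Return the URL if its scheme is allow-listed, '' if it must not be linked.
// Browsers drop leading/trailing C0 controls and spaces and ignore tab, CR and
// LF anywhere in a URL, so " javascript:" and "java\tscript:" both reach the
// scheme parser as javascript:. Apply the same normalisation before checking,
// and compare the scheme case-insensitively ("JaVaScRiPt:" is still javascript).
function safe_url(string $url): string
{
    $url = preg_replace('/^[\x00-\x20]+|[\x00-\x20]+$/', '', $url) ?? '';
    $url = str_replace(["\t", "\r", "\n"], '', $url);
    if ($url === '') {
        return '';
    }
    if (preg_match('#^([a-z][a-z0-9+.-]*):#i', $url, $m) === 1) {
        return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true) ? $url : '';
    }
    // No scheme at all ("example.com/blog"): make it absolute so it cannot
    // resolve relative to the blog and no scheme can be prepended later.
    return 'https://' . ltrim($url, '/');
}

// Normalise one submitted comment. Only the URL is transformed here; name and
// email stay raw and are encoded at output, so nothing is double-encoded.
function prepare_comment(array $submitted): array
{
    return [
        'name'  => (string)($submitted['name'] ?? ''),
        'url'   => safe_url((string)($submitted['url'] ?? '')),
        'email' => (string)($submitted['email'] ?? ''),
    ];
}

// In the Smarty template the encoding is applied with the escape modifier, whose
// default variant is html; this replaces raw {$comment.name} style interpolation:
//
//   <a href="{$comment.url|escape}">{$comment.name|escape}</a>
//   &lt;{$comment.email|escape}&gt;
//
// Alternatively set $smarty->escape_html = true so every {$var} is encoded unless
// marked nofilter. The function below reproduces what that template outputs so
// the effect can be checked without a Smarty install.
function render_comment_header(array $c): string
{
    $href = $c['url'] === '' ? '' : ' href="' . esc($c['url']) . '"';
    return '<a' . $href . '>' . esc($c['name']) . '</a> &lt;' . esc($c['email']) . '&gt;';
}

// Constructed payloads of the kinds the advisory describes (not real submissions).
$samples = [
    ['name' => '<script>alert(document.cookie)</script>', 'url' => " JavaScript:alert(1)",
     'email' => 'x" onmouseover="alert(1)'],
    ['name' => 'data-uri', 'url' => 'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==',
     'email' => 'a@example.com'],
    ['name' => 'Alice & Bob', 'url' => 'example.com/blog', 'email' => 'alice@example.com'],
];
foreach ($samples as $s) {
    echo render_comment_header(prepare_comment($s)), "\n";
}
```

The first two samples come out with no href at all (their schemes are rejected) and with every angle bracket and quote encoded, so the stored markup is rendered as text; the third keeps a working https link with the ampersand encoded. Doing the scheme check on input and the encoding on output is deliberate: encoding alone would not stop a javascript: link, and rejecting schemes alone would not stop a breakout from a quoted attribute.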

Affected Version(s)

FlatPress, all versions from the first release up to and including commit 10be83c

CVSS v4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability reserved

  • Vulnerability published (23 June 2026)

Credit

Fraenkiman
Dilipkumar Choudhary