CVE-2025-55735

flaskBlog is a blog app built with Flask. In versions 2.8.0 and earlier, when a post is created there is no validation of the post body stored in the variable "postContent". The vulnerability arises when the post content is displayed through the | safe filter, which tells the template engine not to escape the rendered value. Because the unvalidated content is saved and later rendered unescaped for every visitor, this results in a stored XSS inside the post content. The code that causes the problem is in template/routes.html.
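As an added illustration (not code from flaskBlog or from the advisory), the following Python mimics Jinja2's autoescaping on a constructed template line to show why `| safe` on user-controlled post content is dangerous, what the hardened line looks like, and how to scan templates for the pattern; the template excerpt, the `post.content` name and the sample payload are assumptions.

```python
import html
import re

# Constructed template excerpts (assumed, not the real template/routes.html).
# The vulnerable line pipes the stored post body through `| safe`, which
# tells Jinja2 to emit it verbatim; the hardened line lets autoescaping apply.
VULNERABLE_TEMPLATE = '<div class="post-body">{{ post.content | safe }}</div>'
HARDENED_TEMPLATE = '<div class="post-body">{{ post.content }}</div>'

# Matches a {{ ... }} expression whose filter chain contains `safe`,
# capturing the expression in front of it (e.g. "post.content").
SAFE_FILTER = re.compile(r"\{\{\s*(.+?)\s*\|\s*safe\b[^}]*\}\}")
EXPRESSION = re.compile(r"\{\{[^}]*\}\}")


def find_safe_filters(template_source):
    """Return every expression a template renders through `| safe`.

    A reviewer can run this over a template tree and check each hit
    against the question: can an end user control this value?
    """
    return [m.group(1) for m in SAFE_FILTER.finditer(template_source)]


def render(template_source, post_content):
    """Mimic Jinja2 autoescaping for a single-variable template.

    `| safe` emits the stored content verbatim; without it the content
    is HTML-escaped, so markup in the post body becomes inert text.
    """
    def substitute(match):
        expression = match.group(0)
        if re.search(r"\|\s*safe\b", expression):
            return post_content
        return html.escape(post_content, quote=True)

    return EXPRESSION.sub(substitute, template_source)


if __name__ == "__main__":
    # Constructed stored-post body containing markup a browser would execute.
    stored_body = "<script>void(0)</script>"
    print("safe filters found:", find_safe_filters(VULNERABLE_TEMPLATE))
    print("vulnerable:", render(VULNERABLE_TEMPLATE, stored_body))
    print("hardened:  ", render(HARDENED_TEMPLATE, stored_body))
```

Running it shows the vulnerable line returning the `<script>` element intact while the hardened line returns `&lt;script&gt;...`, which is exactly the difference between a stored XSS and harmless text.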
CVSS

No CVSS.

Configurations

No configuration.

History

20 Aug 2025, 14:40

Type: Summary
Values Added:
  • (es) flaskBlog is a blog app built with Flask. In version 2.8.0 and earlier, when creating a post, the content stored in the variable "postContent" is not validated. The vulnerability arises when the post content is displayed through the | safe filter, which tells the engine not to escape the rendered content. This can lead to a stored XSS inside the post content. The code that causes the problem is located in template/routes.html.

19 Aug 2025, 19:15

Type: New CVE

Information

Published : 2025-08-19 19:15

Updated : 2025-08-20 14:40


NVD link : CVE-2025-55735

Mitre link : CVE-2025-55735

CVE.ORG link : CVE-2025-55735

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-807

Reliance on Untrusted Inputs in a Security Decision