
Description

flaskBlog is a blog app built with Flask. In versions 2.8.0 and earlier, any user can change their own role to "admin", gaining that role's privileges (e.g. deleting users, posts and comments). The problem is in the routes/adminPanelUsers file.
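The two weaknesses listed below (a privileged route that any logged-in user can reach, and a role value taken from the request itself) are easiest to see side by side. The following is an added example written for this page, not flaskBlog's own code: the route logic, the field names userName and role, and the in-memory user store are assumptions. Flask's session and request.form are passed in as plain dicts so the example runs without Flask installed.

```python
"""Privilege-escalation pattern of CVE-2025-55736, shown as a vulnerable
handler next to a hardened one. Constructed example; field names, user
names and the store are assumptions, not taken from flaskBlog."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

ROLES = {"user", "admin"}
Response = Tuple[int, str]


@dataclass
class UserStore:
    """Stand-in for the users table (constructed sample data)."""
    roles: Dict[str, str] = field(
        default_factory=lambda: {"alice": "admin", "mallory": "user"}
    )

    def role_of(self, name: str) -> str:
        return self.roles[name]

    def set_role(self, name: str, role: str) -> None:
        self.roles[name] = role


def vulnerable_set_role(session: dict, form: dict, store: UserStore) -> Response:
    """Vulnerable pattern (CWE-425 + CWE-807).

    The only gate is "somebody is logged in", so any user who knows the URL
    can POST to it (forced browsing). The target account and the new role
    are then taken verbatim from the request body, so the request itself
    decides the outcome of a security decision.
    """
    if "userName" not in session:
        return 401, "login required"
    target = form["userName"]
    new_role = form["role"]
    store.set_role(target, new_role)
    return 200, f"{target} is now {new_role}"


def hardened_set_role(session: dict, form: dict, store: UserStore) -> Response:
    """Hardened form: the caller's privilege is read from server-side state
    and the form is treated purely as data to be validated."""
    caller = session.get("userName")
    if caller is None:
        return 401, "login required"
    # Authorization comes from the caller's stored role, never from a form
    # field, hidden input or client-supplied value.
    if caller not in store.roles or store.role_of(caller) != "admin":
        return 403, "admin role required"
    target = form.get("userName", "")
    new_role = form.get("role", "")
    if target not in store.roles:
        return 404, "no such user"
    if new_role not in ROLES:
        return 400, "unknown role"
    store.set_role(target, new_role)
    return 200, f"{target} is now {new_role}"


def escalation_attempt(handler: Callable[..., Response]) -> Tuple[int, str]:
    """Replay the advisory scenario: ordinary user 'mallory' POSTs a request
    promoting herself. Returns (HTTP status, mallory's role afterwards)."""
    store = UserStore()
    session = {"userName": "mallory"}                # what the server knows
    form = {"userName": "mallory", "role": "admin"}  # attacker-controlled body
    status, _ = handler(session, form, store)
    return status, store.role_of("mallory")


if __name__ == "__main__":
    print("vulnerable:", escalation_attempt(vulnerable_set_role))
    print("hardened:  ", escalation_attempt(hardened_set_role))
```

In a real Flask app the server-side lookup in hardened_set_role belongs in a decorator applied to every admin-panel view, so that a route cannot be added later without the check; the point is that the decision uses the caller's stored role, not anything the client sent.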

Status: PUBLISHED | Reserved 2025-08-14 | Published 2025-08-19 | Updated 2025-08-19 | Assigner: GitHub_M

Severity: CRITICAL 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-425: Direct Request ('Forced Browsing')

CWE-807: Reliance on Untrusted Inputs in a Security Decision

Product status

flaskBlog <= 2.8.0: affected

References

github.com/...skBlog/security/advisories/GHSA-6q83-vfmq-wf72

cve.org (CVE-2025-55736)

nvd.nist.gov (CVE-2025-55736)
