CVE-2025-55736

Summary

flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file.

Affected Software

VendorProductVersion RangeStatus
DogukanUrkerFlaskBlog<= 2.8.0affected

Weaknesses

  • CWE-425: CWE-425: Direct Request ('Forced Browsing')
  • CWE-807: CWE-807: Reliance on Untrusted Inputs in a Security Decision

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References