Vulnerability Description
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG (or other active content formats such as HTML or XML), an attacker can achieve script execution in the context of the application's origin when a victim views the file in “raw” mode. This results in a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to exfiltrate user data. This issue has been fixed in version 1.7.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Flintsh | Flare | < 1.7.1 |
Related Weaknesses (CWE)
References
- https://github.com/FlintSH/Flare/commit/7763d7b954799552f287ab9260bb1353f8880163Patch
- https://github.com/FlintSH/Flare/releases/tag/v1.7.1ProductRelease Notes
- https://github.com/FlintSH/Flare/security/advisories/GHSA-q8fp-w6m5-4gjmExploitVendor Advisory
FAQ
What is CVE-2026-26993?
CVE-2026-26993 is a vulnerability with a CVSS score of 4.6 (MEDIUM). Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitizat...
How severe is CVE-2026-26993?
CVE-2026-26993 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-26993?
Check the references section above for vendor advisories and patch information. Affected products include: Flintsh Flare.