PatchSiren cyber security CVE debrief
CVE-2026-36728 fastapi-admin CVE debrief
CVE-2026-36728 is a markdown-based cross-site scripting (XSS) vulnerability in the AI assistant chat function of FastapiAdmin v2.2.0. It allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into a chat message. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 5.4, a MEDIUM severity level. The vulnerability was published on [2026-06-09](https://www.cve.org/CVERecord?id=CVE-2026-36728) and last modified on [2026-06-10](https://nvd.nist.gov/vuln/detail/CVE-2026-36728).
- Vendor: fastapi-admin
- Product: fastapi-admin v2.2.0
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-10
Who should care
Users of the FastapiAdmin v2.2.0 AI assistant chat function should be aware of this vulnerability and take the necessary actions to mitigate it.
Technical summary
The vulnerability is caused by improper sanitization of user input in the chat function, which allows attackers to inject malicious scripts. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (network attack vector, low attack complexity, low privileges required, user interaction required, changed scope, low confidentiality and integrity impact, no availability impact).
Defensive priority
MEDIUM
Recommended defensive actions
- Apply patches or updates provided by the vendor to fix the vulnerability.
- Implement proper input validation and sanitization for user input in the chat function.
- Monitor the chat function for suspicious activity and implement additional security measures as needed.
Evidence notes
The vulnerability is classified as CWE-79, which is a type of cross-site scripting (XSS) vulnerability.
Official resources
- CVE-2026-36728 CVE record (CVE.org)
- CVE-2026-36728 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-36728 was published on 2026-06-09T19:17:43.327Z and last modified on 2026-06-10T20:15:58.353Z.