PatchSiren cyber security CVE debrief

CVE-2026-56785 FlatPress CVE debrief

CVE-2026-56785 is a stored cross-site scripting vulnerability in FlatPress, a content management system. The vulnerability exists in the comment and contact forms, where the name, URL, and email fields are rendered without proper output encoding in Smarty templates. This allows attackers to inject arbitrary HTML and JavaScript, which can be executed in the browsers of viewers, including administrators. The vulnerability has a CVSS score of 8.4 and is classified as HIGH severity. The CVE was published on 2026-06-23T23:16:50.020Z and last modified on 2026-06-25T19:25:34.880Z.

Vendor
FlatPress
Product
Unknown
CVSS
HIGH 8.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-23
Original CVE updated
2026-06-25
Advisory published
2026-06-23
Advisory updated
2026-06-25

Who should care

Administrators and users of FlatPress should be aware of this vulnerability, as it can allow attackers to inject malicious scripts and potentially take control of user sessions or steal sensitive information. Sites that have not updated to the latest version of FlatPress should patch promptly. Sites whose Smarty templates render the affected fields without output encoding, for example through a customised theme, are also exposed.

Technical summary

The vulnerability exists in the comment and contact forms of FlatPress, where the name, URL, and email fields are rendered without output encoding in Smarty templates. This allows attackers to inject arbitrary HTML and JavaScript, which is stored and later executed in the browsers of anyone viewing the content, administrators included. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Read in CVSS 4.0 terms, that is a network-reachable issue (AV:N) needing no privileges (PR:N) and only passive user interaction (UI:P, a victim simply viewing the page), with high confidentiality impact on the vulnerable system (VC:H) and high confidentiality impact on a subsequent system (SC:H), which is what drives the 8.4 score.

Defensive priority

High priority should be given to patching this vulnerability, as it can allow attackers to inject malicious scripts and potentially take control of user sessions or steal sensitive information. Administrators should update to the latest version of FlatPress and ensure that Smarty templates are properly configured to prevent this exploit.

Recommended defensive actions

  • Update to the latest version of FlatPress
  • Ensure Smarty templates apply output encoding to the name, URL, and email fields rather than rendering them raw
  • Monitor for suspicious activity on the website
  • Implement additional security measures, such as web application firewalls and intrusion detection systems
  • Educate users on the risks of this vulnerability and the importance of patching
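To make the "output encoding in Smarty templates" point concrete, the following PHP is an added example written for this debrief; it is not FlatPress or Smarty project code and does not reproduce the actual FlatPress templates. It renders a constructed comment record first the unsafe way (raw interpolation, the equivalent of a bare `{$var}` in a template with escaping off) and then with context-appropriate encoding. The sample comment values, the function names, and the note on Smarty's `escape` modifier and `escape_html` setting (taken from Smarty 3/4 documentation, not from the advisory) are all assumptions of the example.

```php
<?php
// Added example, not FlatPress or Smarty code: the comment-form fields named in the
// debrief (name, URL, email) rendered without encoding, then with encoding.
declare(strict_types=1);

// Constructed sample record, as a stored comment with hostile field values would look.
$comment = [
    'name'  => 'Visitor <script>alert(1)</script>',
    'url'   => 'javascript:alert(1)',
    'email' => 'a@example.com" onmouseover="alert(1)',
];

// Vulnerable pattern: raw interpolation into HTML. This is what a Smarty template
// does with {$comment.name} when no escaping is applied. Kept only for contrast.
function renderUnsafe(array $c): string
{
    return "<a href=\"{$c['url']}\" title=\"{$c['email']}\">{$c['name']}</a>";
}

// Encode for HTML text and attribute contexts. ENT_QUOTES covers both quote
// characters, so a value cannot break out of a quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Encoding alone does not make a URL safe inside href: a javascript: URL contains
// no characters that htmlspecialchars changes. Allow only http/https, else drop it.
function safeUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return filter_var($url, FILTER_VALIDATE_URL) === false ? null : $url;
}

// Hardened pattern: every field encoded for its context and the URL scheme
// allow-listed. In a Smarty template the per-variable equivalent is
// {$comment.name|escape:'html'}; Smarty 3/4 can also escape every variable by
// default via $smarty->escape_html = true (assumed from Smarty documentation).
function renderSafe(array $c): string
{
    $name  = h($c['name']);
    $email = h($c['email']);
    $url   = safeUrl($c['url']);
    if ($url === null) {
        // No acceptable link: render the commenter as plain text instead.
        return "<span title=\"{$email}\">{$name}</span>";
    }
    return "<a href=\"" . h($url) . "\" title=\"{$email}\">{$name}</a>";
}

echo "unsafe: ", renderUnsafe($comment), PHP_EOL;
echo "safe:   ", renderSafe($comment), PHP_EOL;
```

Run with `php example.php`. The unsafe line emits a live script tag, a `javascript:` link and an injected `onmouseover` handler; the safe line emits inert text in which `<`, `>` and `"` have become entities, and the link is dropped because its scheme is not http or https. The separate scheme check is the caveat worth remembering when auditing templates: an `|escape` on an `href` value stops attribute breakout but does not stop a `javascript:` URL.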

Evidence notes

The CVE-2026-56785 vulnerability was reported by VulnCheck and is classified as a stored cross-site scripting vulnerability. The vulnerability exists in the comment and contact forms of FlatPress, where the name, URL, and email fields are not properly encoded. The CVSS score for this vulnerability is 8.4, and it is classified as HIGH severity. The CVE was published on 2026-06-23T23:16:50.020Z and last modified on 2026-06-25T19:25:34.880Z.

This article is AI-assisted and based on the supplied source corpus.