PatchSiren

flaskbb CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH flaskbb CVE published 2026-07-10

CVE-2026-22660

A logic flaw vulnerability was discovered in FlaskBB, a web framework, which allows authenticated administrators to delete all built-in authorization groups. This is achieved by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares received JSON integer group IDs against string literals, causing the protection check to always pass. As a res [truncated]

HIGH flaskbb CVE published 2026-07-10

CVE-2026-22659

FlaskBB, a bulletin board software, was found to have an authorization bypass vulnerability. This vulnerability allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID lists. The vulnerability was fixed in commit acc88cf. The issue arises from the software's handling of batch requests, which can be exploited to execute actions [truncated]