CVE-2026-26993

Published: Feb 20, 2026

Modified: Feb 23, 2026

PUBLISHED

CVSS v3.1

4.6

MEDIUM

Description

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG (or other active content formats such as HTML or XML), an attacker can achieve script execution in the context of the application's origin when a victim views the file in “raw” mode. This results in a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to exfiltrate user data. This issue has been fixed in version 1.7.1.

Vendor	Product	Versions
FlintSH	Flare	affected `1.7.1`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/FlintSH/Flare/security/advisories/GHSA-q8fp-w6m5-4gjm

x_refsource_CONFIRM

https://github.com/FlintSH/Flare/commit/7763d7b954799552f287ab9260bb1353f8880163

x_refsource_MISC

https://github.com/FlintSH/Flare/releases/tag/v1.7.1

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-26993

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References