{"vulnerability": "CVE-2026-50873", "sightings": [{"uuid": "e343305d-49b7-42c5-96b9-fbd3f6ec46f1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-50873", "type": "seen", "source": "https://gist.github.com/pyuysig/ab0af5b10877fb906941e05a69b202a7", "content": "# Vulnerability Report: CVE-2026-50873 - flatnotes - Active HTML and SVG attachments can execute script in users browsers\n\n## Vulnerability Summary\nflatnotes 5.5.4 contains a cross-site scripting issue in attachment handling. A remote authenticated attacker can upload an HTML or SVG attachment and cause a victim to open the attachment URL, resulting in execution of attacker-controlled script in the victim browser context.\n\n## Affected Product\n- **Vendor**: Adam Dullage\n- **Product**: flatnotes\n- **Version**: 5.5.4\n- **Vulnerable Component**: /api/attachments, /attachments/{filename}, server/attachments/file_system/file_system.py\n\n## Vulnerability Details\n- **Vulnerability Type**: Cross Site Scripting (XSS)\n- **Weakness**: CWE-79\n- **Attack Conditions**: Upload a malicious HTML or SVG attachment through /api/attachments and induce a victim to open /attachments/{filename}.\n\n## Report Body\n\n### Summary\nflatnotes 5.5.4 contains a cross-site scripting issue in attachment handling. A remote authenticated attacker can upload an HTML or SVG attachment and cause a victim to open the attachment URL, resulting in execution of attacker-controlled script in the victim browser context.\n\n### Details\nAttachment upload and serving allow active content types to be retrievable in a way that browsers can render as HTML or SVG. Without safe Content-Type or Content-Disposition controls or content restrictions, uploaded active content can run script.\n\n### PoC\n1. Prepare an environment matching the affected product and version above.\n2. Trigger the vulnerable component under the attack conditions described for CVE-2026-50873.\n3. Confirm the security result: A malicious HTML or SVG file uploaded as an attachment executes script when the generated attachment URL is opened by a victim.\n\n### Impact\nStored or hosted active content execution in a victim browser when the uploaded attachment URL is opened.\n\n## Remediation\nBlock active HTML/SVG attachments or serve untrusted attachments with safe content types and Content-Disposition: attachment. Apply strict CSP and content sniffing protections.\n\n## Credit\n- Discoverer(s): Yuming Zhang and Song Li of Zhejiang University\n\n## Notes\nThis public reference is intended to support the CVE record with concise, factual vulnerability details. It intentionally avoids a full exploit release.\n", "creation_timestamp": "2026-06-13T12:45:39.000000Z"}]}