Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.4
Flare: Malicious files can steal user data through stored XSS
CVE-2026-26993
Summary
Flare versions 1.7.0 and below allow attackers to embed malicious code in uploaded files, which can steal user data when viewed in a special mode. This issue has been fixed in version 1.7.1. To protect your users, update Flare to the latest version as soon as possible.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| flintsh | flare | <= 1.7.1 | – |
Original title
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or saniti...
Original description
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG (or other active content formats such as HTML or XML), an attacker can achieve script execution in the context of the application's origin when a victim views the file in “raw” mode. This results in a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to exfiltrate user data. This issue has been fixed in version 1.7.1.
nvd CVSS3.1
5.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://github.com/FlintSH/Flare/commit/7763d7b954799552f287ab9260bb1353f8880163 Patch
- https://github.com/FlintSH/Flare/releases/tag/v1.7.1 Product Release Notes
- https://github.com/FlintSH/Flare/security/advisories/GHSA-q8fp-w6m5-4gjm Exploit Vendor Advisory
Published: 20 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026