What is CVE-2026-26993?

CVE-2026-26993 is a medium-severity vulnerability in Flintsh Flare, classified under Cross-site Scripting. CVSS score: 4.6/10. Published 2026-02-20.

How severe is CVE-2026-26993?

Medium severity. CVSS v3 base score is 4.6 out of 10.

XSS in Flintsh Flare

CVE-2026-26993

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (3.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.6 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.

Affected products

Flintsh Flare — versions 1.7.1

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

https://github.com/FlintSH/Flare/security/advisories/GHSA-q8fp-w6m5-4gjm (x_refsource_CONFIRM)
https://github.com/FlintSH/Flare/commit/7763d7b954799552f287ab9260bb1353f8880163 (x_refsource_MISC)
https://github.com/FlintSH/Flare/releases/tag/v1.7.1 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-26993?: CVE-2026-26993 is a medium-severity vulnerability in Flintsh Flare, classified under Cross-site Scripting. CVSS score: 4.6/10. Published 2026-02-20.
How severe is CVE-2026-26993?: Medium severity. CVSS v3 base score is 4.6 out of 10.