Path Traversal in Flintsh Flare
CVE-2026-30942
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/[filename] allows any logged-in user to read arbitrary files…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.002 (47.6th percentile)
Affected products
- Flintsh Flare — versions < 1.7.3
Weakness classification (CWE)
References
- https://github.com/FlintSH/Flare/security/advisories/GHSA-h639-p7m9-mpgp (x_refsource_CONFIRM)
- https://github.com/FlintSH/Flare/commit/cd894cc480619aef958be5de72b1445222fd8d36 (x_refsource_MISC)
- https://github.com/FlintSH/Flare/releases/tag/v1.7.3 (x_refsource_MISC)