Back to overview

CVE-2026-22660

HIGH Exploitation: PoC
7.2
CVSS 3.1
Description
FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares received JSON integer group IDs against string literals, causing the protection check to always pass, which allows deletion of all six built-in groups and destroys the forum's permission model, potentially rendering the site unusable.

Metadata

CVE ID
CVE-2026-22660
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-01-08 19:04 UTC
Published
2026-07-10 13:26 UTC
Last updated
2026-07-10 14:18 UTC
Primary CWE
CWE-697
Incorrect Comparison
Vendor / Product
flaskbb / flaskbb
Sources
cve.org  ·  NVD

Severity & Metrics

7.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
flaskbb flaskbb 0 ≤ 2.2.0, https://github.com/flaskbb/flaskbb/commit/a5da9a52
Weakness (CWE)
CWESourceDescription
CWE-697 cna Incorrect Comparison
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.6 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
7.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Back to overview