Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    4 vulnerabilities by flaskbb

    CVE-2026-22660 (GCVE-0-2026-22660)

    Vulnerability from nvd – Published: 2026-07-10 13:26 – Updated: 2026-07-10 14:18 X_Open Source
    VLAI
    Title
    FlaskBB Logic Flaw Authorization Group Deletion via Bulk AJAX Endpoint
    Summary
    FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares received JSON integer group IDs against string literals, causing the protection check to always pass, which allows deletion of all six built-in groups and destroys the forum's permission model, potentially rendering the site unusable.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    flaskbb flaskbb Affected: 0 , ≤ 2.2.0 (semver)
    Unaffected: https://github.com/flaskbb/flaskbb/commit/a5da9a52 (git)
    Create a notification for this product.
    Date Public
    2026-07-10 00:00
    Credits
    Hamed Kohi (@0xHamy) VulnCheck
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22660",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T14:18:30.364694Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T14:18:33.452Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/flaskbb/flaskbb/security/advisories/GHSA-r9cf-jxr6-5h3r"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "flaskbb",
              "repo": "https://github.com/flaskbb/flaskbb",
              "vendor": "flaskbb",
              "versions": [
                {
                  "lessThanOrEqual": "2.2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "https://github.com/flaskbb/flaskbb/commit/a5da9a52",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hamed Kohi (@0xHamy)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulnCheck"
            }
          ],
          "datePublic": "2026-07-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares received JSON integer group IDs against string literals, causing the protection check to always pass, which allows deletion of all six built-in groups and destroys the forum\u0027s permission model, potentially rendering the site unusable."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-697",
                  "description": "Incorrect Comparison",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T13:26:50.593Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-r9cf-jxr6-5h3r)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/flaskbb/flaskbb/security/advisories/GHSA-r9cf-jxr6-5h3r"
            },
            {
              "name": "Patch Commit",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/flaskbb/flaskbb/commit/a5da9a529adddc65fe31e275192b642a4e32de64"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/flaskbb-logic-flaw-authorization-group-deletion-via-bulk-ajax-endpoint"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "FlaskBB Logic Flaw Authorization Group Deletion via Bulk AJAX Endpoint",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-22660",
        "datePublished": "2026-07-10T13:26:31.423Z",
        "dateReserved": "2026-01-08T19:04:26.364Z",
        "dateUpdated": "2026-07-10T14:18:33.452Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22659 (GCVE-0-2026-22659)

    Vulnerability from nvd – Published: 2026-07-10 13:31 – Updated: 2026-07-10 13:31 X_Open Source
    VLAI
    Title
    FlaskBB Authorization Bypass via Topic ID Manipulation
    Summary
    FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID lists. Attackers can include a low-ID topic from a permitted forum as an anchor in a batch request, causing the permission check applied only to the first result to pass, and then execute lock, unlock, delete, or hide actions against topics in unmoderated forums.
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    flaskbb flaskbb Affected: 0 , ≤ 2.2.0 (semver)
    Unaffected: https://github.com/flaskbb/flaskbb/commit/a5da9a52 (git)
    Create a notification for this product.
    Date Public
    2026-07-10 00:00
    Credits
    Hamed Kohi (@0xHamy) VulnCheck
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "flaskbb",
              "repo": "https://github.com/flaskbb/flaskbb",
              "vendor": "flaskbb",
              "versions": [
                {
                  "lessThanOrEqual": "2.2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "https://github.com/flaskbb/flaskbb/commit/a5da9a52",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hamed Kohi (@0xHamy)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulnCheck"
            }
          ],
          "datePublic": "2026-07-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID lists. Attackers can include a low-ID topic from a permitted forum as an anchor in a batch request, causing the permission check applied only to the first result to pass, and then execute lock, unlock, delete, or hide actions against topics in unmoderated forums."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T13:31:02.784Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-9rjj-9p2h-6c55)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/flaskbb/flaskbb/security/advisories/GHSA-9rjj-9p2h-6c55"
            },
            {
              "name": "Patch Commit",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/flaskbb/flaskbb/commit/acc88cfedd011124395e0101cb27432a47f712be"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/flaskbb-authorization-bypass-via-topic-id-manipulation"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "FlaskBB Authorization Bypass via Topic ID Manipulation",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-22659",
        "datePublished": "2026-07-10T13:31:02.784Z",
        "dateReserved": "2026-01-08T19:04:26.364Z",
        "dateUpdated": "2026-07-10T13:31:02.784Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22659 (GCVE-0-2026-22659)

    Vulnerability from cvelistv5 – Published: 2026-07-10 13:31 – Updated: 2026-07-10 13:31 X_Open Source
    VLAI
    Title
    FlaskBB Authorization Bypass via Topic ID Manipulation
    Summary
    FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID lists. Attackers can include a low-ID topic from a permitted forum as an anchor in a batch request, causing the permission check applied only to the first result to pass, and then execute lock, unlock, delete, or hide actions against topics in unmoderated forums.
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    flaskbb flaskbb Affected: 0 , ≤ 2.2.0 (semver)
    Unaffected: https://github.com/flaskbb/flaskbb/commit/a5da9a52 (git)
    Create a notification for this product.
    Date Public
    2026-07-10 00:00
    Credits
    Hamed Kohi (@0xHamy) VulnCheck
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "flaskbb",
              "repo": "https://github.com/flaskbb/flaskbb",
              "vendor": "flaskbb",
              "versions": [
                {
                  "lessThanOrEqual": "2.2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "https://github.com/flaskbb/flaskbb/commit/a5da9a52",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hamed Kohi (@0xHamy)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulnCheck"
            }
          ],
          "datePublic": "2026-07-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID lists. Attackers can include a low-ID topic from a permitted forum as an anchor in a batch request, causing the permission check applied only to the first result to pass, and then execute lock, unlock, delete, or hide actions against topics in unmoderated forums."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T13:31:02.784Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-9rjj-9p2h-6c55)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/flaskbb/flaskbb/security/advisories/GHSA-9rjj-9p2h-6c55"
            },
            {
              "name": "Patch Commit",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/flaskbb/flaskbb/commit/acc88cfedd011124395e0101cb27432a47f712be"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/flaskbb-authorization-bypass-via-topic-id-manipulation"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "FlaskBB Authorization Bypass via Topic ID Manipulation",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-22659",
        "datePublished": "2026-07-10T13:31:02.784Z",
        "dateReserved": "2026-01-08T19:04:26.364Z",
        "dateUpdated": "2026-07-10T13:31:02.784Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22660 (GCVE-0-2026-22660)

    Vulnerability from cvelistv5 – Published: 2026-07-10 13:26 – Updated: 2026-07-10 14:18 X_Open Source
    VLAI
    Title
    FlaskBB Logic Flaw Authorization Group Deletion via Bulk AJAX Endpoint
    Summary
    FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares received JSON integer group IDs against string literals, causing the protection check to always pass, which allows deletion of all six built-in groups and destroys the forum's permission model, potentially rendering the site unusable.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    flaskbb flaskbb Affected: 0 , ≤ 2.2.0 (semver)
    Unaffected: https://github.com/flaskbb/flaskbb/commit/a5da9a52 (git)
    Create a notification for this product.
    Date Public
    2026-07-10 00:00
    Credits
    Hamed Kohi (@0xHamy) VulnCheck
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22660",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T14:18:30.364694Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T14:18:33.452Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/flaskbb/flaskbb/security/advisories/GHSA-r9cf-jxr6-5h3r"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "flaskbb",
              "repo": "https://github.com/flaskbb/flaskbb",
              "vendor": "flaskbb",
              "versions": [
                {
                  "lessThanOrEqual": "2.2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "https://github.com/flaskbb/flaskbb/commit/a5da9a52",
                  "versionType": "git"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hamed Kohi (@0xHamy)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulnCheck"
            }
          ],
          "datePublic": "2026-07-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares received JSON integer group IDs against string literals, causing the protection check to always pass, which allows deletion of all six built-in groups and destroys the forum\u0027s permission model, potentially rendering the site unusable."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-697",
                  "description": "Incorrect Comparison",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T13:26:50.593Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-r9cf-jxr6-5h3r)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/flaskbb/flaskbb/security/advisories/GHSA-r9cf-jxr6-5h3r"
            },
            {
              "name": "Patch Commit",
              "tags": [
                "patch"
              ],
              "url": "https://github.com/flaskbb/flaskbb/commit/a5da9a529adddc65fe31e275192b642a4e32de64"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/flaskbb-logic-flaw-authorization-group-deletion-via-bulk-ajax-endpoint"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "FlaskBB Logic Flaw Authorization Group Deletion via Bulk AJAX Endpoint",
          "x_generator": {
            "engine": "vulncheck"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-22660",
        "datePublished": "2026-07-10T13:26:31.423Z",
        "dateReserved": "2026-01-08T19:04:26.364Z",
        "dateUpdated": "2026-07-10T14:18:33.452Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }