CVE-2026-26993

MEDIUM

Flare < 1.7.1 - Stored Cross-Site Scripting via SVG/HTML/XML File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-26993. PoCs published by G3XAR.

AI-analyzed exploit summary The repository provides a functional proof-of-concept for CVE-2026-26993, demonstrating a stored XSS vulnerability in Flare versions <1.7.0 via malicious SVG file uploads. The PoC includes a detailed payload and steps to exfiltrate sensitive data.

Description

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG (or other active content formats such as HTML or XML), an attacker can achieve script execution in the context of the application's origin when a victim views the file in “raw” mode. This results in a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to exfiltrate user data. This issue has been fixed in version 1.7.1.

Exploits (1)

github WORKING POC

by G3XAR · poc

https://github.com/G3XAR/Security-Research/tree/main/CVE-2026-26993

View Code ZIP pw:eip

The repository provides a functional proof-of-concept for CVE-2026-26993, demonstrating a stored XSS vulnerability in Flare versions <1.7.0 via malicious SVG file uploads. The PoC includes a detailed payload and steps to exfiltrate sensitive data.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Flare <1.7.0

Auth required

Prerequisites: valid account for file upload · victim interaction to view raw file

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://github.com/FlintSH/Flare/security/advisories/GHSA-q8fp-w6m5-4gjm

Patch x_refsource_misc

https://github.com/FlintSH/Flare/commit/7763d7b954799552f287ab9260bb1353f8880163

View Patch ZIP pw:eip

Release Notes x_refsource_misc

https://github.com/FlintSH/Flare/releases/tag/v1.7.1

Scores

CVSS v3 4.6

EPSS 0.0028

EPSS Percentile 19.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

flintsh/flare < 1.7.1

Published Feb 20, 2026

Tracked Since Feb 20, 2026