CVE-2025-55737

Source
https://cve.org/CVERecord?id=CVE-2025-55737
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55737.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-55737
Aliases
  • GHSA-6hp9-jv2f-88wr
Published
2025-08-19T19:06:15.195Z
Modified
2026-04-10T05:26:19.806792Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
flaskBlog arbitrary comment delete
Details

flaskBlog is a blog app built with Flask. In versions 2.8.0 and earlier, the comment-deletion handler does not verify that the requester owns the comment being deleted. Any user can delete any other user's comment on any post by intercepting their own delete request and changing the commentID to that of the target comment. The affected code is in routes/post.py.
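
As an added illustration (not flaskBlog's own code: the table, column names and user names below are constructed, and the Flask request and session handling is omitted), the missing ownership check described above is shown next to a delete that is bound to the requesting user:

```python
"""Ownership check on comment deletion (CWE-639).

Constructed example: an in-memory SQLite table stands in for the blog's
comment store. Both functions receive a client-supplied comment id; only
the second one ties the delete to the authenticated user.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed schema with only the columns the authorization decision needs.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER, author TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO comments (id, post_id, author, body) VALUES (?, ?, ?, ?)",
        [(1, 10, "alice", "first"), (2, 10, "bob", "second"), (3, 11, "alice", "third")],
    )
    return conn


def delete_comment_unchecked(conn: sqlite3.Connection, comment_id: int) -> int:
    """Vulnerable shape: whichever commentID arrives in the request is deleted.

    Being logged in is the only gate; nothing relates the row to the requester.
    """
    cur = conn.execute("DELETE FROM comments WHERE id = ?", (comment_id,))
    return cur.rowcount


def delete_comment_owned(
    conn: sqlite3.Connection, comment_id: int, current_user: str, is_admin: bool = False
) -> int:
    """Hardened shape: the row must belong to current_user (taken from the server-side
    session, never from the request body) unless the caller is an admin.

    The ownership predicate is part of the DELETE itself, so there is no window
    between a separate SELECT check and the delete.
    """
    if is_admin:
        cur = conn.execute("DELETE FROM comments WHERE id = ?", (comment_id,))
    else:
        cur = conn.execute(
            "DELETE FROM comments WHERE id = ? AND author = ?", (comment_id, current_user)
        )
    # 0 means "no such comment, or not yours": the route should answer 403/404 and
    # log the attempt, since a tampered commentID is what produces this outcome.
    return cur.rowcount


def remaining_ids(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT id FROM comments ORDER BY id")]
```

A rowcount of 0 from the hardened delete is also a useful detection signal: legitimate UI flows only submit ids of comments the user can see as their own.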

Database specific
{
    "cwe_ids": [
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55737.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/dogukanurker/flaskblog

Affected ranges

Type
GIT
Repo
https://github.com/dogukanurker/flaskblog
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.8.0"
        }
    ]
}

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0
2.*
2.0.0
2.0.1
2.0.10
2.0.11
2.0.12
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.6.0
2.7.0
2.8.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55737.json"