← volver
CVE-2026-30230

Flare: Password‑Protected Thumbnail Bypass

CVSS 8.2 HIGHEPSS 0.4%CWE-639
Vexday Risk Score
21Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 8.2EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
06 mar 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the thumbnail endpoint does not validate the password for password‑protected files. It checks ownership/admin for private files but skips password verification, allowing thumbnail access without the password. This issue has been patched in version 1.7.2.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Productos afectados
FlintSH · Flare

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/FlintSH/Flare/security/advisories/GHSA-3x7v-x3r6-mjh7