CVE-2025-46595

Name of the Vulnerable Software and Affected Versions Backdrop CMS Flag module versions prior to 1.x-3.6.2

Description A Cross-Site Scripting issue was discovered in the Flag module for Backdrop CMS. The module does not verify flag links before performing the flag action, or verify that the response returned was provided by the flag module, allowing crafted HTML to result in Cross Site Scripting. This issue is mitigated by the fact that an attacker must have a role with permission to create links on the website.

Recommendations For Backdrop CMS Flag module versions prior to 1.x-3.6.2, update to version 1.x-3.6.2 or later to resolve the issue. As a temporary workaround, consider restricting the permission to create links on the website to minimize the risk of exploitation.