PT-2026-20993 · Flare · Flare

G3Xar · Published 2026-02-20 · Updated 2026-02-20 · CVE-2026-26993

CVSS v3.1: 4.6
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Flare versions 1.7.0 and below

Description: Flare, a Next.js-based file sharing platform, is susceptible to a stored Cross-Site Scripting (XSS) issue. The platform does not properly validate or sanitize uploaded files. An attacker can embed malicious JavaScript within an SVG, HTML, or XML file. When a user views the file in “raw” mode, the embedded script executes in the application's context, potentially allowing for the exfiltration of user data. The vulnerability occurs due to insufficient content validation during file uploads.

Recommendations: Update to Flare version 1.7.1 or later.
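
One way to close this class of issue at a raw-file endpoint, shown as an added example that is not Flare's code or its 1.7.1 fix: response headers are chosen from an allowlist of inert types, and everything else (SVG, HTML and XML included) is sent as a download. The function names, the allowlist and the sample uploads are assumptions.

```javascript
// Added example: header policy for a "raw" file endpoint.
// Hypothetical names throughout; not taken from the Flare code base.

// Types a browser renders without executing script. Anything not listed here
// (image/svg+xml, text/html, application/xml, ...) is never rendered inline.
const INLINE_SAFE_TYPES = new Set([
  "image/png", "image/jpeg", "image/gif", "image/webp", "text/plain",
]);

// The declared MIME type comes from the uploader: drop parameters, normalise case.
function normalizeType(declaredType) {
  return String(declaredType || "").split(";")[0].trim().toLowerCase();
}

// Strip directory parts, then anything that could break out of the quoted filename.
function safeDownloadName(filename) {
  const base = String(filename || "").split(/[\\/]/).pop();
  return base.replace(/[^\w.-]/g, "_") || "download";
}

function rawResponseHeaders(filename, declaredType) {
  const type = normalizeType(declaredType);
  const inline = INLINE_SAFE_TYPES.has(type);
  const contentType = !inline ? "application/octet-stream"
    : type === "text/plain" ? "text/plain; charset=utf-8" : type;
  return {
    "Content-Type": contentType,
    "Content-Disposition": `${inline ? "inline" : "attachment"}; filename="${safeDownloadName(filename)}"`,
    // Stop the browser from sniffing a text or octet-stream body into HTML.
    "X-Content-Type-Options": "nosniff",
    // If the body is rendered as a document anyway, it gets no script and no origin.
    "Content-Security-Policy": "sandbox; default-src 'none'",
  };
}

// Constructed sample uploads: an SVG, an HTML file with a misleading name, a PNG.
const samples = [
  ["logo.svg", "image/svg+xml"],
  ["notes.txt", "text/html; charset=utf-8"],
  ["photo.png", "image/png"],
];
for (const [name, type] of samples) {
  console.log(name, rawResponseHeaders(name, type));
}
```
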

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-26993

Affected Products

Flare