PT-2026-24251 · Flare · Flare

Ropshade

Published 2026-03-10 · Updated 2026-03-18

CVE-2026-30942

CVSS v4.0: 8.3 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Flare versions prior to 1.7.3

Description: Flare is a Next.js-based, self-hostable file sharing platform. A path traversal issue exists in the /api/avatars/[filename] endpoint, allowing authenticated users to read arbitrary files within the application container. The filename URL parameter is passed to path.join() without proper sanitization, and the getFileStream() function does not validate the resulting path. This enables the use of encoded ../ sequences to escape the uploads/avatars/ directory and access any file readable by the Next.js process under /app/. Authentication is enforced by Next.js middleware, but open registration (the default setting) allows attackers to self-register and exploit the issue. The vulnerable parameter is filename.

Recommendations: Update Flare to version 1.7.3 or later.

Weakness Enumeration: Path traversal

Related Identifiers:

CVE-2026-30942
GHSA-H639-P7M9-MPGP

Affected Products:

Flare