CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-22659

highCVSS 8.1covered by 1 sourcefirst seen 2026-07-10
FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID lists. Attackers can include a low-ID topic from a permitted forum as an anchor in a batch request, causing the permission check applied only to the first result to pass, and then execute lock, unlock, delete, or hide actions against topics in unmoderated forums.

⚡ Watch CVE-2026-22659

Get an email if CVE-2026-22659 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-22659

CVE.org record

Embed the live status

CVE-2026-22659 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-22659 status](https://www.csirts.com/badge/CVE-2026-22659)](https://www.csirts.com/cve/CVE-2026-22659)