CVE-2026-36725: FastapiAdmin v2.2.0 XSS Vulnerability in Notice Creation Endpoint
FastapiAdmin version 2.2.0 contains a vulnerability where attackers can inject malicious scripts into system notices. When an administrator or authorized user views a crafted notice through the notice creation endpoint, the injected code executes in their browser, potentially allowing attackers to steal session tokens, modify page content, or perform actions on their behalf. The attack requires user interaction—the victim must view the malicious notice—but no authentication is needed to craft and inject the payload.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
A markdown based cross-site scripting (XSS) vulnerability in the /system/notice/create endpoint of FastapiAdmin v2.2.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the notice_content parameter.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-36725 is a stored cross-site scripting (XSS) vulnerability in FastapiAdmin v2.2.0's /system/notice/create endpoint. The vulnerability stems from improper sanitization of the notice_content parameter before rendering markdown. An unauthenticated attacker can submit a POST request containing XSS payloads embedded in markdown syntax to the endpoint. When the notice is later rendered to authenticated users, the payload executes in their browser context. The vulnerability maps to CWE-79 (Improper Neutralization of Input During Web Page Generation) and carries a CVSS 3.1 score of 6.1 (MEDIUM severity) due to the requirement for user interaction and the network-based attack vector.
Business impact
This vulnerability poses a moderate but meaningful risk to organizations deploying FastapiAdmin. An attacker could compromise administrator accounts or trick users into performing unintended actions without their knowledge. The impact extends to potential theft of sensitive data accessible within the admin panel, creation of backdoor accounts, or defacement of administrative interfaces. Organizations relying on FastapiAdmin for system administration should treat this as a priority remediation item, particularly if the instance is exposed to untrusted networks.
Affected systems
FastapiAdmin version 2.2.0 is confirmed vulnerable. Organizations running this specific version should immediately verify their deployment status. Check your FastapiAdmin instance by examining version information in deployment logs or the application's admin interface. Versions prior to or after 2.2.0 should be evaluated against the vendor's security advisory to determine affected ranges and verify patch status.
Exploitability
Exploitation requires an unauthenticated attacker to craft a notice with embedded XSS payloads and submit it to the /system/notice/create endpoint. The attacker does not need valid credentials to inject the payload. However, successful exploitation depends on a user (typically an administrator) viewing the malicious notice. The attack is reliable once those conditions are met; there are no unusual technical barriers to exploitation, making this a practical concern for exposed instances.
Remediation
Upgrade FastapiAdmin to a patched version released after the vulnerability discovery. Verify the specific patched version against the official FastapiAdmin GitHub repository or vendor security advisories. Until patching is possible, implement input validation and output encoding on the notice_content parameter to strip or escape markdown-based script injection vectors. Additionally, consider restricting access to the /system/notice/create endpoint to authenticated administrators only if your current configuration permits unauthenticated submissions.
Patch guidance
Consult the official FastapiAdmin project repository or vendor security advisory for the confirmed patched version addressing CVE-2026-36725. Apply the patch during a maintenance window to avoid service disruption. After patching, verify that the notice creation and rendering functionality operates correctly and that previously stored notices do not trigger XSS warnings in browser developer consoles. Test with both benign and previously-problematic notice content to ensure the fix is complete.
Detection guidance
Monitor application logs for POST requests to /system/notice/create containing suspicious markdown syntax or HTML/JavaScript patterns (e.g., <script>, onerror=, onload=, backticks in markdown code blocks with script tags). Watch for notice content that includes unusual encoded characters or mixed markdown-HTML constructs. Deploy Web Application Firewall (WAF) rules to flag or block requests with XSS payloads targeting this endpoint. Additionally, review stored notices in the database for suspicious content and consider alerting on any notice modifications made by unexpected accounts or from unusual network sources.
Why prioritize this
This vulnerability merits timely but non-emergency remediation. The MEDIUM CVSS score (6.1) reflects the requirement for user interaction and limited impact scope, but the ease of exploitation and risk to administrative accounts elevates practical concern. Organizations should address this within a standard patching cycle, prioritizing instances that are internet-facing or serve sensitive admin functions. It does not qualify as a zero-day or critical patch requiring immediate out-of-band deployment in most scenarios.
Risk score, explained
The CVSS 3.1 score of 6.1 reflects: network-based attack vector (AV:N) with no special conditions required (AC:L), no authentication needed (PR:N), but requiring user interaction (UI:R). The scope change (S:C) indicates the impact extends beyond the vulnerable component to other systems. Confidentiality and integrity are low impact (C:L, I:L) because the attacker gains access to user session context rather than underlying system data. Availability is not affected (A:N). The moderate score appropriately captures a meaningful but bounded risk—concerning for admin environments but not a widespread critical threat.
Frequently asked questions
Can this vulnerability be exploited without the victim clicking or interacting with the malicious notice?
No. Exploitation requires that a user visit the page or endpoint where the malicious notice is rendered. An attacker cannot trigger code execution merely by submitting the payload; they must also ensure the victim views it. This user interaction requirement is a key factor in the MEDIUM rather than HIGH severity rating.
Do I need valid FastapiAdmin credentials to inject a malicious notice?
No. The /system/notice/create endpoint accepts unauthenticated requests according to the vulnerability description. This means an external attacker can inject payloads without compromising or spoofing an existing user account, which amplifies the practical risk.
Will patching this vulnerability affect my existing notices or administrative workflows?
Patching should not affect legitimate notices. However, it may render previously stored malicious notices inert by sanitizing their output. Some edge-case markdown rendering behaviors may change if the vendor's fix alters how markdown is parsed. Test in a staging environment first to confirm compatibility with your workflows.
Is this vulnerability currently being exploited in the wild?
According to the data provided, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting no confirmed active exploitation at the time of disclosure. However, the ease of exploitation means vigilance is warranted if you operate an exposed FastapiAdmin instance.
This analysis is based on vulnerability disclosure data current as of the provided modification date (2026-06-17). Patch versions, vendor advisories, and mitigation guidance should be verified against official FastapiAdmin security releases and your organization's specific deployment configuration. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct internal testing before applying patches to production systems. SEC.co does not warrant the completeness or accuracy of third-party vendor responses. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2021-47982MEDIUMWP-Paginate 2.1.3 Stored XSS in Plugin Settings