CVE-2026-36725 Overview
CVE-2026-36725 is a markdown-based cross-site scripting (XSS) vulnerability affecting FastapiAdmin v2.2.0. The flaw resides in the /system/notice/create endpoint, where the notice_content parameter fails to sanitize markdown input before rendering. Attackers can inject crafted markdown payloads that execute arbitrary JavaScript or HTML in the browsers of users who view the notice. The issue is tracked under CWE-79: Improper Neutralization of Input During Web Page Generation. Exploitation requires user interaction but no authentication, and the scope is changed because injected scripts run in the context of the administrative interface.
Critical Impact
Authenticated administrators viewing a crafted notice can have session tokens stolen, actions performed on their behalf, or be redirected to attacker-controlled content within the FastapiAdmin console.
Affected Products
- FastapiAdmin v2.2.0
- The /system/notice/create endpoint accepting the notice_content parameter
- Deployments rendering markdown notice content without sanitization
Discovery Timeline
- 2026-06-09 - CVE-2026-36725 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-36725
Vulnerability Analysis
The vulnerability stems from improper neutralization of user-supplied markdown content in the FastapiAdmin notice creation workflow. When an attacker submits a request to /system/notice/create, the notice_content parameter accepts markdown that is later rendered as HTML in the administrative dashboard. Because the rendering pipeline does not strip or escape dangerous constructs, embedded HTML tags and JavaScript URIs survive into the final DOM. Any user who subsequently loads the notice triggers execution of the injected script in their browser session.
Root Cause
The root cause is missing output sanitization on markdown-to-HTML conversion. Markdown specifications permit raw HTML passthrough by default, and FastapiAdmin's renderer does not apply an allowlist or call a sanitizer such as DOMPurify or bleach before emitting the rendered content. The notice_content field is treated as trusted formatted text rather than untrusted user input.
Attack Vector
An attacker submits a POST request to /system/notice/create containing a markdown payload in notice_content that embeds an HTML element with an event handler, an inline <script> block, or a javascript: URI within a link. After the notice is stored, any administrator browsing the notices view renders the payload, executing the script under the application's origin. The changed scope reflects the script running in the trusted administrative context, allowing session theft, CSRF-like actions, or pivoting to other administrative endpoints. No prior authentication is required to submit the payload if the endpoint is reachable, and one round of user interaction is required for the victim to view the notice.
No verified public proof-of-concept code is available. See the GitHub vulnerability writeup for technical details.
Detection Methods for CVE-2026-36725
Indicators of Compromise
- POST requests to /system/notice/create containing <script>, onerror=, onload=, or javascript: substrings in the notice_content parameter
- Stored notice records with embedded HTML event handlers or inline scripts
- Unexpected outbound requests from administrator browsers to unfamiliar domains shortly after viewing notices
Detection Strategies
- Inspect web server and application logs for malformed or HTML-laden notice_content payloads submitted to the notice creation endpoint
- Run periodic database scans on the notices table for markdown content containing raw HTML tags, especially <script>, <iframe>, and <img> with event attributes
- Deploy a Content Security Policy (CSP) in report-only mode to capture inline script violations originating from the notices view
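The log-inspection and database-scan strategies above, as an added example (not FastapiAdmin code): a scanner that decodes the form body of requests to /system/notice/create and flags notice_content values carrying the constructs named in the indicators, generalised to any on*= event handler rather than only onerror=/onload=. The log line layout and the sample lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Generalises the advisory's indicators: any on*= handler, not only onerror=/onload=,
# plus the tags and URI schemes that carry script into a rendered notice.
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|object|embed)\b"   # raw HTML tags that execute or embed content
    r"|\bon[a-z]+\s*="                      # inline event handlers (onerror=, onload=, ...)
    r"|javascript\s*:"                      # javascript: URIs in markdown links
    r"|data\s*:\s*text/html",               # data: URIs that render HTML
    re.IGNORECASE,
)
# Assumed access-log layout for this example: '<ts> <method> <path> body="<form body>"'.
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: body="(?P<body>.*)")?$')

# Constructed sample lines, not real FastapiAdmin logs.
SAMPLE_LOGS = [
    '2026-06-09T10:00:01Z POST /system/notice/create body="notice_title=Maint&notice_content=%23+Downtime+tonight"',
    '2026-06-09T10:02:15Z POST /system/notice/create body="notice_title=Hi&notice_content=%3Cimg+src%3Dx+onerror%3Dhandler()%3E"',
    '2026-06-09T10:03:40Z POST /system/notice/create body="notice_title=Hi&notice_content=[help](javascript:handler())"',
    '2026-06-09T10:05:00Z GET /system/notice/list',
]

def scan_log_line(line):
    """Return (timestamp, matched text) for a suspicious notice creation, else None."""
    m = LOG_LINE.match(line)
    if not m or m["method"] != "POST" or m["path"] != "/system/notice/create" or not m["body"]:
        return None
    # parse_qs percent-decodes the form body, so encoded tags (%3Cimg) are inspected decoded.
    for content in parse_qs(m["body"], keep_blank_values=True).get("notice_content", []):
        hit = SUSPICIOUS.search(content)
        if hit:
            return (m["ts"], hit.group(0))
    return None

def scan_logs(lines):
    """Scan a log stream; returns one (timestamp, matched text) tuple per flagged request."""
    return [hit for hit in map(scan_log_line, lines) if hit]

if __name__ == "__main__":
    for ts, what in scan_logs(SAMPLE_LOGS):
        print(f"{ts} suspicious notice_content: {what!r}")
```

The same SUSPICIOUS pattern can be run over the stored notice_content column to implement the periodic database scan.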
Monitoring Recommendations
- Alert on administrator sessions that generate anomalous API calls immediately after rendering notice pages
- Monitor for newly created notice records authored by low-privilege or unauthenticated accounts
- Track CSP violation reports for script-src and img-src directives sourced from the notice rendering path
How to Mitigate CVE-2026-36725
Immediate Actions Required
- Restrict access to /system/notice/create to authenticated administrators and audit existing notice records for malicious markup
- Purge stored notice entries containing raw HTML or javascript: URIs and reset sessions for users who viewed affected notices
- Apply a strict Content Security Policy that disallows inline scripts on pages rendering notice content
Patch Information
No vendor patch has been referenced in the public CVE record at the time of writing. Consult the GitHub vulnerability repository for the latest remediation guidance and monitor the FastapiAdmin project for an updated release beyond v2.2.0.
Workarounds
- Sanitize notice_content server-side using a markdown renderer configured to disable raw HTML, or post-process output with a library such as bleach or DOMPurify
- Encode HTML special characters in notice content before rendering and disallow javascript: URIs in markdown links
- Implement a strict Content Security Policy with script-src 'self' and no unsafe-inline directive on administrative views
# Example CSP header for the FastapiAdmin reverse proxy
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
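The server-side post-processing workaround, as an added example rather than FastapiAdmin's own code: an allowlist sanitizer built on the standard library's HTMLParser, run over the HTML the markdown renderer emits. It keeps only a small set of formatting tags, drops every event-handler attribute, and rejects href/src values whose scheme is not http, https, mailto or relative, so javascript: and data: URIs are removed even when obfuscated with whitespace or entity encoding. The tag and attribute allowlist is an assumed policy for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist policy assumed for this example; it is not FastapiAdmin's own configuration.
ALLOWED_TAGS = {"p", "br", "strong", "em", "code", "pre", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" covers relative URLs

def url_is_safe(value):
    # Strip whitespace/control characters so "java\tscript:" is caught; HTMLParser has
    # already decoded entity-encoded schemes before the value reaches this check.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

# Re-emits rendered HTML keeping only allowlisted tags, attributes and URL schemes.
class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = 0        # > 0 while inside <script>/<style>: their text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1
            return
        if tag not in ALLOWED_TAGS:
            return               # unknown tag is dropped, its text content is kept
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue         # drops onerror=, onload=, style= and any other attribute
            if name in ("href", "src") and not url_is_safe(value):
                continue         # drops javascript: and data: URIs
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
        elif tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

def sanitize_rendered_html(html):
    # Run over the markdown renderer's output before it is stored or served.
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

HTML comments, declarations and unknown tags are dropped because the parser's default handlers for them emit nothing; the text inside an unknown tag is preserved, escaped.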
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.