PT-2026-31470 · Unfurl +2
Mobasi-Team · Published 2026-04-08 · Updated 2026-04-09
CVE-2026-40035
CVSS v3.1: 9.1 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Unfurl versions through 2025.08
Description
Unfurl through 2025.08 has an improper input validation issue in its config parsing that causes Flask debug mode to be enabled by default. The debug configuration value is read as a string and passed directly to app.run(), so any non-empty string, even "False", evaluates as truthy. This allows attackers to reach the Werkzeug debugger and potentially disclose sensitive information or achieve remote code execution.
Recommendations
Update to a version later than 2025.08.
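The string-to-truthiness flaw described above, shown as an added example next to a strict boolean parser (this is illustrative code, not Unfurl's own; the config section and key names, and the sample config, are assumptions made for the example):

```python
import configparser

# Constructed sample config (not Unfurl's real config file); the section and
# key names are assumptions made for this example.
SAMPLE_CONFIG = """
[UNFURL_APP]
debug = False
"""

TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off", ""}


def read_debug_raw(config_text: str) -> str:
    """Return the debug value exactly as configparser yields it: a string."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return cp.get("UNFURL_APP", "debug")


def weak_debug_setting(config_text: str = SAMPLE_CONFIG) -> bool:
    """The vulnerable pattern: the raw string goes to app.run(debug=...),
    and Flask only checks its truthiness. "False" is non-empty, so debug is on."""
    return bool(read_debug_raw(config_text))


def parse_debug_flag(raw) -> bool:
    """Hardened parsing: accept only explicit boolean spellings and fail
    loudly on anything else instead of silently enabling the debugger."""
    if isinstance(raw, bool):
        return raw
    value = str(raw).strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"debug must be a boolean, got {raw!r}")


def hardened_debug_setting(config_text: str = SAMPLE_CONFIG) -> bool:
    """Same config, parsed strictly; configparser's getboolean() does the
    same job for the common spellings and is the idiomatic fix."""
    return parse_debug_flag(read_debug_raw(config_text))


if __name__ == "__main__":
    print("weak:    ", weak_debug_setting())      # True  -> debugger exposed
    print("hardened:", hardened_debug_setting())  # False
```

Running the block with the sample config shows the two outcomes side by side: the weak path enables the debugger even though the file says `debug = False`, while the strict parser keeps it off and rejects unrecognised values outright.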
Affected Products
Flask
Unfurl
Werkzeug