CVE-2026-40035

9.1 CRITICAL
Published: April 08, 2026 Modified: April 13, 2026
View on NVD

Description

Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing attackers to access the Werkzeug debugger and disclose sensitive information or achieve remote code execution.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-vg9h-jx4v-cwx2
Source: disclosure@vulncheck.com
https://www.vulncheck.com/advisories/dfir-unfurl-werkzeug-debugger-exposure-via-string-config-parsing
Source: disclosure@vulncheck.com
https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-vg9h-jx4v-cwx2
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.1 / 10.0
EPSS (Exploit Probability)
0.1%
28th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-489

Related CVEs

CVE-2026-5307 N/A
CVE-2026-2450 N/A
CVE-2024-9168 N/A
CVE-2026-2449 N/A
CVE-2026-2332 7.4