CVE-2026-40035

Exploit

EPSS 0.56%
Veröffentlicht 08.04.2026 21:35:27
Zuletzt bearbeitet 17.04.2026 16:03:26
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

Unfurl - Werkzeug Debugger Exposure via String Config Parsing

Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing attackers to access the Werkzeug debugger and disclose sensitive information or achieve remote code execution.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ryandfir ≫ Unfurl Version <= 2025.08

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.56%	0.419

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
disclosure@vulncheck.com	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE-489 Active Debug Code

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-vg9h-jx4v-cwx2

Vendor Advisory

Exploit

https://www.vulncheck.com/advisories/dfir-unfurl-werkzeug-debugger-exposure-via-string-config-parsing

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-40035

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40035

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40035

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-40035