🌐
Snyk
security.snyk.io › snyk vulnerability database › pip
flask | Snyk
Security vulnerabilities and package health score for pip package flask
🌐
Flask
flask.palletsprojects.com › en › stable › web-security
Security Considerations — Flask Documentation (3.1.x)
In Flask 0.10 and lower, jsonify() did not serialize top-level arrays to JSON. This was because of a security vulnerability in ECMAScript 4.
Discussions

How to secure a flask app
A good start for security is always the OWASP top 10. https://owasp.org/Top10/ XSS is of course in the top 10. More on reddit.com
🌐 r/flask
11
24
July 28, 2022
How can I test for vulnerabilities in Flask?
We test with free tools, Snyk and Trivy. They have VS Code extensions too. I also work in Docker and Kubernetes security if you need help. More on reddit.com
🌐 r/learnpython
3
4
January 6, 2022
Injection Attacks Against Flask [blog]

The first point about template injection almost seemed like it was going somewhere, but actually feels like a no-brainer to avoid, since every Flask/Jinja tutorial under the sun is going to tell you to use curly-brace placeholders in your templates, and not Python's built-in substitution operators/methods.

When I think vulnerabilities, I think of something inherently flawed with the design and implementation of something that can be easily exploited, even when used perfectly as intended. For example, if there was a way for someone to inject code into the template even when used with all common sense template syntax and loading techniques.

Since Jinja/Flask were designed to handle untrusted input sanitization well, this is more of a "gotcha" than a "vulnerability." If you use the tools available to you appropriately, it's not a problem. If you misuse or don't use the tools available to you, you risk accidentally creating vulnerabilities unnecessarily. That sort of goes without saying.

More on reddit.com
🌐 r/flask
4
16
December 8, 2015
How safe are the sessions that come with Python's Flask framework?

Generally there is a secret key known to the server that is used to sign the session. You cannot modify the session without the signature becoming invalid, and the only way to properly sign a mutated session would be if the attacker had access to the secret key stored on the server.

Generally it's recommended that the key be 40 bytes (320 bits) of random data, but it could be much more. You would have to somehow guess that value to fake a session.

You shouldn't ever put any sensitive information inside those sessions, as they are NOT encrypted and anyone could decode them. The real protection you are afforded is that an attacker (or normal user) cannot modify that data, and you can be reasonably sure the data can only be modified by your code.

more info: https://blog.paradoxis.nl/defeating-flasks-session-management-65706ba9d3ce

More on reddit.com
🌐 r/blackhat
6
36
January 15, 2020
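The three properties the post above describes (anyone can decode the cookie, nobody can alter it without the key, whoever holds the key can mint any session) are easiest to see with the cookie format in hand. The block below is an added, stand-alone illustration, not Flask's or itsdangerous' code: it re-implements the payload.timestamp.signature layout of a signed-but-unencrypted cookie, modeled on the itsdangerous URLSafeTimedSerializer that Flask configures (salt `cookie-session`, HMAC key derivation, SHA-1), and then runs the client-side peek, a tamper attempt, a forgery with a leaked key, and a replay past `max_age`. `SECRET_KEY`, `NOW` and the session contents are constructed for the example; the class name and helpers are mine.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_payload(payload: str) -> dict:
    """Read the session data. Needs no key: it is only base64 (optionally zlib) JSON."""
    if payload.startswith("."):  # a leading "." flags a zlib-compressed payload
        return json.loads(zlib.decompress(_b64d(payload[1:])))
    return json.loads(_b64d(payload))


def peek_session(cookie: str) -> dict:
    """What any client can do to its own cookie: drop timestamp and signature, decode."""
    return decode_payload(cookie.rsplit(".", 2)[0])


class SignedSessionSerializer:
    """Signed, unencrypted cookie laid out as payload.timestamp.signature (URL-safe base64).
    Modeled on the itsdangerous URLSafeTimedSerializer Flask configures (salt 'cookie-session',
    HMAC key derivation, SHA-1). Added illustration, not Flask's or itsdangerous' code."""

    def __init__(self, secret_key: bytes, salt: bytes = b"cookie-session", max_age: int = 31 * 86400):
        self.key = hmac.new(secret_key, salt, hashlib.sha1).digest()  # derived signing key
        self.max_age = max_age

    def _sign(self, value: str) -> str:
        return _b64e(hmac.new(self.key, value.encode("ascii"), hashlib.sha1).digest())

    def dumps(self, data: dict, now=None) -> str:
        raw = json.dumps(data, separators=(",", ":")).encode("utf-8")
        packed = zlib.compress(raw)
        payload = "." + _b64e(packed) if len(packed) < len(raw) - 1 else _b64e(raw)
        ts = int(time.time() if now is None else now)
        value = f"{payload}.{_b64e(ts.to_bytes((ts.bit_length() + 7) // 8, 'big'))}"
        return f"{value}.{self._sign(value)}"

    def loads(self, cookie: str, now=None) -> dict:
        value, _, sig = cookie.rpartition(".")
        if not hmac.compare_digest(self._sign(value), sig):
            raise ValueError("bad signature")  # tampered, or signed under another key
        payload, _, ts_b64 = value.rpartition(".")
        ts = int.from_bytes(_b64d(ts_b64), "big")
        if (time.time() if now is None else now) - ts > self.max_age:
            raise ValueError("session expired")
        return decode_payload(payload)


SECRET_KEY = b"constructed-demo-key-not-for-production"  # constructed; real keys come from secrets.token_bytes()
NOW = 1_700_000_000  # fixed clock so the run is reproducible


def _rejected(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


def demo_results() -> dict:
    server = SignedSessionSerializer(SECRET_KEY)
    cookie = server.dumps({"user_id": 7, "role": "user"}, now=NOW)

    # Integrity: keep the server's timestamp and signature, swap in an "admin" payload.
    _, ts_b64, sig = cookie.rsplit(".", 2)
    admin_payload = _b64e(json.dumps({"user_id": 7, "role": "admin"}, separators=(",", ":")).encode())
    tampered = f"{admin_payload}.{ts_b64}.{sig}"

    # Key compromise: whoever holds SECRET_KEY mints sessions the server accepts.
    forged = SignedSessionSerializer(SECRET_KEY).dumps({"user_id": 7, "role": "admin"}, now=NOW)

    return {
        "peeked_role": peek_session(cookie)["role"],  # readable with no key at all
        "verified_role": server.loads(cookie, now=NOW + 60)["role"],
        "tamper_detected": _rejected(lambda: server.loads(tampered, now=NOW + 60)),
        "forged_with_key_role": server.loads(forged, now=NOW + 60)["role"],
        "replay_after_max_age_detected": _rejected(
            lambda: SignedSessionSerializer(SECRET_KEY, max_age=3600).loads(cookie, now=NOW + 7200)),
    }
```

`peek_session` is the whole point of "do not put secrets in the session": it needs nothing but the cookie. The signature only answers "did my server emit this", which is why the key must be long, random and never committed, and why a leaked key is equivalent to a full account takeover for every user.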
🌐
Vulmon
vulmon.com › home › search results
flask vulnerabilities and exploits
The tsileo/flask-yeoman repository through 2013-09-13 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. ... Recommendations: authentication bypass, CVE-2026-4681, command injection, CVE-2026-5026, cross-site request forgery, CVE-2026-3055, CVE-2026-33755, CVE-2026-30534, CVE-2026-30304 ... Vulmon Search is a vulnerability search engine.
🌐
CVE Details
cvedetails.com › product › 57169 › Palletsprojects-Flask.html
Palletsprojects Flask security vulnerabilities, CVEs, versions and CVE reports
This page lists vulnerability statistics for all versions of Palletsprojects » Flask. Vulnerability statistics provide a quick overview for security vulnerabilities of Flask.
🌐
Escape Tech
escape.tech › home › blog
How to protect your Flask applications ⎜Escape Blog
April 14, 2025 - Flask makes use of third-party ... applications become vulnerable to a range of exploits, including injection attacks, cross-site scripting (XSS), and data breaches....
🌐
Medium
medium.com › swlh › hacking-flask-applications-939eae4bffed
Hacking Flask Applications. Executing arbitrary commands using the… | by Vickie Li | The Startup | Medium
February 18, 2020 - Flask began as a wrapper around Jinja and Werkzeug. The vulnerability that we are going to discuss today is caused by Werkzeug.
🌐
StackHawk
stackhawk.com › stackhawk, inc. › vulnerabilities and remediation › server-side template injection: a developer's guide
Finding and Fixing SSTI Vulnerabilities in Flask (Python) With StackHawk
August 8, 2024 - Below is an example of a simple Flask application with an SSTI vulnerability. This application allows users to input their name, which is then rendered in a greeting message using Jinja2 templating. However, it embeds the user input into the template without proper sanitization or escaping, leading to a potential Server-Side Template Injection (SSTI) vulnerability in Jinja2.
🌐
Acunetix
acunetix.com › vulnerabilities › web › flask-debug-mode
Flask debug mode - Vulnerabilities - Acunetix
This debugger allows execution of arbitrary Python code on the server, presenting a critical security vulnerability. While the interactive debugger has limitations in forking environments commonly used in production, it still provides attackers with a direct mechanism to execute code on the server.
🌐
CVE Details
cvedetails.com › vulnerability-list › vendor_id-24664 › product_id-95501 › Flask-security-Project-Flask-security.html
Flask-security Project Flask-security : Security vulnerabilities, CVEs
May 17, 2021 - This affects all versions of package Flask-Security. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple backslashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behaviour of Werkzeug is modified using 'autocorrect_location_header=False'.
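The `\\\evil.com/path` bypass in the entry above works because of a parser mismatch: a server-side URL parser sees no scheme and no host, so the target looks like a relative path, while the browser that receives the `Location` header treats backslashes as forward slashes and resolves it as `//evil.com/path`. The block below is an added example in Python's standard library, not Flask-Security's code: a naive "no scheme, no netloc" validator that the payload passes, beside a check that normalises the way the browser will before deciding. `allowed_hosts` and the test URLs are constructed for the example.

```python
from urllib.parse import urlsplit


def naive_is_local_url(target: str) -> bool:
    """The flawed check: 'no scheme and no netloc, so it must be a relative path'.
    urlsplit() only recognises '//' as the start of an authority, never '\\'."""
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def is_safe_redirect(target: str, allowed_hosts: frozenset = frozenset()) -> bool:
    """Hardened check: decide on the URL the browser will see, not the one the parser sees."""
    candidate = target.strip()
    # Reject embedded whitespace/control characters instead of guessing how a client strips them.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in candidate):
        return False
    # Browsers following the WHATWG URL parser treat "\" as "/" in http(s) URLs; mirror that first.
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative target: http(s) to an allow-listed host only.
        # Compare hostname, not netloc: "https://good.com@evil.com/" has netloc "good.com@evil.com".
        return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts
    # Relative target: exactly one leading "/" ("//..." and "///..." resolve to another host).
    return candidate.startswith("/") and not candidate.startswith("//")


# Constructed inputs: the CVE's shape, a single-backslash variant, and ordinary targets.
PAYLOADS = ["\\\\\\evil.com/path", "/\\evil.com", "//evil.com/path"]
LEGIT = ["/dashboard?next=1", "  /account  "]
```

Both `PAYLOADS[0]` and `PAYLOADS[1]` pass `naive_is_local_url` and fail `is_safe_redirect`. The page notes that Werkzeug's default `autocorrect_location_header` behaviour rewrites the `Location` header onto the request host, which is what made stock deployments safe; a validator that normalises backslashes itself does not depend on which WSGI server ends up in front of the app.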
🌐
IBM
ibm.com › support › pages › security-bulletin-vulnerability-flask-and-python-affects-ibm-spectrum-protect-plus-microsoft-file-systems-backup-and-restore-cve-2021-33026-cve-2022-0391
Security Bulletin: Vulnerability in Flask and Python affects IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2021-33026, CVE-2022-0391)
March 11, 2022 - CVEID: CVE-2021-33026 DESCRIPTION: Flask-Caching extension for Flask could allow a local authenticated attacker to gain elevated privileges on the system, caused by an unsafe deserialization flaw in Pickle. By sending a specially-crafted payload, an authenticated attacker could exploit this ...
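The bulletin above attributes the Flask-Caching issue to deserialising cached values with pickle. The page does not say how a value reaches the cache, and the block below does not try to: it is an added, stand-alone illustration (not Flask-Caching's code) of why a pickle from a source you do not fully trust is code execution, placed beside the restricted-unpickler pattern from the Python documentation as a mitigation. `CacheEntryGadget`, both payload byte strings and the allow-list are constructed here; the gadget calls `os.getcwd()` so the run stays harmless.

```python
import builtins
import io
import os
import pickle


class CacheEntryGadget:
    """Constructed attacker object. On unpickling, the runtime calls os.getcwd() instead of
    rebuilding an instance; any importable callable (e.g. os.system) could stand in its place."""

    def __reduce__(self):
        return (os.getcwd, ())


EVIL_PAYLOAD = pickle.dumps(CacheEntryGadget())                       # a poisoned cache slot
BENIGN_PAYLOAD = pickle.dumps({"user_id": 42, "roles": ["viewer"]})  # what the cache should hold


def unsafe_load(blob: bytes):
    """pickle.loads() as-is: trusts every GLOBAL opcode in the stream."""
    return pickle.loads(blob)


def unsafe_load_executes_callable() -> bool:
    """True when the 'cache entry' came back as the result of calling os.getcwd()."""
    return unsafe_load(EVIL_PAYLOAD) == os.getcwd()


# Plain container and scalar types only; no functions, no classes from other modules.
SAFE_BUILTINS = frozenset({"dict", "list", "tuple", "set", "frozenset", "str", "bytes", "int", "float", "bool"})


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global except the allow-list above, so GLOBAL/STACK_GLOBAL cannot name a callable."""

    def find_class(self, module: str, name: str):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safe_load_rejects(blob: bytes) -> bool:
    try:
        safe_load(blob)
        return False
    except pickle.UnpicklingError:
        return True
```

The allow-list stops the gadget before the callable is even imported, but it is a containment measure: the durable fix for a cache or session store that other parties can write to is a data-only format such as JSON, so that deserialisation can never call anything.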
🌐
GitHub
github.com › lokori › flask-vuln
GitHub - lokori/flask-vuln: Pretty vulnerable flask app..
September 29, 2017 - Which means it hangs and sucks in a workshop setting. As a remedy, do something like this: set up an Ubuntu server on EC2, proper firewalls etc. ... This runs it through Gunicorn, which is a better implementation of a multi-threaded web server.
Starred by 22 users
Forked by 12 users
Languages   HTML 63.2% | Python 32.2% | Shell 2.5% | Dockerfile 2.1%
🌐
CVE Details
cvedetails.com › vulnerability-list › vendor_id-17201 › product_id-57169 › Palletsprojects-Flask.html
Palletsprojects Flask : Security vulnerabilities, CVEs
The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1.
🌐
Netapp
security.netapp.com › advisory › ntap-20230818-0006
CVE-2023-30861 Flask Vulnerability in NetApp Products
NetApp is an industry leader in developing and implementing product security standards. Learn how we can help you maintain the confidentiality, integrity, and availability of your data.
🌐
GitHub
github.com › topics › vulnerable-flask-app
vulnerable-flask-app · GitHub Topics · GitHub
It includes multiple types of vulnerabilities for you to practice exploiting. python flask penetration-testing flask-application vulnerable vulnerable-application vulnerable-flask-app
🌐
Snyk
snyk.io › blog › secure-python-flask-applications
How to secure Python Flask applications | Snyk
May 21, 2024 - The most common security risks for Flask include cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection. You can easily see on the Snyk Vulnerability Database some of the many security vulnerabilities found for the ...
🌐
NIST
nvd.nist.gov › vuln › detail › CVE-2023-49438
CVE-2023-49438 Detail - NVD