CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-40035

Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing attackers to access the Werkzeug debugger and disclose sensitive information or achieve remote code execution.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.001

EPSS Ranking 32.6%

CVSS Severity

CVSS v3 Score 9.1

References

https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-vg9h-jx4v-cwx2
https://www.vulncheck.com/advisories/dfir-unfurl-werkzeug-debugger-exposure-via-string-config-parsing
https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-vg9h-jx4v-cwx2

Products affected by CVE-2026-40035

Ryandfir » Unfurl » Version: Any

cpe:2.3:a:ryandfir:unfurl:*

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-40035

Products

Pricing

Contact Us