CVE-2026-40035

CRITICAL

Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing attackers to access the Werkzeug debugger and disclose sensitive information or achieve remote code execution.

CVSS v3.1 Score

9.1
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
NETWORK
Complexity
LOW
Privileges
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Published: 4/8/2026Modified: 4/17/2026

Related Intelligence (1)

CRITICALVulnerability

NVD CRITICAL: CVE-2026-40035 — Unfurl through 2025.08 contains an improper input validation vulnerability in co...

Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing attackers to access the Werkzeug debugger and disclose sensitive information or achieve remote code execution.

CVE-2026-40035
NIST NVD

References (3)

https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-vg9h-jx4v-cwx2ExploitVendor Advisoryhttps://www.vulncheck.com/advisories/dfir-unfurl-werkzeug-debugger-exposure-via-string-config-parsingThird Party Advisoryhttps://github.com/obsidianforensics/unfurl/security/advisories/GHSA-vg9h-jx4v-cwx2ExploitVendor Advisory