277 matches found
CVE-2025-32962
CVE-2025-32962 affects Flask-AppBuilder before 4.6.2. An unauthenticated attacker can trigger an open redirect by manipulating the HTTP Host header. The root cause is insufficient validation of redirect targets. The advisory notes that Flask-AppBuilder 4.6.2 introduces the FAB_SAFE_REDIRECT_HOSTS...
CVE-2025-32962 Flask-AppBuilder open redirect vulnerability using HTTP host injection
Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the FABSAFEREDIRECTHOSTS...
PT-2025-21650
Name of the Vulnerable Software and Affected Versions: Flask-AppBuilder versions prior to 4.6.2 Description: The issue allows a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the FAB SAFE REDIRECT HOS...
Flask-AppBuilder open redirect vulnerability using HTTP host injection
Flask-AppBuilder prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests...
Username Enumeration
Flask-AppBuilder is vulnerable to Username Enumeration. The vulnerability is due to differences in server response time when brute forcing login requests, allowing unauthenticated users to enumerate existing usernames...
CVE-2025-24023
Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3...
PYSEC-2025-15
Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3...
abi-ds-utils (=1.0.1), acryl-datahub-airflow-plugin (>=0.8.44.4 <=0.11.0rc1) +156 more potentially affected by CVE-2025-24023 via flask-appbuilder (>=1.10.0 <=4.5.2)
flask-appbuilder PYPI version =1.10.0, =0.8.44.4, =0.1.0rc3, =0.1.0, =2022.9.19, =0.2.1, =0.2.9b1, =1.0.7, =0.5.1, =0.2.0, =0.1.0, =1.0.0, =0.0.7, =0.0.1, =0.0.11 and more Source cves: CVE-2025-24023 Source advisory: OSV:PYSEC-2025-15...
CVE-2025-24023
Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3...
PYSEC-2025-15
Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3...
Information Exposure
Overview Flask-AppBuilder is a simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more. Affected versions of this package are vulnerable to Information Exposure due to observable...
abi-ds-utils (=1.0.1), acryl-datahub-airflow-plugin (>=0.10.5.2rc3 <=0.11.0rc1) +31 more potentially affected by CVE-2025-24023 via flask-appbuilder (>=4.1.2 <=4.5.2)
flask-appbuilder PYPI version =4.1.2, =0.10.5.2rc3, =0.2.1, =0.8.2, =0.3.1, =0.0.4, =0.0.1a0, =2.3.3, =1.0.0, =1.0.0rc1, =1.0.2, =1.0.0rc1, =1.8.1rc1 and more Source cves: CVE-2025-24023 Source advisory: SNYK:PYTHON-FLASKAPPBUILDER-9058045...
abi-ds-utils (=1.0.1), acryl-datahub-airflow-plugin (>=0.8.44.4 <=0.11.0rc1) +156 more potentially affected by CVE-2025-24023 via flask-appbuilder (>=1.10.0 <=4.5.2)
flask-appbuilder PYPI version =1.10.0, =0.8.44.4, =0.1.0rc3, =0.1.0, =2022.9.19, =0.2.1, =0.2.9b1, =1.0.7, =0.5.1, =0.2.0, =0.1.0, =1.0.0, =0.0.7, =0.0.1, =0.0.11 and more Source cves: CVE-2025-24023 Source advisory: OSV:GHSA-P8Q5-CVWX-WVWP...
Flask-AppBuilder Observable Response Discrepancy
Impact User enumeration in database authentication in Flask-AppBuilder = 3.0.0. Allows for a non authenticated user to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. Patches Upgrade to flask-appbuilder=4.5.3 Workarounds Downgrade...
GHSA-P8Q5-CVWX-WVWP Flask-AppBuilder Observable Response Discrepancy
Impact User enumeration in database authentication in Flask-AppBuilder = 3.0.0. Allows for a non authenticated user to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. Patches Upgrade to flask-appbuilder=4.5.3 Workarounds Downgrade...
CVE-2025-24023 Observable Response Discrepancy in flask-appbuilder
Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3...
CVE-2025-24023
CVE-2025-24023 affects Flask-AppBuilder prior to 4.5.3, where unauthenticated users can enumerate existing usernames by timing the login request response. This timing discrepancy constitutes a partial information disclosure vulnerability with low to medium impact as described in multiple sources....
CVE-2025-24023 Observable Response Discrepancy in flask-appbuilder
Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3...
CVE-2025-24023 Observable Response Discrepancy in flask-appbuilder
Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3...
Flask-AppBuilder Observable Response Discrepancy
User enumeration in database authentication in Flask-AppBuilder = 3.0.0. Allows for a non authenticated user to enumerate existing usernames by timing the response time from the server when brute forcing requests to login...