Unfurl's debug mode cannot be disabled due to string config parsing (Werkzeug debugger exposure)

Summary The Unfurl web app enables Flask debug mode even when configuration sets debug = False. The config value is read as a string and passed directly to app.rundebug=..., so any non-empty string evaluates truthy. This leaves the Werkzeug debugger active by default. Details - unfurl/app.py:weba...

GHSA-VG9H-JX4V-CWX2 Unfurl's debug mode cannot be disabled due to string config parsing (Werkzeug debugger exposure)

Summary The Unfurl web app enables Flask debug mode even when configuration sets debug = False. The config value is read as a string and passed directly to app.rundebug=..., so any non-empty string evaluates truthy. This leaves the Werkzeug debugger active by default. Details - unfurl/app.py:weba...

EUVD-2025-50823

Parse Server allows public explain queries which may expose sensitive database performance information and schema details...

GHSA-7CX5-254X-CGRQ Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details

Impact The MongoDB explain method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Parse Server permits any client to execute explain queries without requiring the master key. This exposes: - Database schema...

CVE-2025-64502

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB explain method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to version 8.5.0-alpha....

UBUNTU-CVE-2024-6221

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the Access-Control-Allow-Private-Network CORS header to be set to true by default. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches,...

PYSEC-2024-71

A vulnerability in corydolphin/flask-cors up to version 4.0.1 allows the Access-Control-Allow-Private-Network CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant...

SUSE CVE-2021-41228

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's savedmodelcli tool is vulnerable to a code injection as it calls eval on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given...

PYSEC-2021-420

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's savedmodelcli tool is vulnerable to a code injection as it calls eval on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given...

PYSEC-2021-835

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's savedmodelcli tool is vulnerable to a code injection as it calls eval on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given...

PYSEC-2021-420

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's savedmodelcli tool is vulnerable to a code injection as it calls eval on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given...

CVE-2021-41228

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's savedmodelcli tool is vulnerable to a code injection as it calls eval on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given...

PT-2019-15396 · Typestack · Class-Validator

Name of the Vulnerable Software and Affected Versions: class-validator versions 0.10.2 through 0.13.x Description: The validate input validation in class-validator can be bypassed because certain internal attributes can be overwritten via a conflicting name. Although there is an optional...