32 matches found
OPENSUSE-SU-2026:20885-1 Security update for python-Flask
This update for python-Flask fixes the following issue: - CVE-2026-27205: information disclosure due to Flask session not adding the Vary: Cookie header bsc1258700...
CVE-2026-44457
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be...
CVE-2026-44457 Hono: Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be...
CVE-2026-44457
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be...
GHSA-P77W-8QQV-26RM Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Summary Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. Details The Cache Middleware skips caching when...
Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Summary Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. Details The Cache Middleware skips caching when...
PT-2026-39327
Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.18 Description Cache Middleware fails to skip caching for responses that declare per-user variance using the Vary: Authorization or Vary: Cookie headers. While the middleware correctly skips caching for Vary: ,...
Security Bulletin: Flask Vary Cookie Header Vulnerability: Use of Cache Containing Sensitive Information Fixed in 3.1.3
Summary Flask is a Web Server Gateway Interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not t...
OESA-2026-2137 python-flask security update
Flask is a lightweight WSGI web application framework. It is designed to make getting started quick and easy, with the ability to scale up to complex applications. It began as a simple wrapper around Werkzeug and Jinja and has become one of the most popular Python web application frameworks...
OESA-2026-2136 python-flask security update
Flask is a lightweight WSGI web application framework. It is designed to make getting started quick and easy, with the ability to scale up to complex applications. It began as a simple wrapper around Werkzeug and Jinja and has become one of the most popular Python web application frameworks...
Security update for python-Flask
This update for python-Flask fixes the following issue: CVE-2026-27205: information disclosure due to Flask session not adding the Vary: Cookie header bsc1258700. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch"...
SUSE-SU-2026:0849-1 Security update for python-Flask
This update for python-Flask fixes the following issue: - CVE-2026-27205: information disclosure due to Flask session not adding the Vary: Cookie header bsc1258700...
Sensitive Information Exposure
Flask is vulnerable to Sensitive Information Exposure. The vulnerability is due to incomplete handling of the Vary: Cookie header when accessing the session object, where certain access patterns e.g., using the in operator fail to mark responses as user-specific, allowing caching proxies to store...
SUSE CVE-2026-27205
Flask is a Web Server Gateway Interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...
CVE-2026-27205
Flask is a Web Server Gateway Interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...
CVE-2026-27205
CVE-2026-27205 – Flask cache-related information disclosure (root cause: Vary: Cookie not set when session accessed) Affected: Flask 3.1.2 and below. In these versions, accessing the session object may cause a response to be cached with user-specific data, as the Vary: Cookie header is not consis...
CVE-2026-27205
Flask is a Web Server Gateway Interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...
CVE-2026-27205 Flask session does not add `Vary: Cookie` header when accessed in some ways
Flask is a Web Server Gateway Interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...
CVE-2026-27205 Flask session does not add `Vary: Cookie` header when accessed in some ways
Flask is a Web Server Gateway Interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...
CVE-2026-27205 Flask session does not add `Vary: Cookie` header when accessed in some ways
Flask is a Web Server Gateway Interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...