20 matches found

OSV (added 2026/06/02 5:26 p.m., 4 views)

OPENSUSE-SU-2026:20885-1 Security update for python-Flask

This update for python-Flask fixes the following issue: - CVE-2026-27205: information disclosure due to Flask session not adding the Vary: Cookie header (bsc#1258700)...

CVSS 4.3, AI score 5.8, EPSS 0.00374
Exploits 0, References 2
IBM Security Bulletins (added 2026/05/04 12:50 p.m., 9 views)

Security Bulletin:Flask Vary Cookie Header Vulnerability: Use of Cache Containing Sensitive Information Fixed in 3.1.3

Summary: Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header but does not in some cases, resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not t...

CVSS 4.3, AI score 5.8, EPSS 0.00374
Exploits 0, Affected Software 1
OSV (added 2026/05/03 9:55 a.m., 8 views)

OESA-2026-2136 python-flask security update

Flask is a lightweight WSGI web application framework. It is designed to make getting started quick and easy, with the ability to scale up to complex applications. It began as a simple wrapper around Werkzeug and Jinja and has become one of the most popular Python web application frameworks...

CVSS 4.3, AI score 5.7, EPSS 0.00374
Exploits 0, References 2
SUSE Linux (added 2026/03/09 10:13 a.m., 5 views)

Security update for python-Flask

This update for python-Flask fixes the following issue: CVE-2026-27205: information disclosure due to Flask session not adding the Vary: Cookie header (bsc#1258700). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online update or "zypper patch"...

CVSS 6.5, AI score 5.8, EPSS 0.00374
Exploits 0, References 4
OSV (added 2026/03/09 10:13 a.m., 3 views)

SUSE-SU-2026:0849-1 Security update for python-Flask

This update for python-Flask fixes the following issue: - CVE-2026-27205: information disclosure due to Flask session not adding the Vary: Cookie header (bsc#1258700)...

CVSS 4.3, AI score 5.8, EPSS 0.00374
Exploits 0, References 3
Veracode (added 2026/02/28 5:12 a.m., 17 views)

Sensitive Information Exposure

Flask is vulnerable to Sensitive Information Exposure. The vulnerability is due to incomplete handling of the Vary: Cookie header when accessing the session object, where certain access patterns (e.g., using the `in` operator) fail to mark responses as user-specific, allowing caching proxies to store...

CVSS 4.3, AI score 5.7, EPSS 0.00374
Exploits 0, References 3, Affected Software 1
SUSE CVE (added 2026/02/24 12:24 a.m., 2 views)

SUSE CVE-2026-27205

Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header but does not in some cases, resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...

CVSS 6.5, AI score 5.7, EPSS 0.00374
Exploits 0, References 5
UbuntuCve (added 2026/02/21 6:17 a.m., 7 views)

CVE-2026-27205

Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header but does not in some cases, resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...

CVSS 4.3, AI score 6.5, EPSS 0.00374
Exploits 0, References 4
CVE (added 2026/02/21 5:21 a.m., 114 views)

CVE-2026-27205

CVE-2026-27205: Flask cache-related information disclosure (root cause: Vary: Cookie not set when session accessed). Affected: Flask 3.1.2 and below. In these versions, accessing the session object may cause a response to be cached with user-specific data, as the Vary: Cookie header is not consis...

CVSS 4.3, AI score 5.5, EPSS 0.00374
Exploits 0, References 3, Affected Software 1
ATTACKERKB (added 2026/02/21 5:21 a.m., 6 views)

CVE-2026-27205

Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header but does not in some cases, resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...

CVSS 2.3, AI score 5.5, EPSS 0.00374
Exploits 0, References 4, Affected Software 1
Github Security Blog (added 2026/02/19 8:45 p.m., 10 views)

Flask session does not add `Vary: Cookie` header when accessed in some ways

When the session object is accessed, Flask should set the Vary: Cookie header. This instructs caches not to cache the response, as it may contain information specific to a logged-in user. This is handled in most cases, but some forms of access, such as the Python `in` operator, were overlooked. The...

CVSS 4.3, AI score 5.5, EPSS 0.00374
Exploits 0, References 5, Affected Software 1
OSV (added 2026/02/19 8:45 p.m., 6 views)

GHSA-68RP-WP8R-4726 Flask session does not add `Vary: Cookie` header when accessed in some ways

When the session object is accessed, Flask should set the Vary: Cookie header. This instructs caches not to cache the response, as it may contain information specific to a logged-in user. This is handled in most cases, but some forms of access, such as the Python `in` operator, were overlooked. The...

CVSS 2.3, AI score 5.9, EPSS 0.00374
Exploits 0, References 5
Positive Technologies (added 2026/02/19 12:00 a.m., 9 views)

PT-2026-21353

Name of the Vulnerable Software and Affected Versions: Flask versions 3.1.2 and below. Description: Flask, a web server gateway interface (WSGI) web application framework, may improperly handle caching when accessing the session object. Specifically, it may fail to set the 'Vary: Cookie' header,...

CVSS 4.3, AI score 5.8, EPSS 0.00374
Exploits 0, References 191
RedHat Linux (added 2023/06/05 6:53 p.m., 3 views)

flask: Possible disclosure of permanent session cookie due to missing Vary: Cookie header

A flaw was found in the Python Flask package. A cached response may contain data for one client that a proxy then sends to other clients, including session cookies, compromising the confidentiality of the data contained in the leaked requests or cookies. This happens when the following conditions ar...

CVSS 7.5, AI score 7.1, EPSS 0.01261
Exploits 1, References 6
RedHat Linux (added 2023/06/05 6:53 p.m., 5 views)

flask: Possible disclosure of permanent session cookie due to missing Vary: Cookie header

A flaw was found in the Python Flask package. A cached response may contain data for one client that a proxy then sends to other clients, including session cookies, compromising the confidentiality of the data contained in the leaked requests or cookies. This happens when the following conditions ar...

CVSS 7.5, AI score 7.1, EPSS 0.01261
Exploits 1, References 6
Veracode (added 2023/05/04 3:01 a.m., 45 views)

Information Disclosure

flask is vulnerable to Information Disclosure. The vulnerability exists due to the missing Vary: Cookie header in the save_session function of sessions.py, which leads to the disclosure of the session cookie, or to data being sent to a client who did not make the request...

CVSS 7.5, AI score 7.1, EPSS 0.01261
Exploits 1, References 9, Affected Software 2
OSV (added 2023/05/01 7:22 p.m., 2 views)

GHSA-M2QF-HXJV-5GPQ Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header

When all of the following conditions are met, a response containing data intended for one client may be cached and subsequently sent by a proxy to other clients. If the proxy also caches Set-Cookie headers, it may send one client's session cookie to other clients. The severity depends on the...

CVSS 8.7, AI score 7, EPSS 0.01261
Exploits 1, References 11
SUSE CVE (added 2023/02/15 5:31 a.m., 4 views)

SUSE CVE-2014-1418

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers...

CVSS 6.4, AI score 6.7, EPSS 0.02546
Exploits 0, References 4
OSV (added 2014/05/16 3:55 p.m., 3 views)

DEBIAN-CVE-2014-1418

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers...

CVSS 6.4, AI score 6.3, EPSS 0.02546
Exploits 0, References 1
OSV (added 2014/05/14 12:00 a.m., 1 view)

UBUNTU-CVE-2014-1418

Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attackers to obtain sensitive information or poison the cache via a request from certain browsers...

CVSS 6.4, AI score 5.8, EPSS 0.02546
Exploits 0, References 5