
pallets — Vulnerabilities & Security Advisories (17)

Browse all 17 CVE security advisories affecting pallets. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Pallets serve as the foundational building blocks for Python web applications, providing essential micro-framework components for routing, templating, and request handling. Historically, these components have been susceptible to remote code execution, cross-site scripting, and privilege escalation vulnerabilities, often stemming from improper input validation and insecure default configurations. While no major public incidents have been widely documented, the 17 recorded CVEs highlight consistent security challenges in areas such as template rendering and session management. Developers must implement strict input sanitization and security hardening measures when integrating these components into production environments.

Top products: werkzeug, jinja, flask

Entries marked "(AI)" in the CVSS or Severity column are values the site flags as AI-generated rather than taken from the advisory; "-" means no value was listed.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-27205 | Flask session does not add `Vary: Cookie` header when accessed in some ways | flask | CWE-524 | 7.5 (AI) | High (AI) | 2026-02-21 |
| CVE-2026-27199 | Werkzeug safe_join() allows Windows special device names | werkzeug | CWE-67 | 7.5 (AI) | High (AI) | 2026-02-21 |
| CVE-2026-21860 | Werkzeug safe_join() allows Windows special device names with compound extensions | werkzeug | CWE-67 | 7.5 | - | 2026-01-08 |
| CVE-2025-66221 | Werkzeug safe_join() allows Windows special device names | werkzeug | CWE-67 | - | - | 2025-11-29 |
| CVE-2025-47278 | Flask uses fallback key instead of current signing key | flask | CWE-683 | 7.5 (AI) | High (AI) | 2025-05-13 |
| CVE-2025-27516 | Jinja sandbox breakout through attr filter selecting format method | jinja | CWE-1336 | 9.8 | - | 2025-03-05 |
| CVE-2024-56326 | Jinja has a sandbox breakout through indirect reference to format method | jinja | CWE-1336 | 8.8 | - | 2024-12-23 |
| CVE-2024-56201 | Jinja has a sandbox breakout through malicious filenames | jinja | CWE-150 | 8.1 | - | 2024-12-23 |
| CVE-2024-49767 | Werkzeug possible resource exhaustion when parsing file data in forms | werkzeug | CWE-400 | 7.5 | - | 2024-10-25 |
| CVE-2024-49766 | Werkzeug safe_join not safe on Windows | werkzeug | CWE-22 | 7.5 | - | 2024-10-25 |
| CVE-2024-34069 | Werkzeug's improper usage of a pathname and improper CSRF protection results in the remote command execution | werkzeug | CWE-352 | 7.5 | High | 2024-05-06 |
| CVE-2024-34064 | Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter | jinja | CWE-79 | 5.4 | Medium | 2024-05-06 |
| CVE-2024-22195 | Jinja vulnerable to Cross-Site Scripting (XSS) | jinja | CWE-79 | 5.4 | Medium | 2024-01-11 |
| CVE-2023-46136 | Werkzeug vulnerable to high resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning | werkzeug | CWE-407 | 8.0 | High | 2023-10-24 |
| CVE-2023-30861 | Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header | flask | CWE-539 | 7.5 | High | 2023-05-02 |
| CVE-2023-25577 | Werkzeug may allow high resource usage when parsing multipart form data with many fields | werkzeug | CWE-770 | 7.5 | High | 2023-02-14 |
| CVE-2023-23934 | Werkzeug's incorrect parsing of nameless cookies leads to __Host- cookies bypass | werkzeug | CWE-20 | 2.6 | Low | 2023-02-14 |

This page lists every published CVE security advisory associated with pallets. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.