CVE-2023-33175
CRITICALtoui 2.0.1-2.4.0 - Unauthenticated Remote Code Execution via Flask-Caching SimpleCache
Title source: llmDescription
ToUI is a Python package for creating user interfaces (websites and desktop apps) from HTML. ToUI is using Flask-Caching (SimpleCache) to store user variables. Websites that use `Website.user_vars` property. It affects versions 2.0.1 to 2.4.0. This issue has been patched in version 2.4.1.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/mubarakalmehairbi/ToUI/security/advisories/GHSA-hh7j-pg39-q563
Release Notes x_refsource_misc
https://github.com/mubarakalmehairbi/ToUI/releases/tag/v2.4.1
Scores
CVSS v3
9.1
EPSS
0.0065
EPSS Percentile
46.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-914
CWE-913
Status
published
Products (2)
pypi/toui
2.0.1 - 2.4.1PyPI
toui_project/toui
2.0.1 - 2.4.0
Published
May 30, 2023
Tracked Since
Feb 18, 2026