CVE-2023-49438

MEDIUM NUCLEI

Flask-Security-Too <=5.3.2 - Open Redirect via Next Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-49438. PoCs published by brandon-t-elliott. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2023-49438, an open redirect vulnerability in Flask-Security-Too <=5.3.2. It explains the bypass mechanism via URL normalization and includes mitigation strategies.

Description

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

Exploits (1)

nomisec WRITEUP 5 stars
by brandon-t-elliott · poc
https://github.com/brandon-t-elliott/CVE-2023-49438

This repository provides a detailed technical analysis of CVE-2023-49438, an open redirect vulnerability in Flask-Security-Too <=5.3.2. It explains the bypass mechanism via URL normalization and includes mitigation strategies.

Classification
Writeup 100%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Flask-Security-Too <=5.3.2
No auth needed
Prerequisites: Flask-Security-Too <=5.3.2 · Werkzeug >=2.1.0 (for increased impact)
devstral-2 · analyzed Feb 18, 2026 Full analysis →

Nuclei Templates (1)

Python Flask-Security-Too <=5.3.2 - Open Redirect
MEDIUMby ritikchaddha

References (4)

Core 4

Scores

CVSS v3 6.1
EPSS 0.1407
EPSS Percentile 94.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-601
Status published
Products (2)
flask-security-too_project/flask-security-too < 5.3.2
pypi/Flask-Security-Too 0 - 5.3.3PyPI
Published Dec 26, 2023
Tracked Since Feb 18, 2026