CVE-2026-40035
CRITICALUnfurl - Werkzeug Debugger Exposure via String Config Parsing
Title source: cnaDescription
Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing attackers to access the Werkzeug debugger and disclose sensitive information or achieve remote code execution.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
GHSA Advisory GHSA-vg9h-jx4v-cwx2
https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-vg9h-jx4v-cwx2
Third Party Advisory third-party-advisory
VulnCheck Advisory: dfir-unfurl - Werkzeug Debugger Exposure via String Config Parsing
https://www.vulncheck.com/advisories/dfir-unfurl-werkzeug-debugger-exposure-via-string-config-parsing
Scores
CVSS v3
9.1
EPSS
0.0056
EPSS Percentile
41.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-489
Status
published
Products (2)
obsidianforensics/unfurl
< 2025.08
ryandfir/unfurl
< 2025.08
Published
Apr 08, 2026
Tracked Since
Apr 09, 2026