Nixpkgs security tracker

Untriaged

Permalink CVE-2026-40035

9.1 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 6 days, 20 hours ago

Unfurl - Werkzeug Debugger Exposure via String Config Parsing

Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing attackers to access the Werkzeug debugger and disclose sensitive information or achieve remote code execution.

References

GHSA Advisory GHSA-vg9h-jx4v-cwx2 vendor-advisory
VulnCheck Advisory: dfir-unfurl - Werkzeug Debugger Exposure via String Config Parsing third-party-advisory

Affected products

dfir-unfurl

=<2025.08

Matching in nixpkgs

pkgs.unfurl

Pull out bits of URLs provided on stdin

nixos-unstable 0.4.3
- nixpkgs-unstable 0.4.3
- nixos-unstable-small 0.4.3
nixos-25.11 0.4.3
- nixos-25.11-small 0.4.3
- nixpkgs-25.11-darwin 0.4.3

Package maintainers

@figsoda figsoda <figsoda@pm.me>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.unfurl

Package maintainers