Vulnerability Description
Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing attackers to access the Werkzeug debugger and disclose sensitive information or achieve remote code execution.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ryandfir | Unfurl | <= 2025.08 |
Related Weaknesses (CWE)
References
- https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-vg9h-jx4v-cExploitVendor Advisory
- https://www.vulncheck.com/advisories/dfir-unfurl-werkzeug-debugger-exposure-via-Third Party Advisory
- https://github.com/obsidianforensics/unfurl/security/advisories/GHSA-vg9h-jx4v-cExploitVendor Advisory
FAQ
What is CVE-2026-40035?
CVE-2026-40035 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed dire...
How severe is CVE-2026-40035?
CVE-2026-40035 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-40035?
Check the references section above for vendor advisories and patch information. Affected products include: Ryandfir Unfurl.