CVE-2026-40035 CRITICAL

CVE-2026-40035: Unfurl - Werkzeug Debugger Exposure via String Config Parsing

Vendor Obsidianforensics
Product unfurl
Weakness CWE-489
Published April 8, 2026
Last update May 8, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), so any non-empty string evaluates as truthy regardless of what it was meant to say. This leaves the Werkzeug debugger reachable, allowing attackers to disclose sensitive information or achieve remote code execution.
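The root cause is a boolean flag that never gets converted from its string form. The following added example (not Unfurl's own code, and not taken from this record) assumes a flat configuration where a key such as `"debug"` holds a string read from a file or environment variable and is then handed to `app.run(debug=...)`. It contrasts the naive path, which only tests the string for truthiness, with a strict parser that maps an allowlist of words onto a real bool and rejects anything else, so a value like `"False"` or `"0"` can no longer switch the debugger on. Flask itself is not imported; the functions return the bool that would be passed to `app.run`.

```python
"""Added example: strict parsing of a debug flag read from config as a string.

Not Unfurl's code. Assumptions (constructed for this example): the config is a
flat mapping such as {"debug": "False"}, and the resulting bool would be passed
to Flask's app.run(debug=...).
"""

# Allowlists for the string forms a config file or environment variable might hold.
TRUE_WORDS = {"1", "true", "yes", "on"}
FALSE_WORDS = {"0", "false", "no", "off", ""}


def naive_debug_flag(raw):
    """The bug pattern: the raw config value is used as-is.

    app.run(debug=...) only tests the value for truthiness, so a non-empty
    string such as "False" or "0" still enables the Werkzeug debugger.
    """
    return bool(raw)


def strict_debug_flag(raw, default=False):
    """Hardened parser: convert a config value into a real bool.

    - real bools pass through unchanged
    - None (key missing) falls back to the default, which is off
    - strings are matched case-insensitively against the allowlists
    - anything else raises, so a typo can never silently enable debug
    """
    if isinstance(raw, bool):
        return raw
    if raw is None:
        return default
    if isinstance(raw, str):
        word = raw.strip().lower()
        if word in TRUE_WORDS:
            return True
        if word in FALSE_WORDS:
            return False
    raise ValueError(f"debug flag must be a boolean, got {raw!r}")


def audit_configs(values):
    """Compare both interpretations over a list of config values.

    Returns (raw, naive_result, strict_result) tuples; strict_result is the
    string "rejected" where the strict parser refused the value. This is the
    view a reviewer wants when checking which values the naive path mis-read.
    """
    rows = []
    for raw in values:
        try:
            strict = strict_debug_flag(raw)
        except ValueError:
            strict = "rejected"
        rows.append((raw, naive_debug_flag(raw), strict))
    return rows


if __name__ == "__main__":
    # Constructed sample values of the kind a config file or env var might hold.
    samples = ["False", "false", "0", "", "True", "yes", "maybe", None]
    for raw, naive, strict in audit_configs(samples):
        print(f"{raw!r:>10}  naive={naive!s:<5}  strict={strict}")
```

The strict parser fails closed on two fronts: a missing key yields `False`, and an unrecognised word raises instead of guessing. When reviewing similar code, look for any place a config string reaches `app.run(debug=...)`, `app.debug`, or `FLASK_DEBUG` handling without passing through a conversion like this one.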

Key dates

Disclosure timeline

April 8, 2026 CVE published
May 8, 2026 Record updated