All Flask CVEs — Complete Vulnerability History
Flask is Python's most popular microframework. CVEs in Flask itself are rare — most Flask-related vulnerabilities come through Werkzeug or Jinja2. The main direct CVE is a cookie bypass.
PyPI · 100M+ weekly downloads · 2 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2018-1000656 | 2018 | HIGH | DoS via large cookie value | Fixed 0.12.3 |
| CVE-2023-30861 | 2023 | HIGH | Secure cookie bypass via response manipulation | Fixed 2.3.2 |
Current safe version: 3.0.3
```
# Before
"Flask==2.0.0"
# After
"Flask==3.0.3"
```
Then run: `pip install -r requirements.txt`
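As an added example (not PackageFix's own tooling), a stdlib-only Python check that reads a requirements.txt or pyproject-style manifest and flags any Flask `==` pin older than the fixed versions listed in the table above. The manifest text and the `find_flask_cves` helper are constructed here for illustration.

```python
import re

# Fixed versions taken from the CVE table on this page.
FLASK_CVES = {
    "CVE-2018-1000656": "0.12.3",
    "CVE-2023-30861": "2.3.2",
}

# Matches `Flask==2.0.0`, and the quoted pyproject form `"Flask==2.0.0",`.
PIN_RE = re.compile(
    r'^\s*"?(?P<name>[A-Za-z0-9_.-]+)\s*==\s*(?P<ver>[0-9]+(?:\.[0-9]+)*)"?\s*,?\s*$'
)


def parse_version(text, width=3):
    """Turn '2.0' or '0.12.3' into a fixed-width tuple of ints so tuples compare correctly.

    Handles plain release versions only (no pre-release or local suffixes).
    """
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def find_flask_cves(manifest_text):
    """Return (pinned_version, cve_id, fixed_version) for every CVE a Flask pin is below.

    Blank lines, comments and non-Flask packages are ignored; package names are
    compared case-insensitively, as pip does.
    """
    hits = []
    for line in manifest_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = PIN_RE.match(line)
        if not match or match.group("name").lower() != "flask":
            continue
        pinned = parse_version(match.group("ver"))
        for cve_id, fixed in FLASK_CVES.items():
            if pinned < parse_version(fixed):
                hits.append((match.group("ver"), cve_id, fixed))
    return hits


if __name__ == "__main__":
    # Constructed sample manifest mirroring the "Before" snippet above.
    sample = '"Flask==2.0.0",\nrequests==2.31.0\n# Flask==0.12.0 (commented out)\n'
    for pinned, cve_id, fixed in find_flask_cves(sample):
        print(f"Flask=={pinned} is affected by {cve_id}; upgrade to >= {fixed}")
```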
Common questions
Does Flask have many CVEs?
Flask itself has very few direct CVEs — most Flask security issues come through its dependencies Werkzeug (routing, request handling) and Jinja2 (templates). Keep the entire Flask stack updated together.
What changed in CVE-2023-30861?
A response could be crafted to cause Flask to set cookies without the Secure flag even when configured to require it. Update to 2.3.2 or later.