
CVE-2026-40035 - Vulnerability Analysis

Critical | CVSS: 9.1

Last Updated: April 8, 2026

Unfurl - Remote Code Execution & Information Disclosure

Published: April 8, 2026 | Updated: April 8, 2026 | Remote Exploitable

Overview

Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. This lets attackers access the Werkzeug debugger to disclose sensitive information or execute code remotely. Exploitation requires crafted config input.

Severity & Score

Severity: Critical
CVSS Score: 9.1

Impact

Attackers can access debug tools to disclose sensitive information or execute code remotely, risking full system compromise.

Mitigation

Update to the latest version beyond 2025.08.
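
As a deployment-side check for this weakness class (CWE-489), the added example below contrasts a weak way of reading a debug flag with a strict one that defaults to off and refuses debug mode on a non-loopback bind. It is not Unfurl's code and does not reproduce its parser; the `[app]` section, the `host` and `debug` keys, and all function names are hypothetical.

```python
import configparser
import ipaddress

# Constructed sample configs; the [app] section and its keys are hypothetical.
SAMPLE_SAFE = "[app]\nhost = 127.0.0.1\ndebug = False\n"
SAMPLE_MISSING = "[app]\nhost = 0.0.0.0\n"
SAMPLE_GARBAGE = "[app]\nhost = 0.0.0.0\ndebug = maybe\n"
SAMPLE_EXPOSED = "[app]\nhost = 0.0.0.0\ndebug = True\n"


def naive_debug(text):
    """Weak pattern: the raw string is used as a flag, so "False" is truthy
    and a missing key falls back to debug being on."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return bool(cfg.get("app", "debug", fallback="True"))


def is_loopback(host):
    """True only for localhost or a loopback IP literal."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unknown hostnames are treated as externally reachable


def load_settings(text):
    """Strict pattern: debug defaults to off, must parse as a real boolean,
    and is rejected when the bind address is not loopback."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    host = cfg.get("app", "host", fallback="127.0.0.1")
    try:
        debug = cfg.getboolean("app", "debug", fallback=False)
    except ValueError as exc:
        raise ValueError("debug must be true/false") from exc
    if debug and not is_loopback(host):
        raise ValueError("refusing debug mode on non-loopback host " + host)
    return {"host": host, "debug": debug}
```

The resulting `debug` value is what would be handed to Flask's `app.run(host=..., debug=...)`; failing closed at load time keeps the Werkzeug debugger off any externally reachable interface.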

Details

CVE ID: CVE-2026-40035
Severity: Critical
CVSS Score: 9.1
Status: new

CWE

  • CWE-489

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N