Flask-Security-Too Project Flask-Security-Too vulnerabilities
4 known vulnerabilities affecting flask-security-too_project/flask-security-too.
Total CVEs: 4
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 2, LOW 1
Vulnerabilities
CVE-2021-32618 | Priority: P3 | Severity: LOW | Public exploit: PoC | Affected versions: ≥ 0, < 4.1.0 | Published: 2021-05-17
CVE-2021-32618 [LOW] CWE-601 Open Redirect in Flask-Security-Too
### Impact
Flask-Security allows redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL.
This check utilizes Python's urlsplit library. However, many browsers are very lenient on the kind of URL they accept
Sources: GHSA, OSV
CVE-2023-49438 | Priority: P4 | Severity: MEDIUM | CVSS: 6.1 | Public exploit: PoC | Affected versions: ≤ 5.3.2 | Published: 2023-12-26
CVE-2023-49438 [MEDIUM] CWE-601 CVE-2023-49438: An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to
An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.
Sources: GHSA, NVD, OSV
CVE-2021-21241 | Priority: P3 | Severity: HIGH | CVSS: 7.4 | Affected versions: ≥ 3.3.0, < 3.4.5 | Published: 2021-01-11
CVE-2021-21241 [HIGH] CWE-352 CVE-2021-21241: The Python "Flask-Security-Too" package is used for adding security features to your Flask applicati
The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. In Flask-Security-Too from version 3.3.0 and before version 3.4.5, the /login and /change endpoints can return the authenticated user's au
Sources: GHSA, NVD, OSV
CVE-2026-46715 | Severity: MEDIUM | Affected versions: ≥ 5.8.0, < 5.8.1 | Published: 2026-05-22
CVE-2026-46715 [MEDIUM] CWE-287 Flask-Security-Too OAuth reauthentication freshness bypass via cross-user OAuth identity acceptance
### Summary
Flask-Security-Too 5.8.0's OAuth reauthentication flow can mark a
session as fresh after verifying an OAuth account that belongs to a
different user.
If an attacker can operate an already-authenticated but stale victim
session, they can complete OAu
Sources: GHSA