Vulnerability in Pallets Flask

CVE-2026-27205

Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Informa…

EPSS: 0.000 (2.7th percentile)
