theinfosecnews

CVE-2026-40035

Published April 9, 2026 · Updated April 9, 2026

CVSS 9.1 (critical)

What This Means

CVE-2026-40035 is a critical vulnerability in Unfurl through version 2025.08 caused by improper input validation in configuration parsing. The debug setting is read from the configuration as a string and passed unchanged to Flask's app.run(), so any non-empty value, including "false" or "0", evaluates as true and Flask debug mode is effectively on by default. With debug mode on, the Werkzeug interactive debugger is reachable, which exposes stack traces and application internals and, where the debugger console can be reached, allows remote code execution. Security teams should confirm how their deployment sets the debug option, make sure debug mode is actually off in production (not merely set to a "false" string), restrict network exposure of the service, and apply the vendor fix when it is available.

Official Description

Unfurl through 2025.08 contains an improper input validation vulnerability in config parsing that enables Flask debug mode by default. The debug configuration value is read as a string and passed directly to app.run(), causing any non-empty string to evaluate truthy, allowing attackers to access the Werkzeug debugger and disclose sensitive information or achieve remote code execution.
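The flaw described above is a string-to-boolean coercion bug, and it is easier to reason about with the two parsing paths side by side. The following is an added example written for this page, not Unfurl's code: a hypothetical INI-style config (the [server] section and its keys are assumptions) is read once with the flawed pattern, where the raw string is handed to Flask's truthiness check, and once with a fail-closed parser that only accepts a known set of boolean spellings. A third helper lets an operator predict from an existing config whether an unpatched instance would expose the debugger beyond loopback.

```python
"""Added example: how a string-valued debug setting becomes truthy.

The config format, section and key names are hypothetical; they mimic the
pattern the advisory describes and are not taken from Unfurl.
"""
from __future__ import annotations

import configparser

# Constructed sample config: the operator believes debug is off.
SAMPLE_CONFIG = """
[server]
host = 127.0.0.1
port = 8080
debug = false
"""

TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off", ""}


def load_config(text: str) -> configparser.ConfigParser:
    """Parse an INI-style config from a string (no files, runs offline)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def debug_flag_vulnerable(cfg: configparser.ConfigParser) -> bool:
    """Mirror the flawed pattern: the raw string goes to app.run(debug=...).

    Flask evaluates the argument as a Python truth value, and "false" is a
    non-empty string, so the debugger ends up enabled.
    """
    raw = cfg.get("server", "debug", fallback="")
    return bool(raw)


def parse_bool(value: str) -> bool:
    """Strict boolean parser: only known spellings are accepted."""
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    raise ValueError(f"invalid boolean config value: {value!r}")


def debug_flag_hardened(cfg: configparser.ConfigParser) -> bool:
    """Fail closed: unknown values are rejected, a missing value means off."""
    raw = cfg.get("server", "debug", fallback="false")
    return parse_bool(raw)


def unpatched_exposes_debugger(cfg: configparser.ConfigParser) -> bool:
    """Predict whether an unpatched instance would serve the Werkzeug
    debugger to the network: flawed parsing says debug is on AND the
    service binds to something other than loopback."""
    host = cfg.get("server", "host", fallback="127.0.0.1")
    loopback = {"127.0.0.1", "localhost", "::1"}
    return debug_flag_vulnerable(cfg) and host not in loopback


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("flawed parsing  ->", debug_flag_vulnerable(cfg))
    print("strict parsing  ->", debug_flag_hardened(cfg))
    print("exposed unpatched ->", unpatched_exposes_debugger(cfg))
```

The point of the strict parser is that it fails on anything it does not recognise instead of guessing; a deployment whose config says `debug = off` should never start with the debugger enabled, and a typo like `debug = flase` should stop startup rather than silently enable it.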

Recommended Actions

  1. Check whether any of your systems run Unfurl 2025.08 or earlier.
  2. Apply the vendor fix as soon as one is available; until then, verify that the running instance does not have the Werkzeug debugger enabled and that the service is not reachable from untrusted networks.
  3. Monitor vendor advisories for updates and additional mitigations.
  4. Review logs for indicators of compromise related to CVE-2026-40035, such as requests carrying the Werkzeug `__debugger__` query parameter or traceback pages served to clients.
