Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:pypi/flask-appbuilder@1.3.1
purl pkg:pypi/flask-appbuilder@1.3.1
Next non-vulnerable version 4.5.3
Latest non-vulnerable version 4.5.3
Risk
Vulnerabilities affecting this package (7)
Vulnerability Summary Fixed by
VCID-7kd2-6yuh-9fe4
Aliases:
CVE-2022-21659
GHSA-wfjw-w6pv-8p7f
PYSEC-2022-24
Flask-AppBuilder is an application development framework, built on top of the Flask web framework. In affected versions there exists a user enumeration vulnerability. This vulnerability allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Users are advised to upgrade to version 3.4.4 as soon as possible. There are no known workarounds for this issue.
3.4.2
Affected by 3 other vulnerabilities.
3.4.4
Affected by 3 other vulnerabilities.
VCID-agw1-8rq2-nue5
Aliases:
CVE-2022-31177
GHSA-32ff-4g79-vgfc
PYSEC-2022-247
Flask-AppBuilder is an application development framework built on top of Flask python framework. In versions prior to 4.1.3 an authenticated Admin user could query other users by their salted and hashed passwords strings. These filters could be made by using partial hashed password strings. The response would not include the hashed passwords, but an attacker could infer partial password hashes and their respective users. This issue has been fixed in version 4.1.3. Users are advised to upgrade. There are no known workarounds for this issue.
4.1.3
Affected by 2 other vulnerabilities.
VCID-hcrt-cr97-t3g5
Aliases:
CVE-2021-32805
GHSA-624f-cqvr-3qw4
PYSEC-2021-359
Flask-AppBuilder is an application development framework, built on top of Flask. In affected versions if using Flask-AppBuilder OAuth, an attacker can share a carefully crafted URL with a trusted domain for an application built with Flask-AppBuilder, this URL can redirect a user to a malicious site. This is an open redirect vulnerability. To resolve this issue upgrade to Flask-AppBuilder 3.2.2 or above. If upgrading is infeasible users may filter HTTP traffic containing `?next={next-site}` where the `next-site` domain is different from the application you are protecting as a workaround.
3.3.2
Affected by 5 other vulnerabilities.
VCID-hg35-2qm4-b7h9
Aliases:
CVE-2025-24023
GHSA-p8q5-cvwx-wvwp
PYSEC-2025-15
Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.
4.5.3
Affected by 0 other vulnerabilities.
VCID-k3kr-tvxd-73hx
Aliases:
CVE-2023-34110
GHSA-jhpr-j7cq-3jp3
PYSEC-2023-94
Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.
4.3.2
Affected by 1 other vulnerability.
VCID-q16k-8utn-vfgp
Aliases:
CVE-2021-41265
GHSA-m3rf-7m4w-r66q
PYSEC-2021-851
Flask-AppBuilder is a development framework built on top of Flask. Verions prior to 3.3.4 contain an improper authentication vulnerability in the REST API. The issue allows for a malicious actor with a carefully crafted request to successfully authenticate and gain access to existing protected REST API endpoints. This only affects non database authentication types and new REST API endpoints. Users should upgrade to Flask-AppBuilder 3.3.4 to receive a patch.
3.3.4
Affected by 4 other vulnerabilities.
VCID-v1vh-ycet-23ec
Aliases:
CVE-2021-29621
GHSA-434h-p4gx-jm89
PYSEC-2021-90
Flask-AppBuilder is a development framework, built on top of Flask. User enumeration in database authentication in Flask-AppBuilder <= 3.2.3. Allows for a non authenticated user to enumerate existing accounts by timing the response time from the server when you are logging in. Upgrade to version 3.3.0 or higher to resolve.
3.3.0
Affected by 6 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-02T04:22:48.881676+00:00 Pypa Importer Affected by VCID-hg35-2qm4-b7h9 https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2025-15.yaml 38.6.0
2026-06-02T04:18:57.371143+00:00 Pypa Importer Affected by VCID-k3kr-tvxd-73hx https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2023-94.yaml 38.6.0
2026-06-02T04:17:32.066430+00:00 Pypa Importer Affected by VCID-agw1-8rq2-nue5 https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2022-247.yaml 38.6.0
2026-06-02T04:16:22.469162+00:00 Pypa Importer Affected by VCID-7kd2-6yuh-9fe4 https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2022-24.yaml 38.6.0
2026-06-02T04:16:11.066754+00:00 Pypa Importer Affected by VCID-q16k-8utn-vfgp https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2021-851.yaml 38.6.0
2026-06-02T04:14:40.764388+00:00 Pypa Importer Affected by VCID-hcrt-cr97-t3g5 https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2021-359.yaml 38.6.0
2026-06-02T04:14:04.648753+00:00 Pypa Importer Affected by VCID-v1vh-ycet-23ec https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2021-90.yaml 38.6.0