VulnerableCode Package Details - pkg:pypi/flask-appbuilder@4.1.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-66t3-yf3c-dbc2 Aliases: CVE-2024-27083 GHSA-fqxj-46wg-9v84	Flask-AppBuilder's OAuth login page subject to Cross Site Scripting (XSS) A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user to follow a specially crafted URL to the OAuth login page. This URL could inject and execute malicious javascript code that would get executed on the user's browser. Impacted versions: Flask-AppBuilder version 4.1.4 up to and including 4.2.0	4.2.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-hg35-2qm4-b7h9 Aliases: CVE-2025-24023 GHSA-p8q5-cvwx-wvwp PYSEC-2025-15	Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.	4.5.3 Affected by 0 other vulnerabilities.
VCID-k3kr-tvxd-73hx Aliases: CVE-2023-34110 GHSA-jhpr-j7cq-3jp3 PYSEC-2023-94	Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.	4.3.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-66t3-yf3c-dbc2
Aliases:
CVE-2024-27083
GHSA-fqxj-46wg-9v84

Flask-AppBuilder's OAuth login page subject to Cross Site Scripting (XSS) A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user to follow a specially crafted URL to the OAuth login page. This URL could inject and execute malicious javascript code that would get executed on the user's browser. Impacted versions: Flask-AppBuilder version 4.1.4 up to and including 4.2.0

4.2.1
Affected by 2 other vulnerabilities.

VCID-hg35-2qm4-b7h9
Aliases:
CVE-2025-24023
GHSA-p8q5-cvwx-wvwp
PYSEC-2025-15

Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3.

4.5.3
Affected by 0 other vulnerabilities.

VCID-k3kr-tvxd-73hx
Aliases:
CVE-2023-34110
GHSA-jhpr-j7cq-3jp3
PYSEC-2023-94

Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on the UI. On certain database engines this error can include the entire user row including the pbkdf2:sha256 hashed password. This vulnerability has been fixed in version 4.3.2.

4.3.2
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:47:15.332714+00:00	GitLab Importer	Affected by	VCID-66t3-yf3c-dbc2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-AppBuilder/CVE-2024-27083.yml	38.6.0
2026-06-02T04:22:49.451628+00:00	Pypa Importer	Affected by	VCID-hg35-2qm4-b7h9	https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2025-15.yaml	38.6.0
2026-06-02T04:18:57.984384+00:00	Pypa Importer	Affected by	VCID-k3kr-tvxd-73hx	https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2023-94.yaml	38.6.0