VulnerableCode Package Details - pkg:pypi/flask-security-too@3.4.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-bmnk-p4gw-h3ga Aliases: GHSA-fxq4-r6mr-9x64 GMS-2021-166	Cross-Site Request Forgery in Flask-Security-Too.	3.4.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ktqv-ggxh-skf6 Aliases: CVE-2021-21241 GHSA-hh7m-rx4f-4vpv PYSEC-2021-91	cross-site request forgery	3.4.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-tk55-7fdu-9kfq Aliases: CVE-2023-49438 GHSA-672h-6x89-76m5 PYSEC-2023-248	An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.	5.3.3 Affected by 0 other vulnerabilities.
VCID-ua6e-h8x5-dbgd Aliases: CVE-2021-32618 GHSA-6qmf-fj6m-686c PYSEC-2021-123	The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com will pass FS's relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the `autocorrect_location_header=False`.	4.1.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-bmnk-p4gw-h3ga
Aliases:
GHSA-fxq4-r6mr-9x64
GMS-2021-166

Cross-Site Request Forgery in Flask-Security-Too.

3.4.5
Affected by 2 other vulnerabilities.

VCID-ktqv-ggxh-skf6
Aliases:
CVE-2021-21241
GHSA-hh7m-rx4f-4vpv
PYSEC-2021-91

cross-site request forgery

3.4.5
Affected by 2 other vulnerabilities.

VCID-tk55-7fdu-9kfq
Aliases:
CVE-2023-49438
GHSA-672h-6x89-76m5
PYSEC-2023-248

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

5.3.3
Affected by 0 other vulnerabilities.

VCID-ua6e-h8x5-dbgd
Aliases:
CVE-2021-32618
GHSA-6qmf-fj6m-686c
PYSEC-2021-123

The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an is an independently maintained version of Flask-Security based on the 3.0.0 version of Flask-Security. All versions of Flask-Security-Too allow redirects after many successful views (e.g. /login) by honoring the ?next query param. There is code in FS to validate that the url specified in the next parameter is either relative OR has the same netloc (network location) as the requesting URL. This check utilizes Pythons urlsplit library. However many browsers are very lenient on the kind of URL they accept and 'fill in the blanks' when presented with a possibly incomplete URL. As a concrete example - setting http://login?next=\\\github.com will pass FS's relative URL check however many browsers will gladly convert this to http://github.com. Thus an attacker could send such a link to an unwitting user, using a legitimate site and have it redirect to whatever site they want. This is considered a low severity due to the fact that if Werkzeug is used (which is very common with Flask applications) as the WSGI layer, it by default ALWAYS ensures that the Location header is absolute - thus making this attack vector mute. It is possible for application writers to modify this default behavior by setting the `autocorrect_location_header=False`.

4.1.0
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T04:28:32.826711+00:00	GitLab Importer	Affected by	VCID-tk55-7fdu-9kfq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-Security-Too/CVE-2023-49438.yml	38.6.0
2026-06-06T00:37:45.467285+00:00	GitLab Importer	Affected by	VCID-ua6e-h8x5-dbgd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-Security-Too/CVE-2021-32618.yml	38.6.0
2026-06-05T17:03:27.875480+00:00	PyPI Importer	Affected by	VCID-tk55-7fdu-9kfq	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-05T17:00:05.570172+00:00	PyPI Importer	Affected by	VCID-ua6e-h8x5-dbgd	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-05T16:56:48.464765+00:00	PyPI Importer	Affected by	VCID-ktqv-ggxh-skf6	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-04T20:48:48.793772+00:00	GitLab Importer	Affected by	VCID-bmnk-p4gw-h3ga	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-Security-Too/GMS-2021-166.yml	38.6.0
2026-06-04T20:43:08.153086+00:00	GitLab Importer	Affected by	VCID-ktqv-ggxh-skf6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/Flask-Security-Too/CVE-2021-21241.yml	38.6.0
2026-06-02T04:20:31.891369+00:00	Pypa Importer	Affected by	VCID-tk55-7fdu-9kfq	https://github.com/pypa/advisory-database/blob/main/vulns/flask-security-too/PYSEC-2023-248.yaml	38.6.0
2026-06-02T04:13:51.736662+00:00	Pypa Importer	Affected by	VCID-ua6e-h8x5-dbgd	https://github.com/pypa/advisory-database/blob/main/vulns/flask-security-too/PYSEC-2021-123.yaml	38.6.0
2026-06-02T04:08:17.880870+00:00	Pypa Importer	Affected by	VCID-ktqv-ggxh-skf6	https://github.com/pypa/advisory-database/blob/main/vulns/flask-security-too/PYSEC-2021-91.yaml	38.6.0