Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-bxfr-hpkh-cyby
Vulnerability ID VCID-bxfr-hpkh-cyby
Aliases CVE-2023-46136
GHSA-hrfv-mqp8-q5rw
PYSEC-2023-221
Summary Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-400 Uncontrolled Resource Consumption
CWE-787 Out-of-bounds Write
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-407 Inefficient Algorithmic Complexity
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46136.json
epss 0.00555 https://api.first.org/data/v1/epss?cve=CVE-2023-46136
epss 0.00573 https://api.first.org/data/v1/epss?cve=CVE-2023-46136
epss 0.00573 https://api.first.org/data/v1/epss?cve=CVE-2023-46136
epss 0.00573 https://api.first.org/data/v1/epss?cve=CVE-2023-46136
epss 0.00573 https://api.first.org/data/v1/epss?cve=CVE-2023-46136
epss 0.00622 https://api.first.org/data/v1/epss?cve=CVE-2023-46136
epss 0.00622 https://api.first.org/data/v1/epss?cve=CVE-2023-46136
epss 0.00622 https://api.first.org/data/v1/epss?cve=CVE-2023-46136
epss 0.00622 https://api.first.org/data/v1/epss?cve=CVE-2023-46136
epss 0.00622 https://api.first.org/data/v1/epss?cve=CVE-2023-46136
epss 0.00622 https://api.first.org/data/v1/epss?cve=CVE-2023-46136
epss 0.00622 https://api.first.org/data/v1/epss?cve=CVE-2023-46136
epss 0.00622 https://api.first.org/data/v1/epss?cve=CVE-2023-46136
epss 0.00622 https://api.first.org/data/v1/epss?cve=CVE-2023-46136
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-hrfv-mqp8-q5rw
cvssv3.1 5.7 https://github.com/pallets/werkzeug
generic_textual MODERATE https://github.com/pallets/werkzeug
cvssv3.1 5.7 https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1
generic_textual MODERATE https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1
cvssv3.1 5.7 https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9
generic_textual MODERATE https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9
cvssv3.1 5.7 https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2
cvssv3.1 7.5 https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2
generic_textual MODERATE https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2
cvssv3.1 5.7 https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
cvssv3.1 7.5 https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
cvssv3.1_qr MODERATE https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
generic_textual MODERATE https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
cvssv3.1 5.7 https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-221.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-221.yaml
cvssv3.1 5.7 https://nvd.nist.gov/vuln/detail/CVE-2023-46136
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-46136
cvssv3.1 5.7 https://security.netapp.com/advisory/ntap-20231124-0008
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20231124-0008
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46136.json
https://api.first.org/data/v1/epss?cve=CVE-2023-46136
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/pallets/werkzeug
https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1
https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9
https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2
https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-221.yaml
https://security.netapp.com/advisory/ntap-20231124-0008
1054553 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054553
2246310 https://bugzilla.redhat.com/show_bug.cgi?id=2246310
CVE-2023-46136 https://nvd.nist.gov/vuln/detail/CVE-2023-46136
GHSA-hrfv-mqp8-q5rw https://github.com/advisories/GHSA-hrfv-mqp8-q5rw
RHSA-2023:7473 https://access.redhat.com/errata/RHSA-2023:7473
RHSA-2023:7477 https://access.redhat.com/errata/RHSA-2023:7477
RHSA-2023:7610 https://access.redhat.com/errata/RHSA-2023:7610
RHSA-2024:0189 https://access.redhat.com/errata/RHSA-2024:0189
RHSA-2024:0214 https://access.redhat.com/errata/RHSA-2024:0214
RHSA-2025:9775 https://access.redhat.com/errata/RHSA-2025:9775
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46136.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pallets/werkzeug
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-221.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-46136
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20231124-0008
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.68063
EPSS Score 0.00555
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:48:55.227599+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/werkzeug/PYSEC-2023-221.yaml 38.0.0