VulnerableCode Package Details - pkg:pypi/webargs@5.1.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-hus6-n43q-3yee Aliases: PYSEC-2019-69	An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests.	5.1.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-sjj8-nvvx-k3fk Aliases: CVE-2020-7965 GHSA-fjq3-5pxw-4wj4 PYSEC-2020-156	flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.	5.5.3 Affected by 0 other vulnerabilities. 6.0.0b4 Affected by 0 other vulnerabilities.
VCID-uauj-n1q6-1udj Aliases: CVE-2019-9710 GHSA-8554-jxcw-454q PYSEC-2019-139	Webargs mishandles concurrent JSON parsing	5.1.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-hus6-n43q-3yee
Aliases:
PYSEC-2019-69

An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests.

5.1.3
Affected by 1 other vulnerability.

VCID-sjj8-nvvx-k3fk
Aliases:
CVE-2020-7965
GHSA-fjq3-5pxw-4wj4
PYSEC-2020-156

flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.

5.5.3
Affected by 0 other vulnerabilities.

6.0.0b4
Affected by 0 other vulnerabilities.

VCID-uauj-n1q6-1udj
Aliases:
CVE-2019-9710
GHSA-8554-jxcw-454q
PYSEC-2019-139

Webargs mishandles concurrent JSON parsing

5.1.3
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T08:25:25.918715+00:00	GHSA Importer	Affected by	VCID-sjj8-nvvx-k3fk	https://github.com/advisories/GHSA-fjq3-5pxw-4wj4	38.6.0
2026-06-12T17:36:55.630793+00:00	GitLab Importer	Affected by	VCID-sjj8-nvvx-k3fk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/webargs/CVE-2020-7965.yml	38.6.0
2026-06-12T17:09:02.241278+00:00	GitLab Importer	Affected by	VCID-uauj-n1q6-1udj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/webargs/CVE-2019-9710.yml	38.6.0
2026-06-12T04:03:11.544265+00:00	Pypa Importer	Affected by	VCID-sjj8-nvvx-k3fk	https://github.com/pypa/advisory-database/blob/main/vulns/webargs/PYSEC-2020-156.yaml	38.6.0
2026-06-12T04:02:40.052347+00:00	Pypa Importer	Affected by	VCID-uauj-n1q6-1udj	https://github.com/pypa/advisory-database/blob/main/vulns/webargs/PYSEC-2019-139.yaml	38.6.0
2026-06-11T20:45:05.863312+00:00	PyPI Importer	Affected by	VCID-sjj8-nvvx-k3fk	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-11T20:44:17.286270+00:00	PyPI Importer	Affected by	VCID-hus6-n43q-3yee	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-11T20:44:16.991916+00:00	PyPI Importer	Affected by	VCID-uauj-n1q6-1udj	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0