PYSEC-2026-1381

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2026-1381.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1381
Aliases
Published
2026-07-07T11:45:33.452545Z
Modified
2026-07-07T17:47:37.826047043Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Flask-AppBuilder's OAuth login page subject to Cross Site Scripting (XSS)
Details

Impact

A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user to follow a specially crafted URL to the OAuth login page. This URL could inject and execute malicious javascript code that would get executed on the user's browser.

Impacted versions: Flask-AppBuilder version 4.1.4 up to and including 4.2.0

Patches

This issue was introduced on 4.1.4 and patched on 4.2.1, user's should upgrade to 4.2.1 or newer versions.

References

Affected packages

PyPI / flask-appbuilder

Package

Name
flask-appbuilder
View open source insights on deps.dev
Purl
pkg:pypi/flask-appbuilder

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1.4
Fixed
4.2.1

Affected versions

4.*
4.1.4
4.1.5rc1
4.1.5
4.1.6rc1
4.1.6
4.1.7rc1
4.2.0rc1
4.2.0
4.2.1rc1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2026-1381.yaml"