Improper Input Validation in Unfurl by Obsidian Forensics
CVE-2026-40035

9.3 CRITICAL

Key Information:

CVE Published: 8 April 2026

What is CVE-2026-40035?

The Unfurl tool by Obsidian Forensics has a flaw in its configuration parsing that improperly validates input. The debug configuration value is read as a string and passed directly into app.run(), so the Flask debug mode may unintentionally be enabled by default. Because any non-empty string is interpreted as truthy, the Werkzeug debugger can be exposed to attackers. Such access could lead to the disclosure of sensitive information or even remote code execution, posing a significant threat to any deployment of an affected version.
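The following is an added illustration of the defect class described above, not Unfurl's own code: a configuration value read as a raw string and coerced with bool() next to a parser that treats the value as a real boolean. The INI section and key names are assumptions made for the example.

```python
import configparser

# Constructed sample configuration. The section and key names are assumptions
# for illustration, not taken from Unfurl's actual configuration file.
SAMPLE_INI = """
[app]
host = 127.0.0.1
port = 5000
debug = false
"""


def load_config(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def debug_enabled_vulnerable(cfg: configparser.ConfigParser) -> bool:
    # The pattern the advisory describes: the raw string is handed straight to
    # app.run(debug=...). Flask coerces that argument with bool(), so any
    # non-empty string, including "false" or "0", switches the debugger on.
    # Only an empty value would keep it off.
    raw = cfg.get("app", "debug")  # -> "false" (a str, not a bool)
    return bool(raw)               # mimics Flask's coercion


def debug_enabled_fixed(cfg: configparser.ConfigParser) -> bool:
    # Hardened form: parse the value as a boolean. getboolean() accepts only
    # yes/no, on/off, true/false and 1/0 (case-insensitive) and raises
    # ValueError for anything else, so a typo cannot silently enable debug.
    # fallback=False keeps the safe default when the key is absent.
    return cfg.getboolean("app", "debug", fallback=False)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_INI)
    print("vulnerable:", debug_enabled_vulnerable(cfg))  # True  (debugger on)
    print("fixed:     ", debug_enabled_fixed(cfg))       # False (as intended)
```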

Affected Version(s)

unfurl, all versions from 0 up to and including 2025.08

CVSS v4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published

Credit

Mobasi Security Team