← Back

Webargs

webargs

Vendor: Webargs Project • 2 CVEs

CVEs (2)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2020-7965
1Webargs Project
1Webargs
Jun 17, 2026
Jan 29, 2020
N/A· v4
8.8 HIGH· v3
6.8 MEDIUM· v2
flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is appli...Show more
flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the content type is application/x-www-form-urlencoded. This allows for JSON POST requests to be made across domains, leading to CSRF.Show less
CVE-2019-9710
1Webargs Project
1Webargs
Jun 17, 2026
Mar 12, 2019
N/A· v4
8.1 HIGH· v3
6.8 MEDIUM· v2
An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSO...Show more
An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests.Show less