CVE-2026-33077: Unvalidated Flask Request Path Traversal

Untrusted input from Flask request parameters or JSON/Form payloads is used in file operations or internal APIs without validating against path traversal sequences (e.g., '..'). This can lead to arbitrary file reads or writes.

Provally CuratedPublic repositoryHighMedium confidenceVerifiedApache-2.0python

greprules fetch cve-2026-33077-unvalidated-flask-request-path-traversal --engine opengrep

Description

Untrusted input from Flask request parameters or JSON/Form payloads is used in file operations or internal APIs without validating against path traversal sequences (e.g., '..'). This can lead to arbitrary file reads or writes.

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided

License: Apache-2.0
Source context: Public repository
Source: Provally CVE rule catalog
Validation status: Verified
Trust signals: 109 downloads
0 direct109 via packs
· 0 stars · Trust score 53How trust works
Included packs: 2 packs

Community feedback

Sign in to report false positives, mark this rule useful, or suggest metadata improvements.

Mark useful Report false positive Suggest metadata