DEBIAN-CVE-2021-33026

DEBIAN-CVE-2021-33026 PUBLISHED CVSS 9.800000190734863 CRITICAL

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the cache, and execute Python code. NOTE: a third party indicates that exploitation is extremely unlikely unless the machine is already compromised; in other cases, the attacker would be unable to write their payload to the cache and generate the required collision

Risk Scores

CVSS v3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:11	flask-caching	2.0.0-1, 1.11.1-1, 1.9.0-1
Debian:14	flask-caching	2.3.1-1, 2.4.0-1, 0
Debian:12	flask-caching	2.3.1-1, 2.1.0-1, 2.2.0-1
Debian:13	flask-caching	0, 2.4.0-1, 0

Timeline

May 13, 2021 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2021-33026 advisory

Open in Interactive Console →