https://spaceraccoon.github.io/vulnerability-spoiler-alert Vulnerability alerts for pallets/flask en-us Fri, 17 Apr 2026 01:52:35 GMT https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/39 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/39 Thu, 19 Feb 2026 17:05:30 GMT The session was not properly marked as accessed when only reading session metadata (keys, length checks), allowing responses to be cached without the Vary: Cookie header. This could lead to cache poisoning where one user's cached response is served to another user, potentially exposing session-dependent data. medium unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/38 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/38 Thu, 19 Feb 2026 17:05:19 GMT The session was not being marked as accessed when only checking keys/metadata, allowing caching proxies to cache pages for different users. This could lead to session data being served to wrong users through shared caches. The patch fixes this by tracking session access at the request context level. medium unverified https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/37 https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/37 Thu, 19 Feb 2026 17:05:03 GMT The session was not being marked as accessed when only reading operations like checking keys or length occurred, causing the 'Vary: Cookie' header to not be set. This could allow caching proxies to serve the same cached response to different users, potentially leaking session-dependent data between users. medium unverified