Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability.
https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability.
https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6

Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q

Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks.
https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1

Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability.
https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6

Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q

Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks.
https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1

Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability.
https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6

Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q

Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks.
https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1

Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link.
https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff
https://github.com/python-validators/validators/pull/243

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability.
https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6

Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q

Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks.
https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1

Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link.
https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff
https://github.com/python-validators/validators/pull/243

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability.
https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6

Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q

Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks.
https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1

Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link.
https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff
https://github.com/python-validators/validators/pull/243

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability.
https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6

Sqlparse 0.5.0 addresses a potential denial of service (DoS) vulnerability related to recursion errors in deeply nested SQL statements. To mitigate this issue, the update replaces recursion errors with a general SQLParseError, improving the resilience and stability of the parsing process.

Sqlparse 0.4.4 includes a fix for CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service).
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2

Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q

Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks.
https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1

Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link.
https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff
https://github.com/python-validators/validators/pull/243

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability.
https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6

Sqlparse 0.5.0 addresses a potential denial of service (DoS) vulnerability related to recursion errors in deeply nested SQL statements. To mitigate this issue, the update replaces recursion errors with a general SQLParseError, improving the resilience and stability of the parsing process.

Sqlparse 0.4.4 includes a fix for CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service).
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2

Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q

Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks.
https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1

Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link.
https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff
https://github.com/python-validators/validators/pull/243

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability.
https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6

Sqlparse 0.5.0 addresses a potential denial of service (DoS) vulnerability related to recursion errors in deeply nested SQL statements. To mitigate this issue, the update replaces recursion errors with a general SQLParseError, improving the resilience and stability of the parsing process.

Sqlparse 0.4.4 includes a fix for CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service).
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2

Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q

Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks.
https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1

Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords to the open for careless uses of str(engine.URL()) in logs and prints.
https://github.com/sqlalchemy/sqlalchemy/pull/8563

Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link.
https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff
https://github.com/python-validators/validators/pull/243

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability.
https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6

Sqlparse 0.5.0 addresses a potential denial of service (DoS) vulnerability related to recursion errors in deeply nested SQL statements. To mitigate this issue, the update replaces recursion errors with a general SQLParseError, improving the resilience and stability of the parsing process.

Sqlparse 0.4.4 includes a fix for CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service).
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2

Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q

Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks.
https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1

Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords to the open for careless uses of str(engine.URL()) in logs and prints.
https://github.com/sqlalchemy/sqlalchemy/pull/8563

Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link.
https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff
https://github.com/python-validators/validators/pull/243

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45

Py throughout 1.11.0 allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.
https://github.com/pytest-dev/py/issues/287

Wtforms 3.0.0a1 escape unsafe characters in label text, patching a potential XSS vulnerability.
https://github.com/wtforms/wtforms/commit/8529b953a0919300794f95e01a7713162908c8a6

Sqlparse 0.5.0 addresses a potential denial of service (DoS) vulnerability related to recursion errors in deeply nested SQL statements. To mitigate this issue, the update replaces recursion errors with a general SQLParseError, improving the resilience and stability of the parsing process.

Sqlparse 0.4.4 includes a fix for CVE-2023-30608: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of Service).
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2

Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q

Werkzeug 3.0.1 and 2.3.8 include a security fix: Slow multipart parsing for large parts potentially enabling DoS attacks.
https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1

Werkzeug 2.2.3 includes a fix for CVE-2023-25577: Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses 'request.data', 'request.form', 'request.files', or 'request.get_data(parse_form_data=False)', it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
https://github.com/pallets/werkzeug/security/advisories/GHSA-xg9f-g7g7-2323

Sqlalchemy 2.0.0b1 avoids leaking cleartext passwords to the open for careless uses of str(engine.URL()) in logs and prints.
https://github.com/sqlalchemy/sqlalchemy/pull/8563

Validators 0.21.0 includes a fix for CVE-2023-45813: Inefficient Regular Expression Complexity in validate_link.
https://github.com/DedSecInside/TorBot/security/advisories/GHSA-72qw-p7hh-m3ff
https://github.com/python-validators/validators/pull/243

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

All versions of flask-security are affected by CVE-2021-23385, an open redirect vulnerability: When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing multiple back slashes such as \\\evil.com/path. This vulnerability is only exploitable if an alternative WSGI server other than Werkzeug is used, or the default behavior of Werkzeug is modified using 'autocorrect_location_header=False'. 
Note: Flask-Security is not maintained anymore.

Flask-security 3.1.0 fixes timing attack on login form.
https://github.com/mattupstate/flask-security/pull/676

Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES with CBC mode. The IV that it uses is not random though.
https://github.com/kvesteri/sqlalchemy-utils/issues/166
https://github.com/kvesteri/sqlalchemy-utils/pull/499

Flask-session-captcha 1.2.1 includes a fix for CVE-2022-24880: In versions prior to 1.2.1, the 'captcha.validate()' function would return 'None' if passed no value (e.g. by submitting an having an empty form). If implementing users were checking the return value to be **False**, the captcha verification check could be bypassed. Users can workaround the issue by not explicitly checking that the value is False. Checking the return value less explicitly should still work.
https://github.com/Tethik/flask-session-captcha/security/advisories/GHSA-7r87-cj48-wj45