VYPR
Medium severity · 6.1 · NVD Advisory · Published Oct 23, 2017 · Updated May 13, 2026

CVE-2016-10516

Description

Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.
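The following Python sketch is an added illustration, not code from Werkzeug or from this advisory. It reduces the debugger's `render_full` to a one-line HTML template and contrasts the pre-0.11.11 behaviour (traceback plaintext interpolated into HTML unchanged) with the patched behaviour (plaintext escaped first). The template string, the sample traceback and the helper names are constructed for this example; the standard library's `html.escape` stands in for Werkzeug's own `escape` helper so the block runs with no dependencies.

```python
import html

# Constructed stand-in for the debugger template: the traceback text lands
# inside a <pre> element, as in the real page (greatly simplified here).
PLAINTEXT_TEMPLATE = '<div class="plain"><pre>{plaintext}</pre></div>'

# Constructed sample traceback. The exception message carries markup, which
# is realistic: exceptions often quote the input that made them fail.
SAMPLE_PLAINTEXT = (
    "Traceback (most recent call last):\n"
    '  File "app.py", line 12, in index\n'
    "ValueError: could not parse <b>not-a-number</b>"
)


def render_before_fix(plaintext: str) -> str:
    """Mirror of the pre-0.11.11 behaviour: raw plaintext goes into the HTML.

    Any tag inside the exception message becomes live markup in the page.
    """
    return PLAINTEXT_TEMPLATE.format(plaintext=plaintext)


def render_after_fix(plaintext: str) -> str:
    """Mirror of the 0.11.11 fix: escape the plaintext before interpolation.

    html.escape() is used here in place of Werkzeug's escape helper (assumption).
    """
    return PLAINTEXT_TEMPLATE.format(plaintext=html.escape(plaintext, quote=True))


def markup_survives(rendered: str, tag: str = "<b>") -> bool:
    """Check used below: does a tag that came from *content* still appear as
    a literal tag in the rendered HTML? True means the browser will parse it."""
    return tag in rendered


if __name__ == "__main__":
    before = render_before_fix(SAMPLE_PLAINTEXT)
    after = render_after_fix(SAMPLE_PLAINTEXT)
    print("before fix, markup survives:", markup_survives(before))
    print("after fix,  markup survives:", markup_survives(after))
    print(after)
```

Only the template's own `<div>` and `<pre>` should appear as tags in the output; everything that arrived via the exception message must come out as `&lt;`/`&gt;` entities. The same check applies to any other exception-derived field passed to the template, which is why a review of this class of fix looks at every variable in the render dictionary rather than the one that was reported.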

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions   Patched versions
Werkzeug (PyPI)   < 0.11.11           0.11.11

Patches

1034edc7f901

fix XSS in debugger

Repository: https://github.com/pallets/werkzeug · Author: Your Name · Aug 31, 2016 · via ghsa
2 files changed · +2 −1
  • CHANGES (+1 −0, modified)
    @@ -13,6 +13,7 @@ Bugfix release, unreleased.
       see issue ``#995``.
     - Fix a bug in multidicts when passing empty lists as values, see issue
       ``#979``.
    +- Fix a security issue that allows XSS on the Werkzeug debugger. See ``#1001``.
     
     Version 0.11.10
     ---------------
    
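Review bot: the changelog entry names only the issue number, not what was affected; for a security fix it helps downstream packagers and auditors to state the component and field, e.g. "Fix a security issue that allows XSS on the Werkzeug debugger: the traceback plaintext in ``render_full`` was not escaped. See ``#1001``." so that the CHANGES file alone is enough to assess exposure.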
  • werkzeug/debug/tbtools.py (+1 −1, modified)
    @@ -358,7 +358,7 @@ def render_full(self, evalex=False, secret=None,
                 'exception':        exc,
                 'exception_type':   escape(self.exception_type),
                 'summary':          self.render_summary(include_title=False),
    -            'plaintext':        self.plaintext,
    +            'plaintext':        escape(self.plaintext),
                 'plaintext_cs':     re.sub('-{2,}', '-', self.plaintext),
                 'traceback_id':     self.id,
                 'secret':           secret
    
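Review bot: the fix escapes `'plaintext'` but the very next entry, `'plaintext_cs': re.sub('-{2,}', '-', self.plaintext)`, still hands the raw traceback text to the template. Whether that is safe depends on how the template consumes `plaintext_cs` (for instance, only inside a context that escapes on output), which is not visible in this hunk; the review should confirm that, and if the template interpolates it as HTML the same `escape(...)` wrapping belongs there too. More generally, escaping at the point where the dictionary is built is fragile, since any new key added later repeats the original mistake; escaping in the template (or auto-escaping) would close the class of bug rather than the single instance.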
