## Flask-WebGoat Security Audit Exposes 7 Critical Vulnerabilities in Educational App
A recent automated security audit of the Flask-WebGoat project has flagged seven critical vulnerabilities in the intentionally vulnerable educational application. The audit summary lists 16 findings in total, including four high-severity and three medium-severity issues, painting a picture of an application riddled with exploitable weaknesses despite its pedagogical purpose.

The most immediate and critical risk stems from the project's outdated and vulnerable dependency stack. The `requirements.txt` file pins multiple core libraries to dangerously old versions, including Flask 0.12.5 and Werkzeug 0.16.1. These versions are associated with known, high-severity Common Vulnerabilities and Exposures (CVEs), such as CVE-2023-30861, which involves cookie session confusion, and CVE-2019-1010083, a denial-of-service vulnerability. The presence of such foundational flaws indicates the application's core security posture is fundamentally compromised.
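To make the dependency finding above concrete, here is an added example (not code from the audit or from Flask-WebGoat) that scans a `requirements.txt` for exact pins falling inside the version ranges affected by the two CVEs the report names. The affected ranges are this script's own assumption, transcribed from the upstream Flask advisories, and the sample requirements are constructed to mirror the pins mentioned above; the pin regex handles simple specifiers only, not full PEP 508 syntax.

```python
import re
# Vulnerable ranges per package as (first_vulnerable, first_fixed, cve). ASSUMPTION:
# transcribed from the upstream Flask advisories; confirm there. Affected when lo <= v < hi.
VULNERABLE_RANGES = {
    "flask": [
        ("0", "1.0", "CVE-2019-1010083"),      # denial of service, fixed in Flask 1.0
        ("0", "2.2.5", "CVE-2023-30861"),      # session cookie issue, fixed in Flask 2.2.5
        ("2.3.0", "2.3.2", "CVE-2023-30861"),  # the same fix landed as 2.3.2 on the 2.3 line
    ],
}
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|>|<)\s*([0-9][0-9A-Za-z.]*)")

def parse_version(text):
    """'2.2.5' -> (2, 2, 5); a non-numeric tail stops parsing, so '1.0rc1' -> (1, 0)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def version_lt(a, b):
    """Strict less-than after zero-padding, so (1, 0) is not below (1, 0, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def affected_cves(package, version):
    """CVEs whose vulnerable range contains this exact version (case-insensitive name)."""
    v = parse_version(version)
    hits = {cve for lo, hi, cve in VULNERABLE_RANGES.get(package.lower(), [])
            if not version_lt(v, parse_version(lo)) and version_lt(v, parse_version(hi))}
    return sorted(hits)

def audit_requirements(text):
    """Map each requirement to its CVE list; non-exact specifiers are flagged 'unpinned'."""
    report = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        m = PIN_RE.match(line) if line else None
        if m:
            name, op, ver = m.groups()
            report[name.lower()] = affected_cves(name, ver) if op == "==" else ["unpinned"]
    return report

# Constructed sample mirroring the pins the audit names (not the project's real file).
SAMPLE_REQUIREMENTS = "Flask==0.12.5\nWerkzeug==0.16.1\nJinja2>=2.10\n"
if __name__ == "__main__":
    for pkg, cves in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg}: {', '.join(cves) or 'no rule in table (not proof of safety)'}")
```

An empty result only means the table has no rule for that package (Werkzeug 0.16.1 here), so pair this with a feed-backed scanner rather than treating silence as safety.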

While the project is designed for security training, the audit's findings serve as a stark, real-world case study in dependency management failure and the cascading risks of unpatched software. The report provides remediation guidance, but the severity and volume of the vulnerabilities highlight the significant pressure on developers and educators to maintain even intentionally vulnerable codebases to a basic security standard, lest they become unintended vectors for real attacks.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Security Audit, Vulnerability, Flask, Dependencies, CVE
- **Credibility**: unverified
- **Published**: 2026-03-30 12:27:11
- **ID**: 41217
- **URL**: https://whisperx.ai/en/intel/41217