{"id":"CVE-2016-10516","details":"Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.","aliases":["GHSA-h2fp-xgx6-xh6f","PYSEC-2017-43"],"modified":"2026-04-10T03:47:27.481674Z","published":"2017-10-23T16:29:00.313Z","references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2017/11/msg00037.html"},{"type":"ADVISORY","url":"https://github.com/pallets/werkzeug/pull/1001"},{"type":"REPORT","url":"http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pallets/werkzeug","events":[{"introduced":"0"},{"fixed":"938a331ddb0c7009f4286e962f8a9c1ebad62be2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.11.11"}]}}],"versions":["0.1","0.10","0.11","0.11.1","0.11.10","0.11.2","0.11.3","0.11.4","0.11.5","0.11.6","0.11.7","0.11.8","0.11.9","0.2","0.3","0.4","0.4.1","0.6","0.6.1","0.6.2","0.7","0.8","0.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-10516.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}