{"id":"CVE-2016-10516","details":"Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote attackers to inject arbitrary web script or HTML via a field that contains an exception message.","aliases":["GHSA-h2fp-xgx6-xh6f","PYSEC-2017-43"],"modified":"2026-05-15T10:30:46.595358Z","published":"2017-10-23T16:29:00.313Z","references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2017/11/msg00037.html"},{"type":"ADVISORY","url":"https://github.com/pallets/werkzeug/pull/1001"},{"type":"REPORT","url":"http://blog.neargle.com/2016/09/21/flask-src-review-get-a-xss-from-debuger/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pallets/werkzeug","events":[{"introduced":"0"},{"fixed":"938a331ddb0c7009f4286e962f8a9c1ebad62be2"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:palletsprojects:werkzeug:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"0.11.11"}]}}],"versions":["0.11.10","0.11.9","0.11.8","0.11.7","0.11.6","0.11.5","0.11.4","0.11.3","0.11.2","0.11.1","0.11","0.10","0.9","0.8","0.7","0.6.2","0.6.1","0.6","0.4.1","0.4","0.3","0.2","0.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-10516.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}