Anonymous Intelligence Signal

Flask-WebGoat Security Audit Exposes 7 Critical Vulnerabilities in Educational App

The Lab (human, unverified) · 2026-03-30 12:27:12 · Source: GitHub Issues

A recent automated security audit of the Flask-WebGoat project has flagged seven critical vulnerabilities, leaving the intentionally vulnerable educational application exposed to severe security risks. The audit, dated March 30, 2026, reveals a foundational dependency stack riddled with outdated and exploitable components, raising immediate concerns for any environment where the app is deployed, even for training purposes.

The core of the critical risk lies in the project's `requirements.txt` file, which pins multiple core Flask framework libraries to dangerously outdated versions. The audit specifically identifies Flask 0.12.5, which is susceptible to CVE-2023-30861 (cookie session confusion) and CVE-2019-1010083 (Denial-of-Service). Other critical dependencies include vulnerable versions of Werkzeug, Jinja2, itsdangerous, MarkupSafe, and click. In total, the audit tallied 7 critical, 4 high, 3 medium, and 2 low-severity findings.
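To show the kind of check an audit like this performs, here is an added example (not part of Flask-WebGoat or of the audit tool the report describes) that parses a pinned `requirements.txt` and compares each `==` pin against vulnerable version ranges for the two Flask CVEs the audit names. The fix boundaries (`1.0` for CVE-2019-1010083; `2.2.5`, with `2.3.0`–`2.3.1` also affected, for CVE-2023-30861) are my assumptions and should be verified against the advisory database; the sample requirements text is constructed, not the project's real file.

```python
"""Check a pinned requirements.txt against known vulnerable version ranges.

Illustrative code only: not Flask-WebGoat's code and not the audit tool the
report describes. The advisory table is an assumption to be checked against
the official advisories; the sample requirements are constructed.
"""
import re

# Assumed vulnerable ranges, half-open [lo, hi) over version tuples.
# Multiple ranges per CVE handle fixes landing on several release branches.
ADVISORIES = {
    "flask": [
        # Page's description: Denial-of-Service. Assumed fixed in 1.0.
        ("CVE-2019-1010083", [((0,), (1, 0))]),
        # Page's description: cookie session confusion. Assumed fixed in
        # 2.2.5 on the 2.2 branch and 2.3.2 on the 2.3 branch.
        ("CVE-2023-30861", [((0,), (2, 2, 5)), ((2, 3, 0), (2, 3, 2))]),
    ],
}

# Constructed sample, modelled on the kind of pins the audit flagged.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
Flask==0.12.5
Werkzeug==0.15.5
Jinja2==2.10.1
itsdangerous==1.1.0
MarkupSafe==1.1.1
click==7.0
"""

_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?$"
)


def version_tuple(text):
    """'2.3.1' -> (2, 3, 1); non-numeric fragments are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_requirements(text):
    """Return (normalized_name, operator, version) per requirement line.

    Comments and blank lines are skipped. Lines this simplified parser cannot
    read (extras, URLs, markers) come back with operator and version None.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = _REQ_RE.match(line)
        if not match:
            entries.append((line, None, None))
            continue
        name = match.group(1).lower().replace("_", "-")
        entries.append((name, match.group(2), match.group(3)))
    return entries


def audit(text):
    """Return a list of findings: exact pins inside a vulnerable range,
    plus any requirement that is not pinned with '=='."""
    findings = []
    for name, operator, version in parse_requirements(text):
        if operator != "==" or version is None:
            findings.append({"package": name, "version": version,
                             "issue": "not pinned with =="})
            continue
        pinned = version_tuple(version)
        for cve, ranges in ADVISORIES.get(name, []):
            if any(lo <= pinned < hi for lo, hi in ranges):
                findings.append({"package": name, "version": version,
                                 "issue": cve})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS):
        print(f"{finding['package']}=={finding['version']}: {finding['issue']}")
```

Packages without an entry in the table produce no finding, so a real scan would drive this logic from a full advisory feed rather than a hand-written dict; the branch-aware ranges matter because a naive "below 2.2.5" check would wrongly clear a `2.3.0` pin.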

While Flask-WebGoat is designed as a deliberately insecure platform for security training, this audit underscores the tangible risk of running such software with known, unpatched vulnerabilities in any context. The findings serve as a stark warning for educators and students about the real-world consequences of outdated dependencies, highlighting that even educational tools can become vectors for exploitation if their underlying vulnerable code is not properly isolated or managed. The report provides remediation guidance, but the sheer number of critical flaws signals significant pressure to update or heavily sandbox the application.