Feature bl 1 06012026#9
| # Critical vulnerabilities | ||
| flask==1.0.2 | ||
| django==2.2.0 | ||
| requests==2.19.1 |
❗Cycode: Security vulnerabilities found in newly introduced dependency.
| Ecosystem | PyPI |
| Dependency | requests |
| Dependency Paths | requests 2.19.1 |
| Direct Dependency | Yes |
The following vulnerabilities were introduced:
| GHSA | CVE | Severity | Fixed Version |
|---|---|---|---|
| GHSA-gc5v-m9x4-r6x2 | CVE-2026-25645 | MEDIUM | 2.33.0 |
| GHSA-9hjg-9r4m-mvj7 | CVE-2024-47081 | MEDIUM | 2.32.4 |
| GHSA-9wx4-h78v-vm56 | CVE-2024-35195 | MEDIUM | 2.32.0 |
| GHSA-j8r2-6x86-q33q | CVE-2023-32681 | MEDIUM | 2.31.0 |
| GHSA-x84v-xcm2-53pg | CVE-2018-18074 | HIGH | 2.20.0 |
Highest fixed version: 2.33.0
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| flask==1.0.2 | ||
| django==2.2.0 | ||
| requests==2.19.1 | ||
| urllib3==1.24.1 |
❗Cycode: Security vulnerabilities found in newly introduced dependency.
| Ecosystem | PyPI |
| Dependency | urllib3 |
| Dependency Paths | urllib3 1.24.1 |
| Direct Dependency | Yes |
The following vulnerabilities were introduced:
| GHSA | CVE | Severity | Fixed Version |
|---|---|---|---|
| GHSA-qccp-gfcp-xxvc | CVE-2026-44431 | HIGH | 2.7.0 |
| GHSA-38jv-5279-wg99 | CVE-2026-21441 | HIGH | 2.6.3 |
| GHSA-2xpw-w6gg-jr37 | CVE-2025-66471 | HIGH | 2.6.0 |
| GHSA-gm62-xv2j-4w53 | CVE-2025-66418 | HIGH | 2.6.0 |
| GHSA-pq67-6m6q-mj2v | CVE-2025-50181 | MEDIUM | 2.5.0 |
| GHSA-34jh-p97f-mpxf | CVE-2024-37891 | MEDIUM | 1.26.19 |
| GHSA-g4mx-q9vg-27p4 | CVE-2023-45803 | MEDIUM | 1.26.18 |
| GHSA-gwvm-45gx-3cf8 | CVE-2018-25091 | MEDIUM | 1.24.2 |
| GHSA-v845-jxx5-vc9f | CVE-2023-43804 | HIGH | 1.26.17 |
| GHSA-mh33-7rrq-662w | CVE-2019-11324 | HIGH | 1.24.2 |
| GHSA-wqvq-5m8c-6g24 | CVE-2020-26137 | MEDIUM | 1.25.9 |
| GHSA-r64q-w8jr-g9qp | CVE-2019-11236 | MEDIUM | 1.24.3 |
Highest fixed version: 2.7.0
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| django==2.2.0 | ||
| requests==2.19.1 | ||
| urllib3==1.24.1 | ||
| pyyaml==5.1 |
❗Cycode: Security vulnerabilities found in newly introduced dependency.
| Ecosystem | PyPI |
| Dependency | pyyaml |
| Dependency Paths | pyyaml 5.1 |
| Direct Dependency | Yes |
The following vulnerabilities were introduced:
| GHSA | CVE | Severity | Fixed Version |
|---|---|---|---|
| GHSA-6757-jp84-gxfx | CVE-2020-1747 | CRITICAL | 5.3.1 |
| GHSA-8q59-q68h-6hv4 | CVE-2020-14343 | CRITICAL | 5.4 |
| GHSA-3pqx-4fqf-j49f | CVE-2019-20477 | CRITICAL | 5.2 |
Highest fixed version: 5.4
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| # Critical vulnerabilities | ||
| flask==1.0.2 | ||
| django==2.2.0 |
❗Cycode: Security vulnerabilities found in newly introduced dependency.
| Ecosystem | PyPI |
| Dependency | django |
| Dependency Paths | django 2.2.0 |
| Direct Dependency | Yes |
The following vulnerabilities were introduced:
Highest fixed version: 4.2.26
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| # Python dependencies with known vulnerabilities (SCA triggers) | ||
| # Critical vulnerabilities | ||
| flask==1.0.2 |
❗Cycode: Security vulnerabilities found in newly introduced dependency.
| Ecosystem | PyPI |
| Dependency | flask |
| Dependency Paths | flask 1.0.2 |
| Direct Dependency | Yes |
The following vulnerabilities were introduced:
| GHSA | CVE | Severity | Fixed Version |
|---|---|---|---|
| GHSA-m2qf-hxjv-5gpq | CVE-2023-30861 | HIGH | 2.2.5 |
Highest fixed version: 2.2.5
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| requests==2.19.1 | ||
| urllib3==1.24.1 | ||
| pyyaml==5.1 | ||
| jinja2==2.10 |
❗Cycode: Security vulnerabilities found in newly introduced dependency.
| Ecosystem | PyPI |
| Dependency | jinja2 |
| Dependency Paths | jinja2 2.10 |
| Direct Dependency | Yes |
The following vulnerabilities were introduced:
| GHSA | CVE | Severity | Fixed Version |
|---|---|---|---|
| GHSA-cpwx-vrp4-4pq7 | CVE-2025-27516 | MEDIUM | 3.1.6 |
| GHSA-q2x7-8rv6-6q7h | CVE-2024-56326 | MEDIUM | 3.1.5 |
| GHSA-h75v-3vvj-5mfj | CVE-2024-34064 | MEDIUM | 3.1.4 |
| GHSA-h5c8-rqwp-cp95 | CVE-2024-22195 | MEDIUM | 3.1.3 |
| GHSA-g3rq-g295-4j3m | CVE-2020-28493 | MEDIUM | 2.11.3 |
| GHSA-462w-v97r-4m45 | CVE-2019-10906 | HIGH | 2.10.1 |
Highest fixed version: 3.1.6
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| # Slack notifications | ||
| SLACK_BOT_TOKEN = "xoxb-8294716350192-6738201459283-qN7vXpLm2KdRtYwBs5jH1gFe" | ||
| SLACK_WEBHOOK_URL = "https://hooks.slack.com/services/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" |
❗Cycode: Secret of type: 'Slack Webhook' was found.
Severity: Medium
SHA: e6f1594b2d
Description
A Slack webhook is a way to send a message to a Slack channel or conversation using the Slack API. Webhooks allow you to send data to a Slack channel or conversation using a simple HTTP request, without the need for a user to be present in the channel or to have a Slack bot or app installed.
Cycode Remediation Guideline
❗ How to revoke
- Navigate to the Slack App management page.
- Locate the app associated with the webhook.
- Delete the webhook URL or the entire app if no longer needed.
- Create a new webhook URL if necessary.
- Update any systems or scripts to use the new webhook URL.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_secret_false_positive <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_ignore_here <reason> | Applies to this request only |
| #cycode_secret_ignore_everywhere <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_revoked | Applies to this secret value for all repos in your organization |
| SLACK_WEBHOOK_URL = "https://hooks.slack.com/services/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" | ||
| # Stripe payments | ||
| STRIPE_SECRET_KEY = "sk_live_51NqR7kGv2Hx8LmTpYbWdJfKs4XcZeA9uOiPn3VrBtMwCyDgEhFj" |
❗Cycode: Secret of type: 'Stripe Api Key' was found.
Severity: High
SHA: c25d1c3b9b
Description
Stripe is a payment processing platform that allows businesses to accept payments online. To use the Stripe API, an API key is required.
Cycode Remediation Guideline
❗ How to revoke
- Log in to your Stripe Dashboard.
- Navigate to the "Developers" section and select "API keys".
- Locate the compromised API key and click "Revoke Key".
- Generate a new API key by clicking "Create secret key".
- Update your application to use the new API key.
- Verify that the new API key is functioning correctly in your application.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_secret_false_positive <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_ignore_here <reason> | Applies to this request only |
| #cycode_secret_ignore_everywhere <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_revoked | Applies to this secret value for all repos in your organization |
| STRIPE_PUBLISHABLE_KEY = "pk_test_placeholder" | ||
| # JWT signing | ||
| JWT_SECRET_KEY = "xK9#mP2$vL5nQ8wR1tY4bJ7gF0hD3cA6e" |
❗Cycode: Secret of type: 'Generic Password' was found.
Severity: Medium
Confidence Score: 99%
SHA: b6a6f98819
Description
A generic secret or password is an authentication token used to access a computer or application and is assigned to a password variable.
Cycode Remediation Guideline
❗ How to revoke
- Change the password or secret in the system or application where it is used.
- Update any services, applications, or scripts that use the old password or secret with the new one.
- Invalidate any sessions or tokens that were authenticated using the old password or secret.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_secret_false_positive <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_ignore_here <reason> | Applies to this request only |
| #cycode_secret_ignore_everywhere <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_revoked | Applies to this secret value for all repos in your organization |
| GITHUB_WEBHOOK_SECRET = "whsec_k7Gm2pLqX9vNdR4tYbA1cEfHjW8uZoSi" | ||
| # AWS credentials | ||
| AWS_ACCESS_KEY_ID = "AKIAUVIGFTH6XXIAP3NB" |
❗Cycode: Secret of type: 'Aws Access Key Id' was found.
Severity: Low
SHA: b1549479ee
Description
An AWS (Amazon Web Services) access key ID is a unique identifier that is used to authenticate and authorize access to the AWS Management Console and the various AWS services and resources. An AWS access key ID consists of two parts: an access key ID and a secret access key.
Cycode Remediation Guideline
❗ How to revoke
- Sign in to the AWS Management Console.
- Navigate to the IAM (Identity and Access Management) dashboard.
- Select "Users" from the navigation pane.
- Choose the user whose access key needs to be revoked.
- Click on the "Security credentials" tab.
- Locate the access key ID that needs to be revoked.
- Click on the "Make inactive" button next to the access key ID.
- Confirm the action to deactivate the access key.
- Click on the "Delete" button next to the inactive access key ID.
- Confirm the deletion of the access key.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_secret_false_positive <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_ignore_here <reason> | Applies to this request only |
| #cycode_secret_ignore_everywhere <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_revoked | Applies to this secret value for all repos in your organization |
| AWS_REGION = "us-east-2" | ||
| # Slack notifications | ||
| SLACK_BOT_TOKEN = "xoxb-8294716350192-6738201459283-qN7vXpLm2KdRtYwBs5jH1gFe" |
❗Cycode: Secret of type: 'Slack Token' was found.
Severity: Medium
SHA: 2c80c51413
Description
In the scope of the Slack API, a token is an identifier that is used to authenticate a Slack app when making API requests.
Cycode Remediation Guideline
❗ How to revoke
- Navigate to the Slack API dashboard at https://api.slack.com/.
- Log in with your Slack account credentials.
- Go to the "Your Apps" section and select the app associated with the token.
- Click on the "OAuth & Permissions" tab.
- Scroll down to the "OAuth Tokens for Your Workspace" section.
- Locate the token you need to revoke and click the "Revoke" button next to it.
- Generate a new token if necessary and update your application with the new token.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_secret_false_positive <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_ignore_here <reason> | Applies to this request only |
| #cycode_secret_ignore_everywhere <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_revoked | Applies to this secret value for all repos in your organization |
| DATABASE_PASSWORD = "Pr0d_Db!S3cureP@ss2025" | ||
| # GitHub integration | ||
| GITHUB_PAT = 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 |
❗Cycode: Secret of type: 'Github Fine Grained Token' was found.
Severity: High
SHA: 928f3a513f
Description
GitHub is a web-based platform for hosting and collaborating on software projects. Fine-grained personal access tokens (PATs) are a new type of personal access token introduced by GitHub that offer enhanced security to developers and organization owners.
Cycode Remediation Guideline
❗ How to revoke
- Log in to your GitHub account.
- Navigate to Settings.
- Select Developer settings.
- Click on Personal access tokens.
- Locate the fine-grained token you need to revoke.
- Click the Revoke button next to the token.
- Confirm the revocation when prompted.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_secret_false_positive <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_ignore_here <reason> | Applies to this request only |
| #cycode_secret_ignore_everywhere <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_revoked | Applies to this secret value for all repos in your organization |
| DATABASE_PORT = 5432 | ||
| DATABASE_NAME = "app_production" | ||
| DATABASE_USER = "app_service" | ||
| DATABASE_PASSWORD = "Pr0d_Db!S3cureP@ss2025" |
❗Cycode: Secret of type: 'Generic Password' was found.
Severity: Medium
Confidence Score: 99%
SHA: 1c68f01c3a
Description
A generic secret or password is an authentication token used to access a computer or application and is assigned to a password variable.
Cycode Remediation Guideline
❗ How to revoke
- Change the password or secret in the system or application where it is used.
- Update any services, applications, or scripts that use the old password or secret with the new one.
- Invalidate any sessions or tokens that were authenticated using the old password or secret.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_secret_false_positive <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_ignore_here <reason> | Applies to this request only |
| #cycode_secret_ignore_everywhere <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_revoked | Applies to this secret value for all repos in your organization |
| # AWS credentials | ||
| AWS_ACCESS_KEY_ID = "AKIAUVIGFTH6XXIAP3NB" | ||
| AWS_SECRET_ACCESS_KEY = "to21HQaNhBqBajpAnAodU8P8lthdaPJOgdy+y1w6" |
❗Cycode: Secret of type: 'Aws Secret Access Key' was found.
Severity: Critical
SHA: 722b5fd14a
Description
Alongside an AWS access key, the AWS secret access key is a string of characters that is used to sign and authenticate requests to AWS services.
Cycode Remediation Guideline
❗ How to revoke
- Sign in to the AWS Management Console.
- Navigate to the IAM (Identity and Access Management) service.
- Select "Users" from the navigation pane.
- Choose the user whose secret access key you need to revoke.
- Click on the "Security credentials" tab.
- Find the access key associated with the secret access key.
- Click "Deactivate" next to the access key.
- Click "Delete" to permanently remove the access key.
- Generate a new access key and secret access key if needed.
- Update any applications or services with the new access key and secret access key.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_secret_false_positive <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_ignore_here <reason> | Applies to this request only |
| #cycode_secret_ignore_everywhere <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_revoked | Applies to this secret value for all repos in your organization |
| # GitHub integration | ||
| GITHUB_PAT = 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 | ||
| GITHUB_ORG = "acme-corp" | ||
| GITHUB_WEBHOOK_SECRET = "whsec_k7Gm2pLqX9vNdR4tYbA1cEfHjW8uZoSi" |
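Review bot: the Cycode finding attached to this hunk is typed 'Stripe Webhook Secret', but the flagged variable is GITHUB_WEBHOOK_SECRET; the whsec_ prefix is Stripe's webhook signing secret format, so either the variable is misnamed or the type label is a prefix match. Either way the value is a hard-coded secret, committed here next to GITHUB_PAT (flagged separately in the hunk above), and should be rotated and loaded from the environment rather than tagged #cycode_secret_false_positive on the basis of the type label alone.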
❗Cycode: Secret of type: 'Stripe Webhook Secret' was found.
Severity: High
SHA: 5394326e24
Description
A Stripe webhook is a way for Stripe to send real-time updates to your application about events that happen on your Stripe account. To use webhooks, a webhook secret is required.
Cycode Remediation Guideline
❗ How to revoke
- Log in to your Stripe Dashboard.
- Navigate to the "Developers" section and select "Webhooks".
- Find the webhook endpoint associated with the secret you need to revoke.
- Click on the webhook endpoint to view its details.
- Click "Reveal" to view the current webhook secret.
- Click "Rotate secret" to generate a new webhook secret.
- Update your application to use the new webhook secret.
- Verify that the new webhook secret is working by sending a test webhook event from the Stripe Dashboard.
- Delete or disable the old webhook secret to ensure it is no longer in use.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_secret_false_positive <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_ignore_here <reason> | Applies to this request only |
| #cycode_secret_ignore_everywhere <reason> | Applies to this secret value for all repos in your organization |
| #cycode_secret_revoked | Applies to this secret value for all repos in your organization |
| if __name__ == '__main__': | ||
| app.run(debug=True) |
❗Cycode: SAST violation: 'Usage of Flask debug mode'.
Severity: Medium
Description
Enabling Flask's debug mode exposes sensitive internal information through detailed error messages, stack traces, and the interactive Werkzeug debugger. This can allow attackers to discover application internals, leak environment variables, or even execute arbitrary code.
Cycode Remediation Guideline
✅ Do
- Do ensure debug mode is disabled in all production deployments of Flask applications.
- Do use environment-specific configuration files or variables to control debug mode, keeping sensitive configurations out of source code.
- Do explicitly set debug=False:

      from flask import Flask
      app = Flask(__name__)
      app.run(debug=False)

❌ Don't
- Do not set debug mode True in code that is deployed.

      from flask import Flask
      app = Flask(__name__)
      app.run(debug=True)  # This should be avoided

- Do not rely on default Flask settings—always explicitly set debug mode off.
📋 References
🎥 Learning materials (by Secure Code Warrior)
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_sast_ignore_here <reason> | Ignore this violation — applies to this violation only |
| #cycode_ai_remediation | Request remediation guidance using Cycode AI |
| #cycode_sast_false_positive <reason> | Mark as false positive — applies to this violation only |
No description provided.