fix(deps): vuln minor: Flask, Jinja2 [pkg/dependency]

[gh-worker-campaigns-3e9aa4]

Summary: High-severity security update — 8 packages upgraded (MINOR changes included)

Manifests changed:

• pkg/dependency (pip)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
Flask	2.0.0	2.3.3	minor	Direct	3 HIGH, 2 LOW
Flask	2.0.0	2.3.3	minor	Direct	3 HIGH, 2 LOW
Flask	2.0.0	2.3.3	minor	Direct	3 HIGH, 2 LOW
Flask	2.0.0	2.3.3	minor	Direct	3 HIGH, 2 LOW
Jinja2	3.0.0	3.1.6	minor	Direct	10 MEDIUM
Jinja2	3.0.0	3.1.6	minor	Direct	10 MEDIUM
Jinja2	3.0.0	3.1.6	minor	Direct	10 MEDIUM
Jinja2	3.0.0	3.1.6	minor	Direct	10 MEDIUM

---

Security Details

🚨 Critical & High Severity (12 fixed)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
Flask	GHSA-m2qf-hxjv-5gpq	HIGH	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	2.0.0	2.3.2
Flask	CVE-2023-30861	HIGH	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	2.0.0	-
Flask	PYSEC-2023-62	HIGH	-	2.0.0	70f906c51ce49c485f1d355703e9cc3386b1cc2b
Flask	PYSEC-2023-62	HIGH	-	2.0.0	70f906c51ce49c485f1d355703e9cc3386b1cc2b
Flask	CVE-2023-30861	HIGH	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	2.0.0	-
Flask	GHSA-m2qf-hxjv-5gpq	HIGH	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	2.0.0	2.3.2
Flask	GHSA-m2qf-hxjv-5gpq	HIGH	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	2.0.0	2.3.2
Flask	CVE-2023-30861	HIGH	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	2.0.0	-
Flask	PYSEC-2023-62	HIGH	-	2.0.0	70f906c51ce49c485f1d355703e9cc3386b1cc2b
Flask	CVE-2023-30861	HIGH	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	2.0.0	-
Flask	PYSEC-2023-62	HIGH	-	2.0.0	70f906c51ce49c485f1d355703e9cc3386b1cc2b
Flask	GHSA-m2qf-hxjv-5gpq	HIGH	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	2.0.0	2.3.2

ℹ️ Other Vulnerabilities (48)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
Jinja2	CVE-2024-22195	MODERATE	Jinja vulnerable to Cross-Site Scripting (XSS)	3.0.0	-
Jinja2	GHSA-h5c8-rqwp-cp95	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0.0	3.1.3
Jinja2	CVE-2024-56201	MODERATE	Jinja has a sandbox breakout through malicious filenames	3.0.0	-
Jinja2	CVE-2025-27516	MODERATE	Jinja sandbox breakout through attr filter selecting format method	3.0.0	-
Jinja2	GHSA-cpwx-vrp4-4pq7	MODERATE	Jinja2 vulnerable to sandbox breakout through attr filter selecting format method	3.0.0	3.1.6
Jinja2	CVE-2024-34064	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0.0	-
Jinja2	GHSA-h75v-3vvj-5mfj	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0.0	3.1.4
Jinja2	GHSA-q2x7-8rv6-6q7h	MODERATE	Jinja has a sandbox breakout through indirect reference to format method	3.0.0	3.1.5
Jinja2	CVE-2024-56326	MODERATE	Jinja has a sandbox breakout through indirect reference to format method	3.0.0	-
Jinja2	GHSA-gmj6-6f8f-6699	MODERATE	Jinja has a sandbox breakout through malicious filenames	3.0.0	3.1.5
Jinja2	CVE-2024-56326	MODERATE	Jinja has a sandbox breakout through indirect reference to format method	3.0.0	-
Jinja2	CVE-2024-22195	MODERATE	Jinja vulnerable to Cross-Site Scripting (XSS)	3.0.0	-
Jinja2	GHSA-h75v-3vvj-5mfj	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0.0	3.1.4
Jinja2	GHSA-cpwx-vrp4-4pq7	MODERATE	Jinja2 vulnerable to sandbox breakout through attr filter selecting format method	3.0.0	3.1.6
Jinja2	GHSA-h5c8-rqwp-cp95	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0.0	3.1.3
Jinja2	GHSA-q2x7-8rv6-6q7h	MODERATE	Jinja has a sandbox breakout through indirect reference to format method	3.0.0	3.1.5
Jinja2	GHSA-gmj6-6f8f-6699	MODERATE	Jinja has a sandbox breakout through malicious filenames	3.0.0	3.1.5
Jinja2	CVE-2024-56201	MODERATE	Jinja has a sandbox breakout through malicious filenames	3.0.0	-
Jinja2	CVE-2025-27516	MODERATE	Jinja sandbox breakout through attr filter selecting format method	3.0.0	-
Jinja2	CVE-2024-34064	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0.0	-
Jinja2	CVE-2024-56201	MODERATE	Jinja has a sandbox breakout through malicious filenames	3.0.0	-
Jinja2	GHSA-q2x7-8rv6-6q7h	MODERATE	Jinja has a sandbox breakout through indirect reference to format method	3.0.0	3.1.5
Jinja2	GHSA-h75v-3vvj-5mfj	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0.0	3.1.4
Jinja2	CVE-2024-34064	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0.0	-
Jinja2	GHSA-cpwx-vrp4-4pq7	MODERATE	Jinja2 vulnerable to sandbox breakout through attr filter selecting format method	3.0.0	3.1.6
Jinja2	CVE-2025-27516	MODERATE	Jinja sandbox breakout through attr filter selecting format method	3.0.0	-
Jinja2	GHSA-gmj6-6f8f-6699	MODERATE	Jinja has a sandbox breakout through malicious filenames	3.0.0	3.1.5
Jinja2	GHSA-h5c8-rqwp-cp95	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0.0	3.1.3
Jinja2	CVE-2024-22195	MODERATE	Jinja vulnerable to Cross-Site Scripting (XSS)	3.0.0	-
Jinja2	CVE-2024-56326	MODERATE	Jinja has a sandbox breakout through indirect reference to format method	3.0.0	-
Jinja2	CVE-2025-27516	MODERATE	Jinja sandbox breakout through attr filter selecting format method	3.0.0	-
Jinja2	GHSA-gmj6-6f8f-6699	MODERATE	Jinja has a sandbox breakout through malicious filenames	3.0.0	3.1.5
Jinja2	GHSA-cpwx-vrp4-4pq7	MODERATE	Jinja2 vulnerable to sandbox breakout through attr filter selecting format method	3.0.0	3.1.6
Jinja2	GHSA-h75v-3vvj-5mfj	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0.0	3.1.4
Jinja2	CVE-2024-34064	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0.0	-
Jinja2	CVE-2024-56201	MODERATE	Jinja has a sandbox breakout through malicious filenames	3.0.0	-
Jinja2	GHSA-q2x7-8rv6-6q7h	MODERATE	Jinja has a sandbox breakout through indirect reference to format method	3.0.0	3.1.5
Jinja2	CVE-2024-56326	MODERATE	Jinja has a sandbox breakout through indirect reference to format method	3.0.0	-
Jinja2	GHSA-h5c8-rqwp-cp95	MODERATE	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	3.0.0	3.1.3
Jinja2	CVE-2024-22195	MODERATE	Jinja vulnerable to Cross-Site Scripting (XSS)	3.0.0	-
Flask	GHSA-68rp-wp8r-4726	LOW	Flask session does not add Vary: Cookie header when accessed in some ways	2.0.0	3.1.3
Flask	CVE-2026-27205	LOW	Flask session does not add Vary: Cookie header when accessed in some ways	2.0.0	-
Flask	GHSA-68rp-wp8r-4726	LOW	Flask session does not add Vary: Cookie header when accessed in some ways	2.0.0	3.1.3
Flask	CVE-2026-27205	LOW	Flask session does not add Vary: Cookie header when accessed in some ways	2.0.0	-
Flask	CVE-2026-27205	LOW	Flask session does not add Vary: Cookie header when accessed in some ways	2.0.0	-
Flask	GHSA-68rp-wp8r-4726	LOW	Flask session does not add Vary: Cookie header when accessed in some ways	2.0.0	3.1.3
Flask	CVE-2026-27205	LOW	Flask session does not add Vary: Cookie header when accessed in some ways	2.0.0	-
Flask	GHSA-68rp-wp8r-4726	LOW	Flask session does not add Vary: Cookie header when accessed in some ways	2.0.0	3.1.3

⚠️ Dependencies that have Reached EOL (8)

Dependency	Unsafe Version	EOL Date	New Version	Path
Flask	2.0.0	May 11, 2026	2.3.3	pkg/dependency/parser/python/pip/testdata/requirements_comments.txt
Flask	2.0.0	May 11, 2026	2.3.3	pkg/dependency/parser/python/pip/testdata/requirements_flask.txt
Flask	2.0.0	May 11, 2026	2.3.3	pkg/dependency/parser/python/pip/testdata/requirements_no_version.txt
Flask	2.0.0	May 11, 2026	2.3.3	pkg/dependency/parser/python/pip/testdata/requirements_spaces.txt
Jinja2	3.0.0	May 11, 2026	3.1.6	pkg/dependency/parser/python/pip/testdata/requirements_comments.txt
Jinja2	3.0.0	May 11, 2026	3.1.6	pkg/dependency/parser/python/pip/testdata/requirements_flask.txt
Jinja2	3.0.0	May 11, 2026	3.1.6	pkg/dependency/parser/python/pip/testdata/requirements_hash.txt
Jinja2	3.0.0	May 11, 2026	3.1.6	pkg/dependency/parser/python/pip/testdata/requirements_spaces.txt

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

[datadog-datadog-prod-us1]

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 2 Pipeline jobs failed

Test | Integration Test     

Test | Test (macos-latest)     

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: cf44e2a | Docs | Datadog PR Page | Give us feedback!}