CRITICAL 9.1

PYSEC-2026-555

toui allows user-specific variables to be shared between users

Details

### Impact

Websites that use `Website.user_vars` property in versions.

### Patches

It affects versions v2.0.1 to v2.4.0. Please upgrade to v2.4.1.

### Workarounds

Do not use `Website.user_vars` in websites when using versions v2.0.1 to v2.4.0. Also, do not use `Website.signin_user()` in version v2.4.0 only.

### Explanation

ToUI is using Flask-Caching (SimpleCache) to store user variables. My misunderstanding was that these caches are stored in the client's browser, but it seems that these are stored in the server side.
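The failure mode described in the explanation, as an added example that is not ToUI's code: a standard-library model in which `ProcessCache` stands in for a server-side in-memory cache such as SimpleCache. The class names, the `user_vars` key layout and the `sid` session field are assumptions made for illustration, and the scoped variant is one possible mitigation, not necessarily the fix shipped in v2.4.1.

```python
import secrets

class ProcessCache:
    """Stand-in for a server-side in-memory cache: one dict per server process."""
    def __init__(self):
        self._data = {}
    def get(self, key, default=None):
        return self._data.get(key, default)
    def set(self, key, value):
        self._data[key] = value

class SharedVars:
    """Flawed pattern (assumed): every visitor reads and writes the same cache key."""
    def __init__(self, cache):
        self.cache = cache
    def load(self, session):
        return self.cache.get("user_vars", {})
    def save(self, session, values):
        self.cache.set("user_vars", dict(values))

class ScopedVars:
    """Hardened pattern: the key is bound to a random id held in the visitor's session."""
    def __init__(self, cache):
        self.cache = cache
    def _key(self, session):
        if "sid" not in session:
            session["sid"] = secrets.token_urlsafe(32)  # unguessable per-visitor id
        return "user_vars:" + session["sid"]
    def load(self, session):
        return self.cache.get(self._key(session), {})
    def save(self, session, values):
        self.cache.set(self._key(session), dict(values))

def simulate(store_cls):
    """Alice saves a value; return what Bob and Alice each read back afterwards."""
    store = store_cls(ProcessCache())
    alice, bob = {}, {}  # constructed stand-ins for two browsers' signed session data
    store.save(alice, {"email": "alice@example.test"})
    return store.load(bob), store.load(alice)

if __name__ == "__main__":
    print("shared key -> bob sees:", simulate(SharedVars)[0])
    print("scoped key -> bob sees:", simulate(ScopedVars)[0])
```

With the shared key, Bob's read returns Alice's data because both requests hit the same entry in the server process; with the session-scoped key, Bob gets an empty dict while Alice still reads her own values.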

Affected packages

PyPI / toui
Introduced in: 2.0.1 Fixed in: 2.4.1
Fix: `pip install --upgrade 'toui>=2.4.1'`
