Werkzeug CVE-2023-46136 incorrect fixed versions
CVE-2023-46136.yml mentions that the CVE has been fixed only for versions 3.0.1 and above; however, the fix has been backported to the 2.3.x branch - see related PR. Therefore, version 2.3.8 should also be included under fixed_versions.
I have contacted NIST NVD and CVE-2023-46136 is now updated. Under Known Affected Software Configurations, 2.3.8 is already excluded; however, the description still seems to be incorrect.