Flower 0.9.3 has XSS via the name parameter in an @app.task call. NOTE: The project author stated that he doesn't think this is a valid vulnerability. Worker name and task name aren’t user facing configuration options. They are internal backend config options and person having rights to change them already has full access
https://fatihhcelik.blogspot.com/2019/09/flower-100-has-xss-via-name-parameter.html