werkzeug

If debug is active you could try to access to /console and gain RCE.

__import__('os').popen('whoami').read();

There is also several exploits on the internet like this or one in metasploit.