mapoor voteapp app.py show_refresh sql injection
Description
A vulnerability was found in mapoor voteapp. It has been rated as critical. Affected by this issue is the function create_poll/do_poll/show_poll/show_refresh of the file app.py. The manipulation leads to sql injection. The patch is identified as b290c21a0d8bcdbd55db860afd3cadec97388e72. It is recommended to apply a patch to fix this issue. VDB-217790 is the identifier assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"The application improperly sanitizes user input before incorporating it into SQL queries, leading to SQL injection."
Attack vector
An attacker can exploit this vulnerability by manipulating the `p_id` parameter in requests to the `do_poll`, `show_poll`, and `show_refresh` functions. By injecting malicious SQL code into this parameter, an attacker can execute arbitrary SQL commands against the database. The `create_poll` function is also vulnerable as it directly embeds user-provided data into SQL queries without proper sanitization [ref_id=1].
Affected code
The vulnerability exists in the `create_poll`, `do_poll`, `show_poll`, and `show_refresh` functions within the `app.py` file. Specifically, the way SQL queries are constructed and executed in these functions allows for the injection of malicious SQL code.
What the fix does
The patch modifies the SQL query execution in `create_poll`, `do_poll`, `show_poll`, and `show_refresh` functions. Instead of directly formatting the SQL string with user input, it now uses parameterized queries. This change ensures that user-supplied data is treated as literal values rather than executable SQL code, thereby preventing SQL injection [patch_id=4373519].
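Added example (not the project's own code and not taken from the commit): the pre-patch pattern of formatting user input into the SQL string, beside the parameterized form the fix adopts, run against a constructed in-memory SQLite table. The table schema, column names and handler signatures are assumptions standing in for voteapp's real ones.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the poll table; schema and rows are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE polls (p_id INTEGER PRIMARY KEY, question TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO polls VALUES (?, ?, ?)",
        [(1, "Tabs or spaces?", "alice"), (2, "Coffee or tea?", "bob")],
    )
    return conn


def show_poll_vulnerable(conn, p_id):
    # Pre-patch pattern: the request value is spliced into the statement text,
    # so the database parses whatever it contains as SQL.
    query = "SELECT p_id, question FROM polls WHERE p_id = '%s'" % p_id
    return conn.execute(query).fetchall()


def show_poll_fixed(conn, p_id):
    # Post-patch pattern: a placeholder in the statement and the value bound
    # separately; the driver sends p_id as a literal and never parses it as SQL.
    query = "SELECT p_id, question FROM polls WHERE p_id = ?"
    return conn.execute(query, (p_id,)).fetchall()


def validate_p_id(raw):
    # Defence in depth (hypothetical helper): a poll id is an integer, so
    # reject anything else before it reaches the database. None on bad input.
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


if __name__ == "__main__":
    crafted = "1' OR '1'='1"  # constructed input that is not a valid id
    print(show_poll_vulnerable(make_db(), crafted))  # every poll, not just one
    print(show_poll_fixed(make_db(), crafted))       # [] : treated as a literal
    print(show_poll_fixed(make_db(), validate_p_id("1")))
```

Pointing a regression test like the last three lines at each of the four handlers named in the advisory is a quick way to confirm the parameterized form is in place everywhere.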
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/mapoor/voteapp/commit/b290c21a0d8bcdbd55db860afd3cadec97388e72 (mitre, patch)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)