PyPI package
web2py
pkg:pypi/web2py
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-25198 | Med | 4.7 | < 3.1.1 | 3.1.1 | Feb 5, 2026 | web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim o | |
| CVE-2023-22432 | — | < 2.23.1 | 2.23.1 | Mar 5, 2023 | Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack. | ||
| CVE-2022-33146 | — | < 2.22.5 | 2.22.5 | Jun 27, 2022 | Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL. | ||
| CVE-2016-3954 | Med | 5.5 | < 2.14.2 | 2.14.2 | Feb 6, 2018 | web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957. | |
| CVE-2016-3953 | Cri | 9.8 | < 2.14.2 | 2.14.2 | Feb 6, 2018 | The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function. | |
| CVE-2016-10321 | Cri | 9.8 | < 2.14.6 | 2.14.6 | Apr 10, 2017 | web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks. | |
| CVE-2016-4808 | Hig | 8.8 | < 2.14.6 | 2.14.6 | Jan 11, 2017 | Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to | |
| CVE-2016-4807 | Med | 4.8 | <= 2.14.5 | — | Jan 11, 2017 | Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin). |
- affected < 3.1.1fixed 3.1.1
web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim o
- CVE-2023-22432Mar 5, 2023affected < 2.23.1fixed 2.23.1
Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.
- CVE-2022-33146Jun 27, 2022affected < 2.22.5fixed 2.22.5
Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.
- affected < 2.14.2fixed 2.14.2
web2py before 2.14.2 allows remote attackers to obtain the session_cookie_key value via a direct request to examples/simple_examples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957.
- affected < 2.14.2fixed 2.14.2
The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function.
- affected < 2.14.6fixed 2.14.6
web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.
- affected < 2.14.6fixed 2.14.6
Web2py versions 2.14.5 and below was affected by CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged in user to perform some unwanted actions i.e An attacker can trick an victim to disable the installed application just by sending a URL to
- affected <= 2.14.5
Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin).