VYPR
Vendor

Web2py

Products
1
CVEs
9
Across products
9
Status
Private

Products

1

Recent CVEs

9
  • CVE-2016-3957CriFeb 6, 2018
    risk 0.57cvss 9.8epss 0.05

    The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.

  • CVE-2016-4806HigJan 11, 2017
    risk 0.53cvss 7.5epss 0.10

    Web2py versions 2.14.5 and below was affected by Local File Inclusion vulnerability, which allows a malicious intended user to read/access web server sensitive files.

  • CVE-2016-3952HigFeb 6, 2018
    risk 0.44cvss 7.8epss 0.01

    web2py before 2.14.1, when using the standalone version, allows remote attackers to obtain environment variable values via a direct request to examples/template_examples/beautify. NOTE: this issue can be leveraged by remote attackers to gain administrative access.

  • CVE-2015-6961MedOct 18, 2017
    risk 0.33cvss 6.1epss 0.01

    Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout.

  • CVE-2026-25198MedFeb 5, 2026
    risk 0.24cvss 4.7epss 0.00

    web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim…

  • CVE-2023-22432Mar 5, 2023
    risk 0.03cvss epss 0.02

    Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.

  • CVE-2023-45158Oct 16, 2023
    risk 0.00cvss epss 0.04

    An OS command injection vulnerability exists in web2py 2.24.1 and earlier. When the product is configured to use notifySendHandler for logging (not the default configuration), a crafted web request may execute an arbitrary OS command on the web server using the product.

  • CVE-2022-33146Jun 27, 2022
    risk 0.00cvss epss 0.01

    Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having a user to access a specially crafted URL.

  • CVE-2013-2311May 22, 2013
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in static/js/share.js (aka the social bookmarking widget) in Web2py before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.