← Back

Sqlalchemy

sqlalchemy

5 CVEs • 2 products

Products (2)

Click to collapse
Toggle
Sqlalchemy
sqlalchemy
3 CVEs
Mako
mako
2 CVEs

CVEs (5)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2026-41205
1Sqlalchemy
1Mako
May 20, 2026
Apr 23, 2026
7.7 HIGH· v4
7.5 HIGH· v3
N/A· v2
Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency bet...Show more
Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11.Show less
CVE-2022-40023
2Debian
Sqlalchemy
2Debian Linux
Mako
Dec 3, 2025
Sep 7, 2022
N/A· v4
7.5 HIGH· v3
N/A· v2
Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.
CVE-2019-7164
5Debian
OpensuseOracle+2 more
9Backports Sle
Communications Operations MonitorDebian Linux+6 more
Nov 21, 2024
Feb 20, 2019
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
CVE-2019-7548
5Debian
OpensuseOracle+2 more
9Backports Sle
Communications Operations MonitorDebian Linux+6 more
Nov 21, 2024
Feb 6, 2019
N/A· v4
7.8 HIGH· v3
6.8 MEDIUM· v2
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
CVE-2012-0805
1Sqlalchemy
1Sqlalchemy
Apr 29, 2026
Jun 5, 2012
N/A· v4
N/A· v3
7.5 HIGH· v2
Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4, as used in Keystone, allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset keyword to the select function, or unspec...Show more
Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4, as used in Keystone, allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset keyword to the select function, or unspecified vectors to the (3) select.limit or (4) select.offset function.Show less