CVE-2025-3818

Name: CVE-2025-3818
Description: A vulnerability, which was classified as critical, was found in webpy web.py 0.70. The affected function is PostgresDB._process_insert_query in the file web/db.py. Manipulation of the argument seqname leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1103780

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release       Version    Status
webpy (PTS)      bullseye      1:0.61-1   vulnerable
                 bookworm      1:0.62-4   vulnerable
                 sid, trixie   1:0.62-5   vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
webpy     source   (unstable)   (unfixed)       -         -        1103780

Notes

https://noppgwz8if.feishu.cn/docx/TxjpddUpTokyBwxibSgcTRr7nUf
https://github.com/webpy/webpy/issues/806
