Vulnerability of the PostgresDB._process_insert_query() function (file web/db.py), a web application creation framework by web.py, allowing attackers to execute arbitrary SQL commands

🗓️ 30 Apr 2025 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 2 Views

Vulnerability in PostgresDB._process_insert_query allows arbitrary SQL via seqname in web.py framework.

Reporter	Title	Published	Views	Family All 19
Circl	CVE-2025-3818	19 Apr 202520:00	–	circl
CNNVD	webpy 注入漏洞	19 Apr 202500:00	–	cnnvd
CVE	CVE-2025-3818	19 Apr 202519:31	–	cve
Cvelist	CVE-2025-3818 webpy web.py db.py PostgresDB._process_insert_query sql injection	19 Apr 202519:31	–	cvelist
Debian	[SECURITY] [DLA 4189-1] webpy security update	29 May 202511:34	–	debian
Debian CVE	CVE-2025-3818	19 Apr 202519:31	–	debiancve
Tenable Nessus	Debian dla-4189 : python-webpy-doc - security update	29 May 202500:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2025-3818	18 Aug 202500:00	–	nessus
EUVD	EUVD-2025-15028	3 Oct 202520:07	–	euvd
NVD	CVE-2025-3818	19 Apr 202520:15	–	nvd

Vulners

Node

aaron_swartz web.pyRange≤0.70

Source	Link
noppgwz8if	www.noppgwz8if.feishu.cn/docx/TxjpddUpTokyBwxibSgcTRr7nUf
vuldb	www.vuldb.com/
vuldb	www.vuldb.com/
vuldb	www.vuldb.com/
github	www.github.com/webpy/webpy
web	www.web.nvd.nist.gov/view/vuln/detail

30 Apr 2025 00:00Current

7.1High risk

Vulners AI Score7.1

CVSS 36.3

CVSS 26.5

EPSS0.00254

PostgresDB vulnerability process insert query seqname parameter web.py framework arbitrary SQL execution