A SQL injection vulnerability in pycsw all versions before 2.0.2, 1.10.5 and 1.8.6 that leads to read and extract of any data from any table in the pycsw database that the database user has access to. Also on PostgreSQL (at least) it is possible to perform updates/inserts/deletes and database modifications to any table the database user has access to.
seclists.org/oss-sec/2016/q4/406
www.securityfocus.com/bid/94302
github.com/advisories/GHSA-hg4c-rgvm-964g
github.com/geopython/pycsw
github.com/geopython/pycsw/commit/522873e5ce48bb9cbd4e7e8168ca881ce709c222
github.com/geopython/pycsw/commit/69546e13527c82e4f9191769215490381ad511b2
github.com/geopython/pycsw/commit/daaf09b4b920708a415be3c7f446739661ba3753
github.com/geopython/pycsw/pull/474/files
nvd.nist.gov/vuln/detail/CVE-2016-8640
patch-diff.githubusercontent.com/raw/geopython/pycsw/pull/474.patch