10 matches found
SQL Injection
alerta-server is vulnerable to SQL Injection. The vulnerability is due to direct interpolation of user-supplied query parameters into SQL statements without sanitization, which allows an attacker to inject and execute arbitrary SQL queries...
SQL Injection
Overview alerta-server is an Alerta server WSGI application Affected versions of this package are vulnerable to SQL Injection in the q parameter of the query string API due to direct interpolation of user-supplied input into SQL statements using f-strings. An attacker can execute arbitrary SQL...
GHSA-8PRR-286P-4W7J alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API
Impact The Query string search API q= was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. Patches Fixed in v9.1.0. The Postgres query parser now uses parameterized queries wit...
alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API
Impact The Query string search API q= was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. Patches Fixed in v9.1.0. The Postgres query parser now uses parameterized queries wit...
CVE-2026-34400 alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API
Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API q= was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version...
CVE-2026-34400
CVE-2026-34400 affects Alerta (alerta-server) prior to version 9.1.0. The vulnerability is in the Query string search API (q=) where user-supplied search terms were interpolated into SQL strings via f-strings in the PostgreSQL query parser, enabling SQL injection in WHERE clauses. The issue has b...
CVE-2026-34400 alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API
Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API q= was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version...
CVE-2026-34400 alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API
Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API q= was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version...
PYSEC-2020-159
In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configure to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow unauthenticated authentication mechanism for...
LDAP authentication bypass with empty password
Impact Users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configure to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow unauthenticated binds eg. default on Active Directory are affected. Patch...