Vulnerabilities > Web2Py > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-16 | CVE-2023-45158 | OS Command Injection vulnerability in Web2Py An OS command injection vulnerability exists in web2py 2.24.1 and earlier. | 9.8 |
| 2018-02-06 | CVE-2016-3957 | Deserialization of Untrusted Data vulnerability in Web2Py The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key. | 9.8 |
| 2018-02-06 | CVE-2016-3953 | Use of Hard-coded Credentials vulnerability in Web2Py The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function. | 9.8 |
| 2017-04-10 | CVE-2016-10321 | 7PK - Security Features vulnerability in Web2Py web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks. | 9.8 |