CRITICAL 9.8
PYSEC-2026-524
ReviewBoard and Djblets library are vulnerable to code execution
Details
An eval() vulnerability exists in Python Software Foundation Djblets versions before 0.6.30 and 0.7.0 before 0.7.19, and in Beanbag Review Board before 1.7.15, when parsing JSON requests. It allows an attacker to execute arbitrary Python code.
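The version ranges in the description above can be checked mechanically against a given or installed version. This is an added example, not code from the advisory or from the Djblets or Review Board projects; the function names, the four-part version padding and the conservative treatment of pre-releases are assumptions made here.

```python
import re
from importlib import metadata

# (introduced, fixed) pairs transcribed from the advisory text above;
# a version is affected when introduced <= version < fixed.
AFFECTED = {
    "djblets": [("0", "0.6.30"), ("0.7.0", "0.7.19")],
    "reviewboard": [("0", "1.7.15")],
}
PRE = re.compile(r"^(\d+(?:\.\d+)*)\s*[.\-_]?(a|b|c|rc|alpha|beta|pre|dev)", re.I)
REL = re.compile(r"^(\d+(?:\.\d+)*)")

def parse(version):
    """Return (release tuple padded to 4 parts, is_prerelease)."""
    v = version.strip().lstrip("vV")
    m = REL.match(v)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")][:4]
    parts += [0] * (4 - len(parts))  # so "0.7" compares equal to "0.7.0"
    return tuple(parts), bool(PRE.match(v))

def is_affected(package, version):
    """True if `version` of `package` falls in a range listed by the advisory."""
    name = re.sub(r"[-_.]+", "-", package).lower()
    release, pre = parse(version)
    for introduced, fixed in AFFECTED.get(name, []):
        low, high = parse(introduced)[0], parse(fixed)[0]
        # A pre-release of the fixed version is treated as still affected
        # (conservative assumption; the advisory does not say either way).
        if low <= release and (release < high or (release == high and pre)):
            return True
    return False

def installed_findings():
    """Check the packages installed in the current environment."""
    findings = {}
    for name in AFFECTED:
        try:
            findings[name] = is_affected(name, metadata.version(name))
        except metadata.PackageNotFoundError:
            findings[name] = None  # not installed
    return findings

if __name__ == "__main__":
    for pkg, state in installed_findings().items():
        print(pkg, {None: "not installed", True: "AFFECTED", False: "ok"}[state])
```

Djblets releases from 0.6.30 up to, but not including, 0.7.0 fall between the two listed ranges, so the check reports them as not affected.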
Affected packages
PyPI / reviewboard
Introduced in: 0
Fixed in: 1.7.15
Fix
pip install --upgrade 'reviewboard>=1.7.15'
References
- https://nvd.nist.gov/vuln/detail/CVE-2013-4409 [ADVISORY]
- https://access.redhat.com/security/cve/cve-2013-4409 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4409 [WEB]
- https://exchange.xforce.ibmcloud.com/vulnerabilities/88059 [WEB]
- https://github.com/djblets/djblets [PACKAGE]
- https://github.com/djblets/djblets/blob/release-0.7.19/NEWS [WEB]
- https://github.com/pypa/advisory-database/tree/main/vulns/djblets/PYSEC-2019-175.yaml [WEB]
- https://security-tracker.debian.org/tracker/CVE-2013-4409 [WEB]
- https://web.archive.org/web/20200228151135/https://www.securityfocus.com/bid/63029 [WEB]
- https://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.15 [WEB]
- http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120619.html [WEB]
- http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119819.html [WEB]
- http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119820.html [WEB]
- http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119830.html [WEB]
- http://lists.fedoraproject.org/pipermail/package-announce/2013-October/119831.html [WEB]
- https://pypi.org/project/reviewboard [PACKAGE]
- https://github.com/advisories/GHSA-58h8-44mg-r43x [ADVISORY]