CRITICAL 9.8

PYSEC-2026-569

web2py is vulnerable to password brute-force attack

Details

web2py before 2.14.6 does not properly check if a host is denied before verifying passwords, allowing a remote attacker to perform brute-force attacks.
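The check-order flaw described above, as an added example: a simplified model written for this page, not web2py's own code. The threshold, credential store, `LoginGuard`, `login_flawed`, `login_fixed`, and `replay` names are all assumptions made for illustration.

```python
import hashlib
import hmac

MAX_FAILURES = 3  # assumed lockout threshold for this model
SALT = b"constructed-salt"  # constructed sample credential data
STORED = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)
ATTEMPTS = ["a", "b", "c", "correct horse"]  # constructed attempt sequence

def verify_password(candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, 100_000)
    return hmac.compare_digest(digest, STORED)

class LoginGuard:
    """Tracks failed attempts per client host (hypothetical helper)."""
    def __init__(self):
        self.failures = {}

    def is_denied(self, host):
        return self.failures.get(host, 0) >= MAX_FAILURES

    def record(self, host, success):
        if success:
            self.failures.pop(host, None)
        else:
            self.failures[host] = self.failures.get(host, 0) + 1

def login_flawed(guard, host, password):
    # Flawed order: the password is verified before the deny state is
    # consulted, so a locked-out host still learns whether a guess is right.
    if verify_password(password):
        guard.record(host, True)
        return "authorized"
    guard.record(host, False)
    return "denied" if guard.is_denied(host) else "invalid"

def login_fixed(guard, host, password):
    # Corrected order: a denied host is rejected before any verification,
    # so the response no longer depends on the submitted password.
    if guard.is_denied(host):
        return "denied"
    ok = verify_password(password)
    guard.record(host, ok)
    return "authorized" if ok else "invalid"

def replay(login, attempts, host="203.0.113.7"):
    """Run a sequence of attempts from one host and return each outcome."""
    guard = LoginGuard()
    return [login(guard, host, p) for p in attempts]
```

Replaying `ATTEMPTS` through both functions shows the difference: the flawed order still authorizes the fourth request from a host that has already hit the lockout threshold, while the corrected order answers `denied`.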

Affected packages

PyPI / web2py
Introduced in: 0
Fixed in: 2.14.6
Fix: pip install --upgrade 'web2py>=2.14.6'
