CRITICAL 9.8
PYSEC-2026-570
web2py remote code execution via hardcoded encryption key in session.connect function
Details
The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the `session.connect` function.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://nvd.nist.gov/vuln/detail/CVE-2016-3953 [ADVISORY]
- https://github.com/web2py/web2py/issues/1205 [WEB]
- https://github.com/web2py/web2py/commit/9706d125b42481178d2b423de245f5d2faadbf40 [WEB]
- https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957 [WEB]
- https://github.com/web2py/web2py [PACKAGE]
- https://github.com/web2py/web2py/blob/R-2.14.1/applications/examples/models/session.py [WEB]
- https://usn.ubuntu.com/4030-1 [WEB]
- https://pypi.org/project/web2py [PACKAGE]
- https://github.com/advisories/GHSA-q2rq-qgcf-m22w [ADVISORY]