VDB
KO
CRITICAL 9.8

PYSEC-2026-570

web2py remote code execution via hardcoded encryption key in session.connect function

Details

The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the `session.connect` function.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / web2py
Introduced in: 0 Fixed in: 2.14.2
Fix pip install --upgrade 'web2py>=2.14.2'

References