Massimo Di Pierro

3 exploits, active since Feb 2018

CVE-2016-3957 (CRITICAL, CVSS 9.8; tags: NOMISEC, WORKING POC)
web2py < 2.14.2 - Code Injection
The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.

CVE-2022-33146 (MEDIUM, CVSS 6.1; tags: WRITEUP)
web2py < 2.22.5 - Open Redirect
Open redirect vulnerability in web2py versions prior to 2.22.5 allows a remote attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having the user access a specially crafted URL.

CVE-2026-25198 (MEDIUM, CVSS 4.7; tags: WRITEUP)
PyPI web2py < 3.1.1 - Open Redirect
web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL and, as a result, may become a victim of a phishing attack.