CVE-2016-3957

CRITICAL

web2py < 2.14.2 - Remote Code Execution via Pickle Deserialization in Session Cookie

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-3957. PoCs published by sj.

AI-analyzed exploit summary This repository contains a full web2py application snapshot, including the vulnerable code for CVE-2016-3957. The presence of the admin shell controller and other components suggests it is a functional exploit PoC for the vulnerability.

Description

The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_key.

Exploits (1)

nomisec WORKING POC
by sj · poc
https://github.com/sj/web2py-e94946d-CVE-2016-3957

This repository contains a full web2py application snapshot, including the vulnerable code for CVE-2016-3957. The presence of the admin shell controller and other components suggests it is a functional exploit PoC for the vulnerability.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: web2py 2.13.4-stable
No auth needed
Prerequisites: Access to the web2py admin interface
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://devco.re/blog/2017/01/03/web2py-unserialize-code-execution-CVE-2016-3957/
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4030-1/

Scores

CVSS v3 9.8
EPSS 0.0499
EPSS Percentile 91.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (1)
web2py/web2py < 2.14.2
Published Feb 06, 2018
Tracked Since Feb 18, 2026