CVE-2016-4807

MEDIUM

web2py < 2.14.5 - Reflected Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-4807. PoCs published by Narendra Bhati.

AI-analyzed exploit summary: This is a detailed technical writeup describing multiple vulnerabilities (LFI, XSS, CSRF) in Web2py 2.14.5, including proof-of-concept steps, HTTP request examples, and references to external resources like video PoCs and detailed analysis.

Description

Web2py versions 2.14.5 and below are affected by a reflected XSS vulnerability, which allows an attacker to perform an XSS attack against a logged-in user (admin).
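As an added illustration of the bug class (this is not web2py's code, and the parameter name "q" and the page template are assumptions; the page does not name the parameter the exploit-db writeup targets), a hypothetical handler that reflects a query parameter unescaped is shown beside its hardened form, together with a probe that reports which HTML metacharacters survive the round trip:

```python
import html
from urllib.parse import parse_qs, quote

# Both handlers are hypothetical stand-ins for a page that reflects a query
# parameter; they are not web2py code, and "q" is an assumed parameter name.
TEMPLATE = "<html><body><p>Results for: %s</p></body></html>"


def vulnerable_page(query_string):
    """Interpolates the raw parameter into HTML: the reflected-XSS bug class."""
    q = parse_qs(query_string).get("q", [""])[0]
    return TEMPLATE % q


def hardened_page(query_string):
    """Same page, but the parameter is HTML-escaped (quotes included) first."""
    q = parse_qs(query_string).get("q", [""])[0]
    return TEMPLATE % html.escape(q, quote=True)


# Canary built from unique tokens so template markup cannot be mistaken for it.
CANARY = "<rxss1>\"rxss2'"


def probe_reflection(handler, param="q"):
    """Send the canary through `handler` and report which metacharacters came
    back unescaped. 'tags' means < and > survived (tag injection in a text
    context); 'quotes' means " and ' survived (attribute break-out)."""
    body = handler("%s=%s" % (param, quote(CANARY, safe="")))
    return {
        "tags": "<rxss1>" in body,
        "quotes": "\"rxss2'" in body,
    }


def is_reflected_xss(handler, param="q"):
    """True when any metacharacter survives the round trip."""
    return any(probe_reflection(handler, param).values())


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_page), ("hardened", hardened_page)):
        print(name, probe_reflection(handler), is_reflected_xss(handler))
```

The probe checks a text and quoted-attribute context only; a parameter reflected inside a script block, a URL attribute or an event handler needs a context-specific canary and a context-specific encoder, since HTML entity escaping alone does not neutralise those sinks. The victim here is a logged-in admin, so the check has to be run while authenticated as that role, which is why the CVSS vector on this page carries PR:H and UI:R.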

Exploits (1)

exploitdb WRITEUP VERIFIED
by Narendra Bhati · text · webapps · python
https://www.exploit-db.com/exploits/39821

Classification
Writeup 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Web2py 2.14.5
Auth required
Prerequisites: Administrator access to the Web2py admin interface
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References (2)
Exploit, Third Party Advisory, VDB Entry · exploit · x_refsource_exploit-db
https://www.exploit-db.com/exploits/39821/

Scores

CVSS v3 4.8
EPSS 0.0228
EPSS Percentile 80.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
pypi/web2py (PyPI)
web2py/web2py < 2.14.5
Published Jan 11, 2017
Tracked Since Feb 18, 2026