CVE-2016-4808

HIGH

web2py < 2.14.5 - Cross-Site Request Forgery

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-4808. PoCs published by Narendra Bhati.

AI-analyzed exploit summary: This is a detailed technical writeup describing multiple vulnerabilities (LFI, XSS, CSRF) in Web2py 2.14.5, including proof-of-concept steps, HTTP request examples, and references to external resources like video PoCs and detailed analysis.

Description

Web2py versions 2.14.5 and below were affected by a CSRF (Cross-Site Request Forgery) vulnerability, which allows an attacker to trick a logged-in user into performing unwanted actions; for example, an attacker can trick a victim into disabling an installed application just by sending the victim a URL.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Narendra Bhati · text · webapps · python
https://www.exploit-db.com/exploits/39821

Classification
Writeup 95%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Web2py 2.14.5
Auth required
Prerequisites: Administrator access to the Web2py admin interface
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References (2)
Exploit, Third Party Advisory, VDB Entry · exploit · x_refsource_exploit-db
https://www.exploit-db.com/exploits/39821/

Scores

CVSS v3 8.8
EPSS 0.0023
EPSS Percentile 46.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (2)
pypi/web2py 0 - 2.14.6 (PyPI)
web2py/web2py < 2.14.5
Published Jan 11, 2017
Tracked Since Feb 18, 2026