CVE-2024-36039

MEDIUM LAB

PyMySQL <1.1.0 - SQL Injection

Title source: llm

Description

PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.

Exploits (1)

nomisec WORKING POC

by zenniskayy2k4 · poc

https://github.com/zenniskayy2k4/CVE-2024-36039_PoC

View Code ZIP pw:eip

References (4)

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/05/msg00017.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/23VXBV34GFRICCVYZ6KFMSSWY5UEXCF5/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35VOJS3SRJNLQIO7YTZFNM6RWHIHWTMK/

[Release Notes] https://github.com/PyMySQL/PyMySQL/releases/tag/v1.1.1

Scores

CVSS v3 6.3

EPSS 0.0010

EPSS Percentile 27.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Lab Environment

COMMUNITY

Community Lab

docker pull mariadb:10.11

https://github.com/zenniskayy2k4/CVE-2024-36039_PoC

View in Library

Details

CWE

CWE-89

Status published

Products (1)

pypi/pymysql 0 - 1.1.1PyPI

Published May 21, 2024

Tracked Since Feb 18, 2026