CVE-2024-36039

MEDIUM LAB

PyMySQL < 1.1.1 - SQL Injection via Unescaped JSON Keys

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-36039. PoCs published by zenniskayy2k4.

AI-analyzed exploit summary This repository contains a functional Proof of Concept (PoC) for CVE-2024-36039, demonstrating how an object injection vulnerability in PyMySQL (versions <= 1.1.0) can be escalated to SQL Injection using MariaDB's ODBC escape sequences. The PoC includes a Dockerized environment with a Flask application and MariaDB database to reproduce the vulnerability.

Description

PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.

Exploits (1)

nomisec WORKING POC
by zenniskayy2k4 · poc
https://github.com/zenniskayy2k4/CVE-2024-36039_PoC

This repository contains a functional Proof of Concept (PoC) for CVE-2024-36039, demonstrating how an object injection vulnerability in PyMySQL (versions <= 1.1.0) can be escalated to SQL Injection using MariaDB's ODBC escape sequences. The PoC includes a Dockerized environment with a Flask application and MariaDB database to reproduce the vulnerability.

Classification
Working Poc 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: PyMySQL <= 1.1.0
No auth needed
Prerequisites: Docker · Docker Compose
devstral-2 · analyzed Apr 09, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 6.3
EPSS 0.0014
EPSS Percentile 33.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Lab Environment

COMMUNITY
Community Lab
docker pull mariadb:10.11

Details

CWE
CWE-89
Status published
Products (1)
pypi/pymysql 0 - 1.1.1PyPI
Published May 21, 2024
Tracked Since Feb 18, 2026