CVE-2025-69662

HIGH

geopandas < 1.1.2 - SQL Injection via to_postgis() Function

Title source: llm

Description

SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database.

References (3)

Core 3

Core References

Mailing List

https://lists.debian.org/debian-lts-announce/2026/04/msg00025.html

Exploit, Third Party Advisory

https://aydinnyunus.github.io/2025/12/27/sql-injection-geopandas/

Issue Tracking, Patch

https://github.com/geopandas/geopandas/pull/3681

Scores

CVSS v3 8.6

EPSS 0.0001

EPSS Percentile 2.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (2)

geopandas/geopandas < 1.1.2

pypi/geopandas 0 - 1.1.2PyPI

Published Jan 30, 2026

Tracked Since Feb 18, 2026