GHSA-8prr-286p-4w7j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8prr-286p-4w7j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-8prr-286p-4w7j/GHSA-8prr-286p-4w7j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8prr-286p-4w7j
- Aliases
- Published
- 2026-03-31T23:23:21Z
- Modified
- 2026-04-06T17:46:14.838351Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API
- Details
-
Impact
The Query string search API (q=) was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings.
Patches
Fixed in v9.1.0. The Postgres query parser now uses parameterized queries with %(name)s placeholders passed to psycopg2's cursor.execute(), preventing SQL injection through the ?q= parameter. The MongoDB backend was not affected.
Workarounds
Upgrade to v9.1.0 or later. If unable to upgrade, deploy a proxy in front of the Alerta API to sanitize the q= parameter.
Resources
https://github.com/alerta/alerta/pull/712/files https://owasp.org/www-community/attacks/SQL_Injection
- Database specific
{ "github_reviewed_at": "2026-03-31T23:23:21Z", "nvd_published_at": "2026-03-31T22:16:18Z", "cwe_ids": [ "CWE-89" ], "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/alerta/alerta/security/advisories/GHSA-8prr-286p-4w7j
- https://nvd.nist.gov/vuln/detail/CVE-2026-34400
- https://github.com/alerta/alerta/pull/2040
- https://github.com/alerta/alerta/pull/712
- https://github.com/alerta/alerta/commit/aeba85a37a09e5769a7a2da56481aa979ff99a00
- https://github.com/alerta/alerta/commit/fdd52cd1abad8d02d1dfb8ecdcdbb43b6af3b883
- https://github.com/alerta/alerta
- https://github.com/alerta/alerta/releases/tag/v9.1.0
Affected packages
PyPI / alerta-server
Package
- Name
- alerta-server
- View open source insights on deps.dev
- Purl
- pkg:pypi/alerta-server
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed9.1.0
Affected versions
3.*
3.1.2
3.2.0
3.2.3
3.2.4
3.2.6
3.2.7
3.2.8
3.2.9
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.1.0
4.1.1
4.1.2
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6
4.3.0
4.3.1
4.3.2
4.4.0
4.4.1
4.4.2
4.4.5
4.4.6
4.4.7
4.4.8
4.4.9
4.4.10
4.4.11
4.4.12
4.4.13
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
4.6.6
4.6.7
4.6.8
4.6.9
4.7.0
4.7.1
4.7.2
4.7.3
4.7.4
4.7.5
4.7.6
4.7.7
4.7.8
4.7.9
4.7.10
4.7.11
4.7.12
4.7.13
4.7.14
4.7.15
4.7.16
4.7.17
4.7.18
4.7.19
4.7.20
4.7.21
4.7.22
4.7.23
4.7.24
4.7.25
4.7.26
4.7.27
4.7.28
4.7.29
4.7.30
4.7.31
4.7.32
4.7.33
4.8.0
4.8.1
4.8.2
4.8.3
4.8.4
4.8.5
4.8.6
4.8.7
4.8.8
4.8.9
4.8.10
4.8.11
4.8.12
4.8.13
4.8.14
4.8.15
4.8.16
4.8.17
4.8.18
4.8.19
4.8.20
4.8.21
4.8.22
4.8.23
4.8.24
4.8.25
4.8.26
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
4.9.6
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
5.*
5.0.0rc1
5.0.0rc2
5.0.0rc3
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.1.0
5.1.1
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
6.*
6.0.0
6.0.1
6.1.0
6.2.0
6.2.1
6.3.0
6.3.1
6.3.2
6.4.0
6.5.0
6.6.0
6.6.1
6.7.0
6.7.1
6.7.2
6.7.3
6.7.4
6.7.5
6.8.0
6.8.1
6.8.2
6.8.3
6.8.4
6.8.5
7.*
7.0.0
7.0.1
7.1.0
7.1.1
7.1.2
7.2.0
7.2.1
7.2.2
7.2.3
7.2.4
7.2.5
7.2.6
7.2.7
7.2.8
7.2.9
7.2.10
7.2.11
7.3.0
7.3.1
7.3.2
7.4.0
7.4.1
7.4.4
7.4.5
7.4.6
7.5.0
7.5.1
7.5.2
7.5.3
7.5.4
7.5.5
7.5.6
7.5.7
8.*
8.0.0
8.0.1
8.0.2
8.0.3
8.1.0
8.2.0
8.3.0
8.3.1
8.3.2
8.3.3
8.4.0
8.4.1
8.5.0
8.6.0
8.6.2
8.6.3
8.6.4
8.6.5
8.7.0
9.*
9.0.0
9.0.1
9.0.2
9.0.3
9.0.4