PYSEC-2026-1249

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/ckan/PYSEC-2026-1249.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1249
Aliases
Published
2026-07-07T11:45:28.466851Z
Modified
2026-07-07T17:47:27.086073376Z
Severity
  • 4.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Out of memory error when submitting the dataset form with a specially-crafted field
Details

Impact

When submitting a POST request to the /dataset/new endpoint (including either the auth cookie or the Authorization header) with a specially-crafted field, an attacker can create an out-of-memory error in the hosting server.

To trigger this error the user needs to have permissions to create or edit datasets.

Patches

This vulnerability has been patched in CKAN 2.10.3 and 2.9.10

References

Affected packages

PyPI / ckan

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0
Fixed
2.9.10
Introduced
2.10.0
Fixed
2.10.3

Affected versions

2.*
2.0
2.0.1
2.0.7
2.0.8
2.1
2.1.1
2.1.5
2.1.6
2.2
2.2.1
2.2.3
2.2.4
2.3
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.8
2.4.9
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.6
2.5.7
2.5.8
2.5.9
2.6.0
2.6.1
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.11
2.8.12
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.10.0
2.10.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/ckan/PYSEC-2026-1249.yaml"