PYSEC-2026-1864

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/records-mover/PYSEC-2026-1864.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1864
Aliases
Published
2026-07-07T16:03:16.943532Z
Modified
2026-07-07T17:47:00.462566026Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
records-mover Injection vulnerability
Details

A weakness has been identified in bluelabsio records-mover up to 1.5.4. The affected element is an unknown function of the component Table Object Handler. This manipulation causes SQL Injection. The attack needs to be launched locally. Upgrading to version 1.6.0 is sufficient to fix this issue. Patch name: 3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa. Developers should upgrade the affected component.

References

Affected packages

PyPI / records-mover

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.6.0

Affected versions

0.*
0.1.1
0.1.2
0.2.1
0.2.2
0.3.0
0.3.1
0.3.2
0.4.0
0.4.1
0.5.0
0.6.0
0.6.1
0.7.0
1.*
1.0.0
1.1.0
1.2.0
1.3.0
1.4.0
1.5.1
1.5.2
1.5.3
1.5.4

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/records-mover/PYSEC-2026-1864.yaml"