PYSEC-2026-426

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/mocodo/PYSEC-2026-426.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-426
Aliases
Published
2026-06-29T11:50:40.115425Z
Modified
2026-07-01T20:22:58.435412Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Mocodo vulnerable to SQL injection in `/web/generate.php`
Details

Mocodo Mocodo Online 4.2.6 and below does not properly sanitize the `sql_case` input field in `/web/generate.php`, allowing remote attackers to execute arbitrary SQL commands and, potentially, to achieve command injection, leading to remote code execution (RCE) under certain conditions.

References

Affected packages

PyPI / mocodo

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.2.7

Affected versions

2.*
2.0.0rc1
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.0.14
2.0.15
2.0.16
2.0.17
2.0.19
2.0.20
2.0.21
2.1
2.1.2
2.1.3
2.1.4
2.3
2.3.1
2.3.2rc1
2.3.2rc2
2.3.2
2.3.3
2.3.5
2.3.7
2.3.8
2.3.9
3.*
3.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
4.*
4.0.0
4.0.1
4.0.2
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10
4.0.11
4.0.12
4.0.13
4.0.14
4.1.0
4.1.1
4.1.2
4.1.3b1
4.1.3b2
4.1.3b3
4.1.3b4
4.1.3b5
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.6

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/mocodo/PYSEC-2026-426.yaml"
last_known_affected_version_range
"<= 4.2.6"