PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by escape_dict.
escape_dict
"https://github.com/pypa/advisory-database/blob/main/vulns/pymysql/PYSEC-2026-502.yaml"