CVE-2025-3818: 
Linux Debian vulnerability analysis and mitigation

A critical SQL injection vulnerability was discovered in webpy web.py version 0.70. The vulnerability affects the PostgresDB.processinsert_query function in the web/db.py file, specifically related to the manipulation of the seqname argument. The vulnerability was disclosed on April 19, 2025, and has been assigned CVE-2025-3818 (NVD, VulDB).

The vulnerability exists in the PostgresDB.processinsert_query method of web/db.py where the seqname parameter is not properly filtered or escaped. The issue is classified as CWE-89 (SQL Injection) and CWE-74 (Injection). The vulnerability has received a CVSS v3.1 base score of 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, and a CVSS v4.0 score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N (VulDB).

The SQL injection vulnerability can impact the confidentiality, integrity, and availability of the affected system. When using PostgreSQL database, attackers can potentially inject arbitrary SQL commands by controlling the sequence name parameter (VulDB).

No specific mitigation measures or workarounds have been publicly documented. It is recommended to replace the affected component with an alternative product until a patch is available (VulDB).