
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN132
_____________________________________________________________________

DATE                : 06/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running web2py versions prior to 3.1.7.

=====================================================================
https://github.com/advisories/GHSA-rf8c-3f5p-xv45
_____________________________________________________________________


web2py has an Open Redirect Vulnerability
Moderate severity | GitHub Reviewed
Published Feb 5, 2026 to the GitHub Advisory Database | Updated Feb 5, 2026


Vulnerability details

Package
web2py (pip)

Affected versions
< 3.1.1

Patched versions
3.1.1


Description

web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior
contain an Open Redirect vulnerability. If this vulnerability is
exploited, the user may be redirected to an arbitrary website when
accessing a specially crafted URL. As a result, the user may become
a victim of a phishing attack.
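The weakness described above (CWE-601) arises when a handler issues a redirect to a user-supplied URL without checking where it points. The helper below is an added example written for this note; it is not web2py's own code nor the b4e1ddb fix, and its name (`is_safe_redirect`), the `expected_host` parameter and the sample inputs are assumptions for illustration. It accepts only local absolute paths or absolute http(s) URLs whose host matches the one the application serves, and rejects the forms (scheme-relative `//host`, backslashes, control characters, foreign schemes) that browsers may resolve to a different origin than the server expects.

```python
"""Redirect-target validation as a mitigation for CWE-601 (open redirect).

Added example, not web2py's own code or its b4e1ddb fix. Assumption (not
from the advisory): the application serves one host name, passed as
`expected_host`, and wants to honour only relative paths on that host or
absolute URLs that point back to it. Port differences are tolerated.
"""
from urllib.parse import urlsplit


def is_safe_redirect(target: str, expected_host: str) -> bool:
    """Return True only if `target` keeps the browser on `expected_host`."""
    if not target or not isinstance(target, str):
        return False
    # Control characters and DEL can make server-side parsers and browsers
    # disagree about where the URL ends (and enable header injection).
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return False
    # Browsers normalise '\' to '/', so "/\host" is read as "//host".
    if "\\" in target:
        return False
    parts = urlsplit(target)
    # Only http(s) may be followed; anything else is refused outright.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.netloc:
        # Absolute or scheme-relative URL: the host must be our own.
        # `.hostname` strips userinfo and port and lower-cases the name.
        return (parts.hostname is not None
                and parts.hostname.lower() == expected_host.lower())
    # No host component: accept a plain absolute path on this site, but not
    # "//..." or "///...", which urlsplit may leave with an empty netloc.
    return target.startswith("/") and not target.startswith("//")


def safe_redirect_target(target: str, expected_host: str,
                         fallback: str = "/") -> str:
    """Return `target` if it is safe, otherwise the local `fallback` path.

    A handler would call this on the "next"/"return" parameter before
    emitting the 302 Location header.
    """
    return target if is_safe_redirect(target, expected_host) else fallback


if __name__ == "__main__":
    # Constructed sample inputs (not from the advisory).
    for candidate in ("/account/home", "https://app.example/account",
                      "https://other.example/", "//other.example/",
                      "/\\other.example", "/x\r\nSet-Cookie: a=b", ""):
        print(repr(candidate), "->", safe_redirect_target(candidate, "app.example"))
```

Using a fallback rather than raising keeps the login flow working when the parameter is tampered with; logging the rejected value alongside the request gives a cheap detection signal for redirect-abuse attempts.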


References

    https://nvd.nist.gov/vuln/detail/CVE-2026-25198
    web2py/web2py@b4e1ddb
    https://github.com/web2py/web2py/releases
    https://jvn.jp/en/jp/JVN46925341
    https://web2py.com


Severity
Moderate (5.1 / 10)

CVSS v4 base metrics

Exploitability Metrics
  Attack Vector        : Network
  Attack Complexity    : Low
  Attack Requirements  : None
  Privileges Required  : None
  User Interaction     : Active

Vulnerable System Impact Metrics
  Confidentiality      : None
  Integrity            : None
  Availability         : None

Subsequent System Impact Metrics
  Confidentiality      : None
  Integrity            : Low
  Availability         : None

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

EPSS score
(8th percentile)

Weaknesses
Weakness CWE-601

CVE ID
CVE-2026-25198

GHSA ID
GHSA-rf8c-3f5p-xv45

Source code
web2py/web2py

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

