Mocodo Mocodo Online 4.2.6 and below does not properly sanitize the `sql_case` input field in `/web/generate.php`, allowing remote attackers to execute arbitrary SQL commands and potentially command injection, leading to remote code execution (RCE) under certain conditions.

Affected Packages

PyPI mocodo

Affected versions: 0 (fixed in 4.2.7)

Related CVEs

CVE-2024-35374

Key Information

GHSA ID

GHSA-j6cv-98jx-mrwr

Published

May 28, 2024 8:20 PM

Last Modified

May 28, 2024 8:20 PM

CVSS Score

9.0 /10

Primary Ecosystem

PyPI

Primary Package

mocodo

GitHub Reviewed

✓ Yes

Dataset

Last updated: October 5, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.