VulnerableCode Package Details - pkg:pypi/alerta-server@3.3.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-6sbe-pbcn-67gq Aliases: CVE-2026-34400 GHSA-8prr-286p-4w7j	alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API ### Impact The Query string search API (q=) was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. ### Patches Fixed in v9.1.0. The Postgres query parser now uses parameterized queries with %(name)s placeholders passed to psycopg2's cursor.execute(), preventing SQL injection through the ?q= parameter. The MongoDB backend was not affected. ### Workarounds Upgrade to v9.1.0 or later. If unable to upgrade, deploy a proxy in front of the Alerta API to sanitize the q= parameter. ### Resources https://github.com/alerta/alerta/pull/712/files https://owasp.org/www-community/attacks/SQL_Injection	9.1.0 Affected by 0 other vulnerabilities.
VCID-hwv6-r93u-bube Aliases: CVE-2020-26214 GHSA-5hmm-x8q8-w5jh PYSEC-2020-159	In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configure to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow unauthenticated authentication mechanism for anonymous authorization are affected. A fix has been implemented in version 8.1.0 that returns HTTP 401 Unauthorized response for any authentication attempts where the password field is empty. As a workaround LDAP administrators can disallow unauthenticated bind requests by clients.	7.5.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 8.1.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-6sbe-pbcn-67gq
Aliases:
CVE-2026-34400
GHSA-8prr-286p-4w7j

alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API ### Impact The Query string search API (q=) was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. ### Patches Fixed in v9.1.0. The Postgres query parser now uses parameterized queries with %(name)s placeholders passed to psycopg2's cursor.execute(), preventing SQL injection through the ?q= parameter. The MongoDB backend was not affected. ### Workarounds Upgrade to v9.1.0 or later. If unable to upgrade, deploy a proxy in front of the Alerta API to sanitize the q= parameter. ### Resources https://github.com/alerta/alerta/pull/712/files https://owasp.org/www-community/attacks/SQL_Injection

9.1.0
Affected by 0 other vulnerabilities.

VCID-hwv6-r93u-bube
Aliases:
CVE-2020-26214
GHSA-5hmm-x8q8-w5jh
PYSEC-2020-159

In Alerta before version 8.1.0, users may be able to bypass LDAP authentication if they provide an empty password when Alerta server is configure to use LDAP as the authorization provider. Only deployments where LDAP servers are configured to allow unauthenticated authentication mechanism for anonymous authorization are affected. A fix has been implemented in version 8.1.0 that returns HTTP 401 Unauthorized response for any authentication attempts where the password field is empty. As a workaround LDAP administrators can disallow unauthenticated bind requests by clients.

7.5.7
Affected by 1 other vulnerability.

8.1.0
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T07:40:08.879467+00:00	GitLab Importer	Affected by	VCID-6sbe-pbcn-67gq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/alerta-server/CVE-2026-34400.yml	38.6.0
2026-06-05T16:56:36.773742+00:00	PyPI Importer	Affected by	VCID-hwv6-r93u-bube	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-06-04T20:40:45.237460+00:00	GitLab Importer	Affected by	VCID-hwv6-r93u-bube	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/alerta-server/CVE-2020-26214.yml	38.6.0
2026-06-02T04:07:53.796081+00:00	Pypa Importer	Affected by	VCID-hwv6-r93u-bube	https://github.com/pypa/advisory-database/blob/main/vulns/alerta-server/PYSEC-2020-159.yaml	38.6.0