{"id":"PYSEC-2026-286","summary":"asyncmy is vulnerable to SQL injection via crafted dict keys","details":"SQL injection vulnerability in long2ice asyncmy thru 0.2.10 allows attackers to execute arbitrary SQL commands via crafted dict keys.","aliases":["CVE-2025-65896","GHSA-qhqw-rrw9-25rm"],"modified":"2026-07-01T20:22:49.484655Z","published":"2026-06-29T11:50:38.965576Z","references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65896"},{"type":"WEB","url":"https://github.com/long2ice/asyncmy/issues/134"},{"type":"PACKAGE","url":"https://github.com/long2ice/asyncmy"},{"type":"PACKAGE","url":"https://pypi.org/project/asyncmy"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-qhqw-rrw9-25rm"}],"affected":[{"package":{"name":"asyncmy","ecosystem":"PyPI","purl":"pkg:pypi/asyncmy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"0.2.11"}]}],"versions":["0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.2.0","0.2.1","0.2.10","0.2.10rc1","0.2.11","0.2.2","0.2.3","0.2.4","0.2.5","0.2.7","0.2.7rc6","0.2.8","0.2.8rc1","0.2.8rc2","0.2.9"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/asyncmy/PYSEC-2026-286.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}