GHSA-6497-prx7-gpmqHighCVSS 8.6
geopandas SQL Injection Vulnerability in to_postgis() Allows Information Disclosure
🔗 CVE IDs covered (1)
📋 Description
SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database.
🎯 Affected products1
- pip/geopandas:< 1.1.2
🔗 References (9)
- https://nvd.nist.gov/vuln/detail/CVE-2025-69662
- https://github.com/geopandas/geopandas/pull/3681
- https://aydinnyunus.github.io/2025/12/27/sql-injection-geopandas
- https://github.com/geopandas/geopandas/issues/3679
- https://github.com/geopandas/geopandas/commit/6aa8ef14ffdee4ba1044349ab948e1a1fbfaf419
- https://github.com/geopandas/geopandas/releases/tag/v1.1.2
- https://lists.debian.org/debian-lts-announce/2026/04/msg00025.html
- https://github.com/pypa/advisory-database/tree/main/vulns/geopandas/PYSEC-2026-62.yaml
- https://github.com/advisories/GHSA-6497-prx7-gpmq