All SQLAlchemy CVEs — Complete Vulnerability History
SQLAlchemy is Python's most popular ORM. CVEs here are rare — the team is security-conscious. The main risk is SQL injection via raw query methods, which are discouraged in the documentation.
PyPI · 30M+ weekly downloads · 3 CVEs total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2019-7164 | 2019 | HIGH | SQL injection via order_by in certain backends | Fixed 1.3.0 |
| CVE-2019-7548 | 2019 | HIGH | SQL injection via group_by in certain backends | Fixed 1.3.0 |
| CVE-2023-30534 | 2023 | HIGH | SQL injection via crafted filter parameters in raw queries | Fixed 2.0.28 |
Current safe version: 2.0.28
```text
# Before
SQLAlchemy==1.4.46
# After
SQLAlchemy==2.0.28
```
Then run: pip install -r requirements.txt
Common questions
Is SQLAlchemy's ORM safe from SQL injection?
The ORM query interface is safe — SQLAlchemy parameterises queries automatically. The risk is raw SQL built with string formatting and passed to text() or execute(): never use f-strings or % formatting to put user input into a SQL string; always pass it as bound parameters (bindparams).
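To make the difference concrete, here is an added example (not code from the page or from the SQLAlchemy project) that runs both patterns against a constructed in-memory SQLite table: the f-string version lets a crafted name widen the WHERE clause, while the bound-parameter version treats the same input as a plain string.

```python
from sqlalchemy import create_engine, text


def make_demo_engine():
    """Constructed sample data: an in-memory SQLite database with two users."""
    engine = create_engine("sqlite://")
    with engine.begin() as conn:  # begin() commits on exit, works on 1.4 and 2.0
        conn.execute(text("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)"))
        conn.execute(
            text("INSERT INTO users (name) VALUES (:name)"),
            [{"name": "alice"}, {"name": "bob"}],
        )
    return engine


def lookup_unsafe(engine, name):
    """Vulnerable: user input is interpolated into the SQL string before text() sees it."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    with engine.connect() as conn:
        return [row[0] for row in conn.execute(text(sql))]


def lookup_safe(engine, name):
    """Hardened: the SQL is fixed; the value travels as a bound parameter."""
    stmt = text("SELECT name FROM users WHERE name = :name").bindparams(name=name)
    with engine.connect() as conn:
        return [row[0] for row in conn.execute(stmt)]


if __name__ == "__main__":
    engine = make_demo_engine()
    crafted = "' OR '1'='1"  # constructed input that closes the quote and adds a tautology
    print("unsafe:", lookup_unsafe(engine, crafted))  # every row comes back
    print("safe:  ", lookup_safe(engine, crafted))    # no user is literally named that
```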
Should I migrate from SQLAlchemy 1.4 to 2.0?
SQLAlchemy 1.4 EOL is approaching. 2.0 has significant API changes but also better async support and performance. The migration guide is comprehensive — worth the investment for long-lived projects.