SQLAlchemy is a widely used PyPI package. As of 2026-05-24, there are 6 known vulnerabilities in the OSV database. The latest stable version is 2.0.49. Developers should audit their dependency trees and update to patched versions.
Package Overview
Known Vulnerabilities (6)
| ID | Severity | Score | Affected Versions | Fixed In | Description |
|---|---|---|---|---|---|
| CVE-2019-7548 | CRITICAL | 9.5 | 0 to 1.2.19 | 1.2.19 | SQLAlchemy is vulnerable to SQL Injection via group_by parameter |
| CVE-2019-7164 | CRITICAL | 9.5 | 0 to 1.3.0b3 | 1.3.0b3 | SQLAlchemy vulnerable to SQL Injection via order_by parameter |
| CVE-2012-0805 | CRITICAL | 9.5 | 0 to 0.7.0b4 | 0.7.0b4 | SQLAlchemy vulnerable to SQL injection |
| CVE-2012-0805 | UNKNOWN | - | 0 to 0.7.0 | 0.7.0 | Multiple SQL injection vulnerabilities in SQLAlchemy before 0.7.0b4, as used in Keystone, allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset keyword to the select |
| CVE-2019-7164 | UNKNOWN | - | 0 to 1.2.18 | 1.2.18 | SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. |
| CVE-2019-7548 | UNKNOWN | - | 0 to 1.2.18 | 1.2.18 | SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled. |
Security Recommendations
- Pin SQLAlchemy to the latest stable version (2.0.49) in your dependency manifest
- Enable automated dependency updates with Dependabot or Renovate
- Run regular vulnerability scans using
pip-audit - Review your lock file (requirements.txt) after every update
- Monitor the OSV database and NIST NVD for new advisories
FAQ
Is SQLAlchemy safe to use?
SQLAlchemy is actively maintained and widely used. As of 2026-05-24, there are 6 known vulnerabilities listed in the OSV database. Most have patches available. Keeping your dependencies updated and running regular security audits significantly reduces risk.
What vulnerabilities does SQLAlchemy have?
The OSV database currently lists 6 vulnerabilities for SQLAlchemy. These range in severity and are detailed in the vulnerability table above. Check the linked advisories for full technical details and remediation guidance.
How do I update SQLAlchemy to fix vulnerabilities?
Run pip install --upgrade sqlalchemy to get the newest version. Use pip-audit or safety check to scan for known vulnerabilities. Pin your dependencies with a requirements file and review updates regularly.
Using AI-Generated Code with SQLAlchemy?
Our vibe coding security audit checks for misconfigurations, exposed secrets and vulnerable dependencies in AI-generated codebases. If your project uses SQLAlchemy, we can verify it is locked to a safe version and properly configured.
Get a Vibe Coding Security Audit