[Security Triage] CodeQL Alert Summary — 2026-03-25

[devin-ai-integration]

[Security Triage] CodeQL Alert Summary — 2026-03-25

This issue tracks the triage of all open CodeQL security scanning alerts for colin-d-fried/demo-python.

Fast-Track (Critical Severity)

• [CodeQL #1] SQL query built from user-controlled sources #3 — py/command-line-injection (critical) — vulnerable_command_injection.py line 12 — CWE-078
• [CodeQL #2] SQL query built from user-controlled sources #4 — py/command-line-injection (critical) — vulnerable_command_injection.py line 20 — CWE-078
• [CodeQL #3] Uncontrolled command line #5 — py/command-line-injection (critical) — vulnerable_command_injection.py line 28 — CWE-078
• [CodeQL #20] Use of a broken or weak cryptographic algorithm #22 — py/full-ssrf (critical) — vulnerable_ssrf.py line 11 — CWE-918
• [CodeQL #21] Use of a broken or weak cryptographic algorithm #23 — py/full-ssrf (critical) — vulnerable_ssrf.py line 19 — CWE-918
• [CodeQL #22] Full server-side request forgery #24 — py/full-ssrf (critical) — vulnerable_ssrf.py line 27 — CWE-918
• [CodeQL #23] Full server-side request forgery #25 — py/full-ssrf (critical) — vulnerable_ssrf.py line 35 — CWE-918
• [CodeQL #24] Full server-side request forgery #26 — py/full-ssrf (critical) — vulnerable_ssrf.py line 47 — CWE-918
• [CodeQL #25] Full server-side request forgery #27 — py/xxe (critical) — vulnerable_xxe.py line 21 — CWE-611
• [CodeQL #32] XML internal entity expansion #34 — py/unsafe-deserialization (critical) — vulnerable_deserialization.py line 12 — CWE-502
• [CodeQL #33] XML internal entity expansion #35 — py/unsafe-deserialization (critical) — vulnerable_deserialization.py line 20 — CWE-502
• [CodeQL #34] Deserialization of user-controlled data #36 — py/unsafe-deserialization (critical) — vulnerable_deserialization.py line 40 — CWE-502
• [CodeQL #35] Deserialization of user-controlled data #37 — py/template-injection (critical) — vulnerable_xss.py line 31 — CWE-074
• [CodeQL #36] Deserialization of user-controlled data #38 — py/reflective-xss (critical) — vulnerable_xss.py line 9 — CWE-079
• [CodeQL #37] Server Side Template Injection #39 — py/command-line-injection (critical) — vulnerable_command_injection.py line 34 — CWE-078
• [CodeQL #38] Reflected server-side cross-site scripting #40 — py/command-line-injection (critical) — vulnerable_command_injection.py line 37 — CWE-078
• [CodeQL #39] Reflected server-side cross-site scripting #41 — py/command-line-injection (critical) — vulnerable_command_injection.py line 33 — CWE-078
• [CodeQL #40] Reflected server-side cross-site scripting #42 — py/command-line-injection (critical) — vulnerable_command_injection.py line 11 — CWE-078

Fast-Track (High Severity)

• Add security workflows, fix hardcoded secret, and add requirements.txt #1 — py/sql-injection (high) — server/routes.py line 16 — CWE-089
• [Security Triage] CodeQL Alert Summary — 2026-03-25 #2 — py/sql-injection (high) — server/routes.py line 22 — CWE-089
• [CodeQL #4] Uncontrolled command line #6 — py/flask-debug (high) — vulnerable_command_injection.py line 40 — CWE-215
• [CodeQL #5] Uncontrolled command line #7 — py/flask-debug (high) — vulnerable_deserialization.py line 56 — CWE-215
• [CodeQL #6] Flask app is run in debug mode #8 — py/flask-debug (high) — vulnerable_path_traversal.py line 54 — CWE-215
• [CodeQL #7] Flask app is run in debug mode #9 — py/flask-debug (high) — vulnerable_sql_injection.py line 52 — CWE-215
• [CodeQL #8] Flask app is run in debug mode #10 — py/flask-debug (high) — vulnerable_missing_auth.py line 58 — CWE-215
• [CodeQL #9] Flask app is run in debug mode #11 — py/flask-debug (high) — vulnerable_ssrf.py line 58 — CWE-215
• [CodeQL #10] Flask app is run in debug mode #12 — py/flask-debug (high) — vulnerable_xss.py line 67 — CWE-215
• [CodeQL #11] Flask app is run in debug mode #13 — py/flask-debug (high) — vulnerable_xxe.py line 55 — CWE-215
• [CodeQL #12] Flask app is run in debug mode #14 — py/sql-injection (high) — vulnerable_sql_injection.py line 15 — CWE-089
• [CodeQL #13] Flask app is run in debug mode #15 — py/sql-injection (high) — vulnerable_sql_injection.py line 33 — CWE-089
• [CodeQL #14] SQL query built from user-controlled sources #16 — py/weak-sensitive-data-hashing (high) — vulnerable_weak_crypto.py line 7 — CWE-327
• [CodeQL #15] SQL query built from user-controlled sources #17 — py/weak-sensitive-data-hashing (high) — vulnerable_weak_crypto.py line 37 — CWE-327
• [CodeQL #16] Use of a broken or weak cryptographic hashing algorithm on sensitive data #18 — py/weak-sensitive-data-hashing (high) — vulnerable_weak_crypto.py line 40 — CWE-327
• [CodeQL #17] Use of a broken or weak cryptographic hashing algorithm on sensitive data #19 — py/weak-cryptographic-algorithm (high) — vulnerable_weak_crypto.py line 14 — CWE-327
• [CodeQL #18] Use of a broken or weak cryptographic hashing algorithm on sensitive data #20 — py/weak-cryptographic-algorithm (high) — vulnerable_weak_crypto.py line 19 — CWE-327
• [CodeQL #19] Use of a broken or weak cryptographic algorithm #21 — py/weak-cryptographic-algorithm (high) — vulnerable_weak_crypto.py line 46 — CWE-327
• [CodeQL #26] Full server-side request forgery #28 — py/path-injection (high) — vulnerable_path_traversal.py line 11 — CWE-022
• [CodeQL #27] XML external entity expansion #29 — py/path-injection (high) — vulnerable_path_traversal.py line 17 — CWE-022
• [CodeQL #28] Uncontrolled data used in path expression #30 — py/path-injection (high) — vulnerable_path_traversal.py line 27 — CWE-022
• [CodeQL #29] Uncontrolled data used in path expression #31 — py/path-injection (high) — vulnerable_path_traversal.py line 51 — CWE-022
• [CodeQL #30] Uncontrolled data used in path expression #32 — py/xml-bomb (high) — vulnerable_xxe.py line 12 — CWE-776
• [CodeQL #31] Uncontrolled data used in path expression #33 — py/xml-bomb (high) — vulnerable_xxe.py line 50 — CWE-776

---

Total alerts: 42
Classification: All fix (no false positives)
Priority: 18 critical (fast-track), 24 high (fast-track)
Projects board: https://github.com/users/colin-d-fried/projects/4 (Note: token lacks project scope — items could not be added to board)