## SQL Injection Vulnerability in Flask Routes Exposes Student Database Search
A high-severity SQL injection vulnerability has been identified in the application's search functionality, allowing attacker-controlled input to be concatenated directly into database queries. The flaw resides in `app/routes.py` at line 34, where the user-supplied `q` query-string parameter is embedded into a raw SQL statement without parameterization. This pattern, classified under CWE-89, enables malicious actors to alter the query logic and potentially extract, modify, or delete records from the underlying database.

The vulnerable code constructs SQL queries using string interpolation, reading the `q` parameter from `request.args` and inserting it directly into a SELECT statement over the student records table. Because there is no input sanitization and no use of prepared statements, any quote or SQL syntax in the search field becomes part of the statement itself. The application executes the unsanitized query through SQLAlchemy's `text()` wrapper and renders the results in a search template. The issue has been flagged with detection pattern DEEP-001.

Security researchers warn that exploiting this flaw could lead to unauthorized data access or database manipulation, depending on the application's permission scope. The recommended remediation involves replacing raw string concatenation with parameterized queries or leveraging SQLAlchemy's ORM methods to handle user input safely. Organizations running affected instances should prioritize patching and audit their query construction practices across all application endpoints.
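The following is an added illustration, not code from the affected project: it places a stand-in for the flawed route's query beside the parameterized form the remediation calls for, using a constructed in-memory SQLite table and the standard-library `sqlite3` driver (assumed here in place of the application's real database). The `:name` placeholder syntax is the same one SQLAlchemy's `text()` accepts for bound parameters.

```python
import sqlite3

# Constructed sample rows standing in for the application's student table.
CONSTRUCTED_STUDENTS = [
    (1, "Alice Smith", "CS"),
    (2, "Dan O'Brien", "Math"),
    (3, "Bob Lee", "CS"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, major TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", CONSTRUCTED_STUDENTS)
    return conn


def search_vulnerable(conn, q):
    # Mirrors the reported flaw: the search value is interpolated into the
    # statement text, so any quote in the input is parsed as SQL grammar.
    sql = f"SELECT id, name, major FROM students WHERE name LIKE '%{q}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, q):
    # Hardened form: the SQL text is fixed and the value travels as a bound
    # parameter. With SQLAlchemy this is text("... LIKE :pattern") executed
    # with pattern=... ; the driver never re-parses the value as SQL.
    # (LIKE wildcards '%' and '_' inside q still act as wildcards, which is a
    # search-semantics issue, not an injection.)
    sql = "SELECT id, name, major FROM students WHERE name LIKE :pattern"
    return conn.execute(sql, {"pattern": f"%{q}%"}).fetchall()


def compare(q):
    """Run both versions on one input; returns (vulnerable_outcome, safe_rows).

    A legitimate name containing an apostrophe is enough to show the
    difference: the interpolated query breaks because the quote ended the
    string literal early, while the parameterized query simply matches it.
    """
    conn = make_db()
    try:
        vuln = search_vulnerable(conn, q)
    except sqlite3.Error as exc:
        vuln = f"error: {type(exc).__name__}"
    safe = search_safe(conn, q)
    conn.close()
    return vuln, safe
```

Running `compare("O'Brien")` shows the interpolated query failing with a syntax error while the bound-parameter query returns the matching row; the same audit can be applied to every endpoint that builds statement text from `request.args`.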
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: sql-injection, flask, python, security-vulnerability, owasp-cwe-89
- **Credibility**: unverified
- **Published**: 2026-04-22 18:27:32
- **ID**: 76049
- **URL**: https://whisperx.ai/en/intel/76049