[Security Triage] CodeQL Alert Summary — 2026-03-25

[devin-ai-integration]

CodeQL Alert Summary — 2026-03-25

This issue tracks the triage of all open CodeQL security scanning alerts for colin-d-fried/demo-python.

Total open alerts: 50
Triage status: COMPLETE

Alert Checklist

• Add security workflows, fix hardcoded secret, and add requirements.txt #1 | HIGH | server/routes.py:16 | SQL query built from user-controlled sources | View alert | Classification: tutorial-code | Tracking: [CodeQL #1] SQL query built from user-controlled sources #3
• [Security Triage] CodeQL Alert Summary — 2026-03-25 #2 | HIGH | server/routes.py:22 | SQL query built from user-controlled sources | View alert | Classification: tutorial-code | Tracking: [CodeQL #2] SQL query built from user-controlled sources #4
• [CodeQL #1] SQL query built from user-controlled sources #3 | CRITICAL | vulnerable_command_injection.py:12 | Uncontrolled command line | View alert | Classification: demo-only | Tracking: [CodeQL #3] Uncontrolled command line #5
• [CodeQL #2] SQL query built from user-controlled sources #4 | CRITICAL | vulnerable_command_injection.py:20 | Uncontrolled command line | View alert | Classification: demo-only | Tracking: [CodeQL #4] Uncontrolled command line #6
• [CodeQL #3] Uncontrolled command line #5 | CRITICAL | vulnerable_command_injection.py:28 | Uncontrolled command line | View alert | Classification: demo-only | Tracking: [CodeQL #5] Uncontrolled command line #7
• [CodeQL #4] Uncontrolled command line #6 | HIGH | vulnerable_command_injection.py:40 | Flask app is run in debug mode | View alert | Classification: demo-only | Tracking: [CodeQL #6] Flask app is run in debug mode #8
• [CodeQL #5] Uncontrolled command line #7 | HIGH | vulnerable_deserialization.py:56 | Flask app is run in debug mode | View alert | Classification: demo-only | Tracking: [CodeQL #7] Flask app is run in debug mode #9
• [CodeQL #6] Flask app is run in debug mode #8 | HIGH | vulnerable_path_traversal.py:54 | Flask app is run in debug mode | View alert | Classification: demo-only | Tracking: [CodeQL #8] Flask app is run in debug mode #10
• [CodeQL #7] Flask app is run in debug mode #9 | HIGH | vulnerable_sql_injection.py:52 | Flask app is run in debug mode | View alert | Classification: demo-only | Tracking: [CodeQL #9] Flask app is run in debug mode #11
• [CodeQL #8] Flask app is run in debug mode #10 | HIGH | vulnerable_missing_auth.py:58 | Flask app is run in debug mode | View alert | Classification: demo-only | Tracking: [CodeQL #10] Flask app is run in debug mode #12
• [CodeQL #9] Flask app is run in debug mode #11 | HIGH | vulnerable_ssrf.py:58 | Flask app is run in debug mode | View alert | Classification: demo-only | Tracking: [CodeQL #11] Flask app is run in debug mode #13
• [CodeQL #10] Flask app is run in debug mode #12 | HIGH | vulnerable_xss.py:67 | Flask app is run in debug mode | View alert | Classification: demo-only | Tracking: [CodeQL #12] Flask app is run in debug mode #14
• [CodeQL #11] Flask app is run in debug mode #13 | HIGH | vulnerable_xxe.py:55 | Flask app is run in debug mode | View alert | Classification: demo-only | Tracking: [CodeQL #13] Flask app is run in debug mode #15
• [CodeQL #12] Flask app is run in debug mode #14 | HIGH | vulnerable_sql_injection.py:15 | SQL query built from user-controlled sources | View alert | Classification: demo-only | Tracking: [CodeQL #14] SQL query built from user-controlled sources #16
• [CodeQL #13] Flask app is run in debug mode #15 | HIGH | vulnerable_sql_injection.py:33 | SQL query built from user-controlled sources | View alert | Classification: demo-only | Tracking: [CodeQL #15] SQL query built from user-controlled sources #17
• [CodeQL #14] SQL query built from user-controlled sources #16 | HIGH | vulnerable_weak_crypto.py:7 | Use of a broken or weak cryptographic hashing algorithm on sensitive data | View alert | Classification: demo-only | Tracking: [CodeQL #16] Use of a broken or weak cryptographic hashing algorithm on sensitive data #18
• [CodeQL #15] SQL query built from user-controlled sources #17 | HIGH | vulnerable_weak_crypto.py:37 | Use of a broken or weak cryptographic hashing algorithm on sensitive data | View alert | Classification: demo-only | Tracking: [CodeQL #17] Use of a broken or weak cryptographic hashing algorithm on sensitive data #19
• [CodeQL #16] Use of a broken or weak cryptographic hashing algorithm on sensitive data #18 | HIGH | vulnerable_weak_crypto.py:40 | Use of a broken or weak cryptographic hashing algorithm on sensitive data | View alert | Classification: demo-only | Tracking: [CodeQL #18] Use of a broken or weak cryptographic hashing algorithm on sensitive data #20
• [CodeQL #17] Use of a broken or weak cryptographic hashing algorithm on sensitive data #19 | HIGH | vulnerable_weak_crypto.py:14 | Use of a broken or weak cryptographic algorithm | View alert | Classification: demo-only | Tracking: [CodeQL #19] Use of a broken or weak cryptographic algorithm #21
• [CodeQL #18] Use of a broken or weak cryptographic hashing algorithm on sensitive data #20 | HIGH | vulnerable_weak_crypto.py:19 | Use of a broken or weak cryptographic algorithm | View alert | Classification: demo-only | Tracking: [CodeQL #20] Use of a broken or weak cryptographic algorithm #22
• [CodeQL #19] Use of a broken or weak cryptographic algorithm #21 | HIGH | vulnerable_weak_crypto.py:46 | Use of a broken or weak cryptographic algorithm | View alert | Classification: demo-only | Tracking: [CodeQL #21] Use of a broken or weak cryptographic algorithm #23
• [CodeQL #20] Use of a broken or weak cryptographic algorithm #22 | CRITICAL | vulnerable_ssrf.py:11 | Full server-side request forgery | View alert | Classification: demo-only | Tracking: [CodeQL #22] Full server-side request forgery #24
• [CodeQL #21] Use of a broken or weak cryptographic algorithm #23 | CRITICAL | vulnerable_ssrf.py:19 | Full server-side request forgery | View alert | Classification: demo-only | Tracking: [CodeQL #23] Full server-side request forgery #25
• [CodeQL #22] Full server-side request forgery #24 | CRITICAL | vulnerable_ssrf.py:27 | Full server-side request forgery | View alert | Classification: demo-only | Tracking: [CodeQL #24] Full server-side request forgery #26
• [CodeQL #23] Full server-side request forgery #25 | CRITICAL | vulnerable_ssrf.py:35 | Full server-side request forgery | View alert | Classification: demo-only | Tracking: [CodeQL #25] Full server-side request forgery #27
• [CodeQL #24] Full server-side request forgery #26 | CRITICAL | vulnerable_ssrf.py:47 | Full server-side request forgery | View alert | Classification: demo-only | Tracking: [CodeQL #26] Full server-side request forgery #28
• [CodeQL #25] Full server-side request forgery #27 | CRITICAL | vulnerable_xxe.py:21 | XML external entity expansion | View alert | Classification: demo-only | Tracking: [CodeQL #27] XML external entity expansion #29
• [CodeQL #26] Full server-side request forgery #28 | HIGH | vulnerable_path_traversal.py:11 | Uncontrolled data used in path expression | View alert | Classification: demo-only | Tracking: [CodeQL #28] Uncontrolled data used in path expression #30
• [CodeQL #27] XML external entity expansion #29 | HIGH | vulnerable_path_traversal.py:17 | Uncontrolled data used in path expression | View alert | Classification: demo-only | Tracking: [CodeQL #29] Uncontrolled data used in path expression #31
• [CodeQL #28] Uncontrolled data used in path expression #30 | HIGH | vulnerable_path_traversal.py:27 | Uncontrolled data used in path expression | View alert | Classification: demo-only | Tracking: [CodeQL #30] Uncontrolled data used in path expression #32
• [CodeQL #29] Uncontrolled data used in path expression #31 | HIGH | vulnerable_path_traversal.py:51 | Uncontrolled data used in path expression | View alert | Classification: demo-only | Tracking: [CodeQL #31] Uncontrolled data used in path expression #33
• [CodeQL #30] Uncontrolled data used in path expression #32 | HIGH | vulnerable_xxe.py:12 | XML internal entity expansion | View alert | Classification: demo-only | Tracking: [CodeQL #32] XML internal entity expansion #34
• [CodeQL #31] Uncontrolled data used in path expression #33 | HIGH | vulnerable_xxe.py:50 | XML internal entity expansion | View alert | Classification: demo-only | Tracking: [CodeQL #33] XML internal entity expansion #35
• [CodeQL #32] XML internal entity expansion #34 | CRITICAL | vulnerable_deserialization.py:12 | Deserialization of user-controlled data | View alert | Classification: demo-only | Tracking: [CodeQL #34] Deserialization of user-controlled data #36
• [CodeQL #33] XML internal entity expansion #35 | CRITICAL | vulnerable_deserialization.py:20 | Deserialization of user-controlled data | View alert | Classification: demo-only | Tracking: [CodeQL #35] Deserialization of user-controlled data #37
• [CodeQL #34] Deserialization of user-controlled data #36 | CRITICAL | vulnerable_deserialization.py:40 | Deserialization of user-controlled data | View alert | Classification: demo-only | Tracking: [CodeQL #36] Deserialization of user-controlled data #38
• [CodeQL #35] Deserialization of user-controlled data #37 | CRITICAL | vulnerable_xss.py:31 | Server Side Template Injection | View alert | Classification: demo-only | Tracking: [CodeQL #37] Server Side Template Injection #39
• [CodeQL #36] Deserialization of user-controlled data #38 | MEDIUM | vulnerable_deserialization.py:14 | Reflected server-side cross-site scripting | View alert | Classification: demo-only | Tracking: [CodeQL #38] Reflected server-side cross-site scripting #40
• [CodeQL #37] Server Side Template Injection #39 | MEDIUM | vulnerable_deserialization.py:22 | Reflected server-side cross-site scripting | View alert | Classification: demo-only | Tracking: [CodeQL #39] Reflected server-side cross-site scripting #41
• [CodeQL #38] Reflected server-side cross-site scripting #40 | MEDIUM | vulnerable_deserialization.py:42 | Reflected server-side cross-site scripting | View alert | Classification: demo-only | Tracking: [CodeQL #40] Reflected server-side cross-site scripting #42
• [CodeQL #39] Reflected server-side cross-site scripting #41 | MEDIUM | vulnerable_ssrf.py:13 | Reflected server-side cross-site scripting | View alert | Classification: demo-only | Tracking: [CodeQL #41] Reflected server-side cross-site scripting #43
• [CodeQL #40] Reflected server-side cross-site scripting #42 | MEDIUM | vulnerable_ssrf.py:37 | Reflected server-side cross-site scripting | View alert | Classification: demo-only | Tracking: [CodeQL #42] Reflected server-side cross-site scripting #44
• [CodeQL #41] Reflected server-side cross-site scripting #43 | MEDIUM | vulnerable_ssrf.py:49 | Reflected server-side cross-site scripting | View alert | Classification: demo-only | Tracking: [CodeQL #43] Reflected server-side cross-site scripting #45
• [CodeQL #42] Reflected server-side cross-site scripting #44 | MEDIUM | vulnerable_xss.py:9 | Reflected server-side cross-site scripting | View alert | Classification: demo-only | Tracking: [CodeQL #44] Reflected server-side cross-site scripting #46
• [CodeQL #43] Reflected server-side cross-site scripting #45 | MEDIUM | vulnerable_xss.py:24 | Reflected server-side cross-site scripting | View alert | Classification: demo-only | Tracking: [CodeQL #45] Reflected server-side cross-site scripting #47
• [CodeQL #44] Reflected server-side cross-site scripting #46 | MEDIUM | vulnerable_xss.py:31 | Reflected server-side cross-site scripting | View alert | Classification: demo-only | Tracking: [CodeQL #46] Reflected server-side cross-site scripting #48
• [CodeQL #45] Reflected server-side cross-site scripting #47 | MEDIUM | vulnerable_xss.py:48 | Reflected server-side cross-site scripting | View alert | Classification: demo-only | Tracking: [CodeQL #47] Reflected server-side cross-site scripting #49
• [CodeQL #46] Reflected server-side cross-site scripting #48 | MEDIUM | vulnerable_xss.py:54 | Reflected server-side cross-site scripting | View alert | Classification: demo-only | Tracking: [CodeQL #48] Reflected server-side cross-site scripting #50
• [CodeQL #47] Reflected server-side cross-site scripting #49 | MEDIUM | vulnerable_xss.py:60 | Reflected server-side cross-site scripting | View alert | Classification: demo-only | Tracking: [CodeQL #49] Reflected server-side cross-site scripting #51
• [CodeQL #48] Reflected server-side cross-site scripting #50 | MEDIUM | vulnerable_xxe.py:23 | Reflected server-side cross-site scripting | View alert | Classification: demo-only | Tracking: [CodeQL #50] Reflected server-side cross-site scripting #52

Triage Report

See Triage Report — 2026-03-25 for the full summary.

---

Generated by automated security triage on 2026-03-25. Updated after triage completion.

[devin-ai-integration]

Triage Complete

All 50 CodeQL alerts have been reviewed and classified:

• tutorial-code (2): Alerts Add security workflows, fix hardcoded secret, and add requirements.txt #1, [Security Triage] CodeQL Alert Summary — 2026-03-25 #2 — server/routes.py (intentional SQL injection for CodeQL tutorial)
• demo-only (48): Alerts [CodeQL #1] SQL query built from user-controlled sources #3–[CodeQL #48] Reflected server-side cross-site scripting #50 — vulnerable_* files (intentionally insecure demo files)
• fix (0): No real unintentional vulnerabilities found
• false-positive (0): None

All tracking issues (#3–#52) have been created, classified, closed as 'not planned', and added to the Projects board.

See the full Triage Report — 2026-03-25 for details.