Geopandas, an open‑source Python library for geospatial data, contains a flaw in its to_postgis() function that allows an attacker to inject arbitrary SQL when writing GeoDataFrames to a PostgreSQL database. The vulnerability is a classic input validation failure (CWE‑89) and permits a malicious actor to obtain data that the database had stored, potentially leaking sensitive geospatial records. The CVE description does not state that destructive writes are possible, so the impact is limited to unauthorized read access as described.

Any installation of geopandas older than version 1.1.2 that uses the to_postgis() routine to persist data into PostgreSQL is affected. The impact is confined to environments where geopandas is executed with code that can influence the arguments passed to the function—such as custom scripts, data pipelines, or web services that expose data ingestion endpoints.

The vulnerability has a CVSS score of 8.6, indicating high severity. The EPSS score is reported as less than 1%, suggesting a low likelihood of exploitation under normal circumstances, and it is not listed in the CISA KEV catalog. While the exploit requires some level of code execution or data injection capability, the most likely pathway is through local code that utilizes to_postgis(); in shared or public services, an attacker could supply crafted data that is then written to the database. The risk is primarily the potential exposure of confidential geospatial content rather than denial of service or integrity loss.