From 36fd98b0502f9b811ca6a00230c7824da7bf119a Mon Sep 17 00:00:00 2001
From: Oreofe Solarin
Date: Wed, 22 Apr 2026 13:50:31 -0400
Subject: [PATCH] fix: correct GHSA-887w-45rq-vxgf sqlalchemy fixed version 1.2.18 -> 1.3.0b1 (no 1.2.x backport)
---
 .../2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/advisories/github-reviewed/2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json b/advisories/github-reviewed/2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json
index 41eb7b4f8de1c..355b5f7b2b564 100644
--- a/advisories/github-reviewed/2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json
+++ b/advisories/github-reviewed/2019/04/GHSA-887w-45rq-vxgf/GHSA-887w-45rq-vxgf.json
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-887w-45rq-vxgf",
- "modified": "2024-10-28T14:20:14Z",
+ "modified": "2026-04-22T00:00:00Z",
 "published": "2019-04-16T15:50:41Z",
 "aliases": [
 "CVE-2019-7164"
 ],
 "summary": "SQLAlchemy vulnerable to SQL Injection via order_by parameter",
- "details": "SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.",
+ "details": "SQLAlchemy through 1.2.18 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. The fix (commit 30307c4) was never backported to the 1.2.x release branch; users on 1.2.x must upgrade to 1.3.0b3 or later.",
 "severity": [
 {
 "type": "CVSS_V3",
@@ -51,7 +51,7 @@
 "introduced": "0"
 },
 {
- "fixed": "1.2.18"
+ "fixed": "1.3.0b1"
 }
 ]
 }
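Review bot: The rewritten `details` string bounds the 1.2 line at "through 1.2.18" and then states that the fix was never backported to 1.2.x; if the second sentence is correct, any 1.2.x release after 1.2.18 is affected as well and the upper bound understates the exposure. Wording such as `SQLAlchemy 1.2.x (all releases) and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.` would keep the two sentences consistent. The abbreviated commit id `30307c4` is hard to verify from prose alone, so a full commit URL in the advisory's reference list (outside this hunk) would help readers confirm the no-backport claim. The `modified` value is a hand-written midnight timestamp that does not match the commit date; if repository tooling normally sets this field, it is probably better left untouched in the patch.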
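Review bot: The new `"fixed": "1.3.0b1"` event contradicts the `details` text changed in the first hunk, which says 1.3.x is affected through 1.3.0b2 and tells users to upgrade to 1.3.0b3 or later. With `introduced: "0"` and `fixed: "1.3.0b1"`, dependency scanners that consume this range would treat 1.3.0b1 and 1.3.0b2 as patched and stop flagging them, which is a false negative for a SQL injection advisory. If the details text is right, the event should read `"fixed": "1.3.0b3"`, and the commit subject should name the same version. The enclosing range object and its package entry start outside this hunk, so it is worth checking that no other range or `last_affected` field there needs the same correction.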