From c20c718dc3b64070b8fea9cf3da0a5644f24c569 Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Wed, 15 Apr 2026 19:08:17 +0200
Subject: [PATCH 01/17] Minor refactoring

---
 data/txt/sha256sums.txt      | 6 +++---
 lib/controller/controller.py | 2 +-
 lib/core/settings.py         | 2 +-
 lib/request/connect.py       | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index 4f1baa5ce..c803eafd4 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -162,7 +162,7 @@ df768bcb9838dc6c46dab9b4a877056cb4742bd6cfaaf438c4a3712c5cc0d264  extra/shutils/
 9e5e4d3d9acb767412259895a3ee75e1a5f42d0b9923f17605d771db384a6f60  extra/vulnserver/vulnserver.py
 b8411d1035bb49b073476404e61e1be7f4c61e205057730e2f7880beadcd5f60  lib/controller/action.py
 ced1c82713afc1309c1495485b3d25a11c95af1f7460ea7922dbb96dacac37b4  lib/controller/checks.py
-430475857a37fd997e73a47d7485c5dd4aa0985ef32c5a46b5e7bff01749ba66  lib/controller/controller.py
+c1881685bef8504ded32c51abed00ab51849008c84b74e8a66117e5f5041b3df  lib/controller/controller.py
 d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f  lib/controller/handler.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/controller/__init__.py
 9e694e4864d865c5da745aaf9d35da885eff697a9a0f7b37c3e85d47b4378f64  lib/core/agent.py
@@ -188,7 +188,7 @@ d9b37177efcaba035c7fabe7d015a3b63d9cfe502bb4998ff71e47f825eeaaca  lib/core/patch
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-7ac60a264e940e5dd3cb425a9106c00699443b99ed9397cf47b3cc58ec21e081  lib/core/settings.py
+6b00dc765817f848de768ccb25831ec8a5d310c01adda6dcf1eaef36be742594  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
@@ -211,7 +211,7 @@ d2e771cdacef25ee3fdc0e0355b92e7cd1b68f5edc2756ffc19f75d183ba2c73  lib/parse/payl
 1d5972aba14e4e340e3dde4f1d39a671020187fb759f435ba8b7f522dd4498fa  lib/request/basic.py
 bc61bc944b81a7670884f82231033a6ac703324b34b071c9834886a92e249d0e  lib/request/chunkedhandler.py
 09c2d8786fb5280f5f14a7b4345ecb2e7c2ca836ee06a6cf9b51770df923d94c  lib/request/comparison.py
-f3a457675d7c2b85c7d5da5e336baf2782eaf0abbcb2ecdeb3c0e88d5bb60528  lib/request/connect.py
+6091ddc3e349f9c8d5280c54a79f39cdc9b52c9b21da14ae76091f9e7c2587d9  lib/request/connect.py
 8e06682280fce062eef6174351bfebcb6040e19976acff9dc7b3699779783498  lib/request/direct.py
 cf019248253a5d7edb7bc474aa020b9e8625d73008a463c56ba2b539d7f2d8ec  lib/request/dns.py
 92c81cc31ff4a396723242058fb2152c9e9745f8412d01ea74480b048a53af6c  lib/request/httpshandler.py
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index 1770e751c..69d515f12 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -437,7 +437,7 @@ def start():
                 continue
 
             if conf.rParam and kb.originalPage:
-                kb.randomPool = dict([_ for _ in kb.randomPool.items() if isinstance(_[1], list)])
+                kb.randomPool = dict(_ for _ in kb.randomPool.items() if isinstance(_[1], list))
 
                 for match in re.finditer(r"(?si)<select[^>]+\bname\s*=\s*[\"']([^\"']+)(.+?)</select>", kb.originalPage):
                     name, _ = match.groups()
diff --git a/lib/core/settings.py b/lib/core/settings.py
index fc9b9addb..7772bb7eb 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.4.0"
+VERSION = "1.10.4.1"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/request/connect.py b/lib/request/connect.py
index 4d8024c34..3a830aef9 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -640,7 +640,7 @@ class Connect(object):
                         conn._read_buffer = conn.read()
                         conn._read_offset = 0
 
-                        requestMsg = re.sub(" HTTP/[0-9.]+\r\n", " %s\r\n" % conn.http_version, requestMsg, count=1)
+                        requestMsg = re.sub(r" HTTP/[0-9.]+\r\n", " %s\r\n" % conn.http_version, requestMsg, count=1)
 
                         if not multipart:
                             threadData.lastRequestMsg = requestMsg

From 608412907a352240f1dd07fe4be1bd74074b696b Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Wed, 15 Apr 2026 19:18:30 +0200
Subject: [PATCH 02/17] Implementing safe(r) pickle loads

---
 data/txt/sha256sums.txt |  4 ++--
 lib/core/patch.py       | 35 +++++++++++++++++++++++++++++++++++
 lib/core/settings.py    |  2 +-
 3 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index c803eafd4..93359233c 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -182,13 +182,13 @@ a033f92d136c707a25927c2383125ddb004d4283db62c004dcd67c3fc242bb1c  lib/core/dump.
 914a13ee21fd610a6153a37cbe50830fcbd1324c7ebc1e7fc206d5e598b0f7ad  lib/core/log.py
 67ea32c993cbf23cdbd5170360c020ca33363b7c516ff3f8da4124ef7cb0254d  lib/core/optiondict.py
 d75baf80690f08f80d605a42f675eaca9c26d7b1cbb47f5ddf7d36a47c4b640b  lib/core/option.py
-d9b37177efcaba035c7fabe7d015a3b63d9cfe502bb4998ff71e47f825eeaaca  lib/core/patch.py
+789320dcb3f93137d3065080ee98429280bf10b20b66a1c08d3fcc1747b30d94  lib/core/patch.py
 49c0fa7e3814dfda610d665ee02b12df299b28bc0b6773815b4395514ddf8dec  lib/core/profiling.py
 03db48f02c3d07a047ddb8fe33a757b6238867352d8ddda2a83e4fec09a98d04  lib/core/readlineng.py
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-6b00dc765817f848de768ccb25831ec8a5d310c01adda6dcf1eaef36be742594  lib/core/settings.py
+660dc65807eb1b660d3f4f7b154a1bf44d3841bf7dc1ad68ecb32d1dca354cf2  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
diff --git a/lib/core/patch.py b/lib/core/patch.py
index 27d790a6f..55ac8d3f1 100644
--- a/lib/core/patch.py
+++ b/lib/core/patch.py
@@ -178,6 +178,41 @@ def dirtyPatches():
         et.parse = _safe_parse
         et._patched = True
 
+    import io
+    import pickle
+    if not getattr(pickle, "_patched", False):
+        class RestrictedUnpickler(pickle.Unpickler):
+            def find_class(self, module, name):
+                # blacklist for OS-level execution modules
+                if module in ("os", "subprocess", "sys", "posix", "nt", "pty", "commands", "shutil"):
+                    raise ValueError("Unpickling of module '%s' is forbidden" % module)
+
+                # Python 2/3 method resolution
+                if hasattr(pickle.Unpickler, "find_class"):
+                    return pickle.Unpickler.find_class(self, module, name)
+
+                __import__(module)
+                return getattr(sys.modules[module], name)
+
+        def _safe_loads(data):
+            try:
+                stream = io.BytesIO(data)
+            except TypeError:
+                stream = io.StringIO(data)
+
+            return RestrictedUnpickler(stream).load()
+
+        pickle.loads = _safe_loads
+        pickle._patched = True
+
+    try:
+        import cPickle
+        if not getattr(cPickle, "_patched", False):
+            cPickle.loads = pickle.loads
+            cPickle._patched = True
+    except ImportError:
+        pass
+
     try:
         import builtins
     except ImportError:
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 7772bb7eb..1eef72349 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.4.1"
+VERSION = "1.10.4.2"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

From 93cbbc237800b9fa240597fa75e2be83f6602202 Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Wed, 15 Apr 2026 19:27:35 +0200
Subject: [PATCH 03/17] Hiding --alert behind SQLMAP_UNSAFE_ALERT

---
 data/txt/sha256sums.txt | 4 ++--
 lib/core/option.py      | 7 +++++++
 lib/core/settings.py    | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index 93359233c..c304d3e88 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -181,14 +181,14 @@ a033f92d136c707a25927c2383125ddb004d4283db62c004dcd67c3fc242bb1c  lib/core/dump.
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/core/__init__.py
 914a13ee21fd610a6153a37cbe50830fcbd1324c7ebc1e7fc206d5e598b0f7ad  lib/core/log.py
 67ea32c993cbf23cdbd5170360c020ca33363b7c516ff3f8da4124ef7cb0254d  lib/core/optiondict.py
-d75baf80690f08f80d605a42f675eaca9c26d7b1cbb47f5ddf7d36a47c4b640b  lib/core/option.py
+226c01e46050ff48122df682f713565509a386e58d06cc43da59d028e0afc2fd  lib/core/option.py
 789320dcb3f93137d3065080ee98429280bf10b20b66a1c08d3fcc1747b30d94  lib/core/patch.py
 49c0fa7e3814dfda610d665ee02b12df299b28bc0b6773815b4395514ddf8dec  lib/core/profiling.py
 03db48f02c3d07a047ddb8fe33a757b6238867352d8ddda2a83e4fec09a98d04  lib/core/readlineng.py
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-660dc65807eb1b660d3f4f7b154a1bf44d3841bf7dc1ad68ecb32d1dca354cf2  lib/core/settings.py
+76823a75705cc63d0dde9cd680913626536fbc6989b932fd191cd379ab2aaefb  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
diff --git a/lib/core/option.py b/lib/core/option.py
index fd3103fa0..dfaf3653e 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -2671,6 +2671,13 @@ def _basicOptionValidation():
         errMsg = "switch '--dump' is incompatible with switch '--search'"
         raise SqlmapSyntaxException(errMsg)
 
+    if conf.alert and os.environ.get("SQLMAP_UNSAFE_ALERT") != '1':
+        errMsg = "for security reasons, to prevent execution of potentially malicious "
+        errMsg += "OS commands via configuration files or copy-paste attacks, "
+        errMsg += "the '--alert' option requires the environment variable "
+        errMsg += "'SQLMAP_UNSAFE_ALERT=1' to be explicitly set"
+        raise SqlmapSystemException(errMsg)
+
     if conf.chunked and not any((conf.data, conf.requestFile, conf.forms)):
         errMsg = "switch '--chunked' requires usage of (POST) options/switches '--data', '-r' or '--forms'"
         raise SqlmapSyntaxException(errMsg)
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 1eef72349..c26dc13e3 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.4.2"
+VERSION = "1.10.4.3"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

From 39b8ff4bec7c739973060835c3adaf7bac7447e4 Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Fri, 17 Apr 2026 10:42:01 +0200
Subject: [PATCH 04/17] Patch for #6049

---
 data/txt/sha256sums.txt | 4 ++--
 lib/core/settings.py    | 2 +-
 lib/request/connect.py  | 4 ++++
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index c304d3e88..8427aaee4 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -188,7 +188,7 @@ a033f92d136c707a25927c2383125ddb004d4283db62c004dcd67c3fc242bb1c  lib/core/dump.
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-76823a75705cc63d0dde9cd680913626536fbc6989b932fd191cd379ab2aaefb  lib/core/settings.py
+9af9eabb33938e0c1fed05afa5699fab047b3cb0ab7c61fc2d471ee41df1d4dd  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
@@ -211,7 +211,7 @@ d2e771cdacef25ee3fdc0e0355b92e7cd1b68f5edc2756ffc19f75d183ba2c73  lib/parse/payl
 1d5972aba14e4e340e3dde4f1d39a671020187fb759f435ba8b7f522dd4498fa  lib/request/basic.py
 bc61bc944b81a7670884f82231033a6ac703324b34b071c9834886a92e249d0e  lib/request/chunkedhandler.py
 09c2d8786fb5280f5f14a7b4345ecb2e7c2ca836ee06a6cf9b51770df923d94c  lib/request/comparison.py
-6091ddc3e349f9c8d5280c54a79f39cdc9b52c9b21da14ae76091f9e7c2587d9  lib/request/connect.py
+86bfe2cef8d3fcdbadf3adc427f593ec638cf8953a37c68dd17691741bf9a950  lib/request/connect.py
 8e06682280fce062eef6174351bfebcb6040e19976acff9dc7b3699779783498  lib/request/direct.py
 cf019248253a5d7edb7bc474aa020b9e8625d73008a463c56ba2b539d7f2d8ec  lib/request/dns.py
 92c81cc31ff4a396723242058fb2152c9e9745f8412d01ea74480b048a53af6c  lib/request/httpshandler.py
diff --git a/lib/core/settings.py b/lib/core/settings.py
index c26dc13e3..7d3898b75 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.4.3"
+VERSION = "1.10.4.4"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/request/connect.py b/lib/request/connect.py
index 3a830aef9..dbca1977d 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -561,6 +561,10 @@ class Connect(object):
             else:
                 post = getBytes(post)
 
+                # Reference: https://github.com/sqlmapproject/sqlmap/issues/6049
+                if cmdLineOptions.method is None and method == HTTPMETHOD.GET and post == b"":
+                    post = None
+
                 if unArrayizeValue(conf.base64Parameter) == HTTPMETHOD.POST:
                     if kb.place != HTTPMETHOD.POST:
                         conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)

From fdf6673dbbec5a6c12500c3d9ac9d00071466abf Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Thu, 23 Apr 2026 16:02:06 +0200
Subject: [PATCH 05/17] Dealing with some pesky issues

---
 data/txt/sha256sums.txt |  4 ++--
 lib/core/dump.py        | 27 +++++++++++++--------------
 lib/core/settings.py    |  2 +-
 3 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index 8427aaee4..f518afe24 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -175,7 +175,7 @@ c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6  lib/core/data.
 70fb2528e580b22564899595b0dff6b1bc257c6a99d2022ce3996a3d04e68e4e  lib/core/decorators.py
 147823c37596bd6a56d677697781f34b8d1d1671d5a2518fbc9468d623c6d07d  lib/core/defaults.py
 2f44a1bfe6f18aafe64147b99e69aa93cf438c0e7befe59f4e2aee9065c8b7b6  lib/core/dicts.py
-a033f92d136c707a25927c2383125ddb004d4283db62c004dcd67c3fc242bb1c  lib/core/dump.py
+ccd3b414727ef75f5d533f9518198b61322781f3ee53a86643763e029b2874c0  lib/core/dump.py
 23e33f0b457e2a7114c9171ba9b42e1751b71ee3f384bba7fad39e4490adb803  lib/core/enums.py
 5387168e5dfedd94ae22af7bb255f27d6baaca50b24179c6b98f4f325f5cc7b4  lib/core/exception.py
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/core/__init__.py
@@ -188,7 +188,7 @@ a033f92d136c707a25927c2383125ddb004d4283db62c004dcd67c3fc242bb1c  lib/core/dump.
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-9af9eabb33938e0c1fed05afa5699fab047b3cb0ab7c61fc2d471ee41df1d4dd  lib/core/settings.py
+f27a2b0fc084f321c802056cdd7c9cfdc776fcc728553f1cb0db3f67c88a3671  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
diff --git a/lib/core/dump.py b/lib/core/dump.py
index aa50ae07c..26d505690 100644
--- a/lib/core/dump.py
+++ b/lib/core/dump.py
@@ -410,14 +410,17 @@ class Dump(object):
             db = "All"
         table = tableValues["__infos__"]["table"]
 
+        safeDb = re.sub(r"[^\w]", UNSAFE_DUMP_FILEPATH_REPLACEMENT, unsafeSQLIdentificatorNaming(db))
+        safeTable = re.sub(r"[^\w]", UNSAFE_DUMP_FILEPATH_REPLACEMENT, unsafeSQLIdentificatorNaming(table))
+
         if conf.api:
             self._write(tableValues, content_type=CONTENT_TYPE.DUMP_TABLE)
 
         try:
-            dumpDbPath = os.path.join(conf.dumpPath, unsafeSQLIdentificatorNaming(db))
+            dumpDbPath = os.path.join(conf.dumpPath, safeDb)
         except UnicodeError:
             try:
-                dumpDbPath = os.path.join(conf.dumpPath, normalizeUnicode(unsafeSQLIdentificatorNaming(db)))
+                dumpDbPath = os.path.join(conf.dumpPath, normalizeUnicode(safeDb))
             except (UnicodeError, OSError):
                 tempDir = tempfile.mkdtemp(prefix="sqlmapdb")
                 warnMsg = "currently unable to use regular dump directory. "
@@ -427,16 +430,14 @@ class Dump(object):
                 dumpDbPath = tempDir
 
         if conf.dumpFormat == DUMP_FORMAT.SQLITE:
-            replication = Replication(os.path.join(conf.dumpPath, "%s.sqlite3" % unsafeSQLIdentificatorNaming(db)))
+            replication = Replication(os.path.join(conf.dumpPath, "%s.sqlite3" % safeDb))
         elif conf.dumpFormat in (DUMP_FORMAT.CSV, DUMP_FORMAT.HTML):
             if not os.path.isdir(dumpDbPath):
                 try:
                     os.makedirs(dumpDbPath)
                 except:
                     warnFile = True
-
-                    _ = re.sub(r"[^\w]", UNSAFE_DUMP_FILEPATH_REPLACEMENT, unsafeSQLIdentificatorNaming(db))
-                    dumpDbPath = os.path.join(conf.dumpPath, "%s-%s" % (_, hashlib.md5(getBytes(db)).hexdigest()[:8]))
+                    dumpDbPath = os.path.join(conf.dumpPath, "%s-%s" % (safeDb, hashlib.md5(getBytes(db)).hexdigest()[:8]))
 
                     if not os.path.isdir(dumpDbPath):
                         try:
@@ -450,7 +451,8 @@ class Dump(object):
 
                             dumpDbPath = tempDir
 
-            dumpFileName = conf.dumpFile or os.path.join(dumpDbPath, re.sub(r'[\\/]', UNSAFE_DUMP_FILEPATH_REPLACEMENT, "%s.%s" % (unsafeSQLIdentificatorNaming(table), conf.dumpFormat.lower())))
+            dumpFileName = conf.dumpFile or os.path.join(dumpDbPath, "%s.%s" % (safeTable, conf.dumpFormat.lower()))
+
             if not checkFile(dumpFileName, False):
                 try:
                     openFile(dumpFileName, "w+").close()
@@ -458,13 +460,10 @@ class Dump(object):
                     raise
                 except:
                     warnFile = True
-
-                    _ = re.sub(r"[^\w]", UNSAFE_DUMP_FILEPATH_REPLACEMENT, normalizeUnicode(unsafeSQLIdentificatorNaming(table)))
-                    if len(_) < len(table) or IS_WIN and table.upper() in WINDOWS_RESERVED_NAMES:
-                        _ = re.sub(r"[^\w]", UNSAFE_DUMP_FILEPATH_REPLACEMENT, unsafeSQLIdentificatorNaming(table))
-                        dumpFileName = os.path.join(dumpDbPath, "%s-%s.%s" % (_, hashlib.md5(getBytes(table)).hexdigest()[:8], conf.dumpFormat.lower()))
+                    if IS_WIN and safeTable.upper() in WINDOWS_RESERVED_NAMES:
+                        dumpFileName = os.path.join(dumpDbPath, "%s-%s.%s" % (safeTable, hashlib.md5(getBytes(table)).hexdigest()[:8], conf.dumpFormat.lower()))
                     else:
-                        dumpFileName = os.path.join(dumpDbPath, "%s.%s" % (_, conf.dumpFormat.lower()))
+                        dumpFileName = os.path.join(dumpDbPath, "%s.%s" % (safeTable, conf.dumpFormat.lower()))
             else:
                 appendToFile = any((conf.limitStart, conf.limitStop))
 
@@ -548,7 +547,7 @@ class Dump(object):
             dataToDumpFile(dumpFP, "<!DOCTYPE html>\n<html>\n<head>\n")
             dataToDumpFile(dumpFP, "<meta http-equiv=\"Content-type\" content=\"text/html;charset=%s\">\n" % UNICODE_ENCODING)
             dataToDumpFile(dumpFP, "<meta name=\"generator\" content=\"%s\" />\n" % VERSION_STRING)
-            dataToDumpFile(dumpFP, "<title>%s</title>\n" % ("%s%s" % ("%s." % db if METADB_SUFFIX not in db else "", table)))
+            dataToDumpFile(dumpFP, "<title>%s</title>\n" % ("%s%s" % ("%s." % db if METADB_SUFFIX not in db else "", table)).replace("<", ""))
             dataToDumpFile(dumpFP, HTML_DUMP_CSS_STYLE)
             dataToDumpFile(dumpFP, "\n</head>\n<body>\n<table>\n<thead>\n<tr>\n")
 
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 7d3898b75..7cf0f965e 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.4.4"
+VERSION = "1.10.4.5"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

From 3cec18f323595e9c3378e5741b5a4a132cfe8fd6 Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Thu, 23 Apr 2026 16:12:43 +0200
Subject: [PATCH 06/17] Expanding RESTAPI_UNSUPPORTED_OPTIONS

---
 data/txt/sha256sums.txt | 2 +-
 lib/core/settings.py    | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index f518afe24..c53944e82 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -188,7 +188,7 @@ ccd3b414727ef75f5d533f9518198b61322781f3ee53a86643763e029b2874c0  lib/core/dump.
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-f27a2b0fc084f321c802056cdd7c9cfdc776fcc728553f1cb0db3f67c88a3671  lib/core/settings.py
+734c47be9240b70dc23a65bad724cb532553bc718a29709edb19979cbc4317fe  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 7cf0f965e..67e6db8c0 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.4.5"
+VERSION = "1.10.4.6"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -847,7 +847,7 @@ RESTAPI_DEFAULT_ADDRESS = "127.0.0.1"
 RESTAPI_DEFAULT_PORT = 8775
 
 # Unsupported options by REST-JSON API server
-RESTAPI_UNSUPPORTED_OPTIONS = ("sqlShell", "wizard")
+RESTAPI_UNSUPPORTED_OPTIONS = ("sqlShell", "wizard", "evalCode", "alert")
 
 # Use "Supplementary Private Use Area-A"
 INVALID_UNICODE_PRIVATE_AREA = False

From 2b2796d85904d4dd8695c3e6afd9ef1b594a101f Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Thu, 23 Apr 2026 16:15:04 +0200
Subject: [PATCH 07/17] Minor expansion of blacklisted pickle methods

---
 data/txt/sha256sums.txt | 4 ++--
 lib/core/patch.py       | 2 +-
 lib/core/settings.py    | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index c53944e82..3a9b58d88 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -182,13 +182,13 @@ ccd3b414727ef75f5d533f9518198b61322781f3ee53a86643763e029b2874c0  lib/core/dump.
 914a13ee21fd610a6153a37cbe50830fcbd1324c7ebc1e7fc206d5e598b0f7ad  lib/core/log.py
 67ea32c993cbf23cdbd5170360c020ca33363b7c516ff3f8da4124ef7cb0254d  lib/core/optiondict.py
 226c01e46050ff48122df682f713565509a386e58d06cc43da59d028e0afc2fd  lib/core/option.py
-789320dcb3f93137d3065080ee98429280bf10b20b66a1c08d3fcc1747b30d94  lib/core/patch.py
+54113711fbc1be29460eb287674965f1302161763842861a9dd85a4fcdaf221c  lib/core/patch.py
 49c0fa7e3814dfda610d665ee02b12df299b28bc0b6773815b4395514ddf8dec  lib/core/profiling.py
 03db48f02c3d07a047ddb8fe33a757b6238867352d8ddda2a83e4fec09a98d04  lib/core/readlineng.py
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-734c47be9240b70dc23a65bad724cb532553bc718a29709edb19979cbc4317fe  lib/core/settings.py
+17d9a01be01b5e4e750fe4dc6ef339bc3b20e23c8f9c9516ab322fd601c8d865  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
diff --git a/lib/core/patch.py b/lib/core/patch.py
index 55ac8d3f1..5ef5783d1 100644
--- a/lib/core/patch.py
+++ b/lib/core/patch.py
@@ -184,7 +184,7 @@ def dirtyPatches():
         class RestrictedUnpickler(pickle.Unpickler):
             def find_class(self, module, name):
                 # blacklist for OS-level execution modules
-                if module in ("os", "subprocess", "sys", "posix", "nt", "pty", "commands", "shutil"):
+                if module in ("os", "subprocess", "sys", "posix", "nt", "pty", "commands", "shutil", "builtins", "__builtin__"):
                     raise ValueError("Unpickling of module '%s' is forbidden" % module)
 
                 # Python 2/3 method resolution
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 67e6db8c0..ac7bf442b 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.4.6"
+VERSION = "1.10.4.7"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

From 5e5629cd7a50f4a05295f6cd84694147ab98dc50 Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Thu, 23 Apr 2026 16:21:02 +0200
Subject: [PATCH 08/17] Revert of last commit

---
 data/txt/sha256sums.txt | 4 ++--
 lib/core/patch.py       | 2 +-
 lib/core/settings.py    | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index 3a9b58d88..ff6e30915 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -182,13 +182,13 @@ ccd3b414727ef75f5d533f9518198b61322781f3ee53a86643763e029b2874c0  lib/core/dump.
 914a13ee21fd610a6153a37cbe50830fcbd1324c7ebc1e7fc206d5e598b0f7ad  lib/core/log.py
 67ea32c993cbf23cdbd5170360c020ca33363b7c516ff3f8da4124ef7cb0254d  lib/core/optiondict.py
 226c01e46050ff48122df682f713565509a386e58d06cc43da59d028e0afc2fd  lib/core/option.py
-54113711fbc1be29460eb287674965f1302161763842861a9dd85a4fcdaf221c  lib/core/patch.py
+789320dcb3f93137d3065080ee98429280bf10b20b66a1c08d3fcc1747b30d94  lib/core/patch.py
 49c0fa7e3814dfda610d665ee02b12df299b28bc0b6773815b4395514ddf8dec  lib/core/profiling.py
 03db48f02c3d07a047ddb8fe33a757b6238867352d8ddda2a83e4fec09a98d04  lib/core/readlineng.py
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-17d9a01be01b5e4e750fe4dc6ef339bc3b20e23c8f9c9516ab322fd601c8d865  lib/core/settings.py
+f8db5d72cb41479e3f656245698b8381cb27d85429d828c258febbe66f8feb58  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
diff --git a/lib/core/patch.py b/lib/core/patch.py
index 5ef5783d1..55ac8d3f1 100644
--- a/lib/core/patch.py
+++ b/lib/core/patch.py
@@ -184,7 +184,7 @@ def dirtyPatches():
         class RestrictedUnpickler(pickle.Unpickler):
             def find_class(self, module, name):
                 # blacklist for OS-level execution modules
-                if module in ("os", "subprocess", "sys", "posix", "nt", "pty", "commands", "shutil", "builtins", "__builtin__"):
+                if module in ("os", "subprocess", "sys", "posix", "nt", "pty", "commands", "shutil"):
                     raise ValueError("Unpickling of module '%s' is forbidden" % module)
 
                 # Python 2/3 method resolution
diff --git a/lib/core/settings.py b/lib/core/settings.py
index ac7bf442b..b260f3c86 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.4.7"
+VERSION = "1.10.4.8"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

From dec5a8207734a72f76196abb5e1a79cb1a1189c9 Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Thu, 23 Apr 2026 16:23:59 +0200
Subject: [PATCH 09/17] Adding 'safe string cmp' to API

---
 data/txt/sha256sums.txt |  6 +++---
 lib/core/common.py      | 26 ++++++++++++++++++++++++++
 lib/core/settings.py    |  2 +-
 lib/utils/api.py        |  2 +-
 4 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index ff6e30915..07a945bdf 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -167,7 +167,7 @@ d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f  lib/controller
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/controller/__init__.py
 9e694e4864d865c5da745aaf9d35da885eff697a9a0f7b37c3e85d47b4378f64  lib/core/agent.py
 b13462712ec5ac07541dba98631ddcda279d210b838f363d15ac97a1413b67a2  lib/core/bigarray.py
-91a1257c761b560bf00c9b94a6838c6dcb7aef2a24c85eb8fd67a41b980c0d75  lib/core/common.py
+03a144d63d7fdd2c0124f8b51e0af3e94455596153d11425d516bc13165f2962  lib/core/common.py
 a6397b10de7ae7c56ed6b0fa3b3c58eb7a9dbede61bf93d786e73258175c981e  lib/core/compat.py
 a9997e97ebe88e0bf7efcf21e878bc5f62c72348e5aba18f64d6861390a4dcf2  lib/core/convert.py
 c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6  lib/core/data.py
@@ -188,7 +188,7 @@ ccd3b414727ef75f5d533f9518198b61322781f3ee53a86643763e029b2874c0  lib/core/dump.
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-f8db5d72cb41479e3f656245698b8381cb27d85429d828c258febbe66f8feb58  lib/core/settings.py
+529ef1798ed4c1bcd80dd2b349798b0df2aba80c259fbcc1923f4536abbf0d47  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
@@ -241,7 +241,7 @@ f552b6140d4069be6a44792a08f295da8adabc1c4bb6a5e100f222f87144ca9d  lib/techniques
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/techniques/union/__init__.py
 30cae858e2a5a75b40854399f65ad074e6bb808d56d5ee66b94d4002dc6e101b  lib/techniques/union/test.py
 a8a795f29ec6fd66482926f04b054ed492a033982c3b7837c5d2ea32368acec0  lib/techniques/union/use.py
-67dff80a17503b91c8ff93788ccc037b6695aa18b0793894b42488cbb21c4c83  lib/utils/api.py
+f8c30ed8e79f93a6b5535e2d8977b9c10bdc10142418760213f8a2548bf199ad  lib/utils/api.py
 ea5e14f8c9d74b0fb17026b14e3fb70ee90e4046e51ab2c16652d86b3ca9b949  lib/utils/brute.py
 da5bcbcda3f667582adf5db8c1b5d511b469ac61b55d387cec66de35720ed718  lib/utils/crawler.py
 a94958be0ec3e9d28d8171813a6a90655a9ad7e6aa33c661e8d8ebbfcf208dbb  lib/utils/deps.py
diff --git a/lib/core/common.py b/lib/core/common.py
index 974c7320b..994a77df8 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -13,6 +13,7 @@ import contextlib
 import copy
 import functools
 import getpass
+import hmac
 import hashlib
 import inspect
 import io
@@ -5654,3 +5655,28 @@ def checkSums():
                     break
 
     return retVal
+
+def safeCompareStrings(a, b):
+    """
+    Constant-time string comparison to prevent timing attacks.
+    >>> safeCompareStrings("test", "test")
+    True
+    >>> safeCompareStrings("test", None)
+    False
+    >>> safeCompareStrings("test1", "test2")
+    False
+    """
+    if a is None or b is None:
+        return a == b
+
+    if hasattr(hmac, "compare_digest"):
+        return hmac.compare_digest(a, b)
+
+    # Fallback for Python < 2.7.7 and < 3.3
+    if len(a) != len(b):
+        return False
+
+    result = 0
+    for x, y in zip(a, b):
+        result |= ord(x) ^ ord(y)
+    return result == 0
diff --git a/lib/core/settings.py b/lib/core/settings.py
index b260f3c86..0d109e111 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.4.8"
+VERSION = "1.10.4.9"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/utils/api.py b/lib/utils/api.py
index b0242b3ad..911347ec8 100644
--- a/lib/utils/api.py
+++ b/lib/utils/api.py
@@ -293,7 +293,7 @@ def setRestAPILog():
 
 # Generic functions
 def is_admin(token):
-    return DataStore.admin_token == token
+    return safeCompareStrings(DataStore.admin_token, token)
 
 @hook('before_request')
 def check_authentication():

From 09aaa9b847b96d5ab86e20628f67aeab5ee231f5 Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Thu, 23 Apr 2026 16:28:31 +0200
Subject: [PATCH 10/17] Implementing SQLMAP_UNSAFE_EVAL

---
 data/txt/sha256sums.txt | 4 ++--
 lib/core/option.py      | 7 +++++++
 lib/core/settings.py    | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index 07a945bdf..39f5810a9 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -181,14 +181,14 @@ ccd3b414727ef75f5d533f9518198b61322781f3ee53a86643763e029b2874c0  lib/core/dump.
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/core/__init__.py
 914a13ee21fd610a6153a37cbe50830fcbd1324c7ebc1e7fc206d5e598b0f7ad  lib/core/log.py
 67ea32c993cbf23cdbd5170360c020ca33363b7c516ff3f8da4124ef7cb0254d  lib/core/optiondict.py
-226c01e46050ff48122df682f713565509a386e58d06cc43da59d028e0afc2fd  lib/core/option.py
+d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9  lib/core/option.py
 789320dcb3f93137d3065080ee98429280bf10b20b66a1c08d3fcc1747b30d94  lib/core/patch.py
 49c0fa7e3814dfda610d665ee02b12df299b28bc0b6773815b4395514ddf8dec  lib/core/profiling.py
 03db48f02c3d07a047ddb8fe33a757b6238867352d8ddda2a83e4fec09a98d04  lib/core/readlineng.py
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-529ef1798ed4c1bcd80dd2b349798b0df2aba80c259fbcc1923f4536abbf0d47  lib/core/settings.py
+d69d76b4d3fe797dd5c65faeff3c51c288dbdc1eb322d3b301e12014487127fe  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
diff --git a/lib/core/option.py b/lib/core/option.py
index dfaf3653e..749ecdc94 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -2678,6 +2678,13 @@ def _basicOptionValidation():
         errMsg += "'SQLMAP_UNSAFE_ALERT=1' to be explicitly set"
         raise SqlmapSystemException(errMsg)
 
+    if conf.evalCode and os.environ.get("SQLMAP_UNSAFE_EVAL") != '1':
+        errMsg = "for security reasons, to prevent execution of potentially malicious "
+        errMsg += "Python code via configuration files or copy-paste attacks, "
+        errMsg += "the '--eval' option requires the environment variable "
+        errMsg += "'SQLMAP_UNSAFE_EVAL=1' to be explicitly set"
+        raise SqlmapSystemException(errMsg)
+
     if conf.chunked and not any((conf.data, conf.requestFile, conf.forms)):
         errMsg = "switch '--chunked' requires usage of (POST) options/switches '--data', '-r' or '--forms'"
         raise SqlmapSyntaxException(errMsg)
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 0d109e111..375d26907 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.4.9"
+VERSION = "1.10.4.10"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

From e40a9a3b87ce0ee05614ac5f6e4d2707215b0660 Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Thu, 23 Apr 2026 16:40:11 +0200
Subject: [PATCH 11/17] Fixing the CI/CD

---
 data/txt/sha256sums.txt | 4 ++--
 lib/core/settings.py    | 2 +-
 lib/core/testing.py     | 2 ++
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index 39f5810a9..591ef72ca 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -188,11 +188,11 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9  lib/core/optio
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-d69d76b4d3fe797dd5c65faeff3c51c288dbdc1eb322d3b301e12014487127fe  lib/core/settings.py
+6100d11481db84a8942f451b2292a6ff14ae34c0f1132df23ed90975da5a1180  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
-ddf8c5a3dbebd6cdf8b8ba4417e36652d1e040f025175cb6487f1aebc0208836  lib/core/testing.py
+7f7d1c57917f6ccc98e2ef093e2fa4cb6424d904c772b61003d5a5a3482a848f  lib/core/testing.py
 b5b65f018d6ef4b1ceeebbc50d372e07d4733267c9f3f4b13062efd065e847b6  lib/core/threads.py
 b9aacb840310173202f79c2ba125b0243003ee6b44c92eca50424f2bdfc83c02  lib/core/unescaper.py
 10719f5ca450610ad28242017b2d8a77354ca357ffa26948c5f62d20cac29a8b  lib/core/update.py
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 375d26907..29971ff20 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.4.10"
+VERSION = "1.10.4.11"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/core/testing.py b/lib/core/testing.py
index a8d318268..6d0a9849e 100644
--- a/lib/core/testing.py
+++ b/lib/core/testing.py
@@ -199,6 +199,8 @@ def vulnTest():
             os.close(handle)
             cmd = cmd.replace("<tmpfile>", tmp)
 
+        os.environ["SQLMAP_UNSAFE_EVAL"] = '1'
+
         output = shellExec(cmd)
 
         if not all((check in output if not check.startswith('~') else check[1:] not in output) for check in checks) or "unhandled exception" in output:

From cc74bdfbad2f2218bc7ae007717440ee04694275 Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Fri, 24 Apr 2026 20:21:41 +0200
Subject: [PATCH 12/17] Update of settings for exception reporting

---
 data/txt/sha256sums.txt | 2 +-
 lib/core/settings.py    | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index 591ef72ca..0706c8d98 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9  lib/core/optio
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-6100d11481db84a8942f451b2292a6ff14ae34c0f1132df23ed90975da5a1180  lib/core/settings.py
+8715101dc53c62468a24de12c55a807ec923ca7e5fe98fdf42a6b5f8f06a2477  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 29971ff20..2f707c5f0 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.4.11"
+VERSION = "1.10.4.12"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -712,7 +712,7 @@ DEFAULT_COOKIE_DELIMITER = ';'
 FORCE_COOKIE_EXPIRATION_TIME = "9999999999"
 
 # Github OAuth token used for creating an automatic Issue for unhandled exceptions
-GITHUB_REPORT_OAUTH_TOKEN = "wxqc7vTeW8ohIcX+1wK55Mnql2Ex9cP+2s1dqTr/mjlZJVfLnq24fMAi08v5vRvOmuhVZQdOT/lhIRovWvIJrdECD1ud8VMPWpxY+NmjHoEx+VLK1/vCAUBwJe"
+GITHUB_REPORT_OAUTH_TOKEN = "0EZh0n8npcacTH4oBcdKKWvfZLcdGWx0N5XFHD2xYaQDOkmI9LWaeDvZRZUMDz8l96RDH3+LVsbwGE5zUtaau0kld9VXG20fVbYES3ooFpNv+U9J5OTnaT2OlZcYzk4w5veT+GiHV5cuCngOJ6QgL1+qRpZDX1gzFecXbm2sNfQ2SGjT5McQe1mtxMTN7WsS1fQfPH+RhMUgbnwXJ5YG6EsBNZWOyk0C16QnekrVtuQpK0/ZVvU560uQhoMsP1/FBguBwJe"
 
 # Flush HashDB threshold number of cached items
 HASHDB_FLUSH_THRESHOLD_ITEMS = 200

From 41330aa3b7ab462e7145c900dc95f246f5ae78d7 Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Fri, 24 Apr 2026 20:50:59 +0200
Subject: [PATCH 13/17] Making stuff boring for P3 lurkers

---
 data/txt/sha256sums.txt | 4 ++--
 lib/core/common.py      | 4 ++--
 lib/core/settings.py    | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index 0706c8d98..b19c23fbe 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -167,7 +167,7 @@ d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f  lib/controller
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/controller/__init__.py
 9e694e4864d865c5da745aaf9d35da885eff697a9a0f7b37c3e85d47b4378f64  lib/core/agent.py
 b13462712ec5ac07541dba98631ddcda279d210b838f363d15ac97a1413b67a2  lib/core/bigarray.py
-03a144d63d7fdd2c0124f8b51e0af3e94455596153d11425d516bc13165f2962  lib/core/common.py
+c265eb478d912aba53ebd1d93de2646a7738b7a0e621a2c38a35f0ba897d3db6  lib/core/common.py
 a6397b10de7ae7c56ed6b0fa3b3c58eb7a9dbede61bf93d786e73258175c981e  lib/core/compat.py
 a9997e97ebe88e0bf7efcf21e878bc5f62c72348e5aba18f64d6861390a4dcf2  lib/core/convert.py
 c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6  lib/core/data.py
@@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9  lib/core/optio
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-8715101dc53c62468a24de12c55a807ec923ca7e5fe98fdf42a6b5f8f06a2477  lib/core/settings.py
+b9d9e12200b65a63d8893364b83ec5ae8ef5b6f3b9b2ea1bcddfdaaf6c6324ad  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
diff --git a/lib/core/common.py b/lib/core/common.py
index 994a77df8..a28abcb4f 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -131,7 +131,7 @@ from lib.core.settings import FORCE_COOKIE_EXPIRATION_TIME
 from lib.core.settings import FORM_SEARCH_REGEX
 from lib.core.settings import GENERIC_DOC_ROOT_DIRECTORY_NAMES
 from lib.core.settings import GIT_PAGE
-from lib.core.settings import GITHUB_REPORT_OAUTH_TOKEN
+from lib.core.settings import GITHUB_REPORT_PAT_TOKEN
 from lib.core.settings import GOOGLE_ANALYTICS_COOKIE_REGEX
 from lib.core.settings import HASHDB_MILESTONE_VALUE
 from lib.core.settings import HOST_ALIASES
@@ -4014,7 +4014,7 @@ def createGithubIssue(errMsg, excMsg):
             pass
 
         data = {"title": "Unhandled exception (#%s)" % key, "body": "```%s\n```\n```\n%s```" % (errMsg, excMsg)}
-        token = getText(zlib.decompress(decodeBase64(GITHUB_REPORT_OAUTH_TOKEN[::-1], binary=True))[0::2][::-1])
+        token = getText(zlib.decompress(decodeBase64(GITHUB_REPORT_PAT_TOKEN[::-1], binary=True))[0::2][::-1])
         req = _urllib.request.Request(url="https://api.github.com/repos/sqlmapproject/sqlmap/issues", data=getBytes(json.dumps(data)), headers={HTTP_HEADER.AUTHORIZATION: "token %s" % token, HTTP_HEADER.USER_AGENT: fetchRandomAgent()})
 
         try:
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 2f707c5f0..6c0137c11 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.4.12"
+VERSION = "1.10.4.13"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -711,8 +711,8 @@ DEFAULT_COOKIE_DELIMITER = ';'
 # Unix timestamp used for forcing cookie expiration when provided with --load-cookies
 FORCE_COOKIE_EXPIRATION_TIME = "9999999999"
 
-# Github OAuth token used for creating an automatic Issue for unhandled exceptions
-GITHUB_REPORT_OAUTH_TOKEN = "0EZh0n8npcacTH4oBcdKKWvfZLcdGWx0N5XFHD2xYaQDOkmI9LWaeDvZRZUMDz8l96RDH3+LVsbwGE5zUtaau0kld9VXG20fVbYES3ooFpNv+U9J5OTnaT2OlZcYzk4w5veT+GiHV5cuCngOJ6QgL1+qRpZDX1gzFecXbm2sNfQ2SGjT5McQe1mtxMTN7WsS1fQfPH+RhMUgbnwXJ5YG6EsBNZWOyk0C16QnekrVtuQpK0/ZVvU560uQhoMsP1/FBguBwJe"
+# Restricted PAT token for automated crash reporting (last rotation: 2026-04-24)
+GITHUB_REPORT_PAT_TOKEN = "0EZh0n8npcacTH4oBcdKKWvfZLcdGWx0N5XFHD2xYaQDOkmI9LWaeDvZRZUMDz8l96RDH3+LVsbwGE5zUtaau0kld9VXG20fVbYES3ooFpNv+U9J5OTnaT2OlZcYzk4w5veT+GiHV5cuCngOJ6QgL1+qRpZDX1gzFecXbm2sNfQ2SGjT5McQe1mtxMTN7WsS1fQfPH+RhMUgbnwXJ5YG6EsBNZWOyk0C16QnekrVtuQpK0/ZVvU560uQhoMsP1/FBguBwJe"
 
 # Flush HashDB threshold number of cached items
 HASHDB_FLUSH_THRESHOLD_ITEMS = 200

From 4489b2c0d2fc23d09759147d932da89bdef251cf Mon Sep 17 00:00:00 2001
From: Pierre <pierre@droids-corp.org>
Date: Sat, 2 May 2026 08:53:37 +0200
Subject: [PATCH 14/17] fix: add missing import in lib.utils.api (#6055)

---
 lib/utils/api.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/utils/api.py b/lib/utils/api.py
index 911347ec8..5e5bc61e8 100644
--- a/lib/utils/api.py
+++ b/lib/utils/api.py
@@ -23,6 +23,7 @@ import time
 from lib.core.common import dataToStdout
 from lib.core.common import getSafeExString
 from lib.core.common import openFile
+from lib.core.common import safeCompareStrings
 from lib.core.common import saveConfig
 from lib.core.common import setColor
 from lib.core.common import unArrayizeValue

From 026e5d05f44fdd954ccb85dc01dc09f98fabc51e Mon Sep 17 00:00:00 2001
From: ChrisJr404 <Sintation@gmail.com>
Date: Sat, 2 May 2026 02:57:16 -0400
Subject: [PATCH 15/17] Fix stdoutEncode mangling non-string values used by
 REST API (#6054) (#6056)

Co-authored-by: Chris (ChrisJr404) <11917633+ChrisJr404@users.noreply.github.com>
---
 lib/core/convert.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/core/convert.py b/lib/core/convert.py
index 0b4cddd73..c8286e3f3 100644
--- a/lib/core/convert.py
+++ b/lib/core/convert.py
@@ -412,6 +412,8 @@ def stdoutEncode(value):
     Returns textual representation of a given value safe for writing to stdout
     >>> stdoutEncode(b"foobar")
     'foobar'
+    >>> stdoutEncode({"url": "http://example.com/foo", "data": "id=1"}) == {"url": "http://example.com/foo", "data": "id=1"}
+    True
     """
 
     if value is None:
@@ -437,7 +439,11 @@ def stdoutEncode(value):
         if isinstance(value, (bytes, bytearray)):
             value = getUnicode(value, encoding)
         elif not isinstance(value, str):
-            value = str(value)
+            # Non-string values (e.g. dicts passed through the REST API path,
+            # where the overridden sys.stdout.write JSON-encodes the value)
+            # must be returned unchanged — stringifying them via str() yields
+            # Python repr() output that the API consumer cannot parse.
+            return value
 
         try:
             retVal = value.encode(encoding, errors="replace").decode(encoding, errors="replace")

From dfbba622fc49dc195c6ec06455043f6c912d94dd Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Sat, 2 May 2026 08:59:38 +0200
Subject: [PATCH 16/17] Minor update

---
 data/txt/sha256sums.txt | 6 +++---
 lib/core/convert.py     | 5 +----
 lib/core/settings.py    | 2 +-
 3 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index b19c23fbe..5a7ca3dfa 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -169,7 +169,7 @@ d69e84f1648cdb907f5d2dd454f03874a4613752b07867510145d51d84b3c56f  lib/controller
 b13462712ec5ac07541dba98631ddcda279d210b838f363d15ac97a1413b67a2  lib/core/bigarray.py
 c265eb478d912aba53ebd1d93de2646a7738b7a0e621a2c38a35f0ba897d3db6  lib/core/common.py
 a6397b10de7ae7c56ed6b0fa3b3c58eb7a9dbede61bf93d786e73258175c981e  lib/core/compat.py
-a9997e97ebe88e0bf7efcf21e878bc5f62c72348e5aba18f64d6861390a4dcf2  lib/core/convert.py
+461f2666d500f9a91210fec558e6ee68af61c752de5498490bc96c11b32a6b0a  lib/core/convert.py
 c03dc585f89642cfd81b087ac2723e3e1bb3bfa8c60e6f5fe58ef3b0113ebfe6  lib/core/data.py
 6acb645b1f285b21673c70824b03f6209acc5993b50e50da5ed2c713a30626f5  lib/core/datatype.py
 70fb2528e580b22564899595b0dff6b1bc257c6a99d2022ce3996a3d04e68e4e  lib/core/decorators.py
@@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9  lib/core/optio
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-b9d9e12200b65a63d8893364b83ec5ae8ef5b6f3b9b2ea1bcddfdaaf6c6324ad  lib/core/settings.py
+f65fc4590e23853f728f742019b5c5a9849a0c43ff1a20858771da3e21f493d9  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
@@ -241,7 +241,7 @@ f552b6140d4069be6a44792a08f295da8adabc1c4bb6a5e100f222f87144ca9d  lib/techniques
 1966ca704961fb987ab757f0a4afddbf841d1a880631b701487c75cef63d60c3  lib/techniques/union/__init__.py
 30cae858e2a5a75b40854399f65ad074e6bb808d56d5ee66b94d4002dc6e101b  lib/techniques/union/test.py
 a8a795f29ec6fd66482926f04b054ed492a033982c3b7837c5d2ea32368acec0  lib/techniques/union/use.py
-f8c30ed8e79f93a6b5535e2d8977b9c10bdc10142418760213f8a2548bf199ad  lib/utils/api.py
+f64f2e9df844061ff0b7b97907ac959e6e03c0eda4cbb273145985b90adc081d  lib/utils/api.py
 ea5e14f8c9d74b0fb17026b14e3fb70ee90e4046e51ab2c16652d86b3ca9b949  lib/utils/brute.py
 da5bcbcda3f667582adf5db8c1b5d511b469ac61b55d387cec66de35720ed718  lib/utils/crawler.py
 a94958be0ec3e9d28d8171813a6a90655a9ad7e6aa33c661e8d8ebbfcf208dbb  lib/utils/deps.py
diff --git a/lib/core/convert.py b/lib/core/convert.py
index c8286e3f3..3d24fb541 100644
--- a/lib/core/convert.py
+++ b/lib/core/convert.py
@@ -439,10 +439,7 @@ def stdoutEncode(value):
         if isinstance(value, (bytes, bytearray)):
             value = getUnicode(value, encoding)
         elif not isinstance(value, str):
-            # Non-string values (e.g. dicts passed through the REST API path,
-            # where the overridden sys.stdout.write JSON-encodes the value)
-            # must be returned unchanged — stringifying them via str() yields
-            # Python repr() output that the API consumer cannot parse.
+            # Reference: https://github.com/sqlmapproject/sqlmap/issues/6054
             return value
 
         try:
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 6c0137c11..87b5cebb5 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.4.13"
+VERSION = "1.10.5.0"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

From 1a6a5b12268a8f123f77446969872a78589a6e59 Mon Sep 17 00:00:00 2001
From: Your Name <miroslav.stampar@gmail.com>
Date: Fri, 8 May 2026 17:45:27 +0200
Subject: [PATCH 17/17] Fixes #6059

---
 data/txt/sha256sums.txt             | 4 ++--
 lib/core/settings.py                | 2 +-
 plugins/dbms/spanner/enumeration.py | 4 ++++
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index 5a7ca3dfa..4a6d510ed 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -188,7 +188,7 @@ d197388e8e2aabe19f2529bfcac780e18e22a905d01319080d7afe4cb2b1c4c9  lib/core/optio
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-f65fc4590e23853f728f742019b5c5a9849a0c43ff1a20858771da3e21f493d9  lib/core/settings.py
+399d2fb45efa471982eb1d43e4dfc8a965fbca2165f484e73c68071eebdbf267  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
@@ -440,7 +440,7 @@ b76606fe4dee18467bc0d19af1e6ab38c0b5593c6c0f2068a8d4c664d4bd71d8  plugins/dbms/r
 859cc5b9be496fe35f2782743f8e573ff9d823de7e99b0d32dbc250c361c653e  plugins/dbms/snowflake/syntax.py
 da43fed8bfa4a94aaceb63e760c69e9927c1640e45e457b8f03189be6604693f  plugins/dbms/snowflake/takeover.py
 0163ce14bfa49b7485ab430be1fa33366c9f516573a89d89120f812ffdbc0c83  plugins/dbms/spanner/connector.py
-6392bd210e740df6c21befc1c4f74cc88ab8ee8d774fd41c0389d132c11c745a  plugins/dbms/spanner/enumeration.py
+cb2c802d695d0b3bdc0769a2f767e58351c73a900db2ddb8f89f863bd5546947  plugins/dbms/spanner/enumeration.py
 672dc9b3d291aa4f5d6c4cbe364e92b92e19ee6de86f6d9b9a4dda7d5611b409  plugins/dbms/spanner/filesystem.py
 30f4caea09eb300a8b16ff2609960d165d8a7fa0f3034c345fea24002fea2670  plugins/dbms/spanner/fingerprint.py
 7c46a84ece581b5284ffd604b54bacb38acc87ea7fbac31aae38e20eb4ead31a  plugins/dbms/spanner/__init__.py
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 87b5cebb5..f0f72e1f6 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.5.0"
+VERSION = "1.10.5.1"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/plugins/dbms/spanner/enumeration.py b/plugins/dbms/spanner/enumeration.py
index 93ab9bb7c..afeddf496 100644
--- a/plugins/dbms/spanner/enumeration.py
+++ b/plugins/dbms/spanner/enumeration.py
@@ -44,3 +44,7 @@ class Enumeration(GenericEnumeration):
         logger.warning(warnMsg)
 
         return {}
+
+    def getHostname(self):
+        warnMsg = "on Spanner it is not possible to enumerate the hostname"
+        logger.warning(warnMsg)