SQL injection
It is possible to read and extract any data from any table in the pycsw database that the database user has access to. On PostgreSQL (at least) it is possible to perform updates/inserts/deletes, and database modifications to any table the database user has access to.