917 matches found

OSV
added 2026/05/28 8:50 a.m. | 5 views

BIT-MLFLOW-2026-2614 Arbitrary File Read via Prompt Tag Source Validation Bypass in mlflow/mlflow

A vulnerability in the _create_model_version handler of mlflow/server/handlers.py in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a CreateModelVersion request includes the tag...

CVSS 7.5 | AI score 7.3 | EPSS 0.0005
Exploits: 1 | References: 3

OSV
added 2026/05/26 2:16 a.m. | 3 views

DEBIAN-CVE-2026-9538

Archive::Tar versions before 3.10 for Perl allow memory exhaustion via an attacker-controlled entry size field in the tar header. _read_tar reads each entry's payload with `$handle->read($data, $block)`, where $block is derived from the entry's 12-byte size field in the tar header with no upper bound on that...

CVSS 7.5 | AI score 5.8 | EPSS 0.00037
Exploits: 0 | References: 1

ATTACKERKB
added 2026/05/19 9:16 a.m. | 4 views

CVE-2026-2611

In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. ...

CVSS 9.6 | AI score 7.6 | EPSS 0.00036
Exploits: 1 | References: 3

CNNVD
added 2026/05/19 12:00 a.m. | 6 views

apscheduler security vulnerability

apscheduler is a Python task scheduling and queueing system developed by Alex Grönholm. Security vulnerabilities exist in apscheduler versions 3.10.x and 4.0.0a5. They stem from the unmarshal_object function in JSONSerializer and CBORSerializer, which allows arbitra...

CVSS 9.8 | AI score 6.3 | EPSS 0.00176
Exploits: 0 | References: 2

OSV
added 2026/05/15 6:25 p.m. | 1 views

GHSA-MQ5J-PW29-JCV3 Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`

Summary: Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a local .tar.gz that is not recognized as a plugin-format bundle, APM probes whether it is a...

CVSS 5.5 | AI score 6.1 | EPSS 0.00055
Exploits: 0 | References: 5

NVD
added 2026/05/04 7:16 p.m. | 6 views

CVE-2026-43964

Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number...

CVSS 7.5 | EPSS 0.00052
Exploits: 0 | References: 2

Tenable Nessus
added 2026/05/04 12:00 a.m. | 1 views

RHCOS 3 : Red Hat OpenShift Container Platform 3.10 (RHSA-2018:2709)

The remote Red Hat Enterprise Linux CoreOS 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2709 advisory.
- atomic-openshift: oc patch with json causes masterapi service crash (CVE-2018-14632)
- haproxy: Out-of-bounds read in HPACK decoder...

CVSS 7.7 | AI score 7.2 | EPSS 0.0051
Exploits: 0 | References: 37

Tenable Nessus
added 2026/05/04 12:00 a.m. | 2 views

RHCOS 3 : Red Hat OpenShift Container Platform 3.10 atomic-openshift (RHSA-2019:1632)

The remote Red Hat Enterprise Linux CoreOS 3 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2019:1632 advisory.
- kubernetes: Incomplete fix for CVE-2019-1002101 allows for arbitrary file write via kubectl cp (CVE-2019-11246)
Note that Nessus has not test...

CVSS 6.5 | AI score 7.5 | EPSS 0.49935
Exploits: 2 | References: 5

NVD
added 2026/04/24 6:16 p.m. | 0 views

CVE-2026-41140

Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supporte...

CVSS 2.3 | EPSS 0.0009
Exploits: 0 | References: 1

CVE
added 2026/04/24 5:10 p.m. | 7 views

CVE-2026-41140

Poetry 2.x prior to 2.3.4 is affected by a path-traversal in extractall() for tar archives when tarfile.data_filter is unavailable. Affected Python ranges are 3.10.0–3.10.12 and 3.11.0–3.11.4; the vulnerability could allow writing files outside the extraction directory during sdist handling in po...

CVSS 2.3 | AI score 5.3 | EPSS 0.0009
Exploits: 0 | References: 1

Cvelist
added 2026/04/24 5:10 p.m. | 21 views

CVE-2026-41140 Poetry: Path traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4

Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supporte...

CVSS 2.3 | EPSS 0.0009
Exploits: 0 | References: 1

OSV
added 2026/04/22 2:35 p.m. | 2 views

GHSA-73H3-MF4W-8647 Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4

Summary: The extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 ...

CVSS 2.3 | AI score 5.9 | EPSS 0.0009
Exploits: 0 | References: 4

Snyk
added 2026/04/22 2:35 p.m. | 2 views

Directory Traversal

Overview: poetry is a Python dependency management and packaging tool. Affected versions of this package are vulnerable to Directory Traversal via the extractall function in src/poetry/utils/helpers.py, which extracts sdist tarballs without path traversal protection on Python versions where...

CVSS 8.7 | AI score 6.4 | EPSS 0.0009
Exploits: 0 | References: 2

Github Security Blog
added 2026/04/09 6:31 p.m. | 4 views

Apache OpenMeetings has an Improper Handling of Insufficient Privileges vulnerability

Any registered user can query the web service with their credentials and get the files/sub-folders of any folder by ID (metadata only, NOT contents). Metadata includes id, type, name and some other fields. The full list of fields can be checked in the FileItemDTO object. This issue affects Apache OpenMeetings: from...

CVSS 4.3 | AI score 5.8 | EPSS 0.00135
Exploits: 0 | References: 5 | Affected Software: 1

Positive Technologies
added 2026/04/09 12:00 a.m. | 4 views

PT-2026-31639

Name of the Vulnerable Software and Affected Versions: Apache OpenMeetings versions prior to 9.0.0
Description: A registered user can query a web service with their credentials and retrieve metadata (id, type, name, and other fields from the FileItemDTO object) for files and sub-folders of any folder...

AI score 5.8 | EPSS 0.00135
Exploits: 0 | References: 7

OSV
added 2026/04/09 12:00 a.m. | 0 views

OPENSUSE-SU-2026:10520-1 python310-3.10.20-4.1 on GA media

These are all security issues fixed in the python310-3.10.20-4.1 package on the GA media of openSUSE Tumbleweed...

AI score 5.8 | EPSS 0.00016
Exploits: 0 | References: 1

Fedora
added 2026/03/29 12:50 a.m. | 1 views

[SECURITY] Fedora 43 Update: pypy3.10-7.3.19-11.3.10.fc43

PyPy's implementation of Python 3.10, featuring a Just-In-Time compiler on some CPU architectures and various optimized implementations of the standard types (strings, dictionaries, etc.). This build of PyPy has JIT compilation enabled...

CVSS 9.8 | AI score 7.3 | EPSS 0.00846
Exploits: 3

GithubExploit
added 2026/03/24 6:08 p.m. | 174 views

BUGSCANNER---PHP-Web-Security-Scanner-for-Bug-Bounty-Penetration-Testing

AI score 6.3
Exploits: 0

Tenable Nessus
added 2026/03/15 12:00 a.m. | 4 views

Fedora 43 : python3.10 (2026-41f576f846)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-41f576f846 advisory. Update to 3.10.20. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested...

CVSS 7.5 | AI score 5.9 | EPSS 0.00215
Exploits: 0 | References: 7

vulnersOsv
added 2026/02/18 10:41 p.m. | 0 views

01os (>=0.0.5 <=0.0.13), 3m (>=0.1.0 <=0.1.3) +2331 more potentially affected by CVE-2026-27025 via pypdf (>=3.10.0 <=6.7.0)

pypdf PYPI version =3.10.0, =0.0.5, =0.1.0, =0.4.1, =0.2.5, =0.0.2, =0.2.0, =1.2.27, =0.1.0, =1.2.32, =0.1.1, =1.0.0, =2.0.0 and more
Source cves: CVE-2026-27025
Source advisory: OSV:GHSA-WGVP-VG3V-2XQ3...

CVSS 6.9 | AI score 5.8 | EPSS 0.00006
Exploits: 0