81 matches found
PYSEC-2026-367 Kedro deserialization vulnerability
A Remote Code Execution RCE vulnerability has been identified in the Kedro ShelveStore class version 0.19.8. This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class use...
CVE-2026-3840
A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The getversionedpath method in kedro/io/core.py directly interpolates user-supplied version strings into filesystem paths without sanitization. This enables an attacker to...
CVE-2026-3840 Path Traversal in kedro-org/kedro
A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The getversionedpath method in kedro/io/core.py directly interpolates user-supplied version strings into filesystem paths without sanitization. This enables an attacker to...
CVE-2026-3840
CVE-2026-3840 affects Kedro 1.2.0 and allows path traversal via unsanitized version strings. The vulnerability stems from _get_versioned_path() interpolating user-supplied version strings into filesystem paths and from _split_load_versions() not validating versions, making it possible to escape t...
CVE-2026-3840 Path Traversal in kedro-org/kedro
A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The getversionedpath method in kedro/io/core.py directly interpolates user-supplied version strings into filesystem paths without sanitization. This enables an attacker to...
CVE-2026-3840 Path Traversal in kedro-org/kedro
A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The getversionedpath method in kedro/io/core.py directly interpolates user-supplied version strings into filesystem paths without sanitization. This enables an attacker to...
PT-2026-48927
A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The get versioned path method in kedro/io/core.py directly interpolates user-supplied version strings into filesystem paths without sanitization. This enables an attacker to...
CVE-2026-35492
Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a...
CVE-2026-35171
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDROLOGGINGCONFIG environment variable and loads it without validation. The logging configuration schema supports the special key, which enables arbitrary...
CVE-2026-35167
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the getversionedpath method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences...
CVE-2026-35492
Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a...
CVE-2026-35492
Kedro-Datasets PartitionedDataset has a path traversal vulnerability prior to 9.3.0, where partition IDs were concatenated with the dataset base path without validation, potentially allowing writing outside the dataset directory on local FS or storage backends (S3, GCS, etc.). The issue affects a...
CVE-2026-35492 Kedro-Datasets has a path traversal vulnerability in PartitionedDataset allows arbitrary file write
Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a...
CVE-2026-35492 Kedro-Datasets has a path traversal vulnerability in PartitionedDataset allows arbitrary file write
Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a...
CVE-2026-35492
Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a...
CVE-2026-35492 Kedro-Datasets has a path traversal vulnerability in PartitionedDataset allows arbitrary file write
Kedro-Datasets is a Kendo plugin providing data connectors. Prior to 9.3.0, PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a...
Kedro-Plugins 路径遍历漏洞
Kedro-Plugins is an official plugin collection for the Kedro framework, developed by Kedro itself. Versions of Kedro-Plugins prior to 9.3.0 contained a path traversal vulnerability. This vulnerability stemmed from PartitionedDataset connecting partition IDs directly with the basic dataset path...
PYSEC-2026-71
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the getversionedpath method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences...
PYSEC-2026-72
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDROLOGGINGCONFIG environment variable and loads it without validation. The logging configuration schema supports the special key, which enables arbitrary...
corradin-opioid-project (=0.1.0), eensight (>=1.0.0 <=1.0.2) +48 more potentially affected by CVE-2026-35171 via kedro (>=0.15.9 <=1.0.0)
kedro PYPI version =0.15.9, =1.0.0, =0.1.0, =0.1.0, =0.1.9, =0.1.0, =0.0.4, =0.1.0, =0.2.1, =0.1.0, =0.1.0, =0.3.0, =0.5.1 and more Source cves: CVE-2026-35171 Source advisory: OSV:PYSEC-2026-72...