CVE-2025-47928

CVE-2025-47928 affects the Spotipy Python library for the Spotify Web API. The issue arises from using GitHub Actions pull_request_target, which can execute untrusted code from a fork with base-repo secrets in the context of the base repository. This can lead to exfiltration of secrets such as GI...

Important: Red Hat Security Advisory: Red Hat OpenStack Platform 18.0 (python-h11) security update

An update for python-h11 is now available for Red Hat OpenStack Platform 18.0 Antelope. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

python: cpython: URL parser allowed square brackets in domain names

A flaw was found in Python. The Python standard library functions urllib.parse.urlsplit and urlparse accept domain names that included square brackets, which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs...

[SECURITY] Fedora 40 Update: python-h11-0.14.0-7.fc40

This is a little HTTP/1.1 library written from scratch in Python, heavily inspired by hyper-h2. It is a "bring-your-own-I/O" library; h11 contains no IO code whatsoever. This means you can hook h11 up to your favorite network API, and that could be anything you want: synchronous, threaded,...

[SECURITY] Fedora 42 Update: python-h11-0.14.0-7.fc42

This is a little HTTP/1.1 library written from scratch in Python, heavily inspired by hyper-h2. It is a "bring-your-own-I/O" library; h11 contains no IO code whatsoever. This means you can hook h11 up to your favorite network API, and that could be anything you want: synchronous, threaded,...

USN-7503-1 python-h11 vulnerability

Jeppe Bonde Weikop discovered that h11 incorrectly handled crafted HTTP requests. A remote attacker could possibly use this issue to smuggle malicious HTTP requests, which could potentially lead to security control bypass and information leakage...

RLSA-2024:4244 Moderate: python3.11-PyMySQL security update

This package contains a pure-Python MySQL client library. The goal of PyMySQL is to be a drop-in replacement for MySQLdb and work on CPython, PyPy, IronPython and Jython. Security Fixes: python-pymysql: SQL injection if used with untrusted JSON input CVE-2024-36039 For more details about the...

acatome-chat (>=0.2.1 <=0.4.2), acatome-extract (>=0.2.0 <=0.6.1) +133 more potentially affected by CVE-2025-46656 via markdownify (>=0.10.3 <=0.13.1)

markdownify PYPI version =0.10.3, =0.2.1, =0.2.0, =1.0.1, =0.8.1, =0.15.0, =0.0.18, =0.3.3, =0.1.46, =0.1.0, =0.1.0, =0.0.1, =1.0.1, =1.0.9 and more Source cves: CVE-2025-46656 Source advisory: SNYK:PYTHON-MARKDOWNIFY-9833926...

LightDSA: a Python-Based Hybrid Digital Signature Library and Performance Analysis of RSA, DSA, ECDSA and EdDSA in Variable Configurations, Elliptic Curve Forms and Curves

Digital signature algorithms DSAs are fundamental to cryptographic security, ensuring data integrity and authentication. While RSA, DSA, ECDSA, and EdDSA are widely used, their performance varies significantly depending on key sizes, hash functions, and elliptic curve configurations. In this pape...

h11 环境问题漏洞

h11 is a small HTTP/1.1 library written from scratch in Python by the individual developer Nathaniel J. Smith. An environment issue vulnerability exists in versions of h11 prior to 0.16.0, which stems from improper parsing of line terminators and could lead to a request entrapment attack...

openwebui-token-tracking (=0.1.7) potentially affected by CVE-2025-29446 via open-webui (=0.6.0)

open-webui PYPI version =0.6.0 is affected by a known vulnerability. The following packages have a transitive dependency on open-webui and may be impacted: - openwebui-token-tracking =0.1.7 Source cves: CVE-2025-29446 Source advisory: SNYK:PYTHON-OPENWEBUI-9789616...

Wappalyzer-Next - Python library that uses Wappalyzer extension (and its fingerprints) to detect technologies

This project is a command line tool and python library that uses Wappalyzer extension and its fingerprints to detect technologies. Other projects emerged after discontinuation of the official open source project are using outdated fingerpints and lack accuracy when used on dynamic web-apps, this...

dev-laiser (>=0.0.2 <=0.2.17), dillema (>=0.1.1 <=0.1.6) +14 more potentially affected by CVE-2025-32381 via xgrammar (>=0.1.11 <=0.1.17)

xgrammar PYPI version =0.1.11, =0.0.2, =0.1.1, =0.1.1, =0.0.2, =0.0.7, =1.2.0, =0.1.20, =0.0.2, =0.1.2, =1.2.0, =0.1.0, =0.19.0, =1.0.0rc1 and more Source cves: CVE-2025-32381 Source advisory: SNYK:PYTHON-XGRAMMAR-9724725...

BIT-PYTHON-MIN-2025-0938 URL parser allowed square brackets in domain names

The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in...

python311-PyJWT-2.10.1-2.1 on GA media (moderate)

python311-PyJWT-2.10.1-2.1 on GA media Announcement ID: openSUSE-SU-2025:14987-1 Rating: moderate Cross-References: CVE-2022-29217 CVSS scores: CVE-2022-29217 SUSE : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can...

ai-dynamo (=0.1.0), bento-sgl-router (>=0.0.1 <=0.0.6) +23 more potentially affected by CVE-2025-32375 via bentoml (>=1.0.0a7 <=1.4.7)

bentoml PYPI version =1.0.0a7, =0.0.1, =0.2.3, =0.1.0, =0.0.1, =1.0.1, =0.1.0, =0.2.0, =0.3.12, =0.0.1, =1.0.3, =1.0.4 and more Source cves: CVE-2025-32375 Source advisory: SNYK:PYTHON-BENTOML-9679274...

GHSA-V7X6-RV5Q-MHWC Picklescan missing detection when calling built-in python library function timeit.timeit()

Summary Using timeit.timeit function, which is a built-in python library function to execute remote pickle file. Details Pickle’s deserialization process is known to allow execution of function via reduce method. While Picklescan is meant to detect such exploits, this attack evades detection by...

CVE-2025-27520

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution RCE vulnerability caused by insecure deserialization has been identified in the latest version v1.4.2 of BentoML. It allows any unauthenticated user to execute...

CVE-2025-27520

BentoML 1.4.2 contains an insecure deserialization flaw in serde.py that enables unauthenticated RCE via crafted payloads. The issue, described across CVE-2025-27520 sources, is fixed in 1.4.3. Public PoCs and exploit modules exist (GitHub, Metasploit) illustrating remote command execution attemp...

apss (>=0.1.0 <=0.3.0), hebo-mindspore (>=0.2.0 <=0.2.1) +12 more potentially affected by CVE-2025-3145 via mindspore (>=2.7.0 <=2.9.0)

mindspore PYPI version =2.7.0, =0.1.0, =0.2.0, =1.6.0, =0.2.0, =1.4.0, =0.0.12, =1.0.0, =0.0.1, =0.0.1, =0.1.0, =0.1.4 Source cves: CVE-2025-3145 Source advisory: SNYK:PYTHON-MINDSPORE-10361605...