772 matches found

OSV
added 2025/03/25 4:25 p.m. | 2 views

CLSA-2025-1742919946 python3.9: Fix of 2 CVEs

CVE-2024-11168: fix improper validation of bracketed hosts in urllib.parse.urlsplit and urlparse functions - CVE-2025-0938: fix incomplete algorithm of validating hosts by disallowing square brackets in domain names...

CVSS 6.3 | AI score 6.8 | EPSS 0.01639
Exploits: 0 | References: 1

vulnersOsv
added 2025/03/20 12:32 p.m. | 2 views

adclaw (>=1.0.0 <=1.0.4), agentjet (=0.0.1) +24 more potentially affected by CVE-2024-8438 via agentscope (>=0.1.0 <=1.0.7)

agentscope PYPI version =0.1.0, =1.0.0, =0.3.0, =0.1.0, =0.2.0, =0.1.5, =1.0.0.post2, =0.1.0, =0.1.0, =0.1.0.post1, =0.2.0, =0.4.0, =0.1.6, =0.1.84 and more Source cves: CVE-2024-8438 Source advisory: SNYK:PYTHON-AGENTSCOPE-9511412...

CVSS 7.5 | AI score 7 | EPSS 0.0039
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m. | 2 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-8061 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-8061 Source advisory: SNYK:PYTHON-AIM-9511136...

CVSS 7.5 | AI score 7 | EPSS 0.00471
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m. | 3 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-6483 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-6483 Source advisory: SNYK:PYTHON-AIM-9511134...

CVSS 5.3 | AI score 6 | EPSS 0.00659
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m. | 0 views

agentverse (=0.1.8.1), airoboros (=2.1.1) +35 more potentially affected by CVE-2024-12376 via fschat (>=0.2.2 <=0.2.36)

fschat PYPI version =0.2.2, =0.3.0, =0.0.1, =1.1.0, =0.1.1, =0.1.1, =0.9.0.8, =0.1.1, =0.1.8 and more Source cves: CVE-2024-12376 Source advisory: SNYK:PYTHON-FSCHAT-9553180...

CVSS 7.5 | AI score 7 | EPSS 0.00443
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m. | 2 views

3d-rcnet (>=0.2.2 <=0.2.3), aa-prepflow (>=0.1.0 <=0.1.1) +1116 more potentially affected by CVE-2024-12217 via gradio (>=1.7.7 <=6.9.0)

gradio PYPI version =1.7.7, =0.2.2, =0.1.0, =0.3.0, =0.0.3, =0.1.5, =0.8.2.4, =0.2.1, =0.1.0, =0.1.0, =0.1.0, =2.0.0, =0.1.4, =0.1.11 and more Source cves: CVE-2024-12217 Source advisory: SNYK:PYTHON-GRADIO-9510952...

CVSS 5.3 | AI score 6 | EPSS 0.00324
Exploits: 0

vulnersOsv
added 2025/03/20 12:32 p.m. | 2 views

ace-step (=0.1.0), aiconfigurator (>=0.1.0 <=0.2.0) +207 more potentially affected by CVE-2024-10624 via gradio (>=4.38.1 <=5.25.2)

gradio PYPI version =4.38.1, =0.1.0, =0.0.4, =0.1.1, =0.1.0, =25.3.1, =0.0.1, =0.1.0, =0.1.0, =0.1.1, =0.1.0a20, =1.1.1, =25.3.1, =25.3.8 - cleaners =0.1.0 and more Source cves: CVE-2024-10624 Source advisory: SNYK:PYTHON-GRADIO-9487018...

CVSS 7.5 | AI score 7 | EPSS 0.00822
Exploits: 1

vulnersOsv
added 2025/03/20 10:49 a.m. | 2 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-7760 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-7760 Source advisory: SNYK:PYTHON-AIM-9637809...

CVSS 9.6 | AI score 7 | EPSS 0.00229
Exploits: 1

CNNVD
added 2025/03/20 12:00 a.m. | 5 views

sagemaker-python-sdk security vulnerability

sagemaker-python-sdk is an Amazon Web Services open source library for training and deploying machine learning models on Amazon SageMaker. A security vulnerability exists in sagemaker-python-sdk that stems from an MD5 hash collision in the SageMaker Workflow component that could result in workflo...

CVSS 5.9 | AI score 5.7 | EPSS 0.00138
Exploits: 0 | References: 2

Fedora
added 2025/03/15 12:49 a.m. | 12 views

[SECURITY] Fedora 42 Update: python-spotipy-2.25.1-1.fc42

A light weight Python library for the Spotify Web API...

CVSS 9.8 | AI score 7.3 | EPSS 0.00236
Exploits: 1

OSV
added 2025/03/10 7:45 p.m. | 2 views

CLSA-2025-1741635940 python3: Fix of 2 CVEs

CVE-2024-11168: fix improper validation of bracketed hosts in urllib.parse.urlsplit and urlparse functions - CVE-2025-0938: fix incomplete algorithm of validating hosts by disallowing square brackets in domain names...

CVSS 6.3 | AI score 6.8 | EPSS 0.01639
Exploits: 0 | References: 1

Fedora
added 2025/03/08 1:36 a.m. | 15 views

[SECURITY] Fedora 40 Update: python-spotipy-2.25.1-1.fc40

A light weight Python library for the Spotify Web API...

CVSS 9.8 | AI score 7 | EPSS 0.00236
Exploits: 1

Fedora
added 2025/03/08 1:24 a.m. | 10 views

[SECURITY] Fedora 41 Update: python-spotipy-2.25.1-1.fc41

A light weight Python library for the Spotify Web API...

CVSS 9.8 | AI score 7 | EPSS 0.00236
Exploits: 1

Tenable Nessus
added 2025/03/05 12:00 a.m. | 7 views

Linux Distros Unpatched Vulnerability : CVE-2024-23346

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Pymatgen Python Materials Genomics is an open-source Python library for materials analysis. A critical security vulnerability exists in the...

CVSS 9.3 | AI score 8.6 | EPSS 0.54892
Exploits: 8 | References: 2

vulnersOsv
added 2025/03/01 6:34 a.m. | 1 views

aether-observer (>=0.1.0 <=0.1.1), agloom (>=0.1.8 <=0.1.54) +74 more potentially affected by unknown CVE via kuzu (>=0.0.11 <=0.7.1)

kuzu PYPI version =0.0.11, =0.1.0, =0.1.8, =0.1.0, =0.1.0, =4.3.12, =0.1.0, =0.2.0, =0.1.1, =0.2.1, =0.1.3, =1.0.2, =0.1.0, =0.1.2, =0.1.4 and more Source cves: unknown CVE Source advisory: SNYK:PYTHON-KUZU-12179282...

AI score 5.8
Exploits: 0

OSV
added 2025/02/27 1:53 p.m. | 4 views

CVE-2025-27154 Spotipy's cache file, containing spotify auth token, is created with overly broad permissions

Spotipy is a lightweight Python library for the Spotify Web API. The CacheHandler class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has rw-r--r-- 644 permissions by default, when it could be locked down to rw------- 600 permissions. This leads to overly...

CVSS 8.4 | AI score 6.6 | EPSS 0.00236
Exploits: 1 | References: 6

OSV
added 2025/02/27 8:38 a.m. | 3 views

CLSA-2025-1740645491 python3.11: Fix of CVE-2023-27043

CVE-2023-27043: add a strict parsing mode to prevent incorrect address interpretation. By default, strict=True is enabled. If you need the legacy behavior, explicitly set strict=False when calling parseaddr or getaddresses - Additionally, strict parsing can be disabled globally by setting the...

CVSS 5.3 | AI score 6.8 | EPSS 0.00161
Exploits: 1 | References: 1

OSV
added 2025/02/26 9:31 p.m. | 9 views

PYSEC-2025-4 When using the project to bypass Deezer API restrictions, project exfiltrates user data to a hardcoded server.

Published in 2019, the automslc package is a Python library that bypasses Deezer API restrictions to download music. The package was found to exfiltrate user data to a hardcoded server, which could be used for malicious purposes...

AI score 7
Exploits: 0 | References: 2

OSV
added 2025/02/26 9:31 p.m. | 5 views

PYSEC-2025-5 Exfiltrates user cookies to hardcoded server endpoint during normal operations

Published in 2020, the autodzee package is a Python library that bypasses Deezer API restrictions to download music. The package was found to exfiltrate user data to a hardcoded server, which could be used for malicious purposes...

AI score 7
Exploits: 0 | References: 2

OSV
added 2025/02/26 9:31 p.m. | 3 views

PYSEC-2025-6 Exfiltrates cookies to hardcoded IP address

Published in 2021, the colabrun package is a Python library that exfiltrates user cookies to a hardcoded IP address. The package was found to exfiltrate user data to a hardcoded server, which could be used for malicious purposes...

AI score 7
Exploits: 0 | References: 2