966 matches found
CVE-2024-9701
A Remote Code Execution RCE vulnerability has been identified in the Kedro ShelveStore class version 0.19.8. This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class use...
CVE-2024-10252
A vulnerability in langgenius/dify versions =v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. This vulnerability enables an attacker to execute arbitrary Python code with root privileges within the sandbox environment, potentially leading to the deletion of...
CVE-2024-7806 Remote Code Execution by Non-Admin Users via CSRF in open-webui/open-webui
A vulnerability in open-webui/open-webui versions = 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery CSRF. The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious...
CVE-2024-9701
CVE-2024-9701 —Kedro’s ShelveStore (version 0.19.8) is vulnerable to Remote Code Execution due to unsafe deserialization: it uses Python’s shelve (pickle-based) and a crafted payload stored in the shelve file can execute arbitrary code upon deserialization. Details are tied to Kedro 0.19.8; no re...
CVE-2024-9701 Remote Code Execution in kedro-org/kedro
A Remote Code Execution RCE vulnerability has been identified in the Kedro ShelveStore class version 0.19.8. This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class use...
Arbitrary Code Execution (ACE)
Qiskit is vulnerable to Arbitrary Code Execution ACE. The vulnerability is due to unsafe deserialization in the qiskit.qpy.load function, which allows a maliciously crafted QPY file to execute embedded Python code without privilege escalation...
Qiskit allows arbitrary code execution decoding QPY format versions < 13
Impact A maliciously crafted QPY file can potentially execute arbitrary-code embedded in the payload without privilege escalation when deserializing QPY formats 13. A python process calling Qiskit's qiskit.qpy.load function could potentially execute any arbitrary Python code embedded in the corre...
CVE-2025-1497
A vulnerability, that could result in Remote Code Execution RCE, has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. Vendor commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting t...
GHSA-2HMP-5WQG-F24H PlotAI eval vulnerability
A vulnerability, that could result in Remote Code Execution RCE, has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. PlotAI commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting t...
PlotAI eval vulnerability
A vulnerability, that could result in Remote Code Execution RCE, has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. PlotAI commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting t...
CVE-2025-1497
A vulnerability, that could result in Remote Code Execution RCE, has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. Vendor commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting t...
CVE-2025-1497
A vulnerability, that could result in Remote Code Execution RCE, has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. Vendor commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting t...
CVE-2025-1497 Remote Code Execution in PlotAI
A vulnerability, that could result in Remote Code Execution RCE, has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. Vendor commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting t...
PT-2025-10588
Name of the Vulnerable Software and Affected Versions PlotAI affected versions not specified Description A vulnerability has been found that could result in Remote Code Execution RCE. The issue is due to the lack of validation of LLM-generated output, which allows an attacker to execute arbitrary...
AZL-75804 CVE-2025-27516 affecting package nodejs24 for versions less than 24.13.0-1
Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the...
DEBIAN-CVE-2025-27516
Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the...
Jinja2 -- Sandbox breakout through attr filter selecting format method
[email protected] reports: Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the...
Linux Distros Unpatched Vulnerability : CVE-2024-39705
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used...
Linux Distros Unpatched Vulnerability : CVE-2012-5485
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an arbitrary Python code execution in Jinja [CVE-2024-56326]
Summary IBM Watson Speech Services Cartridge is vulnerable to an arbitrary Python code execution in Jinja , caused by a sandbox breakout flaw CVE-2024-56326. Jinja is used by our Speech Runtimes. This vulnerabilitiy has been addressed. Please read the details for remediation below. Vulnerability...