UBUNTU-CVE-2026-41140
Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supporte...
CVE-2026-41140
Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.data_filter is unavailable. Considering only Python versions which are still supporte...
Linux Distros Unpatched Vulnerability : CVE-2026-34591
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without...
CVE-2026-34591
Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...
CVE-2026-34591
CVE-2026-34591 is linked to a wheel path traversal in Poetry. The connected advisories (GHSA-2599-H6XX-HPXP / OSV) show that a crafted wheel can include non-contained ../ paths, allowing arbitrary file write during installation via the wheel destination logic (wheel_installer and executable path ...
aana (>=0.2.1 <=0.2.4), abao-ai (=0.0.5) +1069 more potentially affected by CVE-2026-32981 via ray (>=0.5.0 <=2.8.0)
ray PYPI version =0.5.0, =0.2.1, =0.0.6, =0.0.1b1, =0.1.1, =0.2.0, =0.0.2, =0.1.1, =0.2.0, =0.0.1, =0.0.0, =0.2.11 and more Source cves: CVE-2026-32981 Source advisory: OSV:PYSEC-2026-130...
aad-fastapi-dl37 (>=1.0.0 <=1.0.2), agentiq (>=1.2.0a20250730 <=1.2.0rc4) +220 more potentially affected by CVE-2026-27962 via authlib (>=1.0.0 <=1.6.8)
authlib PYPI version =1.0.0, =1.0.0, =1.2.0a20250730, =1.1.0, =1.2.0a20250730, =0.4.0, =0.1.0, =0.5.0, =0.1.0a1, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0rc4 and more Source cves: CVE-2026-27962 Source advisory:...
metasploit-mcp
metasploit-mcp Metasploit Framework MCP server for exploit ex...
coati-payroll (>=1.0.1 <=1.10.0), now-lms (>=1.0.3 <=1.2.3) +1 more potentially affected by CVE-2026-27641 via flask-reuploaded (>=1.2.0 <=1.4.0)
flask-reuploaded PYPI version =1.2.0, =1.0.1, =1.0.3, =4.6.1, =5.0.0 Source cves: CVE-2026-27641 Source advisory: SNYK:PYTHON-FLASKREUPLOADED-15363340...
a-mailx (=0.1.0), aaaai (>=0.1.3 <=0.3.0) +22 more potentially affected by CVE-2026-25528 via langsmith (>=0.4.11 <=0.6.2)
langsmith PYPI version =0.4.11, =0.1.3, =0.1.3, =2.1.7, =0.1.3, =3.0.0, =0.1.4, =1.0.2, =0.1.0, =0.1.0, =0.2.1, =0.2.2 and more Source cves: CVE-2026-25528 Source advisory: SNYK:PYTHON-LANGSMITH-15253026...
CVE-2025-23298
NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability in a python dependency, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering...
0x20bf (=0.0.1), 31 (=2.3.0) +4166 more potentially affected by CVE-2025-68146 via filelock (>=3.0.10 <=3.20.0)
filelock PYPI version =3.0.10, =0.0.3, =0.1.0, =1.0.5, =0.0.1b1, =0.2.3, =0.2.7 - ac-solver =0.1.0 - acceldata-o2a =1.0.0 and more Source cves: CVE-2025-68146 Source advisory: SNYK:PYTHON-FILELOCK-14458335...
anubis-policy-api (>=0.3.0 <=0.6.0), awsdf (=0.1.12) +29 more potentially affected by CVE-2025-61385 via pg8000 (>=1.12.1 <=1.31.4)
pg8000 PYPI version =1.12.1, =0.3.0, =2.0.0, =0.17.1, =0.4.0, =2050.0.0, =0.0.6, =1.0.5, =0.5.2, =0.1.0, =0.0.1, =2.40.0, =1.0.0, =0.2.2, =1.0.1, =1.0.3 and more Source cves: CVE-2025-61385 Source advisory: SNYK:PYTHON-PG8000-13723709...
EUVD-2025-18458
Malicious code in bioql PyPI...
NVIDIA Merlin Transformers4Rec Code Injection Vulnerability
NVIDIA Merlin Transformers4Rec is a software for building serialized and conversational recommender systems from NVIDIA. NVIDIA Merlin Transformers4Rec suffers from a code injection vulnerability, which originates from a Python dependency, that can be exploited by an attacker to perform malicious...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via a python dependency. An attacker can execute arbitrary code, escalate privileges, access sensitive information, and tamper with data by injecting malicious input. Remediation A fix was pushed into the master...
CVE-2025-23298
Summary: CVE-2025-23298 affects NVIDIA Merlin Transformers4Rec. A vulnerability arises from a Python dependency in Transformers4Rec where loading a checkpoint with PyTorch’s torch.load() can deserialize objects via Python’s pickle, enabling arbitrary code execution. This could allow an attacker t...