53 matches found
PYSEC-0000-CVE-2026-48524
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.getsigningkey forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a denial of service in cbor2 [CVE-2026-26209]
Summary IBM Watson Speech Services Cartridge is vulnerable to adenial of service in cbor2, caused by uncontrolled recursion when decoding deeply nested CBOR structures CVE-2026-26209. Cbor2 is used in our speech runtimes. This vulnerabilitiy has been addressed. Please read the details for...
CVE-2026-44661
python-utcp is the python implementation of UTCP. Prior to 1.1.3, the utcp-http plugin is vulnerable to a blind Server-Side Request Forgery SSRF caused by a trust-boundary inconsistency between manual discovery and tool invocation. registermanual validates the discovery URL against an HTTPS /...
Universal Tool Calling Protocol 安全漏洞
Universal Tool Calling Protocol is an official Python implementation of the UTCP open-source protocol. Versions prior to 1.1.3 of Universal Tool Calling Protocol contained security vulnerabilities; these vulnerabilities stemmed from the prepareenvironment method passing complete environment...
Universal Tool Calling Protocol 代码问题漏洞
Universal Tool Calling Protocol is an official Python implementation of the UTCP open-source protocol. Versions prior to 1.1.3 of Universal Tool Calling Protocol had code vulnerabilities, which stemmed from inconsistent trust boundaries and could lead to man-in-the-middle server request forgery...
[SECURITY] Fedora 44 Update: pypy-7.3.21-8.fc44
PyPy's implementation of Python, featuring a Just-In-Time compiler on some CPU architectures, and various optimized implementations of the standard types strings, dictionaries, etc This build of PyPy has JIT-compilation enabled...
[SECURITY] Fedora 43 Update: pypy-7.3.21-8.fc43
PyPy's implementation of Python, featuring a Just-In-Time compiler on some CPU architectures, and various optimized implementations of the standard types strings, dictionaries, etc This build of PyPy has JIT-compilation enabled...
[SECURITY] Fedora 43 Update: pypy-7.3.21-3.fc43
PyPy's implementation of Python, featuring a Just-In-Time compiler on some CPU architectures, and various optimized implementations of the standard types strings, dictionaries, etc This build of PyPy has JIT-compilation enabled...
GHSA-3C37-WWVX-H642 cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads
Summary - The cbor2 library is vulnerable to a Denial of Service DoS attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. - This vulnerability affects both the pure Python implementation and the C extension cbor2. The C extension correctly uses Python's C-API for...
CVE-2026-26209 cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads
cbor2 provides encoding and decoding for the Concise Binary Object Representation CBOR serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service DoS attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the...
Exploit for Deserialization of Untrusted Data in Facebook React
CVE-2025-55182: React Server Components RCE Scanner A compreh...
EUVD-2023-49474
Malicious code in bioql PyPI...
EUVD-2025-11981
Malicious code in bioql PyPI...
EUVD-2025-6723
Malicious code in bioql PyPI...
CVE-2025-57804
h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without...
CVE-2025-57804 h2 allows HTTP Request Smuggling due to illegal characters in headers
h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without...
CVE-2025-53366 MCP SDK Vulnerable to FastMCP Server Validation Error, Leading to Denial of Service
The MCP Python SDK, called mcp on PyPI, is a Python implementation of the Model Context Protocol MCP. Prior to version 1.9.4, a validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability 500 errors until manually...
CVE-2025-48994
SignXML (Python) prior to 4.0.4 is vulnerable to an algorithm confusion attack when verifying signatures with require_x509=False and hmac_key is set, allowing an attacker to forge a signature under a different algorithm if the expected signature algorithms are not restricted (verify(expect_config...
CVE-2024-3219
The “socket” module provides a pure-Python fallback to the socket.socketpair function for platforms that don’t support AFUNIX, such as Windows. This pure-Python implementation uses AFINET or AFINET6 to create a local connected pair of sockets. The connection between the two sockets was not verifi...
CVE-2025-43859 h11 accepts some malformed Chunked-Encoding bodies
h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires...