CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSSF Malicious Packages•added 4 days ago•8 views

Malicious code in anthropy (PyPI)

5.8AI score

ATTACKERKB•added 4 days ago•6 views

CVE-2026-45409

Internationalized Domain Names in Applications IDNA for Python provides support for Internationalized Domain Names in Applications IDNA and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as "\u0660" N or "\u30fb" N + "\u6f22" utilize the validcontexto function pri...

7.5CVSS6.6AI score0.00748EPSS

Exploits1References2Affected Software1

Debian CVE•added 4 days ago•5 views

CVE-2026-45409

6.9CVSS6.3AI score0.00014EPSS

Exploits0

Vulnrichment•added 4 days ago•3 views

CVE-2026-45409 Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix

6.9CVSS5.4AI score0.00014EPSS

CVE•added 4 days ago•11 views

CVE-2026-45409

CVE-2026-45409 affects Python’s IDNA handling (idna.encode) in Python-idna. A specially crafted input could cause heavy resource consumption and potential DoS. The issue mirrors CVE-2024-3651; fixes were extended in 3.14–3.15 to reject long inputs earlier and more broadly (per-label conversions a...

6.9CVSS6.3AI score0.00014EPSS

EUVD•added 4 days ago•6 views

EUVD-2026-34921

7.5CVSS5.4AI score0.00748EPSS

Exploits1References1

PyPA•added 4 days ago•3 views

PYSEC-0000-CVE-2026-45758

Guardrails AI is a Python framework that helps build AI applications. On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of guardrails-ai 0.10.1 to PyPI. Aany user who installed guardrails-ai==0.10.1 from PyPI on May 11, 2026 may be affected. Security...

9.6CVSS5.5AI score0.00038EPSS

Exploits0References3Affected Software1

7.2CVSS5.7AI score0.0006EPSS

CVE-2026-40072

web3.py allows you to interact with the Ethereum blockchain using Python. From 6.0.0b3 to before 7.15.0 and 8.0.0b2, web3.py implements CCIP Read / OffchainLookup EIP-3668 by performing HTTP requests to URLs supplied by smart contracts in offchainlookuppayload"urls". The implementation uses these...

Exploits2References1

2.9CVSS5.5AI score0.00006EPSS

CVE-2026-40947

Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 have an unintended DLL search path...

4.3CVSS5.5AI score0.00011EPSS

CVE-2026-3073

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI package protection rules and upload restricted packages due to...

CVE•added 4 days ago•11 views

CVE-2026-45758

CVE-2026-45758 affects Guardrails AI (Python framework). A malicious PyPI release, guardrails-ai==0.10.1, was published on 2026-05-11. Security telemetry reports no observed requests to Guardrails AI infrastructure from 0.10.1 and no data exfiltration evidence, but affected users should act. The ...

9.6CVSS5.5AI score0.00038EPSS

Exploits0References3Affected Software1

EUVD•added 4 days ago•7 views

EUVD-2026-34912

9.6CVSS5.5AI score0.00038EPSS

Exploits0References3

Cvelist•added 4 days ago•27 views

CVE-2026-45758 Malicious code in guardrails-ai 0.10.1 (supply chain compromise)

9.6CVSS0.00038EPSS

Exploits0References3

5.7CVSS5.4AI score0.00005EPSS

CVE-2026-6550

Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be...

6.8CVSS5.5AI score0.0002EPSS

CVE-2026-42312

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option "general",...

Exploits1References1

5.5CVSS5.5AI score0.00055EPSS

CVE-2026-46383

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a...

7.4CVSS6.2AI score0.00099EPSS

CVE-2026-39421

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to execute raw system calls, an authenticated attacker with workspace privileges can bypass the LDPRELOAD-based...

5CVSS5.5AI score0.00013EPSS

CVE-2026-44972

GuardDog is a CLI tool to identify malicious PyPI packages. From 2.6.0 to 2.9.0, GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject...

8.8CVSS6.3AI score0.00053EPSS

CVE-2026-7466

AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipelinepath parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to...