Security Bulletin: IBM watsonx.ai on Cloud Pak for Data is vulnerable to python-Python-3.12.0b4 (Publicly disclosed vulnerability found by Mend) due to python pip package ( CVE-2023-5752, PRISMA-2022-0168)

Summary IBM watsonx.ai on Cloud Pak for Data internally uses CVE-2023-5752 Vulnerability Details CVEID:CVE-2023-5752 DESCRIPTION: When installing a package from a Mercurial VCS URL ie "pip install hg+..." with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary...

Exploit for Missing Authentication for Critical Function in Mcpjam Inspector

cve-2026...

Security Bulletin: Multiple vulnerabilities in IBM Observability with Instana (OnPrem)

Summary Multiple vulnerabilities were remediated in IBM Observability with Instana OnPrem build 1.0.319 Vulnerability Details CVEID:CVE-2025-66418 DESCRIPTION: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the...

Exploit for Missing Authentication for Critical Function in Mcpjam Inspector

CVE-2026-23744-MCPJAM-RCE-exploit This Python proof-of-concept...

MOLOT System Card: Malicious Operational Logic Observation Transformer

MOLOT Malicious Operational Logic Observation Transformer is a static malicious-code detection system designed for SAST setup where package metadata, maintainer history, and dynamic execution traces may be unavailable or unreliable. The system represents source code as behavior sequences derived...

Fedora 43 : python-starlette (2026-e0f378428e)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-e0f378428e advisory. Backport fix for CVE-2026-48710 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

OPENSUSE-SU-2026:10963-1 python311-aiohttp-3.14.0-1.1 on GA media

These are all security issues fixed in the python311-aiohttp-3.14.0-1.1 package on the GA media of openSUSE Tumbleweed...

Security update for python-pyOpenSSL (moderate)

openSUSE security update: security update for python-pyopenssl ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20897-1 Rating: moderate References: bsc1262803 Cross-References: CVE-2026-40475 CVSS scores: CVE-2026-40475 SUSE : 5.5...

Fedora 44 : python-starlette (2026-3bce8d3f11)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-3bce8d3f11 advisory. Backport fix for CVE-2026-48710 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

CVE-2026-48522

A flaw was found in PyJWT, a JSON Web Token implementation in Python. The PyJWKClient component, prior to version 2.13.0, directly passes its Uniform Resource Identifier URI argument to urllib.request.urlopen. This allows a remote attacker, by influencing the application's jku URL ingestion path,...

CVE-2026-48524

A flaw was found in PyJWT, a Python library for JSON Web Token JWT implementation. A remote attacker can exploit this vulnerability by sending specially crafted JWTs with unknown 'kid' key ID values. This can force the PyJWKClient.getsigningkey function to make an unlimited number of unrate-limit...

MAL-2026-5184 Malicious code in sf-silly-goose-requests (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d1b2d16ce881d1e9b356ed424f8144ce9324d09010efa8761ad13ac8a46e7b60 Package uses trufflehog to detect secrets and exfiltrates them to a hardcoded location --- Category: MALICIOUS - The campaign has clearly malicious intent, lik...

Malicious code in sf-silly-goose-requests (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d1b2d16ce881d1e9b356ed424f8144ce9324d09010efa8761ad13ac8a46e7b60 Package uses trufflehog to detect secrets and exfiltrates them to a hardcoded location --- Category: MALICIOUS - The campaign has clearly malicious intent, lik...

1cijferho (=0.1.0), 203-python-project-rc (>=0.2.0 <=0.2.2) +3215 more potentially affected by CVE-2026-10804 via streamlit (>=0.49.0 <=1.9.2)

streamlit PYPI version =0.49.0, =0.2.0, =0.1.0, =0.1.0, =0.7.1, =0.1.6, =0.1.0, =0.0.1, =1.1.0, =2.0.0, =0.0.0, =0.0.15 and more Source cves: CVE-2026-10804 Source advisory: SNYK:PYTHON-STREAMLIT-17176399...

a2 (>=0.1.0 <=0.3.17), abnativ (>=1.1.0 <=1.2.9) +347 more potentially affected by CVE-2026-10803 via mlflow (>=0.8.2 <=3.10.0)

mlflow PYPI version =0.8.2, =0.1.0, =1.1.0, =0.0.5, =0.1.0, =0.1.0, =1.7.0, =1.7.0, =1.8.0, =1.7.0, =1.7.0, =0.1.1, =0.1.5 - anovos =1.1.0 and more Source cves: CVE-2026-10803 Source advisory: OSV:PYSEC-2026-195...

CVE-2026-10801

CVE-2026-10801 affects modelscope ms-swift up to 4.2.0 and targets the PIL Image Cache Key Handler, specifically the function Template._save_pil_image in swift/template/base.py. The issue is a manipulation that results in the use of a weak hash, enabling a local attack. The CVE notes a high attac...

ROOT-APP-PYPI-CVE-2026-27026 CVE-2026-27026 in rootio-pypdf - Patched by Root

Root has patched CVE-2026-27026 in the rootio-pypdf package for Root:PyPI. Multiple fixed versions available...

MAL-2026-5183 Malicious code in hpe-glcp-automation-lib (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 53256c57763ad4be286cf74bf0162b67413edc085338e3778ac9bc2afa1b4b93 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

Malicious code in hpe-glcp-automation-lib (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 53256c57763ad4be286cf74bf0162b67413edc085338e3778ac9bc2afa1b4b93 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

Netsweeper <=6.4.3 - Python Code Injection

Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php with certain Referer headers launches a command line with client-supplied parameters, and allows injection of shell metacharacters. id: CVE-2020-13167 info: name: Netsweeper =6.4.4 to mitiga...