Label Studio - Sensitive Information Exposure
An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on the platform by exploiting Django's Object Relational Mapper (ORM). Since the results of a query can be manipulated by the ORM filter, an attacker can leak these sensitive fields character by...
CVE-2026-40102
Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F expression without validation, unlike the regular AnalyticsEndpoint, which checks against an allowlist, causing ORM Field...
CVE-2026-33530
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints e.g. /api/part/, /api/stock/,...
CVE-2026-33530 InvenTree Vulnerable to ORM Filter Injection
InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints e.g. /api/part/, /api/stock/,...
InvenTree Security Vulnerability
InvenTree is an open-source inventory management system developed by InvenTree. It provides robust low-level inventory control and parts tracking capabilities. Versions of InvenTree prior to 1.2.6 contained security vulnerabilities. These vulnerabilities stemmed from the batch operation API...
PT-2026-28488
Name of the Vulnerable Software and Affected Versions: InvenTree versions prior to 1.2.6; InvenTree versions 1.2.6 through 1.3.0. Description: InvenTree is an Open Source Inventory Management System. Certain API endpoints associated with bulk data operations can be exploited to exfiltrate sensitive...
Exploit for SQL Injection in Djangoproject Django
CTF Challenge: Django ORM Injection CVE-2025-64459 Catego...
CVE-2023-47117
Label Studio is an open source data labeling tool. In all current versions of Label Studio prior to 1.9.2post0, the application allows users to insecurely set filters for filtering tasks. An attacker can construct a filter chain to filter tasks based on sensitive fields for all user accounts on t...
croquemort (=2.1.0), django-nameko-standalone (=2.0.1) +4 more potentially affected by CVE-2021-41078 via nameko (>=2.11.0 <=2.12.0)
nameko PYPI version =2.11.0, =2.3.0, =28.0.0, =30.8.0 Source cves: CVE-2021-41078 Source advisory: OSV:PYSEC-2021-383...
croquemort (=2.1.0), django-nameko-standalone (=2.0.1) +4 more potentially affected by CVE-2021-41078 via nameko (>=2.11.0 <=2.12.0)
nameko PYPI version =2.11.0, =2.3.0, =28.0.0, =30.8.0 Source cves: CVE-2021-41078 Source advisory: OSV:GHSA-6P52-JR3Q-C94G...
[SECURITY] Fedora 16 Update: python-celery-2.2.8-1.fc16
An open source asynchronous task queue/job queue based on distributed message passing. It is focused on real-time operation, but supports scheduling as well. The execution units, called tasks, are executed concurrently on one or more worker nodes using multiprocessing, Eventlet or gevent. Tasks c...
[SECURITY] Fedora 15 Update: python-celery-2.2.8-1.fc15
An open source asynchronous task queue/job queue based on distributed message passing. It is focused on real-time operation, but supports scheduling as well. The execution units, called tasks, are executed concurrently on one or more worker nodes using multiprocessing, Eventlet or gevent. Tasks c...