
315 matches found

Vulnrichment | added 2026/03/19 8:23 p.m. | 2 views

CVE-2026-27953 ormar has a Pydantic Validation Bypass via Kwargs Injection in Model Constructor

ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to a Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "pkonly": true into a JSON request body. By injecting "pkonly": true into a JSON...

CVSS 7.1 | AI score 5.9 | EPSS 0.01192
Exploits 1 | References 9

vulnersOsv | added 2026/03/16 8:53 p.m. | 4 views

aad-fastapi-dl37 (>=1.0.0 <=1.0.2), agentiq (>=1.2.0a20250730 <=1.2.0rc4) +225 more potentially affected by CVE-2026-28498 via authlib (>=1.0.0 <=1.6.8)

authlib PYPI version =1.0.0, =1.0.0, =1.2.0a20250730, =1.1.0, =1.2.0a20250730, =0.4.0, =0.1.0, =0.5.0, =0.1.0a1, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0a20250730, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0rc4 and more Source cves: CVE-2026-28498 Source advisory:...

CVSS 8.2 | AI score 7.7 | EPSS 0.00201
Exploits 1

vulnersOsv | added 2026/03/16 4:15 p.m. | 3 views

aad-fastapi (>=1.0.0 <=1.1.2), aad-fastapi-dl37 (>=1.0.0 <=1.0.3) +283 more potentially affected by CVE-2026-28498 via authlib (>=0.10.0 <=1.6.8)

authlib PYPI version =0.10.0, =1.0.0, =1.0.0, =0.0.1, =1.0.2, =1.0.2, =1.2.0a20250730, =1.1.0, =1.2.0a20250730, =0.4.0, =0.1.0, =0.5.0, =0.1.0a1, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0rc4 and more Source cves: CVE-2026-28498 Source advisory: OSV:GHSA-M344-F55W-2M6J...

CVSS 8.2 | AI score 7.7 | EPSS 0.00201
Exploits 1

vulnersOsv | added 2026/03/16 3:17 p.m. | 2 views

aad-fastapi (>=1.0.0 <=1.1.2), aad-fastapi-dl37 (>=1.0.0 <=1.0.3) +283 more potentially affected by CVE-2026-28490 via authlib (>=0.10.0 <=1.6.8)

authlib PYPI version =0.10.0, =1.0.0, =1.0.0, =0.0.1, =1.0.2, =1.0.2, =1.2.0a20250730, =1.1.0, =1.2.0a20250730, =0.4.0, =0.1.0, =0.5.0, =0.1.0a1, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0rc4 and more Source cves: CVE-2026-28490 Source advisory: OSV:GHSA-7432-952R-CW78...

CVSS 8.3 | AI score 5.4 | EPSS 0.00142
Exploits 1

OSV | added 2026/03/16 3:17 p.m. | 5 views

GHSA-7432-952R-CW78 Authlib Vulnerable to JWE RSA1_5 Bleichenbacher Padding Oracle

Executive Summary: A cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in,...

CVSS 8.3 | AI score 6.4 | EPSS 0.00142
Exploits 1 | References 5

vulnersOsv | added 2026/03/16 3:17 p.m. | 4 views

aad-fastapi (>=1.0.0 <=1.1.2), aad-fastapi-dl37 (>=1.0.0 <=1.0.3) +283 more potentially affected by CVE-2026-27962 via authlib (>=0.10.0 <=1.6.8)

authlib PYPI version =0.10.0, =1.0.0, =1.0.0, =0.0.1, =1.0.2, =1.0.2, =1.2.0a20250730, =1.1.0, =1.2.0a20250730, =0.4.0, =0.1.0, =0.5.0, =0.1.0a1, =1.2.0, =1.2.0a20250730, =1.2.0a20250730, =1.2.0rc4 and more Source cves: CVE-2026-27962 Source advisory: OSV:GHSA-WVWJ-CVRP-7PV5...

CVSS 9.1 | AI score 7.7 | EPSS 0.0041
Exploits 1

vulnersOsv | added 2026/03/13 8:56 p.m. | 4 views

evennia (>=1.0.0 <=6.0.0), fastapi-casbin-auth (>=1.3.0 <=1.5.0) +6 more potentially affected by CVE-2026-32640 via simpleeval (>=1.0.0 <=1.0.4)

simpleeval PYPI version =1.0.0, =1.0.0, =1.3.0, =2.8.0, =3.2.0, =1.0.0, =0.53.6, =0.54.0a10 Source cves: CVE-2026-32640 Source advisory: SNYK:PYTHON-SIMPLEEVAL-15610288...

CVSS 9.8 | AI score 7.2 | EPSS 0.0046
Exploits 0

OSSF Malicious Packages | added 2026/03/13 8:20 p.m. | 6 views

Malicious code in fastapi-middleware-cors (PyPI)

Per-source details. Source: kam193 (package SHA-256 305178589615e2247b892b3e305e5fd69a0fc02092f0b115b6b384441f5ddd46). A library disguised as a FastAPI helper executes obfuscated code when the module is imported. The code is highly obfuscated; it seems to contain an...

AI score 5.8
Exploits 0 | References 1

OSV | added 2026/03/13 8:20 p.m. | 3 views

MAL-2026-1422 Malicious code in fastapi-middleware-cors (PyPI)

Per-source details. Source: kam193 (package SHA-256 305178589615e2247b892b3e305e5fd69a0fc02092f0b115b6b384441f5ddd46). A library disguised as a FastAPI helper executes obfuscated code when the module is imported. The code is highly obfuscated; it seems to contain an...

AI score 5.8
Exploits 0 | References 1

OSSF Malicious Packages | added 2026/03/06 11:35 a.m. | 11 views

Malicious code in fastapi-requests (PyPI)

Per-source details. Source: kam193 (package SHA-256 8e414a858711540d25b63ced50114d396e150157b65a70056beccc38948a4199). The package clones a legitimate library and contains hidden code that executes remote scripts. During the analysis, the remote code was no longer available...

AI score 6
Exploits 0 | References 1

OSV | added 2026/03/06 11:35 a.m. | 16 views

MAL-2026-1261 Malicious code in fastapi-requests (PyPI)

Per-source details. Source: kam193 (package SHA-256 8e414a858711540d25b63ced50114d396e150157b65a70056beccc38948a4199). The package clones a legitimate library and contains hidden code that executes remote scripts. During the analysis, the remote code was no longer available...

AI score 6
Exploits 0 | References 1

vulnersOsv | added 2026/03/02 6:47 p.m. | 4 views

did-sdk-python (>=1.0.0 <=1.1.3), django-ninja-aio-crud (>=1.0.5 <=2.32.0) +9 more potentially affected by CVE-2026-27932 via joserfc (>=0.9.0 <=1.6.1)

joserfc PYPI version =0.9.0, =1.0.0, =1.0.5, =2.5.0, =2.0.0, =3.0.2, =0.1.3, =0.18.1, =0.1.0, =0.9.0, =0.1.0, =0.5.0rc2 Source cves: CVE-2026-27932 Source advisory: OSV:GHSA-W5R5-M38G-F9F9...

CVSS 7.5 | AI score 5.4 | EPSS 0.00432
Exploits 2

Vulnrichment | added 2026/02/23 8:2 a.m. | 5 views

CVE-2026-2979 FastApiAdmin Scheduled Task API controller.py user_avatar_upload_controller unrestricted upload

A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function user_avatar_upload_controller of the file /backend/app/api/v1/module_system/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched...

CVSS 6.5 | AI score 5.2 | EPSS 0.00294
Exploits 1 | References 4

ATTACKERKB | added 2026/02/23 8:2 a.m. | 3 views

CVE-2026-2979

A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function user_avatar_upload_controller of the file /backend/app/api/v1/module_system/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched...

CVSS 6.5 | AI score 6.2 | EPSS 0.00294
Exploits 1 | References 4

Cvelist | added 2026/02/23 7:32 a.m. | 27 views

CVE-2026-2978 FastApiAdmin Scheduled Task API controller.py upload_file_controller unrestricted upload

A vulnerability was detected in FastApiAdmin up to 2.2.0. This vulnerability affects the function upload_file_controller of the file /backend/app/api/v1/module_system/params/controller.py of the component Scheduled Task API. Performing a manipulation results in unrestricted upload. The attack can be...

CVSS 6.5 | EPSS 0.00345
Exploits 1 | References 4

Vulnrichment | added 2026/02/23 7:32 a.m. | 4 views

CVE-2026-2978 FastApiAdmin Scheduled Task API controller.py upload_file_controller unrestricted upload

A vulnerability was detected in FastApiAdmin up to 2.2.0. This vulnerability affects the function upload_file_controller of the file /backend/app/api/v1/module_system/params/controller.py of the component Scheduled Task API. Performing a manipulation results in unrestricted upload. The attack can be...

CVSS 6.5 | AI score 6.3 | EPSS 0.00345
Exploits 1 | References 4

CVE | added 2026/02/23 7:32 a.m. | 14 views

CVE-2026-2978

CVE-2026-2978 relates to FastApiAdmin (up to 2.2.0) and affects the file path /backend/app/api/v1/module_system/params/controller.py, specifically the upload_file_controller function of the Scheduled Task API. The vulnerability arises from input manipulation that permits unrestricted file uploads...

CVSS 8.8 | AI score 6.3 | EPSS 0.00345
Exploits 1 | References 4 | Affected Software 1

OSV | added 2026/02/23 7:16 a.m. | 3 views

CVE-2026-2976

A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function download_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Download Endpoint. This manipulation of the argument filepath causes information disclosure. It is...

CVSS 6.5 | AI score 5.5 | EPSS 0.0031
Exploits 1 | References 4

Cvelist | added 2026/02/23 6:32 a.m. | 30 views

CVE-2026-2976 FastApiAdmin Download Endpoint controller.py download_controller information disclosure

A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function download_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Download Endpoint. This manipulation of the argument filepath causes information disclosure. It is...

CVSS 5.3 | EPSS 0.0031
Exploits 1 | References 4

CVE | added 2026/02/23 6:2 a.m. | 16 views

CVE-2026-2975

FastApiAdmin (up to 2.2.0) contains a vulnerability in the Custom Documentation Endpoint. The affected area is the function reset_api_docs in /backend/app/plugin/init_app.py, which allows information disclosure. The vulnerability can be exploited remotely, and public exploits are available. No re...

CVSS 6.9 | AI score 5.3 | EPSS 0.00412
Exploits 1 | References 4 | Affected Software 1