Lucene search
K

2050117 matches found

PyPA
PyPA
added 6 hours ago3 views

`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes

lxmlhtmlclean.Cleaner does not strip javascript: URLs from namespaced URL attributes xlink:hrefReporter: Guillem Lefait · Date: 2026-05-10Affected: lxml ≤ 6.1.0 and lxmlhtmlclean ≤ 0.4.4 latest stableConfirmed against: lxml 6.1.0 + lxmlhtmlclean 0.4.4 on Python 3.13.5, 3.14.4, and 3.15.0a8 libxml...

8.2CVSS6.2AI score
Exploits0References5Affected Software1
PyPA
PyPA
added 6 hours ago3 views

Open WebUI vulnerable to Stored XSS via iFrame in citations model

SummaryManually modifying chat history allows setting the html property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponised document...

7.3CVSS6.2AI score0.00194EPSS
Exploits1References6Affected Software1
OSV
OSV
added 6 hours ago2 views

PYSEC-2026-3061 Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE

Summary Serena's built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port TCP 24282, hardcoded as 0x5EDA in constants.py. The server has no authentication, no CSRF protection, and no Host header validation. A DNS rebinding attack allows a malicious webpage to reach...

8.3CVSS6.6AI score0.00237EPSS
Exploits0References7
OSV
OSV
added 6 hours ago2 views

PYSEC-2026-2689 ONNX has Null Pointer Dereference in Upsample Version Converter Adapter (Zero Inputs)

Summary Null pointer dereference SIGSEGV in Upsample67::adaptupsample67 onnx/versionconverter/adapters/upsample67.h:31 when convertversion processes a model with an Upsample node that has zero inputs. The adapter accesses node-inputs0-sizes without checking input count. 107-byte PoC crashes on...

5.5CVSS6.1AI score0.0017EPSS
Exploits1References7
OSV
OSV
added 6 hours ago2 views

PYSEC-2026-2769 Open WebUI vulnerable to Stored XSS via iFrame in citations model

Summary Manually modifying chat history allows setting the html property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponised document...

7.3CVSS6.2AI score0.00194EPSS
Exploits1References6
OSV
OSV
added 6 hours ago2 views

PYSEC-2026-2614 `lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes

lxmlhtmlclean.Cleaner does not strip javascript: URLs from namespaced URL attributes xlink:href Reporter: Guillem Lefait · Date: 2026-05-10 Affected: lxml ≤ 6.1.0 and lxmlhtmlclean ≤ 0.4.4 latest stable Confirmed against: lxml 6.1.0 + lxmlhtmlclean 0.4.4 on Python 3.13.5, 3.14.4, and 3.15.0a8...

8.2CVSS6.2AI score
Exploits0References5
OSV
OSV
added 6 hours ago1 views

PYSEC-2026-2713 Open WebUI allows limited stored XSS vila uploaded html file

Summary Low privileged users can upload HTML files which contain JavaScript code via the /api/v1/files/ backend endpoint. This endpoint returns a file id, which can be used to open the file in the browser and trigger the JavaScript code in the user's browser. Under the default settings, files...

6.4CVSS6.1AI score0.003EPSS
Exploits1References8
PyPA
PyPA
added 6 hours ago2 views

Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE

SummarySerena's built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port TCP 24282, hardcoded as 0x5EDA in constants.py. The server has no authentication, no CSRF protection, and no Host header validation. A DNS rebinding attack allows a malicious webpage to reach...

8.3CVSS6.6AI score0.00237EPSS
Exploits0References7Affected Software1
OSV
OSV
added 6 hours ago2 views

PYSEC-2026-2716 Open WebUI vulnerable to stored XSS via unescaped markdown token in MarkdownTokens.svelte leading to full account takeover and RCE via functions

Summary A vulnerability in the way certain html tags in chat messages are rendered allows attackers to inject JavaScript code into a chat transcript. The JavaScript code will be executed in the user's browser every time that chat transcript is opened, allowing attackers to retrieve the user's...

8.7CVSS6.4AI score0.00449EPSS
Exploits1References8
OSV
OSV
added 6 hours ago2 views

PYSEC-2026-2482 flyto-core has Unauthenticated Command Execution via HTTP MCP `execute_module`

Unauthenticated Command Execution via HTTP MCP executemodule Summary The HTTP MCP endpoint POST /mcp in flyto-core accepts unauthenticated JSON-RPC tools/call requests and dispatches them to arbitrary registered modules, including sandbox.executeshell, which passes attacker-controlled input...

8.4CVSS6.5AI score
Exploits0References5
PyPA
PyPA
added 6 hours ago2 views

Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879

Neo4jChatAgent passes LLM-generated Cypher queries straight to the Neo4j driver with no validation, no statement-type allowlist, and no opt-out gate. The query text is influenceable by prompt injection direct user input or indirect content the agent reads back via RAG, so an attacker who can...

9.8CVSS6.1AI score0.00461EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 6 hours ago1 views

Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls

SQLChatAgent validatequery dangerous-pattern regex is bypassable via quoted/commented/qualified function names SummaryThe SQLChatAgent SQL-injection mitigation, with default allowdangerousoperations=False, combines a raw-text regex blocklist DANGEROUSSQLPATTERNS with a sqlglot SELECT-only stateme...

9.3CVSS6.2AI score0.00646EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 6 hours ago3 views

Linuxfabrik Monitoring Plugins allow insecure creation of SQLite databases

SummaryThe SQLite databases are created at predictable static paths in /tmp. Any user can therefore create a symlink at these paths in /tmp pointing to arbitrary files. The monitoring scripts then follows these symlinks and then creates their database at the symlink target.This becomes really...

5.1CVSS6.3AI score
Exploits0References5Affected Software1
PyPA
PyPA
added 6 hours ago1 views

Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command

SummaryWhen a check plugin places user provided input inside a command which is passed to shellexec, an attacker can abuse this to run arbitrary commands. This is mainly dangerous for plugins which are listed in the sudoers file, because this allows an attacker controlling the nagios user to get...

7.8CVSS6.3AI score
Exploits0References5Affected Software1
OSV
OSV
added 6 hours ago2 views

PYSEC-2026-2577 Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls

SQLChatAgent validatequery dangerous-pattern regex is bypassable via quoted/commented/qualified function names Summary The SQLChatAgent SQL-injection mitigation, with default allowdangerousoperations=False, combines a raw-text regex blocklist DANGEROUSSQLPATTERNS with a sqlglot SELECT-only...

9.3CVSS6.2AI score0.00646EPSS
Exploits0References5
OSV
OSV
added 6 hours ago2 views

PYSEC-2026-2576 Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879

Neo4jChatAgent passes LLM-generated Cypher queries straight to the Neo4j driver with no validation, no statement-type allowlist, and no opt-out gate. The query text is influenceable by prompt injection direct user input or indirect content the agent reads back via RAG, so an attacker who can...

9.2CVSS6.1AI score0.00461EPSS
Exploits0References5
OSV
OSV
added 6 hours ago1 views

PYSEC-2026-3412 WeasyPrint has CSS Injection via Presentational Hints

Summary A CSS injection issue exists in WeasyPrint when HTML presentational hints are enabled. Unescaped attribute values are embedded into CSS, allowing injection of arbitrary CSS declarations. This affects applications processing untrusted HTML input. Details File: weasyprint/css/init.py The...

6.5CVSS6.2AI score
Exploits0References5
PyPA
PyPA
added 6 hours ago2 views

flyto-core has Unauthenticated Command Execution via HTTP MCP `execute_module`

Unauthenticated Command Execution via HTTP MCP executemodule SummaryThe HTTP MCP endpoint POST /mcp in flyto-core accepts unauthenticated JSON-RPC tools/call requests and dispatches them to arbitrary registered modules, including sandbox.executeshell, which passes attacker-controlled input direct...

8.4CVSS6.5AI score
Exploits0References5Affected Software1
OSV
OSV
added 6 hours ago2 views

PYSEC-2026-2594 Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command

Summary When a check plugin places user provided input inside a command which is passed to shellexec, an attacker can abuse this to run arbitrary commands. This is mainly dangerous for plugins which are listed in the sudoers file, because this allows an attacker controlling the nagios user to get...

7.8CVSS6.3AI score
Exploits0References5
OSV
OSV
added 6 hours ago2 views

PYSEC-2026-2579 Langroid: handle_message() executes user-supplied tool JSON without sender verification

Summary A Langroid application exposing a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads, even when tools are registered with use=False, handle=True. Details enablemessage..., use=False, handle=True only prevents the LLM from being instructed to generate...

8.1CVSS6.1AI score0.00392EPSS
Exploits0References5
Rows per page
Query Builder