
35 matches found

CVE
added 2026/05/11 12:0 a.m. · 6 views

CVE-2026-31251

CVE-2026-31251 affects CosyVoice’s gRPC server component. During startup, the server loads the speech synthesis model from a user-specified directory via torch.load() without enabling the weights_only=True security parameter, enabling the pickle-based deserialization of arbitrary Python objects. ...

7.3 CVSS · 6.1 AI score · 0.00041 EPSS
Exploits 0 · References 2

CNNVD
added 2026/05/11 12:0 a.m. · 3 views

CosyVoice security vulnerability

CosyVoice is an open-source voice generation and AI voice cloning platform developed by FunAudioLLM. CosyVoice has a security vulnerability, which stems from the gRPC server component using torch.load to load the voice synthesis model without enabling the weights_only=True security parameter. Thi...

7.3 CVSS · 6.2 AI score · 0.00041 EPSS
Exploits 0 · References 2

RedhatCVE
added 2026/04/06 10:57 a.m. · 0 views

CVE-2026-5536

A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the function sendMessage of the file grpc_server.py of the component gRPC server. Executing a manipulation can lead to deserialization. The attack may be performed from remote. The vendor was contacted early about this...

7.5 CVSS · 6.7 AI score · 0.00056 EPSS
Exploits 0 · References 1

ATTACKERKB
added 2026/04/05 2:45 a.m. · 2 views

CVE-2026-5536

A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the function sendMessage of the file grpc_server.py of the component gRPC server. Executing a manipulation can lead to deserialization. The attack may be performed from remote. The vendor was contacted early about this...

7.5 CVSS · 5.5 AI score · 0.00056 EPSS
Exploits 0 · References 5 · Affected Software 1

Vulnrichment
added 2026/04/05 2:45 a.m. · 0 views

CVE-2026-5536 FedML-AI FedML gRPC server grpc_server.py sendMessage deserialization

A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the function sendMessage of the file grpc_server.py of the component gRPC server. Executing a manipulation can lead to deserialization. The attack may be performed from remote. The vendor was contacted early about this...

7.5 CVSS · 6.7 AI score · 0.00056 EPSS
Exploits 0 · References 4

CVE
added 2026/04/05 2:45 a.m. · 6 views

CVE-2026-5536

FedML-AI prior to 0.8.9 contains a deserialization vulnerability in the gRPC server component, specifically the sendMessage function in grpc_server.py. The issue allows remote manipulation that can lead to deserialization of crafted input, potentially impacting confidentiality, integrity, and ava...

7.5 CVSS · 6.7 AI score · 0.00056 EPSS
Exploits 0 · References 4 · Affected Software 1

Positive Technologies
added 2026/04/05 12:0 a.m. · 1 views

PT-2026-30407

A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the function sendMessage of the file grpc_server.py of the component gRPC server. Executing a manipulation can lead to deserialization. The attack may be performed from remote. The vendor was contacted early about this...

7.5 CVSS · 5.5 AI score · 0.00056 EPSS
Exploits 0 · References 5

vulnersOsv
added 2026/04/03 3:48 a.m. · 1 views

kedro-dagster (>=0.3.0 <=0.5.1), kedro-grpc-server (=0.1.0) +3 more potentially affected by CVE-2026-35171 via kedro (=1.0.0)

kedro PYPI version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on kedro and may be impacted: - kedro-dagster =0.3.0, =0.0.2, =1.0.1, =0.2.0, =0.3.11 Source cves: CVE-2026-35171 Source advisory: SNYK:PYTHON-KEDRO-15875404...

9.8 CVSS · 5.8 AI score · 0.00202 EPSS
Exploits 0

vulnersOsv
added 2026/04/01 6:32 a.m. · 2 views

kedro-dagster (>=0.3.0 <=0.5.1), kedro-grpc-server (=0.1.0) +3 more potentially affected by CVE-2026-35167 via kedro (=1.0.0)

kedro PYPI version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on kedro and may be impacted: - kedro-dagster =0.3.0, =0.0.2, =1.0.1, =0.2.0, =0.3.11 Source cves: CVE-2026-35167 Source advisory: SNYK:PYTHON-KEDRO-15870168...

8.1 CVSS · 5.8 AI score · 0.00022 EPSS
Exploits 0

Hacker One
added 2026/03/22 4:44 a.m. · 4 views

AWS VDP: V2Plugin.Decrypt panics on empty ciphertext (Remote DoS)

A vulnerability was discovered in the "aws-encryption-provider" component where the "V2Plugin.Decrypt" function accessed the ciphertext slice without checking if it was empty, leading to a panic and crashing the entire gRPC server process...

5.8 AI score
Exploits 0

OSV
added 2026/01/12 5:39 p.m. · 9 views

GO-2026-4289 CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages in github.com/coredns/coredns

CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages in github.com/coredns/coredns...

8.7 CVSS · 6.9 AI score · 0.00213 EPSS
Exploits 0 · References 4

EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2024-2795

Malicious code in bioql PyPI...

7.5 CVSS · 7.4 AI score · 0.00361 EPSS
Exploits 0 · References 5

EUVD
added 2025/10/03 8:7 p.m. · 5 views

EUVD-2025-22342

Malicious code in bioql PyPI...

6.6 CVSS · 6.3 AI score · 0.00126 EPSS
Exploits 1 · References 5

RedhatCVE
added 2025/07/24 12:23 a.m. · 7 views

CVE-2025-51481

Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check...

6.6 CVSS · 6.3 AI score · 0.00126 EPSS
Exploits 1 · References 1

Github Security Blog
added 2025/07/22 6:30 p.m. · 9 views

Dagster Local File Inclusion vulnerability

Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check...

6.6 CVSS · 7 AI score · 0.00126 EPSS
Exploits 1 · References 6 · Affected Software 1

CVE
added 2025/07/22 12:0 a.m. · 15 views

CVE-2025-51481

CVE-2025-51481 affects Dagster 1.10.14 and relates to a Local File Inclusion in dagster._grpc.impl.get_notebook_data, where a path traversal sequence in the notebook_path field of ExternalNotebookData requests can cause arbitrary file reads by bypassing the extension-based check. Public sources c...

6.6 CVSS · 7.1 AI score · 0.00126 EPSS
Exploits 1 · References 3 · Affected Software 1

Cvelist
added 2025/07/22 12:0 a.m. · 7 views

CVE-2025-51481

Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check...

0.00126 EPSS
Exploits 1 · References 3

Vulnrichment
added 2025/07/22 12:0 a.m. · 5 views

CVE-2025-51481

Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check...

6.5 AI score · 0.00126 EPSS
Exploits 1 · References 3

Positive Technologies
added 2025/07/22 12:0 a.m. · 4 views

PT-2025-30442 · Dagster · Dagster

Name of the Vulnerable Software and Affected Versions: Dagster version 1.10.14 Description: A local file inclusion issue exists in the dagster._grpc.impl.get_notebook_data function. Attackers with access to the gRPC server can read arbitrary files by providing path traversal sequences in the...

6.6 CVSS · 6.2 AI score · 0.00126 EPSS
Exploits 1 · References 11

SUSE CVE
added 2025/02/14 6:50 a.m. · 1 views

SUSE CVE-2023-4785

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on POSIX-compatible platforms (ex. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Jav...

7.5 CVSS · 7.5 AI score · 0.00042 EPSS
Exploits 0 · References 4