33 matches found
OESA-2026-2308 python-GitPython security update
GitPython is a python library used to interact with git repositories, high-level like git-porcelain, or low-level like git-plumbing. Security Fixes: Summary GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs uploadpack and...
OESA-2026-2307 python-GitPython security update
GitPython is a python library used to interact with git repositories, high-level like git-porcelain, or low-level like git-plumbing. Security Fixes: Summary GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs uploadpack and...
EUVD-2026-28411
GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs uploadpack and receivepack bypass that check. If an...
CVE-2026-42215
GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs uploadpack and receivepack bypass that check. If an...
CVE-2026-42215 GitPython: Command injection via Git options bypass
GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs uploadpack and receivepack bypass that check. If an...
GitPython 操作系统命令注入漏洞
GitPython is a Python library developed by gitpython-developers, used for interacting with Git repositories. Versions of GitPython from 3.1.30 to 3.1.47 contained an operating system command injection vulnerability. This vulnerability stemmed from allowing dangerous Git options without proper...
Insertion of Sensitive Information into Log File
Overview langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File through the Client handling of events. An attacker can bypass redaction controls and...
(Pwn2Own) QNAP TS-453E server_handlers.pyc rr2s.kwargs Error Message Information Disclosure Vulnerability
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of QNAP TS-453E devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the...
CVE-2026-27953 ormar has a Pydantic Validation Bypass via Kwargs Injection in Model Constructor
ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "pkonly": true into a JSON request body. By injecting "pkonly": true into a JSON...
CVE-2026-27953 ormar has a Pydantic Validation Bypass via Kwargs Injection in Model Constructor
ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "pkonly": true into a JSON request body. By injecting "pkonly": true into a JSON...
CVE-2026-27953 ormar has a Pydantic Validation Bypass via Kwargs Injection in Model Constructor
ormar is a async mini ORM for Python. Versions 0.23.0 and below are vulnerable to Pydantic validation bypass through the model constructor, allowing any unauthenticated user to skip all field validation by injecting "pkonly": true into a JSON request body. By injecting "pkonly": true into a JSON...
Information Exposure
Overview apache-airflow-task-sdk is a The Apache Airflow Task SDK includes interfaces for Dag authors and Task execution logic for Python. Affected versions of this package are vulnerable to Information Exposure in the error messages in the UI when a DAG fails during parsing. A user can obtain...
CVE-2025-65995
CVE-2025-65995 is associated with Apache Airflow, described in connected PT-Security data as “Disclosure of secrets to UI via kwargs.” The affected surface is the UI, where secrets may be exposed through kwargs passed to the UI, per the PT-Security entry. The available documents do not specify af...
CVE-2025-65995
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values such as secrets, they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. The issue...
CVE-2025-65995 Apache Airflow: Disclosure of secrets to UI via kwargs
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values such as secrets, they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. The issue...
Apache Airflow 安全漏洞
Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. Versions of Apache Airflow prior to 3.1.4 and 2.11.1...
Denial Of Service (DoS)
vllm is vulnerable to Denial Of Service DoS. The vulnerability is due to unrestricted Jinja template injection through the chattemplate and chattemplatekwargs parameters, where crafted templates can trigger unbounded loops or heavy rendering operations, and attackers can exploit this to exhaust C...
CVE-2025-62426
vLLM is an inference and serving engine for large language models LLMs. From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chattemplatekwargs request parameter that is used in the code before it is properly validated against the chat template. With the...
CVE-2025-62426 vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`
vLLM is an inference and serving engine for large language models LLMs. From version 0.5.5 to before 0.11.1, the /v1/chat/completions and /tokenize endpoints allow a chattemplatekwargs request parameter that is used in the code before it is properly validated against the chat template. With the...
vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`
Summary The /v1/chat/completions and /tokenize endpoints allow a chattemplatekwargs request parameter that is used in the code before it is properly validated against the chat template. With the right chattemplatekwargs parameters, it is possible to block processing of the API server for long...