CVE-2026-33310

Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell, the command ma...

CVE-2026-33310 Intake has a Command Injection via shell() Expansion in Parameter Defaults

Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell, the command ma...

Intake has a Command Injection via shell() Expansion in Parameter Defaults

Summary The shell syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell, the command may be executed when the catalog source is accessed. This means that if a user loads a malicious...

EUVD-2019-2175

Malware in sbrugna...

EUVD-2022-5525

Malicious code in bioql PyPI...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the podman kube play command. An attacker can cause sensitive data corruption and system crashes by supplying a malicious Kubernetes YAML file that results in overwriting critical host files. The attacker only...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the podman kube play command. An attacker can cause sensitive data corruption and system crashes by supplying a malicious Kubernetes YAML file that results in overwriting critical host files. The attacker only...

SUSE CVE-2024-10846

The compose-go library component in versions v2.10-v2.4.0 allows an authorized user who sends malicious YAML payloads to cause the compose-go to consume excessive amount of Memory and CPU cycles while parsing YAML, such as used by Docker Compose from versions v2.27.0 to v2.29.7 included...

CVE-2024-10846 Excessive Platform Resource Consumption within a Loop when unmarshalling Compose file having recursive loop

The compose-go library component in versions v2.10-v2.4.0 allows an authorized user who sends malicious YAML payloads to cause the compose-go to consume excessive amount of Memory and CPU cycles while parsing YAML, such as used by Docker Compose from versions v2.27.0 to v2.29.7 included...

CVE-2024-10846 Excessive Platform Resource Consumption within a Loop when unmarshalling Compose file having recursive loop

The compose-go library component in versions v2.10-v2.4.0 allows an authorized user who sends malicious YAML payloads to cause the compose-go to consume excessive amount of Memory and CPU cycles while parsing YAML, such as used by Docker Compose from versions v2.27.0 to v2.29.7 included...

GHSA-36GQ-35J3-P9R9 Excessive Platform Resource Consumption within a Loop when unmarshalling Compose file having recursive loop

Impact The compose-go library component in versions v2.10-v2.4.0 allows an authorized user who sends malicious YAML payloads to cause the compose-go to consume excessive amount of Memory and CPU cycles while parsing YAML, such as used by Docker Compose from versions v2.27.0 to v2.29.7 included...

Excessive Platform Resource Consumption within a Loop when unmarshalling Compose file having recursive loop

Impact The compose-go library component in versions v2.10-v2.4.0 allows an authorized user who sends malicious YAML payloads to cause the compose-go to consume excessive amount of Memory and CPU cycles while parsing YAML, such as used by Docker Compose from versions v2.27.0 to v2.29.7 included...

go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents

A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document...

SnakeYaml: Constructor Deserialization Remote Code Execution

A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution RCE...

UBUNTU-CVE-2023-49297

PyDrive2 is a wrapper library of google-api-python-client that simplifies many common Google Drive API V2 tasks. Unsafe YAML deserilization will result in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution if PyDrive2 is run in the same directory as it, o...

PT-2023-31157 · Google · Google-Api-Python-Client

Name of the Vulnerable Software and Affected Versions: PyDrive2 versions prior to 1.16.2 Description: PyDrive2 is a wrapper library of google-api-python-client that simplifies many common Google Drive API V2 tasks. Unsafe YAML deserialization will result in arbitrary code execution. A maliciously...

SnakeYaml: Constructor Deserialization Remote Code Execution

A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution RCE...

kubernetes-client: Insecure deserialization in unmarshalYaml method

A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML...

K000134748: Kubernetes vulnerabilities CVE-2019-1002100, CVE-2019-11254, CVE-2017-1002101, and CVE-2017-1002102

Security Advisory Description CVE-2019-1002100 In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, users that are authorized to make patch requests to the Kubernetes API Server can send a specially crafted patch of type "json-patch" e.g. kubectl patch --type json or "Content-Type:...

SnakeYaml: Constructor Deserialization Remote Code Execution

A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution RCE...