Lucene search

35 matches found

UbuntuCve
added 2026/05/19 4:16 p.m. | 3 views

CVE-2026-31072

The JSONSerializer and CBORSerializer in APScheduler, all versions including 3.10.x and 4.0.0a5, are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and...

9.8 CVSS | 5.9 AI score | 0.00176 EPSS
Exploits: 0 | References: 3

EUVD
added 2026/04/27 2:19 p.m. | 3 views

EUVD-2026-25857

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python module names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run...

5.3 CVSS | 5.3 AI score | 0.00017 EPSS
Exploits: 0 | References: 2

Vulnrichment
added 2026/04/27 2:19 p.m. | 3 views

CVE-2026-6357 pip self-update functionality can import newly installed modules after wheel installation

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python module names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run...

5.3 CVSS | 5.3 AI score | 0.00017 EPSS
Exploits: 0 | References: 2

GithubExploit
added 2026/04/27 1:0 a.m. | 75 views

Exploit for CVE-2026-0911

CVE-2026-0911 — Hustle module import PoC (WordPress plugin)...

7.5 CVSS | 5.3 AI score | 0.00122 EPSS
Exploits: 1

CNNVD
added 2026/04/01 12:0 a.m. | 2 views

Python Install Manager security vulnerability

Python Install Manager is an open-source installation management tool for Python. Python Install Manager has a security vulnerability that stems from including the current working directory in the sys.path, which may allow malicious modules to be imported from a directory controlled by the attack...

7.8 CVSS | 5.8 AI score | 0.0002 EPSS
Exploits: 1 | References: 1

Positive Technologies
added 2026/03/31 12:0 a.m. | 0 views

PT-2026-29288

A vulnerability was found in CMS Made Simple up to 2.2.22. This impacts the function copyFilesToFolder in the library modules/UserGuide/lib/class.UserGuideImporterExporter.php of the component UserGuide Module XML Import. The manipulation results in path traversal. It is possible to launch the...

5.8 CVSS | 5.5 AI score | 0.00076 EPSS
Exploits: 1 | References: 5

OSV
added 2026/03/13 8:2 p.m. | 0 views

GHSA-CWXJ-RR6W-M6W7 Scrapy: Arbitrary Module Import via Referrer-Policy Header in RefererMiddleware

Impact: Since version 1.4.0, Scrapy respects the Referrer-Policy response header to decide whether and how to set a Referer header on follow-up requests. If the header value looked like a valid Python import path, Scrapy would import the referenced object and call it, assuming it referred to a...

7.5 CVSS | 5.9 AI score
Exploits: 0 | References: 3

Vulnrichment
added 2026/02/12 8:52 p.m. | 3 views

CVE-2026-26020 AutoGPT Affected by Remote Code Execution via Dynamic Module Import in Block Loading (__import__)

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to 0.6.48, an authenticated user could achieve Remote Code Execution (RCE) on the backend server by embedding a disabled block inside a graph. The...

9.4 CVSS | 6.3 AI score | 0.00112 EPSS
Exploits: 0 | References: 3

ATTACKERKB
added 2026/02/12 3:31 p.m. | 2 views

CVE-2026-26216

Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The __import__ builtin was included in the allowed builtins, allowing unauthenticated remote...

10 CVSS | 6.7 AI score | 0.00126 EPSS
Exploits: 0 | References: 4

Patchstack
added 2026/01/27 6:13 a.m. | 5 views

WordPress Hustle plugin <= 7.8.9.2 - Authenticated (Subscriber+) Arbitrary File Upload via Module Import vulnerability

Authenticated (Subscriber+) Arbitrary File Upload via Module Import vulnerability discovered by Williwollo CybrX in WordPress Plugin Hustle versions <= 7.8.9.2...

7.5 CVSS | 5.9 AI score | 0.00122 EPSS
Exploits: 1 | References: 1 | Affected Software: 1

Vulnrichment
added 2026/01/24 12:27 p.m. | 4 views

CVE-2026-0911 Hustle <= 7.8.9.2 - Authenticated (Subscriber+) Arbitrary File Upload via Module Import

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, wi...

7.5 CVSS | 6.5 AI score | 0.00122 EPSS
Exploits: 1 | References: 2

Cvelist
added 2026/01/24 12:27 p.m. | 31 views

CVE-2026-0911 Hustle <= 7.8.9.2 - Authenticated (Subscriber+) Arbitrary File Upload via Module Import

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, wi...

7.5 CVSS | 0.00122 EPSS
Exploits: 1 | References: 2

CVE
added 2026/01/24 12:27 p.m. | 8 views

CVE-2026-0911

CVE-2026-0911 concerns the Hustle – Email Marketing, Lead Generation, Optins, Popups WordPress plugin. The vulnerability allows authenticated users with low privileges (e.g., Subscriber+) to upload arbitrary files due to improper file type validation in action_import_module() across versions up t...

7.5 CVSS | 6.6 AI score | 0.00122 EPSS
Exploits: 1 | References: 2

GithubExploit
added 2025/12/04 4:34 p.m. | 146 views

rsc-rce-poc

React Server Actions RCE Vulnerability - Proof of Concept Cre...

8 AI score
Exploits: 0

Snyk
added 2025/11/19 8:31 p.m. | 2 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection in the CSS-to-JavaScript module conversion feature. An attacker can execute arbitrary JavaScript code by injecting $... expressions into CSS files, which are then evaluated when the resulting JavaScript module i...

9.6 CVSS | 7.6 AI score | 0.00023 EPSS
Exploits: 1 | References: 2

EUVD
added 2025/11/13 3:23 a.m. | 1 views

EUVD-2025-177042

Malicious code in process-float-sanitize-module-import npm...

6.6 AI score
Exploits: 0

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2015-1480

Malware in sbrugna...

7.8 CVSS | 7.4 AI score | 0.00136 EPSS
Exploits: 0 | References: 5

EUVD
added 2025/10/03 8:7 p.m. | 6 views

EUVD-2025-24871

Malicious code in bioql PyPI...

5.4 CVSS | 6.3 AI score | 0.00094 EPSS
Exploits: 0 | References: 6

Spring Engineering
added 2025/09/16 12:0 a.m. | 2 views

This Week in Spring - September 16th, 2025

Hi, Spring fans! Welcome to another extra special installment of This Week in Spring, wherein we celebrate a very auspicious day indeed: the release of Java 25 and GraalVM 25! That's right: an incredible new iteration of the JVM has just dropped and with it come a ton of features! Let's go throu...

7.5 CVSS | 6.9 AI score | 0.00112 EPSS
Exploits: 0

CVE
added 2025/06/09 12:42 p.m. | 45 views

CVE-2025-49131

CVE-2025-49131 affects FastGPT’s sandbox container (fastgpt-sandbox) prior to 4.9.11. The issue is insufficient isolation and overly permissive syscalls that allow bypassing Python import restrictions, enabling reads/writes of arbitrary files and potential sandbox escape. A PoC exploit exists...

9.9 CVSS | 6.7 AI score | 0.00829 EPSS
Exploits: 1 | References: 5 | Affected Software: 1