CVE-2025-43948

Codemers KLIMS 1.6.DEV allows Python code injection. A user can provide Python code as an input value for a parameter or qualifier such as for sorting, which will get executed on the server side...

CVE-2025-43948

Codemers KLIMS 1.6.DEV allows Python code injection. A user can provide Python code as an input value for a parameter or qualifier such as for sorting, which will get executed on the server side...

jinja2: Jinja sandbox breakout through attr filter selecting format method

A flaw was found in Jinja. In affected versions, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker who controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content o...

Robot Operating System 安全漏洞

Robot Operating System is a meta-operating system for robots. A security vulnerability exists in Robot Operating System, which originates from YAML deserialization and could lead to the execution of arbitrary Python code by a local or remote user...

EulerOS 2.0 SP13 : python-jinja2 (EulerOS-SA-2025-1324)

According to the versions of the python-jinja2 package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that...

jinja2: Jinja sandbox breakout through attr filter selecting format method

A flaw was found in Jinja. In affected versions, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker who controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content o...

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Jinja

Summary Multiple vulnerabilities in Jinja that is used by InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2024-56326 DESCRIPTION: Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format...

Security Bulletin: IBM Maximo Application Suite Predict Component vulnerable to arbitrary code execution

Summary Security Bulletin: IBM Maximo Application Suite Predict Component may be vulnerable to arbitrary code execution of Python code through the use of Jinja. Vulnerability Details CVEID:CVE-2024-56326 DESCRIPTION: Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how th...

Kedro deserialization vulnerability

A Remote Code Execution RCE vulnerability has been identified in the Kedro ShelveStore class version 0.19.8. This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class use...

Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability

A vulnerability in open-webui/open-webui versions = 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery CSRF. The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious...

CVE-2024-9701

A Remote Code Execution RCE vulnerability has been identified in the Kedro ShelveStore class version 0.19.8. This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class use...

CVE-2024-10252

A vulnerability in langgenius/dify versions =v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. This vulnerability enables an attacker to execute arbitrary Python code with root privileges within the sandbox environment, potentially leading to the deletion of...

CVE-2024-7806 Remote Code Execution by Non-Admin Users via CSRF in open-webui/open-webui

A vulnerability in open-webui/open-webui versions = 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery CSRF. The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious...

CVE-2024-9701 Remote Code Execution in kedro-org/kedro

A Remote Code Execution RCE vulnerability has been identified in the Kedro ShelveStore class version 0.19.8. This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class use...

CVE-2024-9701

CVE-2024-9701 —Kedro’s ShelveStore (version 0.19.8) is vulnerable to Remote Code Execution due to unsafe deserialization: it uses Python’s shelve (pickle-based) and a crafted payload stored in the shelve file can execute arbitrary code upon deserialization. Details are tied to Kedro 0.19.8; no re...

Arbitrary Code Execution (ACE)

Qiskit is vulnerable to Arbitrary Code Execution ACE. The vulnerability is due to unsafe deserialization in the qiskit.qpy.load function, which allows a maliciously crafted QPY file to execute embedded Python code without privilege escalation...

Qiskit allows arbitrary code execution decoding QPY format versions < 13

Impact A maliciously crafted QPY file can potentially execute arbitrary-code embedded in the payload without privilege escalation when deserializing QPY formats 13. A python process calling Qiskit's qiskit.qpy.load function could potentially execute any arbitrary Python code embedded in the corre...

CVE-2025-1497

A vulnerability, that could result in Remote Code Execution RCE, has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. Vendor commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting t...

GHSA-2HMP-5WQG-F24H PlotAI eval vulnerability

A vulnerability, that could result in Remote Code Execution RCE, has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. PlotAI commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting t...

PlotAI eval vulnerability

A vulnerability, that could result in Remote Code Execution RCE, has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code. PlotAI commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting t...