807 matches found

OSV
added 2025/08/26 9:38 p.m. · 2 views

GHSA-FQQ6-7VQF-W3FG Picklescan is missing detection when calling built-in python doctest.debug_script

Summary: Using the doctest.debug_script function, which is a built-in Python library function, to execute a remote pickle file. Details: The attack payload executes in the following steps: First, the attacker crafts the payload by calling the doctest.debug_script function in the __reduce__ method. Then when the victim...

7.9 AI score
Exploits 0 · References 3
OSV
added 2025/08/26 9:34 p.m. · 2 views

GHSA-P9W7-82W4-7Q8M Picklescan is missing detection when calling built-in python lib2to3.pgen2.pgen.ParserGenerator.make_label

Summary: Using the lib2to3.pgen2.pgen.ParserGenerator.make_label function, which is a built-in Python library function, to execute a remote pickle file. Details: The attack payload executes in the following steps: First, the attacker crafts the payload by calling...

7.9 AI score
Exploits 0 · References 3
OSV
added 2025/08/26 6:35 p.m. · 2 views

GHSA-X696-VM39-CP64 Picklescan has a missing detection when calling built-in python profile.Profile.run

Summary: Using profile.Profile.run, which is a built-in Python library function, to execute a remote pickle file. Details: The attack payload executes in the following steps: First, the attacker crafts the payload by calling the profile.Profile.run function in the __reduce__ method. Then when the victim after...

7.9 AI score
Exploits 0 · References 3
F5 Networks
added 2025/08/21 4:5 p.m. · 3 views

K000153042: Python urllib vulnerability CVE-2019-18348

Security Advisory Description: An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the...

6.1 CVSS · 8.2 AI score · 0.03513 EPSS
Exploits 0 · Affected Software 12
vulnersOsv
added 2025/08/13 5:48 p.m. · 2 views

fast-whisper-diarizer (>=0.1.2 <=0.1.32), faster-whisper-hotkey (>=0.2.7 <=0.4.3) +7 more potentially affected by CVE-2025-23303 via nemo-toolkit (>=2.0.0rc0 <=2.3.0)

nemo-toolkit PYPI version =2.0.0rc0, =0.1.2, =0.2.7, =1.0.0, =0.1.0, =1.0.0, =1.0.7 Source cves: CVE-2025-23303 Source advisory: SNYK:PYTHON-NEMOTOOLKIT-12089392...

9.8 CVSS · 5.8 AI score · 0.00522 EPSS
Exploits 0
vulnersOsv
added 2025/08/13 5:47 p.m. · 3 views

fast-whisper-diarizer (>=0.1.2 <=0.1.32), faster-whisper-hotkey (>=0.2.7 <=0.4.3) +7 more potentially affected by CVE-2025-23304 via nemo-toolkit (>=2.0.0rc0 <=2.3.0)

nemo-toolkit PYPI version =2.0.0rc0, =0.1.2, =0.2.7, =1.0.0, =0.1.0, =1.0.0, =1.0.7 Source cves: CVE-2025-23304 Source advisory: SNYK:PYTHON-NEMOTOOLKIT-11953977...

9.8 CVSS · 6 AI score · 0.00993 EPSS
Exploits 0
CVE
added 2025/08/08 12:3 a.m. · 59 views

CVE-2025-54886

The CVE-2025-54886 issue affects the Python library skops, specifically the Card.get_model path. In versions 0.12.0 and earlier, when loading models, Card.get_model does not adequately prevent arbitrary code execution: if a non-.zip file is provided, it silently falls back from the secure skops l...

8.4 CVSS · 7.2 AI score · 0.00197 EPSS
Exploits 0 · References 2
RedhatCVE
added 2025/07/31 11:9 p.m. · 8 views

CVE-2025-54381

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.0 until 1.4.19, the file upload processing system contains an SSRF vulnerability that allows unauthenticated remote attackers to force the server to make arbitrary HTTP...

9.9 CVSS · 7.6 AI score · 0.11114 EPSS
Exploits 1 · References 1
CVE
added 2025/07/30 1:41 p.m. · 14 views

CVE-2025-54430

CVE-2025-54430 affects the Deduplicate (dedupe) Python library. The issue resides in the GitHub Actions workflow .github/workflows/benchmark-bot.yml, where an issue_comment can trigger and cause untrusted code to run because the workflow checks out the PR branch via ${{ github.event.issue.number ...

9.1 CVSS · 6.6 AI score · 0.0032 EPSS
Exploits 0 · References 2
Vulnrichment
added 2025/07/30 1:41 p.m. · 2 views

CVE-2025-54430 dedupe is vulnerable to secret exfiltration via `issue_comment`

dedupe is a python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, a critical severity vulnerability has been identified within the .github/workflows/benchmark-bot.yml workflow, where a issuecomme...

9.1 CVSS · 7.2 AI score · 0.0032 EPSS
Exploits 0 · References 2
CNNVD
added 2025/07/30 12:0 a.m. · 1 view

Dedupe Python Library operating system command injection vulnerability

Dedupe Python Library is an open source Python library for accurate and scalable fuzzy matching and de-duplication from Dedupe.io. Dedupe Python Library suffers from an operating system command injection vulnerability that stems from issue_comment triggering the execution of untrusted code in the...

9.1 CVSS · 7.5 AI score · 0.0032 EPSS
Exploits 0 · References 2
Positive Technologies
added 2025/07/30 12:0 a.m. · 3 views

PT-2025-31382 · Dedupe · Dedupe

Name of the Vulnerable Software and Affected Versions: dedupe versions prior to commit 3f61e79 Description: dedupe is a Python library used for fuzzy matching, deduplication, and entity resolution on structured data. A critical severity issue exists in the .github/workflows/benchmark-bot.yml...

9.1 CVSS · 6.6 AI score · 0.0032 EPSS
Exploits 0 · References 8
OSV
added 2025/07/29 10:11 p.m. · 5 views

CVE-2025-54381 BentoML is Vulnerable to an SSRF Attack Through File Upload Processing

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.0 until 1.4.19, the file upload processing system contains an SSRF vulnerability that allows unauthenticated remote attackers to force the server to make arbitrary HTTP...

9.9 CVSS · 7 AI score · 0.11114 EPSS
Exploits 1 · References 4
NVD
added 2025/07/26 4:16 a.m. · 5 views

CVE-2025-54412

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in the OperatorFuncNode which can be exploited to hide the execution of untrusted operator methods. This can then be used in a code reuse attack to invoke...

8.7 CVSS · 0.00131 EPSS
Exploits 0 · References 3
CVE
added 2025/07/26 3:29 a.m. · 27 views

CVE-2025-54413

CVE-2025-54413 affects the Python package skops (versions ≤ 0.11.0) due to an inconsistency in the internal MethodNode, which can be exploited to access arbitrary object fields via dot notation during load. This can lead to arbitrary code execution at load time. The issue is fixed in version 12....

8.7 CVSS · 7 AI score · 0.00132 EPSS
Exploits 0 · References 5
Cvelist
added 2025/07/26 3:29 a.m. · 8 views

CVE-2025-54413 skops' MethodNode can access unexpected object fields through dot notation, leading to arbitrary code execution at load time

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at loa...

8.7 CVSS · 0.00132 EPSS
Exploits 0 · References 5
Vulnrichment
added 2025/07/26 3:29 a.m. · 1 view

CVE-2025-54413 skops' MethodNode can access unexpected object fields through dot notation, leading to arbitrary code execution at load time

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at loa...

8.7 CVSS · 7 AI score · 0.00132 EPSS
Exploits 0 · References 5
OSV
added 2025/07/26 3:29 a.m. · 26 views

CVE-2025-54412 skops' Inconsistent Trusted Type Validation Enables Hidden `operator` Methods Execution

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in the OperatorFuncNode which can be exploited to hide the execution of untrusted operator methods. This can then be used in a code reuse attack to invoke...

8.7 CVSS · 7.7 AI score · 0.00131 EPSS
Exploits 0 · References 5
Cvelist
added 2025/07/26 3:29 a.m. · 9 views

CVE-2025-54412 skops' Inconsistent Trusted Type Validation Enables Hidden `operator` Methods Execution

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in the OperatorFuncNode which can be exploited to hide the execution of untrusted operator methods. This can then be used in a code reuse attack to invoke...

8.7 CVSS · 0.00131 EPSS
Exploits 0 · References 3
Vulnrichment
added 2025/07/26 3:29 a.m. · 4 views

CVE-2025-54412 skops' Inconsistent Trusted Type Validation Enables Hidden `operator` Methods Execution

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in the OperatorFuncNode which can be exploited to hide the execution of untrusted operator methods. This can then be used in a code reuse attack to invoke...

8.7 CVSS · 7.2 AI score · 0.00131 EPSS
Exploits 0 · References 3