
807 matches found

OPENSUSE Linux
added 2025/04/12 12:0 a.m., 10 views

python311-PyJWT-2.10.1-2.1 on GA media (moderate)

python311-PyJWT-2.10.1-2.1 on GA media Announcement ID: openSUSE-SU-2025:14987-1 Rating: moderate Cross-References: CVE-2022-29217 CVSS scores: CVE-2022-29217 SUSE : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can...

CVSS 7.5, AI score 7.3, EPSS 0.012
Exploits: 0

BDU FSTEC
added 2025/04/10 12:0 a.m., 3 views

The vulnerability of the HTTP library Urllib3 in the Python programming language involves authentication process errors, which allow attackers to access sensitive data and compromise its integrity.

The vulnerability of the HTTP library Urllib3 in the Python programming language is related to errors in the certificate validation process. Exploiting this vulnerability can allow an attacker to gain access to confidential data and compromise its integrity...

CVSS 6.5, AI score 6.8, EPSS 0.02109
Exploits: 0, References: 7, Affected Software: 3

vulnersOsv
added 2025/04/09 12:59 p.m., 1 views

ai-dynamo (=0.1.0), bento-sgl-router (>=0.0.1 <=0.0.6) +22 more potentially affected by CVE-2025-32375 via bentoml (>=1.0.0a7 <=1.4.7)

bentoml PYPI version =1.0.0a7, =0.0.1, =0.2.3, =0.1.0, =0.0.1, =1.0.1, =0.1.0, =0.2.0, =0.3.12, =0.0.1, =1.0.3, =1.0.4 and more Source cves: CVE-2025-32375 Source advisory: SNYK:PYTHON-BENTOML-9679274...

CVSS 9.8, AI score 7.7, EPSS 0.43809
Exploits: 4

OSV
added 2025/04/07 7:37 p.m., 6 views

GHSA-V7X6-RV5Q-MHWC Picklescan missing detection when calling built-in python library function timeit.timeit()

Summary Using timeit.timeit function, which is a built-in python library function to execute remote pickle file. Details Pickle’s deserialization process is known to allow execution of function via reduce method. While Picklescan is meant to detect such exploits, this attack evades detection by...

CVSS 5.3, AI score 8.4
Exploits: 0, References: 4

RedhatCVE
added 2025/04/06 3:30 p.m., 14 views

CVE-2025-27520

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution RCE vulnerability caused by insecure deserialization has been identified in the latest version v1.4.2 of BentoML. It allows any unauthenticated user to execute...

CVSS 9.8, AI score 8.4, EPSS 0.43672
Exploits: 5, References: 1

CVE
added 2025/04/04 2:28 p.m., 136 views

CVE-2025-27520

BentoML 1.4.2 contains an insecure deserialization flaw in serde.py that enables unauthenticated RCE via crafted payloads. The issue, described across CVE-2025-27520 sources, is fixed in 1.4.3. Public PoCs and exploit modules exist (GitHub, Metasploit) illustrating remote command execution attemp...

CVSS 9.8, AI score 10, EPSS 0.43672
Exploits: 5, References: 2, Affected Software: 1

vulnersOsv
added 2025/04/03 6:42 a.m., 6 views

apss (>=0.1.0 <=0.3.0), hebo-mindspore (>=0.2.0 <=0.2.1) +12 more potentially affected by CVE-2025-3145 via mindspore (>=2.7.0 <=2.9.0)

mindspore PYPI version =2.7.0, =0.1.0, =0.2.0, =1.6.0, =0.2.0, =1.4.0, =0.0.12, =1.0.0, =0.0.1, =0.0.1, =0.1.0, =0.1.4 Source cves: CVE-2025-3145 Source advisory: SNYK:PYTHON-MINDSPORE-10361605...

CVSS 4.8, AI score 5.8, EPSS 0.00152
Exploits: 0

vulnersOsv
added 2025/04/03 4:15 a.m., 3 views

01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +25158 more potentially affected by CVE-2025-3136 via torch (>=1.0.0 <=2.5.1)

torch PYPI version =1.0.0, =1.0.0, =0.1.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.10 and more Source cves: CVE-2025-3136 Source advisory: OSV:PYSEC-2025-197...

CVSS 4.8, AI score 5.4, EPSS 0.00213
Exploits: 1

OSV
added 2025/03/25 4:25 p.m., 4 views

CLSA-2025-1742919946 python3.9: Fix of 2 CVEs

CVE-2024-11168: fix improper validation of bracketed hosts in urllib.parse.urlsplit and urlparse functions - CVE-2025-0938: fix incomplete algorithm of validating hosts by disallowing square brackets in domain names...

CVSS 6.3, AI score 6.8, EPSS 0.01437
Exploits: 0, References: 1

vulnersOsv
added 2025/03/20 12:32 p.m., 3 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-8061 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-8061 Source advisory: SNYK:PYTHON-AIM-9511136...

CVSS 7.5, AI score 7.1, EPSS 0.00446
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m., 5 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-6483 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-6483 Source advisory: SNYK:PYTHON-AIM-9511134...

CVSS 5.3, AI score 5.8, EPSS 0.00814
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m., 1 views

agentverse (=0.1.8.1), airoboros (=2.1.1) +35 more potentially affected by CVE-2024-12376 via fschat (>=0.2.2 <=0.2.36)

fschat PYPI version =0.2.2, =0.3.0, =0.0.1, =1.1.0, =0.1.1, =0.1.1, =0.9.0.8, =0.1.1, =0.1.8 and more Source cves: CVE-2024-12376 Source advisory: SNYK:PYTHON-FSCHAT-9553180...

CVSS 7.5, AI score 7, EPSS 0.00703
Exploits: 1

vulnersOsv
added 2025/03/20 12:32 p.m., 3 views

3d-rcnet (>=0.2.2 <=0.2.3), aa-prepflow (>=0.1.0 <=0.1.1) +1128 more potentially affected by CVE-2024-12217 via gradio (>=1.7.7 <=6.9.0)

gradio PYPI version =1.7.7, =0.2.2, =0.1.0, =0.2.5, =0.3.0, =0.0.3, =0.1.5, =0.8.2.4, =0.2.1, =0.1.0, =0.1.0, =0.1.0, =2.0.0, =3.3.9 and more Source cves: CVE-2024-12217 Source advisory: SNYK:PYTHON-GRADIO-9510952...

CVSS 5.3, AI score 5.8, EPSS 0.0064
Exploits: 0

vulnersOsv
added 2025/03/20 12:32 p.m., 5 views

ace-step (=0.1.0), aiconfigurator (>=0.1.0 <=0.2.0) +206 more potentially affected by CVE-2024-10624 via gradio (>=4.38.1 <=5.25.2)

gradio PYPI version =4.38.1, =0.1.0, =0.0.4, =0.1.1, =0.1.0, =25.3.1, =0.0.1, =0.1.0, =0.1.0, =0.1.1, =0.1.0a20, =1.1.1, =25.3.1, =25.3.8 - cleaners =0.1.0 and more Source cves: CVE-2024-10624 Source advisory: SNYK:PYTHON-GRADIO-9487018...

CVSS 7.5, AI score 7.1, EPSS 0.01015
Exploits: 1

vulnersOsv
added 2025/03/20 10:49 a.m., 6 views

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-7760 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-7760 Source advisory: SNYK:PYTHON-AIM-9637809...

CVSS 9.6, AI score 7.1, EPSS 0.00474
Exploits: 1

CNNVD
added 2025/03/20 12:0 a.m., 5 views

sagemaker-python-sdk security vulnerability

sagemaker-python-sdk is an Amazon Web Services open source library for training and deploying machine learning models on Amazon SageMaker. A security vulnerability exists in sagemaker-python-sdk that stems from an MD5 hash collision in the SageMaker Workflow component that could result in workflo...

CVSS 5.9, AI score 5.7, EPSS 0.00247
Exploits: 0, References: 2

Fedora
added 2025/03/15 12:49 a.m., 12 views

[SECURITY] Fedora 42 Update: python-spotipy-2.25.1-1.fc42

A light weight Python library for the Spotify Web API...

CVSS 9.8, AI score 7.3, EPSS 0.00589
Exploits: 1

BDU FSTEC
added 2025/03/13 12:0 a.m., 4 views

The vulnerability of the Babel.Locale function in the library that helps to internationalize and localize Python applications allows attackers to execute arbitrary code.

The vulnerability of the Babel.Locale function in the library for helping with internationalization and localization of Python applications is related to an incorrect restriction on the path to a limited directory. Exploiting this vulnerability could allow an attacker to execute arbitrary code...

CVSS 7.8, AI score 7.5, EPSS 0.00716
Exploits: 1, References: 5, Affected Software: 19

OSV
added 2025/03/10 7:45 p.m., 3 views

CLSA-2025-1741635940 python3: Fix of 2 CVEs

CVE-2024-11168: fix improper validation of bracketed hosts in urllib.parse.urlsplit and urlparse functions - CVE-2025-0938: fix incomplete algorithm of validating hosts by disallowing square brackets in domain names...

CVSS 6.3, AI score 6.8, EPSS 0.01437
Exploits: 0, References: 1

Fedora
added 2025/03/08 1:36 a.m., 16 views

[SECURITY] Fedora 40 Update: python-spotipy-2.25.1-1.fc40

A light weight Python library for the Spotify Web API...

CVSS 9.8, AI score 7, EPSS 0.00589
Exploits: 1