PYSEC-2022-43176
The Zibal package in PyPI v1.0.0 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges...
drxhello security vulnerability
drxhello is a pip package for individual developers. A security vulnerability exists in the PyPI v0.0.1 version of the drxhello package. An attacker exploited the vulnerability to access sensitive user information and digital currency keys, as well as to elevate privileges...
PyPI cloudlabeling security vulnerability
PyPI is a software repository for Python's official third-party software suite from the Python Foundation. cloudlabeling is an API for individual developers to deploy CloudLabeling locally. A security vulnerability exists in the PyPI v0.0.1 version of the cloudlabeling package. An attacker...
CVE-2022-30882
The pyanxdns package in PyPI version 0.2 is vulnerable to a code-execution backdoor. The impact is remote arbitrary code execution. When installing version 0.2 of the pyanxdns package, the request package will be installed...
CVE-2022-30877
The keep package for Python, as distributed on PyPI, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.2...
Malicious code in requessts (PyPI)
Source: checkmarx 281d687d37b55f2d202f7ae0a8b421b286a71ebd2992bf7608ebe030ec6f8e53. Malicious package typosquatting the popular requests package; the payload executes cryptomining malware...
Malicious code in requestts (PyPI)
Source: checkmarx 0c0ffc8f86c690c110698019cf875b931478cfd7c059ea4da99532950ae57829. Malicious package typosquatting the popular requests package; the payload executes cryptomining malware...
Malicious code in equests (PyPI)
Source: checkmarx b07d61adac5cc418902b2b527453dcd02eacb4411a61ea7456c8a9546479e59a. Malicious package typosquatting the popular requests package; the payload executes cryptomining malware...
PYSEC-2022-199
The ctx project hosted on PyPI was taken over via a user account compromise and replaced with a malicious project containing runtime code that collected the content of os.environ.items() when instantiating Ctx objects...
CVE-2022-28470
The marcador package in PyPI, versions 0.1 through 0.13, included a code-execution backdoor...
PYSEC-2022-185
The marcador package in PyPI, versions 0.1 through 0.13, included a code-execution backdoor...
GitLab input validation error vulnerability
GitLab is an open-source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD (Continuous Integration and Continuous Delivery) and other features. An input validation error vulnerability exists in GitLab Community Edition...
CVE-2022-0273
Improper Access Control in Pypi calibreweb prior to 0.6.16...
CVE-2022-0339
Server-Side Request Forgery (SSRF) in PyPI calibreweb prior to 0.6.16...
PYSEC-2022-22
Improper Access Control in Pypi calibreweb prior to 0.6.16...
PYSEC-2022-18
Cross-site Scripting (XSS) - Reflected in PyPI calibreweb prior to 0.6.16...
PYSEC-2021-840
A dependency confusion vulnerability was reported in the Antilles open-source software prior to version 1.0.1 that could allow remote code execution during installation, because a package listed in requirements.txt did not exist in the public package index (PyPI). MITRE classifies this weakness as...
PyPI Python Package Repository Patches Critical Supply Chain Flaw
The maintainers of the Python Package Index (PyPI) last week issued fixes for three vulnerabilities, one of which could be abused to achieve arbitrary code execution and take full control of the official third-party software repository. The security weaknesses were discovered and reported by Japanes...
Cryptominers Slither into Python Projects in Supply-Chain Campaign
A group of cryptominers was found to have infiltrated the Python Package Index (PyPI), a repository of software written in the Python programming language. Like other repositories such as GitHub, npm and RubyGems, PyPI is part of the software supply chain. It offers a place where...
complaintclassify (=0.0.9) potentially affected by CVE-2021-29606 via tensorflow-cpu (=2.4.0)
tensorflow-cpu (PyPI) version 2.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on tensorflow-cpu and may be impacted: complaintclassify 0.0.9. Source CVEs: CVE-2021-29606. Source advisory: OSV:PYSEC-2021-534...