GHSA-9MQQ-JQXF-GRVW PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection

Summary PraisonAI's MCP Model Context Protocol server praisonai mcp serve registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joi...

CVE-2026-5713 Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to malicious target

The "profiling.sampling" module Python 3.15+ and "asyncio introspection capabilities" 3.14+, "python -m asyncio ps" and "python -m asyncio pstree" features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via t...

EUVD-2024-0090

Malicious code in bioql PyPI...

CVE-2024-0115

NVIDIA CV-CUDA for Ubuntu 20.04, Ubuntu 22.04, and Jetpack contains a vulnerability in Python APIs where a user may cause an uncontrolled resource consumption issue by a long running CV-CUDA Python process. A successful exploit of this vulnerability may lead to denial of service and data loss...

CVE-2022-36027

TensorFlow is an open source platform for machine learning. When converting transposed convolutions using per-channel weight quantization the converter segfaults and crashes the Python process. We have patched the issue in GitHub commit aa0b852a4588cea4d36b74feb05d93055540b450. The fix will be...

GHSA-7C85-87CP-MR6G LlamaIndex Vulnerable to Denial of Service (DoS)

A Denial of Service DoS vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llamaindex project, affecting version latestv0.12.15. The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the maxdepth...

LlamaIndex Vulnerable to Denial of Service (DoS)

A Denial of Service DoS vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llamaindex project, affecting version latestv0.12.15. The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the maxdepth...

CVE-2025-1752

A Denial of Service DoS vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llamaindex project, affecting version latestv0.12.15. The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the maxdepth...

CVE-2025-1752

A Denial of Service DoS vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llamaindex project, affecting version latestv0.12.15. The vulnerability arises due to inappropriate secure coding measures, specifically the lack of proper implementation of the maxdepth...

CVE-2025-2000

A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats 13. A python process calling Qiskit 0.18.0 through 1.4.1's qiskit.qpy.load function could potentially execute any arbitrary Python code embedded...

CVE-2025-2000 Qiskit SDK code execution

A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats 13. A python process calling Qiskit 0.18.0 through 1.4.1's qiskit.qpy.load function could potentially execute any arbitrary Python code embedded ...

CVE-2024-2965

A Denial-of-Service DoS vulnerability exists in the SitemapLoader class of the langchain-ai/langchain repository, affecting all versions. The parsesitemap method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the...

CVE-2024-2965

CVE-2024-2965 affects the LangChain SitemapLoader in langchain-ai/langchain. The parse_sitemap function lacks a guard against self-referential sitemap recursion, enabling an infinite recursion loop that can exhaust server resources and crash the Python process. Multiple trusted sources (NVD, Red ...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-cryptography (SUSE-SU-2024:0763-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2024:0763-1 advisory. - cryptography is a package designed to expose cryptographic primitives and recipes to Python developers...

Denial Of Service (DoS)

cryptography is vulnerable to Denial Of Service DoS. The vulnerability is caused when a certificate's public key and the provided private key do not match, and the hmachash method is called within the privateFormat.PKCS12.encryptionbuilder object. This vulnerability allows an attacker to crash th...

CVE-2024-26130

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if pkcs12.serializekeyandcertificates is called with both a certificate whose public key did not match the provided private key and an...

CVE-2024-26130 cryptography NULL pointer deference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if pkcs12.serializekeyandcertificates is called with both a certificate whose public key did not match the provided private key and an...

CVE-2022-36027 Segfault TFLite converter on per-channel quantized transposed convolutions in TensorFlow

TensorFlow is an open source platform for machine learning. When converting transposed convolutions using per-channel weight quantization the converter segfaults and crashes the Python process. We have patched the issue in GitHub commit aa0b852a4588cea4d36b74feb05d93055540b450. The fix will be...

PYSEC-2019-41

psutil aka python-psutil through 5.6.5 can have a double free. This occurs because of refcount mishandling within a while or for loop that converts system data into a Python object...

SUSE-RU-2019:2505-1 Recommended update for python-jmespath, python-jsonschema, python-paramiko, python-pexpect, python-pip, python-ply, python-pretend, python-process-tests, python-pycodestyle, python-pyflakes, python-pyxdg, python-tabulate, python-vcversioner

This update for python-jmespath, python-jsonschema, python-paramiko, python-pexpect, python-pip, python-ply, python-pretend, python-process-tests, python-pycodestyle, python-pyflakes, python-pyxdg, python-tabulate, python-vcversioner fixes the following issues: python-pip was updated to 10.0.1...