abadpour (>=6.13.1 <=7.24.1), abcli (>=9.273.1 <=9.572.1) +694 more potentially affected by unknown CVE via mlflow (>=3.0.0rc2 <=3.6.0rc0)

mlflow PYPI version =3.0.0rc2, =6.13.1, =9.273.1, =2.0.0, =0.1.0, =0.1.0, =0.4.4, =0.3.0, =0.1.0, =1.0.0, =0.1.0, =0.20.9, =0.21.10 and more Source cves: unknown CVE Source advisory: SNYK:PYTHON-MLFLOW-14806999...

MAL-2025-193008 Malicious code in telegreph (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 cca72e5a6a205d657e13d29aee3f5448061afd17f222f11db168ef8a20744992 The package, distinguished as a speed testing or typosquatted Telegram library, contains a Telegram bot to perform remote control of the computer --- Category:...

ai-box-lib (>=0.1.0 <=0.1.9), aligned-py (>=0.1.0 <=0.2.0a0) +78 more potentially affected by CVE-2025-68131 via cbor2 (>=5.0.1 <=5.7.1)

cbor2 PYPI version =5.0.1, =0.1.0, =0.1.0, =0.13.0, =0.5.5.post5, =0.5.5.post4, =0.2.0, =0.10.6, =0.7.1a0, =0.1.0, =2.0.1, =1.0.0, =0.0.1, =0.0.5 and more Source cves: CVE-2025-68131 Source advisory: SNYK:PYTHON-CBOR2-14742478...

GHSA-955R-X9J8-7RHH Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.methodcaller

Summary Picklescan uses operator.methodcaller, which is a built-in python library function to execute remote pickle files. Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling to operator.methodcaller function in reduce method - Then when...

a-data-processing (=0.0.1), a-mailx (=0.1.0) +1225 more potentially affected by CVE-2025-68664 via langchain-core (>=0.0.1 <=0.3.8)

langchain-core PYPI version =0.0.1, =0.1.0, =0.1.3, =0.1.0b0, =4.8.2, =0.1.3, =0.1.0, =3.2.0, =2.1.7, =0.0.2, =0.0.5 and more Source cves: CVE-2025-68664 Source advisory: SNYK:PYTHON-LANGCHAINCORE-14560681...

01os (=0.0.14), 3-04-2025-ttm (=0.1.0) +11304 more potentially affected by CVE-2025-14921 via transformers (>=2.10.0 <=5.9.0)

transformers PYPI version =2.10.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.1.0.dev1, =0.1.0, =0.10.11, =0.5.5, =0.0.4.80, =4.0.2 - aait-store-cut-part-001 =0.0.1 and more Source cves: CVE-2025-14921 Source advisory: SNYK:PYTHON-TRANSFORMERS-14564365...

[SECURITY] Fedora 42 Update: fonttools-4.61.0-1.fc42

fontTools is a library for manipulating fonts, written in Python. The project includes the TTX tool, that can convert TrueType and OpenType fonts to and fr om an XML text format, which is also called TTX. It supports TrueType, OpenType, AFM and to an extent Type 1 and some Mac-specific formats...

CVE-2025-66418

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory...

MAL-2025-192579 Malicious code in smtblib (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 15a295f1d98fcbbdd6a077bc3a849966ca3f73919c0d47e58948ff382481e5b6 Malicious copy of a standard library module that during class initialization downloads and executes remote code and after that attempts to cover its tracks by...

CVE-2025-66471

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than...

aa-charlink (>=0.1.1 <=1.0.0), aa-drifters (=0.1.0a0) +509 more potentially affected by CVE-2025-13372 via django (>=4.0.0 <=4.2.26)

django PYPI version =4.0.0, =0.1.1, =1.0.0, =0.1.0a0, =0.11.0a0, =0.1.1, =1.1.0, =0.1.0, =0.0.3, =4.0.9.0, =65.10.0, =65.10.3 and more Source cves: CVE-2025-13372 Source advisory: SNYK:PYTHON-DJANGO-14157810...

[SECURITY] Fedora 42 Update: python-spotipy-2.25.2-1.fc42

A light weight Python library for the Spotify Web API...

EUVD-2025-199770

Spotipy has a XSS vulnerability in its OAuth callback server...

AZL-71264 CVE-2025-13836 affecting package python3 for versions less than 3.12.9-7

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS...

trytoncalidae-authentication-dummy (=7.2.0), trytoncalidae-jinja-report (>=7.2.0 <=7.2.1) +211 more potentially affected by CVE-2025-66424 via trytond (=7.2.23)

trytond PYPI version =7.2.23 is affected by a known vulnerability. The following packages have a transitive dependency on trytond and may be impacted: - trytoncalidae-authentication-dummy =7.2.0 - trytoncalidae-jinja-report =7.2.0, =7.2.0, =7.2.0, =7.2.0, =7.2.0, =7.2.0, =7.2.0, =7.2.0, =7.2.0,...

abilian-sbe (>=1.1.0 <=1.1.12), acfx (>=0.3.1 <=0.3.7.dev2) +688 more potentially affected by CVE-2025-66221 via werkzeug (>=3.0.0 <=3.1.3)

werkzeug PYPI version =3.0.0, =1.1.0, =0.3.1, =4.11.0, =1.0.0, =0.1.3, =0.2.4.1, =0.0.1, =1.3.0, =0.1.0, =0.1.1, =0.5.7, =0.1.0, =0.4.72, =1.0.0, =1.1.0a20250428 and more Source cves: CVE-2025-66221 Source advisory: SNYK:PYTHON-WERKZEUG-14151620...

accessiqlue (=2025.12.21154255), agent-builder (>=0.0.2 <=0.1.7) +320 more potentially affected by CVE-2025-65106 via langchain-core (>=0.4.0.dev0 <=1.0.5)

langchain-core PYPI version =0.4.0.dev0, =0.0.2, =0.1.0, =0.1.1 - ai-benchmark-analyzer =2025.12.21193050 - ai-claim-essence =2025.12.20202921 - ai-design-insights =2025.12.21145447 - ai-mysql-translator =2025.12.21101721 - ai-reliability-analyzer =2025.12.21171415 - ai-risk-extractor...

joserfc 安全漏洞

joserfc is a Python library open-sourced by Authlib. A security vulnerability exists in joserfc version 1.3.3 up to and including version 1.3.5 and version 1.4.0 up to and including version 1.4.2, which stems from an ExceededSizeError exception message embedded in the Undecoded JWT Token section,...

MAL-2025-191753 Malicious code in hexadec (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 f9d0ae8ccf24a6f5bfc3a0d5e39a983576d6edb2c64d9fe31fcb758236a4aa25 Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX Tron / Tronix. Some...

MGASA-2025-0289 Updated python-py packages fix security vulnerability

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS Regular expression Denial of Service attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. CVE-2022-42969...