CVE-2025-52467

pgai is a Python library that transforms PostgreSQL into a retrieval engine for RAG and Agentic applications. Prior to commit 8eb3567, the pgai repository was vulnerable to an attack allowing the exfiltration of all secrets used in one workflow. In particular, the GITHUBTOKEN with write permissio...

CVE-2025-52467 pgai secrets exfiltration via `pull_request_target`

pgai is a Python library that transforms PostgreSQL into a retrieval engine for RAG and Agentic applications. Prior to commit 8eb3567, the pgai repository was vulnerable to an attack allowing the exfiltration of all secrets used in one workflow. In particular, the GITHUBTOKEN with write permissio...

CVE-2025-52467 pgai secrets exfiltration via `pull_request_target`

pgai is a Python library that transforms PostgreSQL into a retrieval engine for RAG and Agentic applications. Prior to commit 8eb3567, the pgai repository was vulnerable to an attack allowing the exfiltration of all secrets used in one workflow. In particular, the GITHUBTOKEN with write permissio...

AZL-64170 CVE-2025-50181 affecting package python-urllib3 for versions less than 1.26.19-2

urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attemptin...

nautobot-chatops (>=1.6.0 <=1.7.1), nautobot-chatops-arista-cloudvision (>=1.0.1 <=1.3.0) +7 more potentially affected by CVE-2025-49142 via nautobot (>=1.0.3 <=1.5.16)

nautobot PYPI version =1.0.3, =1.6.0, =1.0.1, =1.1.0, =0.9.2, =1.5.0, =0.9.0, =0.1.0, =0.1.0, =0.2.0 Source cves: CVE-2025-49142 Source advisory: OSV:PYSEC-2025-79...

SignXML 安全漏洞

SignXML is an open source XML signing and XAdES library for Python from XML-Security. A security vulnerability exists in SignXML versions prior to 4.0.4, which stems from an algorithm obfuscation flaw that could lead to the use of unintended keys to verify signatures...

SignXML 安全漏洞

SignXML is an open source XML signing and XAdES library for Python from XML-Security. A security vulnerability exists in SignXML versions prior to 4.0.4, which stems from a timing attack flaw that could lead to HMAC key disclosure...

[SECURITY] Fedora 42 Update: mingw-python-flit-core-3.12.0-1.fc42

MinGW Python flitcore library...

ace-step (=0.1.0), ambientagi (>=0.1.1 <=0.2.12) +39 more potentially affected by CVE-2025-48889 via gradio (>=5.0.0 <=5.29.1)

gradio PYPI version =5.0.0, =0.1.1, =0.0.1, =1.0.1, =0.1.2, =0.0.5, =0.1.0, =0.0.2, =0.1.0, =2.0.0, =1.1.8b3, =1.0.0, =2025.1.24, =2025.11.0b3 and more Source cves: CVE-2025-48889 Source advisory: SNYK:PYTHON-GRADIO-10265012...

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2025-5321 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2025-5321 Source advisory: SNYK:PYTHON-AIM-10288918...

3d-rcnet (>=0.2.2 <=0.2.3), aa-prepflow (>=0.1.0 <=0.1.1) +1128 more potentially affected by CVE-2025-5320 via gradio (>=1.7.7 <=6.9.0)

gradio PYPI version =1.7.7, =0.2.2, =0.1.0, =0.2.5, =0.3.0, =0.0.3, =0.1.5, =0.8.2.4, =0.2.1, =0.1.0, =0.1.0, =0.1.0, =2.0.0, =3.3.9 and more Source cves: CVE-2025-5320 Source advisory: SNYK:PYTHON-GRADIO-10265013...

CVE-2024-55587

python-libarchive through 4.2.1 allows directory traversal to create files in extract in zip.py for ZipFile.extractall and ZipFile.extract...

CVE-2022-30885

The pyesasky for python, as distributed on PyPI, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.2.0-1.4.2...

Open edX Platform 安全漏洞

Open edX Platform is an open source course management system CMS from Open edX Open Source. The system can be used for MOOCs Massive Open Online Courses as well as smaller courses and training modules. A security vulnerability exists in versions prior to Open edX Platform 6740e75, which stems fro...

CVE-2025-47928

CVE-2025-47928 affects the Spotipy Python library for the Spotify Web API. The issue arises from using GitHub Actions pull_request_target, which can execute untrusted code from a fork with base-repo secrets in the context of the base repository. This can lead to exfiltration of secrets such as GI...

Important: Red Hat Security Advisory: Red Hat OpenStack Platform 18.0 (python-h11) security update

An update for python-h11 is now available for Red Hat OpenStack Platform 18.0 Antelope. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

python: cpython: URL parser allowed square brackets in domain names

A flaw was found in Python. The Python standard library functions urllib.parse.urlsplit and urlparse accept domain names that included square brackets, which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs...

[SECURITY] Fedora 40 Update: python-h11-0.14.0-7.fc40

This is a little HTTP/1.1 library written from scratch in Python, heavily inspired by hyper-h2. It is a "bring-your-own-I/O" library; h11 contains no IO code whatsoever. This means you can hook h11 up to your favorite network API, and that could be anything you want: synchronous, threaded,...

[SECURITY] Fedora 42 Update: python-h11-0.14.0-7.fc42

This is a little HTTP/1.1 library written from scratch in Python, heavily inspired by hyper-h2. It is a "bring-your-own-I/O" library; h11 contains no IO code whatsoever. This means you can hook h11 up to your favorite network API, and that could be anything you want: synchronous, threaded,...

USN-7503-1 python-h11 vulnerability

Jeppe Bonde Weikop discovered that h11 incorrectly handled crafted HTTP requests. A remote attacker could possibly use this issue to smuggle malicious HTTP requests, which could potentially lead to security control bypass and information leakage...