795 matches found

OSV, added 2025/05/07 7:11 p.m.

RLSA-2024:4244 Moderate: python3.11-PyMySQL security update

This package contains a pure-Python MySQL client library. The goal of PyMySQL is to be a drop-in replacement for MySQLdb and work on CPython, PyPy, IronPython and Jython. Security Fixes: python-pymysql: SQL injection if used with untrusted JSON input CVE-2024-36039 For more details about the...

CVSS 6.3 | AI score 7 | EPSS 0.00136 | Exploits 1 | References 2
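The PyMySQL advisory above says only that the injection arises when untrusted JSON is used as query input. The following added example (not PyMySQL's code and not the fix) shows the defensive habit that closes this class of problem regardless of driver: values taken from request JSON are reduced to scalars, with any nested object or array serialised back to a single JSON string, before they are handed to cursor.execute(). The request body, the field names and the table in the commented-out execute() call are constructed for the demo.

```python
"""Coerce JSON-derived values into scalar DB-API parameters before execute()."""
from __future__ import annotations

import json
from typing import Any

# Types a DB-API driver escapes as one literal.
SCALARS = (str, bytes, int, float, bool, type(None))

# Constructed request body: the "prefs" member is an object, and one of its
# members carries a quote-breaking string.
REQUEST_BODY = '{"user": "alice", "prefs": {"theme": "dark", "x": "1\' OR 1=1"}}'


def safe_params(values: list[Any]) -> tuple:
    """Return `values` as a tuple suitable for cursor.execute(query, params).

    Scalars pass through unchanged. dict and list values (what json.loads
    produces for objects and arrays) are serialised to one JSON string so the
    driver sees an ordinary str parameter rather than a Python container whose
    escaping is driver-specific. Anything else is refused.
    """
    out = []
    for value in values:
        if isinstance(value, SCALARS):
            out.append(value)
        elif isinstance(value, (dict, list)):
            # Stable encoding: the column then holds valid, comparable JSON.
            out.append(json.dumps(value, separators=(",", ":"), sort_keys=True))
        else:
            raise TypeError(f"unsupported parameter type: {type(value).__name__}")
    return tuple(out)


def params_from_request(raw_body: str, fields: tuple[str, ...]) -> tuple:
    """Pick the named members out of a JSON object body and coerce them."""
    doc = json.loads(raw_body)
    if not isinstance(doc, dict):
        raise TypeError("request body must be a JSON object")
    return safe_params([doc.get(name) for name in fields])


def is_refused(values: list[Any]) -> bool:
    """True if safe_params() rejects `values`."""
    try:
        safe_params(values)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    params = params_from_request(REQUEST_BODY, ("user", "prefs"))
    print(params)
    # With a live connection the coerced tuple is the only thing that reaches
    # the driver; the query text itself never changes:
    # cursor.execute("INSERT INTO profiles (user, prefs) VALUES (%s, %s)", params)
```

The point of the guard is that the driver only ever escapes `str`, numbers and `None`; whatever a particular version does with a `dict` or `list` argument never comes into play.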
vulnersOsv, added 2025/04/26 9:41 p.m.

acatome-chat (>=0.2.1 <=0.4.2), acatome-extract (>=0.2.0 <=0.6.1) +133 more potentially affected by CVE-2025-46656 via markdownify (>=0.10.3 <=0.13.1)

markdownify PYPI version =0.10.3, =0.2.1, =0.2.0, =1.0.1, =0.8.1, =0.15.0, =0.0.18, =0.3.3, =0.1.46, =0.1.0, =0.1.0, =0.0.1, =1.0.1, =1.0.9 and more Source cves: CVE-2025-46656 Source advisory: SNYK:PYTHON-MARKDOWNIFY-9833926...

CVSS 3.3 | AI score 5.8 | EPSS 0.00106 | Exploits 1
Packet Storm News, added 2025/04/25 12:00 a.m.

LightDSA: a Python-Based Hybrid Digital Signature Library and Performance Analysis of RSA, DSA, ECDSA and EdDSA in Variable Configurations, Elliptic Curve Forms and Curves

Digital signature algorithms (DSAs) are fundamental to cryptographic security, ensuring data integrity and authentication. While RSA, DSA, ECDSA, and EdDSA are widely used, their performance varies significantly depending on key sizes, hash functions, and elliptic curve configurations. In this pape...

AI score 7.1 | Exploits 0
CNNVD, added 2025/04/24 12:00 a.m.

h11 environment issue vulnerability

h11 is a small HTTP/1.1 library written from scratch in Python by the individual developer Nathaniel J. Smith. An environment issue vulnerability exists in versions of h11 prior to 0.16.0; it stems from improper parsing of line terminators and could lead to a request smuggling attack...

CVSS 9.1 | AI score 7.4 | EPSS 0.00242 | Exploits 0 | References 4
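The entry above names the mechanism (improper parsing of line terminators in a chunked body) but not what it looks like on the wire. The following added example, written for this page and not taken from h11 or its fix, puts a lenient and a strict chunked-body decoder side by side: the lenient one skips the two bytes after each chunk's data without looking at them, the strict one requires them to be CRLF. Both inputs are constructed; the general desynchronisation they show is the precondition for request smuggling, not the specific payload from any advisory.

```python
"""Chunked transfer decoding: what a lenient chunk terminator check lets through."""
from __future__ import annotations


def decode_chunked(stream: bytes, strict: bool) -> tuple[bytes, bytes]:
    """Decode one chunked message body from the front of `stream`.

    Returns (decoded_body, bytes_left_over). After each chunk's data two bytes
    are consumed: with strict=True they must be CRLF, otherwise ValueError is
    raised; with strict=False they are skipped unchecked (the lenient
    behaviour this demo is about). Trailer fields are not handled.
    """
    body = bytearray()
    pos = 0
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("chunk-size line not terminated")
        size_field = stream[pos:eol].split(b";", 1)[0].strip()  # ignore chunk extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # Last chunk: with no trailers the body ends with one bare CRLF.
            if stream[pos:pos + 2] != b"\r\n":
                raise ValueError("missing final CRLF")
            return bytes(body), stream[pos + 2:]
        data = stream[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated chunk data")
        body += data
        pos += size
        terminator = stream[pos:pos + 2]
        if strict and terminator != b"\r\n":
            raise ValueError(f"bad chunk terminator {terminator!r}")
        pos += 2


# Constructed inputs: a well-formed body, and one whose first chunk is followed
# by "XX" instead of CRLF. Each is followed by bytes that look like the start
# of the next request on the same connection.
WELL_FORMED = b"5\r\nhello\r\n0\r\n\r\n" + b"GET /next HTTP/1.1\r\n\r\n"
BAD_TERMINATOR = b"5\r\nhelloXX0\r\n\r\n" + b"GET /admin HTTP/1.1\r\n\r\n"


def compare(stream: bytes) -> dict[str, tuple]:
    """Run both decoders over `stream` and report what each concluded."""
    result = {}
    for name, strict in (("lenient", False), ("strict", True)):
        try:
            result[name] = decode_chunked(stream, strict)
        except ValueError as exc:
            result[name] = ("rejected", str(exc))
    return result


if __name__ == "__main__":
    for label, stream in (("well-formed", WELL_FORMED), ("bad terminator", BAD_TERMINATOR)):
        print(label)
        for name, outcome in compare(stream).items():
            print(f"  {name:8}: {outcome!r}")
```

On the second input the lenient decoder reports a complete body and hands `GET /admin ...` on as the next request, while the strict one refuses the message. When the two parsers sit at different hops of the same connection (a proxy and the application server), that disagreement is exactly the split an attacker needs; a decoder that returns a body for the `XX` input is the behaviour to fix.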
vulnersOsv, added 2025/04/21 5:43 p.m.

openwebui-token-tracking (=0.1.7) potentially affected by CVE-2025-29446 via open-webui (=0.6.0)

open-webui PYPI version =0.6.0 is affected by a known vulnerability. The following packages have a transitive dependency on open-webui and may be impacted: - openwebui-token-tracking =0.1.7 Source cves: CVE-2025-29446 Source advisory: SNYK:PYTHON-OPENWEBUI-9789616...

CVSS 3.3 | AI score 5.8 | EPSS 0.00086 | Exploits 1
Kitploit, added 2025/04/16 12:30 p.m.

Wappalyzer-Next - Python library that uses Wappalyzer extension (and its fingerprints) to detect technologies

This project is a command line tool and Python library that uses the Wappalyzer extension and its fingerprints to detect technologies. Other projects that emerged after the discontinuation of the official open source project use outdated fingerprints and lack accuracy when used on dynamic web apps; this...

AI score 7.1 | Exploits 0 | References 4
vulnersOsv, added 2025/04/15 9:21 p.m.

dev-laiser (>=0.0.2 <=0.2.17), dillema (>=0.1.1 <=0.1.6) +15 more potentially affected by CVE-2025-32381 via xgrammar (>=0.1.11 <=0.1.17)

xgrammar PYPI version =0.1.11, =0.0.2, =0.1.1, =0.1.1, =0.0.2, =0.0.7, =1.2.0, =0.1.20, =0.0.2, =0.1.2, =1.2.0, =0.1.0, =0.1.2 and more Source cves: CVE-2025-32381 Source advisory: SNYK:PYTHON-XGRAMMAR-9724725...

CVSS 6.5 | AI score 6.5 | EPSS 0.00354 | Exploits 0
OSV, added 2025/04/14 11:34 a.m.

BIT-PYTHON-MIN-2025-0938 URL parser allowed square brackets in domain names

The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in...

CVSS 6.3 | AI score 5.9 | EPSS 0.01639 | Exploits 0 | References 12
OPENSUSE Linux, added 2025/04/12 12:00 a.m.

python311-PyJWT-2.10.1-2.1 on GA media (moderate)

python311-PyJWT-2.10.1-2.1 on GA media
Announcement ID: openSUSE-SU-2025:14987-1
Rating: moderate
Cross-References: CVE-2022-29217
CVSS scores: CVE-2022-29217 SUSE: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products: openSUSE Tumbleweed
An update that solves one vulnerability can...

CVSS 7.5 | AI score 7.3 | EPSS 0.00422 | Exploits 0
BDU FSTEC, added 2025/04/10 12:00 a.m.

The vulnerability of the HTTP library Urllib3 in the Python programming language involves authentication process errors, which allow attackers to access sensitive data and compromise its integrity.

The vulnerability of the HTTP library Urllib3 in the Python programming language is related to errors in the certificate validation process. Exploiting this vulnerability can allow an attacker to gain access to confidential data and compromise its integrity...

CVSS 6.5 | AI score 6.8 | EPSS 0.00124 | Exploits 0 | References 7 | Affected software 3
vulnersOsv, added 2025/04/09 12:59 p.m.

ai-dynamo (=0.1.0), bento-sgl-router (>=0.0.1 <=0.0.6) +22 more potentially affected by CVE-2025-32375 via bentoml (>=1.0.0a7 <=1.4.7)

bentoml PYPI version =1.0.0a7, =0.0.1, =0.2.3, =0.1.0, =0.0.1, =1.0.1, =0.1.0, =0.2.0, =0.3.12, =0.0.1, =1.0.3, =1.0.4 and more Source cves: CVE-2025-32375 Source advisory: SNYK:PYTHON-BENTOML-9679274...

CVSS 9.8 | AI score 7.7 | EPSS 0.65238 | Exploits 4
OSV, added 2025/04/07 7:37 p.m.

GHSA-V7X6-RV5Q-MHWC Picklescan missing detection when calling built-in python library function timeit.timeit()

Summary: the timeit.timeit function, a built-in Python library function, is used to execute a remote pickle file. Details: pickle's deserialization process is known to allow execution of functions via the reduce method. While Picklescan is meant to detect such exploits, this attack evades detection by...

CVSS 5.3 | AI score 8.4 | Exploits 0 | References 4
RedhatCVE, added 2025/04/06 3:30 p.m.

CVE-2025-27520

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version, v1.4.2, of BentoML. It allows any unauthenticated user to execute...

CVSS 9.8 | AI score 8.4 | EPSS 0.75759 | Exploits 5 | References 1
CVE, added 2025/04/04 2:28 p.m.

CVE-2025-27520

BentoML 1.4.2 contains an insecure deserialization flaw in serde.py that enables unauthenticated RCE via crafted payloads. The issue, described across CVE-2025-27520 sources, is fixed in 1.4.3. Public PoCs and exploit modules exist (GitHub, Metasploit) illustrating remote command execution attemp...

CVSS 9.8 | AI score 10 | EPSS 0.75759 | Exploits 5 | References 2 | Affected software 1
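The Picklescan entry above and the two BentoML entries come down to one mechanism: a pickle stream can name any importable callable and have it invoked during loading, so scanning for known-bad names is weaker than refusing unknown names outright. The following added example (not code from Picklescan, BentoML or either advisory) builds a payload that reduces to timeit.timeit, which compiles and runs the statement string it is given, shows that a plain pickle.loads() executes it, and shows an allow-list unpickler refusing the stream before anything runs. The marker environment variable, the statement and the allow-list contents are constructed for the demo; the statement is deliberately harmless.

```python
"""A pickle that runs code through timeit.timeit, and an unpickler that refuses it."""
from __future__ import annotations

import io
import os
import pickle
import time
import timeit
from collections import OrderedDict

# Constructed: environment variable the payload sets so the demo can tell
# whether its statement ran.
MARKER = "PICKLE_DEMO_RAN"

# The statement executed at unpickling time. os is reached through
# __import__, so the pickle stream itself never references os or subprocess.
STMT = f"__import__('os').environ[{MARKER!r}] = '1'"


class TimeitGadget:
    """Reduces to a call of timeit.timeit(stmt, setup, timer, number)."""

    def __reduce__(self):
        return (timeit.timeit, (STMT, "pass", time.perf_counter, 1))


def build_payload() -> bytes:
    """Serialise the gadget: the stream contains only stdlib names and a string."""
    return pickle.dumps(TimeitGadget())


def plain_load(payload: bytes) -> bool:
    """True if an unrestricted pickle.loads() ran the embedded statement."""
    os.environ.pop(MARKER, None)
    pickle.loads(payload)  # returns the timing float; the side effect is the point
    return os.environ.pop(MARKER, None) == "1"


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals; every other name is an error.

    The allow-list is a constructed example. In a real service it lists the
    exact classes the format is expected to carry and nothing else.
    """

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not permitted")


def restricted_load(payload: bytes):
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def restricted_rejects(payload: bytes) -> bool:
    """True if the allow-list unpickler refused `payload` without running it."""
    os.environ.pop(MARKER, None)
    try:
        restricted_load(payload)
    except pickle.UnpicklingError:
        return os.environ.pop(MARKER, None) is None
    return False


def roundtrip_safe(obj):
    """Benign data still loads through the restricted unpickler."""
    return restricted_load(pickle.dumps(obj))


def allowlist_roundtrip() -> bool:
    """An allow-listed class resolves; this is the one find_class path that succeeds."""
    d = OrderedDict(x=1, y=[2, 3])
    return roundtrip_safe(d) == d


if __name__ == "__main__":
    payload = build_payload()
    print("plain pickle.loads ran the statement:", plain_load(payload))
    print("restricted unpickler refused it:     ", restricted_rejects(payload))
```

The refusal happens when the unpickler resolves the callable, which the stream names before its arguments, so no part of the payload is evaluated. That is the property a consumer of untrusted serialised objects needs: either a format that cannot name code at all, or a loader whose set of resolvable names is closed.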
vulnersOsv, added 2025/04/03 6:42 a.m.

apss (>=0.1.0 <=0.3.0), hebo-mindspore (>=0.2.0 <=0.2.1) +12 more potentially affected by CVE-2025-3145 via mindspore (>=2.7.0 <=2.9.0)

mindspore PYPI version =2.7.0, =0.1.0, =0.2.0, =1.6.0, =0.2.0, =1.4.0, =0.0.12, =1.0.0, =0.0.1, =0.0.1, =0.1.0, =0.1.4 Source cves: CVE-2025-3145 Source advisory: SNYK:PYTHON-MINDSPORE-10361605...

CVSS 4.8 | AI score 5.8 | EPSS 0.00241 | Exploits 0
vulnersOsv, added 2025/04/03 4:15 a.m.

01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +25158 more potentially affected by CVE-2025-3136 via torch (>=1.0.0 <=2.5.1)

torch PYPI version =1.0.0, =1.0.0, =0.1.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.10 and more Source cves: CVE-2025-3136 Source advisory: OSV:PYSEC-2025-197...

CVSS 4.8 | AI score 5.4 | EPSS 0.00061 | Exploits 1
OSV, added 2025/03/25 4:25 p.m.

CLSA-2025-1742919946 python3.9: Fix of 2 CVEs

- CVE-2024-11168: fix improper validation of bracketed hosts in the urllib.parse.urlsplit and urlparse functions
- CVE-2025-0938: fix incomplete algorithm for validating hosts by disallowing square brackets in domain names...

CVSS 6.3 | AI score 6.8 | EPSS 0.01639 | Exploits 0 | References 1
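The BIT-PYTHON-MIN-2025-0938 entry above and this python3.9 entry describe the same gap from two sides: urlsplit()/urlparse() accepting square brackets around something that is not an IPv6 literal, and accepting brackets inside an ordinary domain name. The following added example (not CPython's code and not its patch) is a guard a caller can put around urlsplit() that applies the RFC 3986 rule explicitly: brackets are accepted only as the delimiters of one IPv6 or IPvFuture literal, with nothing but an optional port after them. On interpreters that already carry the fix, urlsplit() raises ValueError itself and the guard is a no-op; the URLs in the usage block are constructed.

```python
"""Reject URLs whose host misuses square brackets, as a guard around urlsplit()."""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986 section 3.2.2, IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"v[0-9a-f]+\.[a-z0-9._~!$&'()*+,;=:-]+", re.IGNORECASE)
# The only thing allowed after a closing ']' is an optional ":port".
_PORT_SUFFIX = re.compile(r"(:[0-9]*)?")


def validated_host(url: str) -> str:
    """Return the hostname of `url`, or raise ValueError.

    Square brackets are accepted only as the delimiters of a single IPv6 or
    IPvFuture literal in the authority. A bracketed IPv4 address, a bracketed
    domain name, trailing junk after ']' and a stray bracket inside a plain
    domain name are all rejected.
    """
    parts = urlsplit(url)  # newer CPython raises ValueError here on its own
    authority = parts.netloc.rsplit("@", 1)[-1]  # drop userinfo, keep host[:port]
    if authority.startswith("["):
        close = authority.find("]")
        if close < 0 or not _PORT_SUFFIX.fullmatch(authority[close + 1:]):
            raise ValueError("unterminated bracketed host or junk after ']'")
        literal = authority[1:close]
        if literal[:1].lower() == "v":
            if not _IPVFUTURE.fullmatch(literal):
                raise ValueError("malformed IPvFuture literal")
        elif not isinstance(ipaddress.ip_address(literal), ipaddress.IPv6Address):
            # ip_address() itself raises ValueError for non-addresses such as
            # "example.com"; an IPv4 literal parses but is not allowed in brackets.
            raise ValueError("only IPv6 literals may be enclosed in brackets")
    elif "[" in authority or "]" in authority:
        raise ValueError("square brackets are not allowed in a domain name")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return parts.hostname


def rejects(url: str) -> bool:
    """True if `url` is refused, whether by urlsplit() itself or by the guard."""
    try:
        validated_host(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for url in (
        "http://[::1]:8080/",
        "https://user:pw@example.com/x",
        "http://[example.com]/",
        "http://[127.0.0.1]/",
        "http://example.com]/",
        "http://[::1]junk/",
    ):
        print(f"{url:32} -> {'rejected' if rejects(url) else validated_host(url)}")
```

The guard matters wherever the hostname is compared against an allow-list or used to pick a backend: a parser that silently strips brackets from `[example.com]` hands back `example.com`, so a check on the parsed name passes while the bytes that actually go on the wire differ.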
vulnersOsv, added 2025/03/20 12:32 p.m.

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-8061 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-8061 Source advisory: SNYK:PYTHON-AIM-9511136...

CVSS 7.5 | AI score 7.1 | EPSS 0.00471 | Exploits 1
vulnersOsv, added 2025/03/20 12:32 p.m.

ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-6483 via aim (>=3.17.4 <=4.0.3)

aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-6483 Source advisory: SNYK:PYTHON-AIM-9511134...

CVSS 5.3 | AI score 5.8 | EPSS 0.00659 | Exploits 1
vulnersOsv, added 2025/03/20 12:32 p.m.

agentverse (=0.1.8.1), airoboros (=2.1.1) +35 more potentially affected by CVE-2024-12376 via fschat (>=0.2.2 <=0.2.36)

fschat PYPI version =0.2.2, =0.3.0, =0.0.1, =1.1.0, =0.1.1, =0.1.1, =0.9.0.8, =0.1.1, =0.1.8 and more Source cves: CVE-2024-12376 Source advisory: SNYK:PYTHON-FSCHAT-9553180...

CVSS 7.5 | AI score 7 | EPSS 0.00443 | Exploits 1