795 matches found
3d-rcnet (>=0.2.2 <=0.2.3), aa-prepflow (>=0.1.0 <=0.1.1) +1128 more potentially affected by CVE-2024-12217 via gradio (>=1.7.7 <=6.9.0)
gradio PYPI version =1.7.7, =0.2.2, =0.1.0, =0.2.5, =0.3.0, =0.0.3, =0.1.5, =0.8.2.4, =0.2.1, =0.1.0, =0.1.0, =0.1.0, =2.0.0, =3.3.9 and more Source cves: CVE-2024-12217 Source advisory: SNYK:PYTHON-GRADIO-9510952...
ace-step (=0.1.0), aiconfigurator (>=0.1.0 <=0.2.0) +206 more potentially affected by CVE-2024-10624 via gradio (>=4.38.1 <=5.25.2)
gradio PYPI version =4.38.1, =0.1.0, =0.0.4, =0.1.1, =0.1.0, =25.3.1, =0.0.1, =0.1.0, =0.1.0, =0.1.1, =0.1.0a20, =1.1.1, =25.3.1, =25.3.8 - cleaners =0.1.0 and more Source cves: CVE-2024-10624 Source advisory: SNYK:PYTHON-GRADIO-9487018...
ado-sfttrainer (>=1.0.1 <=1.8.0), aim-mlflow (>=0.1.0 <=0.2.1) +27 more potentially affected by CVE-2024-7760 via aim (>=3.17.4 <=4.0.3)
aim PYPI version =3.17.4, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =4.46.1, =0.0.1, =0.0.3, =0.0.1, =1.1.5, =0.1.1, =0.22.0, =0.0.1, =0.0.1, =2.0.1, =2.0.7 and more Source cves: CVE-2024-7760 Source advisory: SNYK:PYTHON-AIM-9637809...
sagemaker-python-sdk security vulnerability
sagemaker-python-sdk is an Amazon Web Services open source library for training and deploying machine learning models on Amazon SageMaker. A security vulnerability exists in sagemaker-python-sdk that stems from an MD5 hash collision in the SageMaker Workflow component that could result in workflo...
[SECURITY] Fedora 42 Update: python-spotipy-2.25.1-1.fc42
A lightweight Python library for the Spotify Web API...
The vulnerability of the Babel.Locale function in the library that helps to internationalize and localize Python applications allows attackers to execute arbitrary code.
The vulnerability of the Babel.Locale function in the library for helping with internationalization and localization of Python applications is related to an incorrect restriction on the path to a limited directory. Exploiting this vulnerability could allow an attacker to execute arbitrary code...
CLSA-2025-1741635940 python3: Fix of 2 CVEs
CVE-2024-11168: fix improper validation of bracketed hosts in urllib.parse.urlsplit and urlparse functions - CVE-2025-0938: fix incomplete algorithm of validating hosts by disallowing square brackets in domain names...
[SECURITY] Fedora 40 Update: python-spotipy-2.25.1-1.fc40
A lightweight Python library for the Spotify Web API...
[SECURITY] Fedora 41 Update: python-spotipy-2.25.1-1.fc41
A lightweight Python library for the Spotify Web API...
Linux Distros Unpatched Vulnerability : CVE-2024-23346
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the...
aether-observer (>=0.1.0 <=0.1.1), agloom (>=0.1.65 <=0.1.91) +83 more potentially affected by unknown CVE via kuzu (>=0.0.11 <=0.7.1)
kuzu PYPI version =0.0.11, =0.1.0, =0.1.65, =0.1.0, =0.3.0, =0.1.0, =4.3.12, =0.1.0, =0.2.0, =0.1.11, =0.1.1, =0.2.1, =0.1.3, =1.0.2, =1.0.3 - cognee-community-graph-adapter-spanner =0.1.0 and more Source cves: unknown CVE Source advisory: SNYK:PYTHON-KUZU-12179282...
CVE-2025-27154 Spotipy's cache file, containing spotify auth token, is created with overly broad permissions
Spotipy is a lightweight Python library for the Spotify Web API. The CacheHandler class creates a cache file to store the auth token. Prior to version 2.25.1, the file created has rw-r--r-- 644 permissions by default, when it could be locked down to rw------- 600 permissions. This leads to overly...
CLSA-2025-1740645491 python3.11: Fix of CVE-2023-27043
CVE-2023-27043: add a strict parsing mode to prevent incorrect address interpretation. By default, strict=True is enabled. If you need the legacy behavior, explicitly set strict=False when calling parseaddr or getaddresses - Additionally, strict parsing can be disabled globally by setting the...
PYSEC-2025-4 When using the project to bypass Deezer API restrictions, project exfiltrates user data to a hardcoded server.
Published in 2019, the automslc package is a Python library that bypasses Deezer API restrictions to download music. The package was found to exfiltrate user data to a hardcoded server, which could be used for malicious purposes...
PYSEC-2025-5 Exfiltrates user cookies to hardcoded server endpoint during normal operations
Published in 2020, the autodzee package is a Python library that bypasses Deezer API restrictions to download music. The package was found to exfiltrate user data to a hardcoded server, which could be used for malicious purposes...
PYSEC-2025-6 Exfiltrates cookies to hardcoded IP address
Published in 2021, the colabrun package is a Python library that exfiltrates user cookies to a hardcoded IP address. The package was found to exfiltrate user data to a hardcoded server, which could be used for malicious purposes...
PYSEC-2025-7 Posts scraped data to IP address associated with other malware distribution attacks.
Published in 2021, the imblog package is a Python library that scrapes data from a blog page to an IP address associated with other malware distribution attacks...