57450 matches found
CVE-2026-31225
The superduper project through v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The parseoppart function in query.py uses the unsafe eval function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Although...
PT-2026-40059
PySyft Syft Datasite/Server versions 0.9.5 and earlier are vulnerable to remote code execution due to insufficient validation and sandboxing of user-submitted code. The system allows low-privileged users to submit Python functions via @sy.syft_function for remote execution on the server. While a...
PT-2026-40312
Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceedingly large amount, Pillow's tracking of the current position may lead to an integer overflow. This issue has been patched in version 12.2.0...
OPENSUSE-SU-2026:10760-1 python311-click-8.3.3-2.1 on GA media
These are all security issues fixed in the python311-click-8.3.3-2.1 package on the GA media of openSUSE Tumbleweed...
ROS-20260512-73-0004
Vulnerability in python-PyPDF2 related to uncontrolled resource consumption. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...
cognee security vulnerability
Cognee is an open-source tool developed by Topoteretes, designed to provide AI agents with shared memory and context management capabilities. Cognee versions prior to v0.4.0 contained security vulnerabilities. These vulnerabilities stemmed from the use of the unsafe exec function in notebook cell...
CVE-2026-31220
CVE-2026-31220 affects PySyft (Syft Datasite/Server)
OPENSUSE-SU-2026:10758-1 python311-GitPython-3.1.49-1.1 on GA media
These are all security issues fixed in the python311-GitPython-3.1.49-1.1 package on the GA media of openSUSE Tumbleweed...
Heym security vulnerability
Heym is an open-source AI-native workflow automation platform developed by heymrun. Versions of Heym prior to 0.0.21 contained security vulnerabilities. These vulnerabilities stemmed from sandbox escape vulnerabilities in custom Python tool executors, which could allow authenticated workflow...
CVE-2026-31220
PySyft Syft Datasite/Server versions 0.9.5 and earlier are vulnerable to remote code execution due to insufficient validation and sandboxing of user-submitted code. The system allows low-privileged users to submit Python functions via @sy.syft_function for remote execution on the server. While a...
CVE-2026-31229
The ART (Adversarial Robustness Toolbox) package up to v1.20.1 contains an insecure deserialization vulnerability in its Kubeflow component’s model loading path. Loading model weights (e.g., model.pt) uses torch.load() without weights_only=True, allowing arbitrary Python object deserialization vi...
ROS-20260512-73-0001
Vulnerability in python-PyPDF2 related to unrestricted resource allocation. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...
Google Says Hackers Used AI to Develop a Zero-Day Exploit
Google researchers say hackers used AI to develop zero-day exploits, Android backdoors, and automated supply chain attacks targeting GitHub and PyPI...
CLSA-2026-1778535928 python: Fix of 2 CVEs
CVE-2021-3733: fix ReDoS in urllib2 AbstractBasicAuthHandler regex; the legacy '?:.,' prefix is replaced with the upstream-3.x form '?:^|,' and the scheme charset excludes ',' to prevent quadratic backtracking on crafted WWW-Authenticate headers - CVE-2021-23336: stop accepting ';' as a default...
a2cli (>=0.1.0 <=0.2.1), a2py (>=0.2.1 <=0.2.3) +851 more potentially affected by unknown CVE via mistralai (>=0.0.11 <=2.4.5)
mistralai PYPI version =0.0.11, =0.1.0, =0.2.1, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.0.1, =0.1.36, =0.1.0, =0.1.0, =0.0.1, =0.1.2 and more Source cves: unknown CVE Source advisory: SNYK:PYTHON-MISTRALAI-16641237...
CVE-2026-44336
PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default: praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a pat...
[SECURITY] [DLA 4579-1] python-authlib security update
Debian LTS Advisory DLA-4579-1, https://www.debian.org/lts/security/, Emmanuel Arias, May 11, 2026, https://wiki.debian.org/LTS. Package: python-authlib. Version: 0.15.4-1+deb11u2. CVE ID: CVE-2026-27962, CVE-2026-28490, CVE-2026-28498. Three security vulnerabilities were...
EUVD-2026-29101
The flash-attention project through commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains a code injection vulnerability (CWE-94) in its training script. The script registers the Python eval function as a Hydra configuration resolver under the name eval. This allows configuration files t...
CVE-2026-31254
The flash-attention project through commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains a code injection vulnerability (CWE-94) in its training script. The script registers the Python eval function as a Hydra configuration resolver under the name eval. This allows configuration files t...