57939 matches found
SUSE: Security Advisory (SUSE-SU-2026:20933-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
MiracleLinux 9 : python3.12-3.12.12-4.el9_7.2 (AXSA:2026-390:11)
The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2026-390:11 advisory. python: Python: Command-line option injection in webbrowser.open via crafted URLs CVE-2026-4519 Tenable has extracted the preceding description block directly...
MiracleLinux 9 : python3.11-3.11.13-5.2.el9_7 (AXSA:2026-385:07)
The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2026-385:07 advisory. python: Python: Command-line option injection in webbrowser.open via crafted URLs CVE-2026-4519 Tenable has extracted the preceding description block directly...
SUSE: Security Advisory (SUSE-SU-2026:20930-1)
The remote host is missing an update for the...
OPENSUSE-SU-2026:10485-1 python311-Flask-Cors-6.0.2-1.1 on GA media
These are all security issues fixed in the python311-Flask-Cors-6.0.2-1.1 package on the GA media of openSUSE Tumbleweed...
SUSE: Security Advisory (SUSE-SU-2026:20934-1)
The remote host is missing an update for the...
SUSE: Security Advisory (SUSE-SU-2026:20919-1)
The remote host is missing an update for the...
python314-3.14.3-4.1 on GA media (moderate)
python314-3.14.3-4.1 on GA media Announcement ID: openSUSE-SU-2026:10481-1 Rating: moderate Cross-References: CVE-2025-13462 CVE-2026-3644 CVE-2026-4224 CVE-2026-4519 CVSS scores: CVE-2025-13462 SUSE : 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2025-13462 SUSE : 2...
python313-3.13.12-3.1 on GA media (moderate)
python313-3.13.12-3.1 on GA media Announcement ID: openSUSE-SU-2026:10480-1 Rating: moderate Cross-References: CVE-2025-13462 CVE-2026-3644 CVE-2026-4224 CVE-2026-4519 CVSS scores: CVE-2025-13462 SUSE : 2.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N CVE-2025-13462 SUSE : 2...
SUSE CVE-2026-34513
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4...
GHSA-7GGG-PVRF-458V OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic
Summary: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic. Current Maintainer Triage - Status: narrow - Normalized severity: high - Assessment: v2026.3.28 still allows Python package-index env redirection through host exec, but scope should stay...
Malicious code in pycolorlib3 (PyPI)
Source: kam193 22c84d1bcfac7d68fb2db1c9610d281372db5e2ef93edb1a90903c6a6b772e6c During installation, the package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...
Malicious code in nwin64tls (PyPI)
Source: kam193 72555231efbf126e61cb3aa59d3482bc7967af46898e46eb2b9b7f81af8cd40e Importing the module starts a loop that listens for keystrokes and, on every Caps Lock press, exfiltrates a screenshot to a hardcoded location. --- Category:...
MAL-2026-2432 Malicious code in nwin64tls (PyPI)
Source: kam193 72555231efbf126e61cb3aa59d3482bc7967af46898e46eb2b9b7f81af8cd40e Importing the module starts a loop that listens for keystrokes and, on every Caps Lock press, exfiltrates a screenshot to a hardcoded location. --- Category:...
MAL-2026-2431 Malicious code in nwin32tls (PyPI)
Source: kam193 a47778618cad57dbc584afdff7ed138032b69c423a9812e1bc8f86c13129f01d Importing the module starts a loop that listens for keystrokes and, on every Caps Lock press, exfiltrates a screenshot to a hardcoded location. --- Category:...
CVE-2026-34591
Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...
CVE-2026-34591
CVE-2026-34591 is linked to a wheel path traversal in Poetry. The connected advisories (GHSA-2599-H6XX-HPXP / OSV) show that a crafted wheel can include non-contained ../ paths, allowing arbitrary file write during installation via the wheel destination logic (wheel_installer and executable path ...
Agno is vulnerable to Eval Injection
Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the fieldtype parameter passed to eval. Attackers can influence the fieldtype value in a FunctionCall to achieve...
EUVD-2026-18334
Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the fieldtype parameter passed to eval. Attackers can influence the fieldtype value in a FunctionCall to achieve...
CVE-2026-35002
Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the fieldtype parameter passed to eval. Attackers can influence the fieldtype value in a FunctionCall to achieve...