57951 matches found

vulnersOsv
added 2026/04/01 6:33 a.m., 2 views

01os (>=0.0.1 <=0.0.14), a2a-acl (=0.0.14) +647 more potentially affected by unknown CVE via litellm (>=1.0.0 <=1.82.3)

litellm PYPI version =1.0.0, =0.0.1, =0.0.1a0, =0.3.5, =0.1.0, =0.4.0, =0.8.1, =0.1.0, =0.1.39, =0.2.1, =0.1.0, =0.14.1a0, =0.64.1 and more Source cves: unknown CVE Source advisory: SNYK:PYTHON-LITELLM-15870298...

AI score: 5.5
Exploits: 0

vulnersOsv
added 2026/04/01 6:31 a.m., 2 views

2dify (=1.0.1), a2grunnerp (>=0.1.0 <=0.1.8) +719 more potentially affected by unknown CVE via fonttools (>=4.0.0 <=4.61.1)

fonttools PYPI version =4.0.0, =0.1.0, =0.0.2, =1.0.0, =0.1.3, =3.0.1, =0.0.3.20, =0.0.1, =1.1.2, =1.5.0 and more Source cves: unknown CVE Source advisory: SNYK:PYTHON-FONTTOOLS-15869939...

AI score: 5.5
Exploits: 0

Fedora
added 2026/04/01 12:57 a.m., 4 views

[SECURITY] Fedora 43 Update: python-gstreamer1-1.26.11-1.fc43

This module contains PyGObject overrides to make it easier to write applications that use GStreamer 1.x in Python...

AI score: 5.9
Exploits: 0

Amazon
added 2026/04/01 12:0 a.m., 4 views

Low: python3.12-pip

Issue Overview: When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical...

CVSS: 2, AI score: 5.8, EPSS: 0.0003
Exploits: 1

Amazon
added 2026/04/01 12:0 a.m., 6 views

Important: python3-tornado

Issue Overview: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates...

CVSS: 8.7, AI score: 5.9, EPSS: 0.00028
Exploits: 0

OpenVAS
added 2026/04/01 12:0 a.m., 2 views

Mageia: Security Advisory (MGASA-2026-0079)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS: 9.8, AI score: 5.9, EPSS: 0.00846
Exploits: 3, References: 4

Tenable Nessus
added 2026/04/01 12:0 a.m., 2 views

AlmaLinux 8 : python3.11 (ALSA-2026:6281)

The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2026:6281 advisory. python: Python: Command-line option injection in webbrowser.open via crafted URLs (CVE-2026-4519). Tenable has extracted the preceding description block directly from...

CVSS: 7, AI score: 5.8, EPSS: 0.00015
Exploits: 0, References: 3

Tenable Nessus
added 2026/04/01 12:0 a.m., 12 views

Oracle Linux 8 : python3.12 (ELSA-2026-6283)

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-6283 advisory. 3.12.12-4 - Security fix for CVE-2026-4519 Resolves: RHEL-158029 Tenable has extracted the preceding description block directly from the Oracle Linux security...

CVSS: 7, AI score: 5.8, EPSS: 0.00015
Exploits: 0, References: 2

Tenable Nessus
added 2026/04/01 12:0 a.m., 3 views

Amazon Linux 2023 : python3.11-pip, python3.11-pip-wheel (ALAS2023-2026-1531)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1531 advisory. When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation...

CVSS: 2, AI score: 5.9, EPSS: 0.0003
Exploits: 1, References: 4

Tenable Nessus
added 2026/04/01 12:0 a.m., 3 views

Photon OS 4.0: Python3 PHSA-2026-4.0-0990

An update of the python3 package has been released. %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2026-4.0-0990. The text itself is copyright C VMware, Inc. include'compat.inc'; if description...

CVSS: 7, AI score: 5.7, EPSS: 0.00015
Exploits: 0, References: 2

OPENSUSE Linux
added 2026/04/01 12:0 a.m., 1 views

python311-nltk-3.9.4-1.1 on GA media (moderate)

python311-nltk-3.9.4-1.1 on GA media Announcement ID: openSUSE-SU-2026:10461-1 Rating: moderate Cross-References: CVE-2026-33230 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues fixed in the...

CVSS: 6.1, AI score: 5.9, EPSS: 0.00019
Exploits: 1

OSV
added 2026/04/01 12:0 a.m., 1 views

OPENSUSE-SU-2026:10478-1 python311-3.11.15-4.1 on GA media

These are all security issues fixed in the python311-3.11.15-4.1 package on the GA media of openSUSE Tumbleweed...

CVSS: 7.5, AI score: 5.9, EPSS: 0.00089
Exploits: 0, References: 4

Amazon
added 2026/04/01 12:0 a.m., 4 views

Low: python3.11-pip

Issue Overview: When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical...

CVSS: 2, AI score: 5.8, EPSS: 0.0003
Exploits: 1

OSV
added 2026/04/01 12:0 a.m., 1 views

OPENSUSE-SU-2026:10477-1 python310-3.10.20-3.1 on GA media

These are all security issues fixed in the python310-3.10.20-3.1 package on the GA media of openSUSE Tumbleweed...

CVSS: 7.5, AI score: 5.9, EPSS: 0.00089
Exploits: 0, References: 4

Packet Storm News
added 2026/04/01 12:0 a.m., 0 views

Enhancing REST API Fuzzing with Access Policy Violation Checks and Injection Attacks

Due to their widespread use in industry, several techniques have been proposed in the literature to fuzz REST APIs. Existing fuzzers for REST APIs have been focusing on detecting crashes (e.g., 500 HTTP server error status code). However, security vulnerabilities can have major drastic consequences...

AI score: 6
Exploits: 0

Tenable Nessus
added 2026/04/01 12:0 a.m., 16 views

Amazon Linux 2 : python3, --advisory ALAS2-2026-3217 (ALAS-2026-3217)

The version of python3 installed on the remote host is prior to 3.7.16-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3217 advisory. The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update, |...

CVSS: 7.5, AI score: 5.9, EPSS: 0.00205
Exploits: 0, References: 6

Tenable Nessus
added 2026/04/01 12:0 a.m., 7 views

Amazon Linux 2 : python-tornado, --advisory ALAS2-2026-3214 (ALAS-2026-3214)

The version of python-tornado installed on the remote host is prior to 4.2.1-3. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3214 advisory. Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit...

CVSS: 8.7, AI score: 6, EPSS: 0.00028
Exploits: 0, References: 4

Tenable Nessus
added 2026/04/01 12:0 a.m., 4 views

AlmaLinux 9 : python3.11 (ALSA-2026:6286)

The remote AlmaLinux 9 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2026:6286 advisory. python: Python: Command-line option injection in webbrowser.open via crafted URLs (CVE-2026-4519). Tenable has extracted the preceding description block directly from...

CVSS: 7, AI score: 5.8, EPSS: 0.00015
Exploits: 0, References: 3

Amazon
added 2026/04/01 12:0 a.m., 4 views

Important: python-tornado

Issue Overview: Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates...

CVSS: 8.7, AI score: 5.9, EPSS: 0.00028
Exploits: 0

Positive Technologies
added 2026/04/01 12:0 a.m., 2 views

PT-2026-29824

Summary: run python in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "" and passing it to subprocess.run(..., shell=True). The escaping logic only handles and ", leaving $ and backtick substitutions unescaped, allowing arbitrary OS command executio...

CVSS: 7.8, AI score: 6.3, EPSS: 0.00037
Exploits: 1, References: 4