CVE-2026-48797

Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and...

PT-2026-50132

Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and...

CVE-2026-42544 vulnerabilities

Vulnerabilities for packages: reflex...

CVE-2026-42545 vulnerabilities

Vulnerabilities for packages: reflex...

GHSA-VRG7-482J-P6F6 vulnerabilities

Vulnerabilities for packages: reflex...

GHSA-F5P7-9FR5-8JMJ vulnerabilities

Vulnerabilities for packages: reflex...

GHSA-2H4P-VJRC-8XPQ vulnerabilities

Vulnerabilities for packages: reflex, airflow...

CVE-2026-44307 vulnerabilities

Vulnerabilities for packages: reflex, airflow...

CVE-2026-42544 vulnerabilities

Vulnerabilities for packages: reflex, litellm...

CVE-2026-42545 vulnerabilities

Vulnerabilities for packages: reflex, litellm...

GHSA-F5P7-9FR5-8JMJ vulnerabilities

Vulnerabilities for packages: reflex, litellm...

GHSA-VRG7-482J-P6F6 vulnerabilities

Vulnerabilities for packages: reflex, litellm...

A Taxonomy of Cognitive Security

Last week, I listened to a fascinating talk by K. Melton on cognitive security, cognitive hacking, and reality pentesting. The slides from the talk are here, but--even better--Menton has a long essay laying out the basic concepts and ideas. The whole thing is important and well worth reading, and...

CVE-2025-62379

Reflex is a library to build full-stack web apps in pure Python. In versions 0.5.4 through 0.8.14, the /auth-codespace endpoint automatically assigns the redirectto query parameter value directly to client-side links without any validation and triggers automatic clicks when the page loads in a...

EUVD-2025-34684

reflex-dev/reflex has an Open Redirect vulnerability...

pycodium (>=0.1.0 <=0.2.1), reflex-ai (>=0.1.0a1 <=0.1.0a18) +10 more potentially affected by CVE-2025-62379 via reflex (>=0.6.0a4 <=0.8.0a7)

reflex PYPI version =0.6.0a4, =0.1.0, =0.1.0a1, =0.2.0, =0.0.1, =0.1.6, =1.0.0, =0.0.9, =10.0.11, =10.0.28 Source cves: CVE-2025-62379 Source advisory: OSV:GHSA-RFH5-C9H5-Q8JM...

pycodium (>=0.1.0 <=0.2.1), reflex-ai (>=0.1.0a1 <=0.1.0a18) +10 more potentially affected by CVE-2025-62379 via reflex (>=0.6.0a4 <=0.8.0a7)

reflex PYPI version =0.6.0a4, =0.1.0, =0.1.0a1, =0.2.0, =0.0.1, =0.1.6, =1.0.0, =0.0.9, =10.0.11, =10.0.28 Source cves: CVE-2025-62379 Source advisory: SNYK:PYTHON-REFLEX-13560525...

Open Redirect

Overview reflex is a Web apps in pure Python. Affected versions of this package are vulnerable to Open Redirect via the redirectto query parameter in the /auth-codespace route, which is assigned directly to client-side links without validation and triggers automatic navigation. An attacker can...

GHSA-RFH5-C9H5-Q8JM reflex-dev/reflex has an Open Redirect vulnerability

Mitigation Make sure GITHUBCODESPACESPORTFORWARDINGDOMAIN is not set in a production environment. So the following is correct: assert os.getenv"GITHUBCODESPACESPORTFORWARDINGDOMAIN" is None Vulnerability Description --- Vulnerability Overview - When the GET /auth-codespace page loads in a GitHub...

CVE-2025-62379

Reflex is a library to build full-stack web apps in pure Python. In versions 0.5.4 through 0.8.14, the /auth-codespace endpoint automatically assigns the redirectto query parameter value directly to client-side links without any validation and triggers automatic clicks when the page loads in a...