13 matches found
Spotipy has a XSS vulnerability in its OAuth callback server
Summary XSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. Details Vulnerable Code: spotipy/oauth2.py lines 1238-1274 RequestHandler.doGET The...
deezspot-spotizerr (>=2.2.4 <=3.1.5), deezspot-spotizerr-phoenix (>=0.0.11 <=0.0.14) +36 more potentially affected by CVE-2025-66040 via spotipy (>=2.10.0 <=2.25.1)
spotipy PYPI version =2.10.0, =2.2.4, =0.0.11, =0.0.10, =2.6.0, =0.0.3, =0.0.1, =0.2.0, =0.1.1, =0.1.0, =0.115.0 and more Source cves: CVE-2025-66040 Source advisory: SNYK:PYTHON-SPOTIPY-14135648...
CVE-2025-66040 Spotipy has a XSS vulnerability in OAuth callback server
Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting XSS vulnerability in the OAuth callback server that allows for JavaScript injection through the unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's brows...
spotipy -- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
https://github.com/spotipy-dev/spotipy/security/advisories/GHSA-r77h-rpp9-w2xm reports: Spotipy is a Python library for the Spotify Web API. Prior to version 2.25.2, there is a cross-site scripting XSS vulnerability in the OAuth callback server that allows for JavaScript injection through the...
EUVD-2023-0527
Malicious code in bioql PyPI...
CVE-2025-47928 Spotipy repo vulnerable to secrets exfiltration via `pull_request_target`
Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using pullrequesttarget on .github/workflows/integrationtests.yml followed by the checking out the head.sha of a forked PR can be exploited by attackers, since untrusted code can be execute...
CVE-2025-47928 Spotipy repo vulnerable to secrets exfiltration via `pull_request_target`
Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using pullrequesttarget on .github/workflows/integrationtests.yml followed by the checking out the head.sha of a forked PR can be exploited by attackers, since untrusted code can be execute...
CVE-2025-47928
Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using pullrequesttarget on .github/workflows/integrationtests.yml followed by the checking out the head.sha of a forked PR can be exploited by attackers, since untrusted code can be execute...
CVE-2025-47928 Spotipy repo vulnerable to secrets exfiltration via `pull_request_target`
Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using pullrequesttarget on .github/workflows/integrationtests.yml followed by the checking out the head.sha of a forked PR can be exploited by attackers, since untrusted code can be execute...
CVE-2025-27154
CVE-2025-27154 affects Spotipy’s CacheHandler file permissions. Before version 2.25.1, the cache file is created with 644 permissions by default, exposing the Spotify auth token to other users or processes on the same machine. Version 2.25.1 tightens permissions to 600, reducing token exposure. T...
CVE-2023-23608 spotipy Path traversal vulnerability that may lead to type confusion in URI handling code
Spotipy is a light weight Python library for the Spotify Web API. In versions prior to 2.22.1, if a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended. The code Spotipy uses to parse URIs and URLs allows an...
discogrify (>=0.0.10 <=0.0.11), djtools (>=2.6.0 <=2.7.13rc13) +14 more potentially affected by CVE-2023-23608 via spotipy (>=2.10.0 <=2.22.0)
spotipy PYPI version =2.10.0, =0.0.10, =2.6.0, =0.0.1, =0.1.0, =0.0.2.dev4, =1.0.0, =0.0.1, =6.0.0, =0.1.1, =0.1.0, =1.0.0, =1.3.0 and more Source cves: CVE-2023-23608 Source advisory: OSV:GHSA-Q764-G6FM-555V...
PT-2023-19070 · Pypi · Spotipy
Name of the Vulnerable Software and Affected Versions: Spotipy versions prior to 2.22.1 Description: The issue arises when a malicious URI is passed to the library, allowing it to be tricked into performing an operation on a different API endpoint than intended. This is possible because the code...