12 matches found

Snyk
added 2026/04/15 4:11 p.m., 3 views

Arbitrary Code Injection

Overview: upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents. Affected versions of this package are vulnerable to Arbitrary Code Injection via the MCP server task creation functionality. An attacker can execute arbitrary operating system commands with the...

CVSS 9.8 | AI score 6 | EPSS 0.00343
Exploits: 0 | References: 2
vulnersOsv
added 2026/01/23 5:8 a.m., 4 views

ai-safety-engine (=0.1.0) potentially affected by CVE-2026-0773 via upsonic (=0.60.0a1754435135)

upsonic PYPI version =0.60.0a1754435135 is affected by a known vulnerability. The following packages have a transitive dependency on upsonic and may be impacted: ai-safety-engine =0.1.0. Source cves: CVE-2026-0773. Source advisory: SNYK:PYTHON-UPSONIC-15091585...

CVSS 9.8 | AI score 7.2 | EPSS 0.01649
Exploits: 0
Snyk
added 2026/01/23 5:8 a.m., 2 views

Deserialization of Untrusted Data

Overview: upsonic is a Task oriented AI agent framework for digital workers and vertical AI agents. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the addtool endpoint, which listens on TCP port 7541 by default, and uses cloudpickle.loads. An attacker can...

CVSS 9.8 | AI score 8.8 | EPSS 0.01649
Exploits: 0 | References: 2
EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2025-18698

Malicious code in bioql PyPI...

CVSS 9.8 | AI score 5.5 | EPSS 0.00631
Exploits: 1 | References: 9
RedhatCVE
added 2025/06/23 8:41 a.m., 2 views

CVE-2025-6279

A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/addtool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may ...

CVSS 8 | AI score 7.2 | EPSS 0.00138
Exploits: 1 | References: 1
Github Security Blog
added 2025/06/19 9:31 p.m., 7 views

Upsonic is vulnerable to Path Traversal attack through its os.path.join function

A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown/server.py. The manipulation of the argument file.filename leads to path traversal. The exploit has been disclosed to the public and may be used...

CVSS 9.8 | AI score 5.5 | EPSS 0.00631
Exploits: 1 | References: 10 | Affected Software: 1
OSV
added 2025/06/19 9:31 p.m., 4 views

GHSA-RPFV-46XJ-5984 Upsonic has vulnerability in Pickle Handler component that can lead to deserialization

A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/addtool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may ...

CVSS 5.5 | AI score 5.4 | EPSS 0.00138
Exploits: 1 | References: 10
OSV
added 2025/06/19 9:15 p.m., 3 views

CVE-2025-6279

A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/addtool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may ...

CVSS 8 | AI score 5.4
Exploits: 0 | References: 4
NVD
added 2025/06/19 9:15 p.m., 2 views

CVE-2025-6279

A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/addtool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may ...

CVSS 8 | EPSS 0.00138
Exploits: 1 | References: 4
CVE
added 2025/06/19 9:0 p.m., 14 views

CVE-2025-6279

CVE-2025-6279 affects Upsonic up to 0.55.6. The vulnerability resides in the Pickle Handler’s function cloudpickle.loads (file /tools/add_tool) and enables deserialization due to the underlying root cause described in the coordinated disclosure. Exploit information is publicly disclosed according...

CVSS 8 | AI score 5.5 | EPSS 0.00138
Exploits: 1 | References: 4 | Affected Software: 1
Vulnrichment
added 2025/06/19 9:0 p.m., 2 views

CVE-2025-6279 Upsonic Pickle add_tool cloudpickle.loads deserialization

A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/addtool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may ...

CVSS 5.5 | AI score 7.1 | EPSS 0.00138
Exploits: 1 | References: 4
CVE
added 2025/06/19 8:31 p.m., 24 views

CVE-2025-6278

Upsonic (affected up to version 0.55.6) is vulnerable to a path traversal in the os.path.join call within markdown/server.py. The vulnerability stems from manipulating the file.filename argument, enabling traversal and potential access to restricted paths. The public disclosure indicates exploita...

CVSS 9.8 | AI score 5.6 | EPSS 0.00631
Exploits: 1 | References: 4 | Affected Software: 1