Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
added 2026/05/28 4:16 p.m.99 views

PYSEC-2026-192

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and...

8.2CVSS5.9AI score0.00335EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2023/11/10 6:15 p.m.95 views

PYSEC-2023-241

Piccolo is an object-relational mapping and query builder which supports asyncio. Prior to version 1.1.1, the handling of named transaction savepoints in all database implementations is vulnerable to SQL Injection via f-strings. While the likelihood of an end developer exposing a savepoints name...

9.1CVSS8.1AI score0.00776EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2014/05/02 2:55 p.m.74 views

PYSEC-2014-68

Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API...

5.5CVSS6.7AI score0.00951EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2014/05/02 2:55 p.m.74 views

PYSEC-2014-66

Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API...

5.5CVSS6.7AI score0.00951EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2020/12/09 5:15 p.m.71 views

PYSEC-2020-52

jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users...

7.9CVSS9.1AI score0.00471EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2019/10/05 11:15 p.m.67 views

PYSEC-2019-116

Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper aka Redis Wrapper before 0.3.0 allows attackers to execute arbitrary scripts...

9.8CVSS7.5AI score0.03158EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/06/08 12:15 a.m.65 views

PYSEC-2023-90

Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the what URLs are proxied. These issues have been addressed in...

9.1CVSS7AI score0.00651EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/06/01 5:17 p.m.64 views

PYSEC-2026-196

pip would treat consolescripts and guiscripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory...

5.5CVSS5.4AI score0.0032EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/12/17 4:16 p.m.64 views

PYSEC-2025-185

In python-jose 3.3.0 specifically jwe.decrypt, a vulnerability allows an attacker to cause a Denial-of-Service DoS condition by crafting a malicious JSON Web Encryption JWE token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant...

5.3CVSS5.8AI score0.00166EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2024/12/03 5:15 p.m.59 views

PYSEC-2024-287

Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the...

5.3CVSS6.4AI score0.00419EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2026/04/09 4:16 p.m.53 views

PYSEC-2026-135

In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs...

8.1CVSS5.8AI score0.00278EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2025/12/23 9:15 p.m.49 views

PYSEC-2025-217

Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this...

7.8CVSS7.6AI score0.00315EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2019/07/29 3:15 p.m.47 views

PYSEC-2019-24

invenio-app before 1.1.1 allows host header injection...

6.1CVSS7AI score0.00922EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2020/09/17 6:15 p.m.46 views

PYSEC-2020-93

A heap overflow in Sqreen PyMiniRacer aka Python Mini Racer before 0.3.0 allows remote attackers to potentially exploit heap corruption...

9.8CVSS7.3AI score0.02498EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2014/04/30 11:58 p.m.46 views

PYSEC-2014-98

Cross-site scripting XSS vulnerability in plugins/main/content/js/ajenti.coffee in Eugene Pankov Ajenti 1.2.13 allows remote authenticated users to inject arbitrary web script or HTML via the command field in the Cron functionality...

3.5CVSS6.1AI score0.01487EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/02/17 2:16 p.m.45 views

PYSEC-2026-113

Use After Free vulnerability in Apache Arrow C++.This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file but not an IPC stream with pre-buffering enabled, if the IPC file contains data with variadic buffers such as Binary View and String...

7CVSS5.6AI score0.00807EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2024/02/29 11:15 a.m.45 views

PYSEC-2024-245

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk...

5.9CVSS6.9AI score0.00343EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2026/05/11 6:16 p.m.44 views

PYSEC-2026-58

The Open edx Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the syncproviderdata endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadatasource. An authenticated user with the Enterprise Admin ro...

8.5CVSS5.9AI score0.00301EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2023/03/26 7:15 p.m.44 views

PYSEC-2023-45

redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time in the case of a pipeline operation, and can send response data to the client of an unrelated request in an off-by-one manner. The fixed versions fo...

6.5CVSS7AI score0.01034EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2026/05/11 4:17 p.m.41 views

PYSEC-2026-150

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This...

5.3CVSS5.8AI score0.00256EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2017/09/14 7:29 p.m.40 views

PYSEC-2017-5

An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability...

7.8CVSS7.8AI score0.02967EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/05/11 4:17 p.m.39 views

PYSEC-2026-147

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2020/01/23 9:15 p.m.39 views

PYSEC-2020-85

An open redirect on the login form and possibly other places in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redirect to an attacker's site...

6.1CVSS6.9AI score0.00923EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2021/01/08 12:15 p.m.38 views

PYSEC-2021-72

This affects the package pwntools before 4.3.1. The shellcraft generator for affected versions of this module are vulnerable to Server-Side Template Injection SSTI, which can lead to remote code execution...

9.8CVSS7.9AI score0.04162EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2026/01/15 2:16 p.m.37 views

PYSEC-2026-73

Allocation of Resources Without Limits or Throttling in the HDF5 weight loading componentin GoogleKeras3.0.0 through 3.13.0on all platformsallows a remote attackerto cause a Denial of Service DoS through memory exhaustion and a crash of the Python interpretervia a crafted .keras archive containin...

7.5CVSS6.8AI score0.00299EPSS
Exploits3References2Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.35 views

PYSEC-2014-59

Multiple open redirect vulnerabilities in 1 marmosetpatch.py, 2 publish.py, and 3 principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors...

5.8CVSS7.1AI score0.0119EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2026/04/09 7:16 p.m.33 views

PYSEC-2026-151

Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following...

5CVSS5.8AI score0.00117EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.33 views

PYSEC-2014-61

memberportrait.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to modify or delete portraits of other users via unspecified vectors...

5.5CVSS6.9AI score0.01255EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2026/05/11 4:17 p.m.32 views

PYSEC-2026-148

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to f...

6.5CVSS5.8AI score0.00174EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2026/05/11 4:17 p.m.32 views

PYSEC-2026-149

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it...

6.5CVSS5.8AI score0.00201EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2026/05/11 6:16 p.m.31 views

PYSEC-2026-126

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option "general",...

6.8CVSS5.8AI score0.00174EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2025/11/24 6:15 p.m.31 views

PYSEC-2025-77

A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module TPM device but claiming an existing agent's unique identifier UUID. This action overwrites the legitimate agent's identity, enabling the...

8.2CVSS5.7AI score0.0038EPSS
Exploits0References10
PyPA
PyPA
added yesterday30 views

Graphite Web Cross-site Scripting vulnerability

A vulnerability has been found in Graphite Web and classified as problematic. This vulnerability affects unknown code of the component Cookie Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used...

5.4CVSS3.8AI score0.00765EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added 2026/05/11 6:16 p.m.30 views

PYSEC-2026-128

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .. after replacement partial removal, leaving .. which can be exploited when the path is later resolve...

6.5CVSS5.8AI score0.00342EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2025/11/26 7:15 p.m.30 views

PYSEC-2025-219

An issue was discovered in Overhang.IO tutor-open-edx overhangio/tutor 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks...

3.3CVSS5.8AI score0.00195EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2024/10/09 6:15 p.m.29 views

PYSEC-2024-312

Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtim...

5.5CVSS5.8AI score0.00244EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday28 views

Graphite Web Cross-site Scripting vulnerability

A vulnerability was found in Graphite Web and classified as problematic. This issue affects some unknown processing of the component Template Name Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be...

5.4CVSS3.8AI score0.00733EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added yesterday28 views

Graphite Web Cross-site Scripting vulnerability

A vulnerability was found in Graphite Web. It has been classified as problematic. Affected is an unknown function of the component Absolute Time Range Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the publi...

5.4CVSS3.9AI score0.00765EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added 2026/05/12 6:17 p.m.28 views

PYSEC-2026-29

changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpathfilter switches to XML mode for XML/RSS content and creates etree.XMLParserstripcdata=False without explicitly disabling external entity resolution, external DTD loading, or network-backed entity...

8.2CVSS5.8AI score0.00266EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2026/03/05 6:16 a.m.27 views

PYSEC-2026-56

An open redirect vulnerability exists in django-allauth versions prior to 65.14.1 when SAML IdP initiated SSO is enabled it is disabled by default, which may allow an attacker to redirect users to an arbitrary external website via a crafted URL...

6.1CVSS5.9AI score0.00159EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/06/03 2:16 p.m.26 views

PYSEC-2026-200

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.django.core.mail.backends.smtp.EmailBackend in Django fails to prevent reuse of a partially-initialized connection after a failed STARTTLS handshake when failsilently=True, which allows on-path network attackers to read emai...

3.1CVSS5.4AI score0.0015EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/05/27 5:16 p.m.26 views

PYSEC-2026-180

Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file...

6.5CVSS5.8AI score0.00345EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2026/05/08 3:16 p.m.25 views

PYSEC-2026-37

An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dashuploader/httprequesthandler.py, dashuploader/upload.py in the Upload function and maxfilesize parameter, dashuploader/configureupload.py components...

7.5CVSS6.2AI score0.02643EPSS
Exploits5References9Affected Software1
PyPA
PyPA
added 2026/05/04 6:16 p.m.25 views

PYSEC-2026-105

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval function on array-like command parameters, which allows a user-supplied payload to execute in the browser when...

4.6CVSS6AI score0.002EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2025/03/20 10:15 a.m.25 views

PYSEC-2025-97

An authentication bypass vulnerability exists in gaizhenbiao/ChuanhuChatGPT, as of commit 3856d4f, allowing any user to read and delete other users' chat history. The vulnerability arises because the username is provided via an HTTP request from the client side, rather than being read from a secu...

8.1CVSS7.3AI score0.00581EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2026/06/01 9:16 a.m.24 views

PYSEC-2026-181

A Dag author could either a create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process read-path attack — e.g. /etc/passwd or airflow.cfg or b supply a taskid containing .. sequences accepted by the Task SDK's KEYREGEX write-path attack, and...

6.5CVSS5.9AI score0.00665EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/05/25 10:16 a.m.24 views

PYSEC-2026-166

Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...

8.1CVSS5.8AI score0.0059EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/04/24 5:16 p.m.24 views

PYSEC-2026-87

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration with resolveentities=True allows untrusted XML input to read local files. Setting the resolveentities option explicitly to resolveentities='internal' ...

7.5CVSS5.8AI score0.00324EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2026/04/18 7:16 a.m.24 views

PYSEC-2026-19

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked.If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to...

3.7CVSS5.8AI score0.00421EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2025/07/31 2:34 p.m.24 views

After a successful phishing attack, new versions of `num2words` were published containing malware.

The num2words project was compromised via a phishing attackand two new versions were uploaded to PyPI containing malicious code.The affected versions have been removed from PyPI,and users are advised to remove the affected versions from their environments...

7AI score
Exploits0References2Affected Software1
Total number of security vulnerabilities5000