Lucene search
K
PypaMost viewed

5620 matches found

PyPA
PyPA
•added 2024/11/18 12:15 p.m.•9 views

PYSEC-2024-124

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in django CMS Association django-cms allows Cross-Site Scripting XSS.This issue affects django-cms: 3.11.7, 3.11.8, 4.1.2, 4.1.3...

4.8CVSS5.9AI score0.00493EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2024/11/15 9:15 a.m.•9 views

PYSEC-2024-182

Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially...

7.5CVSS6.8AI score0.01295EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/11/12 6:15 p.m.•9 views

PYSEC-2024-204

TorchGeo Remote Code Execution Vulnerability...

8.1CVSS7.5AI score0.01221EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/11/05 7:15 p.m.•9 views

PYSEC-2024-201

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain reflected XSS vulnerabilities in the login dialog and the standalone application key confirmation dialog. An attacker who successfully talked a victim into clicking on...

6.1CVSS6.1AI score0.00265EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/11/05 4:4 p.m.•9 views

PYSEC-2024-115

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain-community version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service DoS by deleting all data, breaches in multi-tena...

9.8CVSS7.8AI score0.13803EPSS
Exploits2References4Affected Software2
PyPA
PyPA
•added 2024/11/04 11:15 p.m.•9 views

PYSEC-2024-262

In agentscope =v0.0.4, the file agentscope\web\workstation\workflowutils.py has the function iscallableexpression. Within this function, the line result = evals poses a security risk as it can directly execute user-provided commands...

9.8CVSS5.8AI score0.00788EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/10/29 3:15 p.m.•9 views

PYSEC-2024-211

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportunity to call getpeername waitress won't correctly clean up the connection leading to the main thread attempting to write to a socket that no longer...

7.5CVSS6.8AI score0.01386EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2024/10/29 1:15 p.m.•9 views

PYSEC-2024-113

In the latest version 20240628 of gaizhenbiao/chuanhuchatgpt, an issue exists in the /file endpoint that allows authenticated users to access the chat history of other users. When a user logs in, a directory is created in the history folder with the user's name. By manipulating the /file endpoint...

6.5CVSS6.5AI score0.00479EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/10/24 9:15 p.m.•9 views

PYSEC-2024-292

A heap-buffer-overflow vulnerability has been identified in the OpenDDLParser::parseStructure function within the Assimp library, specifically during the processing of OpenGEX files...

5.5CVSS6.2AI score0.00223EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2024/10/24 9:15 p.m.•9 views

PYSEC-2024-293

A segmentation fault SEGV was detected in the Assimp::SplitLargeMeshesProcessTriangle::UpdateNode function within the Assimp library during fuzz testing using AddressSanitizer. The crash occurs due to a read access violation at address 0x000000000460, which points to the zero page, indicating a...

5.5CVSS6.4AI score0.00239EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2024/10/10 10:15 p.m.•9 views

PYSEC-2024-214

Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to CORS origin validation accepting a null origin. When a Gradio server is deployed locally, the localhostaliases variable includes "null" as a valid origin. This allows attackers to make unauthoriz...

6.9CVSS6.8AI score0.00274EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/10/10 10:15 p.m.•9 views

PYSEC-2024-197

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a one-level read path traversal in the /customcomponent endpoint. Attackers can exploit this flaw to access and leak source code from custom Gradio components by manipulating the file path in the...

5.3CVSS6.7AI score0.00421EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/10/08 4:15 p.m.•9 views

PYSEC-2024-102

An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize and urlizetrunc template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters...

7.5CVSS6.9AI score0.25327EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/09/25 3:15 p.m.•9 views

PYSEC-2024-99

OpenSlides 4.0.15 was discovered to be using a weak hashing algorithm to store passwords...

7.5CVSS7.2AI score0.00248EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/09/17 7:15 p.m.•9 views

PYSEC-2024-91

A vulnerability was found in MicroPython 1.23.0. It has been classified as critical. Affected is the function mpvfsumount of the file extmod/vfs.c of the component VFS Unmount Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The exploit...

7.5CVSS7.4AI score0.01006EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added 2024/09/12 1:15 p.m.•9 views

PYSEC-2024-83

Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction...

7.5CVSS7.6AI score0.00481EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/08/22 8:15 p.m.•9 views

PYSEC-2024-192

An issue was discovered in llamaindex before 0.10.38. download/integration.py includes an exec call for import clsname...

8.8CVSS7AI score0.00528EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2024/08/07 3:15 p.m.•9 views

PYSEC-2024-69

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters...

7.5CVSS7AI score0.00954EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/07/17 10:15 a.m.•9 views

PYSEC-2024-173

Unrestricted Upload of File with dangerous type vulnerability in Apache StreamPipes.Such a dangerous type might be an executable file that may lead to a remote code execution RCE.The unrestricted upload is only possible for authenticated and authorized users.This issue affects Apache StreamPipes:...

8.8CVSS8.2AI score0.01106EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/07/17 9:15 a.m.•9 views

PYSEC-2024-174

Server-Side Request Forgery SSRF vulnerability in Apache StreamPipes during installation process of pipeline elements.Previously, StreamPipes allowed users to configure custom endpoints from which to install additional pipeline elements. These endpoints were not properly validated, allowing an...

7.5CVSS7.1AI score0.00738EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/07/11 4:15 p.m.•9 views

PYSEC-2024-86

Wagtail is an open source content management system built on Django. A bug in Wagtail's parsequerystring would result in it taking a long time to process suitably crafted inputs. When used to parse sufficiently long strings of characters without a space, parsequerystring would take an unexpectedl...

6.5CVSS6.8AI score0.0061EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/06/12 3:15 p.m.•9 views

PYSEC-2024-98

UNSUPPORTED WHEN ASSIGNED Incorrect Authorization vulnerability in Apache Submarine Server Core.This issue affects Apache Submarine Server Core: from 0.8.0.As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restri...

9.8CVSS6.9AI score0.00733EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/06/11 10:15 p.m.•9 views

PYSEC-2024-236

Jupyter Server Proxy allows users to run arbitrary external processes alongside their notebook server and provide authenticated web access to them. Versions of 3.x prior to 3.2.4 and 4.x prior to 4.2.0 have a reflected cross-site scripting XSS issue. The /proxy endpoint accepts a host path segmen...

9.6CVSS5.8AI score0.00442EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2024/06/10 8:15 p.m.•9 views

PYSEC-2024-177

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/customcomponent" endpoint and provide a Python script...

9.8CVSS8.1AI score0.00923EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/06/06 7:16 p.m.•9 views

PYSEC-2024-110

A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data within the stopwords...

4.7CVSS6.6AI score0.00187EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/06/06 7:16 p.m.•9 views

PYSEC-2024-108

A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions, but fixed in version 5.9.0. The vulnerability arises due to improper validation of file paths between Windows and Linux environments, allowing attackers to traverse...

7.5CVSS6.4AI score0.00881EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2024/06/06 7:15 p.m.•9 views

PYSEC-2024-105

A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insufficient handling of...

3.1CVSS6.7AI score0.00289EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/06/06 6:15 p.m.•9 views

PYSEC-2024-184

A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the postprocess function within gradio/components/jsoncomponent.py, where a user-controlled string is parsed as JSON. If the parsed JSON...

7.5CVSS6.6AI score0.0083EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2024/05/28 11:15 p.m.•9 views

PYSEC-2024-166

Nautobot is a Network Source of Truth and Network Automation Platform. A user with permissions to view Dynamic Group records extras.viewdynamicgroup permission can use the Dynamic Group detail UI view /extras/dynamic-groups// and/or the members REST API view /api/extras/dynamic-groups//members/ t...

6.5CVSS6.8AI score0.00398EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/05/14 4:17 p.m.•9 views

PYSEC-2024-237

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the autologinLocal option is enabled within config.yaml, even if the...

9.4CVSS7AI score0.00897EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2024/05/01 3:15 a.m.•9 views

PYSEC-2024-285

lunasvg v2.3.9 was discovered to contain a segmentation violation via the component compositionsolidsourceover...

9.8CVSS5.7AI score0.00847EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2024/04/25 6:15 p.m.•9 views

PYSEC-2024-163

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a default function is a very sparsely...

5.3CVSS6.9AI score0.00415EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/04/25 6:15 p.m.•9 views

PYSEC-2024-208

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the createfromblueprint builtin can result in a double eval vulnerability when rawargs=True and the args argument has side-effects. It can be seen that the buildcreateIR function of t...

5.3CVSS7AI score0.00451EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/04/16 12:15 a.m.•9 views

PYSEC-2024-288

Cross-site Scripting XSS - Stored in mindsdb/mindsdb...

6.1CVSS6.2AI score0.00368EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/03/15 8:15 p.m.•9 views

PYSEC-2024-47

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words method with html=True and the truncatewordshtml template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because ...

5.3CVSS7.5AI score0.01854EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/02/26 4:28 p.m.•9 views

PYSEC-2024-40

orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents...

7.5CVSS7AI score0.01187EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2024/02/06 12:15 p.m.•9 views

PYSEC-2024-36

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLENOLOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive...

5.5CVSS8.4AI score0.00301EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2024/01/31 5:15 p.m.•9 views

PYSEC-2024-127

Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. Label Studio's SSRF protections that can be enabled by setting the SSRFPROTECTIONENABLED environment variable can be bypassed to access...

5.3CVSS6.8AI score0.00737EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2024/01/30 1:15 a.m.•9 views

PYSEC-2024-27

CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and Local In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and accessing the Admin UI...

9.8CVSS7.2AI score0.00731EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/01/22 1:15 a.m.•9 views

PYSEC-2024-12

LlamaIndex aka llamaindex through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Dro...

9.8CVSS8AI score0.00654EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/01/03 9:15 a.m.•9 views

PYSEC-2024-129

FPE in paddle.nanmedian in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

7.5CVSS6.8AI score0.00484EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/01/03 9:15 a.m.•9 views

PYSEC-2024-146

PaddlePaddle before 2.6.0 has a command injection in convertshapecompare. This resulted in the ability to execute arbitrary commands on the operating system...

9.8CVSS8.2AI score0.01172EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/01/03 9:15 a.m.•9 views

PYSEC-2024-134

Nullptr in paddle.nextafterin PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

7.5CVSS6.8AI score0.00541EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/12/29 5:16 p.m.•9 views

PYSEC-2023-271

Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data. Hail relies on OpenID Connect OIDC email addresses from ID tokens to verify the validity of a user's domain, but because users have the ability to change...

5.3CVSS6.7AI score0.00367EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2023/12/12 2:15 a.m.•9 views

PYSEC-2023-261

SAPBTPSecurity Services Integration Library Pythonsap-xssec - versions 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application...

9.8CVSS7.5AI score0.01109EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2023/12/04 9:15 p.m.•9 views

PYSEC-2023-272

The Jupyter Server provides the backend i.e. the core services, APIs, and REST endpoints for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. Unhandled errors in API requests coming from an authenticated user include traceback information, which can include path information...

4.3CVSS6.8AI score0.00841EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2023/11/21 11:15 p.m.•9 views

PYSEC-2023-288

The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to onboarding task are...

6.5CVSS7AI score0.00414EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2023/11/16 6:15 p.m.•9 views

PYSEC-2023-243

Missing SSL certificate validation in localstack v2.3.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack...

7.4CVSS6.8AI score0.00298EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2023/10/19 10:15 p.m.•9 views

PYSEC-2023-229

ArchiveBox is an open source self-hosted web archiving system. Any users who are using the wget extractor and view the content it outputs. The impact is potentially severe if you are logged in to the ArchiveBox admin site in the same browser session and view an archived malicious page designed to...

6.4CVSS6.5AI score0.00674EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/10/04 9:15 p.m.•9 views

PYSEC-2023-193

Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface ZMI. All versions of Zope 4 and Zope 5 are affected. Patches will be released wit...

4.8CVSS7.1AI score0.00404EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities5000