Lucene search
K
PypaMost viewed

5624 matches found

PyPA
PyPA
•added 2024/05/28 11:15 p.m.•9 views

PYSEC-2024-166

Nautobot is a Network Source of Truth and Network Automation Platform. A user with permissions to view Dynamic Group records extras.viewdynamicgroup permission can use the Dynamic Group detail UI view /extras/dynamic-groups// and/or the members REST API view /api/extras/dynamic-groups//members/ t...

6.5CVSS6.8AI score0.00398EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/05/14 4:17 p.m.•9 views

PYSEC-2024-237

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the autologinLocal option is enabled within config.yaml, even if the...

9.4CVSS7AI score0.00897EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2024/04/25 6:15 p.m.•9 views

PYSEC-2024-208

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the createfromblueprint builtin can result in a double eval vulnerability when rawargs=True and the args argument has side-effects. It can be seen that the buildcreateIR function of t...

5.3CVSS7AI score0.00451EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/04/16 12:15 a.m.•9 views

PYSEC-2024-288

Cross-site Scripting XSS - Stored in mindsdb/mindsdb...

6.1CVSS6.2AI score0.00368EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/03/20 8:15 p.m.•9 views

PYSEC-2024-234

Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing...

9.8CVSS7.6AI score0.01021EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2024/03/15 8:15 p.m.•9 views

PYSEC-2024-47

In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words method with html=True and the truncatewordshtml template filter are subject to a potential regular expression denial-of-service attack via a crafted string. NOTE: this issue exists because ...

5.3CVSS7.5AI score0.01854EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/02/26 4:28 p.m.•9 views

PYSEC-2024-40

orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents...

7.5CVSS7AI score0.01187EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2024/02/06 12:15 p.m.•9 views

PYSEC-2024-36

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLENOLOG configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive...

5.5CVSS8.4AI score0.00301EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2024/01/31 5:15 p.m.•9 views

PYSEC-2024-127

Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. Label Studio's SSRF protections that can be enabled by setting the SSRFPROTECTIONENABLED environment variable can be bypassed to access...

5.3CVSS6.8AI score0.00737EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2024/01/30 1:15 a.m.•9 views

PYSEC-2024-27

CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and Local In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and accessing the Admin UI...

9.8CVSS7.2AI score0.00731EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/01/22 1:15 a.m.•9 views

PYSEC-2024-12

LlamaIndex aka llamaindex through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Dro...

9.8CVSS8AI score0.00654EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/01/03 9:15 a.m.•9 views

PYSEC-2024-129

FPE in paddle.nanmedian in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

7.5CVSS6.8AI score0.00484EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/01/03 9:15 a.m.•9 views

PYSEC-2024-146

PaddlePaddle before 2.6.0 has a command injection in convertshapecompare. This resulted in the ability to execute arbitrary commands on the operating system...

9.8CVSS8.2AI score0.01172EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/01/03 9:15 a.m.•9 views

PYSEC-2024-134

Nullptr in paddle.nextafterin PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

7.5CVSS6.8AI score0.00541EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/12/29 5:16 p.m.•9 views

PYSEC-2023-271

Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data. Hail relies on OpenID Connect OIDC email addresses from ID tokens to verify the validity of a user's domain, but because users have the ability to change...

5.3CVSS6.7AI score0.00367EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2023/12/12 2:15 a.m.•9 views

PYSEC-2023-261

SAPBTPSecurity Services Integration Library Pythonsap-xssec - versions 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application...

9.8CVSS7.5AI score0.01109EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2023/12/04 9:15 p.m.•9 views

PYSEC-2023-272

The Jupyter Server provides the backend i.e. the core services, APIs, and REST endpoints for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. Unhandled errors in API requests coming from an authenticated user include traceback information, which can include path information...

4.3CVSS6.8AI score0.00841EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2023/11/21 11:15 p.m.•9 views

PYSEC-2023-288

The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to onboarding task are...

6.5CVSS7AI score0.00414EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2023/11/16 6:15 p.m.•9 views

PYSEC-2023-243

Missing SSL certificate validation in localstack v2.3.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack...

7.4CVSS6.8AI score0.00298EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2023/10/19 10:15 p.m.•9 views

PYSEC-2023-229

ArchiveBox is an open source self-hosted web archiving system. Any users who are using the wget extractor and view the content it outputs. The impact is potentially severe if you are logged in to the ArchiveBox admin site in the same browser session and view an archived malicious page designed to...

6.4CVSS6.5AI score0.00674EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/09/12 2:15 a.m.•9 views

PYSEC-2023-172

The Create Single Payment application of SAP S/4HANA- versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment.When clicked on the XML file in the attachment section, the file gets opened in the browser to cause theentity loops to slow down...

4.3CVSS6.9AI score0.00414EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2023/09/04 6:15 p.m.•9 views

PYSEC-2023-168

Vyper is a Pythonic Smart Contract Language. In affected versions the order of evaluation of the arguments of the builtin functions uint256addmod, uint256mulmod, ecadd and ecmul does not follow source order. This behaviour is problematic when the evaluation of one of the arguments produces side...

5.3CVSS6.6AI score0.00455EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/08/25 1:15 a.m.•9 views

PYSEC-2023-154

Datasette is an open source multi-tool for exploring and publishing data. This bug affects Datasette instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible location but with authentication enabled using a plugin such as datasette-auth-passwords. The /-/ap...

5.3CVSS7.1AI score0.00464EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2023/07/15 11:15 p.m.•9 views

PYSEC-2023-312

Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command specifically, a SET command. NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this...

5.9CVSS7.4AI score0.01309EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2023/07/06 4:15 p.m.•9 views

PYSEC-2023-111

SQLFluff is a SQL linter. Prior to version 2.1.2, in environments where untrusted users have access to the config files, there is a potential security vulnerability where those users could use the librarypath config value to allow arbitrary python code to be executed via macros. For many users wh...

7.8CVSS7.6AI score0.00414EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2023/06/22 11:15 p.m.•9 views

PYSEC-2023-94

Flask-AppBuilder is an application development framework, built on top of Flask. Prior to version 4.3.2, an authenticated malicious actor with Admin privileges, could by adding a special character on the add, edit User forms trigger a database error, this error is surfaced back to this actor on t...

2.7CVSS6.7AI score0.00676EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2023/06/14 3:15 p.m.•9 views

PYSEC-2023-91

Langchain 0.0.171 is vulnerable to Arbitrary Code Execution...

9.8CVSS7.1AI score0.01681EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/05/25 10:15 a.m.•9 views

PYSEC-2023-75

Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL...

6.1CVSS6.8AI score0.01132EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/04/24 10:15 p.m.•9 views

PYSEC-2023-273

Kiwi TCMS is an open source test management system. In kiwitcms/Kiwi v12.2 and prior and kiwitcms/enterprise v12.2 and prior,the changelog.yml workflow is vulnerable to command injection attacks because of using an untrusted github.headref field. The github.headref value is an attacker-controlled...

8.8CVSS7.6AI score0.03596EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2023/04/18 10:15 p.m.•9 views

PYSEC-2023-87

sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS Regular Expression Denial of Service. This issue was introduced by commit e75e358. The vulnerability may lead to Denial of Service DoS. This...

7.5CVSS7.6AI score0.0098EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2023/03/01 9:15 p.m.•9 views

PYSEC-2023-53

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization B, they will retain...

6.5CVSS6.8AI score0.00375EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2023/02/23 12:15 a.m.•9 views

PYSEC-2023-24

Denial of service could be caused to markdown-it-py, before v2.2.0, if an attacker was allowed to force null assertions with specially crafted input...

5.5CVSS6.8AI score0.00225EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2023/02/22 11:15 p.m.•9 views

PYSEC-2023-23

Denial of service could be caused to the command line interface of markdown-it-py, before v2.2.0, if an attacker was allowed to use invalid UTF-8 characters as input...

5.5CVSS7AI score0.00225EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2023/02/15 3:15 p.m.•9 views

PYSEC-2023-49

Starlite is an Asynchronous Server Gateway Interface ASGI framework. Prior to version 1.5.2, the request body parsing in starlite allows a potentially unauthenticated attacker to consume a large amount of CPU time and RAM. The multipart body parser processes an unlimited number of file parts and ...

7.5CVSS7AI score0.01004EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/01/31 10:15 a.m.•9 views

PYSEC-2023-51

ubireaderextractfiles is vulnerable to path traversal when run against specifically crafted UBIFS files, allowing the attacker to overwrite files outside of the extraction directory provided the process has write access to that file or directory. This is due to the fact that a node name...

5.5CVSS7AI score0.0039EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2023/01/30 5:15 p.m.•9 views

PYSEC-2023-6

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 before 0.13.3...

7.5CVSS7AI score0.01331EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2023/01/26 10:15 p.m.•9 views

PYSEC-2023-30

Cross-site Scripting XSS - Stored in GitHub repository modoboa/modoboa prior to 2.0.4...

7.1CVSS6AI score0.00613EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/11/07 3:15 p.m.•9 views

PYSEC-2022-43093

The d8s-xml for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-utility package. The affected version of d8s-htm is 0.1.0...

9.8CVSS7.6AI score0.00997EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2022/11/07 3:15 p.m.•9 views

PYSEC-2022-43090

The d8s-timer for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. A potential code execution backdoor inserted by third parties is the democritus-dates package. The affected version of d8s-htm is 0.1.0...

8.8CVSS7.6AI score0.00972EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/09/26 5:15 a.m.•9 views

PYSEC-2022-288

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the predispatch flag in Parallel class due to the eval statement...

9.8CVSS5.5AI score0.01975EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/09/21 8:15 a.m.•9 views

PYSEC-2022-280

In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in the webserver's /confirm endpoint...

6.1CVSS6.9AI score0.01452EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/09/19 4:15 p.m.•9 views

PYSEC-2022-43119

The d8s-archives for python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-strings package. The affected version is 0.1.0...

9.8CVSS7AI score0.01238EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2022/09/02 7:15 a.m.•9 views

PYSEC-2022-261

In Apache Airflow prior to 2.3.4, an insecure umask was configured for numerous Airflow components when running with the --daemon flag which could result in a race condition giving world-writable files in the Airflow home directory and allowing local users to expose arbitrary file contents via th...

4.7CVSS6.6AI score0.00593EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/09/02 7:15 a.m.•9 views

PYSEC-2022-263

In Apache Airflow versions 2.2.4 through 2.3.3, the database webserver session backend was susceptible to session fixation...

9.8CVSS7AI score0.01881EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/08/29 3:15 a.m.•9 views

PYSEC-2022-257

NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity...

9.8CVSS7.2AI score0.08529EPSS
Exploits3References1Affected Software1
PyPA
PyPA
•added 2022/07/26 6:15 a.m.•9 views

PYSEC-2022-243

untangle is a python library to convert XML data to python objects. untangle versions 1.2.0 and earlier improperly restricts recursive entity references in DTDs. By exploiting this vulnerability, a remote unauthenticated attacker may cause a denial-of-service DoS condition on the server where the...

7.5CVSS7.1AI score0.01396EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/07/15 6:15 p.m.•9 views

PYSEC-2022-43143

OpenZeppelin Contracts for Cairo is a library for contract development written in Cairo for StarkNet, a decentralized ZK Rollup. Version 0.2.0 is vulnerable to an error that renders account contracts unusable on live networks. This issue affects all accounts vanilla and ethereum flavors in the...

6.5CVSS6.9AI score0.01115EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2022/07/04 4:15 p.m.•9 views

PYSEC-2022-213

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc and Extract database functions are subject to SQL injection if untrusted data is used as a kind/lookupname value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected...

9.8CVSS8AI score0.73274EPSS
Exploits3References4Affected Software1
PyPA
PyPA
•added 2022/06/24 9:15 p.m.•9 views

PYSEC-2022-217

The cryptoasset-data-downloader package in PyPI v1.0.0 to v1.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges...

9.8CVSS8AI score0.01857EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/05/20 7:15 p.m.•9 views

PYSEC-2022-43154

WASM3 v0.5.0 was discovered to contain a heap overflow via the component /wabt/bin/poc.wasm...

7.8CVSS7.6AI score0.0039EPSS
Exploits1References4Affected Software1
Total number of security vulnerabilities5000