Lucene search
K
PypaMost viewed

5620 matches found

PyPA
PyPA
•added 2025/07/20 12:15 p.m.•8 views

PYSEC-2025-234

A vulnerability, which was classified as problematic, has been found in Huashengdun WebSSH up to 1.6.2. Affected by this issue is some unknown functionality of the component Login Page. The manipulation of the argument hostname/port leads to cross site scripting. The attack may be launched...

6.1CVSS4AI score0.00429EPSS
Exploits2References6Affected Software1
PyPA
PyPA
•added 2025/05/30 7:15 p.m.•8 views

PYSEC-2025-54

vLLM is an inference and serving engine for large language models LLMs. In versions 0.8.0 up to but excluding 0.9.0, hitting the /v1/completions API with a invalid jsonschema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex...

6.5CVSS6.9AI score0.00453EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2025/05/17 4:15 p.m.•8 views

PYSEC-2025-49

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in PackageIndex is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with...

8.8CVSS8.2AI score0.01479EPSS
Exploits4References7Affected Software1
PyPA
PyPA
•added 2025/04/09 4:15 p.m.•8 views

PYSEC-2025-32

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, there was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized...

9.8CVSS7.4AI score0.45773EPSS
Exploits4References3Affected Software1
PyPA
PyPA
•added 2025/04/07 8:15 p.m.•8 views

PYSEC-2025-117

Buffer Overflow vulnerability in gdal 3.10.2 allows a local attacker to cause a denial of service via the OGRSpatialReference::Release function. NOTE: the Supplier indicates that the report is invalid and could not be reproduced...

5.5CVSS5.8AI score0.00199EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/03/25 8:15 a.m.•8 views

PYSEC-2025-162

A vulnerability has been found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This vulnerability affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation of the argument na...

8.8CVSS4.9AI score0.00618EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2025/03/25 8:15 a.m.•8 views

PYSEC-2025-163

A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This issue affects the function fastatorealmove in the library include/assimp/fastatof.h of the component CSM File Handler. The manipulation leads to out-of-bounds read. The attack may be initiated...

8.8CVSS4.9AI score0.00623EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2025/03/10 12:15 p.m.•8 views

PYSEC-2025-20

picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan...

6.5CVSS6.8AI score0.00307EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2025/02/21 10:15 p.m.•8 views

PYSEC-2025-29

vyper is a Pythonic Smart Contract Language for the EVM. Vyper sqrt builtin uses the babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to sqrt incorrectly returning rounded up results. This issue is being addressed a...

7.5CVSS6.8AI score0.00302EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2025/02/07 8:15 p.m.•8 views

PYSEC-2025-62

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Maliciously constructed statements can lead to hash collisions, resulting in cache reuse, which can interfere with subsequent responses and cause unintended behavior. Prefix caching makes use of Python's built-i...

2.6CVSS6.6AI score0.00184EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2025/01/29 9:15 p.m.•8 views

PYSEC-2025-26

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. A function from the...

7CVSS7.8AI score0.003EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/01/23 1:15 a.m.•8 views

PYSEC-2025-132

lunasvg v3.0.0 was discovered to contain a segmentation violation via the component compositionsourceover...

6.5CVSS5.7AI score0.00334EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/01/23 1:15 a.m.•8 views

PYSEC-2025-133

lunasvg v3.0.0 was discovered to contain a segmentation violation via the component grayrecordcell...

6.5CVSS5.7AI score0.00334EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/01/14 7:15 p.m.•8 views

PYSEC-2025-118

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List ACL for file paths can be bypassed by altering the letter case of a blocked file or directory path. This...

8.7CVSS5.8AI score0.00836EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/01/14 6:16 p.m.•8 views

PYSEC-2025-33

Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover 0x1 and Identity 0x4, the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but let the overall executi...

7.5CVSS7.2AI score0.00643EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/12/13 5:15 a.m.•8 views

PYSEC-2024-158

Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks...

7.1CVSS7.1AI score0.00558EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2024/11/20 9:15 p.m.•8 views

PYSEC-2024-178

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to...

8.2CVSS7.2AI score0.01004EPSS
Exploits2References6Affected Software1
PyPA
PyPA
•added 2024/11/15 11:15 a.m.•8 views

PYSEC-2024-123

An open redirection vulnerability exists in pyload/pyload version 0.5.0. The vulnerability is due to improper handling of the 'next' parameter in the login functionality. An attacker can exploit this vulnerability to redirect users to malicious sites, which can be used for phishing or other...

6.1CVSS6.8AI score0.00319EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/11/12 6:15 p.m.•8 views

PYSEC-2024-231

LightGBM Remote Code Execution Vulnerability...

8.1CVSS7.5AI score0.01384EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/11/08 10:15 p.m.•8 views

PYSEC-2024-305

wasm3 139076a contains memory leaks in Readutf8...

8.4CVSS5.8AI score0.00266EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/11/06 8:15 p.m.•8 views

PYSEC-2024-275

Gradio is an open-source Python package designed to enable quick builds of a demo or web application. If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary file...

6.5CVSS5.9AI score0.00672EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2024/11/06 3:15 p.m.•8 views

PYSEC-2024-238

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the API URL ends with Authentication. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints includ...

10CVSS7AI score0.40058EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/11/05 4:4 p.m.•8 views

PYSEC-2024-115

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain-community version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service DoS by deleting all data, breaches in multi-tena...

9.8CVSS7.8AI score0.13803EPSS
Exploits2References4Affected Software2
PyPA
PyPA
•added 2024/10/29 1:15 p.m.•8 views

PYSEC-2024-119

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240628 allows for a Denial of Service DOS attack. When uploading a file, if an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering ChuanhuChatGPT...

7.5CVSS6.8AI score0.00604EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/10/29 1:15 p.m.•8 views

PYSEC-2024-112

An arbitrary file read vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240628 due to insufficient validation when loading prompt template files. An attacker can read any file that matches specific criteria using an absolute path. The file must not have a .json extension and, except f...

7.5CVSS7AI score0.00781EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/10/29 1:15 p.m.•8 views

PYSEC-2024-111

A path traversal vulnerability exists in the getFullPath method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read .txt files, and delete files. The vulnerability is exploited through the...

9.1CVSS6.8AI score0.00545EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/10/10 11:15 p.m.•8 views

PYSEC-2024-199

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a timing attack in the way Gradio compares hashes for the analyticsdashboard function. Since the comparison is not done in constant time, an attacker could exploit this by measuring the response ti...

3.7CVSS6.7AI score0.00285EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/10/10 10:15 p.m.•8 views

PYSEC-2024-197

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a one-level read path traversal in the /customcomponent endpoint. Attackers can exploit this flaw to access and leak source code from custom Gradio components by manipulating the file path in the...

5.3CVSS6.7AI score0.00421EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/10/02 8:15 p.m.•8 views

PYSEC-2024-101

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. A path traversal vulnerability inside of LocalMode's openlocalfile method allows an authenticated user with adequate permissions to download any .txt via the ScreensControllersh...

6.5CVSS6.9AI score0.00932EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2024/09/17 7:15 p.m.•8 views

PYSEC-2024-88

A vulnerability was found in MicroPython 1.23.0. It has been rated as critical. Affected by this issue is the function mpzasbytes of the file py/objint.c. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and ma...

7.5CVSS7.3AI score0.00985EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2024/09/17 7:15 p.m.•8 views

PYSEC-2024-95

A vulnerability was found in MicroPython 1.23.0. It has been classified as critical. Affected is the function mpvfsumount of the file extmod/vfs.c of the component VFS Unmount Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The exploit...

7.5CVSS7.4AI score0.01006EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added 2024/09/17 7:15 p.m.•8 views

PYSEC-2024-89

A vulnerability was found in MicroPython 1.23.0. It has been rated as critical. Affected by this issue is the function mpzasbytes of the file py/objint.c. The manipulation leads to heap-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and ma...

7.5CVSS7.3AI score0.00985EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2024/08/18 7:15 p.m.•8 views

PYSEC-2024-71

A vulnerability in corydolphin/flask-cors up to version 4.0.1 allows the Access-Control-Allow-Private-Network CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant...

7.5CVSS6.8AI score0.00677EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2024/08/14 9:15 p.m.•8 views

PYSEC-2024-188

WebOb provides objects for HTTP requests and responses. When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urlparse, and joining it to the base URL. urlparse however treats a // at the...

6.1CVSS6.8AI score0.00497EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/08/08 3:15 p.m.•8 views

PYSEC-2024-200

JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the admin:users scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that...

7.2CVSS7.2AI score0.0059EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/08/07 3:15 p.m.•8 views

PYSEC-2024-67

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent...

7.5CVSS7AI score0.012EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/07/31 1:15 a.m.•8 views

PYSEC-2024-73

A vulnerability in the JSON file handling of gaizhenbiao/chuanhuchatgpt version 20240410 allows any user to delete any JSON file on the server, including critical configuration files such as config.json and dsconfigchatbot.json. This issue arises due to improper validation of file paths, enabling...

9.1CVSS6.9AI score0.13092EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/07/24 6:15 p.m.•8 views

PYSEC-2024-203

DuckDB is a SQL database management system. In versions 1.0.0 and prior, content in filesystem is accessible for reading using sniffcsv, even with enableexternalaccess=false. This vulnerability provides an attacker with access to filesystem even when access is expected to be disabled and other...

7.5CVSS7.4AI score0.00813EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2024/07/17 9:15 a.m.•8 views

PYSEC-2024-172

Time-of-check Time-of-use TOCTOU Race Condition vulnerability in Apache StreamPipes in user self-registration.This allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and...

5.3CVSS7AI score0.0066EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/07/17 8:15 a.m.•8 views

PYSEC-2024-190

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a docmd parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to...

8.8CVSS7.6AI score0.01726EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2024/07/15 5:15 a.m.•8 views

PYSEC-2024-62

Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database, the code will attempt to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary python code if the...

8.5CVSS8.1AI score0.01864EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2024/07/11 11:15 a.m.•8 views

PYSEC-2024-61

A Stored Cross-Site Scripting XSS vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410. This vulnerability allows an attacker to inject malicious JavaScript code into the chat history file. When a victim uploads this file, the malicious script is executed in the victim's browser...

7.4CVSS5.6AI score0.00371EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/06/27 10:15 p.m.•8 views

PYSEC-2024-167

NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averagedperceptrontagger and punkt...

9.8CVSS8.2AI score0.01346EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/06/16 3:15 p.m.•8 views

PYSEC-2024-53

langchainexperimental aka LangChain Experimental before 0.0.61 for LangChain provides Python REPL access without an opt-in step. NOTE; this issue exists because of an incomplete fix for CVE-2024-27444...

9.8CVSS7AI score0.00766EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/06/06 7:15 p.m.•8 views

PYSEC-2024-170

A stored Cross-Site Scripting XSS vulnerability was identified in the zenml-io/zenml repository, specifically within the 'logourl' field. By injecting malicious payloads into this field, an attacker could send harmful messages to other users, potentially compromising their accounts. The...

4.8CVSS5.8AI score0.00364EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2024/06/06 7:15 p.m.•8 views

PYSEC-2024-118

A Denial-of-Service DoS vulnerability exists in the SitemapLoader class of the langchain-ai/langchain repository, affecting all versions. The parsesitemap method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the...

4.7CVSS6.9AI score0.00301EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2024/05/16 9:15 a.m.•8 views

PYSEC-2024-244

A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '' character can be used to insert a path into the fragment, effectively...

7.5CVSS6.7AI score0.89716EPSS
Exploits2References5Affected Software1
PyPA
PyPA
•added 2024/04/26 12:15 a.m.•8 views

PYSEC-2024-232

python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217...

6.5CVSS7AI score0.00307EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/04/25 6:15 p.m.•8 views

PYSEC-2024-209

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the sqrt builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the buildIR function of the sqrt builtin doesn't cache the argument to...

5.3CVSS7AI score0.00451EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2024/04/23 6:15 p.m.•8 views

PYSEC-2024-50

Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate...

6.5CVSS6.7AI score0.01463EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities5000