Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
added 2014/05/27 1:55 p.m.8 views

PYSEC-2014-110

Multiple cross-site scripting XSS vulnerabilities in apps/common/templates/calculateformtitle.html in Mayan EDMS 0.13 allow remote authenticated users to inject arbitrary web script or HTML via a 1 tag or the 2 title of a source in a Staging folder, 3 Name field in a bootstrap setup, or Title fie...

3.5CVSS5.7AI score0.03476EPSS
Exploits1References10Affected Software1
PyPA
PyPA
added 2014/05/20 2:55 p.m.8 views

PYSEC-2014-86

The 1 makenonce, 2 generatenonce, and 3 generateverifier functions in SimpleGeo python-oauth2 uses weak random numbers to generate nonces, which makes it easier for remote attackers to guess the nonce via a brute force attack...

5.8CVSS6.9AI score0.0243EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/04/23 3:55 p.m.8 views

PYSEC-2014-3

The 1 FilePathField, 2 GenericIPAddressField, and 3 IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, relate...

10CVSS7.2AI score0.04753EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.8 views

PYSEC-2014-52

traverser.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers with administrator privileges to cause a denial of service infinite loop and resource consumption via unspecified vectors related to "retrieving information for certain resources."...

4.3CVSS6.7AI score0.01347EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.8 views

PYSEC-2014-60

The object manager implementation objectmanager.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 does not properly restrict access to internal methods, which allows remote attackers to obtain sensitive information via a crafted request...

5CVSS6.5AI score0.0138EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.8 views

PYSEC-2014-58

The WYSIWYG component wysiwyg.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote attackers to obtain sensitive information via a crafted URL, which reveals the installation path in an error message...

4.3CVSS6.6AI score0.01214EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2014/01/28 12:55 a.m.8 views

PYSEC-2014-117

The parser cache functionality in parsergenerator.py in RPLY aka python-rply before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-.json file with a predictable name...

2.1CVSS5.8AI score0.00351EPSS
Exploits0References7
PyPA
PyPA
added 2014/01/28 12:55 a.m.8 views

PYSEC-2014-17

The parser cache functionality in parsergenerator.py in RPLY aka python-rply before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-.json file with a predictable name...

2.1CVSS6.6AI score0.00351EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2014/01/21 4:6 p.m.8 views

PYSEC-2014-64

The isURLInPortal method in the URLTool class in inportal.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 treats URLs starting with a space as a relative URL, which allows remote attackers to bypass the allowexternalloginsites filtering property, redirect users to...

5.8CVSS6.9AI score0.02264EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2013/09/27 10:8 a.m.8 views

PYSEC-2013-34

Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to 1 remotestorage.py, 2 storage.py, 3 render/datalib.py, and 4 whitelist/views.py, a different vulnerability than CVE-2013-5093...

6.8CVSS8.1AI score0.38668EPSS
Exploits5References3Affected Software1
PyPA
PyPA
added 2013/09/27 10:8 a.m.8 views

PYSEC-2013-4

Multiple cross-site scripting XSS vulnerabilities in Graphite before 0.9.11 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors...

4.3CVSS6AI score0.0117EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2013/05/21 6:55 p.m.8 views

PYSEC-2013-41

OpenStack Identity Keystone Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token...

6CVSS7AI score0.02468EPSS
Exploits1References11Affected Software1
PyPA
PyPA
added 2013/05/02 2:55 p.m.8 views

PYSEC-2013-17

The form library in Django 1.3.x before 1.3.6, 1.4.x before 1.4.4, and 1.5 before release candidate 2 allows remote attackers to bypass intended resource limits for formsets and cause a denial of service memory consumption or trigger server errors via a modified maxnum parameter...

5CVSS6.9AI score0.02574EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2012/11/04 10:55 p.m.8 views

PYSEC-2012-17

Tweepy does not verify that the server hostname matches a domain name in the subject's Common Name CN or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the Python httplib library...

5.8CVSS6.9AI score0.00597EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2012/07/22 4:55 p.m.8 views

PYSEC-2012-39

virt/disk/api.py in OpenStack Compute Nova Folsom 2012.2, Essex 2012.1, and Diablo 2011.3 allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image...

5.5CVSS6.9AI score0.02582EPSS
Exploits1References14Affected Software1
PyPA
PyPA
added 2012/06/21 3:55 p.m.8 views

PYSEC-2012-37

The 1 EC2 and 2 OS APIs in OpenStack Compute Nova Folsom 2012.2, Essex 2012.1, and Diablo 2011.3 do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restriction...

4.3CVSS7AI score0.02626EPSS
Exploits1References12Affected Software1
PyPA
PyPA
added 2012/06/07 7:55 p.m.8 views

PYSEC-2012-36

Openstack Compute Nova Folsom, 2012.1, and 2011.3 does not limit the number of security group rules, which allows remote authenticated users with certain permissions to cause a denial of service CPU and hard drive consumption via a network request that triggers a large number of iptables rules...

3.5CVSS6.7AI score0.0148EPSS
Exploits0References13Affected Software1
PyPA
PyPA
added 2012/06/05 10:55 p.m.8 views

PYSEC-2012-32

Cross-site scripting XSS vulnerability in the refresh mechanism in the log viewer in horizon/static/horizon/js/horizon.js in OpenStack Dashboard Horizon folsom-1 and 2012.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the guest console...

4.3CVSS6AI score0.02415EPSS
Exploits0References10Affected Software1
PyPA
PyPA
added 2012/05/23 8:55 p.m.8 views

PYSEC-2012-5

CRLF injection vulnerability in the tornado.web.RequestHandler.setheader function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input...

5CVSS7.5AI score0.01362EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2011/07/19 8:55 p.m.8 views

PYSEC-2011-25

Unspecified vulnerability in 1 Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and 2 PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a "highly serious vulnerability." NOTE: this vulnerability...

7.5CVSS7.3AI score0.03171EPSS
Exploits0References10Affected Software1
PyPA
PyPA
added 2011/06/06 7:55 p.m.8 views

PYSEC-2011-15

Cross-site scripting XSS vulnerability in the safehtml filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422...

4.3CVSS6AI score0.01257EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2011/02/22 6:0 p.m.8 views

PYSEC-2011-6

Cross-site scripting XSS vulnerability in the reStructuredText rst parser in parser/textrst.py in MoinMoin before 1.9.3, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the refuri attribute. NOTE: some...

2.6CVSS6.1AI score0.02517EPSS
Exploits1References15Affected Software1
PyPA
PyPA
added 2010/10/19 8:0 p.m.8 views

PYSEC-2010-4

Multiple directory traversal vulnerabilities in FTPServer.py in pyftpdlib before 0.3.0 allow remote authenticated users to access arbitrary files and directories via vectors involving a symlink in a pathname to a 1 CWD, 2 DELE, 3 STOR, or 4 RETR command...

6.5CVSS7.1AI score0.01412EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2010/10/19 8:0 p.m.8 views

PYSEC-2010-7

Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.1 allows remote attackers to cause a denial of service daemon outage by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, a different...

4.3CVSS7AI score0.01582EPSS
Exploits0References11Affected Software1
PyPA
PyPA
added 2010/08/05 1:22 p.m.8 views

PYSEC-2010-18

Multiple cross-site scripting XSS vulnerabilities in MoinMoin 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to 1 action/SlideShow.py, 2 action/anywikidraw.py, and 3 action/languagesetup.py, a similar issue to CVE-2010-2487...

4.3CVSS6AI score0.02657EPSS
Exploits1References14Affected Software1
PyPA
PyPA
added 2010/03/29 8:30 p.m.8 views

PYSEC-2010-13

MoinMoin 1.7.x before 1.7.3 and 1.8.x before 1.8.3 checks parent ACLs in certain inappropriate circumstances during processing of hierarchical ACLs, which allows remote attackers to bypass intended access restrictions by requesting an item, a different vulnerability than CVE-2008-6603...

7.5CVSS7.1AI score0.03001EPSS
Exploits1References10Affected Software1
PyPA
PyPA
added 2009/12/23 9:30 p.m.8 views

PYSEC-2009-7

Multiple unspecified vulnerabilities in Trac before 0.11.6 have unknown impact and attack vectors, possibly related to 1 "policy checks in report results when using alternate formats" or 2 a "check for the 'raw' role that is missing in docutils 0.6."...

7.5CVSS7AI score0.01968EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added 2009/10/13 10:30 a.m.8 views

PYSEC-2009-4

Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service CPU consumption via a crafted 1 EmailField email address or 2 URLField URL that triggers a large amount of backtracking in a regular...

5CVSS6.7AI score0.03686EPSS
Exploits0References11Affected Software1
PyPA
PyPA
added 2009/08/07 7:30 p.m.8 views

PYSEC-2009-8

Unspecified vulnerability in Zope Object Database ZODB before 3.8.2, when certain Zope Enterprise Objects ZEO database sharing is enabled, allows remote attackers to execute arbitrary Python code via vectors involving the ZEO network protocol...

6.5CVSS7.8AI score0.02163EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2009/08/07 7:30 p.m.8 views

PYSEC-2009-9

Zope Object Database ZODB before 3.8.2, when certain Zope Enterprise Objects ZEO database sharing is enabled, allows remote attackers to bypass authentication via vectors involving the ZEO network protocol...

7.5CVSS7.2AI score0.0286EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2009/02/03 11:30 a.m.8 views

PYSEC-2009-16

Heap-based buffer overflow in the qtdemuxparsesamples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins aka gst-plugins-good 0.10.9 through 0.10.11, and GStreamer Plug-ins aka gstreamer-plugins 0.8.5, might allow remote attackers to execute arbitrary code via crafted Time-to-sample aka...

9.3CVSS6.4AI score0.07147EPSS
Exploits1References22Affected Software1
PyPA
PyPA
added 2008/09/04 5:41 p.m.8 views

PYSEC-2008-2

The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery CSRF attacks and delete or modify data via unspecified requests...

5.8CVSS7.3AI score0.00931EPSS
Exploits0References11Affected Software1
PyPA
PyPA
added 2008/07/27 10:41 p.m.8 views

PYSEC-2008-4

Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter, possibly related to the quickjump function...

6.1CVSS7AI score0.01834EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2008/05/23 3:32 p.m.8 views

PYSEC-2008-1

Cross-site scripting XSS vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the URI of a certain previous request...

4.3CVSS6AI score0.01312EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added 2008/03/20 12:44 a.m.8 views

PYSEC-2008-14

Multiple cross-site request forgery CSRF vulnerabilities in Plone CMS 3.0.5 and 3.0.6 allow remote attackers to 1 add arbitrary accounts via the joinform page and 2 change the privileges of arbitrary groups via the prefsgroupsoverview page...

4.3CVSS7.3AI score0.00642EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2007/11/07 9:46 p.m.8 views

PYSEC-2007-4

Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the 1 statusmessages or 2 linkintegrity module, which the module unpickles and executes...

7.5CVSS7.9AI score0.02187EPSS
Exploits0References12Affected Software1
PyPA
PyPA
added 2007/03/10 10:19 p.m.8 views

PYSEC-2007-3

Trac before 0.10.3.1 does not send a Content-Disposition HTTP header specifying an attachment in certain "unsafe" situations, which has unknown impact and remote attack vectors...

10CVSS7AI score0.01342EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2006/12/07 11:28 p.m.8 views

PYSEC-2006-10

Unspecified vulnerability in PlonePAS in Plone 2.5 and 2.5.1, when anonymous member registration is enabled, allows an attacker to "masquerade as a group."...

4.3CVSS5.8AI score0.00996EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday7 views

Malicious code in orchestr8-platform (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of orchestr8-platform were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.7 views

Apache Airflow Google Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0...

9.8CVSS7.2AI score0.01583EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.7 views

NASA AIT-Core vulnerable to remote code execution

An issue in NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via a crafted packet...

9.3CVSS6.3AI score0.00438EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/06/23 5:17 p.m.7 views

PYSEC-0000-CVE-2026-55423

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0...

6.1CVSS5.8AI score0.00152EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2026/06/12 6:16 p.m.7 views

PYSEC-2026-217

MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysqlrealescapestring and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections,...

9.8CVSS5.5AI score0.00419EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2026/06/09 9:16 a.m.7 views

PYSEC-2026-208

The Apache Airflow Samba provider's GCSToSambaOperator joined GCS object names to the SMB destination path without a containment check, so an object named with ../ segments resolved a write path outside the configured destinationpath. An attacker able to write objects into the source GCS bucket —...

6.5CVSS5.5AI score0.00695EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/06/04 12:16 p.m.7 views

PYSEC-0000-CVE-2026-10804

A vulnerability has been found in Streamlit up to 1.53.0. Impacted is an unknown function in the library lib/streamlit/runtime/caching/hashing.py of the component Palette Handler. Such manipulation leads to use of weak hash. Local access is required to approach this attack. The attack requires a...

4.7CVSS4.2AI score0.00083EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2026/06/04 12:16 a.m.7 views

PYSEC-0000-CVE-2026-10783

A security flaw has been discovered in gradio-app gradio 6.14.0. This affects the function saveaudiotocache of the component Audio Cache Key Handler. Performing a manipulation results in use of weak hash. The attack must be initiated from a local position. The attack is considered to have high...

2.5CVSS4AI score0.00106EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2026/06/03 2:16 p.m.7 views

PYSEC-2026-213

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...

7.5CVSS5.3AI score0.00328EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2025/12/23 9:15 p.m.7 views

PYSEC-2025-212

Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this...

7.8CVSS7.6AI score0.00262EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2025/09/25 4:15 p.m.7 views

PYSEC-2025-205

A syntax error in the component proxytensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service DoS...

7.5CVSS5.7AI score0.00381EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/09/25 4:15 p.m.7 views

PYSEC-2025-208

A buffer overflow occurs in pytorch v2.7.0 when a PyTorch model consists of torch.nn.Conv2d, torch.nn.functional.hardshrink, and torch.Tensor.view-torch.mv and is compiled by Inductor, leading to a Denial of Service DoS...

7.5CVSS6AI score0.0042EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities5000