Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
•added 2012/07/22 4:55 p.m.•8 views

PYSEC-2012-39

virt/disk/api.py in OpenStack Compute Nova Folsom 2012.2, Essex 2012.1, and Diablo 2011.3 allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image...

5.5CVSS6.9AI score0.02582EPSS
Exploits1References14Affected Software1
PyPA
PyPA
•added 2012/06/21 3:55 p.m.•8 views

PYSEC-2012-37

The 1 EC2 and 2 OS APIs in OpenStack Compute Nova Folsom 2012.2, Essex 2012.1, and Diablo 2011.3 do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restriction...

4.3CVSS7AI score0.02626EPSS
Exploits1References12Affected Software1
PyPA
PyPA
•added 2012/06/07 7:55 p.m.•8 views

PYSEC-2012-36

Openstack Compute Nova Folsom, 2012.1, and 2011.3 does not limit the number of security group rules, which allows remote authenticated users with certain permissions to cause a denial of service CPU and hard drive consumption via a network request that triggers a large number of iptables rules...

3.5CVSS6.7AI score0.0148EPSS
Exploits0References13Affected Software1
PyPA
PyPA
•added 2012/06/05 10:55 p.m.•8 views

PYSEC-2012-32

Cross-site scripting XSS vulnerability in the refresh mechanism in the log viewer in horizon/static/horizon/js/horizon.js in OpenStack Dashboard Horizon folsom-1 and 2012.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the guest console...

4.3CVSS6AI score0.02415EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2012/05/23 8:55 p.m.•8 views

PYSEC-2012-5

CRLF injection vulnerability in the tornado.web.RequestHandler.setheader function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input...

5CVSS7.5AI score0.01362EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2011/07/19 8:55 p.m.•8 views

PYSEC-2011-25

Unspecified vulnerability in 1 Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and 2 PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a "highly serious vulnerability." NOTE: this vulnerability...

7.5CVSS7.3AI score0.03171EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2011/06/06 7:55 p.m.•8 views

PYSEC-2011-15

Cross-site scripting XSS vulnerability in the safehtml filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422...

4.3CVSS6AI score0.01257EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2011/02/22 6:0 p.m.•8 views

PYSEC-2011-6

Cross-site scripting XSS vulnerability in the reStructuredText rst parser in parser/textrst.py in MoinMoin before 1.9.3, when docutils is installed or when "format rst" is set, allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in the refuri attribute. NOTE: some...

2.6CVSS6.1AI score0.02517EPSS
Exploits1References15Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•8 views

PYSEC-2010-7

Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.1 allows remote attackers to cause a denial of service daemon outage by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, a different...

4.3CVSS7AI score0.01582EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2010/10/19 8:0 p.m.•8 views

PYSEC-2010-4

Multiple directory traversal vulnerabilities in FTPServer.py in pyftpdlib before 0.3.0 allow remote authenticated users to access arbitrary files and directories via vectors involving a symlink in a pathname to a 1 CWD, 2 DELE, 3 STOR, or 4 RETR command...

6.5CVSS7.1AI score0.01412EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2010/08/05 1:22 p.m.•8 views

PYSEC-2010-18

Multiple cross-site scripting XSS vulnerabilities in MoinMoin 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to 1 action/SlideShow.py, 2 action/anywikidraw.py, and 3 action/languagesetup.py, a similar issue to CVE-2010-2487...

4.3CVSS6AI score0.02657EPSS
Exploits1References14Affected Software1
PyPA
PyPA
•added 2010/03/29 8:30 p.m.•8 views

PYSEC-2010-13

MoinMoin 1.7.x before 1.7.3 and 1.8.x before 1.8.3 checks parent ACLs in certain inappropriate circumstances during processing of hierarchical ACLs, which allows remote attackers to bypass intended access restrictions by requesting an item, a different vulnerability than CVE-2008-6603...

7.5CVSS7.1AI score0.03001EPSS
Exploits1References10Affected Software1
PyPA
PyPA
•added 2009/12/23 9:30 p.m.•8 views

PYSEC-2009-7

Multiple unspecified vulnerabilities in Trac before 0.11.6 have unknown impact and attack vectors, possibly related to 1 "policy checks in report results when using alternate formats" or 2 a "check for the 'raw' role that is missing in docutils 0.6."...

7.5CVSS7AI score0.01968EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added 2009/10/13 10:30 a.m.•8 views

PYSEC-2009-4

Algorithmic complexity vulnerability in the forms library in Django 1.0 before 1.0.4 and 1.1 before 1.1.1 allows remote attackers to cause a denial of service CPU consumption via a crafted 1 EmailField email address or 2 URLField URL that triggers a large amount of backtracking in a regular...

5CVSS6.7AI score0.03686EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2009/08/07 7:30 p.m.•8 views

PYSEC-2009-8

Unspecified vulnerability in Zope Object Database ZODB before 3.8.2, when certain Zope Enterprise Objects ZEO database sharing is enabled, allows remote attackers to execute arbitrary Python code via vectors involving the ZEO network protocol...

6.5CVSS7.8AI score0.02163EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2009/08/07 7:30 p.m.•8 views

PYSEC-2009-9

Zope Object Database ZODB before 3.8.2, when certain Zope Enterprise Objects ZEO database sharing is enabled, allows remote attackers to bypass authentication via vectors involving the ZEO network protocol...

7.5CVSS7.2AI score0.0286EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2009/02/03 11:30 a.m.•8 views

PYSEC-2009-16

Heap-based buffer overflow in the qtdemuxparsesamples function in gst/qtdemux/qtdemux.c in GStreamer Good Plug-ins aka gst-plugins-good 0.10.9 through 0.10.11, and GStreamer Plug-ins aka gstreamer-plugins 0.8.5, might allow remote attackers to execute arbitrary code via crafted Time-to-sample aka...

9.3CVSS6.4AI score0.07147EPSS
Exploits1References22Affected Software1
PyPA
PyPA
•added 2008/09/04 5:41 p.m.•8 views

PYSEC-2008-2

The administration application in Django 0.91, 0.95, and 0.96 stores unauthenticated HTTP POST requests and processes them after successful authentication occurs, which allows remote attackers to conduct cross-site request forgery CSRF attacks and delete or modify data via unspecified requests...

5.8CVSS7.3AI score0.00931EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2008/07/27 10:41 p.m.•8 views

PYSEC-2008-4

Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter, possibly related to the quickjump function...

6.1CVSS7AI score0.01834EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2008/05/23 3:32 p.m.•8 views

PYSEC-2008-1

Cross-site scripting XSS vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the URI of a certain previous request...

4.3CVSS6AI score0.01312EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2008/03/20 12:44 a.m.•8 views

PYSEC-2008-14

Multiple cross-site request forgery CSRF vulnerabilities in Plone CMS 3.0.5 and 3.0.6 allow remote attackers to 1 add arbitrary accounts via the joinform page and 2 change the privileges of arbitrary groups via the prefsgroupsoverview page...

4.3CVSS7.3AI score0.00642EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2007/11/07 9:46 p.m.•8 views

PYSEC-2007-4

Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the 1 statusmessages or 2 linkintegrity module, which the module unpickles and executes...

7.5CVSS7.9AI score0.02187EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2007/03/10 10:19 p.m.•8 views

PYSEC-2007-3

Trac before 0.10.3.1 does not send a Content-Disposition HTTP header specifying an attachment in certain "unsafe" situations, which has unknown impact and remote attack vectors...

10CVSS7AI score0.01342EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2006/12/07 11:28 p.m.•8 views

PYSEC-2006-10

Unspecified vulnerability in PlonePAS in Plone 2.5 and 2.5.1, when anonymous member registration is enabled, allows an attacker to "masquerade as a group."...

4.3CVSS5.8AI score0.00996EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added yesterday•7 views

Malicious code in orchestr8-platform (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of orchestr8-platform were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added yesterday•7 views

Server-Side Request Forgery in gradio

A Server-Side Request Forgery SSRF vulnerability exists in the gradio-app/gradio and was discovered in version 4.21.0, specifically within the /queue/join endpoint and the saveurltocache function. The vulnerability arises when the path value, obtained from the user and expected to be a URL, is us...

8.6CVSS7.2AI score0.37366EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added yesterday•7 views

No protection against brute-force attacks on login page

ImpactPrevious versions of Kiwi TCMS do not impose rate limits which makes it easier to attempt brute-force attacks against the login page. PatchesUsers should upgrade to v12.0 or later. WorkaroundsUsers may install and configure a rate-limiting proxy in front of Kiwi TCMS. For example nginx...

9.8CVSS7.2AI score0.00902EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2026/06/29 11:50 a.m.•7 views

NASA AIT-Core vulnerable to remote code execution

An issue in NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via a crafted packet...

9.3CVSS6.3AI score0.00438EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2026/06/23 5:17 p.m.•7 views

PYSEC-0000-CVE-2026-55423

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0...

6.1CVSS5.8AI score0.00152EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2026/06/12 6:16 p.m.•7 views

PYSEC-2026-217

MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysqlrealescapestring and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections,...

9.8CVSS5.5AI score0.00419EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2026/06/09 9:16 a.m.•7 views

PYSEC-2026-208

The Apache Airflow Samba provider's GCSToSambaOperator joined GCS object names to the SMB destination path without a containment check, so an object named with ../ segments resolved a write path outside the configured destinationpath. An attacker able to write objects into the source GCS bucket —...

6.5CVSS5.5AI score0.00695EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2026/06/04 12:16 p.m.•7 views

PYSEC-0000-CVE-2026-10804

A vulnerability has been found in Streamlit up to 1.53.0. Impacted is an unknown function in the library lib/streamlit/runtime/caching/hashing.py of the component Palette Handler. Such manipulation leads to use of weak hash. Local access is required to approach this attack. The attack requires a...

4.7CVSS4.2AI score0.00083EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2026/06/04 12:16 a.m.•7 views

PYSEC-0000-CVE-2026-10783

A security flaw has been discovered in gradio-app gradio 6.14.0. This affects the function saveaudiotocache of the component Audio Cache Key Handler. Performing a manipulation results in use of weak hash. The attack must be initiated from a local position. The attack is considered to have high...

2.5CVSS4AI score0.00106EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2026/06/03 2:16 p.m.•7 views

PYSEC-2026-213

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...

7.5CVSS5.3AI score0.00328EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2025/09/25 4:15 p.m.•7 views

PYSEC-2025-205

A syntax error in the component proxytensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service DoS...

7.5CVSS5.7AI score0.00381EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2025/03/03 4:15 p.m.•7 views

PYSEC-2025-15

Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3...

5.3CVSS6.9AI score0.00304EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2025/02/26 9:19 p.m.•7 views

Posts scraped data to IP address associated with other malware distribution attacks.

Published in 2021, the imblog package is a Python librarythat scrapes data from a blog page to an IP address associated with other malware distribution attacks...

6.8AI score
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/02/26 8:59 p.m.•7 views

Exfiltrates cookies to hardcoded IP address

Published in 2021, the colabrun package is a Python librarythat exfiltrates user cookies to a hardcoded IP address.The package was found to exfiltrate user data to a hardcoded server,which could be used for malicious purposes...

6.7AI score
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/02/03 5:15 p.m.•7 views

PYSEC-2025-127

lunasvg v3.0.1 was discovered to contain a segmentation violation via the component grayfindcell...

6.5CVSS5.7AI score0.00402EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/01/29 9:15 p.m.•7 views

PYSEC-2025-26

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. A function from the...

7CVSS7.8AI score0.003EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/12/13 5:15 a.m.•7 views

PYSEC-2024-158

Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks...

7.1CVSS7.1AI score0.00547EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2024/12/06 12:15 p.m.•7 views

PYSEC-2024-156

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The striptags method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities...

7.5CVSS6.8AI score0.01398EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2024/11/19 10:15 p.m.•7 views

PYSEC-2024-160

lxmlhtmlclean is a project for HTML cleaning functionalities copied from lxml.html.clean. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as , and . This behavior deviates from how web browsers parse and interpret such tags...

7.7CVSS5.8AI score0.00472EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/11/18 3:15 p.m.•7 views

PYSEC-2024-313

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. Prior to version 6.1.9, the regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed...

8.2CVSS5.3AI score0.00442EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/11/15 11:15 a.m.•7 views

PYSEC-2024-123

An open redirection vulnerability exists in pyload/pyload version 0.5.0. The vulnerability is due to improper handling of the 'next' parameter in the login functionality. An attacker can exploit this vulnerability to redirect users to malicious sites, which can be used for phishing or other...

6.1CVSS6.8AI score0.00319EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/11/08 10:15 p.m.•7 views

PYSEC-2024-305

wasm3 139076a contains memory leaks in Readutf8...

8.4CVSS5.8AI score0.00266EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/11/06 8:15 p.m.•7 views

PYSEC-2024-275

Gradio is an open-source Python package designed to enable quick builds of a demo or web application. If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary file...

6.5CVSS5.9AI score0.00672EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2024/11/05 7:15 p.m.•7 views

PYSEC-2024-202

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user...

6.5CVSS6.4AI score0.00282EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/10/29 3:15 p.m.•7 views

PYSEC-2024-210

Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a request that is exactly recvbytes defaults to 8192 long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled default we won't read any more requests, and when the...

9.1CVSS6.8AI score0.00496EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2024/10/29 1:15 p.m.•7 views

PYSEC-2024-114

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service DoS by deleting all...

9.8CVSS7.4AI score0.0031EPSS
Exploits1References3Affected Software1
Total number of security vulnerabilities5000