Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
•added 2026/06/03 2:16 p.m.•7 views

PYSEC-2026-213

daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 unlimited, an unauthenticated remote attacker could send arbitrarily large WebSocket messages or frames, causing excessive memory...

7.5CVSS5.3AI score0.00328EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2025/09/25 4:15 p.m.•7 views

PYSEC-2025-205

A syntax error in the component proxytensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service DoS...

7.5CVSS5.7AI score0.00381EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2025/03/03 4:15 p.m.•7 views

PYSEC-2025-15

Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3...

5.3CVSS6.9AI score0.00304EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2025/02/26 9:19 p.m.•7 views

Posts scraped data to IP address associated with other malware distribution attacks.

Published in 2021, the imblog package is a Python librarythat scrapes data from a blog page to an IP address associated with other malware distribution attacks...

6.8AI score
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/02/26 8:59 p.m.•7 views

Exfiltrates cookies to hardcoded IP address

Published in 2021, the colabrun package is a Python librarythat exfiltrates user cookies to a hardcoded IP address.The package was found to exfiltrate user data to a hardcoded server,which could be used for malicious purposes...

6.7AI score
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/02/03 5:15 p.m.•7 views

PYSEC-2025-127

lunasvg v3.0.1 was discovered to contain a segmentation violation via the component grayfindcell...

6.5CVSS5.7AI score0.00402EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/01/29 9:15 p.m.•7 views

PYSEC-2025-26

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. A function from the...

7CVSS7.8AI score0.003EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/12/13 5:15 a.m.•7 views

PYSEC-2024-158

Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks...

7.1CVSS7.1AI score0.00547EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2024/12/06 12:15 p.m.•7 views

PYSEC-2024-156

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The striptags method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities...

7.5CVSS6.8AI score0.01398EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2024/11/19 10:15 p.m.•7 views

PYSEC-2024-160

lxmlhtmlclean is a project for HTML cleaning functionalities copied from lxml.html.clean. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as , and . This behavior deviates from how web browsers parse and interpret such tags...

7.7CVSS5.8AI score0.00472EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/11/18 3:15 p.m.•7 views

PYSEC-2024-313

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. Prior to version 6.1.9, the regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed...

8.2CVSS5.3AI score0.00442EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/11/15 11:15 a.m.•7 views

PYSEC-2024-123

An open redirection vulnerability exists in pyload/pyload version 0.5.0. The vulnerability is due to improper handling of the 'next' parameter in the login functionality. An attacker can exploit this vulnerability to redirect users to malicious sites, which can be used for phishing or other...

6.1CVSS6.8AI score0.00319EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/11/08 10:15 p.m.•7 views

PYSEC-2024-305

wasm3 139076a contains memory leaks in Readutf8...

8.4CVSS5.8AI score0.00266EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/11/06 8:15 p.m.•7 views

PYSEC-2024-275

Gradio is an open-source Python package designed to enable quick builds of a demo or web application. If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary file...

6.5CVSS5.9AI score0.00672EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2024/11/05 7:15 p.m.•7 views

PYSEC-2024-202

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user...

6.5CVSS6.4AI score0.00282EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/10/29 3:15 p.m.•7 views

PYSEC-2024-210

Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a request that is exactly recvbytes defaults to 8192 long, followed by a secondary request using HTTP pipelining. When request lookahead is disabled default we won't read any more requests, and when the...

9.1CVSS6.8AI score0.00496EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2024/10/29 1:15 p.m.•7 views

PYSEC-2024-119

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240628 allows for a Denial of Service DOS attack. When uploading a file, if an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering ChuanhuChatGPT...

7.5CVSS6.8AI score0.00604EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/10/29 1:15 p.m.•7 views

PYSEC-2024-111

A path traversal vulnerability exists in the getFullPath method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read .txt files, and delete files. The vulnerability is exploited through the...

9.1CVSS6.8AI score0.00545EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/10/29 1:15 p.m.•7 views

PYSEC-2024-114

A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service DoS by deleting all...

9.8CVSS7.4AI score0.0031EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/10/24 10:15 p.m.•7 views

PYSEC-2024-191

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Prior to version 3.12.3, when the logging level was set by the user to DEBUG, the Connector could have logged Duo passcodes when specified...

5.5CVSS6.6AI score0.00203EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2024/10/10 11:15 p.m.•7 views

PYSEC-2024-217

Gradio is an open-source Python package designed for quick prototyping. This is a data validation vulnerability affecting several Gradio components, which allows arbitrary file leaks through the post-processing step. Attackers can exploit these components by crafting requests that bypass expected...

7.5CVSS6.8AI score0.00804EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/10/10 10:15 p.m.•7 views

PYSEC-2024-215

Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to Server-Side Request Forgery SSRF in the /queue/join endpoint. Gradio’s asyncsaveurltocache function allows attackers to force the Gradio server to send HTTP requests to user-controlled URLs. This...

9.8CVSS6.8AI score0.00463EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/10/10 10:15 p.m.•7 views

PYSEC-2024-213

Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to the bypass of directory traversal checks within the isinorequal function. This function, intended to check if a file resides within a given directory, can be bypassed with certain payloads that...

6.5CVSS7AI score0.00687EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/10/10 10:15 p.m.•7 views

PYSEC-2024-196

Gradio is an open-source Python package designed for quick prototyping. This vulnerability is related to CORS origin validation, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized requests to a local Gradio...

8.3CVSS7AI score0.00484EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/09/17 7:15 p.m.•7 views

PYSEC-2024-92

A vulnerability was found in MicroPython 1.22.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file py/objarray.c. The manipulation leads to use after free. The attack can be launched remotely. The complexity of an attack is rather high. The...

8.1CVSS7.2AI score0.01029EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2024/09/17 7:15 p.m.•7 views

PYSEC-2024-93

A vulnerability was found in MicroPython 1.23.0. It has been classified as critical. Affected is the function mpvfsumount of the file extmod/vfs.c of the component VFS Unmount Handler. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The exploit...

7.5CVSS7.4AI score0.01006EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added 2024/09/12 1:15 p.m.•7 views

PYSEC-2024-77

An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the Weaviate engine,...

8.8CVSS7.9AI score0.02148EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/09/12 1:15 p.m.•7 views

PYSEC-2024-84

Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it...

7.5CVSS7.6AI score0.00481EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/09/12 1:15 p.m.•7 views

PYSEC-2024-82

Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with...

8.8CVSS7.6AI score0.0068EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/09/12 1:15 p.m.•7 views

PYSEC-2024-79

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list creation. If such a query i...

8.8CVSS7.9AI score0.00864EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/09/12 1:15 p.m.•7 views

PYSEC-2024-80

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for site column creation. If such a...

8.8CVSS7.8AI score0.00864EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/09/07 8:15 a.m.•7 views

PYSEC-2024-266

Example DAG: exampleinleteventextra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the...

8.8CVSS6.1AI score0.01237EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/08/08 3:15 p.m.•7 views

PYSEC-2024-200

JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the admin:users scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that...

7.2CVSS7.2AI score0.0059EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/07/24 6:15 p.m.•7 views

PYSEC-2024-203

DuckDB is a SQL database management system. In versions 1.0.0 and prior, content in filesystem is accessible for reading using sniffcsv, even with enableexternalaccess=false. This vulnerability provides an attacker with access to filesystem even when access is expected to be disabled and other...

7.5CVSS7.4AI score0.00813EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2024/07/17 8:15 p.m.•7 views

PYSEC-2024-63

In Roundup before 2.4.0, classhelpers generic.help.html allow XSS...

6.1CVSS7AI score0.00289EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/07/17 8:15 p.m.•7 views

PYSEC-2024-65

Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents...

5.4CVSS6.4AI score0.00324EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/07/17 9:15 a.m.•7 views

PYSEC-2024-172

Time-of-check Time-of-use TOCTOU Race Condition vulnerability in Apache StreamPipes in user self-registration.This allows an attacker to potentially request the creation of multiple accounts with the same email address until the email address is registered, creating many identical users and...

5.3CVSS7AI score0.0066EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/07/16 11:15 p.m.•7 views

PYSEC-2024-66

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, it has the ability to override macros, materializations, and other core components of dbt. This is by design, as it...

7.8CVSS6.8AI score0.00372EPSS
Exploits1References11Affected Software1
PyPA
PyPA
•added 2024/07/10 5:15 a.m.•7 views

PYSEC-2024-57

An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate method allows remote attackers to enumerate users via a timing attack involving login requests for users with an unusable password...

5.3CVSS8.1AI score0.00889EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/07/05 7:15 p.m.•7 views

PYSEC-2024-230

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.05.30 and prior to 2024.07.4 recognized root certificates from GLOBALTRUST. Certifi 2024.07.04 removes root certificates...

7.5CVSS6.8AI score0.01049EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2024/06/27 10:15 p.m.•7 views

PYSEC-2024-167

NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averagedperceptrontagger and punkt...

9.8CVSS8.2AI score0.01346EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/06/24 6:15 p.m.•7 views

PYSEC-2024-54

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Zip files uploaded to the server endpoint of CodeChecker store are not properly sanitized. An attacker, using a path traversal attack, can load and display files on the machine o...

6.5CVSS6.6AI score0.0073EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2024/06/14 9:15 a.m.•7 views

PYSEC-2024-195

Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow.Airflow did not return "Cache-Control" header for dynamic content, which in case of some browsers could result in potentially storing sensitive data in local cache of the browser.This issue affects Apache...

5.5CVSS6.6AI score0.00318EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2024/06/12 2:15 p.m.•7 views

PYSEC-2024-97

UNSUPPORTED WHEN ASSIGNED Improper Authentication vulnerability in Apache Submarine Commons Utils.This issue affects Apache Submarine Commons Utils: from 0.8.0.As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or...

9.8CVSS6.9AI score0.01008EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2024/06/06 7:15 p.m.•7 views

PYSEC-2024-242

A Local File Inclusion LFI vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../'. An attacker can...

7.5CVSS6.5AI score0.21847EPSS
Exploits2References6Affected Software1
PyPA
PyPA
•added 2024/06/06 7:15 p.m.•7 views

PYSEC-2024-170

A stored Cross-Site Scripting XSS vulnerability was identified in the zenml-io/zenml repository, specifically within the 'logourl' field. By injecting malicious payloads into this field, an attacker could send harmful messages to other users, potentially compromising their accounts. The...

4.8CVSS5.8AI score0.00364EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2024/06/06 7:15 p.m.•7 views

PYSEC-2024-118

A Denial-of-Service DoS vulnerability exists in the SitemapLoader class of the langchain-ai/langchain repository, affecting all versions. The parsesitemap method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the...

4.7CVSS6.9AI score0.00301EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2024/06/06 4:15 p.m.•7 views

PYSEC-2024-165

The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access to the Windows...

7.5CVSS7.2AI score0.00699EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/05/16 9:15 a.m.•7 views

PYSEC-2024-244

A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulnerability arises from the application's handling of artifact URLs, where a '' character can be used to insert a path into the fragment, effectively...

7.5CVSS6.7AI score0.89716EPSS
Exploits2References5Affected Software1
PyPA
PyPA
•added 2024/05/06 12:15 a.m.•7 views

PYSEC-2024-175

WordOps through 3.20.0 has a wo/cli/plugins/stackpref.py TOCTOU race condition because the confpath os.open does not use a mode parameter during file creation...

7.7CVSS6.9AI score0.00181EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities5000