Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
•added 2023/07/12 10:15 a.m.•7 views

PYSEC-2023-103

Apache Airflow, versions before 2.6.3, is affected by a vulnerability that allows an unauthorized actor to gain access to sensitive information in Connection edit view. This vulnerability is considered low since it requires someone with access to Connection resources specifically updating the...

6.5CVSS6.7AI score0.00886EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/07/11 3:15 p.m.•7 views

PYSEC-2023-116

xalpha v0.11.4 is vulnerable to Remote Command Execution RCE...

9.8CVSS7.2AI score0.01406EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2023/07/06 2:15 p.m.•7 views

PYSEC-2023-110

SQL injection vulnerability in langchain v.0.0.64 allows a remote attacker to obtain sensitive information via the SQLDatabaseChain component...

7.5CVSS7.8AI score0.01237EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2023/07/05 10:15 p.m.•7 views

PYSEC-2023-107

Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. A path traversal directory traversal vulnerability affects fides versions lower than version 2.15.1, allowing...

7.5CVSS7AI score0.01491EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/07/03 5:15 p.m.•7 views

PYSEC-2023-113

Products.CMFCore are the key framework services for the Zope Content Management Framework CMF. The use of Python's marshal module to handle unchecked input in a public method on PortalFolder objects can lead to an unauthenticated denial of service and crash situation. The code in question is...

7.5CVSS7.1AI score0.00723EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/07/03 1:15 p.m.•7 views

PYSEC-2023-100

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS regular expression denial of service attack via a very large number of domain name labels of emails and URLs...

7.5CVSS6.8AI score0.02978EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2023/06/30 8:15 p.m.•7 views

PYSEC-2023-99

A dependency confusion in pipreqs v0.3.0 to v0.4.11 allows attackers to execute arbitrary code via uploading a crafted PyPI package to the chosen repository server...

9.8CVSS7.8AI score0.01187EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2023/06/30 6:15 p.m.•7 views

PYSEC-2023-93

pacparserfindproxy in Pacparser before 1.4.2 allows JavaScript injection, and possibly privilege escalation, when the attacker controls the URL which may be realistic within enterprise security products...

6.1CVSS7AI score0.00362EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2023/06/29 9:15 p.m.•7 views

PYSEC-2023-95

py-xml v1.0 was discovered to contain an XML External Entity Injection XXE vulnerability which allows attackers to execute arbitrary code via a crafted XML file...

7.5CVSS8.5AI score0.00795EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2023/06/20 3:15 p.m.•7 views

PYSEC-2023-92

Langchain 0.0.171 is vulnerable to Arbitrary code execution in loadprompt...

9.8CVSS7.7AI score0.00943EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2023/06/19 9:15 a.m.•7 views

PYSEC-2023-89

In Apache Airflow, some potentially sensitive values were being shown to the user in certain situations.This vulnerability is mitigated by the fact configuration is not shown in the UI by default only if webserver exposeconfig is set to non-sensitive-only, and not all uncensored values are actual...

6.5CVSS7AI score0.01518EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2023/06/08 9:15 p.m.•7 views

PYSEC-2023-88

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Versions prior to 3.0.2 are vulnerable to command injection via single sign-onSSO browser URL authentication. In order to exploit the...

8.8CVSS8.1AI score0.01841EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/06/06 7:15 p.m.•7 views

PYSEC-2023-84

Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are true: 1. JSON Web Tokens are enabled for login via the...

5.4CVSS6.6AI score0.00752EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2023/05/30 6:16 a.m.•7 views

PYSEC-2023-81

A vulnerability classified as problematic was found in MindSpore 2.0.0-alpha/2.0.0-rc1. This vulnerability affects the function JsonHelper::UpdateArray of the file mindspore/ccsrc/minddata/dataset/util/jsonhelper.cc. The manipulation leads to memory corruption. The name of the patch is...

6.5CVSS6.8AI score0.00875EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2023/05/26 2:15 p.m.•7 views

PYSEC-2023-65

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver receiving some events can validate that those events are...

5CVSS6.8AI score0.00635EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/05/18 5:15 p.m.•7 views

PYSEC-2023-299

Insecure Temporary File in GitHub repository huggingface/transformers prior to 4.30.0...

4.7CVSS6.8AI score0.00282EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2023/05/11 9:15 p.m.•7 views

PYSEC-2023-77

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, during codegen, the length word of a dynarray is written before the data, which can result in out-of-bounds array access in the case where the dynarray is on both the lhs and rhs of an assignment...

9.1CVSS7AI score0.01241EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2023/05/09 3:15 p.m.•7 views

PYSEC-2023-64

mage-ai is an open-source data pipeline tool for transforming and integrating data. Those who use Mage starting in version 0.8.34 and prior to 0.8.72 with user authentication enabled may be affected by a vulnerability. The terminal could be accessed by users who are not signed in or do not have...

9.8CVSS6.9AI score0.00659EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2023/04/28 12:15 a.m.•7 views

PYSEC-2023-68

Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1...

10CVSS6.8AI score0.04153EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/04/24 10:15 p.m.•7 views

PYSEC-2023-131

Vyper is a Pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.1 through 0.3.7, the Vyper compiler generates the wrong bytecode. Any contract that uses the rawcall with revertonfailure=False and maxoutsize=0 receives the wrong response from rawcall. Depending on the...

7.5CVSS6.8AI score0.00883EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2023/04/21 9:15 p.m.•7 views

PYSEC-2023-27

mindsdb is a Machine Learning platform to help developers build AI solutions. In affected versions an unsafe extraction is being performed using tarfile.extractall from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. Sometimes, the...

7.5CVSS6.5AI score0.01EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/04/21 1:15 p.m.•7 views

PYSEC-2023-36

Cross-Site Request Forgery CSRF in GitHub repository modoboa/modoboa prior to 2.1.0...

6.8CVSS6.7AI score0.00378EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2023/04/17 8:15 a.m.•7 views

PYSEC-2023-44

In Apache Spark versions prior to 3.4.0, applications using spark-submit can specify a 'proxy-user' to run as, limiting privileges. The application can execute code with the privileges of the submitting user, however, by providing malicious configuration-related classes on the classpath. This...

9.9CVSS7.9AI score0.01109EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/04/17 8:15 a.m.•7 views

PYSEC-2023-8

Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component on 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database.This problem is fixed from version 0.13.4 of...

9.8CVSS7AI score0.01447EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/04/17 7:15 a.m.•7 views

PYSEC-2023-7

Improper Authentication vulnerability in Apache Software Foundation Apache IoTDB.This issue affects Apache IoTDB Grafana Connector: from 0.13.0 through 0.13.3.Attackers could login without authorization. This is fixed in 0.13.4...

9.8CVSS6.9AI score0.01222EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/04/03 5:15 p.m.•7 views

PYSEC-2023-56

Wagtail is an open source content management system built on Django. Prior to versions 4.1.4 and 4.2.2, a memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A use...

4.9CVSS6.7AI score0.0107EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2023/04/03 4:15 p.m.•7 views

PYSEC-2023-263

An improper array index validation vulnerability exists in the stlfixnormaldirections functionality of ADMesh Master Commit 767a105 and v0.98.4. A specially-crafted stl file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability...

8.8CVSS7.2AI score0.01061EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/03/31 8:15 p.m.•7 views

zstd vulnerable to buffer overrun

A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun...

7.5CVSS7.4AI score0.01588EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2023/03/30 7:15 p.m.•7 views

PYSEC-2023-26

MindsDB is an open source machine learning platform. An unsafe extraction is being performed using shutil.unpackarchive from a remotely retrieved tarball. Which may lead to the writing of the extracted files to an unintended location. This vulnerability is sometimes called a TarSlip or a ZipSlip...

8.8CVSS6.8AI score0.00883EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2023/03/06 11:15 p.m.•7 views

PYSEC-2023-270

A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to tamper with images, compromising the integrity of virtual machines created using these modified images...

2.8CVSS6.4AI score0.00323EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2023/03/05 7:15 p.m.•7 views

PYSEC-2023-209

A vulnerability, which was classified as critical, has been found in json-logic-js 2.0.0. Affected by this issue is some unknown functionality of the file logic.js. The manipulation leads to command injection. Upgrading to version 2.0.1 is able to address this issue. The patch is identified as...

9.8CVSS7.3AI score0.02187EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2023/03/01 5:15 p.m.•7 views

PYSEC-2023-52

vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. vantage6 does not inform the user of wrong username/password combination if the username actually exists. This is an attempt to prevent bots from obtaining usernames. However, if a wrong password is...

6.5CVSS6.9AI score0.00591EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2023/02/17 6:15 p.m.•7 views

PYSEC-2023-47

Buffer Overflow vulnerability in Saltstack v.3003 and before allows attacker to execute arbitrary code via the func variable in salt/salt/modules/status.py file...

9.8CVSS8AI score0.01642EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2023/02/14 8:15 p.m.•7 views

PYSEC-2023-58

Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. ...

7.5CVSS7.5AI score0.0142EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2023/02/10 8:15 p.m.•7 views

PYSEC-2023-17

IPython Interactive Python is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.1.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requir...

7CVSS9.5AI score0.01295EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2023/02/07 10:15 p.m.•7 views

PYSEC-2023-276

An XSS vulnerability was discovered in the Mayan EDMS DMS. Successful XSS exploitation was observed in the in-product tagging system...

5.4CVSS6.4AI score0.00582EPSS
Exploits2References3Affected Software1
PyPA
PyPA
•added 2023/02/01 7:15 p.m.•7 views

PYSEC-2023-12

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very larg...

7.5CVSS6.8AI score0.47102EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2023/01/30 5:15 a.m.•7 views

PYSEC-2023-298

isInList in the safeurl-python package before 1.2 for Python has an insufficiently restrictive regular expression for external domains, leading to SSRF...

5.3CVSS7AI score0.00558EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2023/01/28 11:15 p.m.•7 views

PYSEC-2023-43

A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 and classified as critical. This vulnerability affects unknown code of the file psiturk/experiment.py. The manipulation of the argument mode leads to improper neutralization of special elements used in a template engine. The exploit has...

8.8CVSS7.3AI score0.00898EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2023/01/20 7:15 p.m.•7 views

PYSEC-2023-290

An issue was discovered with assimp 5.1.4, a use after free occurred in function ColladaParser::ExtractDataObjectFromChannel in file /code/AssetLib/Collada/ColladaParser.cpp...

8.8CVSS7AI score0.00723EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2023/01/05 8:15 a.m.•7 views

PYSEC-2023-19

A vulnerability, which was classified as problematic, was found in kakwa LdapCherry up to 0.x. Affected is an unknown function of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.0.0 is able to address...

6.1CVSS6AI score0.00537EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2023/01/04 3:15 p.m.•7 views

PYSEC-2023-4

Improper validation of script alert plugin parameters in Apache DolphinScheduler to avoid remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions...

9.8CVSS7.4AI score0.0255EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2022/12/27 3:15 p.m.•7 views

PYSEC-2022-43007

Failure to Sanitize Special Elements into a Different Plane Special Element Injection in GitHub repository ikus060/rdiffweb prior to 2.5.5...

6.6CVSS6.7AI score0.00485EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/12/27 11:15 a.m.•7 views

PYSEC-2022-43014

A vulnerability, which was classified as problematic, has been found in cocagne pysrp up to 1.0.16. This issue affects the function calculatex of the file srp/ctsrp.py. The manipulation leads to information exposure through discrepancy. Upgrading to version 1.0.17 is able to address this issue. T...

7.5CVSS6.8AI score0.00705EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2022/12/23 12:15 a.m.•7 views

PYSEC-2022-42991

An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server...

7.5CVSS7.3AI score0.01804EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2022/12/16 11:15 p.m.•7 views

PYSEC-2022-42993

GuardDog is a CLI tool to identify malicious PyPI packages. Versions prior to v0.1.8 are vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package. Extracting files using shutil.unpackarchive from a potentially malicious tarball without validating that the destinati...

6.5CVSS7.1AI score0.00704EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/12/15 9:15 p.m.•7 views

PYSEC-2022-42990

A vulnerability was found in collective.task up to 3.0.9. It has been classified as problematic. This affects the function renderCell/AssignedGroupColumn of the file src/collective/task/browser/table.py. The manipulation leads to cross site scripting. It is possible to initiate the attack remotel...

6.1CVSS6.1AI score0.00542EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/12/14 3:15 p.m.•7 views

PYSEC-2022-42989

A vulnerability, which was classified as problematic, has been found in collective.dms.basecontent up to 1.6. This issue affects the function renderCell of the file src/collective/dms/basecontent/browser/column.py. The manipulation leads to cross site scripting. The attack may be initiated...

6.1CVSS6AI score0.00492EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2022/11/22 1:15 a.m.•7 views

PYSEC-2022-42987

CKAN through 2.9.6 account takeovers by unauthenticated users when an existing user id is sent via an HTTP POST request. This allows a user to take over an existing account including superuser accounts...

8.8CVSS7AI score0.00679EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2022/11/17 11:15 p.m.•7 views

PYSEC-2022-43140

A heap buffer overflow in the LIEF::MachO::BinaryParser::parsedyldinfogenericbind function of LIEF v0.12.1 allows attackers to cause a Denial of Service DoS via a crafted MachO file...

6.5CVSS7.2AI score0.0066EPSS
Exploits1References3Affected Software1
Total number of security vulnerabilities5000