Lucene search
K
PypaMost viewed

5612 matches found

PyPA
PyPA
added 2024/02/01 5:15 p.m.6 views

PYSEC-2024-149

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice function uses a non-literal argument for the start ...

9.8CVSS7.1AI score0.00902EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2024/01/30 4:15 p.m.6 views

PYSEC-2024-30

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning FL and Multi-Party Computation MPC. Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is...

8.8CVSS7.9AI score0.01266EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2024/01/29 11:15 p.m.6 views

PYSEC-2024-24

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'followsymlinks' can be used to determine whether to follow symboli...

7.5CVSS6.8AI score0.76875EPSS
Exploits15References5Affected Software1
PyPA
PyPA
added 2024/01/23 6:15 p.m.6 views

PYSEC-2024-22

TuiTse-TsuSin is a package for organizing the comparative corpus of Taiwanese Chinese characters and Roman characters, and extracting sentences of the Taiwanese Chinese characters and the Roman characters. Prior to version 1.3.2, when using tuitsehtml without quoting the input, there is a html...

6.1CVSS7.1AI score0.00428EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2024/01/21 5:15 p.m.6 views

PYSEC-2024-8

The JSON loader in Embedchain before 0.1.57 allows a ReDoS regular expression denial of service via a long string to json.py...

7.5CVSS6.8AI score0.00768EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2024/01/18 12:15 a.m.6 views

PYSEC-2024-17

pyLoad is a free and open-source Download Manager written in pure Python. The pyload API allows any API call to be made using GET requests. Since the session cookie is not set to SameSite: strict, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery CSRF attac...

9.6CVSS6.9AI score0.00948EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2024/01/03 10:31 p.m.6 views

gratient 0.5 contains credential harvesting code

gratient is a user-facing library for generating color gradients of text.Version 0.5 contained obfuscated, malicious code targetingWindows platforms, harvesting information and credentials from theuser's system and sending them to a remote server.Services may include Mullvad VPN and Telegram...

7.1AI score
Exploits0References2Affected Software1
PyPA
PyPA
added 2024/01/03 9:15 a.m.6 views

PYSEC-2024-133

OOB access in paddle.modein PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

7.5CVSS6.8AI score0.00484EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2024/01/03 9:15 a.m.6 views

PYSEC-2024-139

Stack overflow in paddle.linalg.luunpackin PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage...

9.8CVSS7.2AI score0.00529EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2024/01/03 9:15 a.m.6 views

PYSEC-2024-142

PaddlePaddle before 2.6.0 has a command injection in getonlinepassinterval. This resulted in the ability to execute arbitrary commands on the operating system...

9.8CVSS8.2AI score0.01172EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2024/01/03 9:15 a.m.6 views

PYSEC-2024-143

PaddlePaddle before 2.6.0 has a command injection in wgetdownload. This resulted in the ability to execute arbitrary commands on the operating system...

9.8CVSS8.2AI score0.01172EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2024/01/03 9:15 a.m.6 views

PYSEC-2024-136

Stack overflow in paddle.searchsortedin PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage...

9.8CVSS7.2AI score0.00576EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2024/01/03 9:15 a.m.6 views

PYSEC-2024-130

FPE in paddle.linalg.matrixrank in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

7.5CVSS6.8AI score0.00484EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2024/01/03 9:15 a.m.6 views

PYSEC-2024-144

Nullptr dereference in paddle.cropin PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

7.5CVSS6.8AI score0.00484EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2024/01/03 9:15 a.m.6 views

PYSEC-2024-141

Heap buffer overflow in paddle.repeatinterleavein PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, information disclosure, or more damage is possible...

9.8CVSS7.3AI score0.00538EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2023/12/29 5:15 a.m.6 views

PYSEC-2023-256

A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function pollsetaddfd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The...

9.8CVSS6.9AI score0.00892EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2023/12/29 5:15 a.m.6 views

PYSEC-2023-257

A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function pollsetaddfd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The...

9.8CVSS6.9AI score0.00892EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2023/12/29 5:15 a.m.6 views

PYSEC-2023-258

A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview. Affected by this issue is the function pollsetaddfd of the file extmod/modselect.c. The manipulation leads to use after free. The exploit has been disclosed to the public and may be used. The...

9.8CVSS6.9AI score0.00892EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2023/12/22 5:15 p.m.6 views

PYSEC-2023-287

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level extras.runjob permission is checked i.e., does the user have...

4.3CVSS6.8AI score0.00448EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2023/12/21 10:15 a.m.6 views

PYSEC-2023-265

Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to...

6.5CVSS6.5AI score0.018EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2023/12/21 10:15 a.m.6 views

PYSEC-2023-266

Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation.As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the executio...

6.5CVSS7AI score0.01032EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2023/12/13 10:15 a.m.6 views

PYSEC-2023-295

An XSS vulnerability stored in Repox has been identified, which allows a local attacker to store a specially crafted JavaScript payload on the server, due to the lack of proper sanitisation of field elements, allowing the attacker to trigger the malicious payload when the application loads...

5.5CVSS6AI score0.00373EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2023/12/12 4:15 a.m.6 views

PYSEC-2023-281

Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository mlflow/mlflow prior to 2.9.2...

10CVSS6.7AI score0.0093EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2023/12/11 7:15 p.m.6 views

PYSEC-2023-277

MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a server-side request forgery vulnerability in file.py. This can lead to limited information disclosure. Users should use MindsDB's staging branch or v23.11.4.1, which contain a fix for the issu...

6.5CVSS6.6AI score0.00422EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2023/11/29 8:15 p.m.6 views

PYSEC-2023-251

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request e.g. insert a new header or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if th...

5.3CVSS6.7AI score0.0094EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2023/11/17 5:41 p.m.6 views

PYSEC-2023-238

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources for example user-supplied input files...

9.8CVSS7.9AI score0.14414EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2023/11/16 6:15 p.m.6 views

PYSEC-2023-245

PyPinkSign v0.5.1 uses a non-random or static IV for Cipher Block Chaining CBC mode in AES encryption. This vulnerability can lead to the disclosure of information and communications...

7.5CVSS6.5AI score0.00473EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/11/14 9:15 p.m.6 views

PYSEC-2023-246

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTPNOEXTENSIONS is enabled or not using a prebuilt wheel. These bugs have...

7.5CVSS7AI score0.0085EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2023/11/14 9:15 p.m.6 views

PYSEC-2023-304

vantage6 is a framework to manage and deploy privacy enhancing technologies like Federated Learning FL and Multi-Party Computation MPC. In affected versions a node does not check if an image is allowed to run if a parentid is set. A malicious party that breaches the server may modify it to set a...

8.8CVSS6.9AI score0.00446EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2023/11/14 9:15 p.m.6 views

PYSEC-2023-303

vantage6 is a framework to manage and deploy privacy enhancing technologies like Federated Learning FL and Multi-Party Computation MPC. In affected versions a node does not check if an image is allowed to run if a parentid is set. A malicious party that breaches the server may modify it to set a...

8.8CVSS6.9AI score0.00446EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2023/11/14 3:15 a.m.6 views

PYSEC-2023-239

An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation...

6.8CVSS7.1AI score0.00867EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2023/11/06 6:15 p.m.6 views

PYSEC-2023-233

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds write was found in Exiv2 version v0.28.0. The vulnerable function, BmffImage::brotliUncompress, is new in v0.28.0, so earlier versions of Exiv2 are not...

8.8CVSS7AI score0.00965EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2023/11/02 6:15 a.m.6 views

PYSEC-2023-222

An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS denial of service attack via certain inputs with a very large number of...

7.5CVSS7AI score0.49774EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/10/25 6:17 p.m.6 views

PYSEC-2023-220

Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the ?depth= query parameter, can expose hashed user passwords as stored in the database to...

6.5CVSS6.6AI score0.00529EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2023/10/22 7:15 p.m.6 views

PYSEC-2023-210

views.py in Wagtail CRX CodeRed Extensions formerly CodeRed CMS or coderedcms before 0.22.3 allows upward protected/..%2f..%2f path traversal when serving protected media...

6.5CVSS7AI score0.0071EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2023/10/20 5:15 p.m.6 views

PYSEC-2023-217

Cross-Site Request Forgery CSRF in GitHub repository modoboa/modoboa prior to 2.2.2...

8.8CVSS6.7AI score0.00428EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2023/10/20 5:15 p.m.6 views

PYSEC-2023-216

Cross-site Scripting XSS - DOM in GitHub repository modoboa/modoboa prior to 2.2.2...

7.1CVSS6.2AI score0.00514EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2023/10/14 10:15 a.m.6 views

PYSEC-2023-197

Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read information about task instances in other DAGs.Users of Apache Airflow are advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with...

6.5CVSS6.6AI score0.01551EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2023/10/14 10:15 a.m.6 views

PYSEC-2023-203

Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to...

6.5CVSS6.6AI score0.01433EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/10/10 6:15 p.m.6 views

PYSEC-2023-199

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation which...

4.9CVSS6.8AI score0.01166EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2023/10/04 5:15 p.m.6 views

PYSEC-2023-192

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak...

8.1CVSS6.5AI score0.01207EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2023/10/03 5:15 a.m.6 views

PYSEC-2023-189

Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. Note: This issue is a result of missing checks for services that require an active session...

7.5CVSS6.8AI score0.00454EPSS
Exploits1References12Affected Software1
PyPA
PyPA
added 2023/09/27 3:19 p.m.6 views

PYSEC-2023-180

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users were able to forge read receipts for any event if they knew the room ID and event ID. Note that the users were not able to view the events, but simply mark it as read. This could be confusing as...

4.3CVSS6.7AI score0.0065EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2023/09/27 3:19 p.m.6 views

PYSEC-2023-185

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the users' passwords as...

3.7CVSS6.9AI score0.00362EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2023/09/27 3:19 p.m.6 views

PYSEC-2023-191

Vyper is a Pythonic Smart Contract Language for the EVM. The abidecode function does not validate input when it is nested in an expression. Uses of abidecode can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue has not yet been fixed, but a...

7.5CVSS6.8AI score0.00554EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2023/09/21 3:15 p.m.6 views

PYSEC-2023-311

plone.namedfile allows users to handle File and Image fields targeting, but not depending on, Plone Dexterity content. Prior to versions 5.6.1, 6.0.3, 6.1.3, and 6.2.1, there is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this by...

5.4CVSS6AI score0.00475EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added 2023/09/18 9:16 p.m.6 views

PYSEC-2023-305

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine EVM. Starting in version 0.2.9 and prior to version 0.3.10, locks of the type @nonreentrant"" or @nonreentrant'' do not produce reentrancy checks at runtime. This issue is fixed in version 0.3.10. As a workaround, ensure...

5.3CVSS6.7AI score0.00423EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2023/09/05 11:15 a.m.6 views

PYSEC-2023-169

Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. Anything that uses Git Providers with different environments can get garbage data or the wrong data, which can lead to wrongful data disclosure, wrongfu...

7.8CVSS7AI score0.00286EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2023/09/01 4:15 p.m.6 views

PYSEC-2023-163

An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library...

9.8CVSS8.1AI score0.01322EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added 2023/08/30 10:15 p.m.6 views

PYSEC-2023-165

GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the .git directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the .git...

6.5CVSS7.3AI score0.01012EPSS
Exploits1References3Affected Software1
Total number of security vulnerabilities5000