Lucene search
K
PypaMost viewed

5616 matches found

PyPA
PyPA
•added 2026/02/12 11:16 p.m.•12 views

PYSEC-2026-57

DokuWiki 2018-04-22b contains a username enumeration vulnerability in its password reset functionality that allows attackers to identify valid user accounts. Attackers can submit different usernames to the password reset endpoint and distinguish between existing and non-existing accounts by...

6.9CVSS5.8AI score0.00407EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2026/02/09 11:16 a.m.•12 views

PYSEC-2026-12

Apache Airflow versions 3.0.0 - 3.1.7, has vulnerability that allows authenticated UI users with permission to one or more specific Dags to view import errors generated by other Dags they did not have access to. Users are advised to upgrade to 3.1.7 or later, which resolves this issue...

6.5CVSS5.8AI score0.00739EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2026/02/09 11:16 a.m.•12 views

PYSEC-2026-11

Apache Airflow versions 3.1.0 through 3.1.6 contain an authorization flaw that can allow an authenticated user with custom permissions limited to task access to view task logs without having task log access. Users are recommended to upgrade to Apache Airflow 3.1.7 or later, which resolves this...

6.5CVSS5.8AI score0.00382EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2026/02/06 10:16 p.m.•12 views

PYSEC-2026-95

NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOADDIR / file.name. Malicious filenames containing ../ sequences allow attackers to...

7.5CVSS6.5AI score0.03212EPSS
Exploits3References3Affected Software1
PyPA
PyPA
•added 2026/02/03 3:16 p.m.•12 views

PYSEC-2026-46

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.FilteredRelation is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the kwargs passed to QuerySet methods annotate, aggregate...

5.4CVSS7.3AI score0.00754EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2026/02/02 11:16 p.m.•12 views

PYSEC-2026-138

A stored cross-site scripting XSS vulnerability in the Forums module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload...

5.4CVSS5.9AI score0.00235EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2026/01/16 11:16 a.m.•12 views

PYSEC-2026-9

In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed coremaxtemplatedfieldlength, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include...

7.5CVSS5.8AI score0.00586EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2026/01/12 11:15 p.m.•12 views

PYSEC-2026-75

LangChain versions up to and including 0.3.1 contain a regular expression denial-of-service ReDoS vulnerability in the MRKLOutputParser.parse method libs/langchain/langchain/agents/mrkl/outputparser.py. The parser applies a backtracking-prone regular expression when extracting tool actions from...

8.7CVSS6AI score0.0041EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2026/01/05 6:15 p.m.•12 views

PYSEC-2026-116

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation...

9.1CVSS5.8AI score0.00204EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2025/12/31 2:15 a.m.•12 views

PYSEC-2025-90

cbor2 provides encoding and decoding for the Concise Binary Object Representation CBOR serialization format. Starting in version 3.0.0 and prior to version 5.8.0, whhen a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag 28 persist in memory an...

7.5CVSS7.1AI score0.00423EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/12/16 1:15 a.m.•12 views

PYSEC-2025-233

Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue...

4.3CVSS5.8AI score0.00235EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/12/16 12:16 a.m.•12 views

PYSEC-2025-231

Weblate is a web based localization tool. The Create Component functionality in Weblate allows authorized users to add new translation components by specifying both a version control system and a source code repository URL to pull from. However, prior to version 5.15, the repository URL field is...

5CVSS5.9AI score0.00182EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2025/12/14 11:15 p.m.•12 views

PYSEC-2025-134

A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is...

6.1CVSS4.2AI score0.00392EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2025/12/08 7:15 p.m.•12 views

PYSEC-2025-89

NUT-14 allows cashu tokens to be created with a preimage hash. However, nutshell cashubtc/nuts before 0.18.0 do not validate the size of preimage when the token is spent. The preimage is stored by the mint and attacker can exploit this vulnerability to fill the mint's db nd disk with arbitrary da...

9.1CVSS5.9AI score0.00364EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2025/10/20 8:15 p.m.•12 views

PYSEC-2025-187

Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email containing a malicious link, allowing the attacker to set the email if clicked by the victim. This issue has been...

7.1CVSS5.7AI score0.00231EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/10/15 8:15 a.m.•12 views

PYSEC-2025-184

This issue affects Apache Spark versions before 3.4.4,3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.When spark.network.crypto.enabled is set to true it is set to false by default, but...

6.5CVSS7.2AI score0.00223EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2025/09/26 8:15 a.m.•12 views

PYSEC-2025-85

Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values.In Airflow 3.0.3, this model was unintentional...

6.5CVSS8AI score0.00903EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2025/09/19 9:15 a.m.•12 views

PYSEC-2025-76

The Keras Model.loadmodelmethod can be exploited to achieve arbitrary code execution, even with safemode=True.One can create a specially crafted .kerasmodel archive that, when loaded via Model.loadmodel, will trigger arbitrary code to be executed. This is achieved by crafting a special config.jso...

8.6CVSS7.5AI score0.00186EPSS
Exploits0References2
PyPA
PyPA
•added 2025/09/17 12:15 p.m.•12 views

PYSEC-2025-153

A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via...

9.3CVSS7.5AI score0.00761EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2025/09/17 11:15 a.m.•12 views

PYSEC-2025-152

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check CRC, which causes the...

9.8CVSS7.5AI score0.01428EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2025/07/07 1:15 p.m.•12 views

PYSEC-2025-65

A path traversal vulnerability exists in run-llama/llamaindex versions 0.12.27 through 0.12.40, specifically within the encodeimage function in genericutils.py. This vulnerability allows an attacker to manipulate the imagepath input to read arbitrary files on the server, including sensitive syste...

7.5CVSS6.8AI score0.00545EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/06/19 6:15 p.m.•12 views

PYSEC-2025-186

A vulnerability has been found in wasm3 0.5.0 and classified as problematic. This vulnerability affects the function MarkSlotAllocated of the file source/m3compile.c. The manipulation leads to out-of-bounds write. An attack has to be approached locally. The exploit has been disclosed to the publi...

4.8CVSS4.7AI score0.00184EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2025/06/13 2:15 p.m.•12 views

PYSEC-2025-150

Weak password requirements in OpenC3 COSMOS v6.0.0 allow attackers to bypass authentication via a brute force attack...

9.8CVSS5.8AI score0.00542EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/06/13 2:15 p.m.•12 views

PYSEC-2025-149

A remote code execution RCE vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading a crafted .txt file...

9.8CVSS6.7AI score0.00914EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/06/10 4:15 p.m.•12 views

PYSEC-2025-74

Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot, a...

7.1CVSS5.8AI score0.00303EPSS
Exploits0References5
PyPA
PyPA
•added 2025/05/30 7:15 p.m.•12 views

PYSEC-2025-55

vLLM is an inference and serving engine for large language models LLMs. Version 0.8.0 up to but excluding 0.9.0 have a Denial of Service ReDoS that causes the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to...

6.5CVSS7AI score0.00453EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2025/04/02 1:15 p.m.•12 views

PYSEC-2025-14

An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.views.LoginView, django.contrib.auth.views.LogoutView, and django.views.i18n.setlanguage are subject to a potential denial-of-service attack v...

7.5CVSS7AI score0.00997EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•12 views

PYSEC-2025-95

A stored cross-site scripting XSS vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, affecting version git 20b2e02. The vulnerability arises from improper sanitization of HTML tags in chat history uploads. Specifically, the sanitization logic fails to handle HTML tags within code...

6.8CVSS6.8AI score0.00505EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•12 views

PYSEC-2025-11

A vulnerability in the KnowledgeBaseWebReader class of the run-llama/llamaindex repository, version latest, allows an attacker to cause a Denial of Service DoS by controlling a URL variable to contain the root URL. This leads to infinite recursive calls to the getarticleurls method, exhausting...

5.9CVSS7AI score0.0064EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2025/03/10 1:15 p.m.•12 views

PYSEC-2025-190

A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function nnqSigmoid of the component Quantized Sigmoid Module. The manipulation of the argument scale/zeropoint leads to improper initialization. The attack needs to be approached...

2.5CVSS4.1AI score0.00235EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2025/03/06 7:15 p.m.•12 views

PYSEC-2025-13

An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings...

7.5CVSS7AI score0.00748EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2025/03/03 5:15 p.m.•12 views

PYSEC-2025-25

Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allowcredentia...

8.7CVSS6.7AI score0.00179EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2025/01/24 7:56 p.m.•12 views

uniapi version 1.0.7 contained an information harvesting script.

uniapi version 1.0.7 introduces code that would executeon import of the module and download a script from a remote URL,and would then execute the downloaded script in a thread.The downloaded script would harvest system informationand POST the information to another remote URL.This code was found ...

7AI score
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/01/23 1:15 a.m.•12 views

PYSEC-2025-128

lunasvg v3.0.0 was discovered to contain a segmentation violation via the component blendtransformedtiledargb.isra.0...

6.5CVSS5.7AI score0.00386EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/01/23 1:15 a.m.•12 views

PYSEC-2025-129

lunasvg v3.0.0 was discovered to contain a segmentation violation via the component plutovgblend...

6.5CVSS5.7AI score0.00334EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/11/28 5:15 p.m.•12 views

PYSEC-2024-161

Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources for example, user-supplied input files. This...

9.8CVSS7.7AI score0.02322EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/10/25 11:15 p.m.•12 views

PYSEC-2024-302

pyLoad is a free and open-source Download Manager. The folder /.pyload/scripts has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be...

9.1CVSS6.7AI score0.00679EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2024/09/26 4:15 p.m.•12 views

PYSEC-2024-291

Assimp v5.4.3 is vulnerable to Buffer Overflow via the MD5Importer::LoadMD5MeshFile function...

4.3CVSS5.8AI score0.00468EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2024/09/25 3:15 p.m.•12 views

PYSEC-2024-290

OpenSlides 4.0.15 verifies passwords by comparing password hashes using a function with content-dependent runtime. This can allow attackers to obtain information about the password hash using a timing attack...

7.5CVSS5.8AI score0.00359EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/08/21 4:15 p.m.•12 views

PYSEC-2024-181

Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting attack when clicking on a provider documentation link. This would require the provider to be installed on the web server and theuser to click the provid...

6.1CVSS6.5AI score0.01804EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/05/01 3:15 a.m.•12 views

PYSEC-2024-281

lunasvg v2.3.9 was discovered to contain a stack-buffer-underflow at lunasvg/source/layoutcontext.cpp...

7.5CVSS5.8AI score0.00744EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2024/01/09 9:15 a.m.•12 views

PYSEC-2024-2

In Appwrite CLI before 3.0.0, when using the login command, the credentials of the Appwrite user are stored in a /.appwrite/prefs.json file with 0644 as UNIX permissions. Any user of the local system can access those credentials...

5.5CVSS6.6AI score0.00293EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2023/09/29 9:14 p.m.•12 views

PYSEC-2023-184

opencv-python-headless versions before v4.8.1.78 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. opencv-python-headless v4.8.1.78 upgrades the bundled libwebp binary to v1.3.2...

8.8CVSS8.1AI score0.99735EPSS
Exploits9References3Affected Software1
PyPA
PyPA
•added 2023/08/22 7:15 p.m.•12 views

PYSEC-2023-150

Buffer Overflow vulnerability in tEXtToDataBuf function in pngimage.cpp in Exiv2 0.27.1 allows remote attackers to cause a denial of service and other unspecified impacts via use of crafted file...

7.8CVSS7AI score0.00697EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2022/10/28 9:15 p.m.•12 views

PYSEC-2022-43187

wasm-interp v1.0.29 was discovered to contain a heap overflow via the component std::vector::size at /bits/stlvector.h...

7.8CVSS7.1AI score0.0032EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2022/02/04 11:15 p.m.•12 views

PYSEC-2022-79

Tensorflow is an Open Source Machine Learning Framework. When decoding a tensor from protobuf, TensorFlow might do a null-dereference if attributes of some mutable arguments to some operations are missing from the proto. This is guarded by a DCHECK. However, DCHECK is a no-op in production builds...

6.5CVSS6.9AI score0.00992EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2022/02/03 12:15 p.m.•12 views

PYSEC-2022-111

Tensorflow is an Open Source Machine Learning Framework. The implementation of ThreadPoolHandle can be used to trigger a denial of service attack by allocating too much memory. This is because the numthreads argument is only checked to not be negative, but there is no upper bound on its value. Th...

6.5CVSS6.8AI score0.00765EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2021/10/18 3:15 p.m.•12 views

PYSEC-2021-849

The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python in pybluemonday, does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements...

9.8CVSS7AI score0.01514EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2021/08/31 5:15 p.m.•12 views

PYSEC-2021-425

Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership list of members, with their display names of a room if they know the ID of the room. The vulnerability is limited to rooms with shared history...

3.5CVSS6.8AI score0.01457EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2021/05/14 8:15 p.m.•12 views

PYSEC-2021-202

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a null pointer dereference in the implementation of tf.rawops.SparseFillEmptyRows. This is because of missing...

5.5CVSS6.9AI score0.00189EPSS
Exploits1References2Affected Software1
Total number of security vulnerabilities5000