Lucene search
K
PypaMost viewed

3786 matches found

PyPA
PyPA
added 2023/11/10 6:15 p.m.94 views

PYSEC-2023-241

Piccolo is an object-relational mapping and query builder which supports asyncio. Prior to version 1.1.1, the handling of named transaction savepoints in all database implementations is vulnerable to SQL Injection via f-strings. While the likelihood of an end developer exposing a savepoints name...

9.1CVSS8.1AI score0.00776EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2014/05/02 2:55 p.m.74 views

PYSEC-2014-68

Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API...

5.5CVSS6.7AI score0.00951EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2014/05/02 2:55 p.m.74 views

PYSEC-2014-66

Products/CMFPlone/CatalogTool.py in Plone 3.3 through 4.3.2 allows remote administrators to bypass restrictions and obtain sensitive information via an unspecified search API...

5.5CVSS6.7AI score0.00951EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/05/28 4:16 p.m.73 views

PYSEC-2026-192

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and...

8.2CVSS5.9AI score0.00335EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2026/06/01 5:17 p.m.62 views

PYSEC-2026-196

pip would treat consolescripts and guiscripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory...

5.5CVSS5.4AI score0.0032EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/12/17 4:16 p.m.63 views

PYSEC-2025-185

In python-jose 3.3.0 specifically jwe.decrypt, a vulnerability allows an attacker to cause a Denial-of-Service DoS condition by crafting a malicious JSON Web Encryption JWE token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant...

5.3CVSS5.8AI score0.00166EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2024/12/03 5:15 p.m.58 views

PYSEC-2024-287

Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the...

5.3CVSS6.4AI score0.00419EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2014/04/30 11:58 p.m.46 views

PYSEC-2014-98

Cross-site scripting XSS vulnerability in plugins/main/content/js/ajenti.coffee in Eugene Pankov Ajenti 1.2.13 allows remote authenticated users to inject arbitrary web script or HTML via the command field in the Cron functionality...

3.5CVSS6.1AI score0.01487EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2025/12/23 9:15 p.m.45 views

PYSEC-2025-217

Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this...

7.8CVSS7.6AI score0.00315EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2026/05/11 6:16 p.m.44 views

PYSEC-2026-58

The Open edx Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the syncproviderdata endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadatasource. An authenticated user with the Enterprise Admin ro...

8.5CVSS5.9AI score0.00301EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2023/03/26 7:15 p.m.44 views

PYSEC-2023-45

redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time in the case of a pipeline operation, and can send response data to the client of an unrelated request in an off-by-one manner. The fixed versions fo...

6.5CVSS7AI score0.01034EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added 2026/02/17 2:16 p.m.42 views

PYSEC-2026-113

Use After Free vulnerability in Apache Arrow C++.This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It can be triggered when reading an Arrow IPC file but not an IPC stream with pre-buffering enabled, if the IPC file contains data with variadic buffers such as Binary View and String...

7CVSS5.6AI score0.00807EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2020/12/09 5:15 p.m.41 views

PYSEC-2020-52

jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users...

7.9CVSS9.1AI score0.00471EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2026/05/11 4:17 p.m.40 views

PYSEC-2026-150

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This...

5.3CVSS5.8AI score0.00256EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2017/09/14 7:29 p.m.40 views

PYSEC-2017-5

An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability...

7.8CVSS7.8AI score0.02967EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2026/05/11 4:17 p.m.38 views

PYSEC-2026-147

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information. This vulnerability is fixed in 7.0.7...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2024/02/29 11:15 a.m.38 views

PYSEC-2024-245

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI.Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk...

5.9CVSS6.9AI score0.00343EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2026/01/15 2:16 p.m.37 views

PYSEC-2026-73

Allocation of Resources Without Limits or Throttling in the HDF5 weight loading componentin GoogleKeras3.0.0 through 3.13.0on all platformsallows a remote attackerto cause a Denial of Service DoS through memory exhaustion and a crash of the Python interpretervia a crafted .keras archive containin...

7.5CVSS6.8AI score0.00299EPSS
Exploits3References2Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.35 views

PYSEC-2014-59

Multiple open redirect vulnerabilities in 1 marmosetpatch.py, 2 publish.py, and 3 principiaredirect.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors...

5.8CVSS7.1AI score0.0119EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2026/04/09 7:16 p.m.33 views

PYSEC-2026-151

Wasmtime is a runtime for WebAssembly. In 43.0.0, cloning a wasmtime::Linker is unsound and can result in use-after-free bugs. This bug is not controllable by guest Wasm programs. It can only be triggered by a specific sequence of embedder API calls made by the host. Specifically, the following...

5CVSS5.8AI score0.00117EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2014/03/11 7:37 p.m.33 views

PYSEC-2014-61

memberportrait.py in Plone 2.1 through 4.1, 4.2.x through 4.2.5, and 4.3.x through 4.3.1 allows remote authenticated users to modify or delete portraits of other users via unspecified vectors...

5.5CVSS6.9AI score0.01255EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2026/05/11 4:17 p.m.32 views

PYSEC-2026-149

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it...

6.5CVSS5.8AI score0.00201EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2026/05/11 4:17 p.m.32 views

PYSEC-2026-148

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to f...

6.5CVSS5.8AI score0.00174EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2019/07/29 3:15 p.m.32 views

PYSEC-2019-24

invenio-app before 1.1.1 allows host header injection...

6.1CVSS7AI score0.00922EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2025/11/24 6:15 p.m.31 views

PYSEC-2025-77

A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module TPM device but claiming an existing agent's unique identifier UUID. This action overwrites the legitimate agent's identity, enabling the...

8.2CVSS5.7AI score0.0038EPSS
Exploits0References10
PyPA
PyPA
added 2026/05/12 6:17 p.m.28 views

PYSEC-2026-29

changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpathfilter switches to XML mode for XML/RSS content and creates etree.XMLParserstripcdata=False without explicitly disabling external entity resolution, external DTD loading, or network-backed entity...

8.2CVSS5.8AI score0.00266EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2026/06/03 2:16 p.m.26 views

PYSEC-2026-200

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.django.core.mail.backends.smtp.EmailBackend in Django fails to prevent reuse of a partially-initialized connection after a failed STARTTLS handshake when failsilently=True, which allows on-path network attackers to read emai...

3.1CVSS5.4AI score0.0015EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/03/05 6:16 a.m.26 views

PYSEC-2026-56

An open redirect vulnerability exists in django-allauth versions prior to 65.14.1 when SAML IdP initiated SSO is enabled it is disabled by default, which may allow an attacker to redirect users to an arbitrary external website via a crafted URL...

6.1CVSS5.9AI score0.00159EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2019/10/05 11:15 p.m.26 views

PYSEC-2019-116

Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper aka Redis Wrapper before 0.3.0 allows attackers to execute arbitrary scripts...

9.8CVSS7.5AI score0.03158EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2026/05/08 3:16 p.m.25 views

PYSEC-2026-37

An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dashuploader/httprequesthandler.py, dashuploader/upload.py in the Upload function and maxfilesize parameter, dashuploader/configureupload.py components...

7.5CVSS6.2AI score0.02643EPSS
Exploits5References9Affected Software1
PyPA
PyPA
added 2025/03/20 10:15 a.m.25 views

PYSEC-2025-97

An authentication bypass vulnerability exists in gaizhenbiao/ChuanhuChatGPT, as of commit 3856d4f, allowing any user to read and delete other users' chat history. The vulnerability arises because the username is provided via an HTTP request from the client side, rather than being read from a secu...

8.1CVSS7.3AI score0.00581EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2024/10/09 6:15 p.m.25 views

PYSEC-2024-312

Wasmtime is an open source runtime for WebAssembly. Wasmtime's implementation of WebAssembly tail calls combined with stack traces can result in a runtime crash in certain WebAssembly modules. The runtime crash may be undefined behavior if Wasmtime was compiled with Rust 1.80 or prior. The runtim...

5.5CVSS5.8AI score0.00244EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2026/06/01 9:16 a.m.24 views

PYSEC-2026-181

A Dag author could either a create a symlink under their task's log directory pointing to an arbitrary file readable by the API server process read-path attack — e.g. /etc/passwd or airflow.cfg or b supply a taskid containing .. sequences accepted by the Task SDK's KEYREGEX write-path attack, and...

6.5CVSS5.9AI score0.00665EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/05/25 10:16 a.m.24 views

PYSEC-2026-166

Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...

8.1CVSS5.8AI score0.0059EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/04/24 5:16 p.m.24 views

PYSEC-2026-87

lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration with resolveentities=True allows untrusted XML input to read local files. Setting the resolveentities option explicitly to resolveentities='internal' ...

7.5CVSS5.8AI score0.00324EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/07/31 2:34 p.m.24 views

After a successful phishing attack, new versions of `num2words` were published containing malware.

The num2words project was compromised via a phishing attackand two new versions were uploaded to PyPI containing malicious code.The affected versions have been removed from PyPI,and users are advised to remove the affected versions from their environments...

7AI score
Exploits0References2Affected Software1
PyPA
PyPA
added 2026/05/11 9:16 a.m.23 views

PYSEC-2026-23

The OpenSearch logging provider, when configured with a host URL that embeds credentials for example https://user:[email protected]:9200, wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend...

6.5CVSS5.8AI score0.0041EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2026/04/18 7:16 a.m.23 views

PYSEC-2026-19

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked.If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to...

3.7CVSS5.8AI score0.00421EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2025/03/20 10:15 a.m.23 views

PYSEC-2025-57

A Denial of Service DoS vulnerability in zenml-io/zenml version 0.66.0 allows unauthenticated attackers to cause excessive resource consumption by sending malformed multipart requests with arbitrary characters appended to the end of multipart boundaries. This flaw in the multipart request boundar...

7.5CVSS7AI score0.00896EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2026/03/31 3:15 a.m.22 views

PYSEC-2026-35

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography...

6.3CVSS5.7AI score0.00154EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2026/03/16 5:16 p.m.22 views

PYSEC-2026-162

Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions = 0.2.14 and 1.3.9 on all platforms may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context.To...

6.8CVSS5.9AI score0.00131EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/04/09 4:15 p.m.22 views

PYSEC-2025-235

XGrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to 0.1.18, Xgrammar includes a cache for compiled grammars to increase performance with repeated use of the same grammar. This cache is held in memory. Since the cache is unbounded, a system maki...

6.5CVSS6.5AI score0.00434EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2024/11/08 10:15 p.m.22 views

PYSEC-2024-306

wasm3 139076a contains a Use-After-Free in ForEachModule...

8.4CVSS5.8AI score0.00221EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2017/08/29 8:29 p.m.22 views

PYSEC-2017-110

Error responses from Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating included stack trace, exposing excessive information...

7.5CVSS7AI score0.02053EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2017/08/18 6:29 p.m.22 views

PYSEC-2017-11

Cross-site request forgery CSRF vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors...

8.8CVSS7AI score0.01036EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2026/05/14 5:16 p.m.21 views

PYSEC-2026-41

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trustremotecode=True safeguard when loading pipelines from Hugging Face Hub repositories. The resolvecustompipelineandcls function in pipelineloadingutils.py...

8.8CVSS6.5AI score0.00562EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2025/06/05 3:15 a.m.21 views

PYSEC-2025-47

An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are...

5.3CVSS7.4AI score0.006EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2021/01/08 12:15 p.m.21 views

PYSEC-2021-72

This affects the package pwntools before 4.3.1. The shellcraft generator for affected versions of this module are vulnerable to Server-Side Template Injection SSTI, which can lead to remote code execution...

9.8CVSS7.9AI score0.04162EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2018/06/13 10:29 p.m.21 views

PYSEC-2018-95

An issue was discovered in Yelp OSXCollector. A maliciously crafted Universal/fat binary can evade third-party code signing checks. By not completing full inspection of the Universal/fat binary, the user of the third-party tool will believe that the code is signed by Apple, but the malicious...

7.8CVSS7.2AI score0.00857EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2026/05/28 5:16 p.m.20 views

PYSEC-2026-191

Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1...

6.8CVSS5.8AI score0.00128EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities3786