Lucene search
K
PypaMost viewed

5612 matches found

PyPA
PyPA
•added 6 days ago•3 views

Out-of-bounds Read and Out-of-bounds Write in OpenCV

An issue was discovered in OpenCV before 3.4.7 and 4.x before 4.1.1 OpenCV-Python before 3.4.7.28 and 4.x before 4.1.1.26. There is an out of bounds read/write in the function HaarEvaluator::OptFeature::calc in modules/objdetect/src/cascadedetect.hpp, which leads to denial of service...

7.5CVSS6.7AI score0.0276EPSS
Exploits1References8Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Out-of-bounds Write in OpenCV

OpenCV Open Source Computer Vision Library through 3.3 corresponding to OpenCV-Python and OpenCV-Contrib-Python 3.3.0.9 has an out-of-bounds write error in the FillColorRow8 function in utils.cpp when reading an image file by using cv::imread...

8.8CVSS6.8AI score0.0197EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Denial of Service in OpenCV

OpenCV Open Source Computer Vision Library through 3.3 corresponding to OpenCV-Python 3.3.0.9 has a denial of service memory consumption issue, as demonstrated by the 10-opencv-dos-memory-exhaust test case...

7.8CVSS7.1AI score0.02969EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Out-of-bounds Write in OpenCV

OpenCV Open Source Computer Vision Library through 3.3 corresponding to OpenCV-Python and OpenCV-Contrib-Python 3.3.0.9 has an invalid write in the cv::RLByteStream::getBytes function in modules/imgcodecs/src/bitstrm.cpp when reading an image file by using cv::imread, as demonstrated by the...

8.8CVSS6.8AI score0.0197EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Improper Restriction of Operations within the Bounds of a Memory Buffer in OpenCV

OpenCV Open Source Computer Vision Library through 3.3 corresponding to OpenCV-Python 3.3.0.9 has a buffer overflow in the cv::BmpDecoder::readData function in modules/imgcodecs/src/grfmtbmp.cpp when reading an image file by using cv::imread, as demonstrated by the 4-buf-overflow-readData-memcpy...

8.8CVSS7.1AI score0.02071EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Improper Restriction of Operations within the Bounds of a Memory Buffer in OpenCV

In modules/imgcodecs/src/grfmtpxm.cpp, the length of buffer AutoBuffer src is small than expected, which will cause copy buffer overflow later. If the image is from remote, may lead to remote code execution or denial of service. This affects OpenCV 3.3 corresponding to OpenCV-Python 3.3.0.9 and...

8.8CVSS7.5AI score0.03066EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Out-of-bounds Write in OpenCV

OpenCV Open Source Computer Vision Library through 3.3 corresponding to OpenCV-Python and OpenCV-Contrib-Python 3.3.0.9 has an out-of-bounds write error in the FillUniColor function in utils.cpp when reading an image file by using cv::imread...

8.8CVSS6.8AI score0.0197EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Denial of Service in OpenCV

OpenCV Open Source Computer Vision Library through 3.3 corresponding to OpenCV-Python 3.3.0.9 has a denial of service CPU consumption issue, as demonstrated by the 11-opencv-dos-cpu-exhaust test case...

7.8CVSS7.1AI score0.02222EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Out-of-bounds Write in OpenCV

OpenCV Open Source Computer Vision Library through 3.3 corresponding to OpenCV-Python and OpenCV-Contrib-Python 3.3.0.9 has an out-of-bounds write error in the function FillColorRow4 in utils.cpp when reading an image file by using cv::imread...

8.8CVSS6.8AI score0.0197EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Cross-site scripting in Contentful

Contentful through 2020-05-21 for Python allows reflected XSS, as demonstrated by the api parameter to the-example-app.py...

6.1CVSS6.4AI score0.0249EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

JupyterLab: XSS due to lack of sanitization of the action attribute of an html <form>

ImpactUntrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook. PatchesPatched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21. ReferencesOWASP Page on Restricting Form Submissions For more informationIf you have any...

9.6CVSS7.6AI score0.02638EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Improper Input Validation in OpenCV

OpenCV 3.0.0 allows remote attackers to cause a denial of service segfault via vectors involving corrupt chunks. This issue was fixed in OpenCV version 3.3.1 corresponding to OpenCV 3.3.1.11...

5.5CVSS6.5AI score0.01031EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Out-of-bounds Read in OpenCV

OpenCV Open Source Computer Vision Library through 3.3 corresponding to OpenCV-Python 3.3.0.9 has an out-of-bounds read error in the cv::RBaseStream::readBlock function in modules/imgcodecs/src/bitstrm.cpp when reading an image file by using cv::imread, as demonstrated by the...

8.8CVSS6.7AI score0.0197EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Out-of-bounds Write in OpenCV

OpenCV Open Source Computer Vision Library through 3.3 corresponding to opencv-python and opencv-contrib-python through 3.3.0.9 has an out-of-bounds write error in the function FillColorRow1 in utils.cpp when reading an image file by using cv::imread...

8.8CVSS6.8AI score0.0197EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Improper Restriction of XML External Entity Reference in Plone

Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata therefore, only available to the Manager role...

8.8CVSS7.2AI score0.01066EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Temporary urls leaked via logging

In OpenStack Swift prior to 2.15.2, the proxy-server logs full tempurl paths, potentially leaking reusable tempurl signatures to anyone with read access to these logs. All Swift deployments using the tempurl middleware are affected...

4.3CVSS5.9AI score0.00789EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Double Free in OpenCV

OpenCV 3.0.0 has a double free issue that allows attackers to execute arbitrary code. This issue was fixed in OpenCV version 3.3.1 corresponding to OpenCV-Python and and OpenCV-Contrib-Python 3.3.1.11...

8.8CVSS7AI score0.02337EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Missing Authentication for Critical Function in Saleor

An issue was discovered in Mirumee Saleor 2.x before 2.9.1. Incorrect access control in the checkoutCustomerAttach mutations allows attackers to attach their checkouts to any user ID and consequently leak user data e.g., name, address, and previous orders of any other customer...

5.3CVSS6.2AI score0.01083EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Out-of-bounds Read in OpenCV

OpenCV Open Source Computer Vision Library through 3.3 corresponding to OpenCV-Python 3.3.0.9 has an out-of-bounds read error in the function icvCvtBGRA2BGR8uC4C3R when reading an image file by using cv::imread...

8.8CVSS6.7AI score0.0197EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Apache Airflow vulnerable to XSS and local file disclosure

A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process...

4.8CVSS6.2AI score0.01345EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

XSS in jQuery as used in Drupal, Backdrop CMS, and other products

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extendtrue, , ... because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype...

6.1CVSS6.8AI score0.87218EPSS
Exploits4References112Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Moderate severity vulnerability that affects mailman

An issue was discovered in GNU Mailman before 2.1.28. A crafted URL can cause arbitrary text to be displayed on a web page from a trusted site...

6.5CVSS6.7AI score0.02541EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Open Redirect vulnerability in jupyterhub and notebook

An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.8 and some browsers Chrome, Firefox in JupyterHub before 0.9.6 allows crafted links to the login page, which will redirect to a malicious site after successful login. Servers running on a baseurl prefix are not affecte...

6.1CVSS6.6AI score0.01741EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

High severity vulnerability that affects Plone and Zope2

Unspecified vulnerability in 1 Zope 2.12.x before 2.12.19 and 2.13.x before 2.13.8, as used in Plone 4.x and other products, and 2 PloneHotfix20110720 for Plone 3.x allows attackers to gain privileges via unspecified vectors, related to a "highly serious vulnerability." NOTE: this vulnerability...

7.5CVSS6AI score0.03171EPSS
Exploits0References17Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Improper Restriction of XML External Entity Reference in Plone

Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role...

8.8CVSS7.2AI score0.01066EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

SSRF attacks via tracebacks in Plone

Plone before 5.2.3 allows SSRF attacks via the tracebacks feature only available to the Manager role...

8.8CVSS7.2AI score0.01066EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Memory leak in Nanopb

ImpactDecoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern whe...

7.5CVSS6.7AI score0.0261EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Moderate severity vulnerability that affects Products.PlonePAS

The PlonePAS product 3.x before 3.9 and 3.2.x before 3.2.2, a product for Plone, does not properly handle the login form, which allows remote authenticated users to acquire the identity of an arbitrary user via unspecified vectors...

6CVSS6.1AI score0.00962EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 6 days ago•3 views

Moderate severity vulnerability that affects Zope2

Cross-site scripting XSS vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages...

4.3CVSS6.5AI score0.0195EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added last week•3 views

Malicious code in uprobe (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of uprobe were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added last week•3 views

PYSEC-2026-616

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, reflected cross-site scripting XSS vulnerability exists on the dynamic image URL generator view within the Wagtail admin interface. A user with a limited-permission editor account for...

7.3CVSS5.7AI score0.00203EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added last week•3 views

PYSEC-2026-615

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the "Can submit translation" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed in...

4.3CVSS5.9AI score0.00162EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added last week•3 views

PYSEC-2026-612

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, the Documents and Images chooser's chosen endpoint incorrectly listed items for which the user has not been granted choose permission. A user with access to the Wagtail admin could se...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added last week•3 views

PYSEC-2026-613

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, an authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs resulting in potentially service degradation. The vulnerability is not...

4.3CVSS5.8AI score0.0022EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added last week•3 views

Malicious code in ufish (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of ufish were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added last week•3 views

Malicious code in synago (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of synago were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added last week•3 views

Malicious code in pantheon-toolsets (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of pantheon-toolsets were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added last week•3 views

Malicious code in pantheon-agents (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of pantheon-agents were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials an...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added last week•3 views

Malicious code in okite (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of okite were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added last week•3 views

Malicious code in nucbox (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of nucbox were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added last week•3 views

Malicious code in napari-ufish (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of napari-ufish were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added 2026/06/30 11:17 p.m.•3 views

PYSEC-2026-798

Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /executejs endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary...

9.2CVSS6.3AI score0.00334EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2026/06/30 9:23 p.m.•3 views

Malicious code in mrbios (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of mrbios were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added 2026/06/30 9:6 p.m.•3 views

Malicious code in magique-ai (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of magique-ai were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added 2026/06/30 8:41 p.m.•3 views

Malicious code in magique (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of magique were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added 2026/06/30 8:24 p.m.•3 views

Malicious code in funcdesc (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of funcdesc were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added 2026/06/30 8:12 p.m.•3 views

Malicious code in executor-http (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of executor-http were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added 2026/06/30 8:6 p.m.•3 views

Malicious code in executor-engine (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of executor-engine were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials an...

5.9AI score
Exploits0References3Affected Software1
PyPA
PyPA
•added 2026/06/30 1:16 a.m.•3 views

PYSEC-2026-597

NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue 3504. The UNSAFENOPROTOCOLRE regex in nltk/data.py checks for literal ../ sequences but fails to account for percent-encoded traversal sequences such as ..%2f. The url2pathname function decodes...

7.5CVSS7.2AI score0.0051EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2026/06/29 8:46 p.m.•3 views

Malicious code in coolbox (PyPI)

Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of coolbox were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...

5.9AI score
Exploits0References3Affected Software1
Total number of security vulnerabilities5000