Lucene search
K
PypaMost viewed

5612 matches found

PyPA
PyPA
added 2026/06/29 11:50 a.m.3 views

OpenStack os-vif Ageing time of 0 disables linuxbridge MAC learning

In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instance...

9.1CVSS7.2AI score0.02591EPSS
Exploits0References11Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.3 views

OpenStack Object Storage (swift) Code Injection vulnerability

OpenStack Object Storage swift before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object...

9.8CVSS7.6AI score0.06518EPSS
Exploits0References19Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.3 views

OpenStack Murano Code Execution

OpenStack Murano before 1.0.3 liberty and 2.x before 2.0.1 mitaka, Murano-dashboard before 1.0.3 liberty and 2.x before 2.0.1 mitaka, and python-muranoclient before 0.7.3 liberty and 0.8.x before 0.8.5 mitaka improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files,...

9.8CVSS7.6AI score0.03166EPSS
Exploits0References11Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.3 views

Radicale is vulnerable to directory traversal on Windows Filesystem Storage Backend component

The filesystem storage backend in Radicale before 1.1 on Windows allows remote attackers to read or write to arbitrary files via a crafted path, as demonstrated by /c:/file/ignore...

10CVSS7.4AI score0.02592EPSS
Exploits0References11Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.3 views

web2py remote code execution via hardcoded encryption key in session.connect function

The sample web application in web2py before 2.14.2 might allow remote attackers to execute arbitrary code via vectors involving use of a hardcoded encryption key when calling the session.connect function...

9.8CVSS7.2AI score0.0499EPSS
Exploits2References9Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.3 views

ReviewBoard and Djblets library are vulnerable to code execution

An eval vulnerability exists in Python Software Foundation Djblets version before 0.6.30 and 0.7.0 before 0.7.19 and Beanbag Review Board before 1.7.15 when parsing JSON requests allowing an attacker to execute arbitrary Python code...

9.8CVSS7.4AI score0.0304EPSS
Exploits0References17Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.3 views

OpenStack Octavia Amphora-Agent not requiring Client-Certificate

Amphora Images in OpenStack Octavia =0.10.0 =3.0.0 =4.0.0 4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the...

9.1CVSS6.7AI score0.02296EPSS
Exploits0References18Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.3 views

SQL injection in calibreweb

Calibre-Web before 0.6.18 allows user table SQL Injection...

9.8CVSS7.2AI score0.01094EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.3 views

Cobbler has Exposed Dangerous Method or Function

It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon...

9.8CVSS7.2AI score0.6786EPSS
Exploits0References16Affected Software1
PyPA
PyPA
added 2026/06/29 11:50 a.m.3 views

Command injection in libvcs and vcspull

The package libvcs before 0.11.1 are vulnerable to Command Injection via argument injection. When calling the updaterepo function when using hg, the url parameter is passed to the hg clone command. By injecting some hg options it was possible to get arbitrary command execution...

9.8CVSS7.3AI score0.03652EPSS
Exploits0References10Affected Software1
PyPA
PyPA
added 2026/06/23 7:17 p.m.3 views

PYSEC-2026-588

Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.9, the Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy pointing at an internal IP and route the browser through...

8.6CVSS6AI score0.00289EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2026/06/23 7:17 p.m.3 views

PYSEC-2026-587

Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.8, the Docker API server's SSRF protection validatewebhookurl / validateurldestination in deploy/docker/utils.py used an explicit IPv4/IPv6 CIDR blocklist that missed several address families. An attacker could reach...

7.5CVSS6AI score0.00267EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2026/06/22 10:16 p.m.3 views

PYSEC-2026-596

Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reac...

9.2CVSS6.1AI score0.00276EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/05/28 7:16 p.m.3 views

PYSEC-2026-601

An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token...

8.8CVSS6AI score0.00328EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2026/05/28 7:16 p.m.3 views

PYSEC-2026-599

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application...

8.8CVSS6AI score0.00303EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2026/05/28 7:16 p.m.3 views

PYSEC-2026-600

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforcecall unconditionally merges the raw JSON request body into the policy enforcement dictionary via policydict.updatejsoninput.copy, overwriting trusted target data that was previously set from...

8.8CVSS6.1AI score0.00329EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2026/05/19 8:16 p.m.3 views

PYSEC-2026-595

In the AWS Secrets Manager and SSM Parameter Store secrets backends of apache-airflow-providers-amazon prior to 9.28.0, the team-scoping logic could resolve a connid containing a / e.g. "myteam/conn" to the same path as another team's team-scoped secret when the caller had no team context. A...

5.3CVSS5.9AI score0.00413EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2026/01/20 12:15 a.m.3 views

PYSEC-2026-598

Chainlit versions prior to 2.9.4 contain an arbitrary file read vulnerability in the /project/element update flow. An authenticated client can send a custom Element with a user-controlled path value, causing the server to copy the referenced file into the attacker’s session. The resulting element...

7.1CVSS6.2AI score0.08843EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2022/11/22 7:15 p.m.3 views

PYSEC-2022-42995

A vulnerability was found in keylime. This security issue happens in some circumstances, due to some improperly handled exceptions, there exists the possibility that a rogue agent could create errors on the verifier that stopped attestation attempts for that host leaving it in an attested state b...

5.1CVSS6.5AI score0.00247EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2022/10/11 10:15 p.m.3 views

PYSEC-2022-43045

The d8s-xml package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-html package. The affected version is 0.1.0...

9.8CVSS7AI score0.01168EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/10/11 10:15 p.m.3 views

PYSEC-2022-43037

The d8s-lists package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-dicts package. The affected version is 0.1.0...

9.8CVSS7AI score0.01168EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/10/11 10:15 p.m.3 views

PYSEC-2022-43038

The d8s-algorithms package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-dicts package. The affected version is 0.1.0...

9.8CVSS7AI score0.0483EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/10/11 10:15 p.m.3 views

PYSEC-2022-43036

The d8s-asns package for Python, as distributed on PyPI, included a potential code-execution backdoor inserted by a third party. The backdoor is the democritus-csv package. The affected version is 0.1.0...

9.8CVSS7AI score0.01168EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2022/07/28 11:15 p.m.3 views

PYSEC-2022-43163

WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted dbs-client package...

9.8CVSS7.8AI score0.01011EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2022/03/01 9:15 p.m.3 views

PYSEC-2022-43051

Fluture-Node is a FP-style HTTP and streaming utils for Node based on Fluture. Using followRedirects or followRedirectsWith with any of the redirection strategies built into fluture-node 4.0.0 or 4.0.1, paired with a request that includes confidential headers such as Authorization or Cookie,...

6.1CVSS7AI score0.00815EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2021/12/23 6:15 p.m.3 views

PYSEC-2021-859

NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service ReDoS attacks. The vulnerability is present in...

7.5CVSS6.9AI score0.02668EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2021/12/17 9:15 p.m.3 views

PYSEC-2021-890

Buffer overflow in ajaxsoundstudio.com Pyo and 1.03 in the Serverjackinit function. which allows attackers to conduct Denial of Service attacks by arbitrary constructing a overlong server name...

7.5CVSS7.3AI score0.01066EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/11/05 9:15 p.m.3 views

PYSEC-2021-416

TensorFlow is an open source platform for machine learning. In affected versions the implementation of SparseFillEmptyRows can be made to trigger a heap OOB access. This occurs whenever the size of indices does not match the size of values. The fix will be included in TensorFlow 2.7.0. We will al...

7.1CVSS6.9AI score0.00201EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/10/26 11:15 a.m.3 views

PYSEC-2021-872

An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client which defaults to using LocalCluster would mistakenly configure their respective Dask workers to listen on extern...

9.8CVSS7.6AI score0.02876EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2021/08/23 10:15 p.m.3 views

PYSEC-2021-884

A float point exception in the printLong function in tagsint.cpp of Exiv2 0.27.99.0 allows attackers to cause a denial of service DOS via a crafted tif file...

6.5CVSS6.7AI score0.01309EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2021/08/12 10:15 p.m.3 views

PYSEC-2021-594

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of SVDF in TFLite is vulnerable to a null pointer error. The GetVariableInput function can return a null pointer but GetTensorData assumes that the argument is always a valid tensor...

7.8CVSS7AI score0.00173EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2021/08/12 10:15 p.m.3 views

PYSEC-2021-270

TensorFlow is an end-to-end open source platform for machine learning. In affected versions the code for tf.rawops.SaveV2 does not properly validate the inputs and an attacker can trigger a null pointer dereference. The implementation uses ValidateInputs to check that the input arguments are vali...

7.8CVSS7.2AI score0.00186EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2021/08/12 10:15 p.m.3 views

PYSEC-2021-310

TensorFlow is an end-to-end open source platform for machine learning. In affected versions an attacker can craft a TFLite model that would trigger a null pointer dereference, which would result in a crash and denial of service. The implementation unconditionally dereferences a pointer. We have...

7.8CVSS6.9AI score0.00165EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2021/07/30 10:15 p.m.3 views

PYSEC-2021-335

The module AccessControl defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of Script Python objects. The policies defined in AccessControl severely restrict access to...

7.2CVSS8AI score0.02032EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.3 views

PYSEC-2021-543

TensorFlow is an end-to-end open source platform for machine learning. The implementation of ParseAttrValuehttps://github.com/tensorflow/tensorflow/blob/c22d88d6ff33031aa113e48aa3fc9aa74ed79595/tensorflow/core/framework/attrvalueutil.ccL397-L453 can be tricked into stack overflow due to recursion...

5.5CVSS7.2AI score0.00204EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.3 views

PYSEC-2021-502

TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.rawops.MaxPool3DGradGrad exhibits undefined behavior by dereferencing null pointers backing attacker-supplied empty tensors. The...

7.8CVSS6.9AI score0.00201EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.3 views

PYSEC-2021-205

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger undefined behavior by binding to null pointer in tf.rawops.ParameterizedTruncatedNormal. This is because the...

7.8CVSS7AI score0.00197EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.3 views

PYSEC-2021-519

TensorFlow is an end-to-end open source platform for machine learning. TFlite graphs must not have loops between nodes. However, this condition was not checked and an attacker could craft models that would result in infinite loop during evaluation. In certain cases, the infinite loop would be...

7.8CVSS7AI score0.00262EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.3 views

PYSEC-2021-154

TensorFlow is an end-to-end open source platform for machine learning. A malicious user could trigger a division by 0 in Conv3D implementation. The implementationhttps://github.com/tensorflow/tensorflow/blob/42033603003965bffac51ae171b51801565e002d/tensorflow/core/kernels/convops3d.ccL143-L145 do...

5.5CVSS6.9AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.3 views

PYSEC-2021-717

TensorFlow is an end-to-end open source platform for machine learning. TFlite graphs must not have loops between nodes. However, this condition was not checked and an attacker could craft models that would result in infinite loop during evaluation. In certain cases, the infinite loop would be...

7.8CVSS7AI score0.00262EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.3 views

PYSEC-2021-695

TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.rawops.MaxPoolGradWithArgmax can cause reads outside of bounds of heap allocated data if attacker supplies specially crafted inputs. The...

7.1CVSS7AI score0.00198EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.3 views

PYSEC-2021-442

TensorFlow is an end-to-end open source platform for machine learning. If the splits argument of RaggedBincount does not specify a valid SparseTensorhttps://www.tensorflow.org/apidocs/python/tf/sparse/SparseTensor, then an attacker can trigger a heap buffer overflow. This will cause a read from...

7.8CVSS7.3AI score0.00211EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.3 views

PYSEC-2021-501

TensorFlow is an end-to-end open source platform for machine learning. The implementation of tf.rawops.MaxPoolGradWithArgmax is vulnerable to a division by 0. The...

5.5CVSS6.9AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.3 views

PYSEC-2021-164

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a division by 0 in tf.rawops.QuantizedConv2D. This is because the...

5.5CVSS7AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.3 views

PYSEC-2021-193

TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service via a FPE runtime error in tf.rawops.Reverse. This is because the...

5.5CVSS6.8AI score0.00189EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/05/14 8:15 p.m.3 views

PYSEC-2021-737

TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in SparseReshape results in a denial of service based on a CHECK-failure. The...

5.5CVSS6.9AI score0.00202EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2021/04/15 9:15 p.m.3 views

PYSEC-2021-21

Sydent is a reference Matrix identity server. Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Sydent also does not limit response size for requests it...

7.5CVSS6.8AI score0.01833EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added 2021/03/26 8:15 p.m.3 views

PYSEC-2021-133

Synapse is a Matrix reference homeserver written in python pypi package matrix-synapse. Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synapse was vulnerable to cross-site scripting XSS attacks. The...

8.2CVSS6.1AI score0.01221EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2020/09/17 1:15 p.m.3 views

PYSEC-2020-222

While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary access to Python’s os package in the web application process in versions 0.37.1. It was thus...

8.8CVSS7.1AI score0.03076EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added yesterday2 views

Boltz contains an insecure deserialization vulnerability in its molecule loading functionality

Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achie...

8.4CVSS6.6AI score0.00143EPSS
Exploits0References6Affected Software1
Total number of security vulnerabilities5000