5613 matches found
Boltz contains an insecure deserialization vulnerability in its molecule loading functionality
Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achie...
SageMaker Python SDK has Exposed HMAC
SummarySageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where the HMAC secret key is stored in environment variables and disclosed via the DescribeTrainingJob API has been identified. Impact- Function and Payload...
Wagtail has improper permission handling on admin preview endpoints
ImpactDue to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data ...
picklescan missing detection by simple obfuscation of a `builtins.eval` call
SummaryAn unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the host loading a pickle payload from an untrusted source. DetailsIt's possible to hide the eval call nested under another callable via getattr. PoCpythonimport builtinsclass EvilClass:...
SageMaker Python SDK has Insecure TLS Configuration
SummarySageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where SSL certificate verification was globally disabled in the Triton Python backend has been found. ImpactArbitrary Code Execution: Disabling SSL verification...
Khoj has an IDOR in Notion OAuth Flow that Enables Index Poisoning
SummaryAn IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion...
pip Path Traversal vulnerability
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations...
Malicious code in tiktoken-mcp (PyPI)
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of tiktoken-mcp were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...
Malicious code in ray-mcp-server (PyPI)
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of ray-mcp-server were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...
Malicious code in orchestr8-platform (PyPI)
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of orchestr8-platform were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials...
Malicious code in openai-mcp (PyPI)
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of openai-mcp were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...
Malicious code in mem8 (PyPI)
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of mem8 were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials and...
Malicious code in langchain-core-mcp (PyPI)
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,malicious phantom releases of langchain-core-mcp were published to PyPI using stolencredentials. The package executes a bundled JavaScript payload via the Bunruntime on import that harvests and exfiltrates credentials...
Unfurl's unbounded zlib decompression allows decompression bomb DoS
SummaryThe compressed data parser uses zlib.decompress without a maximum output size. A small, highly compressed payload can expand to a very large output, causing memory exhaustion and denial of service. Details- unfurl/parsers/parsecompressed.py calls zlib.decompressdecoded with no size limit.-...
Salt Authentication Protocol Version Downgrade Allows Minion Impersonation
Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues...
Lollms has an Improper Access Control vulnerability
A vulnerability in the lollmsgenerationevents.py component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The addevents function registers event handlers such as generatetext, cancelgeneration, generatemsg, and generatemsgfrom without implementing...
Hugging Face Text Generation Inference vulnerable to Uncontrolled Resource Consumption
A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET...
Llama Stack exposes secret in initialization log
Llama Stack aka llama-stack before 0.4.0rc3 does not censor the pgvector password in the initialization log...
llama-index-core vulnerable to Uncontrolled Resource Consumption
The SimpleDirectoryReader component in llamaindex.core version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit numfileslimit is applied after all files in a directory are loaded into memory. Thi...
Salt junos Module Vulnerable to Code Injection via Specially Crafted YAML Payload
Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process...
mlflow Creates of Temporary File in Directory with Insecure Permissions
In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions 0o777. This vulnerability allows an attacker with write access to the /tmp directory to exploit a race condition and overwrite .py files in the virtual...
protobuf affected by a JSON recursion depth bypass
A denial-of-service DoS vulnerability exists in google.protobuf.jsonformat.ParseDict in Python, where the maxrecursiondepth limit can be bypassed when parsing nested google.protobuf.Any messages.Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supp...
BentoML has a Path Traversal via Bentofile Configuration
SummaryBentoML's bentofile.yaml configuration allows path traversal attacks through multiple file path fields description, docker.setupscript, docker.dockerfiletemplate, conda.environmentyml. An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files fro...
GI-DocGen vulnerable to Reflected XSS via unescaped query strings
A flaw was found in GI-DocGen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter reflected DOM XSS...
AutoGPT is Vulnerable to RCE via Disabled Block Execution
SummaryAutoGPT Platform's block execution endpoints both main web API and external API allow executing blocks by UUID without checking the disabled flag. Any authenticated user can execute the disabled BlockInstallationBlock, which writes arbitrary Python code to the server filesystem and execute...
askbot inexhaustive permissions check allows any user to modify a different user's profile picture
All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users. This issue affects askbot: 0.12.2...
Gakido vulnerable to HTTP Header Injection (CRLF Injection)
A vulnerability was discovered in Gakido that allowed HTTP Header Injection through CRLF Carriage Return Line Feed sequences in user-supplied header values and names.When making HTTP requests with user-controlled header values containing \r\n CRLF, \n LF, or \x00 null byte characters, an attacker...
Langflow affected by Remote Code Execution via validate_code() exec()
Langflow execglobals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability.The specific...
Sentencepiece has a a heap overflow issue
Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure...
sigstore CSRF possibility in OIDC authentication during signing
SummaryThe sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. DetailsOAuthSession creates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value. Fix shou...
MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field
SummaryA Stored Cross-site Scripting XSS vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The android:host attribute from elements is rendered in HTML reports without...
PyTorch Vulnerable to Remote Code Execution via Untrusted Checkpoint Files
SummaryA vulnerability in PyTorch's weightsonly unpickler allows an attacker to craft a malicious checkpoint file .pth that, when loaded with torch.load..., weightsonly=True, can corrupt memory and potentially lead to arbitrary code execution. Vulnerability DetailsThe weightsonly=True unpickler...
Python-Multipart has Arbitrary File Write via Non-Default Configuration
SummaryA Path Traversal vulnerability exists when using non-default configuration options UPLOADDIR and UPLOADKEEPFILENAME=True. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. DetailsWhen UPLOADDIR is set and UPLOADKEEPFILENAME is...
pypdf has possible Infinite Loop when processing outlines/bookmarks
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. PatchesThis has been fixed in pypdf 6.6.2. WorkaroundsIf projects cannot upgrade yet, consider applying the changes from PR 3610...
vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector
SummaryA Server-Side Request Forgery SSRF vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The loadfromurl and loadfromurlasync methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting...
OctoPrint has Timing Side-Channel Vulnerability in API Key Authentication
ImpactOctoPrint versions up to and including 1.11.5 are affected by a theoretical timing attack vulnerability that allows API key extraction over the network.Due to using character based comparison that short-circuits on the first mismatched character during API key validation, rather than a...
docling-core vulnerable to Remote Code Execution via unsafe PyYAML usage
ImpactA PyYAML-related Remote Code Execution RCE vulnerability, namely CVE-2020-14343, is exposed in docling-core =2.21.0, 2.48.4 and, specifically only if the application uses pyyaml 5.4 and invokes doclingcore.types.doc.DoclingDocument.loadfromyaml passing it untrusted YAML data. PatchesThe...
Copier safe template has arbitrary filesystem read access via symlinks when _preserve_symlinks: false
ImpactCopier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently include arbitrary files/directories outside...
Swing Music has a Directory Traversal & Filesystem can be accessed by a non-admin user
SummarySwing Music's listfolders function in the /folder/dir-browser endpoint is vulnerable to directory traversal attacks. Any authenticated user including non-admin can browse arbitrary directories on the server filesystem. DetailsThe @api.post"/dir-browser" endpoint lacks proper path validatio...
WeasyPrint has a Server-Side Request Forgery (SSRF) Protection Bypass via HTTP Redirect
SummaryA Server-Side Request Forgery SSRF Protection Bypass exists in WeasyPrint's defaulturlfetcher. The vulnerability allows attackers to access internal network resources such as localhost services or cloud metadata endpoints even when a developer has implemented a custom urlfetcher to block...
ChatterBot Vulnerable to Denial of Service via Database Connection Pool Exhaustion
SummaryChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the getresponse method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service...
Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack
Summary - Vulnerability Type: Path Traversal CWE-22 leading to Arbitrary File Permission Modification. - Root Cause Component: wheel.cli.unpack.unpack function. - Affected Packages: 1. wheel Upstream source 2. setuptools Downstream, vendors wheel - Severity: High Allows modifying system file...
Copier safe template has arbitrary filesystem write access via directory symlinks when _preserve_symlinks: true
ImpactCopier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently write to arbitrary directories outside the...
pyasn1 has a DoS vulnerability in decoder
SummaryAfter reviewing pyasn1 v0.6.1 a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. DetailsThe integer issue can be found in the decoder as reloid += subId 7 + nextSubId,:...
FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection
ImpactTiming side-channel vulnerability in verifykey. The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a...
Chainlit contain a server-side request forgery (SSRF) vulnerability
Chainlit versions prior to 2.9.4 contain a server-side request forgery SSRF vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy...
pytest has vulnerable tmpdir handling
pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-user name pattern, which allows local users to cause a denial of service or possibly gain privileges...
Moonraker affected by LDAP search filter injection
ImpactInstances of Moonraker configured with the ldap component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LD...
Tendenci Affected by Authenticated Remote Code Execution via Pickle Deserialization
A critical deserialization vulnerability exists in Tendenci Helpdesk module NOTE, by default, Helpdesk is NOT enabled, affecting the version 15.3.11 and earlier. This vulnerability allows remote code execution RCE by an authenticated user with staff security level due to using Python's pickle...
vLLM affected by RCE via auto_map dynamic module loading during model initialization
SummaryvLLM loads Hugging Face automap dynamic modules during model resolution without gating on trustremotecode, allowing attacker-controlled Python code in a model repo/path to execute at server startup.--- ImpactAn attacker who can influence the model repo/path local directory or remote Huggin...