PYSEC-2024-127

Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. Label Studio's SSRF protections that can be enabled by setting the SSRFPROTECTIONENABLED environment variable can be bypassed to access...

PYSEC-2024-151

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin rawcall even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics o...

PYSEC-2024-30

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning FL and Multi-Party Computation MPC. Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. This vulnerability is...

PYSEC-2024-33

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning FL and Multi-Party Computation MPC. Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not expose...

PYSEC-2024-34

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning FL and Multi-Party Computation MPC. Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not expose...

PYSEC-2024-31

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning FL and Multi-Party Computation MPC. It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this...

PYSEC-2024-32

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning FL and Multi-Party Computation MPC. There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a tas...

PYSEC-2024-25

DuckDB =0.9.2 and DuckDB extension-template =0.9.2 are vulnerable to malicious extension injection via the custom extension feature...

PYSEC-2024-27

CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component. After configuring password authentication and Local In the case of an address, identity authentication can be bypassed by setting the X-Real IP request header to a specific value and accessing the Admin UI...

PYSEC-2024-24

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'followsymlinks' can be used to determine whether to follow symboli...

PYSEC-2024-26

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against...

PYSEC-2024-21

A vulnerability classified as critical was found in vanderSchaar LAB TemporAI 0.0.3. Affected by this vulnerability is the function loadfromfile of the component PKL File Handler. The manipulation leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the...

PYSEC-2024-14

Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access.This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version...

PYSEC-2024-13

Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enablexcompickling=False" configuration setting resulting in poisoned data after XCom deserialization. This vulnerability is considered low since it...

PYSEC-2024-128

Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Prior to version 1.10.1, this feature could had been abused to download a HTML file that executed malicious...

PYSEC-2024-126

Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting XSS vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary...

PYSEC-2024-19

Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the element method in app/routes.py does not validate the user-controlled srctype and elementurl variables and passes them to the send method which sends a GET request on lines 339-343 in requests.py. The returned...

PYSEC-2024-23

Whoogle Search is a self-hosted metasearch engine. Versions 0.8.3 and prior have a limited file write vulnerability when the configuration options in Whoogle are enabled. The config function in app/routes.py does not validate the user-controlled name variable on line 447 and configdata variable o...

PYSEC-2024-20

Whoogle Search is a self-hosted metasearch engine. In versions prior to 0.8.4, the element method in app/routes.py does not validate the user-controlled srctype and elementurl variables and passes them to the send method which sends a GET request on lines 339-343 in request.py, which leads to a...

PYSEC-2024-18

Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the window endpoint does not sanitize user-supplied input from the location variable and passes it to the send method which sends a GET request on lines 339-343 in request.py, which leads to a server-side request...

PYSEC-2024-22

TuiTse-TsuSin is a package for organizing the comparative corpus of Taiwanese Chinese characters and Roman characters, and extracting sentences of the Taiwanese Chinese characters and the Roman characters. Prior to version 1.3.2, when using tuitsehtml without quoting the input, there is a html...

PYSEC-2024-16

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that suppo...

PYSEC-2024-12

LlamaIndex aka llamaindex through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. For example, an attacker might be able to delete this year's student records via "Dro...

PYSEC-2024-9

MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.runscript passes shell metacharacters to subprocess.Popen...

PYSEC-2024-7

The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument...

PYSEC-2024-8

The JSON loader in Embedchain before 0.1.57 allows a ReDoS regular expression denial of service via a long string to json.py...

PYSEC-2024-15

changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint /api/v1/watch//history can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because unauthorized party...

PYSEC-2024-103

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. The concat built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The root cause is that the buildIR for concat doesn't properly adhere to the API of co...

PYSEC-2024-17

pyLoad is a free and open-source Download Manager written in pure Python. The pyload API allows any API call to be made using GET requests. Since the session cookie is not set to SameSite: strict, this opens the library up to severe attack possibilities via a Cross-Site Request Forgery CSRF attac...

PYSEC-2024-11

Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2.Users are recommended to upgrade to version 1.3.0, which fixes the issue...

PYSEC-2024-10

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable...

PYSEC-2024-6

cdo-local-uuid project provides a specialized UUID-generating function that can, on user request, cause a program to generate deterministic UUIDs. An information leakage vulnerability is present in cdo-local-uuid at version 0.4.0, and in case-utils in unpatched versions matching the pattern 0.x.0...

PYSEC-2024-5

cdo-local-uuid project provides a specialized UUID-generating function that can, on user request, cause a program to generate deterministic UUIDs. An information leakage vulnerability is present in cdo-local-uuid at version 0.4.0, and in case-utils in unpatched versions matching the pattern 0.x.0...

PYSEC-2024-4

GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run git, as well as when it runs bash.exe to interpret hooks. If either of those features are used on...

PYSEC-2024-2

In Appwrite CLI before 3.0.0, when using the login command, the credentials of the Appwrite user are stored in a /.appwrite/prefs.json file with 0644 as UNIX permissions. Any user of the local system can access those credentials...

PYSEC-2024-3

PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack...

gratient 0.5 contains credential harvesting code

gratient is a user-facing library for generating color gradients of text.Version 0.5 contained obfuscated, malicious code targetingWindows platforms, harvesting information and credentials from theuser's system and sending them to a remote server.Services may include Mullvad VPN and Telegram...

PYSEC-2024-129

FPE in paddle.nanmedian in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

PYSEC-2024-144

Nullptr dereference in paddle.cropin PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

PYSEC-2024-141

Heap buffer overflow in paddle.repeatinterleavein PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, information disclosure, or more damage is possible...

PYSEC-2024-134

Nullptr in paddle.nextafterin PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

PYSEC-2024-140

FPE in paddle.aminin PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

PYSEC-2024-142

PaddlePaddle before 2.6.0 has a command injection in getonlinepassinterval. This resulted in the ability to execute arbitrary commands on the operating system...

PYSEC-2024-138

FPE in paddle.lerpin PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

PYSEC-2024-139

Stack overflow in paddle.linalg.luunpackin PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage...

PYSEC-2024-132

FPE in paddle.linalg.eig in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

PYSEC-2024-146

PaddlePaddle before 2.6.0 has a command injection in convertshapecompare. This resulted in the ability to execute arbitrary commands on the operating system...

PYSEC-2024-145

FPE in paddle.argmin and paddle.argmaxin PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

PYSEC-2024-135

Nullptr in paddle.putalongaxisin PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service...

PYSEC-2024-143

PaddlePaddle before 2.6.0 has a command injection in wgetdownload. This resulted in the ability to execute arbitrary commands on the operating system...