Lucene search
K

7035 matches found

PyPA
PyPA
added yesterday4 views

Python Liquid: Infinite loop when parsing malformed `{% case %}` tags

ImpactGiven a malformed % case % tag without associated % when % or % else % block, and no terminating % endcase % tag, Python Liquid hangs in an infinite loop at parse time. This allows malicious template authors to craft templates for a denial of service attack. PatchesThe issue is fixed in...

7.1CVSS6.1AI score0.00451EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

py7zr: Arbitrary File Write Vulnerability

SummaryThere exists an arbitrary file write vulnerability in py7zr 1.1.0, latest, which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using extractall to extract an archive, the library restores these symbolic links, linki...

8CVSS6.3AI score0.00404EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

PGHoard: Password written to debug log

ImpactWhen using .pgpass, database connection information including the username and password will be logged at the debug level. PatchesUpgrade to version 2.7.1 or greater. WorkaroundsFilter out debug-level logs. ReferencesThis issue was discovered by BugCrowd user DRAKOKORIAN...

2.4CVSS6.1AI score
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday2 views

jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories

Summaryjupyterlab-git 0.53.0 latest, 2026-04-30 uses fnmatch.fnmatchcase in GitHandler.prepare jupyterlabgit/handlers.py:91 to enforce the admin-configured excludedpaths security control. Because fnmatchcase is unconditionally case-sensitive, an authenticated user on a case-insensitive filesystem...

7.1CVSS6.2AI score0.00285EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

jupyterlab-git extension: Stored XSS leading to RCE

OverviewAmazon Web Services AWS Security has identified a stored cross-site scripting XSS issue in the jupyterlab-git JupyterLab extension that can lead to remote code execution RCE. The issue exists in thePlainTextDiff.ts component, where the createHeader method passes Git filenames directly to...

9.3CVSS6.6AI score0.00284EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

BBOT: Arbitrary File Write in postman_download Module

The postmandownload module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker...

6.5CVSS6.2AI score0.00251EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID

Development Runner Telephony WebSocket /ws Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID SummaryThe pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without any authentication. An unauthenticated remote attacker who c...

7.5CVSS6.1AI score0.00327EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing

The dockerpull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication reques...

3.1CVSS6.2AI score0.00167EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday5 views

Hermes Agent creates response_store.db and webhook_subscriptions.json with world-readable permissions (mode 0o644)

Hermes Agent before 0.16.0 creates responsestore.db and webhooksubscriptions.json with world-readable permissions mode 0o644, exposing conversation history and HMAC secrets to local users. Attackers with local filesystem access can read these files directly to obtain sensitive data including...

6.8CVSS6.1AI score0.00108EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added yesterday3 views

pdfkit: Path traversal in from_string

In JazzCore python-pdfkit 1.0.0, the fromstring method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files...

8.4CVSS6.2AI score0.00392EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday3 views

Hermes Agent contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation

Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events endpoints, enabling...

8.7CVSS6.2AI score0.006EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added yesterday3 views

BBOT: Symlink-Following Arbitrary Write via github_workflows Module

The githubworkflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location...

2.2CVSS6.1AI score0.00091EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

marimo contains a reflected cross-site scripting vulnerability in the notebook page

marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...

6.1CVSS6.1AI score0.00239EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday4 views

OpenStack Horizon RC file generation does not escape special characters in project names

OpenStack Horizon before 25.7.4 produces scripts for OpenStack RC file downloading that may have a crafted project name with shell metacharacters. NOTE: some parties consider this a security hardening opportunity to address certain types of user error, not a vulnerability...

6CVSS6.1AI score0.0019EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday3 views

BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284

The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools e.g. GNU tar which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extractio...

9.6CVSS6.1AI score0.00658EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday5 views

Open WebUI: Cross-origin postMessage confirmation bypass via action:submit

SummaryThe chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorize...

7.1CVSS6.1AI score0.00162EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday5 views

Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field

summaryPOST /api/chat/completions accepts an imageurl.url value that, when it does NOT start with http://, https://, or data:image/, is interpreted as a file id and resolved against the global file table with no ownership check. An authenticated user can therefore set imageurl.url to another user...

6.5CVSS6AI score0.00225EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI: Stored XSS in Mermaid Markdown Preview

SummaryOpen WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML.Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working payload...

8.7CVSS6.2AI score0.002EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter

SummarySeveral direct, index-addressed Ollama proxy routes accept a caller-supplied urlidxpath parameter and use it as a raw index into the admin-configured OLLAMABASEURLSlist. Access control on these routes validates only whether the user may use therequested model, never which backend the reque...

6.3CVSS6.2AI score0.0021EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}

SummaryA path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache directory, by exploiting an incomplete startswith containment check that lacks a trailing path separator.Th...

4.3CVSS6.1AI score0.00244EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI: Stored XSS to Account Takeover via Model Profile Images

Stored XSS to Account Takeover via Model Profile Images in Open WebUIAffected: Open WebUI = 0.9.5Bypass of: GHSA-3wgj-c2hg-vm6q, GHSA-3856-3vxq-m6fc--- TL;DROpen WebUI patched SVG XSS in user profile images and webhook profile images but forgot to apply the same fix to model profile images. The...

7.6CVSS6.1AI score0.00174EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion

SummaryOpen WebUI's prompt version-history endpoints authorize the promptid in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt historyentry.promptid == prompt.id. Three operations are affected:- GET...

6.4CVSS6.2AI score0.00169EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal

SummaryThe terminal-server reverse proxy in backend/openwebui/routers/terminals.py does not fully confine the user-controlled path segment before forwarding it to an admin-configured terminal server. An authenticated user who has been granted access to a terminal server can craft path values...

7.7CVSS6.2AI score0.00349EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday2 views

Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion

SummaryOpen WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two...

7.1CVSS6.2AI score0.00198EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)

Summarybackend/openwebui/utils/oauth.py::processpictureurl v0.9.5, lines 1435-1470 calls validateurlpictureurl on the initial URL only, then invokes aiohttp.ClientSession.getpictureurl, ... without allowredirects=False. aiohttp's default is allowredirects=True, maxredirects=10; the function does...

8.5CVSS6.1AI score0.00203EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI: Any authenticated user can read other users' private notes via Socket.IO

SummaryThe ydoc:document:join Socket.IO handler checks note ownership only when the documentid starts with note: colon. However, the YdocManager storage layer normalizes all document IDs by replacing colons with underscores documentid.replace":", "". An attacker can join a document room using not...

5.3CVSS6.2AI score0.00268EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI: Forged chat-file link allows cross-user file read and deletion

SummaryOpen WebUI v0.9.5 lets an authenticated user attach arbitrary fileid values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, hasaccesstofile treats the victim file as accessible...

8.3CVSS6.2AI score0.00241EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration

SummaryOpen WebUI has a Broken Object Level Authorization BOLA vulnerability in the builtin searchknowledgefiles tool.When native function calling is enabled and the selected model has no attached knowledge bases, an authenticated user can call searchknowledgefiles with an arbitrary knowledgeid...

4.3CVSS6.1AI score0.00226EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday6 views

Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects

SummaryThe SafePlaywrightURLLoader implements a validateurl function to prevent SSRF attacks by checking the IP address of the user-provided URL. However, this validation is performed only on the initial URL.Since Playwright automatically follows HTTP redirects 301/302 by default, an attacker can...

7.7CVSS6.1AI score0.00287EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode

RAG ACL Bypass in Milvus Multitenancy Mode SummaryThis is a bypass of the fix for:- GHSA-h36f-rqpx-j5wx- CVE-2026-44560- "Unauthorized File and Knowledge Base Content Access via RAG Vector Search"Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus...

6.5CVSS6.2AI score0.00281EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday5 views

Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar

SummaryPOST /api/v1/calendars/events/eventid/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendarid supplied in the request body. The model layer then persists the new calendarid unconditionally.A regular...

4.3CVSS6.1AI score0.00179EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday3 views

vLLM: image EXIF Rotation & PNG tRNS Transparency Not Normalized, Causing Mismatch Between Model Input and Expectations

SummaryIssue 1: EXIF orientation not normalized → The image orientation processed by the model differs from how humans view it, introducing interpretation bias.Issue 2: PNG tRNS not explicitly flattened before converting to RGB → After conversion, transparent/semi-transparent pixels are rendered...

4.8CVSS6AI score0.00239EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added yesterday4 views

vLLM: GGUF dequantize kernel int truncation exposes uninitialized GPU memory in multi-tenant serving

SummaryInteger truncation of tensor dimensions in vLLM's GGUF dequantize kernels csrc/quantization/gguf/ggufkernel.cu causes partial tensor processing. The output tensor is allocated at full size via torch::empty uninitialized memory, but the dequantize CUDA kernel processes only a truncated numb...

7.5CVSS6.2AI score0.00281EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday3 views

vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router

vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via the Anthropic API routerResearcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security ResearchSeverity: CVSS 3.1 5.3 Medium AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTarget: https://github.com/vllm-project/vllm---...

9.8CVSS6.7AI score0.03816EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday4 views

vLLM: OOM Denial of Service via Audio Decompression Bomb

SummaryvLLM's /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output. A 25MB OPUS file expands to 14.9GB of float32 PCM at decode time. Tested on vLLM v0.19.0. DetailsSpeechToTextProcessor rejects uploads over VLLMMAXAUDIOCLIPFILESIZEMB default 25MB based on...

6.5CVSS6.1AI score0.00243EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday2 views

yt-dlp: File Downloader cookie leak with curl

SummaryIf curl is used an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's.This is the equivalent to GHSA-v8mc-9377-rwjj for the curl downloader. The vulnerable behavior is...

7.4CVSS5.9AI score0.00268EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday4 views

vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels

SummaryAll temperature validation gates use comparison operators , which silently evaluate to False for NaN and for positive Infinity in Python's IEEE 754 float semantics. Both values pass every guard and propagate to GPU sampling kernels, where they produce undefined behavior or CUDA errors that...

6.9CVSS6.2AI score0.00261EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday3 views

OpenStack Nova: Nova scheduler hint injection bypasses Placement resource claims and scheduling constraints

Affects- Nova: =18.0.0 =32.0.0 =33.0.0 33.0.2 DescriptionErichen from the Institute of Computing Technology, Chinese Academy of Sciences reported that Nova's server create API does not strip internal scheduler hints. An authenticated user can bypass Placement resource claims and scheduling...

8.5CVSS6.1AI score0.00272EPSS
Exploits1References11Affected Software1
PyPA
PyPA
added yesterday4 views

yt-dlp: Arbitrary code execution via manifest downloads with aria2c

SummaryIf aria2c is used as an external downloader for a fragmented manifest format such as an HLS/DASH stream, yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code...

9.6CVSS6.5AI score0.00406EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday3 views

yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)

SummaryA vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files such as .desktop, .url, .webloc to the user's filesystem, bypassing the remediation for CVE-2024-38519. DetailsThe fix for CVE-2024-38519 enforced an allowlist for file extensions, in order ...

9.6CVSS6.2AI score0.00555EPSS
Exploits1References9Affected Software1
PyPA
PyPA
added yesterday4 views

python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service

SummaryWhen parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead did it fall back to scanning for ;. For a body that uses ; as the...

7.5CVSS6.2AI score0.00263EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters

Summaryparseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=..., and the filename0/filename1 continuation form is decoded and surfaced...

5.3CVSS6.1AI score0.00177EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

python-multipart: Negative Content-Length in parse_form buffers the entire body in memory

Summaryparseform did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks...

3.7CVSS6.1AI score0.00217EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

pypdf: Inefficient decoding of FlateDecode PNG predictor streams

ImpactAn attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /FlateDecode filter with a PNG predictor. PatchesThis has been fixed in pypdf==6.12.2. WorkaroundsIf you cannot upgrade yet, consider applying the changes fr...

5.1CVSS6AI score0.00117EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

pypdf: Possible infinite loop when processing outlines/bookmarks in writer

ImpactAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with outlines into a writer. PatchesThis has been fixed in pypdf==6.13.0. WorkaroundsIf you cannot upgrade yet, consider applying the changes from PR 3830...

6.9CVSS6AI score0.00123EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

pypdf: Manipulated XMP metadata streams can exhaust RAM

ImpactAn attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. PatchesThis has been fixed in pypdf==6.12.1. WorkaroundsIf you cannot upgrade yet, consider applying the changes...

6.9CVSS6AI score0.0013EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday3 views

pypdf: Possible large memory usage for form XObjects during text extraction

ImpactAn attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references. PatchesThis has been fixed in pypdf==6.12.2. WorkaroundsIf you cannot upgrade yet, consider applying the...

6.9CVSS6AI score0.00123EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

python-multipart: Semicolon treated as querystring field separator enables parameter smuggling

SummaryQuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only & as a separator. This creates a parser differential: the same bytes a...

3.7CVSS6.1AI score0.00176EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday6 views

Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint

SummaryLangflow is vulnerable to Path Traversal in the Knowledge Bases API POST /api/v1/knowledgebases. This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw ...

6.5CVSS6.1AI score0.00313EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday3 views

LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders

SummarySeveral LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root directory. Affected behaviors include: a file-search agent middleware that validates a starting directory but not the search pattern or th...

5.5CVSS6.1AI score0.00157EPSS
Exploits0References6Affected Software1
Total number of security vulnerabilities7035