Lucene search
+L

7044 matches found

pypa
pypa
added 2026/07/07 2:34 p.m.7 views

Inefficient Regular Expression Complexity in langflow

A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \src\backend\base\langflow\interface\utils.py of the component HTTP POST Request Handler. The manipulation of the argument remainingtext leads to...

6.5CVSS5AI score0.00955EPSS
Exploits1References9Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Prevent XSS from Confidant API call

ImpactWhat kind of vulnerability is it? Who is impacted?Potential XSS from API calls below:GET /v1/credentialsGET /v1/credentials/GET /v1/archive/credentials/GET /v1/archive/credentialsPOST /v1/credentialsPUT /v1/credentials/PUT /v1/credentials//GET /v1/servicesGET /v1/services/GET...

5.1CVSS5.9AI score0.00347EPSS
Exploits0References9Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Mesop has a local file Inclusion via static file serving functionality

A vulnerability has been discovered and fixed in Mesop that could potentially allow unauthorized access to files on the server hosting the Mesop application. The vulnerability was related to insufficient input validation in a specific endpoint. This could have allowed an attacker to access files...

8.7CVSS5.8AI score0.0028EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Reverb use after free vulnerability

There exists a use after free vulnerability in Reverb.Reverb supports the VARIANT datatype, which is supposed to represent an arbitrary object in C++. When a tensor proto of type VARIANT is unpacked, memory is first allocated to store the entire tensor, and a ctor is called on each instance...

7.8CVSS6.1AI score0.00123EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

xhtml2pdf Denial of Service via crafted string

An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13 allows attackers to cause a Regular expression Denial of Service ReDOS via supplying a crafted string...

7.5CVSS6AI score0.00636EPSS
Exploits0References5Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

open-webui Insecure Direct Object Reference (IDOR) vulnerability

An Insecure Direct Object Reference IDOR vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update, where the decentralization design is flawed, allowing attackers to edit other users' memories without...

7.1CVSS6AI score0.00357EPSS
Exploits1References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

OAuth2 client ID and secret exposed through the web browser

pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data...

9.9CVSS5.9AI score0.09685EPSS
Exploits2References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

Django allows enumeration of user e-mail addresses

An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implementing password reset flows, allows remote attackers to enumerate user e-mail addresses by sending password reset requests and observing the outcome only...

6.3CVSS6AI score0.00781EPSS
Exploits0References10Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

Guardrails has an arbitrary code execution vulnerability

An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing i...

8.8CVSS6.6AI score0.00375EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Composio Code Injection Vulnerability

A vulnerability has been found in composiohq composio up to 0.5.6 and classified as critical. Affected by this vulnerability is the function Calculator of the file python/composio/tools/local/mathematical/actions/calculator.py. The manipulation leads to code injection. The exploit has been...

8.8CVSS5.4AI score0.00823EPSS
Exploits1References9Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Composio Path Traversal vulnerability

A vulnerability was found in composiohq composio up to 0.5.8 and classified as problematic. Affected by this issue is the function path of the file composio\server\api.py. The manipulation of the argument file leads to path traversal. The exploit has been disclosed to the public and may be used...

5.1CVSS4.8AI score0.00863EPSS
Exploits1References9Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

vLLM Denial of Service via the best_of parameter

A vulnerability was found in the ilab model serve component, where improper handling of the bestof parameter in the vllm JSON web API can lead to a Denial of Service DoS. The API used for LLM-based sentence or chat completion accepts a bestof parameter to return the best completion from several...

6.9CVSS5.8AI score0.00231EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.8 views

Aim Stored XSS through TEXT EXPLORER

A vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. The manipulation of the argument query leads to cross site scripting. It is possible to launch the...

5.4CVSS3.8AI score0.0047EPSS
Exploits1References8Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

LangChain pickle deserialization of untrusted data

A vulnerability in the FAISS.deserializefrombytes function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This can lead to the execution of arbitrary commands via the os.system function. The issue affects versions prior to 0.2.4...

8.4CVSS6.2AI score0.00358EPSS
Exploits1References7Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

sqlitedict insecure deserialization vulnerability

Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code...

9.8CVSS6.1AI score0.00886EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

vLLM denial of service vulnerability

A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service...

8.7CVSS5.9AI score0.00676EPSS
Exploits0References9Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Sentry improperly authorizes deletion of user issue alert notifications

ImpactAn authenticated user may delete user issue alert notifications for arbitrary users given a known alert ID. PatchesA patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications.Sentry SaaS users do not need to take any action. Self-Host...

7.1CVSS6AI score0.00386EPSS
Exploits0References8Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.9 views

Sentry improperly authorizes muting of alert rules

ImpactAn authenticated user can mute alert rules from arbitrary organizations and projects given a known given rule ID. The user does not need to be a member of the organization or have permissions on the project. In our review, we have identified no instances where alerts have been muted by...

7.1CVSS6AI score0.00358EPSS
Exploits0References8Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.17 views

D-Tale Command Execution Vulnerability

D-Tale is the combination of a Flask back-end and a React front-end to bring you an easy way to view & analyze Pandas data structures. Indtale\views.py, under the [email protected]"/chart-data/", the query parameters from the request are directly passed intorunqueryfor execution. And...

9.8CVSS6.1AI score0.01328EPSS
Exploits1References9Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

D-Tale vulnerable to Remote Code Execution through the Query input on Chart Builder

ImpactUsers hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. PatchesUsers should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default. You can find out more information on how to turn it back o...

9.8CVSS6.7AI score0.00741EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.5 views

MindsDB Cross-site Scripting vulnerability

A cross-site scripting XSS vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI...

9CVSS6.1AI score0.00473EPSS
Exploits1References4Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.5 views

LiteLLM Server-Side Request Forgery (SSRF) vulnerability

A Server-Side Request Forgery SSRF vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the apibase parameter when making requests to POST /chat/completions, causing the application to send the request to the domain specified by apibase. This request...

8.7CVSS6.1AI score0.37197EPSS
Exploits1References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

Timing-Based Username Enumeration Vulnerability in Fides Webserver Authentication

A timing-based username enumeration vulnerability has been identified in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy ...

5.3CVSS5.9AI score0.00552EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

MindsDB Eval Injection vulnerability

An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is installed on the server. If a specially crafted ‘UPDATE’ query containing Python code is run against a database created with the specified integration...

8.8CVSS6.5AI score0.00851EPSS
Exploits1References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

Cleanlab Deserialization of Untrusted Data vulnerability

Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to run arbitrary code on an end user’s system when the data directory is loaded...

8.6CVSS6.3AI score0.00243EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

Refuel Autolab Eval Injection vulnerability

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code...

8.6CVSS6.6AI score0.00349EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Flask-AppBuilder's login form allows browser to cache sensitive fields

ImpactAuth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using shared computer resources. PatchesUpgrade flask-appbuilder to version 4.5.1 WorkaroundsIf upgrading is not possible configure your web server to send the...

5.5CVSS5.9AI score0.00262EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine

SummaryThe Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default Owner or...

9.1CVSS6.6AI score0.01342EPSS
Exploits1References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

Ansible vulnerable to Insertion of Sensitive Information into Log File

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as includevars to load vaulted variables without setting the nolog: true parameter, resulting in sensitive data...

7.1CVSS6AI score0.00271EPSS
Exploits0References14Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.16 views

Refuel Autolab Eval Injection vulnerability

An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python...

8.6CVSS6.6AI score0.00349EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

FastAPI Admin cross-site scripting (XSS) vulnerability in the Create Product function

A cross-site scripting XSS vulnerability in the Create Product function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter...

6.1CVSS6AI score0.0027EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Mage AI incorrectly gives privileges to users with deleted accounts

Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server...

8.8CVSS6.4AI score0.00467EPSS
Exploits0References5Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

CKAN has Cross-site Scripting vector in the Datatables view plugin

The Datatables view plugin did not properly escape record data coming from the DataStore, leading to a potential XSS vector. ImpactSites running CKAN = 2.7.0 with the datatablesview plugin activated. This is a plugin included in CKAN core, that not activated by default but it is widely used to...

6.8CVSS5.8AI score0.00377EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

FastAPI Admin Cross-site Scripting vulnerability in the Config-Create function

A cross-site scripting XSS vulnerability in the Config-Create function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter...

6.1CVSS6AI score0.0027EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature)

SummaryThe Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS. DetailsThe q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary...

5.4CVSS6AI score0.00519EPSS
Exploits1References7Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Mage AI Path Traversal vulnerability

Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "Pipeline Interaction" request...

7.1CVSS6.3AI score0.00859EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Mage AI allows remote unauthenticated attackers to leak the terminal server command history of arbitrary users

Mage AI allows remote unauthenticated attackers to leak the terminal server command history of arbitrary users...

6.9CVSS6.1AI score0.00595EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

Potential access to sensitive URLs via CKAN extensions (SSRF)

ImpactThere are a number of CKAN plugins, including XLoader, DataPusher, Resource proxy and ckanext-archiver, that work by downloading the contents of local or remote files in order to perform some actions with their contents e.g. pushing to the DataStore, streaming contents or saving a local cop...

6.8CVSS6AI score0.00345EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Mage AI Path Traversal vulnerability

Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "File Content" request...

7.1CVSS6.3AI score0.00881EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.9 views

CKAN may leak Solr credentials via error message in package_search action

If there were connection issues with the Solr server, the internal Solr URL potentially including credentials could be leaked to packagesearch calls as part of the returned error message PatchesThis has been patched in CKAN 2.10.5 and 2.11.0...

6.9CVSS5.8AI score0.00377EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Mage AI Path Traversal vulnerability

Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "Git Content" request...

7.1CVSS6.3AI score0.00881EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.5 views

Insecure Jinja2 templates rendered in Haystack Components can lead to RCE

ImpactHaystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions.Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. PatchesThe problem has been fixed...

7.7CVSS6.1AI score0.01171EPSS
Exploits0References10Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

MobSF vulnerable to Open Redirect in Login Redirect

ImpactWhat kind of vulnerability is it? Who is impacted?An open redirect vulnerability exist in MobSF authentication view. PoC1. Go to http://127.0.0.1:8000/login/?next=//afine.com in a web browser.2. Enter credentials and press "Sign In".3. You will be redirected to afine.comUsers who are not...

6.8CVSS5.9AI score0.01EPSS
Exploits1References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Weave server API vulnerable to arbitrary file leak

The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin...

8.8CVSS7.5AI score0.04974EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

In aiohttp, compressed files as symlinks are not protected from path traversal

SummaryStatic routes which contain files with compressed variants .gz or .br extension were vulnerable to path traversal outside the root directory if those variants are symbolic links. DetailsThe server protects static routes from path traversal outside the root directory when followsymlinks=Fal...

6.3CVSS6AI score0.00645EPSS
Exploits0References9Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.6 views

Mobile Security Framework (MobSF) has a Zip Slip Vulnerability in .a Static Library Files

SummaryUpon reviewing the MobSF source code, I identified a flaw in the Static Libraries analysis section. Specifically, during the extraction of .a extension files, the measure intended to prevent Zip Slip attacks is improperly implemented.Since the implemented measure can be bypassed, the...

9.8CVSS6AI score0.00902EPSS
Exploits1References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.8 views

openstack-heat may disclose sensitive information

An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may possibly be disclosed through the OpenStack stack abandon command with the hidden feature set to True and the CVE-2023-1625 fix applied...

7.4CVSS5.9AI score0.00709EPSS
Exploits1References7Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

Open WebUI Stored Cross-Site Scripting Vulnerability

Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page...

6.3CVSS6AI score0.0062EPSS
Exploits3References5Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

PheonixAppAPI has visible Encoding Maps

ImpactThis is a kind of moderate issue. The impact is not big for normal users but can be for users who want to secure their code/files/etc.The issue is that the map of encoding/decoding languages are visible in code. PatchesThe Problem was patched in 0.2.5, so you should try to upgrade to the...

5.3CVSS6AI score0.0017EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 2:34 p.m.7 views

Pulp incorrectly assigns RBAC permissions in tasks that create objects

A flaw was found in the Pulp package. When a role-based access control RBAC object in Pulp is set to assign permissions on its creation, it uses the AutoAddObjPermsMixin typically the addrolesforobjectcreator method. This method finds the object creator by checking the current authenticated user...

8.6CVSS6.6AI score0.0061EPSS
Exploits0References9Affected Software1
Total number of security vulnerabilities7044