Lucene search
+L

7044 matches found

pypa
pypa
added 2026/07/07 11:45 a.m.6 views

sagemaker-python-sdk vulnerable to Deserialization of Untrusted Data

Impactsagemaker.basedeserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is passed as pickled object arrays. This consequently may allow an unprivileged third party to cause remote code execution, denial of service, affecting both...

7.8CVSS7.3AI score0.00408EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter

The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, , or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys as opposed to only values as user input, and...

5.4CVSS6AI score0.00979EPSS
Exploits0References11Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

tqdm CLI arguments injection attack

ImpactAny optional non-boolean CLI arguments e.g. --delim, --buf-size, --manpath are passed through python's eval, allowing arbitrary code execution. Example:shpython -m tqdm --manpath="" + strexec"import os\nos.system'echo hi && killall python3'" + ""...

4.8CVSS6.6AI score0.00432EPSS
Exploits0References9Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.7 views

Ryu Infinite Loop vulnerability

OFPGroupDescStats in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service infinite loop via OFPBucket.len=0...

7.5CVSS7.1AI score0.00681EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

Ryu Infinite Loop vulnerability

OFPBucket in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service infinite loop via action.len=0...

5.3CVSS6.1AI score0.00457EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

Ryu Infinite Loop vulnerability

OFPHello in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service infinite loop via length=0...

7.5CVSS7.1AI score0.00681EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.8 views

Ryu Infinite Loop vulnerability

OFPFlowStats in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service infinite loop via inst.length=0...

7.5CVSS7.1AI score0.00681EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

sagemaker-python-sdk Command Injection vulnerability

ImpactThe capturedependencies function in sagemaker.serve.saveretrive.version100.save.utils module before version 2.214.3 allows for potentially unsafe Operating System OS Command Injection if inappropriate command is passed as the “requirementspath” parameter. This consequently may allow an...

7.8CVSS7.3AI score0.01143EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain

The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it...

7.5CVSS7.3AI score0.03397EPSS
Exploits0References10Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

Gradio's Component Server does not properly consider` _is_server_fn` for functions

Component Server in Gradio before 4.13 does not properly consider isserverfn for functions...

6.5CVSS5.9AI score
Exploits2References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

PyPXE Buffer Overflow vulnerability

Buffer Overflow vulnerability in PyPXE v.1.8.4 allows a remote attacker to cause a denial of service via the handle function in the tftp module...

8.8CVSS7.2AI score0.00539EPSS
Exploits0References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.7 views

nautobot has reflected Cross-site Scripting potential in all object list views

ImpactIt was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL could potentially be used to execute a Reflected Cross-Site Scripting Reflected XSS attack against users. All filterable object-list views in Nautobot are...

7.5CVSS7AI score0.00491EPSS
Exploits0References11Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

social-auth-app-django affected by Improper Handling of Case Sensitivity

ImpactDue to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. PatchesThis issue has been addressed by https://github.com/python-social-auth/social-app-django/pull/566 and fix releas...

4.9CVSS6.2AI score0.00581EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

pgAdmin Cross-site Scripting vulnerability in /settings/store API response json payload

pgAdmin = 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malicious script at the client end...

7.4CVSS7.2AI score0.00461EPSS
Exploits1References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

changedetection.io Cross-site Scripting vulnerability

SummaryInput in parameter notificationurls is not processed resulting in javascript execution in the application Detailschangedetection.io version: v0.45.21https://github.com/dgtlmoon/changedetection.io/blob/0.45.21/changedetectionio/forms.pyL226 for serverurl in field.data: if not...

4.3CVSS6.2AI score0.01281EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

pgAdmin is affected by a multi-factor authentication bypass vulnerability

pgAdmin = 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitimate account’s username and password may authenticate to the application and perform sensitive actions within the application, such as managing files an...

8.8CVSS7.1AI score0.00629EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

dcnnt-py is vulnerable to command injection via Notification Handler

A vulnerability was found in cyanomiko dcnnt-py up to 0.9.0. It has been classified as critical. Affected is the function main of the file dcnnt/plugins/notifications.py of the component Notification Handler. The manipulation leads to command injection. It is possible to launch the attack remotel...

6.5CVSS5.4AI score0.01322EPSS
Exploits0References9Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.7 views

Wagtail has permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet`

ImpactIf a model has been made available for editing through the wagtail.contrib.settings module or ModelViewSet, and the permission argument on FieldPanel has been used to further restrict access to one or more fields of the model, a user with edit permission over the model but not the specific...

2.7CVSS5.9AI score0.00479EPSS
Exploits0References11Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests

SummaryAn attacker can send a specially crafted POST multipart/form-data request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process any further requests. ImpactAn attacker can stop the application from serving requests after sending a single...

7.5CVSS6AI score0.01094EPSS
Exploits0References10Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

OpenStack Storlets arbitrary code execution vulnerability

An issue in OpenStack Storlets yoga-eom allows a remote attacker to execute arbitrary code via the gateway.py component...

7.8CVSS6.4AI score0.00892EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

langchain vulnerable to path traversal

langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory 'Path Traversal' in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to...

8.8CVSS7AI score0.01856EPSS
Exploits1References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

mlflow vulnerable to Path Traversal

A path traversal vulnerability exists in the createmodelversion function within server/handlers.py of the mlflow/mlflow repository, due to improper validation of the source parameter. Attackers can exploit this vulnerability by crafting a source parameter that bypasses the...

7.5CVSS7.2AI score0.00859EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

mlflow vulnerable to Path Traversal

A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. Th...

7.5CVSS7.2AI score0.00695EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used

Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "configuration" UI pagewhen "non-sensitive-only" was set as "webserver.exposeconfig" configuration The celery provider is the only community provider current...

5.3CVSS6AI score0.01049EPSS
Exploits0References8Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

mlflow vulnerable to Path Traversal

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypass path validation by exploiting the double decoding process in the deleteartifactmlflowartifacts handler and localfileuritopath function, allowing for...

8.1CVSS7.2AI score0.00856EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

aiohttp Cross-site Scripting vulnerability on index pages for static file handling

SummaryA XSS vulnerability exists on index pages for static file handling. DetailsWhen using web.static..., showindex=True, the resulting index pages do not escape file names.If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to XSS attacks...

6.1CVSS6.1AI score0.00666EPSS
Exploits0References12Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

Improper Certificate Validation vulnerability in Apache Airflow FTP Provider

Improper Certificate Validation vulnerability in Apache Airflow FTP Provider.The FTP hook lacks complete certificate validation in FTPTLS connections, which can potentially be leveraged. Implementing proper certificate validation by passing context=ssl.createdefaultcontext during FTPTLS...

2.7CVSS5.9AI score0.00626EPSS
Exploits0References9Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.10 views

Sentry vulnerable to leaking superuser cleartext password in logs

ImpactWhen authenticating as a superuser to a self-hosted Sentry instance with a username and password, the password is leaked as cleartext in logs under the event: auth-index.validatesuperuser. An attacker with access to the log data could use these leaked credentials to login to the Sentry syst...

7.3CVSS6AI score0.00428EPSS
Exploits0References8Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

gradio vulnerable to Path Traversal

An issue was discovered in gradio-app/gradio, where the /componentserver endpoint improperly allows the invocation of any method on a Component class with attacker-controlled arguments. Specifically, by exploiting the moveresourcetoblockcache method of the Block class, an attacker can copy any fi...

7.5CVSS6.1AI score0.09239EPSS
Exploits4References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

Pydantic regular expression denial of service

Regular expression denial of service in Pydantic 2.4.0, 1.10.13 allows remote attackers to cause denial of service via a crafted email string...

7.5CVSS6.7AI score0.00949EPSS
Exploits1References8Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

NiceGUI allows potential access to local file system

NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the /nicegui/version/resources/key/path:path route. As a result any file on the backend filesystem which the web server has access to can be...

8.2CVSS7AI score0.0076EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

OpenStack magnum vulnerable to time-of-check to time-of-use (TOCTOU) attack

An issue in OpenStack magnum yoga-eom version allows a remote attacker to execute arbitrary code via the certmanager.py. component...

9.8CVSS6.3AI score0.01063EPSS
Exploits1References11Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

Aim Cross-Site Request Forgery vulnerability allows user to delete runs and perform other operations

aimhubio/aim is vulnerable to Cross-Site Request Forgery CSRF, allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboar...

8.8CVSS7.2AI score0.00587EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

sqlparse parsing heavily nested list leads to Denial of Service

SummaryPassing a heavily nested list to sqlparse.parse leads to a Denial of Service due to RecursionError. Details + PoCRunning the following code will raise Maximum recursion limit exceeded exception:pyimport sqlparsesqlparse.parse'' 10000 + '' 10000We expect a traceback of...

7.5CVSS7.1AI score0.0321EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

Potential DoS via the Tudoor mechanism in eventlet and dnspython

eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in whic...

7CVSS6AI score0.01857EPSS
Exploits1References16Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

Request smuggling leading to endpoint restriction bypass in Gunicorn

Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling HRS vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handli...

8.2CVSS5.9AI score0.02996EPSS
Exploits0References11Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

mlflow vulnerable to Path Traversal

A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the artifactlocation parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component in the artifact location URI to read arbitrary files on the...

7.5CVSS7.2AI score0.00712EPSS
Exploits1References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

mlflow Path Traversal vulnerability

A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a series of HTTP POST requests with specially crafted 'artifactlocation' and 'source' parameters, using a local URI with '' instead of '?', an attacker can...

7.5CVSS7.2AI score0.02718EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.7 views

gradio Server-Side Request Forgery vulnerability

An SSRF Server-Side Request Forgery vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the...

6.5CVSS6AI score0.01784EPSS
Exploits1References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.7 views

yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)

SummaryThe patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by replacing double quotes with two double quotes.However, this escaping is not sufficient, and still allows expansion of environment variables.Support for output template expansion in --exec, along...

9.8CVSS7.2AI score0.01254EPSS
Exploits1References11Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

DIRAC: Unauthorized users can read proxy contents during generation

ImpactDuring the proxy generation process e.g., when using dirac-proxy-init it is possible for unauthorized users on the same machine to gain read access to the proxy. This allows the user to then perform any action that is possible with the original proxy.This vulnerability only exists for a sho...

8.1CVSS5.9AI score0.00317EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

Transformers Deserialization of Untrusted Data vulnerability

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the loadrepocheckpoint function of the TFPreTrainedModel class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting...

9.6CVSS6.9AI score0.02067EPSS
Exploits2References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

pgAdmin Remote Code Execution (RCE) vulnerability

pgAdmin = 8.4 is affected by a Remote Code Execution RCE vulnerability through the validate binary path API. This vulnerability allows attackers to execute arbitrary code on the server hosting PGAdmin, posing a severe risk to the database management system's integrity and the security of the...

9.8CVSS7.4AI score0.64846EPSS
Exploits5References9Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

Voilà Local file inclusion

ImpactAny deployment of voilà dashboard allow local file inclusion, that is to say any file on a filesystem that is readable by the user that runs the voilà dashboard server can be downloaded by someone with network access to the server. Whether this still requires authentication depends on how...

7.5CVSS6.9AI score0.00725EPSS
Exploits0References10Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

Pillow buffer overflow vulnerability

In imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy...

7.3CVSS6.8AI score0.00989EPSS
Exploits0References8Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

Piccolo Admin's raw SVG loading may lead to complete data compromise from admin page

SummaryPiccolo's admin panel provides the ability to upload media files and view them within the admin panel. If SVG is an allowed file type for upload; the default; an attacker can upload an SVG which when loaded under certain contexts allows for arbitrary access to the admin page. This access...

7.7CVSS7AI score0.00493EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.6 views

Ryu Infinite Loop vulnerability

An issue was discovered in OFPMatch in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service DoS infinite loop...

7.5CVSS7.2AI score0.0082EPSS
Exploits1References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

Mobile Security Framework (MobSF) vulnerable to SSRF in firebase database check

ImpactWhat kind of vulnerability is it? Who is impacted?SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When malicious app is uploaded to Static analyzer, it is possible...

6.3CVSS6.6AI score0.0051EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.7 views

aliyundrive-webdav vulnerable to Command Injection

An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the actionqueryqrcode component...

9.8CVSS6.3AI score0.0117EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

Cross site scripting (XSS) in JupyterHub via Self-XSS leveraged by Cookie Tossing

ImpactAffected configurations:- Single-origin JupyterHub deployments- JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server.By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS...

8.1CVSS7.2AI score0.00329EPSS
Exploits0References6Affected Software1
Total number of security vulnerabilities7044