Lucene search
+L

7044 matches found

pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Fides Information Disclosure Vulnerability in Config API Endpoint

ImpactThe Fides webserver API allows users to retrieve its configuration using the GET api/v1/config endpoint. The configuration data is filtered to suppress most sensitive configuration information before it is returned to the user, but even the filtered data contains information about the...

6.5CVSS6.5AI score0.00722EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF

ImpactAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop.This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage.That is, for example, the case when the pypdf-user manipulates an incoming...

5.5CVSS6.1AI score0.00243EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

Ethyca Fides HTML Injection Vulnerability in HTML-Formatted DSR Packages

ImpactThe Fides web application allows data subject users to request access to their personal data. If the request is approved by the data controller user operating the Fides web application, the data subject's personal data can then retrieved from connected systems and data stores before being...

6.1CVSS6.4AI score0.00609EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection

ImpactThe Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases.To pass extra control data between...

5CVSS6AI score0.00318EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Fides JavaScript Injection Vulnerability in Privacy Center URL

ImpactThe Fides web application allows users to edit consent and privacy notices such as cookie banners. These privacy notices can then be served by other integrated websites, for example in cookie consent banners. One of the editable fields is a privacy policy URL and this input was found to not...

5.4CVSS6.1AI score0.00607EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

Ansible galaxy-importer Path Traversal vulnerability

A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten...

6.5CVSS6.5AI score0.00834EPSS
Exploits1References10Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Langchain Server-Side Request Forgery vulnerability

In Langchain before 0.0.329, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks...

7.5CVSS7.2AI score0.00585EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

dtale vulnerable to Remote Code Execution through the Custom Filter Input

ImpactUsers hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. PatchesUsers should upgrade to version 3.7.0 where the "Custom Filter" input is turned off by default. You can find out more information on how to turn it back on...

9.8CVSS7.8AI score0.00756EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Apache Airflow Celery provider Insertion of Sensitive Information into Log File vulnerability

Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow.Sensitive information logged as clear text when rediss, amqp, rpc protocols are used as Celery result backendNote: thevulnerability is about the information exposed in the logs not abo...

7.5CVSS7AI score0.01203EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

Fides Server-Side Request Forgery Vulnerability in Custom Integration Upload

ImpactThe Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in YAML format. It was discovered that specially crafted YAML dataset and config files allow a malicious user to perform arbitrary requests to internal systems...

8.2CVSS7AI score0.00675EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

PDM Trojan Lockfile

SummaryIt's possible to craft a malicious pdm.lock file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. DetailsProject foo can be targeted by creating the project foo-2 and uploading the file...

7.8CVSS7.6AI score0.00512EPSS
Exploits1References9Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

yt-dlp on Windows vulnerable to `--exec` command injection when using `%q`

Impactyt-dlp allows the user to provide shell commands to be executed at various stages in its download process through the --exec flag. This flag allows output template expansion in its argument, so that video metadata values may be used in the shell commands. The metadata fields can be combined...

8.3CVSS7.5AI score0.01292EPSS
Exploits1References9Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

NI MeasurementLink Python Services Improper Access Restriction vulnerability

ImpactAn improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services exposed on localhost. These services were previously thought to be unreachable outside of the node. This affects measurement plug-ins written in Python using...

8.8CVSS7.2AI score0.00281EPSS
Exploits0References8Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Defining resource name as integer may give unintended access in vantage6

ImpactMalicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names.One example where this is a risk, is when users define which users are allowed to run algorithms on their node. This may be defined by username or user id. Now, for...

5.4CVSS6.1AI score0.00402EPSS
Exploits0References9Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

TorBot vulnerable to Inefficient Regular Expression Complexity in validate_link

SummaryThe torbot.modules.validators.validatelink function uses the python-validators URL validation regex. This particular regular expression has an exponential complexity which allows an attacker to cause an application crash using a well-crafted argument...

7.5CVSS7AI score0.00797EPSS
Exploits1References8Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Microsoft Common Data Model SDK Denial of Service Vulnerability

Microsoft Common Data Model SDK Denial of Service Vulnerability...

6.5CVSS6.8AI score0.02802EPSS
Exploits0References4Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

pretix allows Pillow to parse EPS files

pretix before 2023.7.2 allows Pillow to parse EPS files...

7.8CVSS7.1AI score0.003EPSS
Exploits0References9Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Ansible may expose private key

A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availabili...

7.8CVSS7AI score0.00239EPSS
Exploits0References8Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

OpenStack Barbican credential leak flaw

A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials...

6.6CVSS6.5AI score0.00191EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

opentelemetry-instrumentation Denial of Service vulnerability due to unbound cardinality metrics

SummaryAutoinstrumentation out of the box adds the label httpmethod that has unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. DetailsHTTP method for requests can be easily set by an attacker to be random and long. PoCSend many reques...

7.5CVSS7AI score0.00685EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

Apache HDFS Provider error message suggested

In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentationinfo pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. The...

7.8CVSS6.8AI score0.0046EPSS
Exploits0References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

OpenStack Barbican information disclosure vulnerability

A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is...

6CVSS6.1AI score0.0048EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Denial of Service Vulnerability in gRPC TCP Server (Posix-compatible platforms)

Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms ex. Linux allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++ Python, and Ruby are affected, but gRPC Jav...

7.5CVSS7.1AI score0.00666EPSS
Exploits0References14Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

OpenStack Heat information leak vulnerability

An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the system...

7.4CVSS6.7AI score0.00709EPSS
Exploits1References8Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Gradio arbitrary file upload vulnerability

Gradio v3.27.0 was discovered to contain an arbitrary file upload vulnerability via the /upload interface...

4.8CVSS6AI score0.00345EPSS
Exploits0References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

libwebp: OOB write in BuildHuffmanTable

Heap buffer overflow in libwebp allow a remote attacker to perform an out of bounds memory write via a crafted HTML page...

8.8CVSS7.2AI score0.99735EPSS
Exploits9References65Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

pgAdmin failed to properly control the server code

A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities such as pgdump and pgrestore. Versions of pgAdmin prior to 7.7 failed to properly control the server code executed on this API, allowing an...

8.8CVSS7AI score0.0147EPSS
Exploits0References9Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.2 views

Zope vulnerable to Stored Cross Site Scripting with SVG images

ImpactThere is a stored cross site scripting vulnerability for SVG images.Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user...

5.4CVSS5.6AI score0.00599EPSS
Exploits1References8Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Domain restrictions bypass via DNS Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes

ImpactThe proxy mode of WireMock, can be protected by the network restrictions configuration, as documented in Preventing proxying to and recording from specific target addresses. These restrictions can be configured using the domain names, and in such a case the configuration is vulnerable to th...

6.6CVSS6.7AI score0.00571EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

Apache Superset Server Side Request Forgery vulnerability

Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, possible SSRF...

5.4CVSS6.3AI score0.00806EPSS
Exploits0References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

Apache Superset has improper default REST API permission for Gamma users

An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test database connections...

5.4CVSS6.1AI score0.00839EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Apache Superset users may incorrectly create resources using the import charts feature

A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0...

4.3CVSS5.9AI score0.00876EPSS
Exploits0References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

Pyramid static view path traversal up one directory

ImpactThis impacts users of Python 3.11 that are using a Pyramid static view with a full filesystem path and have a index.html file that is located exactly one directory above the location of the static view's file system path. No further path traversal exists, and the only file that could be...

5.3CVSS6.1AI score0.00632EPSS
Exploits0References10Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.5 views

Information disclosure in AccessControl

ImpactPython's "format" functionality allows someone controlling the format string to "read" objects accessible recursively via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown getattr and getitem, not the policy...

7.7CVSS7.2AI score0.00519EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Apache Superset has incorrect authorization check

An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can be exploited by leveraging a SQL parsing vulnerability...

4.3CVSS6AI score0.0074EPSS
Exploits0References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Apache Superset vulnerable to improper data authorization

Improper data authorization check on Jinja templated queries in Apache Supersetup to and including 2.1.0 allows for an authenticated user to issue queries on database tables they may not have access to...

5CVSS6AI score0.00726EPSS
Exploits0References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in hyper-bump-it

Summaryhyper-bump-it reads a file glob pattern from the configuration file. That is combined with the project root directory to construct a full glob pattern that is used to find files that should be edited. These matched files should be contained within the project root directory, but that is no...

5.5CVSS6.2AI score0.00336EPSS
Exploits1References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Apache Superset may expose internal traces on REST API endpoints

By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users.This vulnerability exists in Apache Superset versions up to and including 2.1.0...

4.3CVSS5.9AI score0.00811EPSS
Exploits0References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

Airflow Sqoop Provider RCE Vulnerability

Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via ‘sqoop import --connect’, obtain airflow server permissions, etc. The attacker needs to be logged...

8.8CVSS7.1AI score0.01206EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Apache Superset Deserialization of Untrusted Data vulnerability

If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only accessible directly by t...

6.6CVSS7.6AI score0.29226EPSS
Exploits2References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

Apache Superset Improper Input Validation vulnerability

Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names likesqlite+pysqlite or by using database imports. This could allow for unexpected file creation on Superset webservers. Additionally, if Apache Superset is using...

6.5CVSS6.7AI score0.83716EPSS
Exploits2References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.13 views

Remote Code Execution in Custom Integration Upload

ImpactThe Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML files, but Fides can be configured to also accept the inclusion of custom Python code in it. The custom code is executed in a restricted, sandboxed environment, but the sandbox c...

8.8CVSS7.4AI score0.00837EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

Excessive Iteration in gRPC

gRPC contains a vulnerability that allows hpack table accounting errors could lead to unwanted disconnects between clients and servers in exceptional cases/Three vectors were found that allow the following DOS attacks:- Unbounded memory buffering in the HPACK parser- Unbounded CPU consumption in...

7.5CVSS7.1AI score0.00412EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Sentry vulnerable to incorrect credential validation on OAuth token requests

ImpactAn attacker with sufficient client-side exploits could retrieve a valid access token for another user during the OAuth token exchange due to incorrect credential validation. The client ID must be known and the API application must have already been authorized on the targeted user account...

6.8CVSS6.7AI score0.00308EPSS
Exploits0References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

Apache Airflow missing Certificate Validation

Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, andApache Airflow before 2.7.0 are affected by theValidation of OpenSSL Certificate vulnerability.The default SSL context with SSL library did not check a server's X.509certificate. Instead, the code accepted an...

5.9CVSS6.3AI score0.00594EPSS
Exploits0References12Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

pandasai vulnerable to prompt injection

An issue in Gaberiele Venturi pandasai v.0.8.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the prompt function...

9.8CVSS7.6AI score0.01267EPSS
Exploits1References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

Apache Airflow Spark Provider Improper Input Validation vulnerability

Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server.It is recommended to upgrade to a version that is not affected...

7.5CVSS7AI score0.01667EPSS
Exploits0References6Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

FaucetSDN Ryu Denial of Service Vulnerability

An issue was discovered in OFPBundleCtrlMsg in parser.py in FaucetSDN Ryu version 4.34, allows remote attackers to cause a denial of service DoS infinite loop...

7.5CVSS7.1AI score0.00719EPSS
Exploits1References5Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.4 views

Scancode.io Reflected Cross-Site Scripting (XSS) in license endpoint

SummaryIn the /license/ endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting XSS vulnerability when attempting to access a detailed license view that does not exist. DetailsIn the /license/ endpoint, the licensedetailsview...

6.1CVSS6.2AI score0.00438EPSS
Exploits1References7Affected Software1
pypa
pypa
added 2026/07/07 11:45 a.m.3 views

apache-airflow-providers-apache-drill Improper Input Validation vulnerability

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Drill Provider.Apache Airflow Drill Provider is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection with DrillHook giving an opportunity to read file...

8.7CVSS6.7AI score0.01776EPSS
Exploits0References10Affected Software1
Total number of security vulnerabilities7044