Lucene search
+L

7044 matches found

pypa
pypa
•added 2026/07/07 11:45 a.m.•5 views

Authenticated Local Privilege Escalation vulnerability in Intel Optimization for Tensorflow

Improper buffer restrictions in the IntelR Optimization for Tensorflow software before version 2.12 may allow an authenticated user to potentially enable escalation of privilege via local access...

7.8CVSS7.2AI score0.00152EPSS
Exploits0References4Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•4 views

FaucetSDN Ryu Denial of Service Vulnerability

An issue was discovered in OFPQueueGetConfigReply in parser.py in FaucetSDN Ryu version 4.34, allows remote attackers to cause a denial of service DoS infinite loop...

7.5CVSS7.1AI score0.00719EPSS
Exploits1References5Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

RDiffWeb vulnerable to Allocation of Resources Without Limits or Throttling

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.8.0...

6.5CVSS6.2AI score0.00405EPSS
Exploits1References6Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•4 views

Fides Webserver Vulnerable to Zip Bomb File Uploads

ImpactThe Fides webserver is vulnerable to a type of Denial of Service DoS attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver.This...

4.9CVSS5.8AI score0.00568EPSS
Exploits0References7Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

ScanCode.io command injection in docker image fetch process

Command Injection in docker fetch process SummaryA possible command injection in the docker fetch process as it allows to append malicious commands in the dockerreference parameter. DetailsIn the function scanpipe/pipes/fetch.py:fetchdockerimage1 the parameter dockerreference is user controllable...

8.8CVSS6.9AI score0.02437EPSS
Exploits1References8Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

Privilege escalation via ApiTokensEndpoint

ImpactAn attacker with access to a token with few or no scopes can query /api/0/api-tokens/ for a list of all tokens created by a user, including tokens with greater scopes, and use those tokens in other requests.There is no evidence that the issue was exploited on https://sentry.io. For...

8.1CVSS7.2AI score0.00849EPSS
Exploits1References9Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

Fides Webserver Vulnerable to SVG Bomb File Uploads

ImpactThe Fides webserver is vulnerable to a type of Denial of Service DoS attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs similar to a billion laughs attack, causing resource exhaustion in Admin UI browser tabs and creating a persistent denial ...

4.9CVSS5.9AI score0.00579EPSS
Exploits0References7Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•2 views

Apache Airflow Apache Hive Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow Apache Hive Provider.Patching on top of CVE-2023-35797Before6.1.2the proxyuser option can also inject semicolon.This issue affects Apache Airflow Apache Hive Provider: before 6.1.2.It is recommended updating...

8.8CVSS7.1AI score0.01586EPSS
Exploits0References6Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•4 views

Keylime's registrar vulnerable to Denial-of-service attack via a single open connection

ImpactKeylime registrar is prone to a simple denial of service attack in which an adversary opens a connection to the TLS port by default, port 8891 blocking further, legitimate connections. As long as the connection is open, the registrar is blocked and cannot serve any further clients agents an...

7.5CVSS7AI score0.01424EPSS
Exploits0References10Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•4 views

Denial of service in neutron

An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significa...

6.5CVSS6.5AI score0.00969EPSS
Exploits0References6Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•4 views

Kiwi TCMS's misconfigured HTTP headers allow stored XSS execution with Firefox

ImpactKiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introducedchanges which were meant to serve all uploaded files as plain text in order to prevent browsers from executing potentially dangerous files when such files are accessed...

8.1CVSS6.8AI score0.00692EPSS
Exploits1References12Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection.In order to exploit this weakness, a user would already need elevated permissions Op or Admin to change the connection object in this...

7.2CVSS7.4AI score0.01531EPSS
Exploits0References5Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•6 views

gRPC connection termination issue

gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyo...

5.3CVSS6.5AI score0.00531EPSS
Exploits0References11Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•4 views

yt-dlp File Downloader cookie leak

ImpactDuring file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host.This vulnerable behavior is present in all versions of youtube-dl...

8.2CVSS7AI score0.01038EPSS
Exploits0References14Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

Apache Superset Server-Side Request Forgery vulnerability

A malicious actor who has been authenticated and granted specific permissions in Apache Superset may use the import dataset feature in order to conduct Server-Side Request Forgery attacks and query internal resources on behalf of the server where Superset is deployed. This vulnerability existsin...

6.5CVSS6.5AI score0.00949EPSS
Exploits0References6Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•6 views

gRPC Reachable Assertion issue

There exists an vulnerability causing an abort to be called in gRPC.The following headers cause gRPC's C++ implementation to abort when called via http2:te: x x != trailers:scheme: x x != http, httpsgrpclbclientstats: x x == anythingOn top of sending one of those headers, a later header must be...

7.5CVSS6.8AI score0.00412EPSS
Exploits0References6Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

Apache Superset vulnerable to Exposure of Sensitive Information

An authenticated user with specific data permissions could access database connections stored passwords by requesting a specific REST API.This issue affects Apache Superset version 1.3.0 up to 2.0.1...

6.5CVSS6.8AI score0.02067EPSS
Exploits0References6Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

Reportlab vulnerable to remote code execution

Reportlab up to and including v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file...

7.8CVSS7.2AI score0.02123EPSS
Exploits6References9Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•4 views

kiwitcms vulnerable to stored cross-site scripting via unrestricted file upload

ImpactKiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded and Content-Security-Policy definition to prevent cross-site-scripting attacks. The...

8.1CVSS7AI score0.0087EPSS
Exploits1References10Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

Apache Airflow ODBC Provider Argument Injection vulnerability

Improper Neutralization of Argument Delimiters in a Command 'Argument Injection' vulnerability in Apache Software Foundation Apache Airflow ODBC Provider.In OdbcHook, A privilege escalation vulnerability exists in a system due to controllable ODBC driver parameters that allow the loading of...

7.8CVSS7.2AI score0.0075EPSS
Exploits0References7Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

kiwitcms vulnerable to stored XSS via unrestricted files upload

ImpactKiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded, see GHSA-fwcf-753v-fgcj and Content-Security-Policy definition to prevent...

8.1CVSS6.9AI score0.00431EPSS
Exploits0References8Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•4 views

jcvi vulnerable to Configuration Injection due to unsanitized user input

SummaryA configuration injection happens when user input is considered by the application in an unsanitized format and can reach the configuration file. A malicious user may craft a special payload that may lead to a command injection. PoCThe vulnerable code snippet is...

8.8CVSS7.6AI score0.01841EPSS
Exploits0References6Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

Apache Airflow JDBC Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in Apache Software Foundation Apache Airflow JDBC Provider. Airflow JDBC Provider Connection’s Connection URL parameters had no restrictions, which made it possible to implement RCE attacks via different type JDBC drivers, obtain airflow server permission...

8.8CVSS7.2AI score0.01518EPSS
Exploits0References5Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

hnswlib Double Free vulnerability

Hnswlib 0.7.0 has a double free in initindex when the M argument is a large integer...

6.5CVSS6.6AI score0.00586EPSS
Exploits1References7Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

Connection confusion in gRPC

When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this...

7.5CVSS6.8AI score0.00502EPSS
Exploits0References11Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•4 views

Apache Airflow ODBC Provider, Apache Airflow MSSQL Provider Improper Input Validation vulnerability

Input Validation vulnerability in Apache Software Foundation Apache Airflow ODBC Provider, Apache Software Foundation Apache Airflow MSSQL Provider.Thisvulnerability is considered low since it requires DAG code to use getsqlalchemyconnection and someone with access to connection resources...

4.3CVSS6AI score0.01263EPSS
Exploits0References7Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

PyPDF2 vulnerable to possible Infinite Loop when reading malformed objects

ImpactAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop.This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case if the user extracted metadata from such a...

6.5CVSS6.6AI score0.00573EPSS
Exploits1References8Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

PyPDF2 quadratic runtime with malformed PDF missing xref marker

ImpactAn attacker who uses this vulnerability can craft a PDF which leads to unexpected long runtime.This quadratic runtime blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. Patcheshttps://github.com/py-pdf/pypdf/pull/808 WorkaroundsIs...

6.5CVSS6.6AI score0.00625EPSS
Exploits1References9Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•10 views

pypdf and PyPDF2 possible Infinite Loop when a comment isn't followed by a character

ImpactAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if parsecontentstream is executed. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case if the...

6.2CVSS6.2AI score0.00352EPSS
Exploits1References9Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

Improper Restriction of Excessive Authentication Attempts in calibreweb

Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20...

9.8CVSS7.1AI score0.00762EPSS
Exploits1References5Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

Allegro Tech BigFlow vulnerable to Missing SSL Certificate Validation

Allegro Tech BigFlow prior to 1.6.0 is vulnerable to Missing SSL Certificate Validation...

5.9CVSS6.3AI score0.00434EPSS
Exploits1References8Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

Apache superset missing check for default SECRET_KEY

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRETKEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset...

9.8CVSS7.2AI score0.97405EPSS
Exploits20References11Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•2 views

Apache Superset vulnerable to Improper Authorization

An authenticated user with Gamma role authorization could have access to metadata information using non trivial methods in Apache Superset up to and including 2.0.1...

4.3CVSS5.9AI score0.00773EPSS
Exploits0References5Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•2 views

Flask-AppBuilder Has No Rate Limiting on Login AUTH DB

ImpactLack of rate limiting will allow an attacker to brute-force user credentials. PatchesAbility to enable rate limiting on Flask-AppBuilder = 4.3.0. Use AUTHRATELIMITED = True and RATELIMITENABLED = True set the limit itself by using AUTHRATELIMIT. Will apply only to database authentication...

7.5CVSS7.1AI score0.00629EPSS
Exploits0References8Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•2 views

Any file can be included with the pymdown-snippets extension

SummaryArbitrary file read when using include file syntax. DetailsBy using the syntax --8--"/etc/passwd" or --8--"/proc/self/environ" the content of these files will be rendered in the generated documentation. Additionally, a path relative to a specified, allowed base path can also be used to...

7.5CVSS7.1AI score0.01815EPSS
Exploits1References7Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•2 views

Unrestricted file upload in kiwi TCMS

ImpactKiwi TCMS allows users to upload attachments to test plans, test cases, etc. In earlier versions there is no control over what kinds of files can be uploaded. Thus a malicious actor may upload an .exe file or a file containing embedded JavaScript and trick others into clicking on these file...

9CVSS7.4AI score0.01024EPSS
Exploits1References8Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•2 views

Weak Password Requirements in calibreweb

Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20...

9.8CVSS7.1AI score0.00742EPSS
Exploits1References6Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•2 views

git-url-parse Regular Expression Denial of Service

giturlparse aka git-url-parse through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS Regular Expression Denial of Service if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package for example, to check whether it accesses any Git...

7.5CVSS7AI score0.01033EPSS
Exploits0References8Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•2 views

kiwi TCMS has possibility for user to update email address to unverified one

ImpactIn previous versions of Kiwi TCMS users were able to update their email addresses via the "My profile" admin page. This page allowed them to change the email address registered with their account without the ownership verification performed during account registration. PatchesWith Kiwi TCMS...

4.3CVSS6AI score0.00419EPSS
Exploits0References7Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

configobj ReDoS exploitable by developer using values in a server-side configuration file

All versions of the package configobj are vulnerable to Regular Expression Denial of Service ReDoS via the validate function, using .+?\.\. Note: This is only exploitable in the case of a developer, putting the offending value in a server side configuration file...

5.9CVSS6.2AI score0.01259EPSS
Exploits1References11Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

pgAdmin 4 vulnerable to directory traversal

pgAdmin 4 versions prior to v6.19 contains a directory traversal vulnerability. A user of the product may change another user's settings or alter the database...

6.5CVSS6.2AI score0.08826EPSS
Exploits0References7Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•4 views

TensorFlow has Heap-buffer-overflow in AvgPoolGrad

Impactpythonimport osos.environ'TFENABLEONEDNNOPTS' = '0'import tensorflow as tfprinttf.versionwith tf.device"CPU": ksize = 1, 40, 128, 1 strides = 1, 128, 128, 30 padding = "SAME" dataformat = "NHWC" originputshape = 11, 9, 78, 9 grad = tf.saturatecasttf.random.uniform16, 16, 16, 16, minval=-128...

9.8CVSS6.6AI score0.00415EPSS
Exploits0References6Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

Apache Airflow Drill Provider vulnerable to improper input validation

Apache Software Foundation's Apache Airflow Drill Provider before 2.3.2 is vulnerable to improper input validation because the host passed in drill connection is not sanitized...

8.7CVSS7.1AI score0.02062EPSS
Exploits0References10Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

TensorFlow vulnerable to Out-of-Bounds Read in DynamicStitch

ImpactIf the parameter indices for DynamicStitch does not match the shape of the parameter data, it can trigger an stack OOB read.pythonimport tensorflow as tffunc = tf.rawops.DynamicStitchpara='indices': 0xdeadbeef, 405, 519, 758, 1015, 'data': 110.27793884277344, 120.29475402832031,...

7.5CVSS6.7AI score0.00391EPSS
Exploits0References6Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

TensorFlow vulnerable to integer overflow in EditDistance

ImpactTFversion 2.11.0 //tensorflow/core/ops/arrayops.cc:1067 const Tensor hypothesisshapet = c-inputtensor2; std::vector dimshypothesisshapet-NumElements - 1; for int i = 0; i MakeDimstd::maxhvaluesi, tvaluesi; if hypothesisshapet is empty, hypothesisshapet-NumElements - 1 will be integer...

7.5CVSS6.6AI score0.00391EPSS
Exploits0References6Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•4 views

TensorFlow has Null Pointer Error in SparseSparseMaximum

ImpactWhen SparseSparseMaximum is given invalid sparse tensors as inputs, it can give an NPE. pythonimport tensorflow as tftf.rawops.SparseSparseMaximum aindices=1, avalues = 0.1 , ashape = 2, bindices=, bvalues =2 , bshape = 2, PatchesWe have patched the issue in GitHub commit...

7.5CVSS6.6AI score0.00439EPSS
Exploits1References6Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

TensorFlow Denial of Service vulnerability

ImpactA malicious invalid input crashes a tensorflow model Check Failed and can be used to trigger a denial of service attack.To minimize the bug, we built a simple single-layer TensorFlow model containing a Convolution3DTranspose layer, which works well with expected inputs and can be deployed i...

6.5CVSS6.7AI score0.00432EPSS
Exploits1References7Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•3 views

TensorFlow has Null Pointer Error in TensorArrayConcatV2

ImpactWhen ctx-stepcontainter is a null ptr, the Lookup function will be executed with a null pointer.pythonimport tensorflow as tftf.rawops.TensorArrayConcatV2handle='a', 'b', flowin = 0.1, dtype=tf.int32, elementshapeexcept0=1 PatchesWe have patched the issue in GitHub commit...

7.5CVSS6.6AI score0.00391EPSS
Exploits0References6Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•5 views

TensorFlow vulnerable to seg fault in `tf.raw_ops.Print`

ImpactWhen the parameter summarize of tf.rawops.Print is zero, the new method SummarizeArray will reference to a nullptr, leading to a seg fault.pythonimport tensorflow as tftf.rawops.Printinput = tf.constant1, 1, 1, 1,dtype=tf.int32, data = False, False, False, False, False, False, False, False,...

7.5CVSS6.6AI score0.00391EPSS
Exploits0References6Affected Software1
pypa
pypa
•added 2026/07/07 11:45 a.m.•4 views

Apache Airflow Spark Provider vulnerable to improper input validation

Apache Software Foundation Apache Airflow Spark Provider before 4.0.1 is vulnerable to improper input validation because the host and schema of JDBC Hook can contain / and ? which is used to denote the end of the field...

7.5CVSS7.1AI score0.02152EPSS
Exploits0References7Affected Software1
Total number of security vulnerabilities7044