Lucene search
+L

7044 matches found

PyPA
PyPA
•added 2026/07/06 8:3 a.m.•5 views

Cobbler XSS Vulnerability

Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting XSS vulnerability in cobbler-web that can result in Privilege escalation to admin.. This attack appear to...

6.1CVSS6.8AI score0.01262EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•6 views

OpenStack Compute (Nova) Exposure of Sensitive Information to an Unauthorized Actor vulnerability

api/metadata/handler.py in OpenStack Compute Nova before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in...

4.3CVSS6AI score0.01938EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•6 views

OpenStack Nova Denial of Service in network source security groups

Algorithmic complexity vulnerability in OpenStack Compute Nova before 2013.1.3 and Havana before havana-3 does not properly handle network source security group policy updates, which allows remote authenticated users to cause a denial of service nova-network consumption via a large number of...

4CVSS6AI score0.02087EPSS
Exploits1References10Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•5 views

simplejson before 2.6.1 vulnerable to array index error

Array index error in the scanstring function in the json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the rawdecode function...

5.9CVSS6.8AI score0.08125EPSS
Exploits1References13Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•5 views

OpenStack Neutron Improper Input Validation vulnerability

OpenStack Neutron before 2014.2.4 juno and 2015.1.x before 2015.1.1 kilo, when using the IPTables firewall driver, allows remote authenticated users to cause a denial of service L2 agent crash by adding an address pair that is rejected by the ipset tool...

4CVSS7.1AI score0.11342EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•3 views

OpenStack Nova DoS through ephemeral disk backing files

The libvirt driver in OpenStack Compute Nova before 2013.2.2 and icehouse before icehouse-2 allows remote authenticated users to cause a denial of service disk consumption by creating and deleting instances with unique ostype settings, which triggers the creation of a new ephemeral disk backing...

4CVSS6AI score0.0202EPSS
Exploits0References10Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•4 views

OpenStack Compute (Nova) allows remote authenticated users to obtain sensitive information

OpenStack Compute Nova before 2013.1.3 and Havana before havana-2 does not properly enforce the os-flavor-access:ispublic property, which allows remote authenticated users to obtain sensitive information flavor properties, boot arbitrary flavors, and possibly have other unspecified impacts by...

6CVSS6.1AI score0.01829EPSS
Exploits2References10Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•7 views

OpenStack Compute (Nova) allows remote attackers to bypass intended restriction

OpenStack Compute Nova before 2014.2.4 juno and 2015.1.x before 2015.1.2 kilo do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance that was running when the change was made...

5CVSS6.8AI score0.0367EPSS
Exploits0References16Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•3 views

OpenStack Keystone Improper Authentication vulnerability

The 1 OS-KSADM/services and 2 tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services...

7.5CVSS6.1AI score0.03965EPSS
Exploits0References17Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•4 views

OpenStack Nova Potential Xen connection password leak via StorageError

The volumeutils.parsevolumeinfo function in OpenStack Compute Nova before 2015.1.3 kilo and 12.0.x before 12.0.1 liberty includes the connectioninfo dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading l...

5.9CVSS6.6AI score0.02221EPSS
Exploits0References13Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•4 views

OpenStack Nova host data access through resize/migration

The libvirt driver in OpenStack Compute Nova before 2015.1.4 kilo and 12.0.x before 12.0.3 liberty, when using raw storage and usecowimages is set to false, allows remote authenticated users to read arbitrary files via a crafted qcow2 header in an ephemeral or root disk...

5.3CVSS6.7AI score0.02091EPSS
Exploits0References18Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•3 views

OpenStack Cinder Denial of Service using XML entities

The 1 backup api/contrib/backups.py and 2 volume transfer contrib/volumetransfer.py APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service resource consumption and crash via an XML Entity Expansion XEE attack. NOTE: this issue is due to an...

4.3CVSS6AI score0.02604EPSS
Exploits0References9Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•3 views

OpenStack Keystone Token authorization for a user in a disabled tenant is allowed

OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant...

4CVSS6AI score0.02267EPSS
Exploits0References12Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•4 views

OpenStack Nova live snapshots use an insecure local directory

OpenStack Compute Nova Grizzly 2013.1.4, Havana 2013.2.1, and earlier uses world-writable and world-readable permissions for the temporary directory used to store live snapshots, which allows local users to read and modify live snapshots...

3.3CVSS5.9AI score0.00475EPSS
Exploits2References10Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•4 views

OpenStack Oslo utility sensitive information exposure via log files

The strutils.maskpassword function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log...

2.1CVSS6AI score0.00528EPSS
Exploits1References9Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•4 views

OpenStack Nova instance migration process does not stop when instance is deleted

OpenStack Compute nova 2015.1 through 2015.1.1, 2014.2.3, and earlier does not stop the migration process when the instance is deleted, which allows remote authenticated users to cause a denial of service disk, network, and other resource consumption by resizing and then deleting an instance...

6.8CVSS7.1AI score0.03451EPSS
Exploits0References17Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•4 views

OpenStack Compute (Nova) has Insufficient Verification of Data Authenticity

OpenStack Compute Nova before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage...

5.1CVSS6AI score0.01061EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•4 views

OpenStack Compute (Nova)'s VMWare driver vulnerable to denial of service

The VMWare driver in OpenStack Compute Nova before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service resource consumption by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting the image. NOTE: thi...

2.7CVSS6AI score0.0171EPSS
Exploits1References14Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•3 views

OpenStack Compute (nova) allows remote authenticated users to cause a denial of service

OpenStack Compute nova before 2014.2.4 juno and 2015.1.x before 2015.1.2 kilo does not properly delete instances from compute nodes, which allows remote authenticated users to cause a denial of service disk consumption by deleting instances while in the resize state...

6.8CVSS6.9AI score0.03353EPSS
Exploits0References13Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•5 views

OpenStack Compute (Nova) Denial of Service vulnerability

OpenStack Compute Nova before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service CPU consumption via an IP filter in a list active servers API request...

4CVSS6AI score0.02783EPSS
Exploits1References14Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•4 views

MapProxy vulnerable to cross-site scripting in demo service

MapProxy version 1.11.1 and older are vulnerable to cross-site scripting in the demo service resulting in possible information disclosure. An incomplete fix was released in v1.10.4, and a complete fix was released in v1.11.1...

6.1CVSS6.3AI score0.00776EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•5 views

keycloak-httpd-client-install Insecure Secrets

keycloak-httpd-client-install versions before 0.8 allow users to insecurely pass password through command line, leaking it via command history and process info to other local users...

7.8CVSS6.7AI score0.00378EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•5 views

OpenStack Nova VMware instance leak potentially leading to compute DoS

The VMware driver in OpenStack Compute Nova before 2014.1.4 allows remote authenticated users to cause a denial of service disk consumption by deleting an instance in the resize state...

4CVSS6AI score0.02006EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•4 views

Matrix Synapse Improper Signature Validation

Matrix Synapse before 0.33.3.1 and 0.33.2.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation...

8.8CVSS7.3AI score0.01525EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•4 views

web2py exposure of sensitive information

web2py before 2.14.2 allows remote attackers to obtain the sessioncookiekey value via a direct request to examples/simpleexamples/status. NOTE: this issue can be leveraged by remote attackers to execute arbitrary code using CVE-2016-3957...

5.5CVSS7.2AI score0.01411EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•4 views

OpenStack Glance v2 API unrestricted path traversal through filesystem:// scheme

The V2 API in OpenStack Image Registry and Delivery Service Glance before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem:// URL in the image location property. NOTE: this vulnerability exists because of...

6.5CVSS6.1AI score0.02769EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•4 views

libpg_query memory leak

An issue was discovered in libpgquery 10-1.0.2. There is a memory leak in pgqueryrawparse in pgqueryparse.c, which might lead to a denial of service...

7.1CVSS6.6AI score0.0115EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•5 views

keycloak-httpd-client-install symlink attack vulnerability

keycloak-httpd-client-install versions before 0.8 insecurely creates temporary file allowing local attackers to overwrite other files via symbolic link...

5.5CVSS6.6AI score0.00386EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2026/07/06 8:3 a.m.•4 views

Matrix Synapse Authorization Error

In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.powerlevels event in force...

7.5CVSS7.1AI score0.01824EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2026/07/04 2:16 p.m.•4 views

PYSEC-2026-2150

In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shortencodenode on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in...

9.8CVSS6.1AI score0.00321EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2026/07/04 2:16 p.m.•3 views

PYSEC-2026-2149

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules posixsubprocess, site, and atexit in the UNSAFEIMPORTS denylist fickle.py. Because these modules are absent from the denylist, fickling's checksafety function returns LIKELYSAFE with zero...

8.8CVSS6.1AI score0.00342EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2026/07/04 2:16 a.m.•4 views

PYSEC-2026-2085

In nltk/nltk versions 3.9.3 and earlier, five Stanford interface classes StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser are vulnerable to untrusted JAR code execution. These classes accept user-controllable JAR paths and execute...

10CVSS7.8AI score0.00809EPSS
Exploits4References1Affected Software1
PyPA
PyPA
•added 2026/07/04 2:16 a.m.•5 views

PYSEC-0000-CVE-2026-12252

In nltk/nltk versions 3.9.3 and earlier, five Stanford interface classes StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser are vulnerable to untrusted JAR code execution. These classes accept user-controllable JAR paths and execute...

7.8CVSS7.7AI score0.00158EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

OpenStack Nova Filter Scheduler Bypass

In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 16.x through 16.0.2, by rebuilding an instance, an authenticated user may be able to circumvent the Filter Scheduler bypassing imposed filters for example, the ImagePropertiesFilter or the IsolatedHostsFilter. All setups using Nova Filter...

6.5CVSS6.5AI score0.0141EPSS
Exploits0References15Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

Openstack tripleo-heat-templates unauthenticated file access

A resource-permission flaw was found in the tripleo-heat-templates package where ceph.client.openstack.keyring is created as world-readable. A local attacker with access to the key could read or modify data on Ceph cluster pools for OpenStack as though the attacker were the OpenStack service, thu...

6.3CVSS6.6AI score0.00285EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

Openstack Aodh can be used to launder Keystone trusts

Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust ID...

7.5CVSS6.8AI score0.02136EPSS
Exploits0References13Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

Kallithea Routes CSRF Bypass

Routes in Kallithea before 0.3.2 allows remote attackers to bypass the CSRF protection by using the GET HTTP request method...

8.8CVSS7.2AI score0.00587EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

MySQL Connectors Privilege Escalation

Vulnerability in the MySQL Connectors component of Oracle MySQL subcomponent: Connector/Python. Supported versions that are affected are 2.1.5 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to...

3.3CVSS6.3AI score0.00406EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

Matrix Synapse Security Filtering Flaw

The ongetmissingevents function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the getmissingevents federation API where event visibility rules were not applied correctly...

7.5CVSS7.1AI score0.01805EPSS
Exploits0References7Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

OpenStack Nova Denial of service attack on the compute host

An issue was discovered in OpenStack Nova 15.x through 15.1.0 and 16.x through 16.1.1. By detaching and reattaching an encrypted volume, an attacker may access the underlying raw volume and corrupt the LUKS header, resulting in a denial of service attack on the compute host. The same code error...

7.8CVSS6.9AI score0.03755EPSS
Exploits1References15Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

OpenStack Nova DoS by rebuilding the same instance with a new image multiple times

An issue was discovered in the default FilterScheduler in OpenStack Nova 16.0.3. By repeatedly rebuilding an instance with new images, an authenticated user may consume untracked resources on a hypervisor host leading to a denial of service, aka doubled resource allocations. This regression was...

8.6CVSS6.6AI score0.01973EPSS
Exploits0References11Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

Cobbler Arbitrary File Read

A flaw was found in cobbler software component version 2.6.11-1. It suffers from an invalid parameter validation vulnerability, leading the arbitrary file reading. The flaw is triggered by navigating to a vulnerable URL via cobbler-web on a default installation...

6.1CVSS6.8AI score0.00799EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

OpenEXR invalid write

In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function in ImfOptimizedPixelReading.h could cause the application to crash or execute arbitrary code...

8.8CVSS7.3AI score0.03166EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•5 views

OpenStack Identity Keystone Improper Privilege Management

OpenStack Identity Keystone before 2014.1.1 does not properly handle when a role is assigned to a group that has the same ID as a user, which allows remote authenticated users to gain privileges that are assigned to a group with the same ID...

6.5CVSS7.1AI score0.01386EPSS
Exploits1References10Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

OpenStack Dashboard (Horizon) Cross-site scripting (XSS) vulnerability in the Host Aggregates interface

Cross-site scripting XSS vulnerability in the Host Aggregates interface in OpenStack Dashboard Horizon before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name...

3.5CVSS6.1AI score0.02053EPSS
Exploits1References20Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•3 views

OpenStack Horizon Cross-site scripting (XSS) vulnerability

Cross-site scripting XSS vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard Horizon before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a networ...

3.5CVSS6.1AI score0.01917EPSS
Exploits1References17Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

OpenStack Identity Keystone Exposure of Sensitive Information

The catalog url replacement in OpenStack Identity Keystone before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$admintoken" in the publicurl endpoint field...

4CVSS6AI score0.02109EPSS
Exploits1References16Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

Horizon-Orchestration Cross-site scripting (XSS) vulnerability through resource name

Cross-site scripting XSS vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard Horizon before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject...

4.3CVSS6.1AI score0.01689EPSS
Exploits0References14Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

OpenStack Keystone Logs Passwords

OpenStack Identity Keystone before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backendargument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs...

4CVSS6AI score0.02877EPSS
Exploits0References8Affected Software1
PyPA
PyPA
•added 2026/07/02 2:13 p.m.•4 views

OpenEXR invalid read

In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ImfHuf.cpp could cause the application to crash...

6.5CVSS6.8AI score0.01851EPSS
Exploits0References10Affected Software1
Total number of security vulnerabilities7044