Lucene search
K

7035 matches found

PyPA
PyPA
added yesterday3 views

hermes-agent has an Injection issue

A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.23. Impacted is an unknown function of the file agent/skillsguard.py of the component Skills Guard Multi-Word Prompt Handler. The manipulation of the argument THREATPATTERNS leads to injection. Remote exploitatio...

7.5CVSS6.5AI score0.00305EPSS
Exploits0References10Affected Software1
PyPA
PyPA
added yesterday4 views

Apache Fory PyFory Deserialization of Untrusted Data

Fory PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies o...

9.8CVSS6.1AI score0.00574EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday5 views

Crawlee for Python: SSRF via sitemap-derived URLs

Overview- Vulnerability type: Blind SSRF- Affected components: src/crawlee/utils/sitemap.py, src/crawlee/utils/robots.py, src/crawlee/requestloaders/sitemaprequestloader.py, and all built-in HTTP clients.- Trigger: an attacker-controlled sitemap or robots.txt containing a URL that points to an...

2.3CVSS6.5AI score0.00286EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday2 views

LiteLLM allows an authenticated internal_user to create API keys with access to routes that their role does not permit

LiteLLM prior to 1.83.14 allows an authenticated internaluser to create API keys with access to routes that their role does not permit. When generating a key, the allowedroutes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with...

8.8CVSS7.1AI score0.00739EPSS
Exploits3References12Affected Software1
PyPA
PyPA
added yesterday4 views

Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler

SummaryAmazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. An issue exists where, under certain circumstances, the Triton inference handler deserializes model artifacts without performing integrity verification, allowing...

7.2CVSS6.6AI score0.0039EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday4 views

FlaskBB: SSRF in get_image_info() via unrestricted avatar URL

SummaryA Server-Side Request Forgery SSRF vulnerability in getimageinfo allows any authenticated user to force the server to send HTTP requests to arbitrary internal endpoints, including cloud metadata services e.g., AWS 169.254.169.254. This is a blind SSRF with confirmed internal port scanning...

6.5CVSS6.2AI score0.00032EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday5 views

pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API

SummaryThe SSRF mitigation added in commit 33c55da for GHSA-7gvf-3w72-p2pg is incomplete. The PREREQFUNCTION-based private IP check was correctly applied to HTTPChunk download path but not to HTTPRequest used by the parseurls API. An authenticated attacker can supply a URL pointing to an...

5CVSS6.2AI score0.00176EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out

📋 Reframing 2026-05-02: implicit unsafe remote-code path, not "supply-chain" The accurate description of this vulnerability is: "getmodelarch and related helpers hardcode trustremotecode=True with no opt-out, creating an implicit unsafe remote-code load path on every model fetch." What this repor...

7.8CVSS6.6AI score0.00148EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path

SummaryAmazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. An issue exists where, under certain circumstances, the ModelBuilder/Serve component stores an HMAC signing key in cleartext as a container environment variable,...

8.5CVSS6.4AI score0.00439EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday3 views

LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization

Summarylmdeploy hardcodes trustremotecode=True in multiple HuggingFace model-loading call sites.The affected code paths are in:textlmdeploy/archs.pylmdeploy/utils.pyThe vulnerable call sites pass trustremotecode=True into HuggingFace Transformers APIs such as AutoConfig.frompretrained,...

7.8CVSS6.6AI score0.00142EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday3 views

Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path

Summarypymdownx.snippets has a regression of the CVE-2023-32309 / GHSA-jh85-wwv9-24hv fix. With restrictbasepath: True the default, the current filename.startswithbase containment check does not enforce a directory boundary. As a result, a markdown snippet directive can read files from sibling...

4.3CVSS6AI score0.0003EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday3 views

MLflow authenticated users can enumerate any registered model versions due to lack of per-model permissions checks

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registere...

6.5CVSS6.6AI score0.00441EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday2 views

Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing

SummaryThe fileID field from Manifest.db a SQLite database inside iOS backups, generated by the device is used directly in filesystem path construction without validation. This affects two commands through a shared code path:- mvt-ios decrypt-backup decrypt.py: fileid is used to construct both re...

5.3CVSS6.5AI score0.00376EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday3 views

MLFlow Creates a Temporary File With Insecure Permissions

In mlflow/mlflow versions prior to 3.11.0, the getorcreatenfstmpdir function in mlflow/utils/fileutils.py creates temporary directories with world-writable permissions 0o777, and the createmodeldownloadingtmpdir function in mlflow/pyfunc/init.py creates directories with group-writable permissions...

7.8CVSS7.3AI score0.00193EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday2 views

NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes

SummaryTwo FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log ...

5.3CVSS6.2AI score0.00343EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday3 views

Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS

HTTP transports expose unauthenticated PowerShell control with wildcard CORSThere is an issue in the SSE and Streamable HTTP transport modes. The default stdio mode is not affected, but the documented HTTP modes expose the MCP control plane without authentication and add wildcard CORS handling...

9.3CVSS6.3AI score0.00397EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday3 views

ModelScope is vulnerable to arbitrary code injection via a crafted module

An issue was discovered in ModelScope 1.25.0 allowing attackers to execute arbitrary code via crafted module listed in the configuration file deymini.yaml under the key 'nnet''module'...

8.1CVSS6.3AI score0.00529EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday5 views

Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command-Line Arguments

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via Task SDK and potentially allow to modify state of...

8.7CVSS6.1AI score0.00156EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday5 views

Diffusers: TOCTOU Trust Remote Code Bypass

BackgroundThis vulnerability is found in the diffusers package - the transformers-equivalent library for diffusion models.It is found in the DiffusionPipeline.frompretrained flow, which is used to load a pipeline from the HuggingFace Hub.This function has a trustremotecode guard: if the...

7.5CVSS6.5AI score0.00048EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion

The cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal...

8.8CVSS6.2AI score0.00475EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

python-utcp: Full Process Environment Exposed to CLI Subprocess - Secrets Leakage via Command Injection

Summaryprepareenvironment in clicommunicationprotocol.py passes a full copy of os.environ to every CLI subprocess. When combined with the Command Injection vulnerability CWE-78 in substituteutcpargs tracked as GHSA-33p6-5jxp-p3x4, an attacker can exfiltrate all process-level secrets in a single...

7.7CVSS6.1AI score0.00223EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree

SummaryTwo primitive integrators in apm-cli enumerate package files with bare Path.glob / Path.rglob calls and read each match with Path.readtext, transparently following symbolic links.A symlink committed inside a remote APM dependency under .apm/prompts/.prompt.md or .apm/agents/.agent.md is...

7.4CVSS6.2AI score0.00654EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday2 views

Weblate: Stored HTML injection in editor search preview

ImpactWeblate's live search preview renders unit source and context as HTML without escaping. Any contributor whose content reaches those fields stores HTML and CSS that runs inside the authenticated editor of every user who runs a matching search. Patches...

4.6CVSS6.1AI score0.00208EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday4 views

NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text()

Summaryui.restructuredtext renders reStructuredText server-side with Docutils without disabling file insertion directives.When a NiceGUI application passes attacker-controlled content to ui.restructuredtext, an attacker can use standard Docutils directives include, csv-table with :file:, raw with...

7.5CVSS6.2AI score0.00255EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

AstrBot: File upload vulnerability in the function post_file of the file astrbot/dashboard/routes/chat.py

A vulnerability was detected in AstrBotDevs AstrBot up to 4.23.5. Impacted is the function postfile of the file astrbot/dashboard/routes/chat.py of the component File Upload Handler. The manipulation of the argument filename results in path traversal. It is possible to launch the attack remotely...

6.5CVSS6.2AI score0.00358EPSS
Exploits0References10Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts

SummaryThe LDAP and OAuth authentication flows use a TOCTOU Time-of-Check-Time-of-Use pattern for first-user admin role assignment. The regular signup handler signuphandler in auths.py, line 663 was explicitly patched to prevent this race with the comment "Insert with default role first to avoid...

8.1CVSS7AI score0.00354EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed

SummaryThe /api/v1/utils/code/execute endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set ENABLECODEEXECUTION=false. The feature gate is not enforced on the API endpoint — the configuration says "disabled" but code still executes. DetailsThe admi...

8.8CVSS7.5AI score0.00406EPSS
Exploits2References7Affected Software1
PyPA
PyPA
added yesterday4 views

Pipecat: Path Traversal in Pipecat Runner `/files` Endpoint — Arbitrary File Read via `%2F`-Encoded Separator

SummaryA path traversal vulnerability exists in Pipecat's development runner src/pipecat/runner/run.py. When the runner is started with the --folder flag, it exposes a GET /files/filename:path download endpoint. The filename path parameter is concatenated directly onto args.folder with no...

7.5CVSS7AI score0.00423EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added yesterday4 views

Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`

SummaryMicrosoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a local .tar.gz that is not recognized as a plugin-format bundle, APM probes whether it is a...

5.5CVSS6.3AI score0.0061EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI: Mass Assignment via FeedbackForm extra=allow Allows Feedback User ID Spoofing and Evaluation Data Manipulation

Mass Assignment in Feedback Creation Allows User ID Spoofing and Evaluation Data Manipulation SummaryThe POST /api/v1/evaluations/feedback endpoint in Open WebUI v0.9.2 is vulnerable to mass assignment via FeedbackForm, which uses modelconfig = ConfigDictextra='allow'. Due to an insecure dictiona...

5.4CVSS6.3AI score0.00307EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls

IDOR: Retrieval API Bypasses Knowledge Base Access ControlsAuthor: Andrew Orr Summaryvalidatecollectionaccess PR 22109 checks the user-memory- and file- collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who know...

7.5CVSS6.9AI score0.00331EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday5 views

Open WebUI has an Indirect Object Reference (IDOR) in user notes

SummaryThe API /api/v1/notes/noteid endpoint lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating UUIDs. This results in unauthorized disclosure of potentially sensitive or private user data. Details- if notes is...

6.5CVSS6.7AI score0.00277EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption

SummaryAny authenticated user with low privileges can enumerate active background tasks across the system and stop tasks belonging to other users via the GET /api/tasks and POST /api/tasks/stop/taskid methods. This allows a casual user to disrupt system-wide chat usage by continuously canceling...

7.1CVSS7AI score0.0027EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added yesterday5 views

Open WebUI Exposes System Prompt to Regular User [Non-Admin]

SummaryA regular user non-admin can view the system prompt of the model which is set by an admin. DetailsWhen a regular user non-admin logs into the application, a http://IP:8080/api/models? web request is initiated by the application and in response, it reveals the system prompt of available...

6.5CVSS6.6AI score0.00281EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure

Vulnerability Type: Information Disclosure / Missing Authentication Severity: Medium Component: backend/openwebui/routers/retrieval.py — getstatus GET / Affected Endpoint: GET /api/v1/retrieval/ Affected Version: Open WebUI main branch — confirmed unpatched through v0.9.2 Authentication Required:...

5.3CVSS6.2AI score0.0072EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI: Authenticated users can bypass model access control via exposed query parameter [AI-ASSISTED]

SummaryAn internal-only bypassfilter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated user to append ?bypassfilter=true and bypass model access control checks to invoke admin-restricted models...

5.4CVSS6.3AI score0.00193EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI: shared-chat branch ignores access_type, allowing unauthorized file deletion

SummaryAny authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/id when the target file is referenced in any shared chat. The hasaccesstofile authorization gate unconditionally grants access through its shared-chat branch. It checks neither the requesting...

8CVSS6.9AI score0.0027EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI has a Server-Side Request Forgery (SSRF) bypass in `validate_url`

SummaryIn the open-webui project, a parsing difference between the urlparse and requests libraries led to an SSRF bypass vulnerability. DetailsIn the current project, URL validation is performed using the function validateurl.The current checking logic uses urlparse to parse the hostname part of...

8.5CVSS7.1AI score0.00292EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI has a SSRF Bypass via HTTP Redirect Following in Web-Fetch and Image-Load Endpoints (not addressed by CVE-2025-65958)

Server-Side Request Forgery SSRF Bypass via HTTP Redirect Following in Web-Fetch, Image-Load, and Chat-Completion Endpoints SummaryThe validateurl function in backend/openwebui/retrieval/web/utils.py only validates the initial URL submitted by the caller. The HTTP clients used downstream sync...

8.5CVSS7AI score0.003EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday2 views

Open WebUI: Unauthenticated endpoint can trigger embedding generation (cost/DoS)

SummaryGET /api/v1/memories/ef is accessible without authentication and executes request.app.state.EMBEDDINGFUNCTION.... This allows any unauthenticated caller to trigger embedding generation which can lead to direct cost exposure if a paid provider is used.Code reference:...

6.5CVSS6.7AI score0.00341EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI has an IDOR vulnerability in the pin_channel_message API endpoint

SummaryPin/Unpin is a write operation modifies the message's ispinned , pinnedby, pinnedat fields, but in standard channels it only checks read permission, allowing users with read-only access to pin/unpin any message...

4.3CVSS6.1AI score0.00204EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI has an IDOR vulnerability in the update_message_by_id API endpoint

SummaryAn IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members including administrators within the same channel. This vulnerability affects the latest version v0.8.12 of Open WebUI. DetailsIn the updatemessagebyid...

4.3CVSS5.8AI score0.00204EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints

Cross-User File Access via Unchecked fileid in Folder Knowledge and Knowledge-Base Attach Endpoints SummaryMultiple endpoints accept a user-supplied fileid and attach the referenced file to a resource the caller controls folder knowledge, knowledge-base contents without verifying that the caller...

8.1CVSS6.9AI score0.00346EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI: Sharing models for others to use (read permission) also exposes model details (system prompt leakage)

SummaryWhen setting model permissions so that a group has read access to it, intending for other users to use it, those users also can read the model's system prompt.However users may consider their system prompt confidential, so we consider this a security issue.Compare...

4.3CVSS6.1AI score0.0022EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI Vulnerable to SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py)

SummaryA Server-Side Request Forgery SSRF vulnerability exists in processpictureurl in backend/openwebui/utils/oauth.py line 1338. The function fetches arbitrary URLs from OAuth picture claims without applying validateurl, allowing an attacker to force the server to make HTTP requests to internal...

7.7CVSS6.4AI score0.00381EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation

SummaryAn application-wide Cross-Site Request Forgery CSRFvulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerabilit...

4.6CVSS6.1AI score0.00165EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday6 views

Open WebUI vulnerable to blind server side request forgery (SSRF) via the PDF generate function

SummaryBlind server side request forgery SSRF via the PDF generate function. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open...

5.4CVSS6.3AI score0.00186EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI has Broken Access Control for Completions API

SummaryAny user X can continue the conversation of any other user Y, as long as the Chat ID of Y is known. User X does not even need to be an admin to do so. DetailsA user just needs to use the API endpoint: /api/chat/completions with their own API key generated in OWUI and the Chat ID of another...

7.1CVSS7AI score0.00231EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday2 views

Open WebUI's chat completion API allows tool restrictions to be bypassed

SummaryOpen WebUI v0.6.43 contains a vulnerability in its chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access. DetailsIn the chatcompletion API, the parameters toolids and toolservers are supplied by the user. These paramete...

7.1CVSS6.9AI score0.0026EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday2 views

Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access)

SummaryThe POST /api/v1/notes/id/pin endpoint performs a write operation toggling the ispinned field but only checks for read permission. Users with read-only access to a shared note can pin/unpin it, which is a state-modifying action that should require write permission. All other write endpoint...

3.5CVSS6.1AI score0.00218EPSS
Exploits1References6Affected Software1
Total number of security vulnerabilities7035