Lucene search
K

7035 matches found

PyPA
PyPA
added yesterday7 views

Open WebUI vulnerable to blind server side request forgery (SSRF) via the PDF generate function

SummaryBlind server side request forgery SSRF via the PDF generate function. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Open...

5.4CVSS6.3AI score0.00186EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday5 views

Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF) via Image URL Manipulation

SummaryAn application-wide Cross-Site Request Forgery CSRFvulnerability was found Open-WebUl's image uploading functionality. An attacker can set an image URL to a malicious endpoint, allowing them to perform actions on behalf of a victim user. Any authenticated user can exploit this vulnerabilit...

4.6CVSS6.1AI score0.00165EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI has Broken Access Control for Completions API

SummaryAny user X can continue the conversation of any other user Y, as long as the Chat ID of Y is known. User X does not even need to be an admin to do so. DetailsA user just needs to use the API endpoint: /api/chat/completions with their own API key generated in OWUI and the Chat ID of another...

7.1CVSS7AI score0.00231EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI's chat completion API allows tool restrictions to be bypassed

SummaryOpen WebUI v0.6.43 contains a vulnerability in its chat completion API, which allows attackers to bypass tool restrictions, potentially enabling unauthorized actions or access. DetailsIn the chatcompletion API, the parameters toolids and toolservers are supplied by the user. These paramete...

7.1CVSS6.9AI score0.0026EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday5 views

Open WebUI Vulnerable to SSRF via OAuth Profile Picture URL in _process_picture_url (oauth.py)

SummaryA Server-Side Request Forgery SSRF vulnerability exists in processpictureurl in backend/openwebui/utils/oauth.py line 1338. The function fetches arbitrary URLs from OAuth picture claims without applying validateurl, allowing an attacker to force the server to make HTTP requests to internal...

7.7CVSS6.4AI score0.00381EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access)

SummaryThe POST /api/v1/notes/id/pin endpoint performs a write operation toggling the ispinned field but only checks for read permission. Users with read-only access to a shared note can pin/unpin it, which is a state-modifying action that should require write permission. All other write endpoint...

3.5CVSS6.1AI score0.00218EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API

Summary Any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own.The RoutinePermission class grants read access to any authenticated user when a routine has...

7.5CVSS6.1AI score0.00051EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday2 views

pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad

SummaryThe fix for CVE-2026-33509 prevents setting storagefolder inside PKGDIR or userdir, but does NOT protect the Flask session directory /tmp/pyLoad/flask. An authenticated attacker can set storagefolder to the session directory and download session files of other users via /files/get/, leadin...

8.8CVSS6.1AI score0.00529EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday3 views

dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summaryrundbtcommand in src/dbtmcp/dbtcli/tools.py constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters without sanitization. Two independent...

6.3CVSS6.3AI score0.00018EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

pyzipper has an encryption bypass for small files encrypted using it

ImpactA Python operator precedence bug in pyzipper/zipfileaes.py caused the AE-2 format to never be automatically selected during encryption, regardless of file size or compression type. As a result, all encrypted entries are written in AE-1 format unless AE-2 is explicitly forced by the caller...

6.2CVSS6.1AI score0.00009EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI has stored XSS via the HTML renedering view

SummaryThrough the HTML rendering view, scripts can be injected and executed. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Ope...

7.7CVSS7AI score0.00217EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override

Summaryfides.js is the script that renders Fides's consent banner on customer websites. It lets the embedding page override the banner's description text at runtime via a URL query parameter, a JavaScript global, or a cookie. On sites that have opted into HTML-formatted descriptions, the overridd...

7CVSS6.3AI score0.00297EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file

SummaryA missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. DetailsAll files/ related endpoints lack permission checks. Listing all filesFor example, let's see how file listing is...

8.1CVSS7AI score0.00273EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

wger: Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager

SummaryA gym trainer can escalate their session to any higher-privileged account gym manager, general manager by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identityis set and this flag alone...

8.1CVSS6.2AI score0.00026EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

OpenStack Ironic: Pre-Validation Checksum Calculation allows Denial of Service (DoS) via Infinite Block Devices

In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL...

6.5CVSS6.1AI score0.00466EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI has Stored Cross-Site Scripting In Profile Picture

SummaryThe profileimageurl field on the user profile update form accepted arbitrary data: URI values without MIME-type validation. Two distinct attack paths were independently demonstrated by separate reporters:1. data:text/html;base64,... in a new browser tab raresvis, 2025-04-17 — when a victim...

5.4CVSS6.3AI score0.00199EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday5 views

dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. SummaryDbtMCP.calltool in src/dbtmcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation line 67 and again at ERROR level if the call...

2.5CVSS6.2AI score0.00012EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

dbt MCP Server Transmits All MCP Tool Arguments Including Raw SQL and --vars Credentials to dbt Labs Telemetry by Default Without Redaction

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. SummaryDefaultUsageTracker.emittoolcalledevent in src/dbtmcp/tracking/tracking.py serializes the complete arguments dictionary of every MCP tool call and transmits it verbatim to...

3.1CVSS6.2AI score0.00042EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday3 views

Snorkel MultitaskClassifier.load uses an unsafe torch.load

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability CWE-502 in the MultitaskClassifier.load method of the MultitaskClassifier class. The method loads model weight files using torch.load without enabling the security-restrictive weightsonly=True parameter. This...

8.8CVSS6.5AI score0.00392EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday5 views

mem0 server lacks authentication and authorization controls for its memory creation API endpoint

The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint POST /memories. The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending...

5.3CVSS6.2AI score0.00335EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

mem0 server lacks authentication and authorization controls for its memory management API endpoints

The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records PUT /memories/memoryid are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit...

7.5CVSS6.2AI score0.00372EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday6 views

LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

DescriptionThe LangSmith SDK's prompt pull methods pullprompt / pullpromptcommit in Python, pullPrompt / pullPromptCommit in JS/TS fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime...

7.1CVSS6AI score0.00199EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

DescriptionThe LangSmith SDK's prompt pull methods pullprompt / pullpromptcommit in Python, pullPrompt / pullPromptCommit in JS/TS fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime...

7.1CVSS6AI score0.00199EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

mem0 server lacks authentication and authorization controls for its memory deletion API endpoint

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers e.g., userid, runid, agentid in the request query parameters. A...

6.5CVSS6.2AI score0.00386EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

DescriptionThe LangSmith SDK's prompt pull methods pullprompt / pullpromptcommit in Python, pullPrompt / pullPromptCommit in JS/TS fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime...

7.1CVSS6AI score0.00199EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

Snorkel BaseLabeler.load uses an unsafe pickle.load

The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability CWE-502 in the BaseLabeler.load method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load function on user-supplied file paths without any validation or...

8.8CVSS6.6AI score0.00392EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

Superduper: Remote code execution via unsafe eval in superduper query parsing

The superduper project thru v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The parseoppart function in query.py uses the unsafe eval function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Although...

8.8CVSS6.6AI score0.00405EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

pgAdmin 4 has deserialization of untrusted data in its FileBackedSessionManager

Deserialization of untrusted data CWE-502 in pgAdmin 4 FileBackedSessionManager.The session manager performed unsafe deserialization of session-file contents using Python's standard object-serialization module before performing any HMAC integrity check. Any file dropped into the sessions director...

7.8CVSS7.4AI score0.00131EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

pgAdmin 4 File Manager has symbolic-link path traversal

Symbolic-link path traversal CWE-61, CWE-22 in pgAdmin 4 File Manager.checkaccesspermission used os.path.abspath, which resolves '..' but does not resolve symbolic links, while the subsequent kernel write follows symlinks. An authenticated user could plant a symbolic link inside their own storage...

8.1CVSS7AI score0.00359EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday5 views

Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks

Docling's METS GBS backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions XML Bo...

7.5CVSS6AI score0.00278EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

SQL injection vulnerability in pgAdmin 4 Maintenance Tool

SQL injection vulnerability in pgAdmin 4 Maintenance Tool.Four user-supplied JSON fields bufferusagelimit, vacuumparallel, vacuumindexcleanup, reindextablespace were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the...

8.8CVSS7.3AI score0.00456EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday3 views

MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem

A vulnerability in the createmodelversion handler of mlflow/server/handlers.py in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a CreateModelVersion request includes the tag...

7.5CVSS7.1AI score0.00712EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday3 views

pgAdmin 4: Improper restriction of excessive authentication attempts

Improper restriction of excessive authentication attempts CWE-307 in pgAdmin 4.pgAdmin enforces MAXLOGINATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.initapp and is reachable on every server, never...

6.9CVSS6.7AI score0.00211EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday5 views

aiwaves-cn agents is vulnerable to resource consumption in the recall_relevant_memories_to_working_memory function

A weakness has been identified in aiwaves-cn agents up to e8c4e3c2d19739d3dff59e577d1c97090cc15f59. Affected by this issue is the function recallrelevantmemoriestoworkingmemory of the file core/cat/lookingglass/straycat.py of the component cheshirecatcore. This manipulation causes resource...

6.9CVSS5.9AI score0.0038EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday5 views

Snorkel Trainer.load uses an unsafe torch.load

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability CWE-502 in the Trainer.load method of the Trainer class. The method loads model checkpoint files using torch.load without enabling the security-restrictive weightsonly=True parameter. This default behavior allows...

8.8CVSS6.5AI score0.00392EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

PyTorch Lightning load_from_checkpoint has an insecure checkpoint deserialization

PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability CWE-502 in the checkpoint loading mechanism. The LightningModule.loadfromcheckpoint method, which is commonly used to load saved model states, internally calls torch.load without setting the...

8.8CVSS6.5AI score0.00385EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

local-deep-research is Vulnerable to HTML Injection via Unescaped User Input in PDF Export (`pdf_service.py:_markdown_to_html`)

SummaryPDFService.markdowntohtml constructs an HTML document by interpolating user-controlled values — specifically title sourced from research.title or research.query and metadata key-value pairs — directly into an f-string without any HTML escaping. An authenticated attacker can craft a researc...

5CVSS6.2AI score0.00263EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added yesterday6 views

flash-attention contains an insecure deserialization vulnerability in its checkpoint loading mechanism

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains an insecure deserialization vulnerability CWE-502 in its checkpoint loading mechanism. The loadcheckpoint function in checkpoint.py and the checkpoint loading code in eval.py use...

7.3CVSS6.3AI score0.00218EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

pgAdmin 4: OS command injection vulnerability in Import/Export query export

OS command injection CWE-78 vulnerability in pgAdmin 4 Import/Export query export.User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject " TO PROGRAM 'cmd'" to break out of the \copy ... context and achieve...

8.8CVSS7.2AI score0.01444EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

pgAdmin 4: Stored cross-site scripting (XSS) vulnerability in Browser Tree and Explain Visualizer modules

Stored cross-site scripting XSS vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules.User-controlled PostgreSQL object names database, schema, table, column, etc. were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML markup to execute...

4.8CVSS6.2AI score0.00163EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday2 views

Keylime has a hardcoded attestation challenge nonce that allows replay attacks

CVE-2026-6420: Hardcoded attestation challenge nonce allows replay attacks ImpactThe CertificationParameters.generatechallenge method in the push attestation protocol uses a hardcoded challenge nonce instead of generating a cryptographically random value. This removes the nonce-based replay...

6.3CVSS6.1AI score0.00121EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

LiteLLM has a sandbox escape in custom-code guardrail

ImpactThe POST /guardrails/testcustomcode endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image.Reaching the endpoint...

8.8CVSS6.7AI score0.06496EPSS
Exploits2References7Affected Software1
PyPA
PyPA
added yesterday3 views

GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content

SummaryGuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject ANSI or OSC escape sequences into analyst terminals or CI logs...

5CVSS6.1AI score0.00113EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday6 views

GuardDog has a blind GitHub URL rewrite in remote project scanning causes SSRF and `GH_TOKEN` exfiltration

SummaryThe programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and...

8.2CVSS6.2AI score0.00198EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

pgAdmin 4 contains local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities

Local file inclusion LFI and server-side request forgery SSRF vulnerabilities in pgAdmin 4 LLM API configuration endpoints.User-supplied apikeyfile and apiurl preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by...

7.1CVSS6.2AI score0.00217EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday5 views

GPT-Pilot contains a command injection vulnerability in the Executor.run() method

GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 2025-09-03 contains a command injection vulnerability CWE-78 in the Executor.run method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper...

6.5CVSS6.6AI score0.00704EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

Docling's JATS XML backend is vulnerable to XML Entity Expansion (XXE) attacks

Docling's JATS XML backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend uses etree.parse to parse XML files without disabling entity resolution. An attacker can craft a malicious XML file containing a nested entity expansion payload XML Bomb. When processed by Doclin...

7.5CVSS6AI score0.00351EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

eml_parser has recursion DoS via nested message/rfc822 attachments

SummaryEmlParser.getrawbodytext recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the messag...

6.3CVSS6.2AI score0.00395EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists

LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load with allowedobjects="all". This does not enable arbitrary Python object deserialization, but it does allow...

8.2CVSS6.3AI score0.00406EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI Arbitrary File Write, Delete via Path Traversal

CONFIDENTIAL Vulnerability Disclosure Analysis Documentation-----------------------------------------------Vulnerability Details---------------------1. Discoverer: Taylor Pennington of KoreLogic, Inc.2. Date Submitted: June 11, 20243. Title: Open WebUI Arbitrary File Write, Delete via Path...

8.1CVSS6.1AI score0.00454EPSS
Exploits1References5Affected Software1
Total number of security vulnerabilities7035