Lucene search
K

7035 matches found

PyPA
PyPA
added yesterday3 views

pyLoad is vulnerable to stored XSS in Downloads view via unsanitized link URL in packages.js template literal

SummaryThe packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $div.htmlhtml. No escaping runs between the API value and innerHTML. An...

8.7CVSS6.2AI score0.00199EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday2 views

Open WebUI has stored XSS via attacker-controlled file extension in /api/v1/audio/transcriptions

Summary The audio transcription upload endpoint takes the file extension from the user-supplied filename and saves the file under CACHEDIR/audio/transcriptions/.. The /cache/path route serves these files via FileResponse, which sets Content-Type from the on-disk extension and emits no...

8.7CVSS7.3AI score0.0018EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI missing authorization check at the model update function - models from other users can be updated

SummaryA user can modify another user's model even if its visibility is set to Private.The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Test...

6.5CVSS6.7AI score0.00226EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI has a full SSRF Vulnerability in the RAG Web Search Feature

SSRF Bypass via IPv6/IPv4-mapped IPv6/IPv4-reserved-ranges in validateurl Summaryvalidateurl in backend/openwebui/retrieval/web/utils.py calls validators.ipv6ip, private=True, but the validators library does NOT implement the private keyword for IPv6 — the call raises a ValidationError which is...

8.5CVSS7AI score0.00286EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI has stored XSS via unsanitized Office/Excel/DOCX file preview rendering ({@html} without DOMPurify)

Related advisoryThis advisory tracks a regression of the original Excel-preview XSS that was publicly disclosed and patched under GHSA-jwf8-pv5p-vhmc patched in v0.8.0. The same root cause — XLSX.utils.sheettohtml output rendered via @html excelHtml without DOMPurify — was reintroduced sometime...

5.4CVSS6.2AI score0.00209EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI has XSS via SVG in /api/v1/channels/webhooks/{webhook_id}/profile/image

As part of our research on improving our AI pentest, we have uncovered the following issue in Open WebUI. We've manually verified and tided up the report, but you can also find the original agent finding at the bottom of this report. SummaryThe channel webhook create/update flow accepts arbitrary...

7.4CVSS6.6AI score0.00212EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday4 views

wger Vulnerable to IDOR: Authenticated Users Can Read Any User's Private Workout Session Data via Template Routine API

Summary Any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own.The RoutinePermission class grants read access to any authenticated user when a routine has...

7.5CVSS6.1AI score0.00051EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday2 views

pyLoad Has Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory in pyLoad

SummaryThe fix for CVE-2026-33509 prevents setting storagefolder inside PKGDIR or userdir, but does NOT protect the Flask session directory /tmp/pyLoad/flask. An authenticated attacker can set storagefolder to the session directory and download session files of other users via /files/get/, leadin...

8.8CVSS6.1AI score0.00529EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday3 views

dbt MCP Server has an Argument Injection in dbt CLI Tool Wrappers via node_selection and resource_type Parameters

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summaryrundbtcommand in src/dbtmcp/dbtcli/tools.py constructs the dbt subprocess argument list by appending user-supplied MCP tool parameters without sanitization. Two independent...

6.3CVSS6.3AI score0.00018EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

pyzipper has an encryption bypass for small files encrypted using it

ImpactA Python operator precedence bug in pyzipper/zipfileaes.py caused the AE-2 format to never be automatically selected during encryption, regardless of file size or compression type. As a result, all encrypted entries are written in AE-1 format unless AE-2 is explicitly forced by the caller...

6.2CVSS6.1AI score0.00009EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI has stored XSS via the HTML renedering view

SummaryThrough the HTML rendering view, scripts can be injected and executed. The finding resulted from a penetration test for a customer. It is suspected that the root cause of the issue lies within the core of Open WebUI, which is why it is being reported as a security issue here. Tested on Ope...

7.7CVSS7AI score0.00217EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override

Summaryfides.js is the script that renders Fides's consent banner on customer websites. It lets the embedding page override the banner's description text at runtime via a URL query parameter, a JavaScript global, or a cookie. On sites that have opted into HTML-formatted descriptions, the overridd...

7CVSS6.3AI score0.00297EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file

SummaryA missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. DetailsAll files/ related endpoints lack permission checks. Listing all filesFor example, let's see how file listing is...

8.1CVSS7AI score0.00273EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

wger: Privilege escalation via trainer-login session chaining allows gym trainer to impersonate gym manager

SummaryA gym trainer can escalate their session to any higher-privileged account gym manager, general manager by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a low-privileged user, the session flag trainer.identityis set and this flag alone...

8.1CVSS6.2AI score0.00026EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

OpenStack Ironic: Pre-Validation Checksum Calculation allows Denial of Service (DoS) via Infinite Block Devices

In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL...

6.5CVSS6.1AI score0.00466EPSS
Exploits1References7Affected Software1
PyPA
PyPA
added yesterday4 views

Open WebUI has Stored Cross-Site Scripting In Profile Picture

SummaryThe profileimageurl field on the user profile update form accepted arbitrary data: URI values without MIME-type validation. Two distinct attack paths were independently demonstrated by separate reporters:1. data:text/html;base64,... in a new browser tab raresvis, 2025-04-17 — when a victim...

5.4CVSS6.3AI score0.00199EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday5 views

dbt MCP Server Logs Tool Arguments Including SQL Queries and Credentials in Plaintext Without Redaction When File Logging Is Enabled

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. SummaryDbtMCP.calltool in src/dbtmcp/mcp/server.py logs the complete raw arguments dictionary at INFO level on every tool invocation line 67 and again at ERROR level if the call...

2.5CVSS6.2AI score0.00012EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

dbt MCP Server Transmits All MCP Tool Arguments Including Raw SQL and --vars Credentials to dbt Labs Telemetry by Default Without Redaction

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. SummaryDefaultUsageTracker.emittoolcalledevent in src/dbtmcp/tracking/tracking.py serializes the complete arguments dictionary of every MCP tool call and transmits it verbatim to...

3.1CVSS6.2AI score0.00042EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday3 views

Snorkel MultitaskClassifier.load uses an unsafe torch.load

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability CWE-502 in the MultitaskClassifier.load method of the MultitaskClassifier class. The method loads model weight files using torch.load without enabling the security-restrictive weightsonly=True parameter. This...

8.8CVSS6.5AI score0.00392EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday5 views

mem0 server lacks authentication and authorization controls for its memory creation API endpoint

The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint POST /memories. The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending...

5.3CVSS6.2AI score0.00335EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

mem0 server lacks authentication and authorization controls for its memory management API endpoints

The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records PUT /memories/memoryid are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit...

7.5CVSS6.2AI score0.00372EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday6 views

LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

DescriptionThe LangSmith SDK's prompt pull methods pullprompt / pullpromptcommit in Python, pullPrompt / pullPromptCommit in JS/TS fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime...

7.1CVSS6AI score0.00199EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

DescriptionThe LangSmith SDK's prompt pull methods pullprompt / pullpromptcommit in Python, pullPrompt / pullPromptCommit in JS/TS fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime...

7.1CVSS6AI score0.00199EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

mem0 server lacks authentication and authorization controls for its memory deletion API endpoint

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers e.g., userid, runid, agentid in the request query parameters. A...

6.5CVSS6.2AI score0.00386EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

DescriptionThe LangSmith SDK's prompt pull methods pullprompt / pullpromptcommit in Python, pullPrompt / pullPromptCommit in JS/TS fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configuration that affect runtime...

7.1CVSS6AI score0.00199EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

Snorkel BaseLabeler.load uses an unsafe pickle.load

The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability CWE-502 in the BaseLabeler.load method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load function on user-supplied file paths without any validation or...

8.8CVSS6.6AI score0.00392EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

Superduper: Remote code execution via unsafe eval in superduper query parsing

The superduper project thru v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The parseoppart function in query.py uses the unsafe eval function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Although...

8.8CVSS6.6AI score0.00405EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

pgAdmin 4 has deserialization of untrusted data in its FileBackedSessionManager

Deserialization of untrusted data CWE-502 in pgAdmin 4 FileBackedSessionManager.The session manager performed unsafe deserialization of session-file contents using Python's standard object-serialization module before performing any HMAC integrity check. Any file dropped into the sessions director...

7.8CVSS7.4AI score0.00131EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

pgAdmin 4 File Manager has symbolic-link path traversal

Symbolic-link path traversal CWE-61, CWE-22 in pgAdmin 4 File Manager.checkaccesspermission used os.path.abspath, which resolves '..' but does not resolve symbolic links, while the subsequent kernel write follows symlinks. An authenticated user could plant a symbolic link inside their own storage...

8.1CVSS7AI score0.00359EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday5 views

Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks

Docling's METS GBS backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions XML Bo...

7.5CVSS6AI score0.00278EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

SQL injection vulnerability in pgAdmin 4 Maintenance Tool

SQL injection vulnerability in pgAdmin 4 Maintenance Tool.Four user-supplied JSON fields bufferusagelimit, vacuumparallel, vacuumindexcleanup, reindextablespace were concatenated directly into the rendered VACUUM/ANALYZE/REINDEX command and passed to psql --command. An authenticated user with the...

8.8CVSS7.3AI score0.00456EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday3 views

MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem

A vulnerability in the createmodelversion handler of mlflow/server/handlers.py in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. The issue arises when a CreateModelVersion request includes the tag...

7.5CVSS7.1AI score0.00712EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday3 views

pgAdmin 4: Improper restriction of excessive authentication attempts

Improper restriction of excessive authentication attempts CWE-307 in pgAdmin 4.pgAdmin enforces MAXLOGINATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.initapp and is reachable on every server, never...

6.9CVSS6.7AI score0.00211EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday5 views

aiwaves-cn agents is vulnerable to resource consumption in the recall_relevant_memories_to_working_memory function

A weakness has been identified in aiwaves-cn agents up to e8c4e3c2d19739d3dff59e577d1c97090cc15f59. Affected by this issue is the function recallrelevantmemoriestoworkingmemory of the file core/cat/lookingglass/straycat.py of the component cheshirecatcore. This manipulation causes resource...

6.9CVSS5.9AI score0.0038EPSS
Exploits0References8Affected Software1
PyPA
PyPA
added yesterday5 views

Snorkel Trainer.load uses an unsafe torch.load

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability CWE-502 in the Trainer.load method of the Trainer class. The method loads model checkpoint files using torch.load without enabling the security-restrictive weightsonly=True parameter. This default behavior allows...

8.8CVSS6.5AI score0.00392EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

PyTorch Lightning load_from_checkpoint has an insecure checkpoint deserialization

PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability CWE-502 in the checkpoint loading mechanism. The LightningModule.loadfromcheckpoint method, which is commonly used to load saved model states, internally calls torch.load without setting the...

8.8CVSS6.5AI score0.00385EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added yesterday4 views

local-deep-research is Vulnerable to HTML Injection via Unescaped User Input in PDF Export (`pdf_service.py:_markdown_to_html`)

SummaryPDFService.markdowntohtml constructs an HTML document by interpolating user-controlled values — specifically title sourced from research.title or research.query and metadata key-value pairs — directly into an f-string without any HTML escaping. An authenticated attacker can craft a researc...

5CVSS6.2AI score0.00263EPSS
Exploits0References9Affected Software1
PyPA
PyPA
added yesterday6 views

flash-attention contains an insecure deserialization vulnerability in its checkpoint loading mechanism

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains an insecure deserialization vulnerability CWE-502 in its checkpoint loading mechanism. The loadcheckpoint function in checkpoint.py and the checkpoint loading code in eval.py use...

7.3CVSS6.3AI score0.00218EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

pgAdmin 4: OS command injection vulnerability in Import/Export query export

OS command injection CWE-78 vulnerability in pgAdmin 4 Import/Export query export.User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject " TO PROGRAM 'cmd'" to break out of the \copy ... context and achieve...

8.8CVSS7.2AI score0.01444EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday4 views

pgAdmin 4: Stored cross-site scripting (XSS) vulnerability in Browser Tree and Explain Visualizer modules

Stored cross-site scripting XSS vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules.User-controlled PostgreSQL object names database, schema, table, column, etc. were assigned to DOM elements via innerHTML, allowing crafted object names containing HTML markup to execute...

4.8CVSS6.2AI score0.00163EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added yesterday2 views

Keylime has a hardcoded attestation challenge nonce that allows replay attacks

CVE-2026-6420: Hardcoded attestation challenge nonce allows replay attacks ImpactThe CertificationParameters.generatechallenge method in the push attestation protocol uses a hardcoded challenge nonce instead of generating a cryptographically random value. This removes the nonce-based replay...

6.3CVSS6.1AI score0.00121EPSS
Exploits0References7Affected Software1
PyPA
PyPA
added yesterday4 views

LiteLLM has a sandbox escape in custom-code guardrail

ImpactThe POST /guardrails/testcustomcode endpoint runs user-supplied Python inside a hand-rolled sandbox. The sandbox can be escaped using bytecode-level techniques, allowing arbitrary code execution in the proxy process — which runs as root in the default Docker image.Reaching the endpoint...

8.8CVSS6.7AI score0.06496EPSS
Exploits2References7Affected Software1
PyPA
PyPA
added yesterday3 views

GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content

SummaryGuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject ANSI or OSC escape sequences into analyst terminals or CI logs...

5CVSS6.1AI score0.00113EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday6 views

GuardDog has a blind GitHub URL rewrite in remote project scanning causes SSRF and `GH_TOKEN` exfiltration

SummaryThe programmatic remote project scanning path rewrites attacker-controlled repository URLs using a blind string replacement and then sends the caller's GitHub credentials with the resulting request. This allows an attacker who can influence the scanned repository URL to trigger SSRF and...

8.2CVSS6.2AI score0.00198EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

pgAdmin 4 contains local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities

Local file inclusion LFI and server-side request forgery SSRF vulnerabilities in pgAdmin 4 LLM API configuration endpoints.User-supplied apikeyfile and apiurl preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by...

7.1CVSS6.2AI score0.00217EPSS
Exploits0References6Affected Software1
PyPA
PyPA
added yesterday5 views

GPT-Pilot contains a command injection vulnerability in the Executor.run() method

GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 2025-09-03 contains a command injection vulnerability CWE-78 in the Executor.run method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper...

6.5CVSS6.6AI score0.00704EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

Docling's JATS XML backend is vulnerable to XML Entity Expansion (XXE) attacks

Docling's JATS XML backend is vulnerable to XML Entity Expansion XXE attacks thru 2.61.0. The backend uses etree.parse to parse XML files without disabling entity resolution. An attacker can craft a malicious XML file containing a nested entity expansion payload XML Bomb. When processed by Doclin...

7.5CVSS6AI score0.00351EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday4 views

eml_parser has recursion DoS via nested message/rfc822 attachments

SummaryEmlParser.getrawbodytext recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the messag...

6.3CVSS6.2AI score0.00395EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists

LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load with allowedobjects="all". This does not enable arbitrary Python object deserialization, but it does allow...

8.2CVSS6.3AI score0.00406EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added yesterday3 views

Open WebUI Arbitrary File Write, Delete via Path Traversal

CONFIDENTIAL Vulnerability Disclosure Analysis Documentation-----------------------------------------------Vulnerability Details---------------------1. Discoverer: Taylor Pennington of KoreLogic, Inc.2. Date Submitted: June 11, 20243. Title: Open WebUI Arbitrary File Write, Delete via Path...

8.1CVSS6.1AI score0.00454EPSS
Exploits1References5Affected Software1
Total number of security vulnerabilities7035