Lucene search
+L

7044 matches found

PyPA
PyPA
added 2025/11/05 3:15 p.m.12 views

PYSEC-2025-107

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.NFKC normalization in Python is slow on Windows. As a consequence, django.http.HttpResponseRedirect, django.http.HttpResponsePermanentRedirect, and the shortcut django.shortcuts.redirect were subject to a...

7.5CVSS7.3AI score0.0193EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2025/10/31 3:15 p.m.11 views

PYSEC-2025-226

Kitware VTK Visualization Toolkit through 9.5.0 contains a heap use-after-free vulnerability in vtkGLTFDocumentLoader. The vulnerability manifests during mesh object copy operations where vector members are accessed after the underlying memory has been freed, specifically when handling GLTF files...

9.8CVSS5.7AI score0.0036EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2025/10/31 3:15 p.m.11 views

PYSEC-2025-225

Kitware VTK Visualization Toolkit through 9.5.0 contains a heap buffer overflow vulnerability in vtkGLTFDocumentLoader. When processing specially crafted GLTF files, the copy constructor of Accessor objects fails to properly validate buffer boundaries before performing memory read operations...

7.1CVSS6AI score0.00164EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2025/10/31 3:15 p.m.11 views

PYSEC-2025-224

Kitware VTK Visualization Toolkit up to 9.5.0 is vulnerable to Buffer Overflow in vtkGLTFDocumentLoader. The vulnerability occurs in the BufferDataExtractionWorker template function when processing GLTF accessor data...

7.5CVSS5.7AI score0.00392EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/10/28 7:15 p.m.15 views

PYSEC-2025-100

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. CodeChecker versions up to 6.26.1 contain a buffer overflow vulnerability in the internal ldloggerlibrary, which is executed by the CodeChecker logcommand.This issue affects...

7.8CVSS6AI score0.00174EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2025/10/20 8:15 p.m.13 views

PYSEC-2025-187

Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email containing a malicious link, allowing the attacker to set the email if clicked by the victim. This issue has been...

7.1CVSS5.7AI score0.00237EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2025/10/20 8:15 p.m.12 views

PYSEC-2025-188

Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or description fields which would run on project load. This issue has been patched in version 1.5.0...

5.4CVSS5.7AI score0.00165EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2025/10/15 8:15 a.m.18 views

PYSEC-2025-184

This issue affects Apache Spark versions before 3.4.4,3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.When spark.network.crypto.enabled is set to true it is set to false by default, but...

6.5CVSS7.2AI score0.0022EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/10/07 7:15 p.m.2 views

PYSEC-2025-268

Wasmtime is a runtime for WebAssembly. Wasmtime 37.0.0 and 37.0.1 have memory leaks in the C/C++ API when using bindings for the anyref or externref WebAssembly values. This is caused by a regression introduced during the development of 37.0.0 and all prior versions of Wasmtime are unaffected. If...

3.3CVSS6AI score0.00178EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/10/05 2:15 a.m.12 views

PYSEC-2025-157

A weakness has been identified in Open Asset Import Library Assimp 6.0.2. This affects the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. Executing a manipulation can lead to heap-based buffer overflow. The attack needs to be launched locally. The exploit...

7.8CVSS6.2AI score0.00222EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2025/10/05 1:15 a.m.11 views

PYSEC-2025-156

A vulnerability was identified in Open Asset Import Library Assimp 6.0.2. Affected by this vulnerability is the function ODDLParser::getNextSeparator in the library assimp/contrib/openddlparser/include/openddlparser/OpenDDLParserUtils.h. Such manipulation leads to heap-based buffer overflow. The...

7.8CVSS6.1AI score0.00225EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2025/10/05 1:15 a.m.13 views

PYSEC-2025-155

A vulnerability was determined in Open Asset Import Library Assimp 6.0.2. Affected is the function Q3DImporter::InternReadFile of the file assimp/code/AssetLib/Q3D/Q3DLoader.cpp. This manipulation causes allocation of resources. The attack is restricted to local execution. The exploit has been...

5.5CVSS5.4AI score0.00188EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2025/10/01 10:15 p.m.3 views

PYSEC-2025-269

Weblate is a web based localization tool. An open redirect exists in versions 5.13.2 and below via the redir parameter on .within.website when Weblate is configured with Anubis and REDIRECTDOMAINS is not set. An attacker can craft a URL on the legitimate domain that redirects a victim to an...

6.1CVSS6.1AI score0.00365EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2025/10/01 7:15 p.m.14 views

PYSEC-2025-106

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate, QuerySet.alias, QuerySet.aggregate, and QuerySet.extra are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionary expansion, as the kwarg...

9.8CVSS7.2AI score0.00583EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2025/09/26 8:15 a.m.12 views

PYSEC-2025-85

Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values.In Airflow 3.0.3, this model was unintentional...

6.5CVSS8AI score0.00903EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/09/25 4:15 p.m.9 views

PYSEC-2025-209

An issue in pytorch v2.7.0 can lead to a Denial of Service DoS when a PyTorch model consists of torch.Tensor.tosparse and torch.Tensor.todense and is compiled by Inductor...

7.5CVSS5.8AI score0.00381EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/09/25 4:15 p.m.7 views

PYSEC-2025-205

A syntax error in the component proxytensor.py of pytorch v2.7.0 allows attackers to cause a Denial of Service DoS...

7.5CVSS5.7AI score0.00381EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/09/25 4:15 p.m.17 views

PYSEC-2025-204

pytorch v2.8.0 was discovered to display unexpected behavior when the components torch.rot90 and torch.randnlike are used together...

7.5CVSS6AI score0.0039EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2025/09/25 4:15 p.m.17 views

PYSEC-2025-207

A Name Error occurs in pytorch v2.7.0 when a PyTorch model consists of torch.cummin and is compiled by Inductor, leading to a Denial of Service DoS...

7.5CVSS5.8AI score0.00381EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/09/25 4:15 p.m.14 views

PYSEC-2025-206

pytorch v2.8.0 was discovered to contain an integer overflow in the component torch.nantonum-.long...

5.3CVSS5.8AI score0.00294EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2025/09/25 4:15 p.m.9 views

PYSEC-2025-208

A buffer overflow occurs in pytorch v2.7.0 when a PyTorch model consists of torch.nn.Conv2d, torch.nn.functional.hardshrink, and torch.Tensor.view-torch.mv and is compiled by Inductor, leading to a Denial of Service DoS...

7.5CVSS6AI score0.0042EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/09/25 3:16 p.m.12 views

PYSEC-2025-202

PyTorch before 3.7.0 has a bernoullip decompose function in decompositions.py even though it lacks full consistency with the eager CPU implementation, negatively affecting nn.Dropout1d, nn.Dropout2d, and nn.Dropout3d for fallbackrandom=True...

5.3CVSS5.8AI score0.00391EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2025/09/25 3:16 p.m.12 views

PYSEC-2025-203

An issue in the component torch.linalg.lu of pytorch v2.8.0 allows attackers to cause a Denial of Service DoS when performing a slice operation...

7.5CVSS6.3AI score0.00391EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2025/09/25 3:16 p.m.10 views

PYSEC-2025-198

In PyTorch through 2.6.0, when eager is used, nn.PairwiseDistancep=2 produces incorrect results...

5.3CVSS5.8AI score0.00374EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2025/09/25 3:16 p.m.14 views

PYSEC-2025-200

In PyTorch before 2.7.0, when torch.compile is used, FractionalMaxPool2d has inconsistent results...

5.3CVSS5.8AI score0.0036EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2025/09/25 3:16 p.m.14 views

PYSEC-2025-199

In PyTorch before 2.7.0, when inductor is used, nn.Fold has an assertion error...

5.3CVSS5.8AI score0.00338EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/09/25 3:16 p.m.11 views

PYSEC-2025-201

In PyTorch before 2.7.0, bitwiserightshift produces incorrect output for certain out-of-bounds values of the "other" argument...

5.3CVSS5.8AI score0.00423EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/09/24 8:15 a.m.14 views

PYSEC-2025-88

Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 before 2.0.5.Users are recommended to upgrade to version 2.0.5, which fixes the issue...

5.3CVSS5.8AI score0.00457EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/09/19 9:15 a.m.12 views

PYSEC-2025-123

The Keras Model.loadmodelmethod can be exploited to achieve arbitrary code execution, even with safemode=True.One can create a specially crafted .h5/.hdf5model archive that, when loaded via Model.loadmodel, will trigger arbitrary code to be executed.This is achieved by crafting a special .h5archi...

7.3CVSS7.5AI score0.00205EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/09/19 9:15 a.m.12 views

PYSEC-2025-76

The Keras Model.loadmodelmethod can be exploited to achieve arbitrary code execution, even with safemode=True.One can create a specially crafted .kerasmodel archive that, when loaded via Model.loadmodel, will trigger arbitrary code to be executed. This is achieved by crafting a special config.jso...

8.6CVSS7.5AI score0.00186EPSS
Exploits0References2
PyPA
PyPA
added 2025/09/17 12:15 p.m.12 views

PYSEC-2025-153

A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via...

9.3CVSS7.5AI score0.00761EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2025/09/17 11:15 a.m.13 views

PYSEC-2025-152

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check CRC, which causes the...

9.8CVSS7.5AI score0.01428EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2025/09/17 10:15 a.m.9 views

PYSEC-2025-151

An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly...

9.3CVSS7.5AI score0.00816EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/09/15 5:15 p.m.10 views

PYSEC-2025-143

wangxutech MoneyPrinterTurbo 1.2.6 allows path traversal via /api/v1/download/ URIs such as /api/v1/download//etc/passwd...

6.3CVSS5.8AI score0.0029EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2025/09/09 12:15 a.m.9 views

PYSEC-2025-142

MONAI Medical Open Network for AI is an AI toolkit for health care imaging. In versions up to and including 1.5.0, the pickleoperations function in monai/data/utils.py automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using pickle.loads . This...

8.8CVSS5.8AI score0.00602EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2025/09/09 12:15 a.m.12 views

PYSEC-2025-140

MONAI Medical Open Network for AI is an AI toolkit for health care imaging. The extractall function zipfile.extractalloutputdir is used directly to process compressed files. It is used in many places in the project. In versions up to and including 1.5.0, when the Zip file containing malicious...

8.8CVSS5.7AI score0.00572EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2025/09/09 12:15 a.m.10 views

PYSEC-2025-141

MONAI Medical Open Network for AI is an AI toolkit for health care imaging. In versions up to and including 1.5.0, in modeldict = torch.loadfullpath, maplocation=torch.devicedevice, weightsonly=True in monai/bundle/scripts.py , weightsonly=True is loaded securely. However, insecure loading method...

8.8CVSS5.8AI score0.00684EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2025/09/03 9:15 p.m.12 views

PYSEC-2025-105

An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the kwargs passed QuerySet.annotate or QuerySet.alias...

8.1CVSS7.4AI score0.15602EPSS
Exploits4References7Affected Software1
PyPA
PyPA
added 2025/08/29 7:15 p.m.2 views

PYSEC-2025-240

Cross Site Scripting vulnerability in copyparty before 1.9.2 allows a local attacker to execute arbitrary code via a crafted payload to the WEEKEND-PLANS function. NOTE: this is disputed because WEEKEND-PLANS is accessible only to actors who already have write access to the server, and they can...

7.8CVSS6.4AI score0.00242EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2025/08/27 7:15 p.m.4 views

PYSEC-2025-259

The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the PCRE2 regular expression matching engine, specifically within the handling of the scs:... Scan SubString verb when combined with...

9.1CVSS6.9AI score0.00693EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2025/08/25 5:15 p.m.2 views

PYSEC-2025-243

Langflow is a tool for building and deploying AI-powered agents and workflows. A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative user. This results in...

8.8CVSS6.1AI score0.00433EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/08/11 8:15 a.m.10 views

PYSEC-2025-75

A safe mode bypass vulnerability in the Model.loadmodel method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted .keras model archive...

8.6CVSS6.3AI score0.00116EPSS
Exploits0References3
PyPA
PyPA
added 2025/08/07 4:15 p.m.9 views

PYSEC-2025-146

An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull...

6.6CVSS5.9AI score0.00174EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/07/31 9:15 p.m.9 views

PYSEC-2025-183

pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the application that uses the library admittedly, library users may benefit from a minimum value and a mechanism for opting in to strict enforcement...

7CVSS5.8AI score0.0016EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/07/31 2:34 p.m.26 views

After a successful phishing attack, new versions of `num2words` were published containing malware.

The num2words project was compromised via a phishing attackand two new versions were uploaded to PyPI containing malicious code.The affected versions have been removed from PyPI,and users are advised to remove the affected versions from their environments...

7AI score
Exploits0References2Affected Software1
PyPA
PyPA
added 2025/07/29 8:15 p.m.13 views

PYSEC-2025-101

An issue was discovered in Couchbase Sync Gateway before 3.2.6. In sgcollectinfooptions.log and syncgateway.log, there are cleartext passwords in redacted and unredacted output...

7.3CVSS5.8AI score0.0018EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/07/25 10:15 a.m.12 views

PYSEC-2025-182

NULL Pointer Dereference in µD3TN via non-singleton destination Endpoint Identifier allows remote attacker to reliably cause DoS...

7.5CVSS5.8AI score0.00505EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2025/07/24 11:15 p.m.2 views

PYSEC-2025-241

LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. In versions before 2.2.1, there is a critical SQL Injection vulnerability in the getLast API functionality of the eKuiper project. This flaw allows unauthenticated remote...

9.8CVSS6.5AI score0.0076EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/07/23 4:15 p.m.10 views

PYSEC-2025-137

A cross-site scripting XSS vulnerability in the component /blog/blogpost/add of Mezzanine CMS v6.1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a blog post...

4.8CVSS5.9AI score0.00576EPSS
Exploits3References3Affected Software1
PyPA
PyPA
added 2025/07/22 7:15 p.m.16 views

PYSEC-2025-147

Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint...

6.9CVSS6.5AI score0.03837EPSS
Exploits2References4Affected Software1
Total number of security vulnerabilities7044