Lucene search
+L

7044 matches found

PyPA
PyPA
added 2025/07/22 5:15 p.m.13 views

PYSEC-2025-102

Local File Inclusion in dagster.grpc.impl.getnotebookdata in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebookpath field of ExternalNotebookData requests, bypassing the intended extension-based check...

6.6CVSS5.9AI score0.00524EPSS
Exploits1References3Affected Software1
PyPA
PyPA
added 2025/07/22 4:15 p.m.9 views

PYSEC-2025-148

Path Traversal vulnerability in onnx.externaldatahelper.saveexternaldata in ONNX 1.17.0 allows attackers to overwrite arbitrary files by supplying crafted externaldata.location paths containing traversal sequences, bypassing intended directory restrictions...

8.8CVSS7.4AI score0.00578EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2025/07/21 9:15 p.m.15 views

PYSEC-2025-71

Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS Cross-Site Scripting attack. This XSS would notably allow an attacker to execute JavaScript code ...

7.6CVSS6.8AI score0.00244EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2025/07/20 12:15 p.m.10 views

PYSEC-2025-234

A vulnerability, which was classified as problematic, has been found in Huashengdun WebSSH up to 1.6.2. Affected by this issue is some unknown functionality of the component Login Page. The manipulation of the argument hostname/port leads to cross site scripting. The attack may be launched...

6.1CVSS4AI score0.00429EPSS
Exploits2References6Affected Software1
PyPA
PyPA
added 2025/07/18 3:15 p.m.9 views

PYSEC-2025-181

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.6.6, an IDOR vulnerability in the GrapQL NotificationLineNotificationMarkReadMutation and NotificationLineNotificationDeleteMutation mutations of OpenCTI allows an authenticated...

5.4CVSS5.8AI score0.00201EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2025/07/13 8:15 p.m.11 views

PYSEC-2025-69

In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates devel and responsive...

6.4CVSS6.5AI score0.00184EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/07/07 1:15 p.m.12 views

PYSEC-2025-65

A path traversal vulnerability exists in run-llama/llamaindex versions 0.12.27 through 0.12.40, specifically within the encodeimage function in genericutils.py. This vulnerability allows an attacker to manipulate the imagepath input to read arbitrary files on the server, including sensitive syste...

7.5CVSS6.8AI score0.00545EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/07/07 10:15 a.m.2 views

PYSEC-2025-252

A vulnerability in the ObsidianReader class of the run-llama/llamaindex repository, specifically in version 0.12.27, allows for hardlink-based path traversal. This flaw permits attackers to bypass path restrictions and access sensitive system files, such as /etc/passwd, by exploiting hardlinks. T...

6.2CVSS6.5AI score0.0029EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/07/07 10:15 a.m.2 views

PYSEC-2025-251

The JSONReader in run-llama/llamaindex versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service DoS by submitting deeply nested JSON structures, leading to a RecursionError and crashing...

6.5CVSS6.8AI score0.00338EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/07/07 10:15 a.m.2 views

PYSEC-2025-250

An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llamaindex repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service DoS...

7.5CVSS7AI score0.00415EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/07/07 10:15 a.m.2 views

PYSEC-2025-248

A vulnerability in the ObsidianReader class of the run-llama/llamaindex repository, versions 0.12.23 to 0.12.28, allows for arbitrary file read through symbolic links. The ObsidianReader fails to resolve symlinks to their real paths and does not validate whether the resolved paths lie within the...

7.5CVSS7AI score0.00555EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/07/07 10:15 a.m.2 views

PYSEC-2025-247

A vulnerability in the ArxivReader class of the run-llama/llamaindex repository, versions up to v0.12.22.post1, allows for MD5 hash collisions when generating filenames for downloaded papers. This can lead to data loss as papers with identical titles but different contents may overwrite each othe...

5.3CVSS6.2AI score0.00281EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/07/06 11:15 p.m.2 views

PYSEC-2025-249

A critical deserialization vulnerability exists in the run-llama/llamaindex library's JsonPickleSerializer component, affecting versions v0.12.27 through v0.12.40. This vulnerability allows remote code execution due to an insecure fallback to Python's pickle module. JsonPickleSerializer prioritiz...

7.5CVSS6.7AI score0.00417EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/07/01 7:15 p.m.22 views

PYSEC-2025-61

Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large 64k encoded with default settings image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save...

7.1CVSS7.3AI score0.00259EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2025/06/24 8:15 a.m.11 views

PYSEC-2025-51

Failure to Sanitize Special Elements into a Different Plane Special Element Injection vulnerability in Apache Airflow Providers Snowflake.This issue affects Apache Airflow Providers Snowflake: before 6.4.0.Sanitation of table and stage parameters were added...

9.8CVSS7AI score0.00593EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/06/23 9:15 p.m.16 views

PYSEC-2025-70

A Server-Side Request Forgery SSRF vulnerability exists in the RequestsToolkit component of the langchain-community package specifically, langchaincommunity.agenttoolkits.openapi.toolkit.RequestsToolkit in langchain-ai/langchain version 0.0.27. This vulnerability occurs because the toolkit does n...

10CVSS6.8AI score0.14732EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2025/06/23 3:15 p.m.9 views

PYSEC-2025-52

gatewayproxyhandler in MLflow before 3.1.0 lacks gatewaypath validation...

5.8CVSS7AI score0.0037EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2025/06/19 9:15 p.m.10 views

PYSEC-2025-67

A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown/server.py. The manipulation of the argument file.filename leads to path traversal. The exploit has been disclosed to the public and may be used...

9.8CVSS6.6AI score0.00662EPSS
Exploits1References8Affected Software1
PyPA
PyPA
added 2025/06/19 9:15 p.m.14 views

PYSEC-2025-68

A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/addtool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may ...

8CVSS6.5AI score0.00475EPSS
Exploits1References9Affected Software1
PyPA
PyPA
added 2025/06/19 6:15 p.m.14 views

PYSEC-2025-186

A vulnerability has been found in wasm3 0.5.0 and classified as problematic. This vulnerability affects the function MarkSlotAllocated of the file source/m3compile.c. The manipulation leads to out-of-bounds write. An attack has to be approached locally. The exploit has been disclosed to the publi...

4.8CVSS4.7AI score0.00188EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2025/06/17 11:15 a.m.4 views

PYSEC-2025-236

Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Site Scripting XSS vulnerability in the admin interface. The vulnerability exists in the "displayablelinksjs" function, which fails to properly sanitize blog post titles before including them in JSON responses served via...

4.8CVSS5.9AI score0.00263EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2025/06/17 7:15 a.m.10 views

PYSEC-2025-64

A vulnerability classified as critical has been found in themanojdesai python-a2a up to 0.5.5. Affected is the function createworkflow of the file pythona2a/agentflow/server/api.py. The manipulation leads to path traversal. Upgrading to version 0.5.6 is able to address this issue. It is recommend...

9.8CVSS6.8AI score0.00726EPSS
Exploits1References12Affected Software1
PyPA
PyPA
added 2025/06/13 2:15 p.m.12 views

PYSEC-2025-150

Weak password requirements in OpenC3 COSMOS v6.0.0 allow attackers to bypass authentication via a brute force attack...

9.8CVSS5.8AI score0.00542EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/06/13 2:15 p.m.12 views

PYSEC-2025-149

A remote code execution RCE vulnerability in the Plugin Management component of OpenC3 COSMOS v6.0.0 allows attackers to execute arbitrary code via uploading a crafted .txt file...

9.8CVSS6.7AI score0.00914EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/06/13 2:15 p.m.4 views

PYSEC-2025-258

OpenC3 COSMOS before v6.0.2 was discovered to contain hardcoded credentials for the Service Account...

9.8CVSS6.1AI score0.00507EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2025/06/13 2:15 p.m.4 views

PYSEC-2025-256

An issue in the openc3-api/tables endpoint of OpenC3 COSMOS before 6.1.0 allows attackers to execute a directory traversal...

7.5CVSS6.2AI score0.00856EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2025/06/13 2:15 p.m.5 views

PYSEC-2025-255

A credential leak in OpenC3 COSMOS before v6.0.2 allows attackers to access service credentials as environment variables stored in all containers...

7.5CVSS6.1AI score0.00437EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2025/06/13 2:15 p.m.2 views

PYSEC-2025-254

A cross-site scripting XSS vulnerability in OpenC3 COSMOS before v6.0.2 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the URL parameter...

6.1CVSS6.3AI score0.00283EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2025/06/13 2:15 p.m.3 views

PYSEC-2025-257

An issue in the /script-api/scripts/ endpoint of OpenC3 COSMOS before 6.1.0 allows attackers to execute a directory traversal...

9.1CVSS6.2AI score0.00856EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2025/06/12 6:15 p.m.15 views

PYSEC-2025-221

vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This vulnerability is...

7.5CVSS5.8AI score0.0033EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2025/06/12 6:15 p.m.18 views

PYSEC-2025-220

vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change password functionality...

9.8CVSS5.8AI score0.00397EPSS
Exploits0References1Affected Software1
PyPA
PyPA
added 2025/06/10 4:15 p.m.10 views

PYSEC-2025-79

Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot, a...

7.1CVSS5.8AI score0.00303EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2025/06/10 4:15 p.m.14 views

PYSEC-2025-74

Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot, a...

7.1CVSS5.8AI score0.00303EPSS
Exploits0References5
PyPA
PyPA
added 2025/06/05 3:15 a.m.23 views

PYSEC-2025-47

An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are...

5.3CVSS7.4AI score0.00629EPSS
Exploits0References5Affected Software1
PyPA
PyPA
added 2025/06/02 10:15 a.m.2 views

PYSEC-2025-245

An SQL injection vulnerability exists in the delete function of DuckDBVectorStore in run-llama/llamaindex version v0.12.19. This vulnerability allows an attacker to manipulate the refdocid parameter, enabling them to read and write arbitrary files on the server, potentially leading to remote code...

9.8CVSS7.5AI score0.00705EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/05/31 1:15 a.m.10 views

PYSEC-2025-44

django-helpdesk before 1.0.0 allows Sensitive Data Exposure because of os.umask0 in models.py...

5.1CVSS7AI score0.00172EPSS
Exploits1References4Affected Software1
PyPA
PyPA
added 2025/05/30 7:15 p.m.12 views

PYSEC-2025-55

vLLM is an inference and serving engine for large language models LLMs. Version 0.8.0 up to but excluding 0.9.0 have a Denial of Service ReDoS that causes the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to...

6.5CVSS7AI score0.00453EPSS
Exploits1References5Affected Software1
PyPA
PyPA
added 2025/05/30 7:15 p.m.8 views

PYSEC-2025-54

vLLM is an inference and serving engine for large language models LLMs. In versions 0.8.0 up to but excluding 0.9.0, hitting the /v1/completions API with a invalid jsonschema as a Guided Param kills the vllm server. This vulnerability is similar GHSA-9hcf-v7m4-6m2j/CVE-2025-48943, but for regex...

6.5CVSS6.9AI score0.00453EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2025/05/30 6:15 p.m.14 views

PYSEC-2025-50

vLLM, an inference and serving engine for large language models LLMs, has a Regular Expression Denial of Service ReDoS vulnerability in the file vllm/entrypoints/openai/toolparsers/pythonictoolparser.py of versions 0.6.4 up to but excluding 0.9.0. The root cause is the use of a highly complex and...

6.5CVSS7AI score0.00426EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2025/05/30 6:15 a.m.10 views

PYSEC-2025-119

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Prior to version 5.31.0, an arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy a...

7.5CVSS7.3AI score0.0061EPSS
Exploits1References1Affected Software1
PyPA
PyPA
added 2025/05/29 5:15 p.m.16 views

PYSEC-2025-53

vLLM is an inference and serving engine for large language models LLMs. Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT Time to First Token. These timing differences...

2.6CVSS6.8AI score0.00247EPSS
Exploits0References4Affected Software1
PyPA
PyPA
added 2025/05/29 5:15 p.m.25 views

PYSEC-2025-43

vLLM is an inference and serving engine for large language models LLMs. In versions starting from 0.7.0 to before 0.9.0, in the file vllm/multimodal/hasher.py, the MultiModalHasher class has a security and data integrity issue in its image hashing method. Currently, it serializes PIL.Image.Image...

7.3CVSS6.8AI score0.00266EPSS
Exploits0References3Affected Software1
PyPA
PyPA
added 2025/05/28 10:15 a.m.2 views

PYSEC-2025-246

LLama-Index CLI version v0.12.20 contains an OS command injection vulnerability. The vulnerability arises from the improper handling of the --files argument, which is directly passed into os.system. An attacker who controls the content of this argument can inject and execute arbitrary shell...

7.8CVSS7.4AI score0.0103EPSS
Exploits1References2Affected Software1
PyPA
PyPA
added 2025/05/26 8:15 a.m.9 views

PYSEC-2025-46

A vulnerability was found in erdogant pypickle up to 1.1.5. It has been classified as critical. This affects the function Save of the file pypickle/pypickle.py. The manipulation leads to improper authorization. Attacking locally is a requirement. The exploit has been disclosed to the public and m...

5.5CVSS6.6AI score0.00197EPSS
Exploits1References18Affected Software1
PyPA
PyPA
added 2025/05/26 7:15 a.m.10 views

PYSEC-2025-45

A vulnerability was found in erdogant pypickle up to 1.1.5 and classified as problematic. Affected by this issue is the function load of the file pypickle/pypickle.py. The manipulation leads to deserialization. Local access is required to approach this attack. The exploit has been disclosed to th...

7.8CVSS6AI score0.00263EPSS
Exploits1References15Affected Software1
PyPA
PyPA
added 2025/05/26 5:15 a.m.10 views

PYSEC-2025-176

A vulnerability classified as problematic has been found in Open Asset Import Library Assimp 5.4.3. This affects the function MDLImporter::InternReadFile3DGSMDL345 of the file assimp/code/AssetLib/MDL/MDLLoader.cpp. The manipulation leads to out-of-bounds read. Local access is required to approac...

5.5CVSS4.7AI score0.00208EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2025/05/26 4:15 a.m.12 views

PYSEC-2025-175

A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been rated as problematic. Affected by this issue is the function MDLImporter::ImportUVCoordinate3DGSMDL345 of the file assimp/code/AssetLib/MDL/MDLLoader.cpp. The manipulation of the argument iIndex leads to out-of-bound...

5.5CVSS4.7AI score0.00208EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2025/05/26 4:15 a.m.12 views

PYSEC-2025-174

A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been declared as problematic. Affected by this vulnerability is the function LWOImporter::GetS0 in the library assimp/code/AssetLib/LWO/LWOLoader.h. The manipulation of the argument out leads to out-of-bounds read. The...

5.5CVSS4.7AI score0.00208EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2025/05/26 4:15 a.m.12 views

PYSEC-2025-173

A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been classified as problematic. Affected is the function MDCImporter::InternReadFile of the file assimp/code/AssetLib/MDC/MDCLoader.cpp of the component MDC File Parser. The manipulation of the argument pcVerts leads to...

5.5CVSS4.6AI score0.00208EPSS
Exploits1References6Affected Software1
PyPA
PyPA
added 2025/05/26 3:15 a.m.10 views

PYSEC-2025-172

A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This issue affects the function MDCImporter::ValidateSurfaceHeader of the file assimp/code/AssetLib/MDC/MDCLoader.cpp. The manipulation of the argument pcSurface2 leads to out-of-bounds read...

5.5CVSS4.8AI score0.00208EPSS
Exploits1References6Affected Software1
Total number of security vulnerabilities7044