Lucene search
+L

7044 matches found

PyPA
PyPA
•added 2025/03/25 8:15 a.m.•10 views

PYSEC-2025-162

A vulnerability has been found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This vulnerability affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation of the argument na...

8.8CVSS4.9AI score0.00618EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2025/03/25 8:15 a.m.•10 views

PYSEC-2025-163

A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. This issue affects the function fastatorealmove in the library include/assimp/fastatof.h of the component CSM File Handler. The manipulation leads to out-of-bounds read. The attack may be initiated...

8.8CVSS4.9AI score0.00618EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2025/03/25 8:15 a.m.•10 views

PYSEC-2025-161

A vulnerability, which was classified as critical, was found in Open Asset Import Library Assimp 5.4.3. This affects the function Assimp::CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp of the component CSM File Handler. The manipulation leads to out-of-bounds write. It is...

8.8CVSS6.1AI score0.00431EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2025/03/21 2:15 p.m.•3 views

PYSEC-2025-260

A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3. This issue affects the function CSMImporter::InternReadFile of the file code/AssetLib/CSM/CSMLoader.cpp. The manipulation leads to heap-based buffer overflow. The attack may be initiated...

8.8CVSS6.6AI score0.00678EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2025/03/21 2:15 p.m.•11 views

PYSEC-2025-160

A vulnerability classified as problematic was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function MDLImporter::InternReadFileQuake1 of the file code/AssetLib/MDL/MDLLoader.cpp. The manipulation of the argument skinwidth/skinheight leads to divide by zero. The...

5.5CVSS5.3AI score0.006EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2025/03/21 8:15 a.m.•12 views

PYSEC-2025-228

A vulnerability was found in WebAssembly wabt 1.0.36. It has been declared as critical. This vulnerability affects the function BinaryReaderInterp::GetReturnCallDropKeepCount of the file wabt/src/interp/binary-reader-interp.cc. The manipulation leads to heap-based buffer overflow. The attack can ...

6.8CVSS5.3AI score0.0047EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•10 views

PYSEC-2025-17

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user accou...

5.5CVSS6.7AI score0.00336EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•12 views

PYSEC-2025-98

A Server-Side Request Forgery SSRF vulnerability was discovered in gaizhenbiao/chuanhuchatgpt version 20240914. The vulnerability allows an attacker to construct a response link by saving the response in a folder named after the SHA-1 hash of the target URL. This enables the attacker to access th...

6.5CVSS6.8AI score0.00454EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•13 views

PYSEC-2025-99

A Denial of Service DoS vulnerability exists in the file upload feature of gaizhenbiao/chuanhuchatgpt version 20240914. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. By sending a payload with an excessively large filename, the server...

6.5CVSS6.6AI score0.00544EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•24 views

PYSEC-2025-57

A Denial of Service DoS vulnerability in zenml-io/zenml version 0.66.0 allows unauthenticated attackers to cause excessive resource consumption by sending malformed multipart requests with arbitrary characters appended to the end of multipart boundaries. This flaw in the multipart request boundar...

7.5CVSS7AI score0.00896EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•12 views

PYSEC-2025-95

A stored cross-site scripting XSS vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, affecting version git 20b2e02. The vulnerability arises from improper sanitization of HTML tags in chat history uploads. Specifically, the sanitization logic fails to handle HTML tags within code...

6.8CVSS6.8AI score0.00505EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•25 views

PYSEC-2025-97

An authentication bypass vulnerability exists in gaizhenbiao/ChuanhuChatGPT, as of commit 3856d4f, allowing any user to read and delete other users' chat history. The vulnerability arises because the username is provided via an HTTP request from the client side, rather than being read from a secu...

8.1CVSS7.3AI score0.00581EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•15 views

PYSEC-2025-96

An incorrect authorization vulnerability exists in gaizhenbiao/chuanhuchatgpt version git c91dbfc. The vulnerability allows any user to restart the server at will, leading to a complete loss of availability. The issue arises because the function responsible for restarting the server is not proper...

6.5CVSS6.6AI score0.006EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•10 views

PYSEC-2025-222

vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer RPC server entrypoints. The core functionality runserverloop calls the function makehandlercoro, which directly uses cloudpickle.loads on received messages without any sanitization. This can result in remote code...

9.8CVSS7.4AI score0.01274EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•3 views

PYSEC-2025-239

A vulnerability in gaizhenbiao/chuanhuchatgpt version 20240802 allows attackers to access, copy, and delete other users' chat histories. This issue arises due to improper handling of session data and lack of access control mechanisms, enabling attackers to view and manipulate chat histories of...

8.8CVSS7AI score0.0055EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•11 views

PYSEC-2025-80

A path traversal vulnerability exists in modelscope/agentscope version v.0.0.4. The API endpoint /api/file does not properly sanitize the path parameter, allowing an attacker to read arbitrary files on the server...

7.5CVSS7.2AI score0.00713EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•10 views

PYSEC-2025-83

A directory traversal vulnerability exists in modelscope/agentscope version 0.0.4. An attacker can exploit this vulnerability to read any local JSON file by sending a crafted POST request to the /read-examples endpoint...

7.5CVSS7.2AI score0.01211EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•23 views

PYSEC-2025-81

A Cross-Origin Resource Sharing CORS vulnerability exists in modelscope/agentscope version v0.0.4. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can lead to unauthorized dat...

9.8CVSS7.1AI score0.00273EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•13 views

PYSEC-2025-82

An arbitrary file download vulnerability exists in the rpcagentclient component of modelscope/agentscope version v0.0.4. This vulnerability allows any user to download any file from the rpcagent's host by exploiting the downloadfile method. This can lead to unauthorized access to sensitive...

8.8CVSS7.2AI score0.00922EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•12 views

PYSEC-2025-144

A divide by zero vulnerability exists in ollama/ollama version v0.3.3. The vulnerability occurs when importing GGUF models with a crafted type for blockcount in the Modelfile. This can lead to a denial of service DoS condition when the server processes the model, causing it to crash...

7.5CVSS7.1AI score0.00589EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•11 views

PYSEC-2025-10

A vulnerability in the downloadmodel function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwrite due to inadequate prevention of path traversal attacks in malicious tar files. This vulnerability can be exploited by an attacker to overwrite files i...

9.1CVSS7.3AI score0.01357EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•14 views

PYSEC-2025-11

A vulnerability in the KnowledgeBaseWebReader class of the run-llama/llamaindex repository, version latest, allows an attacker to cause a Denial of Service DoS by controlling a URL variable to contain the root URL. This leads to infinite recursive calls to the getarticleurls method, exhausting...

5.9CVSS7AI score0.0064EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•2 views

PYSEC-2025-244

A vulnerability in the LangChainLLM class of the run-llama/llamaindex repository, version v0.12.5, allows for a Denial of Service DoS attack. The streamcomplete method executes the llm using a thread and retrieves the result via the getresponsegen method of the StreamingGeneratorCallbackHandler...

7.5CVSS7AI score0.00761EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•19 views

PYSEC-2025-9

A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious cod...

9.8CVSS8.2AI score0.05342EPSS
Exploits5References3Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•11 views

PYSEC-2025-94

A Regular Expression Denial of Service ReDoS vulnerability exists in gaizhenbiao/chuanhuchatgpt, as of commit 20b2e02. The server uses the regex pattern r'+' to parse user input. In Python's default regex engine, this pattern can take polynomial time to match certain crafted inputs. An attacker c...

6.5CVSS6.6AI score0.00671EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•15 views

PYSEC-2025-93

gaizhenbiao/chuanhuchatgpt version git d4ec6a3 is affected by a local file inclusion vulnerability due to the use of the gradio component gr.JSON, which has a known issue CVE-2024-4941. This vulnerability allows unauthenticated users to access arbitrary files on the server by uploading a speciall...

7.5CVSS7AI score0.0083EPSS
Exploits2References1Affected Software1
PyPA
PyPA
•added 2025/03/20 10:15 a.m.•11 views

PYSEC-2025-92

An unauthenticated Denial of Service DoS vulnerability was identified in ChuanhuChatGPT version 20240918, which could be exploited by sending large data payloads using a multipart boundary. Although a patch was applied for CVE-2024-7807, the issue can still be exploited by sending data in groups...

7.5CVSS7.1AI score0.0067EPSS
Exploits2References1Affected Software1
PyPA
PyPA
•added 2025/03/19 4:15 p.m.•10 views

PYSEC-2025-63

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP on all network interfaces will allow attackers to execute remote code on distributed hosts. This is a remote code...

9CVSS8.4AI score0.0082EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2025/03/19 4:15 p.m.•11 views

PYSEC-2025-223

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. The outlines library is one of the backends used by vLLM to support structured output a.k.a. guided decoding. Outlines provides an optional cache for its compiled grammars on the local filesystem. This cache has...

6.5CVSS6.6AI score0.00421EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2025/03/17 4:35 p.m.•9 views

After the owner removed the project from PyPI, another user uploaded a new version with non-working code

The pygments-style-solarized project was removed from PyPI by its owner on 2021-08-26.The GitHub repository was also updated to show unmaintained, and archived on 2025-08-31.Another user uploaded a new version, 100.10.7, which contains non-working code,with clear language that it intends to be a...

6.8AI score
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/03/17 8:15 a.m.•9 views

PYSEC-2025-227

A vulnerability was found in WebAssembly wabt 1.0.36 and classified as critical. This issue affects the function wabt::interp::anonymous namespace::BinaryReaderInterp::OnExport of the file wabt/src/interp/binary-reader-interp.cc of the component Malformed File Handler. The manipulation leads to...

8.8CVSS6.4AI score0.00529EPSS
Exploits1References7Affected Software1
PyPA
PyPA
•added 2025/03/11 9:15 a.m.•11 views

PYSEC-2025-122

The Keras Model.loadmodel function permits arbitrary code execution, even with safemode=True, through a manually constructed, malicious .keras archive. By altering the config.json file within the archive, an attacker can specify arbitrary Python modules and functions, along with their arguments, ...

9.8CVSS6.7AI score0.02803EPSS
Exploits3References3Affected Software1
PyPA
PyPA
•added 2025/03/10 2:15 p.m.•10 views

PYSEC-2025-159

A vulnerability, which was classified as critical, has been found in Open Asset Import Library Assimp 5.4.3. This issue affects the function Assimp::BaseImporter::ConvertToUTF8 of the file BaseImporter.cpp of the component File Handler. The manipulation leads to heap-based buffer overflow. The...

9.8CVSS6.8AI score0.00485EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2025/03/10 2:15 p.m.•9 views

PYSEC-2025-22

A vulnerability, that could result in Remote Code Execution RCE, has been found in PlotAI. Lack of validation of LLM-generated output allows attacker to execute arbitrary Python code.Vendor commented out vulnerable line, further usage of the software requires uncommenting it and thus accepting th...

9.8CVSS7.8AI score0.00952EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2025/03/10 1:15 p.m.•14 views

PYSEC-2025-190

A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function nnqSigmoid of the component Quantized Sigmoid Module. The manipulation of the argument scale/zeropoint leads to improper initialization. The attack needs to be approached...

2.5CVSS4.1AI score0.0024EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2025/03/10 1:15 p.m.•12 views

PYSEC-2025-158

A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function Assimp::GetNextLine in the library ParsingUtils.h of the component File Handler. The manipulation leads to stack-based buffer overflow. The attack can be initiated...

8.8CVSS6.8AI score0.00548EPSS
Exploits1References6Affected Software1
PyPA
PyPA
•added 2025/03/10 12:15 p.m.•28 views

PYSEC-2025-21

picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being...

9.8CVSS8AI score0.00512EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2025/03/10 12:15 p.m.•11 views

PYSEC-2025-189

A vulnerability was found in PyTorch 2.6.0+cu124. It has been declared as critical. Affected by this vulnerability is the function torch.ops.profiler.callendcallbacksonjitfut of the component Tuple Handler. The manipulation of the argument None leads to memory corruption. The attack can be launch...

7.5CVSS5.3AI score0.00403EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2025/03/10 12:15 p.m.•8 views

PYSEC-2025-20

picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan...

6.5CVSS6.8AI score0.00307EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2025/03/06 7:15 p.m.•12 views

PYSEC-2025-13

An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings...

7.5CVSS7AI score0.00766EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2025/03/06 5:15 a.m.•9 views

PYSEC-2025-23

Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logged in the standard logging. If the redis password is passed as an argument, it will be logged and could potentially leak the password. This is only...

6.4CVSS7AI score0.00183EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2025/03/03 7:15 p.m.•9 views

PYSEC-2025-19

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not...

9.8CVSS6.8AI score0.00365EPSS
Exploits2References2Affected Software1
PyPA
PyPA
•added 2025/03/03 5:15 p.m.•10 views

PYSEC-2025-24

Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the /api/remove endpoint takes a URL query parameter that allows an image to be fetched, processed and returned. An attacker may be able to query this endpoint to view pictures hosted on the internal network of the rembg...

7.5CVSS6.7AI score0.00485EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2025/03/03 5:15 p.m.•14 views

PYSEC-2025-25

Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allowcredentia...

8.7CVSS6.7AI score0.00179EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2025/03/03 4:15 p.m.•7 views

PYSEC-2025-15

Flask-AppBuilder is an application development framework. Prior to 4.5.3, Flask-AppBuilder allows unauthenticated users to enumerate existing usernames by timing the response time from the server when brute forcing requests to login. This vulnerability is fixed in 4.5.3...

5.3CVSS6.9AI score0.00304EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2025/03/03 11:15 a.m.•9 views

PYSEC-2025-66

Improper privilege management in a REST interface allowed registered users to access unauthorized resources if the resource ID was know. This issue affects Apache StreamPipes: through 0.95.1.Users are recommended to upgrade to version 0.97.0 which fixes the issue...

6.5CVSS6.9AI score0.00615EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2025/02/26 9:19 p.m.•9 views

Posts scraped data to IP address associated with other malware distribution attacks.

Published in 2021, the imblog package is a Python librarythat scrapes data from a blog page to an IP address associated with other malware distribution attacks...

6.8AI score
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/02/26 8:59 p.m.•7 views

Exfiltrates cookies to hardcoded IP address

Published in 2021, the colabrun package is a Python librarythat exfiltrates user cookies to a hardcoded IP address.The package was found to exfiltrate user data to a hardcoded server,which could be used for malicious purposes...

6.7AI score
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/02/26 8:57 p.m.•10 views

Exfiltrates user cookies to hardcoded server endpoint during normal operations

Published in 2020, the autodzee package is a Python librarythat bypasses Deezer API restrictions to download music.The package was found to exfiltrate user data to a hardcoded server,which could be used for malicious purposes...

6.7AI score
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/02/26 8:54 p.m.•9 views

When using the project to bypass Deezer API restrictions, project exfiltrates user data to a hardcoded server.

Published in 2019, the autodzee package is a Python librarythat bypasses Deezer API restrictions to download music.The package was found to exfiltrate user data to a hardcoded server,which could be used for malicious purposes...

6.7AI score
Exploits0References1Affected Software1
Total number of security vulnerabilities7044