Lucene search
+L

7044 matches found

PyPA
PyPA
•added 2025/02/26 7:26 p.m.•9 views

When using the project to bypass Deezer API restrictions, project exfiltrates user data to a hardcoded server.

Published in 2019, the automslc package is a Python librarythat bypasses Deezer API restrictions to download music.The package was found to exfiltrate user data to a hardcoded server,which could be used for malicious purposes...

6.7AI score
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/02/26 3:15 p.m.•10 views

PYSEC-2025-18

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package hosted, for example, on pypi.org or GitHub via pip.main. Because pip is not a restricted global, the model, when scanned with picklesca...

5.3CVSS6.9AI score0.01592EPSS
Exploits2References3Affected Software1
PyPA
PyPA
•added 2025/02/25 3:15 p.m.•17 views

PYSEC-2025-120

jupyterhub-ltiauthenticator is a JupyterHub authenticator for learning tools interoperability LTI. LTI13Authenticator that was introduced in jupyterhub-ltiauthenticator 1.3.0 wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request. Only use...

10CVSS5.8AI score0.00328EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2025/02/21 10:15 p.m.•11 views

PYSEC-2025-31

vyper is a Pythonic Smart Contract Language for the EVM. Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, in the case when target is an access to a DynArray and the rhs modifies the array, the cached target will evaluate first, and the...

9.1CVSS6.8AI score0.00527EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/02/21 10:15 p.m.•8 views

PYSEC-2025-29

vyper is a Pythonic Smart Contract Language for the EVM. Vyper sqrt builtin uses the babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to sqrt incorrectly returning rounded up results. This issue is being addressed a...

7.5CVSS6.8AI score0.00302EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2025/02/21 10:15 p.m.•10 views

PYSEC-2025-30

vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple writes, it can consume side effects produced in the loop body e.g. read a storage variable...

7.5CVSS6.8AI score0.00412EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2025/02/10 7:15 p.m.•14 views

PYSEC-2025-84

A Local File Inclusion LFI vulnerability exists in the /load-workflow endpoint of modelscope/agentscope version v0.0.4. This vulnerability allows an attacker to read arbitrary files from the server, including sensitive files such as API keys, by manipulating the filename parameter. The issue aris...

7.5CVSS7.2AI score0.00501EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/02/07 8:15 p.m.•8 views

PYSEC-2025-62

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Maliciously constructed statements can lead to hash collisions, resulting in cache reuse, which can interfere with subsequent responses and cause unintended behavior. Prefix caching makes use of Python's built-i...

2.6CVSS6.6AI score0.00184EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2025/02/03 5:15 p.m.•8 views

PYSEC-2025-127

lunasvg v3.0.1 was discovered to contain a segmentation violation via the component grayfindcell...

6.5CVSS5.7AI score0.00402EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/01/29 9:15 p.m.•11 views

PYSEC-2025-28

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. On Linux systems, when temporary credential...

5.5CVSS7AI score0.00137EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/01/29 9:15 p.m.•9 views

PYSEC-2025-27

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. The OCSP response cache uses pickle as the...

7.8CVSS6.8AI score0.00246EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/01/29 9:15 p.m.•9 views

PYSEC-2025-26

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Snowflake discovered and remediated a vulnerability in the Snowflake Connector for Python. A function from the...

7CVSS7.8AI score0.003EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/01/27 6:15 p.m.•9 views

PYSEC-2025-58

vLLM is a library for LLM inference and serving. vllm/modelexecutor/weightutils.py implements hfmodelweightsiterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function and the weightsonly parameter defaults to False. When torch.load loads malicious...

8.8CVSS7.8AI score0.00694EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2025/01/24 7:56 p.m.•13 views

uniapi version 1.0.7 contained an information harvesting script.

uniapi version 1.0.7 introduces code that would executeon import of the module and download a script from a remote URL,and would then execute the downloaded script in a thread.The downloaded script would harvest system informationand POST the information to another remote URL.This code was found ...

7AI score
Exploits0References2Affected Software1
PyPA
PyPA
•added 2025/01/23 1:15 a.m.•8 views

PYSEC-2025-133

lunasvg v3.0.0 was discovered to contain a segmentation violation via the component grayrecordcell...

6.5CVSS5.7AI score0.00334EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/01/23 1:15 a.m.•8 views

PYSEC-2025-132

lunasvg v3.0.0 was discovered to contain a segmentation violation via the component compositionsourceover...

6.5CVSS5.7AI score0.00334EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/01/23 1:15 a.m.•12 views

PYSEC-2025-131

lunasvg v3.0.0 was discovered to contain a allocation-size-too-big bug via the component plutovgsurfacecreate...

7.5CVSS5.7AI score0.0044EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/01/23 1:15 a.m.•12 views

PYSEC-2025-129

lunasvg v3.0.0 was discovered to contain a segmentation violation via the component plutovgblend...

6.5CVSS5.7AI score0.00334EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/01/23 1:15 a.m.•13 views

PYSEC-2025-128

lunasvg v3.0.0 was discovered to contain a segmentation violation via the component blendtransformedtiledargb.isra.0...

6.5CVSS5.7AI score0.00386EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/01/23 1:15 a.m.•10 views

PYSEC-2025-130

lunasvg v3.0.0 was discovered to contain a segmentation violation via the component plutovgpathaddpath...

6.5CVSS5.7AI score0.00334EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2025/01/21 3:15 p.m.•11 views

PYSEC-2025-12

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Cross-site request forgery allows an unauthenticated attacker to hijack the authentication of a logged in user, and use the web API with the same permissions,including but not...

8.2CVSS7.2AI score0.00243EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/01/14 7:15 p.m.•9 views

PYSEC-2025-118

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List ACL for file paths can be bypassed by altering the letter case of a blocked file or directory path. This...

8.7CVSS5.8AI score0.0085EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2025/01/14 7:15 p.m.•10 views

PYSEC-2025-1

An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions cleanipv6address and...

7.5CVSS6.9AI score0.01886EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2025/01/14 6:16 p.m.•8 views

PYSEC-2025-33

Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover 0x1 and Identity 0x4, the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but let the overall executi...

7.5CVSS7.2AI score0.00654EPSS
Exploits1References3Affected Software1
PyPA
PyPA
•added 2025/01/08 5:15 p.m.•14 views

PYSEC-2025-121

An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the getfile function...

6.5CVSS6.2AI score0.00224EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/12/26 10:15 p.m.•11 views

PYSEC-2024-298

OpenCTI is an open-source cyber threat intelligence platform. Before 6.3.0, general users can access information that can only be accessed by users with access privileges to admin and support information SETTINGSSUPPORT. This is due to inadequate access control for support information...

4.3CVSS5.8AI score0.00347EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/12/13 5:15 a.m.•8 views

PYSEC-2024-158

Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks...

7.1CVSS7.1AI score0.00558EPSS
Exploits0References6Affected Software1
PyPA
PyPA
•added 2024/12/12 2:2 a.m.•11 views

PYSEC-2024-297

OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the...

8.1CVSS5.8AI score0.00578EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/12/10 7:19 p.m.•10 views

A number of releases of ultralytics contained malicious crypto miner software.

Ultralytics has identified a supply chain attackaffecting affecting multiple versions of the ultralytics package.The compromised versions contained unauthorized code thatdownloaded and executed cryptocurrency mining softwarewhen instantiating YOLO models.This code was injected into the PyPI relea...

8.7CVSS7.2AI score
Exploits0References7Affected Software1
PyPA
PyPA
•added 2024/12/10 5:15 a.m.•10 views

PYSEC-2024-159

Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction Zip Slip due to improper destination file path validation in the extractpackagesarchive function...

8.6CVSS7AI score0.01096EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2024/12/06 12:15 p.m.•9 views

PYSEC-2024-157

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. Applications that use the...

9.8CVSS8AI score0.01424EPSS
Exploits0References4Affected Software1
PyPA
PyPA
•added 2024/12/06 12:15 p.m.•9 views

PYSEC-2024-156

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The striptags method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities...

7.5CVSS6.8AI score0.01398EPSS
Exploits0References5Affected Software1
PyPA
PyPA
•added 2024/12/04 11:15 a.m.•11 views

PYSEC-2024-300

Double-Free Vulnerability in uD3TN BPv7 Caused by Malformed Endpoint Identifier allows remote attacker to reliably cause DoS...

7.5CVSS5.8AI score0.00501EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2024/12/03 5:15 p.m.•60 views

PYSEC-2024-287

Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the...

5.3CVSS6.4AI score0.00419EPSS
Exploits0References2Affected Software1
PyPA
PyPA
•added 2024/12/03 5:15 p.m.•11 views

PYSEC-2024-286

Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can le...

7.5CVSS6.6AI score0.00572EPSS
Exploits0References1Affected Software1
PyPA
PyPA
•added 2024/12/03 4:15 p.m.•9 views

PYSEC-2024-256

Mobile Security Framework MobSF is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In versions prior to 3.9.7, the requests.get request in the checkurl method is specified as allowredirects=True, which allows a server-side reque...

7.5CVSS6.8AI score0.00712EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/11/28 5:15 p.m.•13 views

PYSEC-2024-161

Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources for example, user-supplied input files. This...

9.8CVSS7.7AI score0.02322EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/11/25 7:30 p.m.•10 views

aiocpa 0.1.13 contains credential harvesting code

aiocpa is a user-facing library for generating color gradients of text.Version 0.1.13 introduced obfuscated, malicious code targetingCrypto Pay users, forwarding client credentials to a remote Telegram bot.All versions have been removed from PyPI...

7.3AI score
Exploits0References2Affected Software1
PyPA
PyPA
•added 2024/11/25 2:15 p.m.•11 views

PYSEC-2024-224

Excessive directory permissions in MLflow leads to local privilege escalation when using sparkudf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the sparkudf MLflow API is called...

7CVSS6.9AI score0.0012EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/11/24 4:15 p.m.•10 views

PYSEC-2024-187

virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287...

9.8CVSS7.6AI score0.0157EPSS
Exploits1References4Affected Software1
PyPA
PyPA
•added 2024/11/22 10:15 p.m.•9 views

PYSEC-2024-228

Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability...

8.8CVSS7.7AI score0.02894EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/11/22 10:15 p.m.•11 views

PYSEC-2024-229

Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in th...

8.8CVSS7.7AI score0.02415EPSS
Exploits1References2Affected Software1
PyPA
PyPA
•added 2024/11/22 10:15 p.m.•10 views

PYSEC-2024-227

Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in...

8.8CVSS7.7AI score0.0714EPSS
Exploits4References2Affected Software1
PyPA
PyPA
•added 2024/11/22 8:15 p.m.•12 views

PYSEC-2024-310

Sentry is an error tracking and performance monitoring platform. Version 24.11.0, and only version 24.11.0, is vulnerable to a scenario where a specific error message generated by the Sentry platform could include a plaintext Client ID and Client Secret for an application integration. The Client ...

5.3CVSS5.8AI score0.00628EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/11/21 2:15 p.m.•13 views

PYSEC-2024-295

A heap-buffer-overflow vulnerability was discovered in the SkipSpacesAndLineEnd function in Assimp v5.4.3. This issue occurs when processing certain malformed MD5 model files, leading to an out-of-bounds read and potential application crash...

6.2CVSS6.5AI score0.00301EPSS
Exploits1References1Affected Software1
PyPA
PyPA
•added 2024/11/20 9:15 p.m.•10 views

PYSEC-2024-178

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to version 2.13.0, the multipart form parser shipped with litestar expects the entire request body as a single byte string and there is no default limit for the total size of the request body. This allows an attacker to...

8.2CVSS7.2AI score0.01004EPSS
Exploits2References6Affected Software1
PyPA
PyPA
•added 2024/11/19 10:15 p.m.•8 views

PYSEC-2024-160

lxmlhtmlclean is a project for HTML cleaning functionalities copied from lxml.html.clean. Prior to version 0.4.0, the HTML Parser in lxml does not properly handle context-switching for special HTML tags such as , and . This behavior deviates from how web browsers parse and interpret such tags...

7.7CVSS5.8AI score0.00472EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/11/18 3:15 p.m.•10 views

PYSEC-2024-313

OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. Prior to version 6.1.9, the regex validation used to prevent Introspection queries can be bypassed by removing the extra whitespace, carriage return, and line feed...

8.2CVSS5.3AI score0.00442EPSS
Exploits0References3Affected Software1
PyPA
PyPA
•added 2024/11/18 12:15 p.m.•9 views

PYSEC-2024-124

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in django CMS Association django-cms allows Cross-Site Scripting XSS.This issue affects django-cms: 3.11.7, 3.11.8, 4.1.2, 4.1.3...

4.8CVSS5.9AI score0.00493EPSS
Exploits1References5Affected Software1
PyPA
PyPA
•added 2024/11/15 11:15 a.m.•9 views

PYSEC-2024-123

An open redirection vulnerability exists in pyload/pyload version 0.5.0. The vulnerability is due to improper handling of the 'next' parameter in the login functionality. An attacker can exploit this vulnerability to redirect users to malicious sites, which can be used for phishing or other...

6.1CVSS6.8AI score0.00319EPSS
Exploits1References3Affected Software1
Total number of security vulnerabilities7044