Skip to main content

Python

2154 CVEs product

Monthly

CVE-2026-15746 MEDIUM PATCH This Month

Server-side request forgery in the strands-agents-tools elasticsearch_memory tool enables prompt-injection attacks that exfiltrate the operator's Elasticsearch API key to attacker-controlled infrastructure. Applications using strands-agents-tools prior to 0.7.0 that rely on the ELASTICSEARCH_API_KEY environment-variable fallback - rather than explicitly passing api_key - are exposed to credential theft when an attacker can influence LLM input. No public exploit code or CISA KEV listing has been identified at time of analysis, but the prompt-injection-to-SSRF primitive is well understood in the AI agent security community and the credential-theft impact warrants prompt remediation.

Python SSRF Elastic Strands Agents Tools
NVD
CVSS 4.0
6.9
CVE-2026-54447 HIGH PATCH GHSA This Week

Local credential theft in the garminconnect Python library (versions <= 0.3.4) stems from writing its OAuth token store to disk without an explicit file mode, so under the default umask 022 the file garmin_tokens.json - containing the DI refresh token - is created world-readable (0o644). Any unprivileged co-tenant on a shared Linux or macOS host can read the token and exchange it at Garmin's OAuth endpoint for fresh access tokens, gaining persistent access to the victim's Garmin Connect account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix in 0.3.5 is confirmed and the issue is trivially reproducible under default configuration.

Python Apple Privilege Escalation Authentication Bypass
NVD GitHub
CVSS 3.1
8.4
CVE-2026-61446 HIGH PATCH This Week

Arbitrary code execution in PraisonAI (praisonaiagents) before 1.6.78 lets an attacker who can drop a Python file into a plugin directory run their own code. The plugin manager auto-discovers and executes any .py file found in project-level or user-home .praisonai/plugins/ directories at initialization, with no code signing, integrity checks, or sandboxing. VulnCheck reported it under CWE-94; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python Path Traversal RCE Code Injection Praisonai
NVD GitHub
CVSS 4.0
8.6
CVE-2026-61433 HIGH PATCH This Week

Code injection in PraisonAI before 4.6.78 lets attackers who control deployment configuration achieve arbitrary Python execution because the API-server deployment generator fails to safely encode the deploy.api.host and agents_file values before emitting them into generated Python source (CWE-94). Injected expressions run when the generated API server starts or handles requests, yielding full code execution in the server process. No public exploit is identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.

Python RCE Code Injection Praisonai
NVD GitHub
CVSS 4.0
8.5
CVE-2026-54446 PyPI HIGH POC PATCH GHSA This Week

Unauthenticated abuse of the operator's NetLicensing credential affects Labs64 netlicensing-mcp (FastMCP server) versions <= 0.1.5 when run in HTTP transport mode. The ApiKeyMiddleware forwards requests that carry no client API key straight to the tool handlers, and the downstream client falls back to the server-side NETLICENSING_API_KEY environment variable, so any network-reachable attacker can invoke every MCP tool (list/create/update/delete of products, licenses, licensees, tokens) under the operator's identity and account quota. Publicly available exploit code exists (a self-contained Docker/Python PoC in the advisory), no public active exploitation is confirmed, and the issue is fixed in 0.1.6.

Docker Authentication Bypass Python
NVD GitHub
CVSS 3.1
8.1
CVE-2026-50158 Go HIGH PATCH GHSA This Week

Arbitrary file write in yutu, a Go-based YouTube CLI and MCP server, lets any caller of the built-in `caption-download` MCP tool place attacker-controlled bytes at any filesystem path the yutu process can write to. The vulnerable `Caption.Download()` calls `os.Create()` on the caller-supplied `file` parameter, bypassing the `YUTU_ROOT` (`pkg.Root`/`os.OpenRoot`) confinement that every other caption write path enforces. Publicly available exploit code exists (a self-contained Docker PoC ships with the advisory); the flaw is not in CISA KEV and no active exploitation is reported, and the vendor has released a fixed version (0.10.9-dev1).

Denial Of Service Debian Python Docker RCE
NVD GitHub
CVSS 3.1
7.7
CVE-2026-50125 Go HIGH PATCH GHSA This Week

Unauthenticated remote denial of service in StacklokLabs MKP (Model Context Protocol for Kubernetes) server versions before 0.4.1 lets a single crafted `tools/call` request against the default `:8080` endpoint exhaust process memory. The `get_resource` tool accepts attacker-controlled `limitBytes`/`tailLines` values with no upper bound and streams the entire Kubernetes pod-log response into an in-memory `bytes.Buffer`, driving an OOM kill (dynamic reproduction grew RSS from 25.8 MB to 1,179.3 MB on one request). Publicly available exploit code exists in the GitHub Security Advisory; there is no public evidence of active exploitation.

Docker Kubernetes Denial Of Service Python
NVD GitHub
CVSS 3.1
7.5
CVE-2026-59884 HIGH PATCH This Week

Denial of service in the pyasn1 Python ASN.1 library (versions prior to 0.6.4) allows a remote attacker to exhaust CPU and crash applications by supplying crafted BER, CER, or DER encoded data. The shared BER decoder parses long-form tags without bounding the tag ID size, so a malicious tag forces construction of an arbitrarily large integer whose processing scales quadratically, and on Python 3.11+ triggers unhandled ValueError exceptions in integer-to-string error formatting. No public exploit identified at time of analysis, though the fix commit ships proof-of-concept test cases; not listed in CISA KEV.

Python Denial Of Service Pyasn1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59885 HIGH PATCH This Week

Denial of service in the pyasn1 Python ASN.1 library (all versions prior to 0.6.4) allows remote attackers to exhaust CPU by submitting a small crafted OBJECT IDENTIFIER or RELATIVE-OID whose arcs are decoded in quadratic time, so any application that calls decode() on untrusted ASN.1 data can be stalled per call; re-encoding such values triggers the same blow-up. Rated CVSS 7.5 (availability-only) with no confidentiality or integrity impact; no public exploit identified at time of analysis, though the fix commit ships a regression test that effectively demonstrates the trigger. As a foundational dependency behind LDAP, SNMP, X.509/PKI and crypto tooling across the Python ecosystem, its broad transitive reach makes this notable despite the modest severity.

Python Denial Of Service Pyasn1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-59886 HIGH PATCH This Week

Uncontrolled resource consumption in the pyasn1 Python ASN.1 library (versions prior to 0.6.4) lets remote attackers hang applications that decode untrusted BER/CER/DER data. A REAL value only a few bytes long can encode an enormous exponent; when the decoded univ.Real object is later printed, logged, compared, or converted via prettyPrint(), str(), int(), or float(), pyasn1 performs exact big-integer exponentiation that consumes excessive CPU and memory. There is no public exploit identified at time of analysis, but the network/no-auth/no-interaction, availability-only profile makes this a straightforward denial-of-service primitive; the issue is fixed in version 0.6.4.

Python Denial Of Service Pyasn1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54058 HIGH PATCH This Week

Out-of-bounds memory disclosure in Python Pillow before 12.3.0 lets an attacker who supplies a crafted McIdas AREA image file read adjacent process memory or crash the host application. When such a file is opened from a filename, header words control the raw-codec mmap row stride; setting it below the true row width causes later pixel operations (tobytes, getpixel, convert, save) to read past the mapped region. No public exploit is identified at time of analysis and it is not in CISA KEV, but the upstream fix, PR, and a regression test are public, making the flaw well documented.

Python Buffer Overflow Information Disclosure Pillow
NVD GitHub
CVSS 4.0
8.3
EPSS
0.4%
CVE-2026-59197 HIGH PATCH This Week

Heap out-of-bounds write in Python Pillow prior to 12.3.0 lets an attacker who controls the rank-filter size parameter corrupt native heap memory and crash or potentially manipulate the process. ImageFilter.RankFilter.filter() calls image.expand(size // 2, size // 2) before validating the filter size, and the native ImagingExpand() routine computes output dimensions using unchecked signed-int arithmetic, so a very large odd size overflows and drives an out-of-bounds write (CWE-787). No public exploit is identified at time of analysis; the flaw is fixed in Pillow 12.3.0.

Python Buffer Overflow Memory Corruption Pillow
NVD GitHub
CVSS 3.1
8.2
EPSS
0.4%
CVE-2026-59200 HIGH PATCH This Week

Uncontrolled memory consumption in Python Pillow (PIL) versions 5.1.0 through 12.2.x allows a remote attacker to cause denial of service by supplying a small crafted PDF whose FlateDecode stream declares a large Length; PdfParser.PdfStream.decode() passes this attacker-controlled Length straight to zlib.decompress() as the bufsize with no upper bound, so a tiny file inflates into gigabytes of decompressed data and exhausts host memory. Fixed in 12.3.0 by streaming decompression with a bounded max_length. No public exploit identified at time of analysis and this CVE is not in CISA KEV, but the trigger is trivial to construct.

Python Denial Of Service Pillow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59198 HIGH PATCH This Week

Out-of-bounds heap read in Python Pillow's TGA RLE encoder (versions 5.2.0 through 12.2.x) lets adjacent process heap bytes leak into a generated TGA file when an application saves a mode '1' (1-bit) image using compression='tga_rle'. The flaw is an information-disclosure bug (CWE-125), fixed in 12.3.0, with no public exploit identified at time of analysis. The NVD CVSS of 7.5 (network vector) overstates practical reach because triggering the leak depends on the host application invoking this specific and unusual save path.

Python Buffer Overflow Information Disclosure Pillow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-59205 HIGH PATCH This Week

Denial-of-service and controlled heap corruption in Python's Pillow imaging library (all versions prior to 12.3.0) occurs when ImageCms.ImageCmsTransform.apply() is invoked with an output image whose mode does not match the transform's declared output mode, causing an out-of-bounds write in the native color-management code. The pre-fix code only validated the output mode and never validated the input mode, so a mismatched buffer geometry lets the C-level transform write past allocation bounds. No public exploit has been identified at time of analysis; the fix is confirmed in release 12.3.0 via the vendor security advisory GHSA-9hw9-ch79-4vh6.

Python Buffer Overflow Memory Corruption Pillow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59203 HIGH PATCH This Week

Denial of service in Python Pillow 12.0.0 through 12.2.0 lets a remote attacker hang an application by supplying a crafted EPS image whose %%BeginBinary directive declares a negative byte count, causing the EPS parser to seek backwards and re-parse the same directive forever. Any service that calls Image.open() on attacker-supplied EPS data is affected until upgraded to 12.3.0. No public exploit identified at time of analysis, though the upstream fix PR includes a test reproducer; the flaw is not listed in CISA KEV.

Python Denial Of Service Pillow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59199 HIGH PATCH This Week

Denial of service (and potential memory corruption) in Python Pillow before 12.3.0 arises when public image coordinate APIs - Image.paste(), Image.crop(), and Image.alpha_composite() - are handed box coordinates near the signed 32-bit integer boundary (±2**31), causing a native heap out-of-bounds write in the C imaging core. Any application that forwards untrusted coordinate values into these calls can be crashed, and the OOB write raises the theoretical prospect of heap corruption. No public exploit identified at time of analysis; the fix (integer-overflow-safe int64_t arithmetic) shipped in 12.3.0.

Python Buffer Overflow Integer Overflow Pillow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-59204 HIGH PATCH This Week

Denial of service in Python Pillow (versions 8.2.0 through 12.2.0) allows remote attackers to exhaust memory during JPEG2000 decoding, causing out-of-memory failures in any application that decodes untrusted images. The flaw stems from Pillow's JPEG2000 decoder summing tile widths across the whole image rather than per tile, so a small crafted tiled file forces disproportionately large transient allocations. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the upstream fix (12.3.0) and a public PR/commit make the root cause fully transparent.

Python Information Disclosure Pillow
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-12482 LOW Monitor

Symlink entries in malicious tar archives bypass the `filter_safe_tarinfos` validation in Keras 3.12.0, enabling directory escape that can read or overwrite arbitrary files on the host filesystem. The root defect is in `keras/src/utils/file_utils.py`, where `is_path_in_dir` path containment checks are applied only to regular file entries - symlink entries are extracted without equivalent validation. The exposure is most severe on Python 3.10 and 3.11, where `filter_safe_tarinfos` is the sole extraction safeguard; no public exploit or active exploitation has been identified at time of analysis.

Python Path Traversal Keras Team Keras
NVD
CVSS 3.0
3.1
EPSS
0.3%
CVE-2026-47677 PHP CRITICAL POC PATCH GHSA Act Now

Complete account takeover in FacturaScripts (<= 2026.2) lets an unauthenticated network attacker hijack any 2FA-enabled account, including admins, by brute-forcing the /login?action=two-factor-validation endpoint. The handler issues a full session cookie on a matching TOTP without verifying the password, requiring a CSRF token, or enforcing any rate limit, and an over-wide verification window keeps ~17 codes valid at once. Publicly available exploit code exists (a working Python PoC in the GitHub advisory GHSA-c67f-gmxw-mj93); no active exploitation has been reported in CISA KEV.

PHP Python Authentication Bypass CSRF
NVD GitHub
CVE-2026-61668 PyPI HIGH PATCH GHSA This Week

Man-in-the-middle code injection in DIRAC's grid pilot bootstrap affects the DIRACGrid Python distributed-computing framework, where the PilotWrapper explicitly disables TLS certificate validation when fetching the second-stage pilot.tar. Because both the payload and its reference checksum traverse the same unverified HTTPS channel, an attacker positioned on the grid site's network can substitute arbitrary code that runs in the pilot context with access to its proxy/credentials. No public exploit identified at time of analysis; exploitation requires an active network intercept, which the vendor notes is non-trivial, but the CVSS is 8.1 due to full CIA impact.

RCE Python
NVD GitHub
CVSS 3.1
8.1
CVE-2026-13014 CRITICAL Act Now

Remote unauthenticated code execution in Thales CERT's "Suspicious" email-analysis application (versions 1.3.4 and earlier), dubbed "Matryoshka Mail," lets an attacker abuse path traversal in attachment handling to overwrite writable application files-Python modules, configuration, cron inputs, and runtime artifacts-yielding root-level execution inside the Django container. Because the affected code runs Python and processes attacker-supplied mail, overwriting an imported module effectively converts arbitrary file write into RCE, plus persistent denial of service and possible exposure of application secrets and integrations. No public exploit identified at time of analysis and the issue is not in CISA KEV, but it carries a CVSS 4.0 base score of 9.2 and vendor-credited discovery by Lucien Doustaly (wlayzz).

Denial Of Service Path Traversal RCE Python Suspicious
NVD GitHub
CVSS 4.0
9.2
EPSS
0.7%
CVE-2026-61447 CRITICAL PATCH Act Now

Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating the LLM that drives the CodeAgent component. Because CodeAgent._execute_python() runs LLM-generated code with no AST validation, import restrictions, or sandbox, an attacker who can shape model output via prompt injection can exfiltrate all environment secrets and gain full control of the agent host. VulnCheck reports the flaw with a maximum CVSS 4.0 score of 10.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Code Injection Python RCE Praisonai
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.5%
CVE-2026-14480 HIGH CISA Act Now

Authenticated arbitrary file write in OpenPLC Runtime v3 lets a logged-in user of the legacy web UI escalate to native code execution on the host running the automation controller. The program-upload workflow stores the attacker-supplied prog_file filename in the Programs.File database field and later reuses it unvalidated as a destination path; because Python os.path.join() honors absolute paths, files can be written anywhere the webserver process can write. Reported by ICS-CERT (CISA ICS advisory ICSA-26-190-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python RCE Openplc
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.6%
CVE-2026-55664 MEDIUM PATCH This Month

Unauthorized schema disclosure in Grist Core prior to 1.7.15 allows any user with partial read access - explicitly including anonymous public users on publicly viewable documents - to retrieve table and column metadata for any widget by querying the GET /forms endpoint. The endpoint failed both to validate that the requested section was a form widget and to apply the document's configured access rules before returning metadata, meaning hidden schema structure (table names, column names, types) is fully exposed regardless of the restrictions in place. No public exploit has been identified and the vulnerability is not in CISA KEV; a vendor-released patch exists in version 1.7.15.

Python Information Disclosure Grist Core
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-55665 HIGH PATCH This Week

Stored and reflected cross-site scripting in Grist (grist-core) before 1.7.15 lets an attacker place a javascript: URL into an unvalidated link href and execute script in a victim's authenticated Grist origin on a single click. Two entry points are affected: the /welcome/select-account page reflects its next query parameter into account-button links, and the GristDocTour table's Link_URL column renders as a clickable tour button, so a document editor can plant a payload that runs when another user opens the document. Because the script executes as the victim, it can drive Grist APIs to read or modify data and change sharing/access rules, letting an editor escalate to owner-level control. There is no public exploit identified at time of analysis and it is not in CISA KEV.

XSS Python Grist Core
NVD GitHub
CVSS 4.0
8.5
EPSS
0.3%
CVE-2026-55659 HIGH PATCH This Week

Stored and reflected cross-site scripting in Grist (grist-core) prior to 1.7.15 lets a document editor inject script into a document's name or description that executes when higher-privileged users open the document, and lets attackers abuse the OAuth2 end-of-flow page's reflected openerOrigin parameter. Because the injected script runs in the victim's authenticated Grist origin, a mere document editor can read or modify data, alter sharing settings and access rules, and escalate to owner-level control. No public exploit identified at time of analysis; the issue is CWE-79 and is fixed upstream in the tagged 1.7.15 release.

XSS Python Grist Core
NVD GitHub
CVSS 3.1
7.7
EPSS
0.3%
CVE-2026-54071 PyPI HIGH POC PATCH GHSA This Week

Arbitrary Python code execution in BabelDOC (funstory-ai, pip package `babeldoc`) prior to 0.6.3 allows an attacker to run code in the context of the translation process by having a victim process a crafted PDF. The vendored pdfminer CMap loader (`cmapdb.py::_load_data`) strips only NUL bytes from a PDF-controlled CMap/Encoding name and passes it to `pickle.loads()`, so a hex-encoded absolute path in the PDF's `/Encoding` name redirects deserialization to an attacker-planted `.pickle.gz` file. A detailed, working proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no public evidence of active exploitation at time of analysis.

Deserialization Python Canonical Adobe Microsoft +4
NVD GitHub
CVSS 3.1
7.8
CVE-2026-61444 CRITICAL PATCH Act Now

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api.py run arbitrary Python, because that value is interpolated directly into an f-string that is later executed as generated server code via subprocess.Popen(). The CVSS 4.0 base score is 9.4 and the vector requires high privileges (PR:H), meaning the attacker must already be able to reach and drive the deployment API. No public exploit has been identified at time of analysis and it is not on the CISA KEV list.

Code Injection Python RCE Praisonai
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-61437 HIGH PATCH This Week

Arbitrary Python code execution in PraisonAI (praisonaiagents) before 1.6.78 occurs when AgentFlow._resolve_pydantic_class resolves a string output_pydantic reference in a workflow step, causing the framework to import a sibling tools.py from the workflow file's directory via importlib exec_module without any sandboxing. Because this loader ignores the PRAISONAI_ALLOW_*_TOOLS environment guardrails, an attacker who supplies a malicious workflow file plus its tools.py runs code with the workflow runner's privileges the moment the workflow is executed via WorkflowManager or loaded through load_yaml. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV.

Python RCE Praisonai
NVD GitHub
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-49836 PyPI MEDIUM POC PATCH GHSA This Month

Path traversal in psd-tools through v1.17.0 exposes any application processing untrusted PSD files to arbitrary file write and secondary arbitrary file read via the SmartObject API. SmartObject.save() consumes the embedded smart-object filename verbatim from the PSD binary - without basename stripping, absolute-path rejection, or directory-escape filtering - allowing a crafted PSD to write attacker-supplied bytes to any path the process can reach. A secondary issue in SmartObject.open() for external-kind objects uses the attacker-controlled fullPath descriptor as a read source, enabling file exfiltration to the write destination. A standalone proof-of-concept is publicly confirmed in the advisory; the fix is vendor-confirmed in v1.17.1 (PR #657). No public exploit identified at time of analysis beyond the advisory-embedded POC, and no CISA KEV listing was found.

Python Path Traversal Buffer Overflow Docker Denial Of Service +1
NVD GitHub
CVE-2026-59216 CRITICAL PATCH Act Now

Cross-user remote code execution in Open WebUI before 0.10.0 lets an authenticated user run arbitrary code interpreter Python or invoke tools inside another logged-in user's session. The get_event_call handler dispatched execute:python and execute:tool Socket.IO events to any client-supplied session_id that was merely 'connected', so an attacker who harvested a victim's socket ID via the ydoc:document:join collaboration flow could hijack that session. A proof-of-concept is indicated in the SSVC data, though the flaw is not in CISA KEV and EPSS rates near-term mass exploitation low (0.28%, 19th percentile).

Code Injection Python RCE Open Webui
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.3%
CVE-2026-15308 HIGH PATCH This Week

CPU-exhaustion denial of service in CPython's standard-library html.parser.HTMLParser lets remote attackers cause quadratic processing time by feeding a long, unterminated markup construct (comment, tag, PI, DOCTYPE, CDATA, or RAWTEXT element) incrementally in many small chunks. Any Python service that streams attacker-controlled HTML through HTMLParser.feed() is affected in all CPython versions before 3.16.0. There is no public exploit identified at time of analysis, but the fix, root cause (repeated buffer rescan and concatenation), and a triggering test case are publicly documented in the upstream pull request, making a working reproducer trivial to reconstruct.

Denial Of Service Python
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.5%
CVE-2026-59214 CRITICAL PATCH Act Now

Privilege escalation and server-side code execution in Open WebUI before 0.10.0 lets a low-privileged authenticated user plant a malicious chat payload that, when a victim (typically an admin) clicks Run, executes client-side Python via Pyodide in a same-origin web worker and issues authenticated same-origin requests to admin-only endpoints. Because the requests inherit the victim's session, the attacker can reach administrative APIs and trigger server-side code execution through configured tools. No public exploit has been identified at time of analysis, and EPSS is low (0.25%), but CVSS is 9.0 with total technical impact per CISA SSVC.

XSS Python Open Webui
NVD GitHub
CVSS 3.1
9.0
EPSS
0.2%
CVE-2026-15188 LOW POC Monitor

Improper access control in manjurulhoque's django-job-portal allows authenticated remote attackers to manipulate the `role` argument via the `EditEmployeeProfileAPIView` endpoint, enabling unauthorized privilege escalation within the Employee Dashboard. All commits up to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f are affected under a rolling release model with no fixed version available. A publicly available proof-of-concept exploit exists via GitHub issue #91; the project maintainer has not responded to disclosure and no patch has been released.

Authentication Bypass Python Django Job Portal
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-49477 PyPI HIGH POC PATCH GHSA This Week

Denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4, lets remote attackers hang a worker thread by submitting a ~300-byte attribute selector with an unterminated quoted value (e.g. '[a="xxxx...'), triggering catastrophic regular-expression backtracking in the VALUE pattern of css_parser.py. Any Python service that passes untrusted selector strings to soupsieve.compile() or Beautiful Soup's .select()/.select_one() is affected, and each added byte roughly doubles CPU time, so a handful of concurrent requests can exhaust all workers. Publicly available exploit code exists (a working PoC is embedded in the advisory), but no exploit is identified as being used in active attacks and it is not listed in CISA KEV.

Python Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-49476 PyPI HIGH POC PATCH GHSA This Week

Memory-exhaustion denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4 (beautifulsoup4), lets remote unauthenticated attackers crash Python services by submitting a large comma-separated CSS selector to soupsieve.compile() or Beautiful Soup's .select()/.select_one(). Each comma-delimited item is parsed into a ~976-byte object graph with no cap on list length, so a ~500 KB selector string of 'a,a,a,...' expands to roughly 244 MB of heap (a ~488x amplification), triggering OOM kills or MemoryError. A working proof-of-concept is published in the advisory; no CISA KEV listing or in-the-wild exploitation is reported.

Kubernetes Python Denial Of Service Docker
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-48987 PyPI MEDIUM POC GHSA This Month

Memory exhaustion in pyload's EventManager module allows authenticated remote attackers to cause a denial of service by sending large volumes of requests to the getEvents API endpoint with unique UUIDs. Each unique UUID causes a new Client instance to be appended to the internal clients list, but the existing clean() method that would purge inactive clients is never invoked anywhere in the codebase, resulting in unbounded memory growth. No public exploit is independently catalogued, but a functional proof-of-concept script was included in the disclosure, demonstrating that the attack can be executed with a valid API key and approximately 100,000 HTTP GET requests.

Python Denial Of Service
NVD GitHub
CVSS 3.1
6.5
CVE-2026-48737 PyPI MEDIUM POC GHSA This Month

SSRF protection bypass in pyload-ng allows authenticated users with link-add permissions to reach internal network endpoints - including cloud metadata services - by supplying IPv6 transition-encoded addresses that Python's `ipaddress.IPv6Address.is_global` incorrectly classifies as globally routable. The NAT64 prefix (`64:ff9b::/96`) bypass is universal across all supported Python versions (3.9-3.14); the 6to4 prefix (`2002::/16`) bypass additionally affects Python 3.9-3.11, covering the full `python_requires = >=3.9` matrix. No confirmed active exploitation (CISA KEV) has been identified, but a researcher-provided proof-of-concept demonstrates full bypass of both the `is_global_address` guard and the pycurl PREREQFUNC in `http_request.py:680`.

SSRF Python
NVD GitHub
CVSS 3.1
4.9
CVE-2026-54591 HIGH PATCH This Week

Arbitrary file write in the AsyncSSH Python library (versions prior to 2.23.1) allows a malicious or compromised SSH server to plant files anywhere on an SCP client's filesystem when a user initiates a file-copy operation against it. Because the SCP client trusts server-supplied filenames verbatim, a hostile server can return names containing ../ sequences to escape the intended download directory, enabling code execution or system tampering. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.

Python Path Traversal
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-54590 MEDIUM PATCH This Month

{ENV}) unblocked, enabling escape via Python's Path.expanduser() and _expand_val() expansion. No public exploit has been identified at time of analysis, and CVSS AC:H reflects the prerequisite server-side configuration; however, successful exploitation achieves high integrity impact by enabling authentication with key material from arbitrary filesystem locations.

Python Path Traversal
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-52831 Go CRITICAL POC PATCH GHSA Act Now

OS command injection in Nuclio (serverless platform) versions <= 1.15.27 lets attackers run arbitrary shell commands as root inside Kubernetes CronJob pods by submitting a function with a crafted cron trigger. The controller concatenates unsanitized `event.headers` keys and `event.body` values into a `/bin/sh -c` curl string; a header key containing a double-quote breaks quoting, and a body containing `$()` triggers command substitution (strconv.Quote does not escape it). Because the Nuclio Dashboard API is unauthenticated in its default configuration, this is remotely reachable; no public exploit is identified in KEV, though a detailed, dynamically-verified PoC accompanies the advisory.

Python Kubernetes Microsoft Docker Command Injection +1
NVD GitHub
CVSS 3.1
10.0
CVE-2026-49825 PyPI HIGH PATCH GHSA This Week

Stored cross-site scripting in the lxml_html_clean Cleaner (≤ 0.4.4) and the bundled lxml legacy html.clean module (≤ 6.1.0) lets attackers smuggle javascript: URLs through HTML sanitization on the namespaced xlink:href attribute. When callers configure Cleaner with safe_attrs_only=False, the URL-scheme scrubber never inspects <a xlink:href="javascript:..."> inside SVG or MathML, so the payload survives and executes when a victim clicks the rendered anchor. Publicly available exploit code exists (a working reproducer ships with the advisory), but there is no public exploit identified as being used in active attacks and the issue is not in CISA KEV.

XSS Python Canonical Mozilla
NVD GitHub
CVSS 3.1
8.2
CVE-2026-59936 HIGH PATCH This Week

Denial of service in the pypdf Python PDF library (all versions prior to 6.14.1) allows a remote attacker to hang a consuming application by supplying a malicious PDF. A page content stream containing an unterminated inline image drives the inline-image end-marker detection logic into an infinite loop, most notably triggered during page text extraction. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects an unauthenticated, low-complexity availability attack, and a fixed release (6.14.1) is available.

Python Denial Of Service Pypdf
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-59935 HIGH PATCH This Week

Denial of service in pypdf before 6.14.2 lets a remote attacker hang any application that parses an attacker-supplied PDF: a page content stream carrying an unterminated inline image with an ASCII85 or ASCIIHex filter drives the parser into an infinite loop (CWE-835), most notably during page text extraction. The pure-Python library is very widely used in document-processing and data-ingestion pipelines, so a single malicious file can pin a CPU core and stall the worker. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the root cause is well-described and trivially reproducible.

Python Denial Of Service Pypdf
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-59939 PyPI HIGH POC PATCH This Week

Denial of service in the httplib2 Python HTTP client library (all versions prior to 0.32.0) lets a malicious or compromised HTTP server crash the client by returning a small gzip- or deflate-compressed response body that expands without bound during automatic decompression, exhausting memory and triggering a MemoryError or OS OOM-kill. Any application that uses httplib2 to fetch content from untrusted or attacker-controllable endpoints is affected. No public exploit identified at time of analysis; EPSS not provided, but the class is trivially demonstrable and the fix is a one-line-scope behavioral change shipped in 0.32.0.

Python Information Disclosure Httplib2
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-58501 PyPI MEDIUM PATCH This Month

Server-Side Request Forgery in Python Zeep 4.0.0 through 4.3.2 allows an attacker who can influence WSDL or XSD content parsed by the library to bypass the explicit `Settings.forbid_external` security control, causing the server to issue HTTP or HTTPS requests to attacker-chosen URLs via transitive xsd:import, xsd:include, wsdl:import, or lxml entity and DTD references. The vulnerability is particularly significant because it defeats a documented security setting that developers actively configure to prevent external fetching - applications relying on this control are silently unprotected. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

SSRF Python Python Zeep
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-59821 LOW PATCH Monitor

Custom Code Guardrails in LiteLLM's AI Gateway proxy prior to 1.82.0-stable permitted privileged users with guardrail management rights to submit arbitrary Python code via the production create and update API paths, which executed unsandboxed within the proxy process. Unlike the test endpoint - which enforced sandbox controls - the production paths lacked equivalent validation, enabling the injected code to access and expose secrets, API keys, and environment variables available to the running process. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; risk is highest in multi-tenant or multi-operator LiteLLM deployments where guardrail management rights are distributed.

Code Injection Python RCE Litellm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-59937 MEDIUM PATCH This Month

Uncontrolled resource consumption in pypdf prior to 6.14.0 allows unauthenticated remote attackers to cause denial of service by submitting a crafted PDF containing repeated malformed cross-reference streams. The library's XRef table recovery routine performs unbounded work on such inputs, leading to excessive CPU time consumption and effectively hanging or severely degrading any application that processes attacker-supplied PDFs. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Python Denial Of Service Pypdf
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-59938 MEDIUM PATCH This Month

Uncontrolled memory allocation in pypdf prior to 6.14.0 allows remote, unauthenticated attackers to exhaust host memory by submitting a crafted PDF containing image metadata with inflated declared sizes that vastly exceed the actual embedded image data. Any application that uses pypdf to parse untrusted PDFs is exposed; the library allocates memory proportional to the declared (attacker-controlled) size rather than the actual data length. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Python Information Disclosure Pypdf
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-59927 PyPI MEDIUM PATCH This Month

Unbounded recursion in Mistune's Include directive (all versions prior to 3.3.0) can be triggered by a pair of mutually-referencing markdown files, bypassing the cycle detector that only checks for direct self-inclusion. An attacker who can supply markdown content processed by an application using the Include directive may crash the rendering request with a Python RecursionError, resulting in a denial of service. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a confirmed fix is available in version 3.3.0.

Python Denial Of Service Mistune
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-59928 PyPI HIGH PATCH This Week

Denial of service in Mistune (the lepture Python Markdown parser) before 3.3.0 lets remote unauthenticated attackers exhaust CPU by submitting a Markdown document packed with many repeated or distinct reference-link definitions, which triggers quadratic-time processing in the block parser and its ref_links dictionary handling. Any service that renders attacker-supplied Markdown through Mistune (wikis, comment systems, docs pipelines, notebook converters) can be stalled with a single crafted input. No public exploit is identified at time of analysis and it is not in CISA KEV, but the low-complexity, no-auth vector makes weaponization trivial.

Python Denial Of Service Mistune
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-59924 PyPI MEDIUM PATCH This Month

Path traversal in Mistune's Include plugin allows reading arbitrary files from the server filesystem when processing attacker-controlled markdown. Applications using md.read() with the Include plugin on markdown content supplied by external users are exposed: a crafted include directive can escape the intended markdown base directory to access any file readable by the running process. No public exploit has been identified at time of analysis, but a vendor-released patch is available in version 3.3.0.

Python Path Traversal Mistune
NVD GitHub
CVSS 3.1
5.9
EPSS
0.3%
CVE-2026-59929 PyPI MEDIUM PATCH This Month

Cross-site scripting in Mistune prior to 3.3.0 stems from an incomplete URI scheme blocklist in the `safe_url` filter, permitting legacy and chained schemes (`feed:`, `jar:`, `livescript:`, `mocha:`, `ms-its:`, `mk:`, `res:`, `view-source:`) to pass unchecked into rendered `href` and `src` attributes. Any web application that accepts user-supplied Markdown, renders it via Mistune's HTML renderer, and serves the output to other users' browsers is exposed to stored or reflected XSS. No public exploit or CISA KEV listing has been identified at time of analysis; however, the CVSS 6.1 score with scope change (S:C) reflects genuine cross-session impact when the victim interacts with attacker-controlled content.

XSS Python Mistune
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-59925 PyPI HIGH PATCH This Week

Denial of service in Mistune, a widely used pure-Python Markdown parser, affects all versions prior to 3.3.0 where the default inline parser exhibits quadratic (O(n²)) behavior on long runs of well-formed double- or triple-asterisk emphasis pairs. Because the parser rescans forward for matching close markers from every candidate opening run, a small crafted Markdown payload forces disproportionate CPU consumption, exhausting resources on any service that renders untrusted Markdown. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and unauthenticated network vector make availability impact realistic against default configurations.

Python Denial Of Service Mistune
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-59926 PyPI MEDIUM PATCH This Month

Cross-site scripting in Mistune (Python Markdown parser) prior to version 3.2.1 allows injection of arbitrary HTML attributes via the Admonition directive's `:class:` option, critically bypassing HTMLRenderer escape mode even when it is explicitly enabled. Applications that render user-controlled Markdown with admonition directives and serve the resulting HTML to web browsers are exposed to stored or reflected XSS, enabling session hijacking, credential theft, or malicious DOM manipulation. No public exploit has been identified at time of analysis, and a vendor-released patch is available in v3.2.1.

XSS Python Mistune
NVD GitHub
CVSS 4.0
5.3
EPSS
0.3%
CVE-2026-59923 PyPI MEDIUM PATCH This Month

Cross-site scripting in Mistune Python Markdown parser (all versions before 3.3.0) allows attacker-controlled Markdown content containing percent-encoded javascript: URIs to bypass the HTMLRenderer.safe_url() URL sanitization filter and execute arbitrary script in victim browsers. The bypass works because safe_url() checks the raw string without first decoding percent-encoded characters, so schemes like %6Aavascript: or %6aVaScRiPt: evade detection while remaining valid to browsers. Any web application that renders user-supplied or attacker-influenced Markdown through Mistune and serves the output to other users is exposed. No public exploit or CISA KEV listing has been identified at time of analysis.

XSS Python Mistune
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-59930 PyPI MEDIUM PATCH This Month

Predictable heading anchor ID generation in Mistune's toc plugin (all versions prior to 3.3.0) enables same-page navigation hijacking when untrusted Markdown content is rendered. The library assigns sequential numeric identifiers (toc_0, toc_1, etc.) to headings without incorporating heading text, so any party able to inject raw HTML containing a matching id attribute can pre-empt the generated anchor and redirect table-of-contents link targets, CSS selectors, or JavaScript DOM event handlers. No public exploit identified at time of analysis, though the deterministic ID scheme makes collision trivial to engineer once content injection is possible.

Python Information Disclosure Mistune
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-59922 PyPI HIGH PATCH This Week

Denial of service in Mistune, a Python Markdown parser, affects all versions prior to 3.3.0 when the strikethrough, mark, or insert plugins are enabled. Remote attackers can submit crafted Markdown containing runs of closed tilde (~), equals (=), or caret (^) marker pairs that trigger quadratic-time scanning in the formatting plugin, exhausting CPU and rendering the parsing service unresponsive. No public exploit identified at time of analysis, and the flaw is not in CISA KEV; impact is limited to availability with no data exposure.

Python Denial Of Service Mistune
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-59890 PyPI MEDIUM PATCH This Month

Setuptools prior to 83.0.0 fails to normalize Unicode filenames before matching them against MANIFEST.in exclusion patterns on macOS APFS and HFS+ filesystems, allowing files with NFD-normalized on-disk names to silently bypass NFC-encoded exclude, global-exclude, recursive-exclude, and prune directives and be packed into Python source distributions. Python package maintainers developing on macOS face a supply chain risk: sensitive files such as credentials, private keys, or environment configs that are correctly listed in MANIFEST.in for exclusion may still appear in tarballs published to PyPI or private registries. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Python Apple Setuptools
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-15062 CRITICAL PATCH Act Now

SQL injection in the Snowflake Snowpark Python SDK (snowpark-python) before 1.53.0 lets an authenticated low-privilege Snowflake user execute SQL beyond their authorization scope, enabling cross-tenant data theft and source-database compromise. Three distinct injection points are involved - malicious source column names via DataFrameReader.dbapi(), a crafted location parameter that redirects COPY INTO in DataFrameWriter, and a backslash-single-quote bypass of normalize_path() in DataFrame.to_csv(). Rated CVSS 9.6 with a scope change; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python SQLi
NVD GitHub
CVSS 3.1
9.6
EPSS
0.3%
CVE-2026-15034 LOW Monitor

Cross-site request forgery in Flask-MonitoringDashboard up to version 5.0.2 allows a remote unauthenticated attacker to trick an authenticated dashboard user into submitting malicious state-changing requests by luring them to a crafted page. The vulnerability (CWE-352) is limited in scope to the monitoring dashboard itself with a low integrity impact and no confidentiality or availability consequence, reflected in the CVSS 4.0 score of 2.1. Exploit details have been publicly disclosed via VulDB submissions and a GitHub issue report, but no patch has been released and the project maintainer has not yet responded to the responsible disclosure.

CSRF Python
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-53553 Go HIGH POC GHSA This Week

Path traversal in Goploy's `/deploy/fileDiff` endpoint (versions <=1.17.5) enables any authenticated low-privilege member to read arbitrary files on both the Goploy host and every SFTP-managed remote server registered in the system. The dual file read returns local content in the `srcText` response field and remote server content in `distText`, multiplying the blast radius across all managed deployment targets. Publicly available exploit code exists per the GitHub Security Advisory; this is not listed in CISA KEV, but exploitation conditions are trivially met under default Goploy configuration.

Python Path Traversal Microsoft RCE Docker +1
NVD GitHub
CVSS 3.1
7.7
CVE-2026-49471 PyPI HIGH POC PATCH GHSA This Week

Remote code execution in the Oraios Serena MCP coding toolkit (prior to v1.5.2) lets a malicious webpage hijack a developer's local coding agent via DNS rebinding. Serena's built-in web dashboard runs an unauthenticated Flask API on a fixed, predictable port with no auth, no CSRF protection, and no Host-header validation, so any site the victim visits while Serena is running can write attacker-controlled content into the agent's persistent memory store; because the agent autonomously reads that memory and can invoke execute_shell_command with shell=True, this chains to code execution on the developer's machine. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list.

Authentication Bypass CSRF Python RCE Serena
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-53511 HIGH PATCH This Week

Arbitrary Python code execution in calibre (e-book manager) before 9.10.0 lets attackers run code on a victim's machine simply by having them import or edit a malicious EPUB, OPF, or PDF. The crafted file embeds a custom column definition containing a python: template inside the calibre:user_metadata field, which calibre passes unsanitized to exec() in its template formatter during routine metadata reading (Add books / Edit books). No public exploit has been identified at time of analysis, but the flaw triggers through normal user workflows, making weaponized e-book files a realistic delivery vector.

Code Injection Python RCE Calibre
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.2%
CVE-2026-53878 PyPI MEDIUM PATCH This Month

Header injection in Django's DomainNameValidator allows network attackers to inject arbitrary HTTP response headers when applications pass validator-accepted domain values directly into HTTP responses, affecting Django 6.0 before 6.0.7 and 5.2 before 5.2.16. The validator silently accepts embedded newline characters in domain name strings, enabling HTTP response splitting that can facilitate session hijacking, open redirects, or cross-site scripting against end users. No public exploit code or CISA KEV listing exists at time of analysis; practical risk is narrowed significantly by Django's HttpResponse class independently rejecting newlines, meaning only non-standard code paths are exploitable.

Code Injection Python Django
NVD
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-53877 PyPI MEDIUM PATCH This Month

Memory over-read in Django's GIS module allows unauthenticated remote attackers to potentially disclose adjacent heap memory or degrade service availability via a segmentation fault. The `django.contrib.gis.gdal.GDALRaster` class fails to correctly bound its read when constructed from a bytes object, exposing raw memory when the `vsi_buffer` property is subsequently accessed. Affects Django 6.0 before 6.0.7 and 5.2 before 5.2.16; no public exploit identified at time of analysis and not listed in CISA KEV.

Python Information Disclosure Django
NVD VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-48588 PyPI LOW PATCH Monitor

Cache poisoning in Django's UpdateCacheMiddleware and cache_page() decorator exposes private user data to unauthenticated remote attackers by incorrectly serving cached responses across different cookie contexts. Versions 6.0 before 6.0.7 and 5.2 before 5.2.16 are confirmed affected; older unsupported branches (5.0.x, 4.1.x, 3.2.x) were not evaluated but may share the flaw. No public exploit or CISA KEV listing exists at time of analysis, and the low CVSS 4.0 score of 2.3 reflects meaningful preconditions, though the data-disclosure consequence for applications serving personalized, cookie-gated content through a shared cache is concrete.

Python Information Disclosure Django
NVD VulDB
CVSS 4.0
2.3
EPSS
0.4%
CVE-2026-44512 PyPI MEDIUM POC PATCH GHSA This Month

Null pointer dereference in the ONNX Python library's version converter crashes any application that calls `onnx.version_converter.convert_version()` on a crafted model containing an Upsample node with zero inputs, producing an unrecoverable SIGSEGV. Affected versions include at minimum onnx 1.21.0 and 1.22.0, confirmed by a 107-byte public proof-of-concept; the vulnerability is part of a systemic pattern spanning eight adapters. No public active exploitation is confirmed in CISA KEV, but the trivially small PoC eliminates any meaningful exploitation barrier for threat actors targeting ML model conversion pipelines.

Python Denial Of Service Null Pointer Dereference
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-54771 PyPI HIGH PATCH GHSA This Week

Unauthorized tool invocation in the Langroid Python LLM-agent framework lets a user of an exposed chat interface directly execute server-side tool handlers by sending raw tool JSON, even when the tool was registered with use=False, handle=True. Because the dispatch path (agent_response → handle_message → get_tool_messages) never checks whether a message originated from Entity.USER versus Entity.LLM, the use=False guard — which developers reasonably assume blocks end-user invocation — only stops the LLM from emitting the tool, not a user from calling it. A working PoC exists in the advisory (publicly available exploit code exists); depending on which handled tools are enabled, this yields file read/write, database queries, or access to internal orchestration tools.

Python Information Disclosure
NVD GitHub
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-54769 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in the Langroid Python LLM-agent framework allows an attacker who can influence LLM prompts to escape the intended sandbox and run arbitrary OS commands on the host. The flaw affects TableChatAgent.pandas_eval() and the VectorStore base class, which pass LLM-generated expressions to Python's eval() with an empty locals dict but an unscrubbed globals dict, leaving __builtins__ implicitly available. A full working proof-of-concept is included in the advisory (publicly available exploit code exists); CVSS is scored 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), though real-world exploitation is gated on the non-default full_eval=True setting.

Code Injection Python RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.9%
CVE-2026-54760 PyPI CRITICAL PATCH GHSA Act Now

Server-side file disclosure in Langroid's SQLChatAgent (Python, pip package `langroid` <= 0.65.0) lets an attacker who can influence the agent's LLM-generated SQL bypass the `_validate_query` safety guard and execute PostgreSQL file-read functions such as `pg_read_file`. The default `allow_dangerous_operations=False` blocklist relies on a raw-text regex requiring `pg_...` names to be immediately followed by `(`, which is evaded by quoted identifiers, inline comments, or schema qualification while still parsing as a permitted SELECT. This is a bypass of the earlier CVE-2026-25879 / GHSA-pmch-g965-grmr regex fix; a working reproduction harness is published in the GHSA advisory, though there is no public exploit identified as being used in active attacks and no CISA KEV listing.

PostgreSQL SQLi Python Path Traversal
NVD GitHub
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-55379 PyPI HIGH PATCH This Week

Uncontrolled memory allocation in Python Pillow before 12.3.0 lets a crafted BDF font file exhaust available memory and crash the host application. The BdfFontFile parser trusts the attacker-supplied BBX width/height fields and hands them to Image.new() while skipping Pillow's decompression-bomb size check, so a tiny malicious font can request a huge in-memory bitmap. Impact is availability-only (denial of service); there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass Python Pillow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-55380 PyPI HIGH PATCH This Week

Denial-of-service via memory exhaustion in Python Pillow before 12.3.0 allows a crafted GD-format (.gd) image to trigger excessive C-heap allocation when opened, because GdImageFile._open() reads image dimensions straight from the GD 2.x header without invoking Pillow's Image._decompression_bomb_check() guard. Any application that loads untrusted .gd files with a vulnerable Pillow version can be crashed or driven into out-of-memory conditions. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 (availability-only impact).

Python Information Disclosure Pillow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54060 PyPI HIGH PATCH This Week

Uncontrolled memory allocation in Python Pillow before 12.3.0 allows a maliciously crafted font file to trigger excessive memory consumption and denial of service when its glyphs are compiled into a combined bitmap. FontFile.compile() builds the output image via Image.new("1", (xsize, ysize)) without invoking Pillow's decompression-bomb guard, so oversized glyph dimensions are allocated unchecked during conversion or saving. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the availability-only impact (CVSS 7.5) reflects resource exhaustion rather than code execution or data disclosure.

Python Information Disclosure Pillow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54059 PyPI HIGH PATCH This Week

Uncontrolled memory allocation in the Python Pillow imaging library (all versions prior to 12.3.0) allows a crafted PCF bitmap font to exhaust process memory and crash the host application. The PcfFontFile bitmap loader trusts attacker-supplied glyph dimensions from the font's METRICS section and hands them straight to Image.frombytes() while skipping Pillow's decompression-bomb guard. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is an availability-only denial of service (CVSS 7.5), not the information disclosure implied by the source tag.

Python Information Disclosure Pillow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-55798 PyPI MEDIUM PATCH This Month

Command injection in Pillow's WindowsViewer component (all versions prior to 12.3.0) allows arbitrary cmd.exe command execution when a user opens an image with a crafted filename containing shell metacharacters. The root cause is in WindowsViewer.get_command(), which embeds an unsanitized file path directly into an f-string and passes the result to subprocess.Popen with shell=True on Windows. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Command Injection Python Pillow
NVD GitHub VulDB
CVSS 3.1
4.5
EPSS
0.1%
CVE-2026-55786 PyPI HIGH POC PATCH GHSA This Week

Unauthenticated OS command execution in flyto-core (Python package, confirmed on 2.26.2) allows any client that can reach the HTTP MCP endpoint (POST /mcp) to run arbitrary shell commands as the server process. The JSON-RPC tools/call handler lacks the require_auth dependency present on the equivalent REST route, so an attacker can invoke execute_module against sandbox.execute_shell and reach asyncio.create_subprocess_shell with attacker-controlled input. Publicly available exploit code exists (a curl one-liner and poc.py in the advisory); there is no CISA KEV listing and no EPSS score provided, and by default the server binds to 127.0.0.1, making this a local (CVSS 8.4) issue that becomes network-exploitable only when started with --host 0.0.0.0.

Command Injection Python Authentication Bypass Docker
NVD GitHub
CVSS 3.1
8.4
CVE-2026-55787 PyPI HIGH POC PATCH GHSA This Week

Server-side request forgery in flyto-core (Python pip package) lets an authenticated workflow author bypass the built-in SSRF guard by encoding internal targets as IPv6 transition-form literals (IPv4-mapped `::ffff:127.0.0.1`, 6to4 `2002::/16`, or NAT64 `64:ff9b::/96`), causing the `http.get` atomic module and ~10 sibling fetch modules to perform outbound reads against loopback, RFC 1918, and cloud instance-metadata endpoints and return the response body. The reporter provides a full working end-to-end reproduction against a clean install of default-branch HEAD, so publicly available exploit code exists, though there is no evidence of active exploitation and no CISA KEV listing. CVSS 3.1 base is 7.1 (High); no EPSS score was supplied.

SSRF Python Google
NVD GitHub
CVSS 3.1
7.1
CVE-2022-46292 PyPI HIGH POC PATCH GHSA This Week

Python Cisco Buffer Overflow Suse
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.8%
CVE-2026-14534 PyPI HIGH PATCH This Week

Arbitrary code execution bypass in Trail of Bits fickling (versions ≤ 0.1.10) allows attackers to craft malicious pickle files that the tool's check_safety() gate rates LIKELY_SAFE with zero findings. Because the standard-library modules _posixsubprocess, site, and atexit are missing from the UNSAFE_IMPORTS denylist in fickle.py, payloads invoking _posixsubprocess.fork_exec, site.execsitecustomize, or atexit._run_exitfuncs pass the scanner and are then deserialized and executed by fickling.load(), which chains check_safety() into pickle.loads() as its security gate. No public exploit has been identified at time of analysis, and no EPSS or KEV signals are present in the input, but the advisory documents the exact bypass primitives.

Python RCE Fickling
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-71372 PyPI HIGH PATCH This Week

Security-scanner bypass in Picklescan before 0.0.33 lets attackers smuggle arbitrary-code-execution payloads past its safety checks by abusing the numpy.f2py.crackfortran.getlincoef gadget inside a pickle __reduce__ method, which the scanner fails to flag as dangerous. Because Picklescan is used to vet shared machine-learning model files, a malicious pickle passes as 'clean' and then executes attacker-controlled Python when the trusting downstream consumer deserializes it. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 score is 7.6 and the attack depends on a victim actually loading the file.

Deserialization Python RCE Picklescan
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.4%
CVE-2026-49353 npm HIGH PATCH GHSA This Week

Authentication-bypass leading to remote code execution in 9router (npm package 9router) lets attackers reach spawn-capable MCP routes that were meant to be loopback-only. This is an incomplete fix for CVE-2026-46339: the local-only gate in src/dashboardGuard.js decides 'local' from attacker-controllable Host and Origin headers instead of the TCP source address, so any proxied or tunneled (Cloudflare Tunnel / Tailscale) deployment can be tricked into treating remote requests as local. Combined with the deterministic, machine-ID-derived CLI token, a remote attacker can inject JSON-RPC into MCP child processes (node, python, npx, etc.) and execute code on the host; no public exploit identified at time of analysis, though detailed reproduction steps are published in the vendor advisory.

Authentication Bypass Python Information Disclosure RCE
NVD GitHub
CVSS 3.1
7.5
CVE-2026-52830 PyPI CRITICAL PATCH GHSA Act Now

Authentication bypass via path traversal in the fast-mcp-telegram MCP server (Python, PyPI package fast-mcp-telegram, master through release 0.19.0) lets a remote client hijack the default Telegram account without a valid bearer token. The SessionFileTokenVerifier blocks the exact reserved token 'telegram' but fails to normalize path separators, so a token like '../fast-mcp-telegram/telegram' resolves back to the default ~/.config/fast-mcp-telegram/telegram.session file and is accepted. A validation proof-of-concept is published in the advisory (publicly available exploit code exists), though there is no public exploit identified in the wild and no CISA KEV listing.

Authentication Bypass Python Path Traversal Microsoft
NVD GitHub
CVSS 3.1
9.4
EPSS
0.4%
CVE-2026-49852 PyPI HIGH POC PATCH GHSA This Week

Authentication bypass in the joserfc Python library (PyPI, versions <= 1.6.7) lets remote attackers forge valid HS256/HS384/HS512 JWTs whenever the application's verification secret resolves to an empty string or None. Because HMACAlgorithm.verify feeds the zero-length key straight into hmac.new(b'', ...) and OctKey.import_key only warns (never rejects) empty material, an attacker with no secret knowledge recomputes the identical HMAC digest and joserfc.jwt.decode accepts arbitrary forged claims (sub, admin, scopes, exp). A full working proof-of-concept is published in the advisory, though the flaw is gated on an operator-side misconfiguration (a secret sourced from an unset env var, missing DB/Redis row, or a '' fallback) rather than a default-config defect.

Authentication Bypass Python Canonical Redis
NVD GitHub VulDB
CVE-2026-50180 PyPI HIGH POC PATCH GHSA This Week

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfiltrate files from the PostgreSQL host even under the strict default config (allow_dangerous_operations=False, allowed_statement_types=['SELECT']). The _validate_query blocklist enumerates dangerous functions by exact name and misses the pg_read_file/pg_stat_file/pg_ls_*/pg_current_logfile family (plus MSSQL OPENDATASOURCE and keyword-less SQLite ATTACH), so these SELECT-shaped payloads pass both the statement-type allowlist and the regex blocklist and reach the live SQLAlchemy engine. Publicly available exploit code exists (a working PoC ships in the GHSA advisory); no public exploit identified as actively exploited and this is not in CISA KEV.

PostgreSQL Python Path Traversal Canonical Docker
NVD GitHub
CVSS 4.0
8.7
EPSS
0.7%
CVE-2026-50181 PyPI HIGH POC PATCH GHSA This Week

Path traversal in Langroid's ReadFileTool and WriteFileTool lets a tool caller escape the configured curr_dir workspace boundary by supplying '../' sequences in file_path, because the tools only chdir into curr_dir without resolving and enforcing that the final path stays inside it. Applications that expose these file tools to an LLM agent or user-influenced tool calls can have arbitrary files read or written outside the intended project/sandbox directory, exposing secrets, config, and source files or corrupting files elsewhere on the host. Publicly available exploit code exists (a working PoC is included in the report demonstrating both read and write escapes), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

Python Path Traversal Docker
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-50027 PyPI CRITICAL POC PATCH GHSA Act Now

Missing authentication in mcp-memory-service's HTTP REST server exposes every route under /api/documents/* without any credential check, even when the operator has enabled MCP_API_KEY or OAuth, so remote attackers can upload, read, and delete stored memories at will. Because the sibling /api/memories router correctly enforces auth (returning 401), the gap is an inconsistent, easily-discovered authentication boundary that grants full confidentiality, integrity, and availability impact. A working PoC and vendor GitHub Security Advisory (GHSA-84hp-mqvj-3p8h) exist, so publicly available exploit code exists, though no CISA KEV listing or EPSS score was provided.

Authentication Bypass Python Information Disclosure Docker
NVD GitHub
CVSS 3.1
9.8
CVE-2026-50143 npm HIGH POC PATCH GHSA This Week

Apify API token exfiltration in @apify/actors-mcp-server 0.10.7 lets a remote attacker steal a victim's bearer credential via URL authority injection (CWE-918/SSRF). Because getActorMCPServerURL() naively concatenates a trusted standby base URL with an attacker-controlled webServerMcpPath from an Actor definition, an Actor published with a value like '@attacker.example/mcp' causes the WHATWG URL parser to resolve the outbound connection to the attacker's host, and connectMCPClient() unconditionally forwards the victim's 'Authorization: Bearer <APIFY_TOKEN>' header there. Publicly available exploit code exists (a Docker-based PoC that captures the token on an attacker HTTPS server); no active exploitation is confirmed.

Python SSRF OpenSSL Node.js Docker +1
NVD GitHub
CVSS 3.1
8.1
CVE-2026-54263 PyPI HIGH PATCH This Week

Reflected cross-site scripting in the Wagtail Django CMS admin interface lets a low-privilege editor craft a malicious URL that executes JavaScript in the browser of a higher-privilege administrator who opens it, enabling actions to be performed with the victim's credentials. All Wagtail installations before 7.0.8, 7.3.3 and 7.4.2 are affected - the flaw lives in the dynamic image URL generator view and exists even on sites that never enabled the dynamic image serve view. No public exploit identified at time of analysis, and the issue is not reachable by anonymous site visitors without a Wagtail admin account.

XSS Python Wagtail
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVSS 6.9
MEDIUM PATCH This Month

Server-side request forgery in the strands-agents-tools elasticsearch_memory tool enables prompt-injection attacks that exfiltrate the operator's Elasticsearch API key to attacker-controlled infrastructure. Applications using strands-agents-tools prior to 0.7.0 that rely on the ELASTICSEARCH_API_KEY environment-variable fallback - rather than explicitly passing api_key - are exposed to credential theft when an attacker can influence LLM input. No public exploit code or CISA KEV listing has been identified at time of analysis, but the prompt-injection-to-SSRF primitive is well understood in the AI agent security community and the credential-theft impact warrants prompt remediation.

Python SSRF Elastic +1
NVD
CVSS 8.4
HIGH PATCH This Week

Local credential theft in the garminconnect Python library (versions <= 0.3.4) stems from writing its OAuth token store to disk without an explicit file mode, so under the default umask 022 the file garmin_tokens.json - containing the DI refresh token - is created world-readable (0o644). Any unprivileged co-tenant on a shared Linux or macOS host can read the token and exchange it at Garmin's OAuth endpoint for fresh access tokens, gaining persistent access to the victim's Garmin Connect account. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the fix in 0.3.5 is confirmed and the issue is trivially reproducible under default configuration.

Python Apple Privilege Escalation +1
NVD GitHub
CVSS 8.6
HIGH PATCH This Week

Arbitrary code execution in PraisonAI (praisonaiagents) before 1.6.78 lets an attacker who can drop a Python file into a plugin directory run their own code. The plugin manager auto-discovers and executes any .py file found in project-level or user-home .praisonai/plugins/ directories at initialization, with no code signing, integrity checks, or sandboxing. VulnCheck reported it under CWE-94; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python Path Traversal RCE +2
NVD GitHub
CVSS 8.5
HIGH PATCH This Week

Code injection in PraisonAI before 4.6.78 lets attackers who control deployment configuration achieve arbitrary Python execution because the API-server deployment generator fails to safely encode the deploy.api.host and agents_file values before emitting them into generated Python source (CWE-94). Injected expressions run when the generated API server starts or handles requests, yielding full code execution in the server process. No public exploit is identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.

Python RCE Code Injection +1
NVD GitHub
CVSS 8.1
HIGH POC PATCH This Week

Unauthenticated abuse of the operator's NetLicensing credential affects Labs64 netlicensing-mcp (FastMCP server) versions <= 0.1.5 when run in HTTP transport mode. The ApiKeyMiddleware forwards requests that carry no client API key straight to the tool handlers, and the downstream client falls back to the server-side NETLICENSING_API_KEY environment variable, so any network-reachable attacker can invoke every MCP tool (list/create/update/delete of products, licenses, licensees, tokens) under the operator's identity and account quota. Publicly available exploit code exists (a self-contained Docker/Python PoC in the advisory), no public active exploitation is confirmed, and the issue is fixed in 0.1.6.

Docker Authentication Bypass Python
NVD GitHub
CVSS 7.7
HIGH PATCH This Week

Arbitrary file write in yutu, a Go-based YouTube CLI and MCP server, lets any caller of the built-in `caption-download` MCP tool place attacker-controlled bytes at any filesystem path the yutu process can write to. The vulnerable `Caption.Download()` calls `os.Create()` on the caller-supplied `file` parameter, bypassing the `YUTU_ROOT` (`pkg.Root`/`os.OpenRoot`) confinement that every other caption write path enforces. Publicly available exploit code exists (a self-contained Docker PoC ships with the advisory); the flaw is not in CISA KEV and no active exploitation is reported, and the vendor has released a fixed version (0.10.9-dev1).

Denial Of Service Debian Python +2
NVD GitHub
CVSS 7.5
HIGH PATCH This Week

Unauthenticated remote denial of service in StacklokLabs MKP (Model Context Protocol for Kubernetes) server versions before 0.4.1 lets a single crafted `tools/call` request against the default `:8080` endpoint exhaust process memory. The `get_resource` tool accepts attacker-controlled `limitBytes`/`tailLines` values with no upper bound and streams the entire Kubernetes pod-log response into an in-memory `bytes.Buffer`, driving an OOM kill (dynamic reproduction grew RSS from 25.8 MB to 1,179.3 MB on one request). Publicly available exploit code exists in the GitHub Security Advisory; there is no public evidence of active exploitation.

Docker Kubernetes Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the pyasn1 Python ASN.1 library (versions prior to 0.6.4) allows a remote attacker to exhaust CPU and crash applications by supplying crafted BER, CER, or DER encoded data. The shared BER decoder parses long-form tags without bounding the tag ID size, so a malicious tag forces construction of an arbitrarily large integer whose processing scales quadratically, and on Python 3.11+ triggers unhandled ValueError exceptions in integer-to-string error formatting. No public exploit identified at time of analysis, though the fix commit ships proof-of-concept test cases; not listed in CISA KEV.

Python Denial Of Service Pyasn1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the pyasn1 Python ASN.1 library (all versions prior to 0.6.4) allows remote attackers to exhaust CPU by submitting a small crafted OBJECT IDENTIFIER or RELATIVE-OID whose arcs are decoded in quadratic time, so any application that calls decode() on untrusted ASN.1 data can be stalled per call; re-encoding such values triggers the same blow-up. Rated CVSS 7.5 (availability-only) with no confidentiality or integrity impact; no public exploit identified at time of analysis, though the fix commit ships a regression test that effectively demonstrates the trigger. As a foundational dependency behind LDAP, SNMP, X.509/PKI and crypto tooling across the Python ecosystem, its broad transitive reach makes this notable despite the modest severity.

Python Denial Of Service Pyasn1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Uncontrolled resource consumption in the pyasn1 Python ASN.1 library (versions prior to 0.6.4) lets remote attackers hang applications that decode untrusted BER/CER/DER data. A REAL value only a few bytes long can encode an enormous exponent; when the decoded univ.Real object is later printed, logged, compared, or converted via prettyPrint(), str(), int(), or float(), pyasn1 performs exact big-integer exponentiation that consumes excessive CPU and memory. There is no public exploit identified at time of analysis, but the network/no-auth/no-interaction, availability-only profile makes this a straightforward denial-of-service primitive; the issue is fixed in version 0.6.4.

Python Denial Of Service Pyasn1
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Out-of-bounds memory disclosure in Python Pillow before 12.3.0 lets an attacker who supplies a crafted McIdas AREA image file read adjacent process memory or crash the host application. When such a file is opened from a filename, header words control the raw-codec mmap row stride; setting it below the true row width causes later pixel operations (tobytes, getpixel, convert, save) to read past the mapped region. No public exploit is identified at time of analysis and it is not in CISA KEV, but the upstream fix, PR, and a regression test are public, making the flaw well documented.

Python Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Heap out-of-bounds write in Python Pillow prior to 12.3.0 lets an attacker who controls the rank-filter size parameter corrupt native heap memory and crash or potentially manipulate the process. ImageFilter.RankFilter.filter() calls image.expand(size // 2, size // 2) before validating the filter size, and the native ImagingExpand() routine computes output dimensions using unchecked signed-int arithmetic, so a very large odd size overflows and drives an out-of-bounds write (CWE-787). No public exploit is identified at time of analysis; the flaw is fixed in Pillow 12.3.0.

Python Buffer Overflow Memory Corruption +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Uncontrolled memory consumption in Python Pillow (PIL) versions 5.1.0 through 12.2.x allows a remote attacker to cause denial of service by supplying a small crafted PDF whose FlateDecode stream declares a large Length; PdfParser.PdfStream.decode() passes this attacker-controlled Length straight to zlib.decompress() as the bufsize with no upper bound, so a tiny file inflates into gigabytes of decompressed data and exhausts host memory. Fixed in 12.3.0 by streaming decompression with a bounded max_length. No public exploit identified at time of analysis and this CVE is not in CISA KEV, but the trigger is trivial to construct.

Python Denial Of Service Pillow
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Out-of-bounds heap read in Python Pillow's TGA RLE encoder (versions 5.2.0 through 12.2.x) lets adjacent process heap bytes leak into a generated TGA file when an application saves a mode '1' (1-bit) image using compression='tga_rle'. The flaw is an information-disclosure bug (CWE-125), fixed in 12.3.0, with no public exploit identified at time of analysis. The NVD CVSS of 7.5 (network vector) overstates practical reach because triggering the leak depends on the host application invoking this specific and unusual save path.

Python Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service and controlled heap corruption in Python's Pillow imaging library (all versions prior to 12.3.0) occurs when ImageCms.ImageCmsTransform.apply() is invoked with an output image whose mode does not match the transform's declared output mode, causing an out-of-bounds write in the native color-management code. The pre-fix code only validated the output mode and never validated the input mode, so a mismatched buffer geometry lets the C-level transform write past allocation bounds. No public exploit has been identified at time of analysis; the fix is confirmed in release 12.3.0 via the vendor security advisory GHSA-9hw9-ch79-4vh6.

Python Buffer Overflow Memory Corruption +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Python Pillow 12.0.0 through 12.2.0 lets a remote attacker hang an application by supplying a crafted EPS image whose %%BeginBinary directive declares a negative byte count, causing the EPS parser to seek backwards and re-parse the same directive forever. Any service that calls Image.open() on attacker-supplied EPS data is affected until upgraded to 12.3.0. No public exploit identified at time of analysis, though the upstream fix PR includes a test reproducer; the flaw is not listed in CISA KEV.

Python Denial Of Service Pillow
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service (and potential memory corruption) in Python Pillow before 12.3.0 arises when public image coordinate APIs - Image.paste(), Image.crop(), and Image.alpha_composite() - are handed box coordinates near the signed 32-bit integer boundary (±2**31), causing a native heap out-of-bounds write in the C imaging core. Any application that forwards untrusted coordinate values into these calls can be crashed, and the OOB write raises the theoretical prospect of heap corruption. No public exploit identified at time of analysis; the fix (integer-overflow-safe int64_t arithmetic) shipped in 12.3.0.

Python Buffer Overflow Integer Overflow +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in Python Pillow (versions 8.2.0 through 12.2.0) allows remote attackers to exhaust memory during JPEG2000 decoding, causing out-of-memory failures in any application that decodes untrusted images. The flaw stems from Pillow's JPEG2000 decoder summing tile widths across the whole image rather than per tile, so a small crafted tiled file forces disproportionately large transient allocations. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the upstream fix (12.3.0) and a public PR/commit make the root cause fully transparent.

Python Information Disclosure Pillow
NVD GitHub
EPSS 0% CVSS 3.1
LOW Monitor

Symlink entries in malicious tar archives bypass the `filter_safe_tarinfos` validation in Keras 3.12.0, enabling directory escape that can read or overwrite arbitrary files on the host filesystem. The root defect is in `keras/src/utils/file_utils.py`, where `is_path_in_dir` path containment checks are applied only to regular file entries - symlink entries are extracted without equivalent validation. The exposure is most severe on Python 3.10 and 3.11, where `filter_safe_tarinfos` is the sole extraction safeguard; no public exploit or active exploitation has been identified at time of analysis.

Python Path Traversal Keras Team Keras
NVD
CRITICAL POC PATCH Act Now

Complete account takeover in FacturaScripts (<= 2026.2) lets an unauthenticated network attacker hijack any 2FA-enabled account, including admins, by brute-forcing the /login?action=two-factor-validation endpoint. The handler issues a full session cookie on a matching TOTP without verifying the password, requiring a CSRF token, or enforcing any rate limit, and an over-wide verification window keeps ~17 codes valid at once. Publicly available exploit code exists (a working Python PoC in the GitHub advisory GHSA-c67f-gmxw-mj93); no active exploitation has been reported in CISA KEV.

PHP Python Authentication Bypass +1
NVD GitHub
CVSS 8.1
HIGH PATCH This Week

Man-in-the-middle code injection in DIRAC's grid pilot bootstrap affects the DIRACGrid Python distributed-computing framework, where the PilotWrapper explicitly disables TLS certificate validation when fetching the second-stage pilot.tar. Because both the payload and its reference checksum traverse the same unverified HTTPS channel, an attacker positioned on the grid site's network can substitute arbitrary code that runs in the pilot context with access to its proxy/credentials. No public exploit identified at time of analysis; exploitation requires an active network intercept, which the vendor notes is non-trivial, but the CVSS is 8.1 due to full CIA impact.

RCE Python
NVD GitHub
EPSS 1% CVSS 9.2
CRITICAL Act Now

Remote unauthenticated code execution in Thales CERT's "Suspicious" email-analysis application (versions 1.3.4 and earlier), dubbed "Matryoshka Mail," lets an attacker abuse path traversal in attachment handling to overwrite writable application files-Python modules, configuration, cron inputs, and runtime artifacts-yielding root-level execution inside the Django container. Because the affected code runs Python and processes attacker-supplied mail, overwriting an imported module effectively converts arbitrary file write into RCE, plus persistent denial of service and possible exposure of application secrets and integrations. No public exploit identified at time of analysis and the issue is not in CISA KEV, but it carries a CVSS 4.0 base score of 9.2 and vendor-credited discovery by Lucien Doustaly (wlayzz).

Denial Of Service Path Traversal RCE +2
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating the LLM that drives the CodeAgent component. Because CodeAgent._execute_python() runs LLM-generated code with no AST validation, import restrictions, or sandbox, an attacker who can shape model output via prompt injection can exfiltrate all environment secrets and gain full control of the agent host. VulnCheck reports the flaw with a maximum CVSS 4.0 score of 10.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Code Injection Python RCE +1
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH Act Now

Authenticated arbitrary file write in OpenPLC Runtime v3 lets a logged-in user of the legacy web UI escalate to native code execution on the host running the automation controller. The program-upload workflow stores the attacker-supplied prog_file filename in the Programs.File database field and later reuses it unvalidated as a destination path; because Python os.path.join() honors absolute paths, files can be written anywhere the webserver process can write. Reported by ICS-CERT (CISA ICS advisory ICSA-26-190-01); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python RCE Openplc
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthorized schema disclosure in Grist Core prior to 1.7.15 allows any user with partial read access - explicitly including anonymous public users on publicly viewable documents - to retrieve table and column metadata for any widget by querying the GET /forms endpoint. The endpoint failed both to validate that the requested section was a form widget and to apply the document's configured access rules before returning metadata, meaning hidden schema structure (table names, column names, types) is fully exposed regardless of the restrictions in place. No public exploit has been identified and the vulnerability is not in CISA KEV; a vendor-released patch exists in version 1.7.15.

Python Information Disclosure Grist Core
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Stored and reflected cross-site scripting in Grist (grist-core) before 1.7.15 lets an attacker place a javascript: URL into an unvalidated link href and execute script in a victim's authenticated Grist origin on a single click. Two entry points are affected: the /welcome/select-account page reflects its next query parameter into account-button links, and the GristDocTour table's Link_URL column renders as a clickable tour button, so a document editor can plant a payload that runs when another user opens the document. Because the script executes as the victim, it can drive Grist APIs to read or modify data and change sharing/access rules, letting an editor escalate to owner-level control. There is no public exploit identified at time of analysis and it is not in CISA KEV.

XSS Python Grist Core
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Stored and reflected cross-site scripting in Grist (grist-core) prior to 1.7.15 lets a document editor inject script into a document's name or description that executes when higher-privileged users open the document, and lets attackers abuse the OAuth2 end-of-flow page's reflected openerOrigin parameter. Because the injected script runs in the victim's authenticated Grist origin, a mere document editor can read or modify data, alter sharing settings and access rules, and escalate to owner-level control. No public exploit identified at time of analysis; the issue is CWE-79 and is fixed upstream in the tagged 1.7.15 release.

XSS Python Grist Core
NVD GitHub
CVSS 7.8
HIGH POC PATCH This Week

Arbitrary Python code execution in BabelDOC (funstory-ai, pip package `babeldoc`) prior to 0.6.3 allows an attacker to run code in the context of the translation process by having a victim process a crafted PDF. The vendored pdfminer CMap loader (`cmapdb.py::_load_data`) strips only NUL bytes from a PDF-controlled CMap/Encoding name and passes it to `pickle.loads()`, so a hex-encoded absolute path in the PDF's `/Encoding` name redirects deserialization to an attacker-planted `.pickle.gz` file. A detailed, working proof-of-concept exists (publicly available exploit code exists); there is no CISA KEV listing and no public evidence of active exploitation at time of analysis.

Deserialization Python Canonical +6
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api.py run arbitrary Python, because that value is interpolated directly into an f-string that is later executed as generated server code via subprocess.Popen(). The CVSS 4.0 base score is 9.4 and the vector requires high privileges (PR:H), meaning the attacker must already be able to reach and drive the deployment API. No public exploit has been identified at time of analysis and it is not on the CISA KEV list.

Code Injection Python RCE +1
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Arbitrary Python code execution in PraisonAI (praisonaiagents) before 1.6.78 occurs when AgentFlow._resolve_pydantic_class resolves a string output_pydantic reference in a workflow step, causing the framework to import a sibling tools.py from the workflow file's directory via importlib exec_module without any sandboxing. Because this loader ignores the PRAISONAI_ALLOW_*_TOOLS environment guardrails, an attacker who supplies a malicious workflow file plus its tools.py runs code with the workflow runner's privileges the moment the workflow is executed via WorkflowManager or loaded through load_yaml. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV.

Python RCE Praisonai
NVD GitHub
MEDIUM POC PATCH This Month

Path traversal in psd-tools through v1.17.0 exposes any application processing untrusted PSD files to arbitrary file write and secondary arbitrary file read via the SmartObject API. SmartObject.save() consumes the embedded smart-object filename verbatim from the PSD binary - without basename stripping, absolute-path rejection, or directory-escape filtering - allowing a crafted PSD to write attacker-supplied bytes to any path the process can reach. A secondary issue in SmartObject.open() for external-kind objects uses the attacker-controlled fullPath descriptor as a read source, enabling file exfiltration to the write destination. A standalone proof-of-concept is publicly confirmed in the advisory; the fix is vendor-confirmed in v1.17.1 (PR #657). No public exploit identified at time of analysis beyond the advisory-embedded POC, and no CISA KEV listing was found.

Python Path Traversal Buffer Overflow +3
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Cross-user remote code execution in Open WebUI before 0.10.0 lets an authenticated user run arbitrary code interpreter Python or invoke tools inside another logged-in user's session. The get_event_call handler dispatched execute:python and execute:tool Socket.IO events to any client-supplied session_id that was merely 'connected', so an attacker who harvested a victim's socket ID via the ydoc:document:join collaboration flow could hijack that session. A proof-of-concept is indicated in the SSVC data, though the flaw is not in CISA KEV and EPSS rates near-term mass exploitation low (0.28%, 19th percentile).

Code Injection Python RCE +1
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH PATCH This Week

CPU-exhaustion denial of service in CPython's standard-library html.parser.HTMLParser lets remote attackers cause quadratic processing time by feeding a long, unterminated markup construct (comment, tag, PI, DOCTYPE, CDATA, or RAWTEXT element) incrementally in many small chunks. Any Python service that streams attacker-controlled HTML through HTMLParser.feed() is affected in all CPython versions before 3.16.0. There is no public exploit identified at time of analysis, but the fix, root cause (repeated buffer rescan and concatenation), and a triggering test case are publicly documented in the upstream pull request, making a working reproducer trivial to reconstruct.

Denial Of Service Python
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Privilege escalation and server-side code execution in Open WebUI before 0.10.0 lets a low-privileged authenticated user plant a malicious chat payload that, when a victim (typically an admin) clicks Run, executes client-side Python via Pyodide in a same-origin web worker and issues authenticated same-origin requests to admin-only endpoints. Because the requests inherit the victim's session, the attacker can reach administrative APIs and trigger server-side code execution through configured tools. No public exploit has been identified at time of analysis, and EPSS is low (0.25%), but CVSS is 9.0 with total technical impact per CISA SSVC.

XSS Python Open Webui
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Improper access control in manjurulhoque's django-job-portal allows authenticated remote attackers to manipulate the `role` argument via the `EditEmployeeProfileAPIView` endpoint, enabling unauthorized privilege escalation within the Employee Dashboard. All commits up to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f are affected under a rolling release model with no fixed version available. A publicly available proof-of-concept exploit exists via GitHub issue #91; the project maintainer has not responded to disclosure and no patch has been released.

Authentication Bypass Python Django Job Portal
NVD VulDB GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4, lets remote attackers hang a worker thread by submitting a ~300-byte attribute selector with an unterminated quoted value (e.g. '[a="xxxx...'), triggering catastrophic regular-expression backtracking in the VALUE pattern of css_parser.py. Any Python service that passes untrusted selector strings to soupsieve.compile() or Beautiful Soup's .select()/.select_one() is affected, and each added byte roughly doubles CPU time, so a handful of concurrent requests can exhaust all workers. Publicly available exploit code exists (a working PoC is embedded in the advisory), but no exploit is identified as being used in active attacks and it is not listed in CISA KEV.

Python Denial Of Service
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Memory-exhaustion denial of service in soupsieve, the CSS selector engine bundled with Beautiful Soup 4 (beautifulsoup4), lets remote unauthenticated attackers crash Python services by submitting a large comma-separated CSS selector to soupsieve.compile() or Beautiful Soup's .select()/.select_one(). Each comma-delimited item is parsed into a ~976-byte object graph with no cap on list length, so a ~500 KB selector string of 'a,a,a,...' expands to roughly 244 MB of heap (a ~488x amplification), triggering OOM kills or MemoryError. A working proof-of-concept is published in the advisory; no CISA KEV listing or in-the-wild exploitation is reported.

Kubernetes Python Denial Of Service +1
NVD GitHub
CVSS 6.5
MEDIUM POC This Month

Memory exhaustion in pyload's EventManager module allows authenticated remote attackers to cause a denial of service by sending large volumes of requests to the getEvents API endpoint with unique UUIDs. Each unique UUID causes a new Client instance to be appended to the internal clients list, but the existing clean() method that would purge inactive clients is never invoked anywhere in the codebase, resulting in unbounded memory growth. No public exploit is independently catalogued, but a functional proof-of-concept script was included in the disclosure, demonstrating that the attack can be executed with a valid API key and approximately 100,000 HTTP GET requests.

Python Denial Of Service
NVD GitHub
CVSS 4.9
MEDIUM POC This Month

SSRF protection bypass in pyload-ng allows authenticated users with link-add permissions to reach internal network endpoints - including cloud metadata services - by supplying IPv6 transition-encoded addresses that Python's `ipaddress.IPv6Address.is_global` incorrectly classifies as globally routable. The NAT64 prefix (`64:ff9b::/96`) bypass is universal across all supported Python versions (3.9-3.14); the 6to4 prefix (`2002::/16`) bypass additionally affects Python 3.9-3.11, covering the full `python_requires = >=3.9` matrix. No confirmed active exploitation (CISA KEV) has been identified, but a researcher-provided proof-of-concept demonstrates full bypass of both the `is_global_address` guard and the pycurl PREREQFUNC in `http_request.py:680`.

SSRF Python
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Arbitrary file write in the AsyncSSH Python library (versions prior to 2.23.1) allows a malicious or compromised SSH server to plant files anywhere on an SCP client's filesystem when a user initiates a file-copy operation against it. Because the SCP client trusts server-supplied filenames verbatim, a hostile server can return names containing ../ sequences to escape the intended download directory, enabling code execution or system tampering. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.

Python Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

{ENV}) unblocked, enabling escape via Python's Path.expanduser() and _expand_val() expansion. No public exploit has been identified at time of analysis, and CVSS AC:H reflects the prerequisite server-side configuration; however, successful exploitation achieves high integrity impact by enabling authentication with key material from arbitrary filesystem locations.

Python Path Traversal
NVD GitHub VulDB
CVSS 10.0
CRITICAL POC PATCH Act Now

OS command injection in Nuclio (serverless platform) versions <= 1.15.27 lets attackers run arbitrary shell commands as root inside Kubernetes CronJob pods by submitting a function with a crafted cron trigger. The controller concatenates unsanitized `event.headers` keys and `event.body` values into a `/bin/sh -c` curl string; a header key containing a double-quote breaks quoting, and a body containing `$()` triggers command substitution (strconv.Quote does not escape it). Because the Nuclio Dashboard API is unauthenticated in its default configuration, this is remotely reachable; no public exploit is identified in KEV, though a detailed, dynamically-verified PoC accompanies the advisory.

Python Kubernetes Microsoft +3
NVD GitHub
CVSS 8.2
HIGH PATCH This Week

Stored cross-site scripting in the lxml_html_clean Cleaner (≤ 0.4.4) and the bundled lxml legacy html.clean module (≤ 6.1.0) lets attackers smuggle javascript: URLs through HTML sanitization on the namespaced xlink:href attribute. When callers configure Cleaner with safe_attrs_only=False, the URL-scheme scrubber never inspects <a xlink:href="javascript:..."> inside SVG or MathML, so the payload survives and executes when a victim clicks the rendered anchor. Publicly available exploit code exists (a working reproducer ships with the advisory), but there is no public exploit identified as being used in active attacks and the issue is not in CISA KEV.

XSS Python Canonical +1
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in the pypdf Python PDF library (all versions prior to 6.14.1) allows a remote attacker to hang a consuming application by supplying a malicious PDF. A page content stream containing an unterminated inline image drives the inline-image end-marker detection logic into an infinite loop, most notably triggered during page text extraction. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects an unauthenticated, low-complexity availability attack, and a fixed release (6.14.1) is available.

Python Denial Of Service Pypdf
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in pypdf before 6.14.2 lets a remote attacker hang any application that parses an attacker-supplied PDF: a page content stream carrying an unterminated inline image with an ASCII85 or ASCIIHex filter drives the parser into an infinite loop (CWE-835), most notably during page text extraction. The pure-Python library is very widely used in document-processing and data-ingestion pipelines, so a single malicious file can pin a CPU core and stall the worker. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the root cause is well-described and trivially reproducible.

Python Denial Of Service Pypdf
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in the httplib2 Python HTTP client library (all versions prior to 0.32.0) lets a malicious or compromised HTTP server crash the client by returning a small gzip- or deflate-compressed response body that expands without bound during automatic decompression, exhausting memory and triggering a MemoryError or OS OOM-kill. Any application that uses httplib2 to fetch content from untrusted or attacker-controllable endpoints is affected. No public exploit identified at time of analysis; EPSS not provided, but the class is trivially demonstrable and the fix is a one-line-scope behavioral change shipped in 0.32.0.

Python Information Disclosure Httplib2
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Server-Side Request Forgery in Python Zeep 4.0.0 through 4.3.2 allows an attacker who can influence WSDL or XSD content parsed by the library to bypass the explicit `Settings.forbid_external` security control, causing the server to issue HTTP or HTTPS requests to attacker-chosen URLs via transitive xsd:import, xsd:include, wsdl:import, or lxml entity and DTD references. The vulnerability is particularly significant because it defeats a documented security setting that developers actively configure to prevent external fetching - applications relying on this control are silently unprotected. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

SSRF Python Python Zeep
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Custom Code Guardrails in LiteLLM's AI Gateway proxy prior to 1.82.0-stable permitted privileged users with guardrail management rights to submit arbitrary Python code via the production create and update API paths, which executed unsandboxed within the proxy process. Unlike the test endpoint - which enforced sandbox controls - the production paths lacked equivalent validation, enabling the injected code to access and expose secrets, API keys, and environment variables available to the running process. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; risk is highest in multi-tenant or multi-operator LiteLLM deployments where guardrail management rights are distributed.

Code Injection Python RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Uncontrolled resource consumption in pypdf prior to 6.14.0 allows unauthenticated remote attackers to cause denial of service by submitting a crafted PDF containing repeated malformed cross-reference streams. The library's XRef table recovery routine performs unbounded work on such inputs, leading to excessive CPU time consumption and effectively hanging or severely degrading any application that processes attacker-supplied PDFs. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Python Denial Of Service Pypdf
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Uncontrolled memory allocation in pypdf prior to 6.14.0 allows remote, unauthenticated attackers to exhaust host memory by submitting a crafted PDF containing image metadata with inflated declared sizes that vastly exceed the actual embedded image data. Any application that uses pypdf to parse untrusted PDFs is exposed; the library allocates memory proportional to the declared (attacker-controlled) size rather than the actual data length. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Python Information Disclosure Pypdf
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unbounded recursion in Mistune's Include directive (all versions prior to 3.3.0) can be triggered by a pair of mutually-referencing markdown files, bypassing the cycle detector that only checks for direct self-inclusion. An attacker who can supply markdown content processed by an application using the Include directive may crash the rendering request with a Python RecursionError, resulting in a denial of service. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a confirmed fix is available in version 3.3.0.

Python Denial Of Service Mistune
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Mistune (the lepture Python Markdown parser) before 3.3.0 lets remote unauthenticated attackers exhaust CPU by submitting a Markdown document packed with many repeated or distinct reference-link definitions, which triggers quadratic-time processing in the block parser and its ref_links dictionary handling. Any service that renders attacker-supplied Markdown through Mistune (wikis, comment systems, docs pipelines, notebook converters) can be stalled with a single crafted input. No public exploit is identified at time of analysis and it is not in CISA KEV, but the low-complexity, no-auth vector makes weaponization trivial.

Python Denial Of Service Mistune
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Path traversal in Mistune's Include plugin allows reading arbitrary files from the server filesystem when processing attacker-controlled markdown. Applications using md.read() with the Include plugin on markdown content supplied by external users are exposed: a crafted include directive can escape the intended markdown base directory to access any file readable by the running process. No public exploit has been identified at time of analysis, but a vendor-released patch is available in version 3.3.0.

Python Path Traversal Mistune
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Mistune prior to 3.3.0 stems from an incomplete URI scheme blocklist in the `safe_url` filter, permitting legacy and chained schemes (`feed:`, `jar:`, `livescript:`, `mocha:`, `ms-its:`, `mk:`, `res:`, `view-source:`) to pass unchecked into rendered `href` and `src` attributes. Any web application that accepts user-supplied Markdown, renders it via Mistune's HTML renderer, and serves the output to other users' browsers is exposed to stored or reflected XSS. No public exploit or CISA KEV listing has been identified at time of analysis; however, the CVSS 6.1 score with scope change (S:C) reflects genuine cross-session impact when the victim interacts with attacker-controlled content.

XSS Python Mistune
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Mistune, a widely used pure-Python Markdown parser, affects all versions prior to 3.3.0 where the default inline parser exhibits quadratic (O(n²)) behavior on long runs of well-formed double- or triple-asterisk emphasis pairs. Because the parser rescans forward for matching close markers from every candidate opening run, a small crafted Markdown payload forces disproportionate CPU consumption, exhausting resources on any service that renders untrusted Markdown. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and unauthenticated network vector make availability impact realistic against default configurations.

Python Denial Of Service Mistune
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cross-site scripting in Mistune (Python Markdown parser) prior to version 3.2.1 allows injection of arbitrary HTML attributes via the Admonition directive's `:class:` option, critically bypassing HTMLRenderer escape mode even when it is explicitly enabled. Applications that render user-controlled Markdown with admonition directives and serve the resulting HTML to web browsers are exposed to stored or reflected XSS, enabling session hijacking, credential theft, or malicious DOM manipulation. No public exploit has been identified at time of analysis, and a vendor-released patch is available in v3.2.1.

XSS Python Mistune
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in Mistune Python Markdown parser (all versions before 3.3.0) allows attacker-controlled Markdown content containing percent-encoded javascript: URIs to bypass the HTMLRenderer.safe_url() URL sanitization filter and execute arbitrary script in victim browsers. The bypass works because safe_url() checks the raw string without first decoding percent-encoded characters, so schemes like %6Aavascript: or %6aVaScRiPt: evade detection while remaining valid to browsers. Any web application that renders user-supplied or attacker-influenced Markdown through Mistune and serves the output to other users is exposed. No public exploit or CISA KEV listing has been identified at time of analysis.

XSS Python Mistune
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Predictable heading anchor ID generation in Mistune's toc plugin (all versions prior to 3.3.0) enables same-page navigation hijacking when untrusted Markdown content is rendered. The library assigns sequential numeric identifiers (toc_0, toc_1, etc.) to headings without incorporating heading text, so any party able to inject raw HTML containing a matching id attribute can pre-empt the generated anchor and redirect table-of-contents link targets, CSS selectors, or JavaScript DOM event handlers. No public exploit identified at time of analysis, though the deterministic ID scheme makes collision trivial to engineer once content injection is possible.

Python Information Disclosure Mistune
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Mistune, a Python Markdown parser, affects all versions prior to 3.3.0 when the strikethrough, mark, or insert plugins are enabled. Remote attackers can submit crafted Markdown containing runs of closed tilde (~), equals (=), or caret (^) marker pairs that trigger quadratic-time scanning in the formatting plugin, exhausting CPU and rendering the parsing service unresponsive. No public exploit identified at time of analysis, and the flaw is not in CISA KEV; impact is limited to availability with no data exposure.

Python Denial Of Service Mistune
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Setuptools prior to 83.0.0 fails to normalize Unicode filenames before matching them against MANIFEST.in exclusion patterns on macOS APFS and HFS+ filesystems, allowing files with NFD-normalized on-disk names to silently bypass NFC-encoded exclude, global-exclude, recursive-exclude, and prune directives and be packed into Python source distributions. Python package maintainers developing on macOS face a supply chain risk: sensitive files such as credentials, private keys, or environment configs that are correctly listed in MANIFEST.in for exclusion may still appear in tarballs published to PyPI or private registries. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Python Apple +1
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

SQL injection in the Snowflake Snowpark Python SDK (snowpark-python) before 1.53.0 lets an authenticated low-privilege Snowflake user execute SQL beyond their authorization scope, enabling cross-tenant data theft and source-database compromise. Three distinct injection points are involved - malicious source column names via DataFrameReader.dbapi(), a crafted location parameter that redirects COPY INTO in DataFrameWriter, and a backslash-single-quote bypass of normalize_path() in DataFrame.to_csv(). Rated CVSS 9.6 with a scope change; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Python SQLi
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site request forgery in Flask-MonitoringDashboard up to version 5.0.2 allows a remote unauthenticated attacker to trick an authenticated dashboard user into submitting malicious state-changing requests by luring them to a crafted page. The vulnerability (CWE-352) is limited in scope to the monitoring dashboard itself with a low integrity impact and no confidentiality or availability consequence, reflected in the CVSS 4.0 score of 2.1. Exploit details have been publicly disclosed via VulDB submissions and a GitHub issue report, but no patch has been released and the project maintainer has not yet responded to the responsible disclosure.

CSRF Python
NVD GitHub VulDB
CVSS 7.7
HIGH POC This Week

Path traversal in Goploy's `/deploy/fileDiff` endpoint (versions <=1.17.5) enables any authenticated low-privilege member to read arbitrary files on both the Goploy host and every SFTP-managed remote server registered in the system. The dual file read returns local content in the `srcText` response field and remote server content in `distText`, multiplying the blast radius across all managed deployment targets. Publicly available exploit code exists per the GitHub Security Advisory; this is not listed in CISA KEV, but exploitation conditions are trivially met under default Goploy configuration.

Python Path Traversal Microsoft +3
NVD GitHub
EPSS 0% CVSS 8.3
HIGH POC PATCH This Week

Remote code execution in the Oraios Serena MCP coding toolkit (prior to v1.5.2) lets a malicious webpage hijack a developer's local coding agent via DNS rebinding. Serena's built-in web dashboard runs an unauthenticated Flask API on a fixed, predictable port with no auth, no CSRF protection, and no Host-header validation, so any site the victim visits while Serena is running can write attacker-controlled content into the agent's persistent memory store; because the agent autonomously reads that memory and can invoke execute_shell_command with shell=True, this chains to code execution on the developer's machine. No public exploit identified at time of analysis, and the flaw is not on the CISA KEV list.

Authentication Bypass CSRF Python +2
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Arbitrary Python code execution in calibre (e-book manager) before 9.10.0 lets attackers run code on a victim's machine simply by having them import or edit a malicious EPUB, OPF, or PDF. The crafted file embeds a custom column definition containing a python: template inside the calibre:user_metadata field, which calibre passes unsanitized to exec() in its template formatter during routine metadata reading (Add books / Edit books). No public exploit has been identified at time of analysis, but the flaw triggers through normal user workflows, making weaponized e-book files a realistic delivery vector.

Code Injection Python RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Header injection in Django's DomainNameValidator allows network attackers to inject arbitrary HTTP response headers when applications pass validator-accepted domain values directly into HTTP responses, affecting Django 6.0 before 6.0.7 and 5.2 before 5.2.16. The validator silently accepts embedded newline characters in domain name strings, enabling HTTP response splitting that can facilitate session hijacking, open redirects, or cross-site scripting against end users. No public exploit code or CISA KEV listing exists at time of analysis; practical risk is narrowed significantly by Django's HttpResponse class independently rejecting newlines, meaning only non-standard code paths are exploitable.

Code Injection Python Django
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Memory over-read in Django's GIS module allows unauthenticated remote attackers to potentially disclose adjacent heap memory or degrade service availability via a segmentation fault. The `django.contrib.gis.gdal.GDALRaster` class fails to correctly bound its read when constructed from a bytes object, exposing raw memory when the `vsi_buffer` property is subsequently accessed. Affects Django 6.0 before 6.0.7 and 5.2 before 5.2.16; no public exploit identified at time of analysis and not listed in CISA KEV.

Python Information Disclosure Django
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cache poisoning in Django's UpdateCacheMiddleware and cache_page() decorator exposes private user data to unauthenticated remote attackers by incorrectly serving cached responses across different cookie contexts. Versions 6.0 before 6.0.7 and 5.2 before 5.2.16 are confirmed affected; older unsupported branches (5.0.x, 4.1.x, 3.2.x) were not evaluated but may share the flaw. No public exploit or CISA KEV listing exists at time of analysis, and the low CVSS 4.0 score of 2.3 reflects meaningful preconditions, though the data-disclosure consequence for applications serving personalized, cookie-gated content through a shared cache is concrete.

Python Information Disclosure Django
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Null pointer dereference in the ONNX Python library's version converter crashes any application that calls `onnx.version_converter.convert_version()` on a crafted model containing an Upsample node with zero inputs, producing an unrecoverable SIGSEGV. Affected versions include at minimum onnx 1.21.0 and 1.22.0, confirmed by a 107-byte public proof-of-concept; the vulnerability is part of a systemic pattern spanning eight adapters. No public active exploitation is confirmed in CISA KEV, but the trivially small PoC eliminates any meaningful exploitation barrier for threat actors targeting ML model conversion pipelines.

Python Denial Of Service Null Pointer Dereference
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Unauthorized tool invocation in the Langroid Python LLM-agent framework lets a user of an exposed chat interface directly execute server-side tool handlers by sending raw tool JSON, even when the tool was registered with use=False, handle=True. Because the dispatch path (agent_response → handle_message → get_tool_messages) never checks whether a message originated from Entity.USER versus Entity.LLM, the use=False guard — which developers reasonably assume blocks end-user invocation — only stops the LLM from emitting the tool, not a user from calling it. A working PoC exists in the advisory (publicly available exploit code exists); depending on which handled tools are enabled, this yields file read/write, database queries, or access to internal orchestration tools.

Python Information Disclosure
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution in the Langroid Python LLM-agent framework allows an attacker who can influence LLM prompts to escape the intended sandbox and run arbitrary OS commands on the host. The flaw affects TableChatAgent.pandas_eval() and the VectorStore base class, which pass LLM-generated expressions to Python's eval() with an empty locals dict but an unscrubbed globals dict, leaving __builtins__ implicitly available. A full working proof-of-concept is included in the advisory (publicly available exploit code exists); CVSS is scored 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), though real-world exploitation is gated on the non-default full_eval=True setting.

Code Injection Python RCE
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Server-side file disclosure in Langroid's SQLChatAgent (Python, pip package `langroid` <= 0.65.0) lets an attacker who can influence the agent's LLM-generated SQL bypass the `_validate_query` safety guard and execute PostgreSQL file-read functions such as `pg_read_file`. The default `allow_dangerous_operations=False` blocklist relies on a raw-text regex requiring `pg_...` names to be immediately followed by `(`, which is evaded by quoted identifiers, inline comments, or schema qualification while still parsing as a permitted SELECT. This is a bypass of the earlier CVE-2026-25879 / GHSA-pmch-g965-grmr regex fix; a working reproduction harness is published in the GHSA advisory, though there is no public exploit identified as being used in active attacks and no CISA KEV listing.

PostgreSQL SQLi Python +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Uncontrolled memory allocation in Python Pillow before 12.3.0 lets a crafted BDF font file exhaust available memory and crash the host application. The BdfFontFile parser trusts the attacker-supplied BBX width/height fields and hands them to Image.new() while skipping Pillow's decompression-bomb size check, so a tiny malicious font can request a huge in-memory bitmap. Impact is availability-only (denial of service); there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass Python Pillow
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial-of-service via memory exhaustion in Python Pillow before 12.3.0 allows a crafted GD-format (.gd) image to trigger excessive C-heap allocation when opened, because GdImageFile._open() reads image dimensions straight from the GD 2.x header without invoking Pillow's Image._decompression_bomb_check() guard. Any application that loads untrusted .gd files with a vulnerable Pillow version can be crashed or driven into out-of-memory conditions. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 (availability-only impact).

Python Information Disclosure Pillow
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Uncontrolled memory allocation in Python Pillow before 12.3.0 allows a maliciously crafted font file to trigger excessive memory consumption and denial of service when its glyphs are compiled into a combined bitmap. FontFile.compile() builds the output image via Image.new("1", (xsize, ysize)) without invoking Pillow's decompression-bomb guard, so oversized glyph dimensions are allocated unchecked during conversion or saving. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the availability-only impact (CVSS 7.5) reflects resource exhaustion rather than code execution or data disclosure.

Python Information Disclosure Pillow
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Uncontrolled memory allocation in the Python Pillow imaging library (all versions prior to 12.3.0) allows a crafted PCF bitmap font to exhaust process memory and crash the host application. The PcfFontFile bitmap loader trusts attacker-supplied glyph dimensions from the font's METRICS section and hands them straight to Image.frombytes() while skipping Pillow's decompression-bomb guard. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw is an availability-only denial of service (CVSS 7.5), not the information disclosure implied by the source tag.

Python Information Disclosure Pillow
NVD GitHub VulDB
EPSS 0% CVSS 4.5
MEDIUM PATCH This Month

Command injection in Pillow's WindowsViewer component (all versions prior to 12.3.0) allows arbitrary cmd.exe command execution when a user opens an image with a crafted filename containing shell metacharacters. The root cause is in WindowsViewer.get_command(), which embeds an unsanitized file path directly into an f-string and passes the result to subprocess.Popen with shell=True on Windows. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Command Injection Python Pillow
NVD GitHub VulDB
CVSS 8.4
HIGH POC PATCH This Week

Unauthenticated OS command execution in flyto-core (Python package, confirmed on 2.26.2) allows any client that can reach the HTTP MCP endpoint (POST /mcp) to run arbitrary shell commands as the server process. The JSON-RPC tools/call handler lacks the require_auth dependency present on the equivalent REST route, so an attacker can invoke execute_module against sandbox.execute_shell and reach asyncio.create_subprocess_shell with attacker-controlled input. Publicly available exploit code exists (a curl one-liner and poc.py in the advisory); there is no CISA KEV listing and no EPSS score provided, and by default the server binds to 127.0.0.1, making this a local (CVSS 8.4) issue that becomes network-exploitable only when started with --host 0.0.0.0.

Command Injection Python Authentication Bypass +1
NVD GitHub
CVSS 7.1
HIGH POC PATCH This Week

Server-side request forgery in flyto-core (Python pip package) lets an authenticated workflow author bypass the built-in SSRF guard by encoding internal targets as IPv6 transition-form literals (IPv4-mapped `::ffff:127.0.0.1`, 6to4 `2002::/16`, or NAT64 `64:ff9b::/96`), causing the `http.get` atomic module and ~10 sibling fetch modules to perform outbound reads against loopback, RFC 1918, and cloud instance-metadata endpoints and return the response body. The reporter provides a full working end-to-end reproduction against a clean install of default-branch HEAD, so publicly available exploit code exists, though there is no evidence of active exploitation and no CISA KEV listing. CVSS 3.1 base is 7.1 (High); no EPSS score was supplied.

SSRF Python Google
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

Python Cisco Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution bypass in Trail of Bits fickling (versions ≤ 0.1.10) allows attackers to craft malicious pickle files that the tool's check_safety() gate rates LIKELY_SAFE with zero findings. Because the standard-library modules _posixsubprocess, site, and atexit are missing from the UNSAFE_IMPORTS denylist in fickle.py, payloads invoking _posixsubprocess.fork_exec, site.execsitecustomize, or atexit._run_exitfuncs pass the scanner and are then deserialized and executed by fickling.load(), which chains check_safety() into pickle.loads() as its security gate. No public exploit has been identified at time of analysis, and no EPSS or KEV signals are present in the input, but the advisory documents the exact bypass primitives.

Python RCE Fickling
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Security-scanner bypass in Picklescan before 0.0.33 lets attackers smuggle arbitrary-code-execution payloads past its safety checks by abusing the numpy.f2py.crackfortran.getlincoef gadget inside a pickle __reduce__ method, which the scanner fails to flag as dangerous. Because Picklescan is used to vet shared machine-learning model files, a malicious pickle passes as 'clean' and then executes attacker-controlled Python when the trusting downstream consumer deserializes it. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 score is 7.6 and the attack depends on a victim actually loading the file.

Deserialization Python RCE +1
NVD GitHub VulDB
CVSS 7.5
HIGH PATCH This Week

Authentication-bypass leading to remote code execution in 9router (npm package 9router) lets attackers reach spawn-capable MCP routes that were meant to be loopback-only. This is an incomplete fix for CVE-2026-46339: the local-only gate in src/dashboardGuard.js decides 'local' from attacker-controllable Host and Origin headers instead of the TCP source address, so any proxied or tunneled (Cloudflare Tunnel / Tailscale) deployment can be tricked into treating remote requests as local. Combined with the deterministic, machine-ID-derived CLI token, a remote attacker can inject JSON-RPC into MCP child processes (node, python, npx, etc.) and execute code on the host; no public exploit identified at time of analysis, though detailed reproduction steps are published in the vendor advisory.

Authentication Bypass Python Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Authentication bypass via path traversal in the fast-mcp-telegram MCP server (Python, PyPI package fast-mcp-telegram, master through release 0.19.0) lets a remote client hijack the default Telegram account without a valid bearer token. The SessionFileTokenVerifier blocks the exact reserved token 'telegram' but fails to normalize path separators, so a token like '../fast-mcp-telegram/telegram' resolves back to the default ~/.config/fast-mcp-telegram/telegram.session file and is accepted. A validation proof-of-concept is published in the advisory (publicly available exploit code exists), though there is no public exploit identified in the wild and no CISA KEV listing.

Authentication Bypass Python Path Traversal +1
NVD GitHub
HIGH POC PATCH This Week

Authentication bypass in the joserfc Python library (PyPI, versions <= 1.6.7) lets remote attackers forge valid HS256/HS384/HS512 JWTs whenever the application's verification secret resolves to an empty string or None. Because HMACAlgorithm.verify feeds the zero-length key straight into hmac.new(b'', ...) and OctKey.import_key only warns (never rejects) empty material, an attacker with no secret knowledge recomputes the identical HMAC digest and joserfc.jwt.decode accepts arbitrary forged claims (sub, admin, scopes, exp). A full working proof-of-concept is published in the advisory, though the flaw is gated on an operator-side misconfiguration (a secret sourced from an unset env var, missing DB/Redis row, or a '' fallback) rather than a default-config defect.

Authentication Bypass Python Canonical +1
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH POC PATCH This Week

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfiltrate files from the PostgreSQL host even under the strict default config (allow_dangerous_operations=False, allowed_statement_types=['SELECT']). The _validate_query blocklist enumerates dangerous functions by exact name and misses the pg_read_file/pg_stat_file/pg_ls_*/pg_current_logfile family (plus MSSQL OPENDATASOURCE and keyword-less SQLite ATTACH), so these SELECT-shaped payloads pass both the statement-type allowlist and the regex blocklist and reach the live SQLAlchemy engine. Publicly available exploit code exists (a working PoC ships in the GHSA advisory); no public exploit identified as actively exploited and this is not in CISA KEV.

PostgreSQL Python Path Traversal +2
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Path traversal in Langroid's ReadFileTool and WriteFileTool lets a tool caller escape the configured curr_dir workspace boundary by supplying '../' sequences in file_path, because the tools only chdir into curr_dir without resolving and enforcing that the final path stays inside it. Applications that expose these file tools to an LLM agent or user-influenced tool calls can have arbitrary files read or written outside the intended project/sandbox directory, exposing secrets, config, and source files or corrupting files elsewhere on the host. Publicly available exploit code exists (a working PoC is included in the report demonstrating both read and write escapes), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

Python Path Traversal Docker
NVD GitHub
CVSS 9.8
CRITICAL POC PATCH Act Now

Missing authentication in mcp-memory-service's HTTP REST server exposes every route under /api/documents/* without any credential check, even when the operator has enabled MCP_API_KEY or OAuth, so remote attackers can upload, read, and delete stored memories at will. Because the sibling /api/memories router correctly enforces auth (returning 401), the gap is an inconsistent, easily-discovered authentication boundary that grants full confidentiality, integrity, and availability impact. A working PoC and vendor GitHub Security Advisory (GHSA-84hp-mqvj-3p8h) exist, so publicly available exploit code exists, though no CISA KEV listing or EPSS score was provided.

Authentication Bypass Python Information Disclosure +1
NVD GitHub
CVSS 8.1
HIGH POC PATCH This Week

Apify API token exfiltration in @apify/actors-mcp-server 0.10.7 lets a remote attacker steal a victim's bearer credential via URL authority injection (CWE-918/SSRF). Because getActorMCPServerURL() naively concatenates a trusted standby base URL with an attacker-controlled webServerMcpPath from an Actor definition, an Actor published with a value like '@attacker.example/mcp' causes the WHATWG URL parser to resolve the outbound connection to the attacker's host, and connectMCPClient() unconditionally forwards the victim's 'Authorization: Bearer <APIFY_TOKEN>' header there. Publicly available exploit code exists (a Docker-based PoC that captures the token on an attacker HTTPS server); no active exploitation is confirmed.

Python SSRF OpenSSL +3
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Reflected cross-site scripting in the Wagtail Django CMS admin interface lets a low-privilege editor craft a malicious URL that executes JavaScript in the browser of a higher-privilege administrator who opens it, enabling actions to be performed with the victim's credentials. All Wagtail installations before 7.0.8, 7.3.3 and 7.4.2 are affected - the flaw lives in the dynamic image URL generator view and exists even on sites that never enabled the dynamic image serve view. No public exploit identified at time of analysis, and the issue is not reachable by anonymous site visitors without a Wagtail admin account.

XSS Python Wagtail
NVD GitHub
Page 1 of 24 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy