Skip to main content

Python

2165 CVEs product

Monthly

CVE-2025-48995 PyPI MEDIUM PATCH This Month

A security vulnerability in SignXML (CVSS 6.9). Remediation should follow standard vulnerability management procedures.

Python Information Disclosure Ubuntu Debian
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-48994 PyPI MEDIUM PATCH This Month

A security vulnerability in SignXML (CVSS 6.9). Remediation should follow standard vulnerability management procedures.

Python Information Disclosure Ubuntu Debian
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2018-25111 PyPI MEDIUM POC PATCH This Month

django-helpdesk before 1.0.0 allows Sensitive Data Exposure because of os.umask(0) in models.py. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Django Helpdesk
NVD GitHub
CVSS 3.1
5.1
EPSS
0.1%
CVE-2025-48889 PyPI MEDIUM POC PATCH This Month

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python File Upload Gradio
NVD GitHub
CVSS 3.1
5.3
EPSS
1.5%
CVE-2025-5279 PyPI HIGH PATCH This Month

When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Python Red Hat
NVD GitHub
CVSS 4.0
7.0
EPSS
0.2%
CVE-2025-48383 PyPI HIGH PATCH This Month

Django-Select2 is a Django integration for Select2. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
CVSS 3.1
8.2
EPSS
0.3%
CVE-2025-4280 MEDIUM Monitor

MacOS version of Poedit bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Apple Privilege Escalation Python macOS
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2025-47942 MEDIUM This Month

The Open edX Platform is a learning management platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Authentication Bypass Python
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-46725 PyPI HIGH PATCH This Month

Langroid is a Python framework to build large language model (LLM)-powered applications. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Python Langroid
NVD GitHub
CVSS 4.0
8.1
EPSS
0.4%
CVE-2025-46724 PyPI CRITICAL POC PATCH GHSA Act Now

Langroid is a Python framework to build large language model (LLM)-powered applications. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Python Langroid
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-4894 MEDIUM POC This Month

A vulnerability classified as problematic was found in calmkart Django-sso-server up to 057247929a94ffc358788a37ab99e391379a4d15. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Python Information Disclosure Django Sso Server
NVD VulDB
CVSS 4.0
6.3
EPSS
0.1%
CVE-2025-47273 PyPI HIGH POC PATCH This Month

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python RCE Path Traversal Setuptools Debian Linux +2
NVD GitHub
CVSS 4.0
7.7
EPSS
0.5%
CVE-2025-32962 PyPI MEDIUM PATCH Monitor

Flask-AppBuilder is an application development framework built on top of Flask. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Python Open Redirect Flask Appbuilder
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-47287 PyPI HIGH PATCH This Month

Tornado is a Python web framework and asynchronous networking library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Python Denial Of Service Tornado Debian Linux Red Hat +1
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2025-47928 CRITICAL This Week

Spotipy is a Python library for the Spotify Web API. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-47278 PyPI LOW PATCH Monitor

Flask is a web server gateway interface (WSGI) web application framework. Rated low severity (CVSS 1.8), this vulnerability is low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
CVSS 4.0
1.8
EPSS
0.1%
CVE-2025-1752 PyPI HIGH POC PATCH This Week

A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest(v0.12.15). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Denial Of Service Llamaindex Red Hat
NVD GitHub
CVSS 3.0
7.5
EPSS
0.2%
CVE-2025-46833 MEDIUM This Month

Programs/P73_SimplePythonEncryption.py illustrates a simple Python encryption example using the RSA Algorithm. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
CVSS 4.0
4.6
EPSS
0.1%
CVE-2025-32873 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service Django Red Hat Suse
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-46719 PyPI MEDIUM POC PATCH GHSA This Month

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python RCE XSS Open Webui
NVD GitHub
CVSS 4.0
5.4
EPSS
0.2%
CVE-2025-23254 HIGH This Week

NVIDIA TensorRT-LLM for any platform contains a vulnerability in python executor where an attacker may cause a data validation issue by local access to the TRTLLM server. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Deserialization Python RCE Nvidia
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-46656 PyPI LOW POC PATCH Monitor

python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. Rated low severity (CVSS 2.9), this vulnerability is no authentication required. Public exploit code available.

Python Information Disclosure Markdownify
NVD GitHub
CVSS 3.1
2.9
EPSS
0.1%
CVE-2025-43859 PyPI CRITICAL POC PATCH Act Now

h11 is a Python implementation of HTTP/1.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Request Smuggling Information Disclosure Red Hat Suse
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-43948 HIGH This Week

Codemers KLIMS 1.6.DEV allows Python code injection. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Command Injection
NVD GitHub
CVSS 3.1
7.3
EPSS
0.3%
CVE-2025-32434 PyPI CRITICAL POC PATCH Act Now

PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Deserialization Pytorch AI / ML
NVD GitHub
CVSS 4.0
9.3
EPSS
1.2%
CVE-2025-30714 MEDIUM PATCH This Month

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable.

Python Oracle Authentication Bypass Mysql Connectors
NVD
CVSS 3.1
4.8
EPSS
0.2%
CVE-2025-31491 HIGH POC This Week

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Open Redirect Information Disclosure Autogpt Platform
NVD GitHub
CVSS 3.1
8.6
EPSS
0.3%
CVE-2025-31490 HIGH POC PATCH This Week

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python SSRF Autogpt Platform
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-24375 MEDIUM This Month

Charmed MySQL K8s operator is a Charmed Operator for running MySQL on Kubernetes. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. No vendor patch available.

Python Information Disclosure Kubernetes
NVD GitHub
CVSS 3.1
5.0
EPSS
0.1%
CVE-2025-32375 PyPI CRITICAL POC PATCH THREAT Act Now

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 67.3%.

Python Information Disclosure RCE Deserialization Bentoml
NVD GitHub
CVSS 3.1
9.8
EPSS
67.3%
Threat
5.5
CVE-2025-32414 MEDIUM POC PATCH This Month

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. Rated medium severity (CVSS 5.6), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Python Buffer Overflow Libxml2 Red Hat Suse
NVD
CVSS 3.1
5.6
EPSS
0.2%
CVE-2025-27520 PyPI CRITICAL POC PATCH THREAT Act Now

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deserialization. The serving endpoint accepts pickled Python objects that are deserialized without validation, allowing attackers to execute arbitrary code on any BentoML inference server.

Python RCE Deserialization Bentoml
NVD GitHub
CVSS 3.1
9.8
EPSS
87.3%
Threat
6.1
CVE-2025-2945 PyPI CRITICAL POC PATCH THREAT Act Now

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoints. The query_commited and high_availability parameters are passed directly to Python's eval() function, allowing authenticated users to execute arbitrary Python code on the pgAdmin server.

RCE Code Injection Python Pgadmin 4 Suse
NVD GitHub
CVSS 3.1
9.9
EPSS
77.9%
Threat
5.8
CVE-2025-27556 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Python Denial Of Service Django Windows +2
NVD
CVSS 3.1
5.8
EPSS
0.2%
CVE-2024-39780 HIGH PATCH This Week

A YAML deserialization vulnerability was found in the Robot Operating System (ROS) 'dynparam', a command-line tool for getting, setting, and deleting parameters of a dynamically configurable node,. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Python Deserialization Robot Operating System
NVD GitHub
CVSS 3.1
7.8
EPSS
0.7%
CVE-2025-21973 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx | tx} When qstats-get operation is executed, callbacks of. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity.

Python Linux Denial Of Service Linux Kernel Red Hat +1
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-30358 PyPI HIGH PATCH This Week

Mesop is a Python-based UI framework that allows users to build web applications. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python RCE Denial Of Service
NVD GitHub
CVSS 3.1
8.1
EPSS
3.1%
CVE-2025-20233 LOW Monitor

In the Splunk App for Lookup File Editing versions below 4.0.5, a script in the app used the `chmod` and `makedirs` Python functions in a way that resulted in overly broad read and execute. Rated low severity (CVSS 2.5). No vendor patch available.

Python Information Disclosure Splunk App For Lookup File Editing Splunk
NVD
CVSS 3.1
2.5
EPSS
0.0%
CVE-2025-0508 PyPI MEDIUM PATCH This Month

A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Python Information Disclosure
NVD GitHub
CVSS 3.0
5.9
EPSS
0.1%
CVE-2024-9701 PyPI CRITICAL PATCH GHSA This Week

A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python RCE Deserialization
NVD GitHub
CVSS 3.0
9.8
EPSS
1.2%
CVE-2024-8238 PyPI HIGH POC This Week

In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Python RCE Ssti Aim
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2024-8055 HIGH This Week

Vanna v0.6.3 is vulnerable to SQL injection via Snowflake database in its file staging operations using the `PUT` and `COPY` commands. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python SQLi
NVD
CVSS 3.0
7.5
EPSS
0.1%
CVE-2024-7806 PyPI HIGH POC PATCH This Week

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE CSRF Open Webui
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-6982 PyPI HIGH PATCH This Month

A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Python
NVD GitHub
CVSS 3.0
8.4
EPSS
0.1%
CVE-2024-6866 PyPI HIGH POC PATCH This Week

corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Flask Cors Suse
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-6844 PyPI MEDIUM POC PATCH This Month

A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Authentication Bypass Flask Cors Suse
NVD
CVSS 3.0
5.3
EPSS
0.1%
CVE-2024-6839 PyPI MEDIUM POC PATCH This Month

corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Flask Cors Suse
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-12391 MEDIUM POC This Month

A vulnerability in binary-husky/gpt_academic, as of commit 310122f, allows for a Regular Expression Denial of Service (ReDoS) attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python Denial Of Service Gpt Academic
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2024-12390 HIGH POC This Week

A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Gpt Academic
NVD
CVSS 3.0
8.8
EPSS
2.6%
CVE-2024-12389 HIGH POC This Week

A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Path Traversal Gpt Academic
NVD
CVSS 3.0
8.8
EPSS
2.6%
CVE-2024-10955 PyPI MEDIUM POC This Week

A Regular Expression Denial of Service (ReDoS) vulnerability exists in gaizhenbiao/chuanhuchatgpt, as of commit 20b2e02. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python Denial Of Service Chuanhuchatgpt
NVD
CVSS 3.0
6.5
EPSS
0.1%
CVE-2024-10902 PyPI CRITICAL POC Act Now

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /v1/personal/agent/upload` is vulnerable to Arbitrary File Upload with Path Traversal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Path Traversal File Upload Db Gpt
NVD
CVSS 3.1
9.8
EPSS
3.3%
CVE-2024-10901 PyPI CRITICAL POC Act Now

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/chart/run` allows execution of arbitrary SQL queries without any access control. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE File Upload Db Gpt
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2024-10624 PyPI HIGH POC This Week

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Denial Of Service Gradio
NVD
CVSS 3.0
7.5
EPSS
0.8%
CVE-2024-10252 HIGH POC PATCH This Week

A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE SSRF Code Injection Python Dify
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2024-10188 PyPI HIGH PATCH MAL This Week

A vulnerability in BerriAI/litellm, as of commit 26c03c9, allows unauthenticated users to cause a Denial of Service (DoS) by exploiting the use of ast.literal_eval to parse user input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service
NVD GitHub
CVSS 3.0
7.5
EPSS
0.1%
CVE-2025-29780 PyPI MEDIUM This Month

Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. Rated medium severity (CVSS 5.8). No vendor patch available.

Python Information Disclosure
NVD GitHub
CVSS 4.0
5.8
EPSS
0.3%
CVE-2025-29779 PyPI MEDIUM This Month

Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. Rated medium severity (CVSS 5.4), this vulnerability is no authentication required. No vendor patch available.

Python Information Disclosure
NVD GitHub
CVSS 4.0
5.4
EPSS
0.0%
CVE-2025-2000 PyPI CRITICAL PATCH Act Now

A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats < 13. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Privilege Escalation Deserialization Qiskit
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-1550 PyPI CRITICAL POC PATCH GHSA Act Now

Keras Model.load_model can execute arbitrary code even with safe_mode=True by manipulating the config.json inside a .keras archive. An attacker can specify arbitrary Python modules and functions to be loaded during model deserialization. PoC available, patch available.

Python Red Hat RCE
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
4.8%
CVE-2025-1497 PyPI CRITICAL PATCH Act Now

PlotAI is vulnerable to remote code execution because it executes LLM-generated Python code without validation. The vendor has acknowledged the flaw by commenting out the vulnerable line but does not plan to release a formal patch, leaving users who re-enable the feature at risk.

Python RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2025-27607 HIGH POC PATCH This Week

Python JSON Logger is a JSON Formatter for Python Logging. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Python Json Logger Red Hat Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
9.3%
CVE-2025-26699 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python Denial Of Service Django Debian Linux Red Hat +1
NVD
CVSS 3.1
5.0
EPSS
1.6%
CVE-2025-27516 PyPI MEDIUM PATCH This Month

Jinja is an extensible templating engine. Rated medium severity (CVSS 5.4), this vulnerability is low attack complexity.

Python RCE Ssti Jinja Debian Linux +2
NVD GitHub
CVSS 4.0
5.4
EPSS
0.2%
CVE-2025-24023 PyPI LOW PATCH Monitor

Flask-AppBuilder is an application development framework. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Python Information Disclosure Flask Appbuilder
NVD GitHub
CVSS 3.1
3.7
EPSS
0.2%
CVE-2025-27154 PyPI HIGH POC PATCH This Week

Spotipy is a lightweight Python library for the Spotify Web API. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. Public exploit code available.

Python Privilege Escalation Spotipy Suse
NVD GitHub
CVSS 4.0
8.4
EPSS
0.2%
CVE-2022-49337 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock When user_dlm_destroy_lock failed, it didn't clean up the flags it set. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Python Oracle Information Disclosure Linux Linux Kernel +2
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-0868 npm CRITICAL POC THREAT Emergency

A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.0%.

Python RCE Code Injection
NVD GitHub Exploit-DB
CVSS 4.0
9.3
EPSS
16.0%
CVE-2025-25295 PyPI HIGH PATCH This Week

Label Studio is an open source data labeling tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Path Traversal
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2024-3220 LOW Monitor

There is a defect in the CPython standard library module “mimetypes” where on Windows the default list of known file locations are writable meaning other users can create invalid files to cause. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Python Information Disclosure Apple Windows +1
NVD
CVSS 4.0
2.3
EPSS
0.3%
CVE-2025-24836 MEDIUM This Month

With a specially crafted Python script, an attacker could send continuous startMeasurement commands over an unencrypted Bluetooth connection to the affected device. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required. No vendor patch available.

Python Information Disclosure
NVD
CVSS 4.0
6.1
EPSS
0.1%
CVE-2024-12366 PyPI CRITICAL POC This Week

PandasAI uses an interactive prompt function that is vulnerable to prompt injection and run arbitrary Python code that can lead to Remote Code Execution (RCE) instead of the intended explanation of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
5.9%
CVE-2025-26411 HIGH This Week

An authenticated attacker is able to use the Plugin Manager of the web interface of the Wattsense Bridge devices to upload malicious Python files to the device. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python File Upload
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-24016 Go CRITICAL POC KEV PATCH THREAT Act Now

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI that allows remote code execution on Wazuh management servers.

Wazuh Python Deserialization RCE Suse
NVD
CVSS 3.1
9.9
EPSS
93.9%
Threat
7.8
CVE-2025-25183 PyPI LOW PATCH Monitor

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Python Information Disclosure Vllm
NVD GitHub
CVSS 3.1
2.6
EPSS
0.3%
CVE-2025-1077 CRITICAL Act Now

A security vulnerability has been identified in the IBL Software Engineering Visual Weather and derived products (NAMIS, Aero Weather, Satellite Weather). Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Python RCE
NVD
CVSS 4.0
9.5
EPSS
1.1%
CVE-2025-24370 PyPI CRITICAL PATCH This Week

Django-Unicorn adds modern reactive component functionality to Django templates. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Authentication Bypass Python XSS
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-0938 MEDIUM PATCH This Month

The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Python Information Disclosure Red Hat Suse
NVD GitHub
CVSS 4.0
6.3
EPSS
1.5%
CVE-2025-24795 PyPI MEDIUM PATCH Monitor

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Python Snowflake Connector
NVD GitHub
CVSS 3.1
4.4
EPSS
0.1%
CVE-2025-24794 PyPI MEDIUM PATCH This Month

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Python Snowflake Connector
NVD GitHub
CVSS 3.1
6.7
EPSS
0.1%
CVE-2025-24793 PyPI HIGH PATCH This Month

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Rated high severity (CVSS 7.0). This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

Python SQLi Snowflake Connector
NVD GitHub
CVSS 3.1
7.0
EPSS
0.1%
CVE-2025-24359 PyPI HIGH PATCH This Month

ASTEVAL is an evaluator of Python expressions and statements. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Python Suse
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-22153 PyPI HIGH PATCH This Month

RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment. Rated high severity (CVSS 7.9), this vulnerability is remotely exploitable. No vendor patch available.

Memory Corruption Authentication Bypass Python
NVD GitHub
CVSS 3.1
7.9
EPSS
0.1%
CVE-2025-21548 MEDIUM This Month

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python Oracle Denial Of Service Mysql Connector Python
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-23042 PyPI HIGH POC PATCH GHSA This Week

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Authentication Bypass Python Apple Gradio +3
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2024-56374 PyPI MEDIUM PATCH This Month

An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service Django Debian Linux Red Hat +1
NVD
CVSS 3.1
5.8
EPSS
0.1%
CVE-2024-56113 HIGH This Month

Smart Toilet Lab - Motius 1.3.11 is running with debug mode turned on (DEBUG = True) and exposing sensitive information defined in Django settings file through verbose error page. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-22151 PyPI LOW PATCH Monitor

Strawberry GraphQL is a library for creating GraphQL APIs. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Memory Corruption Privilege Escalation Python Information Disclosure
NVD GitHub
CVSS 3.1
3.7
EPSS
0.2%
CVE-2025-21618 PyPI HIGH PATCH This Month

NiceGUI is an easy-to-use, Python-based UI framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-22275 CRITICAL This Week

iTerm2 3.5.6 through 3.5.10 before 3.5.11 sometimes allows remote attackers to obtain sensitive information from terminal commands by reading the /tmp/framer.txt file. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure Iterm2
NVD
CVSS 3.1
9.3
EPSS
0.1%
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

A security vulnerability in SignXML (CVSS 6.9). Remediation should follow standard vulnerability management procedures.

Python Information Disclosure Ubuntu +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

A security vulnerability in SignXML (CVSS 6.9). Remediation should follow standard vulnerability management procedures.

Python Information Disclosure Ubuntu +1
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM POC PATCH This Month

django-helpdesk before 1.0.0 allows Sensitive Data Exposure because of os.umask(0) in models.py. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Django Helpdesk
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python File Upload Gradio
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Month

When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Python +1
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Month

Django-Select2 is a Django integration for Select2. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM Monitor

MacOS version of Poedit bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. No vendor patch available.

Apple Privilege Escalation Python +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM This Month

The Open edX Platform is a learning management platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Month

Langroid is a Python framework to build large language model (LLM)-powered applications. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection Python +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Langroid is a Python framework to build large language model (LLM)-powered applications. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Python +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC This Month

A vulnerability classified as problematic was found in calmkart Django-sso-server up to 057247929a94ffc358788a37ab99e391379a4d15. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Python Information Disclosure Django Sso Server
NVD VulDB
EPSS 0% CVSS 7.7
HIGH POC PATCH This Month

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python RCE Path Traversal +4
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH Monitor

Flask-AppBuilder is an application development framework built on top of Flask. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Python Open Redirect Flask Appbuilder
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Month

Tornado is a Python web framework and asynchronous networking library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Python Denial Of Service Tornado +3
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL This Week

Spotipy is a Python library for the Spotify Web API. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 1.8
LOW PATCH Monitor

Flask is a web server gateway interface (WSGI) web application framework. Rated low severity (CVSS 1.8), this vulnerability is low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting version ~ latest(v0.12.15). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Denial Of Service Llamaindex +1
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Programs/P73_SimplePythonEncryption.py illustrates a simple Python encryption example using the RSA Algorithm. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service Django +2
NVD
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python RCE XSS +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

NVIDIA TensorRT-LLM for any platform contains a vulnerability in python executor where an attacker may cause a data validation issue by local access to the TRTLLM server. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Deserialization Python +2
NVD
EPSS 0% CVSS 2.9
LOW POC PATCH Monitor

python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. Rated low severity (CVSS 2.9), this vulnerability is no authentication required. Public exploit code available.

Python Information Disclosure Markdownify
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

h11 is a Python implementation of HTTP/1.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Request Smuggling Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

Codemers KLIMS 1.6.DEV allows Python code injection. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Command Injection
NVD GitHub
EPSS 1% CVSS 9.3
CRITICAL POC PATCH Act Now

PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Deserialization Pytorch +1
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable.

Python Oracle Authentication Bypass +1
NVD
EPSS 0% CVSS 8.6
HIGH POC This Week

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Open Redirect Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python SSRF Autogpt Platform
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM This Month

Charmed MySQL K8s operator is a Charmed Operator for running MySQL on Kubernetes. Rated medium severity (CVSS 5.0), this vulnerability is low attack complexity. No vendor patch available.

Python Information Disclosure Kubernetes
NVD GitHub
EPSS 67% 5.5 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 67.3%.

Python Information Disclosure RCE +2
NVD GitHub
EPSS 0% CVSS 5.6
MEDIUM POC PATCH This Month

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. Rated medium severity (CVSS 5.6), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Python Buffer Overflow Libxml2 +2
NVD
EPSS 87% 6.1 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deserialization. The serving endpoint accepts pickled Python objects that are deserialized without validation, allowing attackers to execute arbitrary code on any BentoML inference server.

Python RCE Deserialization +1
NVD GitHub
EPSS 78% 5.8 CVSS 9.9
CRITICAL POC PATCH THREAT Act Now

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoints. The query_commited and high_availability parameters are passed directly to Python's eval() function, allowing authenticated users to execute arbitrary Python code on the pgAdmin server.

RCE Code Injection Python +2
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

An issue was discovered in Django 5.1 before 5.1.8 and 5.0 before 5.0.14. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Python Denial Of Service +4
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

A YAML deserialization vulnerability was found in the Robot Operating System (ROS) 'dynparam', a command-line tool for getting, setting, and deleting parameters of a dynamically configurable node,. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Python Deserialization Robot Operating System
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: fix kernel panic in the bnxt_get_queue_stats{rx | tx} When qstats-get operation is executed, callbacks of. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity.

Python Linux Denial Of Service +3
NVD
EPSS 3% CVSS 8.1
HIGH PATCH This Week

Mesop is a Python-based UI framework that allows users to build web applications. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python RCE Denial Of Service
NVD GitHub
EPSS 0% CVSS 2.5
LOW Monitor

In the Splunk App for Lookup File Editing versions below 4.0.5, a script in the app used the `chmod` and `makedirs` Python functions in a way that resulted in overly broad read and execute. Rated low severity (CVSS 2.5). No vendor patch available.

Python Information Disclosure Splunk App For Lookup File Editing +1
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Python Information Disclosure
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH This Week

A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python RCE Deserialization
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC This Week

In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Python RCE Ssti +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Vanna v0.6.3 is vulnerable to SQL injection via Snowflake database in its file staging operations using the `PUT` and `COPY` commands. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python SQLi
NVD
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE CSRF +1
NVD
EPSS 0% CVSS 8.4
HIGH PATCH This Month

A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Python
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Flask Cors +1
NVD
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Authentication Bypass Flask Cors +1
NVD
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Flask Cors +1
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Month

A vulnerability in binary-husky/gpt_academic, as of commit 310122f, allows for a Regular Expression Denial of Service (ReDoS) attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python Denial Of Service Gpt Academic
NVD
EPSS 3% CVSS 8.8
HIGH POC This Week

A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Gpt Academic
NVD
EPSS 3% CVSS 8.8
HIGH POC This Week

A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Path Traversal +1
NVD
EPSS 0% CVSS 6.5
MEDIUM POC This Week

A Regular Expression Denial of Service (ReDoS) vulnerability exists in gaizhenbiao/chuanhuchatgpt, as of commit 20b2e02. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python Denial Of Service Chuanhuchatgpt
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /v1/personal/agent/upload` is vulnerable to Arbitrary File Upload with Path Traversal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Path Traversal +2
NVD
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/chart/run` allows execution of arbitrary SQL queries without any access control. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE File Upload +1
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Denial Of Service Gradio
NVD
EPSS 0% CVSS 7.2
HIGH POC PATCH This Week

A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE SSRF Code Injection +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A vulnerability in BerriAI/litellm, as of commit 26c03c9, allows unauthenticated users to cause a Denial of Service (DoS) by exploiting the use of ast.literal_eval to parse user input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM This Month

Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. Rated medium severity (CVSS 5.8). No vendor patch available.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Post-Quantum Secure Feldman's Verifiable Secret Sharing provides a Python implementation of Feldman's Verifiable Secret Sharing (VSS) scheme. Rated medium severity (CVSS 5.4), this vulnerability is no authentication required. No vendor patch available.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats < 13. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Privilege Escalation Deserialization +1
NVD
EPSS 5% CVSS 9.8
CRITICAL POC PATCH Act Now

Keras Model.load_model can execute arbitrary code even with safe_mode=True by manipulating the config.json inside a .keras archive. An attacker can specify arbitrary Python modules and functions to be loaded during model deserialization. PoC available, patch available.

Python Red Hat RCE
NVD GitHub Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

PlotAI is vulnerable to remote code execution because it executes LLM-generated Python code without validation. The vendor has acknowledged the flaw by commenting out the vulnerable line but does not plan to release a formal patch, leaving users who re-enable the feature at risk.

Python RCE
NVD GitHub
EPSS 9% CVSS 8.8
HIGH POC PATCH This Week

Python JSON Logger is a JSON Formatter for Python Logging. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Python Json Logger +2
NVD GitHub
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python Denial Of Service Django +3
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Jinja is an extensible templating engine. Rated medium severity (CVSS 5.4), this vulnerability is low attack complexity.

Python RCE Ssti +4
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Flask-AppBuilder is an application development framework. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Python Information Disclosure Flask Appbuilder
NVD GitHub
EPSS 0% CVSS 8.4
HIGH POC PATCH This Week

Spotipy is a lightweight Python library for the Spotify Web API. Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. Public exploit code available.

Python Privilege Escalation Spotipy +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock When user_dlm_destroy_lock failed, it didn't clean up the flags it set. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Python Oracle Information Disclosure +4
NVD
EPSS 16% CVSS 9.3
CRITICAL POC THREAT Emergency

A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 16.0%.

Python RCE Code Injection
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Label Studio is an open source data labeling tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Path Traversal
NVD GitHub
EPSS 0% CVSS 2.3
LOW Monitor

There is a defect in the CPython standard library module “mimetypes” where on Windows the default list of known file locations are writable meaning other users can create invalid files to cause. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Python Information Disclosure +3
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

With a specially crafted Python script, an attacker could send continuous startMeasurement commands over an unencrypted Bluetooth connection to the affected device. Rated medium severity (CVSS 6.1), this vulnerability is no authentication required. No vendor patch available.

Python Information Disclosure
NVD
EPSS 6% CVSS 9.8
CRITICAL POC This Week

PandasAI uses an interactive prompt function that is vulnerable to prompt injection and run arbitrary Python code that can lead to Remote Code Execution (RCE) instead of the intended explanation of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python RCE
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

An authenticated attacker is able to use the Plugin Manager of the web interface of the Wattsense Bridge devices to upload malicious Python files to the device. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python File Upload
NVD
EPSS 94% 7.8 CVSS 9.9
CRITICAL POC KEV PATCH THREAT Act Now

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI that allows remote code execution on Wazuh management servers.

Wazuh Python Deserialization +2
NVD
EPSS 0% CVSS 2.6
LOW PATCH Monitor

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Python Information Disclosure Vllm
NVD GitHub
EPSS 1% CVSS 9.5
CRITICAL Act Now

A security vulnerability has been identified in the IBL Software Engineering Visual Weather and derived products (NAMIS, Aero Weather, Satellite Weather). Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Python RCE
NVD
EPSS 0% CVSS 9.3
CRITICAL PATCH This Week

Django-Unicorn adds modern reactive component functionality to Django templates. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Authentication Bypass Python +1
NVD GitHub
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Python Information Disclosure Red Hat +1
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH Monitor

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Python Snowflake Connector
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Privilege Escalation Python +1
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Month

The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Rated high severity (CVSS 7.0). This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

Python SQLi Snowflake Connector
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Month

ASTEVAL is an evaluator of Python expressions and statements. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Python Suse
NVD GitHub
EPSS 0% CVSS 7.9
HIGH PATCH This Month

RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment. Rated high severity (CVSS 7.9), this vulnerability is remotely exploitable. No vendor patch available.

Memory Corruption Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python Oracle Denial Of Service +1
NVD
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Authentication Bypass Python +5
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service Django +3
NVD
EPSS 0% CVSS 7.5
HIGH This Month

Smart Toilet Lab - Motius 1.3.11 is running with debug mode turned on (DEBUG = True) and exposing sensitive information defined in Django settings file through verbose error page. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Strawberry GraphQL is a library for creating GraphQL APIs. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Memory Corruption Privilege Escalation Python +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Month

NiceGUI is an easy-to-use, Python-based UI framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL This Week

iTerm2 3.5.6 through 3.5.10 before 3.5.11 sometimes allows remote attackers to obtain sensitive information from terminal commands by reading the /tmp/framer.txt file. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure Iterm2
NVD
Prev Page 13 of 25 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy