Skip to main content

Python

2168 CVEs product

Monthly

CVE-2024-39317 PyPI MEDIUM PATCH GHSA This Month

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Python Denial Of Service Wagtail
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-5753 PyPI HIGH This Week

vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as `pg_read_file()`. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Python
NVD
CVSS 3.0
7.5
EPSS
0.6%
CVE-2024-39934 HIGH This Week

Robotmk before 2.0.1 allows a local user to escalate privileges (e.g., to SYSTEM) if automated Python environment setup is enabled, because the "shared holotree usage" feature allows any user to edit. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-4897 HIGH POC This Week

parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Python Lollms Web Ui
NVD
CVSS 3.0
8.4
EPSS
0.4%
CVE-2024-5827 CRITICAL POC Act Now

Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP Python
NVD
CVSS 3.0
9.8
EPSS
3.5%
CVE-2024-39705 PyPI CRITICAL PATCH Act Now

NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Python
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-38526 PyPI HIGH POC PATCH This Week

pdoc provides API Documentation for Python Projects. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
CVSS 3.1
7.2
EPSS
3.8%
CVE-2024-37891 PyPI MEDIUM POC PATCH This Month

urllib3 is a user-friendly HTTP client library for Python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python Information Disclosure Urllib3 Debian Linux Active Iq Unified Manager
NVD GitHub
CVSS 3.1
6.5
EPSS
1.1%
CVE-2024-0397 HIGH This Week

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Python Information Disclosure
NVD GitHub
CVSS 3.1
7.4
EPSS
0.8%
CVE-2024-38459 PyPI HIGH PATCH This Week

langchain_experimental (aka LangChain Experimental) before 0.0.61 for LangChain provides Python REPL access without an opt-in step. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Python Langchain Experimental
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-27173 CRITICAL Act Now

Remote Command program allows an attacker to get Remote Code Execution by overwriting existing Python files containing executable code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Python
NVD
CVSS 3.1
9.8
EPSS
3.2%
CVE-2024-27171 HIGH This Week

A remote attacker using the insecure upload functionality will be able to overwrite any Python file and get Remote Code Execution. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.

Privilege Escalation RCE Python
NVD
CVSS 3.1
7.4
EPSS
0.5%
CVE-2024-37014 PyPI CRITICAL POC PATCH Act Now

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Python RCE Langflow
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-5278 MEDIUM POC This Month

gaizhenbiao/chuanhuchatgpt is vulnerable to an unrestricted file upload vulnerability due to insufficient validation of uploaded file types in its `/upload` endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Python File Upload Chuanhuchatgpt
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-5124 HIGH POC This Week

A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Chuanhuchatgpt
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2024-3408 PyPI CRITICAL POC THREAT Emergency

man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass RCE Python D Tale
NVD GitHub
CVSS 3.1
9.8
EPSS
78.0%
CVE-2024-2965 PyPI MEDIUM POC PATCH This Month

A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. Rated medium severity (CVSS 4.7). Public exploit code available and no vendor patch available.

Python Denial Of Service Langchain
NVD GitHub
CVSS 3.1
4.7
EPSS
0.3%
CVE-2024-37065 PyPI HIGH This Week

Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when loaded. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Python
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-5565 PyPI HIGH This Week

The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection Python RCE
NVD
CVSS 3.1
8.1
EPSS
15.0%
CVE-2024-35228 PyPI MEDIUM PATCH This Month

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
CVSS 3.1
5.5
EPSS
0.3%
CVE-2024-36105 PyPI MEDIUM PATCH This Month

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
CVE-2024-35060 HIGH POC This Week

An issue in the YAML Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands via supplying a crafted YAML file. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Python Information Disclosure Ait Core
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-35059 PyPI HIGH POC This Week

An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Python Information Disclosure Ait Core
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-34083 PyPI MEDIUM PATCH This Month

aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Rated medium severity (CVSS 5.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-3126 HIGH POC PATCH This Week

A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifically within the 'lollms_xtts.py' script. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Python Command Injection Lollms Web Ui
NVD GitHub
CVSS 3.0
8.4
EPSS
1.3%
CVE-2024-34359 PyPI CRITICAL PATCH Act Now

llama-cpp-python is the Python bindings for llama.cpp. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Python
NVD GitHub
CVSS 3.1
9.6
EPSS
28.4%
CVE-2024-4030 HIGH This Week

On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Python Microsoft
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2024-27453 HIGH POC This Week

In Extreme XOS through 22.6.1.4, a read-only user can escalate privileges to root via a crafted HTTP POST request to the python method of the Machine-to-Machine Interface (MMI). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Python Extremexos
NVD
CVSS 3.1
8.6
EPSS
0.7%
CVE-2024-34073 PyPI HIGH PATCH This Week

sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Python Command Injection Denial Of Service
NVD GitHub
CVSS 3.1
7.8
EPSS
1.1%
CVE-2024-34072 PyPI HIGH PATCH This Week

sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Python Denial Of Service
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2024-30251 PyPI HIGH PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Aiohttp
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2024-32882 PyPI LOW PATCH Monitor

Wagtail is an open source content management system built on Django. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
2.7
EPSS
0.5%
CVE-2024-32979 PyPI MEDIUM PATCH This Month

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PostgreSQL Python Nautobot
NVD GitHub
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-32880 PyPI HIGH POC This Week

pyload is an open-source Download Manager written in pure Python. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Python File Upload Pyload
NVD GitHub
CVSS 3.1
7.2
EPSS
1.4%
CVE-2024-33664 PyPI MEDIUM POC PATCH This Month

python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Denial Of Service Python Jose
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
CVE-2024-33663 PyPI MEDIUM POC PATCH This Month

python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure SSH Python Jose
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-32879 PyPI MEDIUM PATCH This Month

Python Social Auth is a social authentication/registration mechanism. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

Python Information Disclosure
NVD GitHub
CVSS 3.1
4.9
EPSS
0.6%
CVE-2024-1681 PyPI MEDIUM POC PATCH This Month

corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Python Flask Cors
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2024-27306 PyPI MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Nginx Python Aiohttp Fedora
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2024-21090 HIGH This Week

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service Oracle Mysql Connector Python
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2024-32005 PyPI HIGH PATCH This Week

NiceGUI is an easy-to-use, Python-based UI framework. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Python
NVD GitHub
CVSS 3.1
8.2
EPSS
0.8%
CVE-2024-31988 Maven HIGH POC PATCH This Week

XWiki Platform is a generic wiki platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Python CSRF Xwiki
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-31871 HIGH This Week

IBM Security Verify Access Appliance 10.0.0 through 10.0.7 could allow a malicious actor to conduct a man in the middle attack when deploying Python scripts due to improper certificate validation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM Python Information Disclosure Security Verify Access
NVD
CVSS 3.1
8.1
EPSS
0.6%
CVE-2024-30248 PyPI HIGH PATCH This Week

Piccolo Admin is an admin interface/content management system for Python, built on top of Piccolo. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. No vendor patch available.

XSS Python
NVD GitHub
CVSS 3.1
7.7
EPSS
0.5%
CVE-2024-29189 PyPI HIGH POC PATCH This Week

PyAnsys Geometry is a Python client library for the Ansys Geometry service and other CAD Ansys products. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Python Command Injection Pyansys Geometry
NVD GitHub
CVSS 3.1
7.8
EPSS
0.3%
CVE-2024-28102 PyPI MEDIUM POC PATCH This Month

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python Denial Of Service Jwcrypto Debian Linux
NVD GitHub
CVSS 3.1
6.8
EPSS
1.0%
CVE-2024-28865 PyPI HIGH PATCH This Week

django-wiki is a wiki system for Django. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Django Wiki
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-27305 PyPI MEDIUM PATCH This Month

aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Aiosmtpd
NVD GitHub
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-26164 PyPI HIGH PATCH This Week

Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Python Microsoft Django Backend
NVD
CVSS 3.1
8.8
EPSS
2.1%
CVE-2024-2319 PyPI MEDIUM This Month

Cross-Site Scripting (XSS) vulnerability in the Django MarkdownX project, affecting version 4.0.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Python Markdownx
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-27083 PyPI MEDIUM PATCH This Month

Flask-AppBuilder is an application development framework, built on top of Flask. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Python Flask Appbuilder
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-25128 PyPI CRITICAL PATCH Act Now

Flask-AppBuilder is an application development framework, built on top of Flask. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Python Flask Appbuilder
NVD GitHub
CVSS 3.1
9.1
EPSS
0.9%
CVE-2024-25723 PyPI HIGH POC PATCH THREAT This Week

ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Python Privilege Escalation Zenml
NVD GitHub
CVSS 3.1
8.8
EPSS
70.6%
CVE-2024-27444 PyPI CRITICAL PATCH Act Now

langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Python Langchain Experimental
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-0243 PyPI HIGH POC PATCH This Week

With the following crawler configuration: ```python from bs4 import BeautifulSoup as Soup url = "https://example.com" loader = RecursiveUrlLoader( url=url, max_depth=2, extractor=lambda x: Soup(x,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

SSRF Python Langchain
NVD GitHub
CVSS 3.1
8.1
EPSS
0.5%
CVE-2024-26151 PyPI MEDIUM POC PATCH This Month

The `mjml` PyPI package, found at the `FelixSchwarz/mjml-python` GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Python Mjml Python
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2024-26130 PyPI HIGH PATCH This Week

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Python Denial Of Service Cryptography
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-23346 PyPI HIGH POC PATCH This Week

Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

RCE Python Command Injection Pymatgen
NVD GitHub Exploit-DB
CVSS 3.1
7.8
EPSS
3.8%
CVE-2024-21624 PyPI MEDIUM PATCH This Month

nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Nonebot
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-24812 MEDIUM This Month

Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Python Frappe
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-24680 PyPI HIGH PATCH This Week

An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Django
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2024-24808 PyPI MEDIUM POC PATCH This Month

pyLoad is an open-source Download Manager written in pure Python. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Open Redirect Pyload
NVD GitHub
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-50782 PyPI HIGH PATCH This Week

A flaw was found in the python-cryptography package. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Python Ansible Automation Platform Enterprise Linux Update Infrastructure +2
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2024-24762 PyPI HIGH POC PATCH This Week

`python-multipart` is a streaming multipart parser for Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Denial Of Service Python Multipart
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2024-1141 PyPI MEDIUM PATCH This Month

A vulnerability was found in python-glance-store. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Python Information Disclosure Glance Store
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-23633 PyPI MEDIUM PATCH This Month

Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XSS Python Label Studio
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-23342 PyPI HIGH POC This Week

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Python Information Disclosure Ecdsa
NVD GitHub
CVSS 3.1
7.4
EPSS
1.0%
CVE-2024-23752 PyPI CRITICAL POC Act Now

GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass RCE Python Pandasai
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2024-22416 PyPI HIGH POC PATCH This Week

pyLoad is a free and open-source Download Manager written in pure Python. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python CSRF Pyload Ng
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2024-22414 MEDIUM POC This Month

flaskBlog is a simple blog app built with Flask. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Python Flaskblog
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-52289 PyPI HIGH This Week

An issue was discovered in the flaskcode package through 0.0.8 for Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Path Traversal Flaskcode
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-52288 PyPI HIGH This Week

An issue was discovered in the flaskcode package through 0.0.8 for Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Path Traversal Flaskcode
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-21669 PyPI CRITICAL POC PATCH Act Now

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python Jwt Attack Information Disclosure Aries Cloud Agent
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2024-22195 PyPI MEDIUM PATCH This Month

Jinja is an extensible templating engine. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Python Jinja
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-22194 PyPI LOW POC PATCH Monitor

cdo-local-uuid project provides a specialized UUID-generating function that can, on user request, cause a program to generate deterministic UUIDs. Rated low severity (CVSS 2.2). Public exploit code available.

Python Information Disclosure Case Python Utilities Cdo Local Uuid Utility
NVD GitHub
CVSS 3.1
2.2
EPSS
0.0%
CVE-2024-22190 PyPI HIGH POC PATCH This Month

GitPython is a python library used to interact with Git repositories. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Microsoft Information Disclosure Python Gitpython Windows
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
CVE-2023-45139 PyPI HIGH POC PATCH This Week

fontTools is a library for manipulating fonts, written in Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python XXE Fonttools
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-21645 PyPI MEDIUM POC PATCH THREAT This Month

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 71.3%.

Python Code Injection Pyload
NVD GitHub
CVSS 3.1
5.3
EPSS
71.3%
Threat
4.7
CVE-2024-21644 PyPI HIGH POC PATCH THREAT Act Now

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint. Attackers can extract this key to forge session cookies, impersonate the administrator, and execute arbitrary code through pyLoad's plugin system.

Authentication Bypass Python Pyload
NVD GitHub
CVSS 3.1
7.5
EPSS
86.5%
Threat
5.6
CVE-2023-51663 PyPI MEDIUM PATCH This Month

Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Google Information Disclosure Microsoft Hail
NVD GitHub
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-49438 PyPI MEDIUM POC PATCH This Month

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Open Redirect Flask Security Too
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
CVE-2023-51449 PyPI HIGH POC PATCH This Week

Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Python Gradio
NVD GitHub
CVSS 3.1
7.5
EPSS
2.3%
CVE-2023-51649 PyPI MEDIUM PATCH This Month

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Python PostgreSQL Authentication Bypass Nautobot
NVD GitHub
CVSS 3.1
4.3
EPSS
0.4%
CVE-2023-50263 PyPI MEDIUM PATCH This Month

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Python PostgreSQL Nautobot
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
CVE-2023-50423 PyPI CRITICAL PATCH Act Now

SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Python Privilege Escalation Sap Xssec
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-49797 PyPI HIGH PATCH This Week

PyInstaller bundles a Python application and all its dependencies into a single package. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Python Information Disclosure Pyinstaller
NVD GitHub
CVSS 3.1
7.8
EPSS
0.3%
CVE-2023-6507 MEDIUM PATCH This Month

An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Python
NVD GitHub
CVSS 3.1
4.9
EPSS
1.3%
CVE-2023-6568 PyPI MEDIUM POC PATCH This Month

A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python XSS Mlflow
NVD GitHub
CVSS 3.1
6.1
EPSS
1.6%
CVE-2023-49297 PyPI HIGH POC PATCH This Week

PyDrive2 is a wrapper library of google-api-python-client that simplifies many common Google Drive API V2 tasks. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Python Google Deserialization Pydrive2
NVD GitHub
CVSS 3.1
7.8
EPSS
0.5%
CVE-2023-49277 PyPI MEDIUM PATCH This Month

dpaste is an open source pastebin application written in Python using the Django framework. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Python XSS Authentication Bypass Dpaste
NVD GitHub
CVSS 3.1
6.1
EPSS
0.5%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Python Denial Of Service Wagtail
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as `pg_read_file()`. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Python
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Robotmk before 2.0.1 allows a local user to escalate privileges (e.g., to SYSTEM) if automated Python environment setup is enabled, because the "shared holotree usage" feature allows any user to edit. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 8.4
HIGH POC This Week

parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Python Lollms Web Ui
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP Python
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Python
NVD GitHub
EPSS 4% CVSS 7.2
HIGH POC PATCH This Week

pdoc provides API Documentation for Python Projects. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

urllib3 is a user-friendly HTTP client library for Python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python Information Disclosure Urllib3 +2
NVD GitHub
EPSS 1% CVSS 7.4
HIGH This Week

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Race Condition Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

langchain_experimental (aka LangChain Experimental) before 0.0.61 for LangChain provides Python REPL access without an opt-in step. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Incorrect Default Permissions vulnerability could allow attackers to access resources due to overly permissive default settings.

Privilege Escalation Python Langchain Experimental
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL Act Now

Remote Command program allows an attacker to get Remote Code Execution by overwriting existing Python files containing executable code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Path Traversal Python
NVD
EPSS 0% CVSS 7.4
HIGH This Week

A remote attacker using the insecure upload functionality will be able to overwrite any Python file and get Remote Code Execution. Rated high severity (CVSS 7.4), this vulnerability is no authentication required. No vendor patch available.

Privilege Escalation RCE Python
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Python RCE +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

gaizhenbiao/chuanhuchatgpt is vulnerable to an unrestricted file upload vulnerability due to insufficient validation of uploaded file types in its `/upload` endpoint. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Python +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

A timing attack vulnerability exists in the gaizhenbiao/chuanhuchatgpt repository, specifically within the password comparison logic. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Chuanhuchatgpt
NVD GitHub
EPSS 78% CVSS 9.8
CRITICAL POC THREAT Emergency

man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass RCE Python +1
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM POC PATCH This Month

A Denial-of-Service (DoS) vulnerability exists in the `SitemapLoader` class of the `langchain-ai/langchain` repository, affecting all versions. Rated medium severity (CVSS 4.7). Public exploit code available and no vendor patch available.

Python Denial Of Service Langchain
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when loaded. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Python
NVD
EPSS 15% CVSS 8.1
HIGH This Week

The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection Python RCE
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

An issue in the YAML Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands via supplying a crafted YAML file. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Python Information Disclosure Ait Core
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Python Information Disclosure Ait Core
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Rated medium severity (CVSS 5.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure
NVD GitHub
EPSS 1% CVSS 8.4
HIGH POC PATCH This Week

A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifically within the 'lollms_xtts.py' script. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Python Command Injection +1
NVD GitHub
EPSS 28% CVSS 9.6
CRITICAL PATCH Act Now

llama-cpp-python is the Python bindings for llama.cpp. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Python
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

On Windows a directory returned by tempfile.mkdtemp() would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Python Microsoft
NVD GitHub
EPSS 1% CVSS 8.6
HIGH POC This Week

In Extreme XOS through 22.6.1.4, a read-only user can escalate privileges to root via a crafted HTTP POST request to the python method of the Machine-to-Machine Interface (MMI). Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Python Extremexos
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Python Command Injection +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Python +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Aiohttp
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Wagtail is an open source content management system built on Django. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS PostgreSQL Python +1
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

pyload is an open-source Download Manager written in pure Python. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Python File Upload +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Denial Of Service Python Jose
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure SSH +1
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

Python Social Auth is a social authentication/registration mechanism. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

Python Information Disclosure
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Python Flask Cors
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Nginx Python +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service Oracle +1
NVD
EPSS 1% CVSS 8.2
HIGH PATCH This Week

NiceGUI is an easy-to-use, Python-based UI framework. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Python
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

XWiki Platform is a generic wiki platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Python CSRF +1
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

IBM Security Verify Access Appliance 10.0.0 through 10.0.7 could allow a malicious actor to conduct a man in the middle attack when deploying Python scripts due to improper certificate validation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM Python Information Disclosure +1
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Piccolo Admin is an admin interface/content management system for Python, built on top of Piccolo. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. No vendor patch available.

XSS Python
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

PyAnsys Geometry is a Python client library for the Ansys Geometry service and other CAD Ansys products. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Python Command Injection Pyansys Geometry
NVD GitHub
EPSS 1% CVSS 6.8
MEDIUM POC PATCH This Month

JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python Denial Of Service Jwcrypto +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

django-wiki is a wiki system for Django. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Django Wiki
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Aiosmtpd
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Python Microsoft +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-Site Scripting (XSS) vulnerability in the Django MarkdownX project, affecting version 4.0.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Python Markdownx
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Flask-AppBuilder is an application development framework, built on top of Flask. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Python Flask Appbuilder
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Flask-AppBuilder is an application development framework, built on top of Flask. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Python Flask Appbuilder
NVD GitHub
EPSS 71% CVSS 8.8
HIGH POC PATCH THREAT This Week

ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Python Privilege Escalation +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-44467 fix and execute arbitrary code via the __import__, __subclasses__,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Python Langchain Experimental
NVD GitHub
EPSS 1% CVSS 8.1
HIGH POC PATCH This Week

With the following crawler configuration: ```python from bs4 import BeautifulSoup as Soup url = "https://example.com" loader = RecursiveUrlLoader( url=url, max_depth=2, extractor=lambda x: Soup(x,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

SSRF Python Langchain
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

The `mjml` PyPI package, found at the `FelixSchwarz/mjml-python` GitHub repo, is an unofficial Python port of MJML, a markup language created by Mailjet. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Python Mjml Python
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.

Null Pointer Dereference Python Denial Of Service +1
NVD GitHub
EPSS 4% CVSS 7.8
HIGH POC PATCH This Week

Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

RCE Python Command Injection +1
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Nonebot
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Python Frappe
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Django
NVD
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

pyLoad is an open-source Download Manager written in pure Python. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Open Redirect Pyload
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was found in the python-cryptography package. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Python Ansible Automation Platform +4
NVD
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

`python-multipart` is a streaming multipart parser for Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Denial Of Service Python Multipart
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A vulnerability was found in python-glance-store. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Python Information Disclosure Glance Store
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XSS Python +1
NVD GitHub
EPSS 1% CVSS 7.4
HIGH POC This Week

The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Python Information Disclosure Ecdsa
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass RCE Python +1
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

pyLoad is a free and open-source Download Manager written in pure Python. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python CSRF Pyload Ng
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

flaskBlog is a simple blog app built with Flask. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Python Flaskblog
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

An issue was discovered in the flaskcode package through 0.0.8 for Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Path Traversal Flaskcode
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An issue was discovered in the flaskcode package through 0.0.8 for Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Path Traversal Flaskcode
NVD
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python Jwt Attack Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Jinja is an extensible templating engine. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Python Jinja
NVD GitHub
EPSS 0% CVSS 2.2
LOW POC PATCH Monitor

cdo-local-uuid project provides a specialized UUID-generating function that can, on user request, cause a program to generate deterministic UUIDs. Rated low severity (CVSS 2.2). Public exploit code available.

Python Information Disclosure Case Python Utilities +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Month

GitPython is a python library used to interact with Git repositories. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Microsoft Information Disclosure Python +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

fontTools is a library for manipulating fonts, written in Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python XXE Fonttools
NVD GitHub
EPSS 71% 4.7 CVSS 5.3
MEDIUM POC PATCH THREAT This Month

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 71.3%.

Python Code Injection Pyload
NVD GitHub
EPSS 87% 5.6 CVSS 7.5
HIGH POC PATCH THREAT Act Now

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint. Attackers can extract this key to forge session cookies, impersonate the administrator, and execute arbitrary code through pyLoad's plugin system.

Authentication Bypass Python Pyload
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Google Information Disclosure +2
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Open Redirect Flask Security Too
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Python Gradio
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Python PostgreSQL Authentication Bypass +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Python PostgreSQL +1
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SAP Python Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

PyInstaller bundles a Python application and all its dependencies into a single package. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Python Information Disclosure Pyinstaller
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.

Privilege Escalation Python
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM POC PATCH This Month

A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python XSS Mlflow
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

PyDrive2 is a wrapper library of google-api-python-client that simplifies many common Google Drive API V2 tasks. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Python Google +2
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

dpaste is an open source pastebin application written in Python using the Django framework. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Python XSS Authentication Bypass +1
NVD GitHub
Prev Page 15 of 25 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy