Python
Monthly
Authorization bypass in Wagtail CMS allows authenticated low-privilege users to create translations for pages beyond their permitted scope. Versions prior to 7.0.8, 7.3.3, and 7.4.2 fail to enforce page-level permission checks when a user submits a translation request, exposing content of restricted pages to anyone holding the 'Can submit translation' permission. No public exploit code or active exploitation (CISA KEV) has been identified, but the low attack complexity and network-accessible vector make this straightforward to abuse for information disclosure.
Missing authorization on the image preview endpoint in Wagtail CMS allows any authenticated admin-panel user to render previews of images they do not have permission to access. Affected across three maintained release branches - all Wagtail versions prior to 7.0.8, 7.3.3, and 7.4.2. No public exploit has been identified at time of analysis, and exploitation is strictly bounded to users holding valid Wagtail admin credentials, making this a privileged-insider or compromised-account risk rather than an external threat.
Wagtail's Documents and Images chooser endpoint leaks asset metadata - including filenames, display names, and URLs - to authenticated admin users who have been explicitly denied collection-level choose permissions. Versions prior to 7.0.8, 7.3.3, and 7.4.2 are affected across the 7.0, 7.3, and 7.4 release branches. An attacker with a valid Wagtail admin account can enumerate restricted media assets across collections beyond their authorized scope, bypassing the collection permission model. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.
Wagtail CMS versions prior to 7.0.8, 7.3.3, and 7.4.2 expose a resource exhaustion vector where authenticated admin users can submit purposefully crafted image filter specification strings that trigger disproportionately expensive rendition processing on the server, resulting in service degradation for all site users. The vulnerability is constrained to admin-level authenticated users and cannot be triggered by ordinary unauthenticated site visitors, materially limiting real-world attack surface. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the low-priority tier for most deployments.
Local arbitrary code execution in the Cortex MCP server (neuro-cortex-memory ≥ 3.17.0) lets an attacker run Python with the victim's user privileges when the open_visualization tool trusts the Claude Code-supplied CLAUDE_PROJECT_DIR as a Cortex developer checkout. Any project a victim opens is treated as a candidate source root, and validation only checks for two trivial marker files (mcp_server/ and ui/unified-viz.html) before executing an attacker-supplied visualize_bootstrap.py via subprocess. A working PoC is included in the advisory; there is no evidence of active exploitation, and the issue is fixed in v3.17.1.
Denial of service in the msgpack-python serialization library (versions prior to 1.2.1) lets remote attackers crash a process via an out-of-bounds read when an application reuses an Unpacker instance after a previously raised error was caught. Sending malformed MessagePack data that triggers an error, then feeding further data to the same Unpacker, can drive the process to a SEGV. No public exploit has been identified at time of analysis, and EPSS data was not provided, but the CVSS 3.1 score of 7.5 (availability-only) reflects a straightforward, unauthenticated crash condition.
Memory exhaustion in pypdf prior to 6.13.3 allows unauthenticated remote attackers to cause denial of service by supplying a maliciously crafted PDF. The MAX_DECLARED_STREAM_LENGTH safety cap - designed to bound memory allocation during stream parsing - is bypassed when a PDF content stream omits the /Length value, enabling unbounded memory growth. No active exploitation is confirmed (not in CISA KEV), but the attack surface encompasses any Python application that parses attacker-supplied PDFs, a common pattern in document pipelines and web upload handlers.
The Python Code node in n8n allows authenticated workflow editors to bypass the AST security validator by crafting Python code that evades an incomplete blocklist (CWE-184), reaching the task executor module namespace. Affected self-hosted n8n deployments running versions before 2.25.7 or 2.26.x before 2.26.2 with the Python Task Runner enabled are exposed to environment variable disclosure when N8N_BLOCK_RUNNER_ENV_ACCESS is not set to restrict access, potentially leaking API keys, database credentials, or other secrets injected at process startup. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Arbitrary code execution bypass in picklescan before 0.0.29 lets attackers smuggle malicious Python pickle files past the scanner by abusing the built-in profile.Profile.run function inside a pickle __reduce__ method, which picklescan's blocklist fails to flag. Because picklescan is a defensive ML supply-chain tool meant to certify pickle/model files as safe, the flaw is a security-control evasion: a file marked 'clean' executes attacker code on deserialization. No public exploit is identified at time of analysis, and it is not in CISA KEV; the CVSS 4.0 base score is 7.6 (High).
Detection bypass in picklescan before 0.0.29 allows attackers to smuggle arbitrary-code payloads past the scanner by abusing Python's built-in trace.Trace.runctx in a pickle reduce method, so a malicious model/pickle file is rated safe yet executes code when later deserialized with pickle.load(). picklescan is a security scanner used to vet untrusted ML pickle files (notably in the Hugging Face ecosystem), so this failure defeats the very control teams rely on to catch malicious models. No public exploit identified at time of analysis and the issue is not in CISA KEV; reported by VulnCheck with a CVSS 4.0 base score of 7.6.
Unauthenticated remote code execution in Orkes Conductor (conductor-oss) versions 3.21.21 through 3.30.1 lets remote attackers run arbitrary OS commands by POSTing inline workflow definitions to the workflow API before any authentication check. The flaw stems from GraalVM script evaluators left in an unsandboxed state (HostAccess.ALL / allowAllAccess(true)), allowing JavaScript or Python expressions in INLINE, LAMBDA, DO_WHILE, and SWITCH tasks to reach Java reflection and subprocess APIs. Reported by VulnCheck; no public exploit identified at time of analysis, though a detailed vendor/researcher advisory exists.
Remote code execution in LLaMA-Factory through version 0.9.5 allows attackers who can reach the Gradio WebUI to run arbitrary Python by entering a malicious model path in the Chat or Training interfaces. Because the app forwards unvalidated user input into Hugging Face's AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True, a referenced repository's custom modeling code executes with the server process's privileges. Publicly available exploit code exists (a proof-of-concept gist plus a VulnCheck advisory), though it is not listed in CISA KEV and no in-the-wild abuse is documented in the available data.
Arbitrary file disclosure in NLTK 3.9.4 lets remote attackers read any file accessible to the Python process by passing percent-encoded path-traversal sequences (e.g. ..%2f) into nltk.data.load() or nltk.data.find(). The flaw is an incomplete fix for GitHub Issue #3504: the _UNSAFE_NO_PROTOCOL_RE guard only matches literal ../ while url2pathname() decodes the encoded form after the check runs, so the validation is bypassed. No public exploit identified at time of analysis, though it was reported through a huntr.com bounty; it is not listed in CISA KEV and no EPSS score was supplied.
Arbitrary code execution in Snowflake CLI versions prior to 3.19 lets an attacker run code in the context of any developer who bundles or deploys an attacker-supplied Snowpark project. The flaw lives in the Snowpark annotation processor callback template, where untrusted project content is interpolated directly into generated Python code (CWE-94). No public exploit has been identified at time of analysis, but the attack is straightforward and high-impact (CVSS 8.8) given that it executes with the victim's local privileges; exploitation hinges on the victim running the bundling/deployment workflow against malicious content.
Unauthenticated remote code execution affects Kestra OSS (the open-source event-driven orchestration platform) prior to versions 1.0.45 and 1.3.21, where a flawed authentication whitelist lets attackers reach protected API endpoints without credentials. The AuthenticationFilter exempts the public config endpoint using a suffix match (request.getPath().endsWith("/configs")) instead of an exact path match, so any API path ending in 'configs' bypasses Basic Auth, allowing an attacker to create and run arbitrary workflows. Because the default-enabled script-execution plugins (shell, Python) run inside the worker container as root, this escalates directly to unauthenticated RCE. Carries a maximal CVSS of 10.0; there is no public exploit identified at time of analysis.
Output manipulation in flawfinder before version 2.0.20 allows an attacker who controls repository filenames or file content to inject ANSI escape sequences into terminal output, visually hiding or falsifying scan results from human reviewers. The same untrusted-input handling gap extends to structured report generation: CSV reports and SonarQube XML output (via the output_sonar() function) can be corrupted or attribute-injected when filenames, categories, or code context contain unescaped special characters. No public exploit code is identified and the vulnerability is not in CISA KEV; however, the defense-evasion potential is meaningful for organizations running flawfinder against untrusted or adversarial repositories in CI/CD pipelines. The 'RCE' tag present in the intelligence metadata is not supported by the advisory and appears to be a mis-classification.
Memory-exhaustion denial of service in the python-socketio server (Socket.IO for Python, versions <= 5.16.1) lets remote clients pin server memory by sending binary EVENT or ACK packets while deliberately withholding one or more of the declared binary attachments. Because the server buffers the partial message and its received attachments in memory until all attachments arrive, an attacker can repeatedly open such incomplete messages to grow memory consumption unbounded and exhaust server resources. No public exploit identified at time of analysis; not listed in CISA KEV.
Denial of service in the python-engineio server (versions <= 4.13.1) allows remote unauthenticated attackers to exhaust server resources by abusing the heartbeat mechanism, which spawns a new background thread on each connection and on every PONG packet received. Synchronous servers are most at risk because each heartbeat is a physical OS thread; asynchronous deployments allocate lightweight tasks and are far less affected. No public exploit has been identified at the time of analysis, and the issue is not listed in CISA KEV; a vendor-released patch (version 4.13.2) is available.
Uncontrolled memory allocation in python-engineio (versions <= 4.13.1) lets remote attackers exhaust server memory by sending oversized messages that are loaded before any size check, causing denial of service (availability-only impact). The flaw triggers in two specific transport configurations - ASGI with long-polling POST requests, and Aiohttp with the WebSocket transport - and is fixed in 4.13.2. No public exploit identified at time of analysis, and the issue is not in CISA KEV; no EPSS score was provided.
Path traversal in Patool's safe_extract() function allows an attacker-controlled archive to write files to arbitrary locations on the filesystem when extracted by a victim running Patool before 4.0.5 on Python before 3.12. The flaw exists because the is_within_directory() helper in patoolib/programs/py_tarfile.py uses os.path.commonprefix() for character-level string prefix matching rather than path-component-level comparison, making it trivially bypassable with crafted member paths. No public exploit or CISA KEV listing has been identified at time of analysis, but the low-complexity exploitation conditions and complete integrity bypass make this a meaningful risk for affected deployments.
Privilege escalation to AWS IAM and PKI compromise in Netflix Lemur 1.9.0 (and earlier) lets any SSO-authenticated, low-privilege user chain an ACME acme_url SSRF with a creator-equality IDOR to steal the worker's AWS STS credentials and retain permanent access to issued TLS private keys. Because Lemur auto-provisions new SSO identities as active=True, any holder of a trusted federated identity can reach the vulnerable authority-creation and key-fetch endpoints. A detailed, fully reproduced proof-of-concept (Docker lab plus asciinema recording) exists publicly, though there is no public exploit identified as being used in active attacks and the issue is fixed in 1.9.2.
JWT algorithm confusion in Netflix Lemur 1.9.0 allows an attacker to control which signing algorithm the server trusts by supplying an arbitrary alg value in the unverified token header, which is passed directly to pyjwt.decode() instead of a server-pinned allowlist. On current PyJWT 2.x deployments the standalone impact is limited to audit-log blinding and a durable algorithm-downgrade primitive; full account takeover requires chaining with a separate LEMUR_TOKEN_SECRET disclosure vulnerability, after which a forged HS256 admin JWT yields HTTP 200 with role=admin. A public proof-of-concept walkthrough exists (asciinema); no active exploitation is confirmed in CISA KEV.
Cleartext password storage in Netflix Lemur's user-update service path allows any attacker who gains read access to the Lemur database, its backups, query logs, or read replicas to obtain directly usable plaintext credentials - no offline cracking required. The flaw affects all Lemur deployments running pip/lemur <= 1.9.1 and is triggered exclusively when an administrator resets a user password through the admin-gated PUT /api/1/users/<id> API endpoint. No public exploit is required: the advisory itself contains precise reproduction steps, and the side effect (immediate login failure for affected users) makes the exposure operationally detectable. No KEV listing exists at time of analysis.
Incorrect authorization in Netflix Lemur's role management API allows any authenticated role member to rewrite the membership list and rename their own role via the PUT /api/1/roles/<id> endpoint in versions up to and including 1.9.1. The RoleMemberPermission check uses OR-semantics, meaning membership of a role is sufficient to mutate it - an authorization oversight confirmed by the asymmetry with the DELETE handler on the same resource, which correctly enforces admin-only access. Exploitation enables lateral privilege escalation within a Lemur PKI deployment: a malicious role member can inject colluders into certificate or authority management roles, remove legitimate members, or rename roles. No public exploit identified at time of analysis, though detailed reproduction steps are published in the GitHub security advisory GHSA-x3vf-mgxj-7785.
Server-Side Request Forgery in Netflix Lemur's certificate verification pipeline allows an authenticated operator-role user to force the Lemur host to issue outbound HTTP requests to arbitrary internal destinations by uploading a crafted certificate whose CRL Distribution Point or OCSP responder extensions point to RFC1918 addresses, link-local endpoints (169.254.169.254), internal Kubernetes API servers, or loopback interfaces. Both `crl_verify` and `ocsp_verify` in `lemur/certificates/verify.py` pass attacker-controlled URLs directly to network sinks with no destination allow-list, scheme restriction beyond LDAP rejection, or private-address filtering. No public exploit confirmed in CISA KEV, but detailed proof-of-concept reproduction steps are published in the GitHub Security Advisory GHSA-54vg-pfh7-jq95; vendor-released patch v1.9.2 is available.
Detection bypass in picklescan through version 0.0.26 lets attackers smuggle malicious pickle payloads past the scanner by invoking idlelib.pyshell.ModifiedInterpreter.runcode from a __reduce__ method, which picklescan does not blocklist. Because organizations rely on picklescan to vet PyTorch models and serialized Python objects, a payload it marks 'safe' still achieves arbitrary command execution the moment the victim calls pickle.load(), enabling ML supply-chain attacks. Publicly available exploit code exists (GHSA-3gf5-cxq9-w223 ships a working PoC); the CVE is not in CISA KEV and EPSS data was not provided, so active exploitation is unconfirmed.
Privilege escalation via broken authorization in Netflix Lemur (versions <= 1.9.0) lets any authenticated user - including the shipped lowest-privilege `read-only` role - perform admin-only certificate-management actions. Because the `StrictRolePermission` and `AuthorityCreatorPermission` classes were instantiated with an empty Need set when their config flags were left at the default `False`, Flask-Principal's `allows()` returns True for every identity, removing the only role gate in front of CA creation, certificate upload, notification (SSRF sink) management, and domain registry edits. No public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation requires only a single low-privilege credential, making it a direct pivot to control of the PKI issuance plane.
Arbitrary Python code execution in Vim before 9.2.0699 occurs when a victim triggers Python omni-completion (omnifunc) inside a malicious buffer; the python3complete.vim and legacy pythoncomplete.vim runtime plugins reconstruct in-buffer function and class definitions and run them through Python's exec(), inserting each scope's docstring verbatim between triple quotes. Because the docstring is never escaped, a crafted docstring can close the triple-quoted literal and inject attacker-controlled Python that runs with the user's privileges. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but a regression test bundled with the fix demonstrates the breakout, confirming exploitability; EPSS data was not provided.
Uncontrolled resource consumption in the AutoGPT platform (versions before 0.6.52) lets an authenticated user crash the server through the Fill Text Template block. The block's Jinja2 SandboxedEnvironment blocks dangerous attribute access but enforces no CPU, memory, or execution-time limits, so a crafted expression can exhaust server resources and hang or crash the host. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the bug is straightforward to trigger and the vendor has shipped a fix in 0.6.52.
Uncontrolled CPU consumption in Mistune, a Python Markdown parser, allows remote unauthenticated attackers to cause denial of service against any application that renders untrusted Markdown through versions prior to 3.3.0. The flaw lives in parse_link_text, which runs a regex search inside a loop and re-scans the remaining input each iteration, yielding roughly O(n²) behavior; a tiny payload of many consecutive '[' characters can pin a CPU core. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the trigger is trivial to construct and the GitHub Security Advisory documents the root cause precisely.
Remote code execution in Feast (the open-source ML feature store) before 0.63.0 lets remote attackers run OS commands as the feast service account by sending a crafted ApplyFeatureView gRPC request to the registry server. The registry base64-decodes the user_defined_function.body field of an OnDemandFeatureView and passes it to dill.loads() before any authorization check, so no credentials are required. A publicly available exploit code exists (reported by VulnCheck via huntr) and a vendor patch is available, though the flaw is not listed in CISA KEV.
Sandbox escape in RestrictedPython (zopefoundation/RestrictedPython, GHSA-ffg3-p8fm-mjx2) allows an authenticated attacker who can execute code within the restricted Python environment to break out of that sandbox and execute arbitrary Python on the underlying host. This affects Plone deployments that rely on RestrictedPython to safely run through-the-web (TTW) Python Scripts and TALES expressions. Disclosed June 2026 as part of a coordinated Plone security release; no public exploit code or CISA KEV listing identified at time of analysis, but the 8.3 high severity and scope-changing nature make it a meaningful risk for any Zope/Plone installation where untrusted or semi-trusted users can author Python scripts.
Unauthenticated remote action execution in motionEye (pip/motioneye < 0.44.0) exposes every camera action endpoint - snapshots, recording start/stop, and administrator-configured shell scripts - to any attacker who can reach port 8765, due to a missing @BaseHandler.auth() decorator on ActionHandler.post(). Dynamically confirmed on v0.43.1 in a Docker lab environment; exploitation requires only a single HTTP POST with no credentials, headers, or user interaction. Beyond the CVSS 5.3 Medium rating, real-world impact extends to physical security bypass (PTZ, alarms, lighting controls) if action scripts are configured, and SSRF via remote camera triggering - no public exploit or CISA KEV listing is identified at time of analysis.
Arbitrary file read in motionEye versions before 0.44.0 lets remote attackers retrieve any file readable by the motionEye process by supplying an absolute path to the media playback, download, and preview handlers. The flaw stems from os.path.join() discarding the configured media directory when given an absolute path, compounded by MoviePlaybackHandler deliberately overriding Tornado's StaticFileHandler path-safety checks. A proof-of-concept exists and the CVSS 4.0 exploit-maturity is rated Proof-of-Concept, but there is no public evidence of active exploitation.
Arbitrary file exfiltration in OctoPrint versions through 1.11.7 and 2.0.0rc1-rc2 allows authenticated users with the FILE_UPLOAD permission to move any host file readable by the OctoPrint process into the upload folder, where it can then be downloaded. This is an incomplete-fix recurrence of CVE-2025-48067; reserved internal form fields can still be smuggled to Flask via query parameters or Tornado/Werkzeug parser differentials. No public exploit identified at time of analysis, and patches are available in 1.11.8 and 2.0.0rc3.
Arbitrary file write and command execution in Glances (Python system monitoring tool) versions 4.0.8 through 4.5.4 allows attackers with the ability to modify glances.conf to abuse shell-like operators (`>`, `|`, `&&`) interpreted by the `secure_popen()` function inside AMP module command configuration. The flaw bypasses the `--disable-config-exec` mitigation introduced for CVE-2026-33641, since that flag only blocks backtick execution in `config.get_value()` and not operator parsing in `secure_popen()`. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-3vwc-qwhc-3mj7), but no public exploit identified in active campaigns at time of analysis.
File descriptor exhaustion in the Gogs built-in Go SSH server allows unauthenticated remote attackers to render the SSH service completely unavailable. By opening a large number of TCP connections to the SSH port and withholding the SSH-2.0 protocol banner, an attacker forces Gogs to spawn unbounded goroutines that block indefinitely in `golang.org/x/crypto/ssh.NewServerConn`, consuming one file descriptor per connection. Once the OS `ulimit -n` ceiling is breached, the server can accept no new connections and the entire Gogs process begins failing with cascading I/O errors. No public exploitation (KEV) confirmed, but a fully functional Python PoC is publicly disclosed alongside the advisory and the fix is available in v0.14.3.
Authenticated arbitrary file write in Gogs (self-hosted Git service) versions below 0.14.3 on Linux/macOS lets a user with repository write access escape the working tree and overwrite any file the gogs UID can touch, escalating to remote code execution. The flaw stems from `UploadRepoFiles` validating symlinks only on the leaf path while sibling functions correctly walk every component; combined with a crafted multipart filename containing a literal backslash, the write is redirected through a previously committed directory symlink to targets like `~git/.ssh/authorized_keys` or `<repo>.git/hooks/post-receive`. No CISA KEV listing and no EPSS provided, but a detailed, tested proof-of-concept is published in the vendor advisory, so publicly available exploit code exists.
Improper authorization in Gogs (self-hosted Git service) versions before 0.14.3 lets a read-only user write to repositories they should only be able to fetch from. The Git Smart HTTP handler derives the access policy from the client-supplied ?service= query parameter rather than the actual RPC path, so a POST to /repo.git/git-receive-pack carrying ?service=git-upload-pack is authorized as a read while the receive-pack (push) code path still executes. A working PoC is published in the GHSA advisory, so publicly available exploit code exists; it is not listed in CISA KEV and no active exploitation has been reported.
Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation.
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation by crafting malicious pickle files that import unblocked Python standard library modules. The tool's blocklist (scanner.py _unsafe_globals) omits at least seven stdlib modules - including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib - exposing eight functions that execute arbitrary commands via subprocess or os.system. Publicly available exploit code exists in the GHSA advisory, demonstrating CLEAN scan results for files that achieve full RCE on load; this is especially concerning because picklescan is relied on by HuggingFace Hub and similar ML pipelines.
Stored cross-site scripting in Gogs (self-hosted Git service) versions through 0.14.2 allows a low-privileged repository user to inject JavaScript via a crafted Jupyter notebook (.ipynb) Markdown cell containing a javascript: scheme link, which executes in the Gogs origin when a victim clicks the rendered link. Although server-side sanitization is performed via /-/api/sanitize_ipynb, the client subsequently re-renders Markdown cells with marked() and regenerates the dangerous links, and the file preview page is served without a Content Security Policy. Publicly available exploit code exists (full PoC published in the GHSA advisory) but there is no public exploit identified at time of analysis as actively exploited in the wild.
Cache poisoning in python-zeroconf before 0.149.16 allows any unauthenticated adjacent-network attacker to inject attacker-controlled DNS records into the local mDNS cache by multicasting a single crafted UDP packet on port 5353. The parser in `_read_character_string` and `_read_string` advanced its offset by a caller-declared length without validating it against the actual packet buffer size; Python's silent slice truncation meant over-advertised records were accepted and committed to `DNSCache` and `ServiceInfo` intact. The vendor manually downgraded severity to low, noting no RCE or OOM risk, but characterizes this as a building block for higher-impact chains in downstream consumers such as Home Assistant. No public exploit code has been identified and the vulnerability is not in CISA KEV.
DNS rebinding against the Glances XML-RPC server (`glances -s`) allows a network-adjacent or remote attacker to exfiltrate the full system monitoring dataset - including process command lines that routinely contain secrets - from a victim's browser without any authentication. The `GlancesXMLRPCHandler` in `glances/server.py` accepts arbitrary HTTP `Host` headers without validation, an omission that persists while the REST/WebUI server received an equivalent fix (TrustedHostMiddleware, v4.5.2) and the MCP server was protected since v4.5.1. No active exploitation is confirmed (not in CISA KEV), but a detailed proof-of-concept is published in the vendor's GitHub security advisory GHSA-w856-8p3r-p338 and the attack is materially amplified by the companion CORS wildcard issue CVE-2026-46608.
Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.
Local arbitrary code execution in Glances versions prior to 4.5.5 occurs when the daemon deserializes its version-check cache file via pickle.load() without integrity validation. An attacker with write access to the Glances user's XDG cache directory (~/.cache/glances/glances-version.db) can plant a malicious pickle that executes as the Glances process user - frequently root - on next startup. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis as actively weaponized.
Local privilege escalation via command injection in Glances 4.5.5_dev1 and earlier allows users with libvirt domain-creation rights to execute arbitrary commands as the Glances process owner (typically root on hypervisor hosts). The flaw lives in the KVM/QEMU monitoring plugin, where VM domain names parsed from `virsh list --all` are interpolated into command strings handled by `secure_popen()`, which intentionally treats `&&`, `|`, and `>` as control operators. No public exploit identified at time of analysis, but a detailed PoC accompanies the GHSA-v5r2-qh84-fjx5 advisory.
Arbitrary code execution in Picklescan before 0.0.33 occurs because the scanner fails to flag the numpy.f2py.crackfortran._eval_length gadget when used inside a pickle __reduce__ method, allowing crafted pickle files to be marked safe while still executing attacker-supplied Python on load. Workflows that rely on Picklescan to vet untrusted pickle or PyTorch model artifacts are exposed to supply-chain poisoning, and publicly available exploit code exists in the GHSA advisory.
Infinite loop denial-of-service in pypdf prior to 6.13.1 allows an attacker to hang any process that merges a crafted PDF containing cyclic article/thread structures. The vulnerability exists in the `_add_articles_thread()` method of `_writer.py`, which traversed PDF article bead linked-list structures without cycle detection, permitting a self-referential `/N` (Next) pointer chain to create an irrecoverable loop. No public exploit code or CISA KEV listing exists at time of analysis, but the upstream PR diff publicly discloses the precise triggering structure, lowering the bar for exploitation against vulnerable merge pipelines.
Arbitrary code execution in mise (jdx/mise) versions prior to 2026.3.10 allows attackers to run shell commands as the victim user simply by having them `cd` into a directory containing a malicious `.tool-versions` file. Unlike `.mise.toml`, `.tool-versions` files bypass the trust verification gate in non-paranoid mode, so the Tera template engine's `exec()` function fires silently from the shell `hook-env`. No public exploit identified at time of analysis beyond the detailed reporter PoC, but exploitation is trivial and a working PoC is embedded in the advisory.
Path traversal in motionEye v0.43.1 allows any authenticated user - including those with normal (non-admin) privileges - to read arbitrary files from the server filesystem via the picture and movie preview API endpoints. The root cause is inconsistent input validation: `get_media_preview()` and `del_media_content()` in `mediafiles.py` omit the `..` sequence check that `get_media_content()` correctly implements, and the Tornado web framework passes percent-encoded slashes (`%2F`) through unmodified to `os.path.join()`. A fully functional public proof-of-concept demonstrating retrieval of `/etc/passwd` is published in the GitHub security advisory; no public exploit identified at time of analysis for CISA KEV, but the low exploitation complexity and pre-computable default-credential signature make exposed instances an immediate practical target.
TLS trust store poisoning in Canonical ADSys through v0.16.2 allows a network-positioned attacker to inject an arbitrary Root CA certificate into managed Ubuntu hosts during Active Directory Certificate Services auto-enrollment. The vendored Samba GPO extension fetches the CA certificate over plaintext HTTP from the AD CS GetCACert endpoint, and the response is registered into the system trust store via update-ca-certificates without authenticity validation. No public exploit identified at time of analysis, but the impact enables persistent decryption of TLS traffic across the host.
Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully compromise the host by bypassing authentication and abusing improper Python execution isolation. The maximum CVSS 10.0 score (AV:N/AC:L/PR:N/UI:N with scope change) reflects trivial network-based exploitation against any internet-exposed instance, though no public exploit identified at time of analysis. IBM has confirmed the issue and released a patch via support advisory node/7277242.
Arbitrary file read leading to remote code execution affects Langflow versions prior to 1.9.2 in any flow that uses BaseFileComponent-derived nodes (Read File, Docling, Docling Serve, NVIDIA Retriever Extraction, Video File, Unstructured API). An attacker who can submit a TAR archive containing symlinks - for example through a RAG ingestion pipeline that accepts user documents - causes the server to follow those links and ingest arbitrary host files such as Langflow's JWT secret_key, which can then be used to forge admin tokens and execute Python via the Code Interpreter node. Publicly available exploit code exists (researcher-published PoC archive and demo video); not listed in CISA KEV.
Unauthenticated denial-of-service in Langflow versions prior to 1.0.19 allows remote attackers to render the application unusable for all users indefinitely by sending a single crafted POST to /api/v1/files/upload/ with a malformed multipart boundary containing a very large run of hyphens. The upload endpoint processes the multipart body before performing authentication or flow-ID validation, so no token, cookie, or valid flow UUID is required. A public proof-of-concept is included in the GitHub Security Advisory GHSA-qwqc-p3q8-wcg9, though there is no public exploit identified beyond the PoC at time of analysis and the issue is not listed in CISA KEV.
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing the victim's flow UUID as the `model` value to the `/api/v1/responses` endpoint, exposing data the victim's flow processes and consuming their resources. The flaw is an Insecure Direct Object Reference (CWE-639) in the `get_flow_by_id_or_endpoint_name` helper, which skipped ownership checks on the UUID lookup path. Publicly available exploit code exists (a working curl PoC), and the input lists it as confirmed actively exploited (CISA KEV), though the SSVC exploitation status of 'poc' and a low 0.24% EPSS complicate that claim (see risk_assessment).
Denial of service in py7zr (a pure-Python 7-Zip library) versions 1.1.2 and earlier lets a remote, unauthenticated attacker exhaust CPU with a tiny crafted .7z archive. The flaw is in header parsing (PackInfo._read), so merely opening the archive with SevenZipFile() - no extraction - triggers the cost; a ~50 KB file consumes roughly 7 seconds of CPU. Publicly available exploit code exists (PoC published in the GHSA advisory), but there is no active exploitation identified and it is not listed in CISA KEV.
Denial-of-service via decompression bomb in py7zr, the pure-Python 7-Zip library, affects all versions up to and including 1.1.2. The library's Worker.decompress() writes extracted data to disk or memory without tracking cumulative decompressed size, so a tiny crafted .7z (demonstrated at a 6,556:1 ratio - 15.6 KB expanding to 100 MB) can exhaust disk or RAM on any application that extracts untrusted archives. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but the issue is not listed in CISA KEV; CVSS 4.0 rates it 8.7 (High) with pure availability impact.
Incomplete SSRF remediation in mailpit v1.29.2 through v1.30.1 leaves the Link Check API bypassable via IPv6 transition mechanism literals (6to4, NAT64, IPv4-compatible IPv6, ISATAP, Teredo) and unclassified IPv6 prefixes (fec0::/10, 2001:db8::/32) that Go's stdlib Is* classification helpers silently pass. An unauthenticated network attacker who can deliver email to mailpit's SMTP listener and invoke the Link Check API can coerce the application into dialing internal IPv4 destinations - including cloud metadata endpoints at 169.254.169.254 - by encoding the target as an IPv6 literal that returns false for all seven predicates in IsInternalIP, bypassing the guard introduced for CVE-2026-27808. Publicly available exploit code exists in the form of a reproducible unit test and end-to-end proof-of-concept published in the advisory; this is the same deny-list bypass class confirmed in CVE-2026-44430 (MCP Registry) and CVE-2026-45741 (Gotenberg).
Token exfiltration in dbt-mcp's embedded OAuth helper server (versions before 1.20.0) allows any co-located process or DNS-rebinding attacker to retrieve a victim's full dbt Cloud access and refresh tokens via a single unauthenticated HTTP GET request. Developers running dbt-mcp in OAuth mode on any shared or browser-accessible host are affected for the entire lifetime of the OAuth helper process following a completed login flow. No public exploit identified at time of analysis, though the GitHub security advisory (GHSA-jr33-mw75-7j8f) includes a fully functional Docker-based PoC with step-by-step reproduction artifacts, substantially lowering the exploitation barrier.
Silent UTF-8 rewriting in UltraJSON (ujson) versions up to and including 5.12.1 allows input validation bypass and data integrity corruption when the reject_bytes=False encoding option is used. Malformed or truncated byte sequences - including invalid continuation bytes and over-read sequences - are silently transformed into different, syntactically valid Unicode characters rather than triggering an error, meaning data that exits ujson.dumps() differs from data that entered it. This creates a validation bypass window for any application that validates raw bytes before serialization, and no public exploit has been identified at time of analysis, though the flaw is fully described with reproducible examples in the GHSA advisory.
Heap corruption in the Oj Ruby JSON parser allows remote attackers to crash or potentially corrupt memory in applications that parse untrusted JSON with `Oj::Parser` in `:usual` mode when the `create_id` option is enabled. A 65,535-byte object key triggers an integer truncation in `form_attr` (ext/oj/usual.c:63) that turns the buffer length into `(size_t)-1`, causing `memcpy` to write `SIZE_MAX` bytes onto a fixed 65,536-byte cache slab. No public exploit identified at time of analysis beyond the maintainer-supplied reproduction script in GHSA-9cv6-qcjw-4grx.
{% case %}` tag that has no `{% when %}`, `{% else %}`, or closing `{% endcase %}`. Because the loop occurs at parse time, any application that renders untrusted or user-supplied Liquid templates can be frozen with a payload as small as `{% case x %}`. It is a pure availability issue (CWE-835) with no confidentiality or integrity impact; not listed in CISA KEV and no evidence of active exploitation, though the trivial trigger is documented in the vendor advisory.
Authorization bypass in jupyterlab-git 0.53.0 and earlier allows authenticated JupyterLab users to read admin-excluded git directories on case-insensitive filesystems (macOS APFS, Windows NTFS) by altering the case of URL path segments. The `GitHandler.prepare()` check uses `fnmatch.fnmatchcase()`, which is unconditionally case-sensitive, while the underlying filesystem resolves case-varied paths to the same location. Publicly available exploit code exists (PoC published with the GHSA advisory), but no public exploit identified in active exploitation feeds.
Arbitrary code execution in Stanford NLP's Stanza 1.12.0 (and ≤1.12.1) occurs when the library loads a malicious PyTorch checkpoint, because its pretrain loader silently falls back from torch.load(weights_only=True) to weights_only=False whenever an UnpicklingError is raised - a condition the attacker fully controls by embedding one unsupported pickle global. Publicly available exploit code exists (working PoC in the GHSA advisory), and any developer, CI pipeline, or production NLP service that downloads Stanza model files from HuggingFace, GitHub, or a shared cache can be compromised. Fixed in Stanza 1.12.2.
{device_id}`. The KonnectedView HTTP endpoint sets `requires_auth = False` and only enforces Bearer-token validation on POST/PUT methods, leaving the GET handler entirely unauthenticated. Publicly available exploit code exists in the form of a detailed reporter-published proof of concept against Home Assistant Core 2026.5.2.
Arbitrary file write in py7zr versions 1.1.0 through 1.1.2 allows attackers to escape the destination directory during archive extraction by chaining malicious symbolic links that resolve outside the target path. A victim who calls extractall() on a crafted 7z archive can have files written to arbitrary host filesystem locations, potentially escalating to remote code execution, privilege escalation, or data corruption. Publicly available exploit code exists (PoC published in the GHSA advisory), but there is no public exploit identified for active campaigns at time of analysis.
Arbitrary file write via path traversal in Slopsmith (a self-hosted Rocksmith 2014 CDLC web app) prior to 0.2.9-alpha.5 allows an attacker who can supply a malicious PSARC or sloppak archive to write files outside the extraction directory, escalating to remote code execution under the default Docker image which runs as root and exposes a writable plugin directory. The CVSS 4.0 vector reports high privileges required (PR:H), reflecting that the attacker must reach the archive-upload/open functionality of an authenticated user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary local file disclosure in the Rust crate tract-onnx (by Sonos) allows an attacker who supplies a malicious ONNX model file to read arbitrary files from the victim's filesystem at model-load time, with file contents surfaced directly in inference tensor output. The root cause is that `get_external_resources()` in `onnx/src/tensor.rs` passes the attacker-controlled `location` field of ONNX external-data tensors directly to `PathBuf::join()` without sanitization, enabling both absolute-path overrides and relative `../` traversal. A secondary denial-of-service (panic) is possible via out-of-bounds `offset`/`length` values. Publicly available exploit code exists (full PoC confirmed on tract-onnx 0.21.16); no active exploitation has been confirmed by CISA KEV at time of analysis.
Remote unauthenticated access to two SQL Editor endpoints in pgAdmin 4 server-mode deployments (versions 6.9 through 9.15) exposes a pickle.loads sink that can be reached without a valid pgAdmin session. The defect is the missing @pga_login_required decorator on DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did>; turning this into code execution additionally requires an attacker to possess the Flask SECRET_KEY and write access to the sessions/ directory from a separate channel. No public exploit identified at time of analysis, and the issue does not appear on CISA KEV.
Authentication bypass in StarTree mcp-pinot versions 3.0.1 and earlier exposes the Model Context Protocol HTTP server on 0.0.0.0:8080 by default with no authentication, allowing any network-adjacent attacker to invoke every MCP tool - including SQL execution, schema creation, and table-config mutation - against the backing Apache Pinot cluster using the server's own credentials. The maximum CVSS 10.0 score reflects a scope-changing confused-deputy condition. No public exploit identified at time of analysis, but the trivial reachability and presence of write/DDL tooling make exploitation straightforward once the port is found.
Unauthenticated call-control abuse in pipecat-ai development runner (>=0.0.77, <1.4.0) allows remote attackers reaching an exposed `/ws` telephony WebSocket to inject an attacker-controlled `callSid` that the server then submits to Twilio, Telnyx, or Plivo REST APIs using the operator's own credentials, forcibly terminating victim calls. Publicly available exploit code exists (a full Dockerized PoC is published in the GHSA advisory) and the maintainers shipped a fix in v1.4.0; no CISA KEV listing at time of analysis.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python application export function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Resource exhaustion in joserfc (versions 1.3.4-1.6.5) is possible because the RFC7797 unencoded-payload (b64=false) JWS code path skips the configured JWSRegistry.max_payload_length check, while the standard compact and flattened JSON paths correctly raise ExceededSizeError. Remotely submitted, cryptographically valid b64=false JWS tokens with arbitrarily large payloads are deserialized without size enforcement, consuming memory or CPU on the verifying server. No public exploit has been identified and the vulnerability is not in the CISA KEV catalog; a vendor-released fix is available in version 1.6.7.
Command injection in the AWS Bedrock AgentCore Python SDK (versions >= 1.1.3, < 1.6.1) allows remote authenticated users to execute arbitrary commands within the Code Interpreter sandbox by supplying crafted package name arguments to the install_packages() method. The flaw stems from improper neutralization of argument delimiters (CWE-88), letting attacker-controlled strings break out of the intended pip-install argument context. No public exploit identified at time of analysis, but a vendor patch and advisory are available from AWS.
Authorization bypass in Avo (Ruby on Rails admin framework) versions <= 3.32.0 and 4.0.0.beta.1 through 4.0.0.beta.50 allows authenticated low-privileged users to attach arbitrary related records to parent resources via a direct POST to the associations endpoint, bypassing the `attach_<association>?` policy enforced only on the form-rendering GET. Publicly available exploit code exists (Python PoC in the GHSA advisory), and in deployments where associations encode teams, tenants, roles, or memberships, exploitation yields privilege escalation and cross-tenant data exposure.
Authorization bypass in Wagtail CMS allows authenticated low-privilege users to create translations for pages beyond their permitted scope. Versions prior to 7.0.8, 7.3.3, and 7.4.2 fail to enforce page-level permission checks when a user submits a translation request, exposing content of restricted pages to anyone holding the 'Can submit translation' permission. No public exploit code or active exploitation (CISA KEV) has been identified, but the low attack complexity and network-accessible vector make this straightforward to abuse for information disclosure.
Missing authorization on the image preview endpoint in Wagtail CMS allows any authenticated admin-panel user to render previews of images they do not have permission to access. Affected across three maintained release branches - all Wagtail versions prior to 7.0.8, 7.3.3, and 7.4.2. No public exploit has been identified at time of analysis, and exploitation is strictly bounded to users holding valid Wagtail admin credentials, making this a privileged-insider or compromised-account risk rather than an external threat.
Wagtail's Documents and Images chooser endpoint leaks asset metadata - including filenames, display names, and URLs - to authenticated admin users who have been explicitly denied collection-level choose permissions. Versions prior to 7.0.8, 7.3.3, and 7.4.2 are affected across the 7.0, 7.3, and 7.4 release branches. An attacker with a valid Wagtail admin account can enumerate restricted media assets across collections beyond their authorized scope, bypassing the collection permission model. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.
Wagtail CMS versions prior to 7.0.8, 7.3.3, and 7.4.2 expose a resource exhaustion vector where authenticated admin users can submit purposefully crafted image filter specification strings that trigger disproportionately expensive rendition processing on the server, resulting in service degradation for all site users. The vulnerability is constrained to admin-level authenticated users and cannot be triggered by ordinary unauthenticated site visitors, materially limiting real-world attack surface. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the low-priority tier for most deployments.
Local arbitrary code execution in the Cortex MCP server (neuro-cortex-memory ≥ 3.17.0) lets an attacker run Python with the victim's user privileges when the open_visualization tool trusts the Claude Code-supplied CLAUDE_PROJECT_DIR as a Cortex developer checkout. Any project a victim opens is treated as a candidate source root, and validation only checks for two trivial marker files (mcp_server/ and ui/unified-viz.html) before executing an attacker-supplied visualize_bootstrap.py via subprocess. A working PoC is included in the advisory; there is no evidence of active exploitation, and the issue is fixed in v3.17.1.
Denial of service in the msgpack-python serialization library (versions prior to 1.2.1) lets remote attackers crash a process via an out-of-bounds read when an application reuses an Unpacker instance after a previously raised error was caught. Sending malformed MessagePack data that triggers an error, then feeding further data to the same Unpacker, can drive the process to a SEGV. No public exploit has been identified at time of analysis, and EPSS data was not provided, but the CVSS 3.1 score of 7.5 (availability-only) reflects a straightforward, unauthenticated crash condition.
Memory exhaustion in pypdf prior to 6.13.3 allows unauthenticated remote attackers to cause denial of service by supplying a maliciously crafted PDF. The MAX_DECLARED_STREAM_LENGTH safety cap - designed to bound memory allocation during stream parsing - is bypassed when a PDF content stream omits the /Length value, enabling unbounded memory growth. No active exploitation is confirmed (not in CISA KEV), but the attack surface encompasses any Python application that parses attacker-supplied PDFs, a common pattern in document pipelines and web upload handlers.
The Python Code node in n8n allows authenticated workflow editors to bypass the AST security validator by crafting Python code that evades an incomplete blocklist (CWE-184), reaching the task executor module namespace. Affected self-hosted n8n deployments running versions before 2.25.7 or 2.26.x before 2.26.2 with the Python Task Runner enabled are exposed to environment variable disclosure when N8N_BLOCK_RUNNER_ENV_ACCESS is not set to restrict access, potentially leaking API keys, database credentials, or other secrets injected at process startup. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Arbitrary code execution bypass in picklescan before 0.0.29 lets attackers smuggle malicious Python pickle files past the scanner by abusing the built-in profile.Profile.run function inside a pickle __reduce__ method, which picklescan's blocklist fails to flag. Because picklescan is a defensive ML supply-chain tool meant to certify pickle/model files as safe, the flaw is a security-control evasion: a file marked 'clean' executes attacker code on deserialization. No public exploit is identified at time of analysis, and it is not in CISA KEV; the CVSS 4.0 base score is 7.6 (High).
Detection bypass in picklescan before 0.0.29 allows attackers to smuggle arbitrary-code payloads past the scanner by abusing Python's built-in trace.Trace.runctx in a pickle reduce method, so a malicious model/pickle file is rated safe yet executes code when later deserialized with pickle.load(). picklescan is a security scanner used to vet untrusted ML pickle files (notably in the Hugging Face ecosystem), so this failure defeats the very control teams rely on to catch malicious models. No public exploit identified at time of analysis and the issue is not in CISA KEV; reported by VulnCheck with a CVSS 4.0 base score of 7.6.
Unauthenticated remote code execution in Orkes Conductor (conductor-oss) versions 3.21.21 through 3.30.1 lets remote attackers run arbitrary OS commands by POSTing inline workflow definitions to the workflow API before any authentication check. The flaw stems from GraalVM script evaluators left in an unsandboxed state (HostAccess.ALL / allowAllAccess(true)), allowing JavaScript or Python expressions in INLINE, LAMBDA, DO_WHILE, and SWITCH tasks to reach Java reflection and subprocess APIs. Reported by VulnCheck; no public exploit identified at time of analysis, though a detailed vendor/researcher advisory exists.
Remote code execution in LLaMA-Factory through version 0.9.5 allows attackers who can reach the Gradio WebUI to run arbitrary Python by entering a malicious model path in the Chat or Training interfaces. Because the app forwards unvalidated user input into Hugging Face's AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True, a referenced repository's custom modeling code executes with the server process's privileges. Publicly available exploit code exists (a proof-of-concept gist plus a VulnCheck advisory), though it is not listed in CISA KEV and no in-the-wild abuse is documented in the available data.
Arbitrary file disclosure in NLTK 3.9.4 lets remote attackers read any file accessible to the Python process by passing percent-encoded path-traversal sequences (e.g. ..%2f) into nltk.data.load() or nltk.data.find(). The flaw is an incomplete fix for GitHub Issue #3504: the _UNSAFE_NO_PROTOCOL_RE guard only matches literal ../ while url2pathname() decodes the encoded form after the check runs, so the validation is bypassed. No public exploit identified at time of analysis, though it was reported through a huntr.com bounty; it is not listed in CISA KEV and no EPSS score was supplied.
Arbitrary code execution in Snowflake CLI versions prior to 3.19 lets an attacker run code in the context of any developer who bundles or deploys an attacker-supplied Snowpark project. The flaw lives in the Snowpark annotation processor callback template, where untrusted project content is interpolated directly into generated Python code (CWE-94). No public exploit has been identified at time of analysis, but the attack is straightforward and high-impact (CVSS 8.8) given that it executes with the victim's local privileges; exploitation hinges on the victim running the bundling/deployment workflow against malicious content.
Unauthenticated remote code execution affects Kestra OSS (the open-source event-driven orchestration platform) prior to versions 1.0.45 and 1.3.21, where a flawed authentication whitelist lets attackers reach protected API endpoints without credentials. The AuthenticationFilter exempts the public config endpoint using a suffix match (request.getPath().endsWith("/configs")) instead of an exact path match, so any API path ending in 'configs' bypasses Basic Auth, allowing an attacker to create and run arbitrary workflows. Because the default-enabled script-execution plugins (shell, Python) run inside the worker container as root, this escalates directly to unauthenticated RCE. Carries a maximal CVSS of 10.0; there is no public exploit identified at time of analysis.
Output manipulation in flawfinder before version 2.0.20 allows an attacker who controls repository filenames or file content to inject ANSI escape sequences into terminal output, visually hiding or falsifying scan results from human reviewers. The same untrusted-input handling gap extends to structured report generation: CSV reports and SonarQube XML output (via the output_sonar() function) can be corrupted or attribute-injected when filenames, categories, or code context contain unescaped special characters. No public exploit code is identified and the vulnerability is not in CISA KEV; however, the defense-evasion potential is meaningful for organizations running flawfinder against untrusted or adversarial repositories in CI/CD pipelines. The 'RCE' tag present in the intelligence metadata is not supported by the advisory and appears to be a mis-classification.
Memory-exhaustion denial of service in the python-socketio server (Socket.IO for Python, versions <= 5.16.1) lets remote clients pin server memory by sending binary EVENT or ACK packets while deliberately withholding one or more of the declared binary attachments. Because the server buffers the partial message and its received attachments in memory until all attachments arrive, an attacker can repeatedly open such incomplete messages to grow memory consumption unbounded and exhaust server resources. No public exploit identified at time of analysis; not listed in CISA KEV.
Denial of service in the python-engineio server (versions <= 4.13.1) allows remote unauthenticated attackers to exhaust server resources by abusing the heartbeat mechanism, which spawns a new background thread on each connection and on every PONG packet received. Synchronous servers are most at risk because each heartbeat is a physical OS thread; asynchronous deployments allocate lightweight tasks and are far less affected. No public exploit has been identified at the time of analysis, and the issue is not listed in CISA KEV; a vendor-released patch (version 4.13.2) is available.
Uncontrolled memory allocation in python-engineio (versions <= 4.13.1) lets remote attackers exhaust server memory by sending oversized messages that are loaded before any size check, causing denial of service (availability-only impact). The flaw triggers in two specific transport configurations - ASGI with long-polling POST requests, and Aiohttp with the WebSocket transport - and is fixed in 4.13.2. No public exploit identified at time of analysis, and the issue is not in CISA KEV; no EPSS score was provided.
Path traversal in Patool's safe_extract() function allows an attacker-controlled archive to write files to arbitrary locations on the filesystem when extracted by a victim running Patool before 4.0.5 on Python before 3.12. The flaw exists because the is_within_directory() helper in patoolib/programs/py_tarfile.py uses os.path.commonprefix() for character-level string prefix matching rather than path-component-level comparison, making it trivially bypassable with crafted member paths. No public exploit or CISA KEV listing has been identified at time of analysis, but the low-complexity exploitation conditions and complete integrity bypass make this a meaningful risk for affected deployments.
Privilege escalation to AWS IAM and PKI compromise in Netflix Lemur 1.9.0 (and earlier) lets any SSO-authenticated, low-privilege user chain an ACME acme_url SSRF with a creator-equality IDOR to steal the worker's AWS STS credentials and retain permanent access to issued TLS private keys. Because Lemur auto-provisions new SSO identities as active=True, any holder of a trusted federated identity can reach the vulnerable authority-creation and key-fetch endpoints. A detailed, fully reproduced proof-of-concept (Docker lab plus asciinema recording) exists publicly, though there is no public exploit identified as being used in active attacks and the issue is fixed in 1.9.2.
JWT algorithm confusion in Netflix Lemur 1.9.0 allows an attacker to control which signing algorithm the server trusts by supplying an arbitrary alg value in the unverified token header, which is passed directly to pyjwt.decode() instead of a server-pinned allowlist. On current PyJWT 2.x deployments the standalone impact is limited to audit-log blinding and a durable algorithm-downgrade primitive; full account takeover requires chaining with a separate LEMUR_TOKEN_SECRET disclosure vulnerability, after which a forged HS256 admin JWT yields HTTP 200 with role=admin. A public proof-of-concept walkthrough exists (asciinema); no active exploitation is confirmed in CISA KEV.
Cleartext password storage in Netflix Lemur's user-update service path allows any attacker who gains read access to the Lemur database, its backups, query logs, or read replicas to obtain directly usable plaintext credentials - no offline cracking required. The flaw affects all Lemur deployments running pip/lemur <= 1.9.1 and is triggered exclusively when an administrator resets a user password through the admin-gated PUT /api/1/users/<id> API endpoint. No public exploit is required: the advisory itself contains precise reproduction steps, and the side effect (immediate login failure for affected users) makes the exposure operationally detectable. No KEV listing exists at time of analysis.
Incorrect authorization in Netflix Lemur's role management API allows any authenticated role member to rewrite the membership list and rename their own role via the PUT /api/1/roles/<id> endpoint in versions up to and including 1.9.1. The RoleMemberPermission check uses OR-semantics, meaning membership of a role is sufficient to mutate it - an authorization oversight confirmed by the asymmetry with the DELETE handler on the same resource, which correctly enforces admin-only access. Exploitation enables lateral privilege escalation within a Lemur PKI deployment: a malicious role member can inject colluders into certificate or authority management roles, remove legitimate members, or rename roles. No public exploit identified at time of analysis, though detailed reproduction steps are published in the GitHub security advisory GHSA-x3vf-mgxj-7785.
Server-Side Request Forgery in Netflix Lemur's certificate verification pipeline allows an authenticated operator-role user to force the Lemur host to issue outbound HTTP requests to arbitrary internal destinations by uploading a crafted certificate whose CRL Distribution Point or OCSP responder extensions point to RFC1918 addresses, link-local endpoints (169.254.169.254), internal Kubernetes API servers, or loopback interfaces. Both `crl_verify` and `ocsp_verify` in `lemur/certificates/verify.py` pass attacker-controlled URLs directly to network sinks with no destination allow-list, scheme restriction beyond LDAP rejection, or private-address filtering. No public exploit confirmed in CISA KEV, but detailed proof-of-concept reproduction steps are published in the GitHub Security Advisory GHSA-54vg-pfh7-jq95; vendor-released patch v1.9.2 is available.
Detection bypass in picklescan through version 0.0.26 lets attackers smuggle malicious pickle payloads past the scanner by invoking idlelib.pyshell.ModifiedInterpreter.runcode from a __reduce__ method, which picklescan does not blocklist. Because organizations rely on picklescan to vet PyTorch models and serialized Python objects, a payload it marks 'safe' still achieves arbitrary command execution the moment the victim calls pickle.load(), enabling ML supply-chain attacks. Publicly available exploit code exists (GHSA-3gf5-cxq9-w223 ships a working PoC); the CVE is not in CISA KEV and EPSS data was not provided, so active exploitation is unconfirmed.
Privilege escalation via broken authorization in Netflix Lemur (versions <= 1.9.0) lets any authenticated user - including the shipped lowest-privilege `read-only` role - perform admin-only certificate-management actions. Because the `StrictRolePermission` and `AuthorityCreatorPermission` classes were instantiated with an empty Need set when their config flags were left at the default `False`, Flask-Principal's `allows()` returns True for every identity, removing the only role gate in front of CA creation, certificate upload, notification (SSRF sink) management, and domain registry edits. No public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation requires only a single low-privilege credential, making it a direct pivot to control of the PKI issuance plane.
Arbitrary Python code execution in Vim before 9.2.0699 occurs when a victim triggers Python omni-completion (omnifunc) inside a malicious buffer; the python3complete.vim and legacy pythoncomplete.vim runtime plugins reconstruct in-buffer function and class definitions and run them through Python's exec(), inserting each scope's docstring verbatim between triple quotes. Because the docstring is never escaped, a crafted docstring can close the triple-quoted literal and inject attacker-controlled Python that runs with the user's privileges. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but a regression test bundled with the fix demonstrates the breakout, confirming exploitability; EPSS data was not provided.
Uncontrolled resource consumption in the AutoGPT platform (versions before 0.6.52) lets an authenticated user crash the server through the Fill Text Template block. The block's Jinja2 SandboxedEnvironment blocks dangerous attribute access but enforces no CPU, memory, or execution-time limits, so a crafted expression can exhaust server resources and hang or crash the host. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the bug is straightforward to trigger and the vendor has shipped a fix in 0.6.52.
Uncontrolled CPU consumption in Mistune, a Python Markdown parser, allows remote unauthenticated attackers to cause denial of service against any application that renders untrusted Markdown through versions prior to 3.3.0. The flaw lives in parse_link_text, which runs a regex search inside a loop and re-scans the remaining input each iteration, yielding roughly O(n²) behavior; a tiny payload of many consecutive '[' characters can pin a CPU core. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but the trigger is trivial to construct and the GitHub Security Advisory documents the root cause precisely.
Remote code execution in Feast (the open-source ML feature store) before 0.63.0 lets remote attackers run OS commands as the feast service account by sending a crafted ApplyFeatureView gRPC request to the registry server. The registry base64-decodes the user_defined_function.body field of an OnDemandFeatureView and passes it to dill.loads() before any authorization check, so no credentials are required. A publicly available exploit code exists (reported by VulnCheck via huntr) and a vendor patch is available, though the flaw is not listed in CISA KEV.
Sandbox escape in RestrictedPython (zopefoundation/RestrictedPython, GHSA-ffg3-p8fm-mjx2) allows an authenticated attacker who can execute code within the restricted Python environment to break out of that sandbox and execute arbitrary Python on the underlying host. This affects Plone deployments that rely on RestrictedPython to safely run through-the-web (TTW) Python Scripts and TALES expressions. Disclosed June 2026 as part of a coordinated Plone security release; no public exploit code or CISA KEV listing identified at time of analysis, but the 8.3 high severity and scope-changing nature make it a meaningful risk for any Zope/Plone installation where untrusted or semi-trusted users can author Python scripts.
Unauthenticated remote action execution in motionEye (pip/motioneye < 0.44.0) exposes every camera action endpoint - snapshots, recording start/stop, and administrator-configured shell scripts - to any attacker who can reach port 8765, due to a missing @BaseHandler.auth() decorator on ActionHandler.post(). Dynamically confirmed on v0.43.1 in a Docker lab environment; exploitation requires only a single HTTP POST with no credentials, headers, or user interaction. Beyond the CVSS 5.3 Medium rating, real-world impact extends to physical security bypass (PTZ, alarms, lighting controls) if action scripts are configured, and SSRF via remote camera triggering - no public exploit or CISA KEV listing is identified at time of analysis.
Arbitrary file read in motionEye versions before 0.44.0 lets remote attackers retrieve any file readable by the motionEye process by supplying an absolute path to the media playback, download, and preview handlers. The flaw stems from os.path.join() discarding the configured media directory when given an absolute path, compounded by MoviePlaybackHandler deliberately overriding Tornado's StaticFileHandler path-safety checks. A proof-of-concept exists and the CVSS 4.0 exploit-maturity is rated Proof-of-Concept, but there is no public evidence of active exploitation.
Arbitrary file exfiltration in OctoPrint versions through 1.11.7 and 2.0.0rc1-rc2 allows authenticated users with the FILE_UPLOAD permission to move any host file readable by the OctoPrint process into the upload folder, where it can then be downloaded. This is an incomplete-fix recurrence of CVE-2025-48067; reserved internal form fields can still be smuggled to Flask via query parameters or Tornado/Werkzeug parser differentials. No public exploit identified at time of analysis, and patches are available in 1.11.8 and 2.0.0rc3.
Arbitrary file write and command execution in Glances (Python system monitoring tool) versions 4.0.8 through 4.5.4 allows attackers with the ability to modify glances.conf to abuse shell-like operators (`>`, `|`, `&&`) interpreted by the `secure_popen()` function inside AMP module command configuration. The flaw bypasses the `--disable-config-exec` mitigation introduced for CVE-2026-33641, since that flag only blocks backtick execution in `config.get_value()` and not operator parsing in `secure_popen()`. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-3vwc-qwhc-3mj7), but no public exploit identified in active campaigns at time of analysis.
File descriptor exhaustion in the Gogs built-in Go SSH server allows unauthenticated remote attackers to render the SSH service completely unavailable. By opening a large number of TCP connections to the SSH port and withholding the SSH-2.0 protocol banner, an attacker forces Gogs to spawn unbounded goroutines that block indefinitely in `golang.org/x/crypto/ssh.NewServerConn`, consuming one file descriptor per connection. Once the OS `ulimit -n` ceiling is breached, the server can accept no new connections and the entire Gogs process begins failing with cascading I/O errors. No public exploitation (KEV) confirmed, but a fully functional Python PoC is publicly disclosed alongside the advisory and the fix is available in v0.14.3.
Authenticated arbitrary file write in Gogs (self-hosted Git service) versions below 0.14.3 on Linux/macOS lets a user with repository write access escape the working tree and overwrite any file the gogs UID can touch, escalating to remote code execution. The flaw stems from `UploadRepoFiles` validating symlinks only on the leaf path while sibling functions correctly walk every component; combined with a crafted multipart filename containing a literal backslash, the write is redirected through a previously committed directory symlink to targets like `~git/.ssh/authorized_keys` or `<repo>.git/hooks/post-receive`. No CISA KEV listing and no EPSS provided, but a detailed, tested proof-of-concept is published in the vendor advisory, so publicly available exploit code exists.
Improper authorization in Gogs (self-hosted Git service) versions before 0.14.3 lets a read-only user write to repositories they should only be able to fetch from. The Git Smart HTTP handler derives the access policy from the client-supplied ?service= query parameter rather than the actual RPC path, so a POST to /repo.git/git-receive-pack carrying ?service=git-upload-pack is authorized as a read while the receive-pack (push) code path still executes. A working PoC is published in the GHSA advisory, so publicly available exploit code exists; it is not listed in CISA KEV and no active exploitation has been reported.
Remote code execution in Gogs through 0.14.2 allows authenticated users (and unauthenticated attackers on default-configured instances with open registration) to execute arbitrary commands as the Gogs server process by crafting a pull request whose base branch name injects a `--exec` flag into the underlying `git rebase` invocation. A working Python proof-of-concept exists and has been validated end-to-end against Docker, Linux binary, and Windows installations, yielding shell access as the `git` user. No CISA KEV listing or EPSS data is provided, so this is treated as publicly available exploit code rather than confirmed active exploitation.
Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation by crafting malicious pickle files that import unblocked Python standard library modules. The tool's blocklist (scanner.py _unsafe_globals) omits at least seven stdlib modules - including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib - exposing eight functions that execute arbitrary commands via subprocess or os.system. Publicly available exploit code exists in the GHSA advisory, demonstrating CLEAN scan results for files that achieve full RCE on load; this is especially concerning because picklescan is relied on by HuggingFace Hub and similar ML pipelines.
Stored cross-site scripting in Gogs (self-hosted Git service) versions through 0.14.2 allows a low-privileged repository user to inject JavaScript via a crafted Jupyter notebook (.ipynb) Markdown cell containing a javascript: scheme link, which executes in the Gogs origin when a victim clicks the rendered link. Although server-side sanitization is performed via /-/api/sanitize_ipynb, the client subsequently re-renders Markdown cells with marked() and regenerates the dangerous links, and the file preview page is served without a Content Security Policy. Publicly available exploit code exists (full PoC published in the GHSA advisory) but there is no public exploit identified at time of analysis as actively exploited in the wild.
Cache poisoning in python-zeroconf before 0.149.16 allows any unauthenticated adjacent-network attacker to inject attacker-controlled DNS records into the local mDNS cache by multicasting a single crafted UDP packet on port 5353. The parser in `_read_character_string` and `_read_string` advanced its offset by a caller-declared length without validating it against the actual packet buffer size; Python's silent slice truncation meant over-advertised records were accepted and committed to `DNSCache` and `ServiceInfo` intact. The vendor manually downgraded severity to low, noting no RCE or OOM risk, but characterizes this as a building block for higher-impact chains in downstream consumers such as Home Assistant. No public exploit code has been identified and the vulnerability is not in CISA KEV.
DNS rebinding against the Glances XML-RPC server (`glances -s`) allows a network-adjacent or remote attacker to exfiltrate the full system monitoring dataset - including process command lines that routinely contain secrets - from a victim's browser without any authentication. The `GlancesXMLRPCHandler` in `glances/server.py` accepts arbitrary HTTP `Host` headers without validation, an omission that persists while the REST/WebUI server received an equivalent fix (TrustedHostMiddleware, v4.5.2) and the MCP server was protected since v4.5.1. No active exploitation is confirmed (not in CISA KEV), but a detailed proof-of-concept is published in the vendor's GitHub security advisory GHSA-w856-8p3r-p338 and the attack is materially amplified by the companion CORS wildcard issue CVE-2026-46608.
Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.
Local arbitrary code execution in Glances versions prior to 4.5.5 occurs when the daemon deserializes its version-check cache file via pickle.load() without integrity validation. An attacker with write access to the Glances user's XDG cache directory (~/.cache/glances/glances-version.db) can plant a malicious pickle that executes as the Glances process user - frequently root - on next startup. Publicly available exploit code exists in the GHSA advisory, but no public exploit identified at time of analysis as actively weaponized.
Local privilege escalation via command injection in Glances 4.5.5_dev1 and earlier allows users with libvirt domain-creation rights to execute arbitrary commands as the Glances process owner (typically root on hypervisor hosts). The flaw lives in the KVM/QEMU monitoring plugin, where VM domain names parsed from `virsh list --all` are interpolated into command strings handled by `secure_popen()`, which intentionally treats `&&`, `|`, and `>` as control operators. No public exploit identified at time of analysis, but a detailed PoC accompanies the GHSA-v5r2-qh84-fjx5 advisory.
Arbitrary code execution in Picklescan before 0.0.33 occurs because the scanner fails to flag the numpy.f2py.crackfortran._eval_length gadget when used inside a pickle __reduce__ method, allowing crafted pickle files to be marked safe while still executing attacker-supplied Python on load. Workflows that rely on Picklescan to vet untrusted pickle or PyTorch model artifacts are exposed to supply-chain poisoning, and publicly available exploit code exists in the GHSA advisory.
Infinite loop denial-of-service in pypdf prior to 6.13.1 allows an attacker to hang any process that merges a crafted PDF containing cyclic article/thread structures. The vulnerability exists in the `_add_articles_thread()` method of `_writer.py`, which traversed PDF article bead linked-list structures without cycle detection, permitting a self-referential `/N` (Next) pointer chain to create an irrecoverable loop. No public exploit code or CISA KEV listing exists at time of analysis, but the upstream PR diff publicly discloses the precise triggering structure, lowering the bar for exploitation against vulnerable merge pipelines.
Arbitrary code execution in mise (jdx/mise) versions prior to 2026.3.10 allows attackers to run shell commands as the victim user simply by having them `cd` into a directory containing a malicious `.tool-versions` file. Unlike `.mise.toml`, `.tool-versions` files bypass the trust verification gate in non-paranoid mode, so the Tera template engine's `exec()` function fires silently from the shell `hook-env`. No public exploit identified at time of analysis beyond the detailed reporter PoC, but exploitation is trivial and a working PoC is embedded in the advisory.
Path traversal in motionEye v0.43.1 allows any authenticated user - including those with normal (non-admin) privileges - to read arbitrary files from the server filesystem via the picture and movie preview API endpoints. The root cause is inconsistent input validation: `get_media_preview()` and `del_media_content()` in `mediafiles.py` omit the `..` sequence check that `get_media_content()` correctly implements, and the Tornado web framework passes percent-encoded slashes (`%2F`) through unmodified to `os.path.join()`. A fully functional public proof-of-concept demonstrating retrieval of `/etc/passwd` is published in the GitHub security advisory; no public exploit identified at time of analysis for CISA KEV, but the low exploitation complexity and pre-computable default-credential signature make exposed instances an immediate practical target.
TLS trust store poisoning in Canonical ADSys through v0.16.2 allows a network-positioned attacker to inject an arbitrary Root CA certificate into managed Ubuntu hosts during Active Directory Certificate Services auto-enrollment. The vendored Samba GPO extension fetches the CA certificate over plaintext HTTP from the AD CS GetCACert endpoint, and the response is registered into the system trust store via update-ca-certificates without authenticity validation. No public exploit identified at time of analysis, but the impact enables persistent decryption of TLS traffic across the host.
Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully compromise the host by bypassing authentication and abusing improper Python execution isolation. The maximum CVSS 10.0 score (AV:N/AC:L/PR:N/UI:N with scope change) reflects trivial network-based exploitation against any internet-exposed instance, though no public exploit identified at time of analysis. IBM has confirmed the issue and released a patch via support advisory node/7277242.
Arbitrary file read leading to remote code execution affects Langflow versions prior to 1.9.2 in any flow that uses BaseFileComponent-derived nodes (Read File, Docling, Docling Serve, NVIDIA Retriever Extraction, Video File, Unstructured API). An attacker who can submit a TAR archive containing symlinks - for example through a RAG ingestion pipeline that accepts user documents - causes the server to follow those links and ingest arbitrary host files such as Langflow's JWT secret_key, which can then be used to forge admin tokens and execute Python via the Code Interpreter node. Publicly available exploit code exists (researcher-published PoC archive and demo video); not listed in CISA KEV.
Unauthenticated denial-of-service in Langflow versions prior to 1.0.19 allows remote attackers to render the application unusable for all users indefinitely by sending a single crafted POST to /api/v1/files/upload/ with a malformed multipart boundary containing a very large run of hyphens. The upload endpoint processes the multipart body before performing authentication or flow-ID validation, so no token, cookie, or valid flow UUID is required. A public proof-of-concept is included in the GitHub Security Advisory GHSA-qwqc-p3q8-wcg9, though there is no public exploit identified beyond the PoC at time of analysis and the issue is not listed in CISA KEV.
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing the victim's flow UUID as the `model` value to the `/api/v1/responses` endpoint, exposing data the victim's flow processes and consuming their resources. The flaw is an Insecure Direct Object Reference (CWE-639) in the `get_flow_by_id_or_endpoint_name` helper, which skipped ownership checks on the UUID lookup path. Publicly available exploit code exists (a working curl PoC), and the input lists it as confirmed actively exploited (CISA KEV), though the SSVC exploitation status of 'poc' and a low 0.24% EPSS complicate that claim (see risk_assessment).
Denial of service in py7zr (a pure-Python 7-Zip library) versions 1.1.2 and earlier lets a remote, unauthenticated attacker exhaust CPU with a tiny crafted .7z archive. The flaw is in header parsing (PackInfo._read), so merely opening the archive with SevenZipFile() - no extraction - triggers the cost; a ~50 KB file consumes roughly 7 seconds of CPU. Publicly available exploit code exists (PoC published in the GHSA advisory), but there is no active exploitation identified and it is not listed in CISA KEV.
Denial-of-service via decompression bomb in py7zr, the pure-Python 7-Zip library, affects all versions up to and including 1.1.2. The library's Worker.decompress() writes extracted data to disk or memory without tracking cumulative decompressed size, so a tiny crafted .7z (demonstrated at a 6,556:1 ratio - 15.6 KB expanding to 100 MB) can exhaust disk or RAM on any application that extracts untrusted archives. Publicly available exploit code exists (a working PoC is published in the GHSA advisory), but the issue is not listed in CISA KEV; CVSS 4.0 rates it 8.7 (High) with pure availability impact.
Incomplete SSRF remediation in mailpit v1.29.2 through v1.30.1 leaves the Link Check API bypassable via IPv6 transition mechanism literals (6to4, NAT64, IPv4-compatible IPv6, ISATAP, Teredo) and unclassified IPv6 prefixes (fec0::/10, 2001:db8::/32) that Go's stdlib Is* classification helpers silently pass. An unauthenticated network attacker who can deliver email to mailpit's SMTP listener and invoke the Link Check API can coerce the application into dialing internal IPv4 destinations - including cloud metadata endpoints at 169.254.169.254 - by encoding the target as an IPv6 literal that returns false for all seven predicates in IsInternalIP, bypassing the guard introduced for CVE-2026-27808. Publicly available exploit code exists in the form of a reproducible unit test and end-to-end proof-of-concept published in the advisory; this is the same deny-list bypass class confirmed in CVE-2026-44430 (MCP Registry) and CVE-2026-45741 (Gotenberg).
Token exfiltration in dbt-mcp's embedded OAuth helper server (versions before 1.20.0) allows any co-located process or DNS-rebinding attacker to retrieve a victim's full dbt Cloud access and refresh tokens via a single unauthenticated HTTP GET request. Developers running dbt-mcp in OAuth mode on any shared or browser-accessible host are affected for the entire lifetime of the OAuth helper process following a completed login flow. No public exploit identified at time of analysis, though the GitHub security advisory (GHSA-jr33-mw75-7j8f) includes a fully functional Docker-based PoC with step-by-step reproduction artifacts, substantially lowering the exploitation barrier.
Silent UTF-8 rewriting in UltraJSON (ujson) versions up to and including 5.12.1 allows input validation bypass and data integrity corruption when the reject_bytes=False encoding option is used. Malformed or truncated byte sequences - including invalid continuation bytes and over-read sequences - are silently transformed into different, syntactically valid Unicode characters rather than triggering an error, meaning data that exits ujson.dumps() differs from data that entered it. This creates a validation bypass window for any application that validates raw bytes before serialization, and no public exploit has been identified at time of analysis, though the flaw is fully described with reproducible examples in the GHSA advisory.
Heap corruption in the Oj Ruby JSON parser allows remote attackers to crash or potentially corrupt memory in applications that parse untrusted JSON with `Oj::Parser` in `:usual` mode when the `create_id` option is enabled. A 65,535-byte object key triggers an integer truncation in `form_attr` (ext/oj/usual.c:63) that turns the buffer length into `(size_t)-1`, causing `memcpy` to write `SIZE_MAX` bytes onto a fixed 65,536-byte cache slab. No public exploit identified at time of analysis beyond the maintainer-supplied reproduction script in GHSA-9cv6-qcjw-4grx.
{% case %}` tag that has no `{% when %}`, `{% else %}`, or closing `{% endcase %}`. Because the loop occurs at parse time, any application that renders untrusted or user-supplied Liquid templates can be frozen with a payload as small as `{% case x %}`. It is a pure availability issue (CWE-835) with no confidentiality or integrity impact; not listed in CISA KEV and no evidence of active exploitation, though the trivial trigger is documented in the vendor advisory.
Authorization bypass in jupyterlab-git 0.53.0 and earlier allows authenticated JupyterLab users to read admin-excluded git directories on case-insensitive filesystems (macOS APFS, Windows NTFS) by altering the case of URL path segments. The `GitHandler.prepare()` check uses `fnmatch.fnmatchcase()`, which is unconditionally case-sensitive, while the underlying filesystem resolves case-varied paths to the same location. Publicly available exploit code exists (PoC published with the GHSA advisory), but no public exploit identified in active exploitation feeds.
Arbitrary code execution in Stanford NLP's Stanza 1.12.0 (and ≤1.12.1) occurs when the library loads a malicious PyTorch checkpoint, because its pretrain loader silently falls back from torch.load(weights_only=True) to weights_only=False whenever an UnpicklingError is raised - a condition the attacker fully controls by embedding one unsupported pickle global. Publicly available exploit code exists (working PoC in the GHSA advisory), and any developer, CI pipeline, or production NLP service that downloads Stanza model files from HuggingFace, GitHub, or a shared cache can be compromised. Fixed in Stanza 1.12.2.
{device_id}`. The KonnectedView HTTP endpoint sets `requires_auth = False` and only enforces Bearer-token validation on POST/PUT methods, leaving the GET handler entirely unauthenticated. Publicly available exploit code exists in the form of a detailed reporter-published proof of concept against Home Assistant Core 2026.5.2.
Arbitrary file write in py7zr versions 1.1.0 through 1.1.2 allows attackers to escape the destination directory during archive extraction by chaining malicious symbolic links that resolve outside the target path. A victim who calls extractall() on a crafted 7z archive can have files written to arbitrary host filesystem locations, potentially escalating to remote code execution, privilege escalation, or data corruption. Publicly available exploit code exists (PoC published in the GHSA advisory), but there is no public exploit identified for active campaigns at time of analysis.
Arbitrary file write via path traversal in Slopsmith (a self-hosted Rocksmith 2014 CDLC web app) prior to 0.2.9-alpha.5 allows an attacker who can supply a malicious PSARC or sloppak archive to write files outside the extraction directory, escalating to remote code execution under the default Docker image which runs as root and exposes a writable plugin directory. The CVSS 4.0 vector reports high privileges required (PR:H), reflecting that the attacker must reach the archive-upload/open functionality of an authenticated user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary local file disclosure in the Rust crate tract-onnx (by Sonos) allows an attacker who supplies a malicious ONNX model file to read arbitrary files from the victim's filesystem at model-load time, with file contents surfaced directly in inference tensor output. The root cause is that `get_external_resources()` in `onnx/src/tensor.rs` passes the attacker-controlled `location` field of ONNX external-data tensors directly to `PathBuf::join()` without sanitization, enabling both absolute-path overrides and relative `../` traversal. A secondary denial-of-service (panic) is possible via out-of-bounds `offset`/`length` values. Publicly available exploit code exists (full PoC confirmed on tract-onnx 0.21.16); no active exploitation has been confirmed by CISA KEV at time of analysis.
Remote unauthenticated access to two SQL Editor endpoints in pgAdmin 4 server-mode deployments (versions 6.9 through 9.15) exposes a pickle.loads sink that can be reached without a valid pgAdmin session. The defect is the missing @pga_login_required decorator on DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did>; turning this into code execution additionally requires an attacker to possess the Flask SECRET_KEY and write access to the sessions/ directory from a separate channel. No public exploit identified at time of analysis, and the issue does not appear on CISA KEV.
Authentication bypass in StarTree mcp-pinot versions 3.0.1 and earlier exposes the Model Context Protocol HTTP server on 0.0.0.0:8080 by default with no authentication, allowing any network-adjacent attacker to invoke every MCP tool - including SQL execution, schema creation, and table-config mutation - against the backing Apache Pinot cluster using the server's own credentials. The maximum CVSS 10.0 score reflects a scope-changing confused-deputy condition. No public exploit identified at time of analysis, but the trivial reachability and presence of write/DDL tooling make exploitation straightforward once the port is found.
Unauthenticated call-control abuse in pipecat-ai development runner (>=0.0.77, <1.4.0) allows remote attackers reaching an exposed `/ws` telephony WebSocket to inject an attacker-controlled `callSid` that the server then submits to Twilio, Telnyx, or Plivo REST APIs using the operator's own credentials, forcibly terminating victim calls. Publicly available exploit code exists (a full Dockerized PoC is published in the GHSA advisory) and the maintainers shipped a fix in v1.4.0; no CISA KEV listing at time of analysis.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python application export function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Resource exhaustion in joserfc (versions 1.3.4-1.6.5) is possible because the RFC7797 unencoded-payload (b64=false) JWS code path skips the configured JWSRegistry.max_payload_length check, while the standard compact and flattened JSON paths correctly raise ExceededSizeError. Remotely submitted, cryptographically valid b64=false JWS tokens with arbitrarily large payloads are deserialized without size enforcement, consuming memory or CPU on the verifying server. No public exploit has been identified and the vulnerability is not in the CISA KEV catalog; a vendor-released fix is available in version 1.6.7.
Command injection in the AWS Bedrock AgentCore Python SDK (versions >= 1.1.3, < 1.6.1) allows remote authenticated users to execute arbitrary commands within the Code Interpreter sandbox by supplying crafted package name arguments to the install_packages() method. The flaw stems from improper neutralization of argument delimiters (CWE-88), letting attacker-controlled strings break out of the intended pip-install argument context. No public exploit identified at time of analysis, but a vendor patch and advisory are available from AWS.
Authorization bypass in Avo (Ruby on Rails admin framework) versions <= 3.32.0 and 4.0.0.beta.1 through 4.0.0.beta.50 allows authenticated low-privileged users to attach arbitrary related records to parent resources via a direct POST to the associations endpoint, bypassing the `attach_<association>?` policy enforced only on the form-rendering GET. Publicly available exploit code exists (Python PoC in the GHSA advisory), and in deployments where associations encode teams, tenants, roles, or memberships, exploitation yields privilege escalation and cross-tenant data exposure.