Python
Monthly
Stored cross-site scripting in File Browser via admin-controlled branding fields allows injection of persistent JavaScript that executes for all visitors, including unauthenticated users. The vulnerability stems from use of Go's text/template (which performs no HTML escaping) instead of html/template when rendering the SPA index.html with branding data. An authenticated admin can inject malicious payloads into branding.name or branding.color fields that break out of their intended HTML context and execute arbitrary JavaScript in every user's browser without restriction, as no Content-Security-Policy header is set. Versions through v2.62.1 are affected; vendor-released patches are available.
Stored XSS in File Browser's EPUB preview function (versions ≤v2.62.1) allows authenticated attackers to steal JWT tokens and escalate privileges by uploading malicious EPUB files. The vulnerability arises from passing allowScriptedContent:true to the epub.js library combined with an ineffective iframe sandbox (allow-scripts + allow-same-origin), enabling JavaScript in crafted EPUBs to access parent frame localStorage. CVSS 7.6 (AV:N/AC:L/PR:L/UI:R/S:C). No public exploit identified at time of analysis beyond the detailed PoC in the advisory. EPSS data not available. Vendor-released patch available per GitHub advisory. Low-privilege users with file upload permissions can weaponize this to compromise administrator sessions.
Server-Side Request Forgery (SSRF) in FastMCP's OpenAPIProvider allows authenticated attackers to access arbitrary backend endpoints through path traversal injection in OpenAPI path parameters. The vulnerability arises from improper URL encoding in the RequestDirector._build_url() method, enabling attackers to escape intended API prefixes using '../' sequences and reach internal administrative or sensitive endpoints while inheriting the MCP provider's authentication context. This affects the fastmcp Python package and enables privilege escalation beyond the OpenAPI specification's intended API surface. No public exploit identified at time of analysis, though detailed proof-of-concept code exists in the GitHub advisory demonstrating traversal to /admin endpoints.
Symlink-based path traversal in ONNX Python library allows local attackers to read arbitrary files on the host system when loading maliciously crafted ONNX models with external data. Affected users who load untrusted ONNX models from compressed archives or external sources may inadvertently expose sensitive files (/etc/passwd, environment variables via /proc/1/environ, etc.). Publicly available exploit code exists with a detailed proof-of-concept demonstrating the vulnerability. No EPSS score or CISA KEV listing available at time of analysis, suggesting exploitation is not yet widespread.
Command injection in fastmcp install allows Windows users to execute arbitrary commands via shell metacharacters in server names. When installing a server with a name containing characters like `&` (e.g., `fastmcp install claude-code` with server name `test&calc`), the metacharacter is interpreted by cmd.exe during execution of .cmd wrapper scripts, leading to arbitrary command execution with user privileges. This affects Windows systems running claude or gemini CLI installations; macOS and Linux are unaffected. A patch is available via GitHub PR #3522.
Symlink race condition in Anthropic Python SDK async filesystem memory tool (versions 0.86.0-0.86.x) allows local authenticated attackers to escape sandbox restrictions and read or write arbitrary files outside the designated memory directory. The vulnerability exploits a time-of-check-time-of-use (TOCTOU) flaw where path validation occurs before symlink resolution, enabling an attacker with memory directory write access to redirect file operations via symlink manipulation. The synchronous implementation is unaffected. Vendor-released patch: version 0.87.0.
Anthropic Python SDK versions 0.86.0 to before 0.87.0 create memory files with overly permissive file permissions (0o666), allowing local attackers to read persisted agent state or modify memory files to influence model behavior on shared hosts and Docker environments. The vulnerability affects both synchronous and asynchronous memory tool implementations and has been patched in version 0.87.0; no public exploit code or active exploitation has been identified at the time of analysis.
Privilege escalation in APTRS (Automated Penetration Testing Reporting System) prior to version 2.0.1 allows any user to escalate their own account or modify any other user account to superuser status by submitting a crafted POST request to /api/auth/edituser/<pk> with an is_superuser field set to true. The CustomUserSerializer fails to mark is_superuser as read-only despite including it in serializer fields, and the edit_user view lacks validation to prevent non-superusers from modifying this critical field. No public exploit code or active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit given basic HTTP client access to the endpoint.
Nautobot REST API user creation and modification endpoints bypass Django's configured password validation rules, allowing authenticated administrators to set or modify user passwords that fail to meet organizational security standards. Versions prior to 2.4.30 and 3.0.10 are affected; an authenticated admin with high privileges can create accounts with weak passwords despite configured AUTH_PASSWORD_VALIDATORS rules. CVSS score is 2.7 (low severity) due to the requirement for authenticated administrative access; however, organizations with strict password policies relying on Nautobot's config-driven enforcement face an integrity risk.
SQL injection in SciTokens Python library allows unauthenticated remote code execution against the local SQLite database. The KeyCache class improperly uses str.format() to construct SQL queries with attacker-controlled issuer and key_id parameters, enabling arbitrary SQL command execution. Affects all versions prior to 1.9.6. CVSS 9.8 (Critical) with network attack vector, low complexity, and no privileges required. No CISA KEV listing indicates no confirmed active exploitation at time of analysis, though the straightforward nature of SQL injection and public patch details increase exploitation risk.
Cross-site scripting (XSS) in Tautulli 1.3.10 through 2.16.x allows remote attackers to inject malicious scripts via unsanitized JSONP callback parameters, enabling API key theft from authenticated users who click crafted links. The vulnerability requires social engineering (UI:A in CVSS) and affects the Plex monitoring tool's web interface. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though the attack complexity is rated high (AC:H) suggesting practical exploitation requires specific conditions. GitHub security advisory indicates vendor-patched release available.
SQL injection in Tautulli's /api/v2?cmd=get_home_stats endpoint allows authenticated administrators to exfiltrate sensitive data from the SQLite database via boolean-blind SQL inference. Affected versions include 2.14.2 through 2.16.x for the 'before' and 'after' parameters, and 2.1.0-beta through 2.16.x for the 'section_id' and 'user_id' parameters. The vulnerability requires possession of the admin API key and results in confidentiality compromise without code execution. Patch is available in version 2.17.0.
Path traversal in Tautulli's /newsletter/image/images API endpoint allows unauthenticated remote attackers to read arbitrary files from the server filesystem. Tautulli, a Python-based monitoring tool for Plex Media Server, is affected in all versions prior to 2.17.0. The vulnerability carries a CVSS 4.0 score of 8.7 with network attack vector, low complexity, and no authentication required (PR:N), enabling trivial exploitation for sensitive information disclosure. No active exploitation confirmed at time of analysis, though the unauthenticated nature and public disclosure significantly elevate real-world risk.
Server-Side Request Forgery (SSRF) in Tautulli prior to version 2.17.0 allows remote attackers to forge outbound HTTP requests from the Plex Media Server process via the unauthenticated /pms_image_proxy endpoint, potentially exposing internal services on RFC-1918 address space and enabling reconnaissance or attacks against systems accessible from the Plex server's network context.
Remote code execution in Tautulli (Python-based Plex Media Server monitoring tool) versions prior to 2.17.0 allows authenticated administrators to bypass sandbox restrictions in notification templates via lambda expressions, enabling arbitrary Python code execution. The vulnerability exploits a flaw in the str_eval() sandbox implementation that only inspects outer code object names (co_names) while nested lambda code objects store attribute accesses in co_consts, evading security checks. CVSS 7.5 with high attack complexity and high privilege requirement (PR:H) indicates limited real-world risk scope, with no public exploit identified at time of analysis.
Hardcoded wildcard CORS headers (Access-Control-Allow-Origin: *) in the Model Context Protocol Java SDK transport layer enable cross-origin session hijacking, allowing attackers to extract session IDs from victim browsers and relay authenticated requests back to internal MCP servers. The vulnerability affects the HttpServletSseServerTransportProvider and HttpServletStreamableServerTransportProvider classes in mcp-core; no public exploit code has been identified, though the attack requires user interaction (victim visiting attacker-controlled page). CVSS 6.1 reflects the combination of network-accessible vector, low attack complexity, and cross-origin impact, though practical exploitation depends on MCP server deployment architecture.
Cross-site scripting (XSS) in the slippers Django package's {% attrs %} template tag allows unauthenticated remote attackers to inject arbitrary HTML and JavaScript by passing untrusted context variables containing quote characters and event handler attributes. The vulnerability affects templates that pass user-supplied or database-derived values to {% attrs %} without prior escaping. Vendor-released patch version 0.6.3 is available.
Command injection in Glances Python monitoring tool allows local authenticated users to execute arbitrary system commands via malicious configuration files. Attackers with write access to Glances configuration files can embed shell commands in backtick-enclosed strings that execute automatically during config parsing with the privileges of the Glances process. In environments where Glances runs as a system service with elevated privileges, this enables privilege escalation from low-privileged user to root. CVSS 7.8 (High) with local attack vector requiring low privileges. Public exploit code exists in the advisory. EPSS data not available, not listed in CISA KEV.
Cross-origin data exfiltration in Glances XML-RPC server (glances -s) allows any website to steal complete system monitoring data including hostname, OS details, process lists with command-line arguments, and network configuration through CORS misconfiguration. The server sends Access-Control-Allow-Origin: * on all responses and processes XML-RPC POST requests with Content-Type: text/plain without validation, bypassing browser CORS preflight checks. Default deployments run unauthenticated, making all network-accessible instances immediately exploitable. No public exploit identified at time of analysis, though detailed proof-of-concept code is included in the advisory.
Cross-session credential leakage in awesome-llm-apps Streamlit-based GitHub MCP Agent allows unauthenticated users to retrieve previously stored API tokens and secrets from process-wide environment variables, compromising GitHub Personal Access Tokens and LLM API keys across concurrent session boundaries. The vulnerability stems from improper session isolation in a multi-user Streamlit application that persists credentials in os.environ without clearing them between user sessions, enabling attackers to escalate privileges and access private resources without authentication.
Remote code execution in giskard-agents Python library (versions ≤0.3.3 and 1.0.x alpha) allows attackers to execute arbitrary system commands when user-controlled strings are passed to the ChatWorkflow.chat() method. The vulnerability stems from unsandboxed Jinja2 template rendering that enables class traversal exploitation via Python's object introspection. Patched in versions 0.3.4 (stable) and 1.0.2b1 (pre-release). Public exploit code exists demonstrating full RCE via Jinja2 object traversal to os.popen(). No active exploitation confirmed at time of analysis, though the straightforward attack vector and clear PoC make this a critical priority for affected deployments.
A path traversal vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.
changedetection.io versions up to 0.54.6 leak all server environment variables including password hashes, proxy credentials, and API keys via unrestricted jq filter expressions. Attackers with API access (default: no authentication required) can extract SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed to the container by creating a watch with 'jqraw:env' as the include filter. Vendor-released patch available in version 0.54.7. No active exploitation confirmed (not in CISA KEV), but a detailed proof-of-concept exists in the GitHub advisory demonstrating full environment variable extraction in three API calls.
KQL injection in adx-mcp-server Python package allows authenticated attackers to execute arbitrary Kusto queries against Azure Data Explorer clusters. Three MCP tool handlers (get_table_schema, sample_table_data, get_table_details) unsafely interpolate the table_name parameter into query strings via f-strings, enabling data exfiltration from arbitrary tables, execution of management commands, and potential table drops. Vendor-released patch available (commit 0abe0ee). No public exploit identified at time of analysis, though proof-of-concept code exists in the security advisory demonstrating injection via comment-based bypass and newline-separated commands. Affects adx-mcp-server ≤ commit 48b2933.
Session hijacking in the Model Context Protocol Ruby SDK (mcp gem) allows attackers to intercept Server-Sent Events streams by reusing valid session identifiers. The streamable_http_transport.rb implementation overwrites existing SSE stream objects when a duplicate session ID connects, silently disconnecting legitimate users and redirecting all tool responses and real-time data to the attacker. A proof-of-concept demonstration has been provided showing successful stream hijacking, where the attacker receives confidential tool call responses intended for the victim. Patch available per vendor advisory (release v0.9.2 per references).
Dolibarr Core versions up to 22.0.4 allow authenticated users with minimal privileges to read arbitrary non-PHP files from the server via a Local File Inclusion vulnerability in /core/ajax/selectobject.php. The flaw stems from dynamic file inclusion occurring before authorization checks and a fail-open logic in the access control function, enabling exfiltration of sensitive configuration files, environment variables, and logs. Publicly available exploit code exists, and a vendor patch has been released.
PyLoad download manager (version 0.5.0 and potentially earlier, distributed via pip as pyload-ng) allows authenticated users to perform Server-Side Request Forgery attacks by submitting arbitrary URLs through the /api/addPackage endpoint without validation. Attackers with valid credentials can exfiltrate cloud provider metadata from AWS EC2, DigitalOcean, Google Cloud, and Azure instances, exposing IAM credentials, SSH keys, API tokens, and internal network topology. A proof-of-concept demonstration is documented with live instance credentials, and an upstream fix is available (PR/commit); a released patched version is not independently confirmed based on GitHub commit reference b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8.
Denial-of-service vulnerability in python-ecdsa library allows remote attackers to crash applications parsing untrusted DER-encoded private keys through truncated or malformed DER structures. The DER parsing functions accept invalid input that declares a longer byte length than actually provided, subsequently triggering unexpected internal IndexError exceptions instead of cleanly rejecting the malformed data. Publicly available proof-of-concept code demonstrates deterministic crashes via SigningKey.from_der() on mutated DER inputs.
Authenticated attackers with low-level privileges can exfiltrate sensitive database information from InvenTree open source inventory management systems prior to version 1.2.6 by abusing unvalidated filter parameters in bulk operation API endpoints. The vulnerability enables blind boolean-based data extraction through Django ORM relationship traversal, achieving high confidentiality impact with changed scope per CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (score 7.7). No public exploit identified at time of analysis, and vendor-released patches are available in versions 1.2.6 and 1.3.0.
Tandoor Recipes versions prior to 2.6.0 allow unlimited brute-force password guessing attacks against any known username through API endpoints accepting BasicAuthentication headers. While Django AllAuth rate limiting protects the HTML login form (5 attempts per minute per IP), API endpoints completely bypass these controls, enabling high-speed credential stuffing with no account lockout. A proof-of-concept exploit exists and the attack is automatable per SSVC analysis, though no active exploitation is confirmed in CISA KEV.
Tandoor Recipes application versions prior to 2.6.0 expose complete database schema and access control logic through an undocumented debug parameter in the Recipe API endpoint, allowing any authenticated user to extract raw SQL queries including table structures, JOIN relationships, WHERE conditions, and multi-tenant space identifiers even in production environments with DEBUG=False. A proof-of-concept exploit is available (SSVC exploitation status: poc). The CVSS 4.0 score of 7.7 reflects network-based exploitation with no attack complexity, and SSVC indicates the vulnerability is automatable with partial technical impact.
Tandoor Recipes versions through 2.5.3 permit Host header injection attacks that enable invite link poisoning, allowing authenticated administrators with high privileges to be social-engineered into sending system-generated invite tokens to attacker-controlled servers. The Django application's default ALLOWED_HOSTS='*' configuration fails to validate HTTP Host headers, which combined with request.build_absolute_uri() usage allows manipulation of all absolute URLs including invite emails, API pagination, and OpenAPI schemas. No public exploit identified at time of analysis; CVSS 8.1 reflects network-based attack requiring high privileges and user interaction with changed scope.
CVE-2026-33870 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
Langflow's Agentic Assistant feature executes LLM-generated Python code server-side during component validation, enabling arbitrary code execution when attackers can influence model outputs. The vulnerability affects the pip package 'langflow' and exists in endpoints /assist and streaming paths that invoke exec() on dynamically generated component code. A proof-of-concept exists demonstrating the execution chain from user input through validation to code execution. Authentication requirements depend on deployment configuration, with AUTO_LOGIN=true defaults potentially widening exposure. No public exploit identified at time of analysis beyond the documented PoC, though the technical details and code references provide a complete exploitation blueprint.
BentoML, a Python framework for ML model serving, contains a command injection vulnerability in the docker.system_packages configuration field of bentofile.yaml files. The vulnerability affects all versions supporting this feature (confirmed in version 1.4.36) and allows attackers to execute arbitrary commands during the Docker image build process (bentoml containerize). This is a high-severity supply chain risk with a CVSS score of 7.8, requiring user interaction to trigger but achieving full command execution as root during container builds.
A Command Injection vulnerability in OpenHands allows authenticated users to execute arbitrary commands in the agent sandbox by injecting shell metacharacters into the path parameter of the /api/conversations/{conversation_id}/git/diff API endpoint. The vulnerability affects OpenHands installations exposing this endpoint, with a CVSS score of 7.6. A patch is available via PR #13051, and while no EPSS or KEV data indicates active exploitation, the vulnerability is easily exploitable by any authenticated user.
An authenticated path traversal vulnerability in Zoraxy's configuration import endpoint (POST /api/conf/import) allows authenticated users to write arbitrary files outside the intended config directory by exploiting insufficient zip entry name sanitization, enabling remote code execution through malicious plugin creation. The vulnerability affects Zoraxy versions prior to 3.3.2 and has a CVSS score of 3.3 due to high privilege requirements, but poses significant real-world risk because Docker socket mapping could facilitate host takeover. A functional proof-of-concept demonstrating full RCE via entrypoint modification and plugin execution is publicly available.
SiYuan, a note-taking application written in Go, contains an unauthenticated directory traversal vulnerability in its /api/file/readDir endpoint. The vulnerability allows remote attackers without authentication to enumerate the entire directory structure of notebooks, configuration folders, plugins, and resource directories, which can be chained with file reading vulnerabilities for arbitrary document access. A working Python proof-of-concept exploit is publicly available, demonstrating recursive directory enumeration of data/ and conf/ directories.
An unauthenticated information disclosure vulnerability exists in SiYuan note-taking application that allows remote attackers to read the content of all documents, including encrypted or access-restricted files, through two API endpoints (/api/file/readDir and /api/block/getChildBlocks). A working proof-of-concept Python exploit has been published demonstrating complete document enumeration and content retrieval. With a CVSS score of 9.8 (Critical) indicating network-based exploitation requiring no privileges or user interaction, this represents a severe confidentiality breach for all published SiYuan instances.
A critical pre-authentication denial of service vulnerability in nats-server allows an unauthenticated remote attacker to crash the entire server process by sending a single malicious 15-byte WebSocket frame. The vulnerability affects nats-server versions 2.2.0 through 2.11.13 and 2.12.0 through 2.12.4 when WebSocket listeners are enabled. A working proof-of-concept exploit in Go has been publicly disclosed by security researcher Mistz1, demonstrating that a single TCP connection can bring down the entire NATS deployment including all connected clients, JetStream streams, and cluster routes.
Modoboa, an open-source mail server management platform, contains a command injection vulnerability in its subprocess execution handler that allows authenticated Reseller or SuperAdmin users to execute arbitrary operating system commands. A proof-of-concept exploit exists demonstrating how shell metacharacters in domain names can achieve code execution, typically as root in standard deployments. The vulnerability affects modoboa versions up to and including 2.7.0, with patches available in version 2.7.1.
A SQL injection vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
pyLoad versions 0.4.20 through 0.5.0b3.dev96 contain an authentication bypass vulnerability in the ClickNLoad feature's local_check decorator that allows remote attackers to spoof the HTTP Host header and access localhost-restricted endpoints without authentication. This vulnerability enables unauthenticated remote users to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code with the privileges of the pyLoad process. The vulnerability has been patched in version 0.5.0b3.dev97, and exploitation appears feasible given the straightforward nature of HTTP header manipulation.
The cbor2 Python library, which implements CBOR serialization, suffers from uncontrolled recursion when decoding deeply nested CBOR structures, allowing remote attackers to trigger Denial of Service by sending crafted payloads containing approximately 100,000 nested arrays. All versions prior to 5.9.0 are affected, including both the pure Python implementation and the C extension. Attackers can crash worker processes in web servers (Gunicorn, Uvicorn) and task queues (Celery) with small malicious packets under 100KB, causing complete service outages through repeated worker crashes.
Remote code execution in Python allows authenticated users with SETTINGS permission to modify the reconnect.script configuration parameter without restriction, which is then passed unsanitized to subprocess.run() enabling arbitrary command execution. The vulnerability exists due to insufficient input validation in the set_config_value() API endpoint, which only restricts the general.storage_folder setting while leaving other security-critical options like reconnect.script unprotected. An attacker with non-admin SETTINGS privileges can exploit this to achieve full system compromise on the affected Python installation.
The LoginControl plugin for AVideo contains a critical cryptographic weakness in its PGP-based 2FA implementation, generating 512-bit RSA keys that can be factored on commodity hardware within hours using publicly available tools. Attackers who obtain a user's public key can derive the complete private key and decrypt authentication challenges, completely bypassing the second factor protection. A proof-of-concept demonstrating key factoring and challenge decryption is included in the advisory, and unauthenticated endpoints allow anonymous CPU-intensive key generation for denial-of-service attacks.
Vikunja task management application contains an authentication bypass vulnerability in its password reset logic that allows disabled user accounts to be reactivated without authorization. The ResetPassword() function unconditionally sets user status to 'Active' after password reset completion, enabling disabled users to regain full access by requesting a password reset token and completing the reset process. A working proof-of-concept Python script is publicly available demonstrating automated exploitation of this vulnerability.
A non-terminating loop denial-of-service vulnerability exists in tinytag version 2.2.0, a Python library for reading audio file metadata. An attacker can supply a malicious MP3 file containing a crafted ID3v2 SYLT (synchronized lyrics) frame that causes the parsing operation to enter an infinite loop, consuming CPU resources until the worker process is terminated. The vulnerability affects server-side deployments that automatically parse user-supplied files, and has been patched in version 2.2.1.
pyLoad, a free and open-source download manager written in Python, contains a path traversal vulnerability in versions before 0.5.0b3.dev97 that allows arbitrary file deletion outside the extraction directory during password verification of encrypted 7z archives with non-encrypted headers. Attackers can exploit this vulnerability remotely with low complexity, requiring only user interaction, to delete arbitrary files on the system. This is assigned CVE-2026-32808 with a CVSS score of 8.1 (High severity), though no active exploitation (KEV) or public proof-of-concept has been reported at this time.
Path traversal in pydicom versions 2.0.0-rc.1 through 3.0.1 allows local attackers to read, copy, or delete arbitrary files outside the File-set root directory by crafting malicious ReferencedFileID values in DICOMDIR files. The vulnerability exists because pydicom fails to validate that resolved file paths remain within the intended File-set root before performing file I/O operations like copy(), write(), and remove(). No patch is currently available for affected versions.
A Host Header Spoofing vulnerability in the @local_check decorator of pyload-ng allows unauthenticated external attackers to bypass local-only IP address restrictions on the Click'N'Load API endpoints by sending a crafted HTTP Host header. This authentication bypass enables remote attackers to queue arbitrary downloads on the affected pyload instance, leading to Server-Side Request Forgery (SSRF) attacks against internal or external systems and Denial of Service through resource exhaustion. A proof-of-concept exploit exists in the form of a simple curl command that demonstrates immediate exploitability without user interaction.
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrary files anywhere on the host system, leading to remote code execution. The vulnerability affects Langflow version 1.7.3 and earlier, where the multipart upload filename bypasses security checks due to missing boundary containment in the LocalStorageService layer. A proof-of-concept exploit is publicly available demonstrating successful arbitrary file write outside the intended user directory.
The CustomizeUser plugin in PHP and Python allows attackers to bypass channel-level access control by exploiting improper password validation in the setPassword.json.php endpoint. An administrator-level attacker can set any user's channel password to zero due to type coercion of non-numeric characters, enabling trivial authentication bypass for any visitor. No patch is currently available for this critical vulnerability.
WWBN/AVideo fails to properly validate the redirectUri parameter in its login flow, allowing attackers to craft malicious URLs that redirect authenticated users to attacker-controlled sites after successful login. The vulnerability stems from insufficient encoding of user input before it is embedded into JavaScript code that executes a redirect via document.location. An attacker can exploit this open redirect to perform phishing attacks or distribute malware by tricking users into clicking a login link with an attacker-controlled redirect destination.
Stored cross-site scripting in the WWBN/AVideo CDN plugin allows authenticated attackers to inject malicious JavaScript through improperly sanitized video titles, which executes when users access download pages. An attacker with video creation or modification privileges can compromise any user viewing the affected download interface. No patch is currently available for PHP and Python implementations.
A critical validation bypass vulnerability in the ormar Python ORM library allows attackers to completely skip all Pydantic field validation by injecting a special '__pk_only__' parameter in JSON request bodies. This affects all applications using ormar's canonical FastAPI integration pattern (where ormar models are used directly as request body parameters), enabling attackers to persist invalid data, bypass security constraints, and potentially escalate privileges. A working proof-of-concept demonstrates the vulnerability is trivially exploitable, and with a CVSS score of 7.1, it poses significant risk to affected applications.
NLTK downloader contains a path traversal vulnerability that allows remote attackers to write arbitrary files to any location on the filesystem when a user downloads packages from a malicious server. Attackers controlling a remote XML index server can inject path traversal sequences (../) into package metadata to overwrite critical system files including /etc/passwd or SSH authorized_keys. A working proof-of-concept exploit exists demonstrating arbitrary file creation at /tmp/test_file.zip via malicious server and client script.
The NLTK (Natural Language Toolkit) WordNet Browser HTTP server contains an unauthenticated shutdown vulnerability that allows any remote attacker to terminate the service with a single GET request to the '/SHUTDOWN THE SERVER' endpoint. This affects users running nltk.app.wordnet_app in its default mode, where the server binds to all network interfaces without authentication. A proof-of-concept exploit is publicly available demonstrating the denial-of-service attack, though EPSS and KEV data are not yet available for this recent CVE.
A reflected cross-site scripting (XSS) vulnerability exists in NLTK's WordNet Browser application (nltk.app.wordnet_app) in the lookup_... route, where attacker-controlled word parameters are reflected into HTML responses without proper escaping. This vulnerability affects users running the local WordNet Browser server and allows attackers to inject and execute arbitrary JavaScript in the browser context of the affected application. A proof-of-concept exploit has been publicly demonstrated, and a vendor patch is available.
Memory exhaustion in Python's pickle deserialization allows attackers to crash applications by supplying a small malicious payload that forces allocation of gigabytes of memory through unrestricted constructor arguments in whitelisted classes. Applications using `_RestrictedUnpickler` to load untrusted pickle data are vulnerable to denial of service attacks. A patch is available.
Dynaconf, a Python configuration management library, contains a Server-Side Template Injection (SSTI) vulnerability in its @jinja resolver that allows arbitrary command execution when attackers can control configuration sources such as environment variables, .env files, or CI/CD secrets. The vulnerability affects pip package dynaconf and includes a public proof-of-concept demonstrating command execution via Jinja2 template evaluation without sandboxing. The @format resolver additionally enables object graph traversal to expose sensitive runtime data including API keys and credentials.
An unauthenticated remote code execution vulnerability exists in the mesop Python package's debugging Flask server endpoint (/exec-py) that accepts and executes arbitrary base64-encoded Python code without any authentication or validation. The vulnerability affects the mesop pip package, with a publicly disclosed proof-of-concept demonstrating trivial exploitation requiring only a single HTTP POST request. With a CVSS score of 9.8 (Critical) and detailed PoC availability, this represents an immediately exploitable vulnerability for any exposed instance.
A path traversal vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.
Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system with CVSS 9.9 critical severity. No patch is currently available for this vulnerability affecting Node.js environments.
PinchTab contains a Server-Side Request Forgery (SSRF) vulnerability in its /download endpoint that allows unauthenticated attackers to bypass URL validation and cause the embedded Chromium browser to make requests to internal network services. The vulnerability affects PinchTab versions 0.7.x and 0.8.x when the security.allowDownload setting is enabled (disabled by default), and exploits a validation gap where only the initial user-supplied URL is checked while subsequent browser-initiated requests (redirects, JavaScript navigations, resource fetches) bypass this protection entirely. Although the attacker cannot receive response bodies from internal services (blind SSRF), they can trigger state-changing endpoints on localhost or private network addresses reachable from the PinchTab host, with a proof-of-concept publicly available demonstrating counter increments on internal services.
PySpector versions 0.1.6 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator that fails to sanitize JavaScript payloads embedded within scanned Python code. When a victim scans a malicious Python file crafted by an attacker and opens the resulting HTML report in a browser, the embedded JavaScript executes in the local file context, potentially enabling DOM manipulation, page redirects, and theft of locally accessible data. A proof-of-concept demonstrating the vulnerability has been publicly disclosed.
The ujson Python library prior to version 5.12.0 contains an integer overflow/underflow vulnerability in the dumps() function that can crash the Python interpreter (segmentation fault) or cause an infinite loop, leading to denial of service. The vulnerability affects applications that allow untrusted users to control the indent parameter when serializing JSON, or that use large negative indent values with nested data structures. A proof-of-concept demonstrating both the segfault and infinite loop conditions is provided in the vulnerability disclosure, though there is no evidence of active exploitation (not in KEV).
ujson versions 5.4.0 through 5.11.0 contain a memory leak in JSON parsing of large integers outside the range [-2^63, 2^64 - 1], allowing remote denial of service attacks against services processing untrusted JSON input. An attacker can craft malicious JSON payloads with oversized integers to exhaust memory and crash vulnerable applications. A patch is available.
A Server-Side Request Forgery (SSRF) vulnerability in AVideo's LiveLinks proxy endpoint allows unauthenticated attackers to access internal services and cloud metadata by exploiting missing validation on HTTP redirect targets. The vulnerability enables attackers to bypass initial URL validation through a malicious redirect, potentially exposing AWS/GCP/Azure instance metadata including IAM credentials. A detailed proof-of-concept is available and a patch has been released by the vendor.
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-33017, CVSS 9.3) in the public flow build API that allows attackers to execute arbitrary Python code by supplying malicious flow data. KEV-listed with public PoC, this vulnerability enables anyone with network access to a Langflow instance to achieve server compromise through the API that builds public flows without authentication.
The pyasn1 library suffers from an uncontrolled recursion vulnerability when parsing deeply nested ASN.1 structures, allowing remote attackers to trigger a denial of service through stack exhaustion or memory consumption. Any service using pyasn1 to parse untrusted ASN.1 data (including LDAP, SNMP, Kerberos, and X.509 parsers) can be crashed remotely with a small crafted payload under 100KB. A working proof-of-concept is publicly available, and while not currently in CISA KEV, the vulnerability has a CVSS score of 7.5 indicating high severity.
CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
A Server-Side Request Forgery (SSRF) vulnerability exists in frdel/agent-zero version 0.9.7 within the handle_pdf_document function of python/helpers/document_query.py. This allows authenticated remote attackers to manipulate PDF document handling to perform arbitrary server-side requests, potentially accessing internal services or exfiltrating sensitive data. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure notifications, increasing the practical risk of exploitation.
Agent Zero 0.9.7-10's get_abs_path function in python/helpers/files.py is vulnerable to path traversal, allowing authenticated remote attackers to access files outside intended directories with limited confidentiality impact. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.
SiYuan's mobile file tree fails to sanitize notebook names in WebSocket rename events, allowing authenticated users to inject arbitrary HTML and JavaScript that executes in other clients' browsers. When combined with Electron's insecure configuration (nodeIntegration enabled, contextIsolation disabled), this stored XSS escalates to remote code execution with full Node.js privileges on affected desktop and mobile clients. The vulnerability affects users with notebook rename permissions across Docker, Node.js, Python, and Apple platforms.
Path traversal in Python and Docker import endpoints allows authenticated administrators to write files to arbitrary filesystem locations by injecting directory traversal sequences in multipart upload filenames, potentially enabling remote code execution through placement of malicious files in executable paths. The vulnerability affects the POST /api/import/importSY and POST /api/import/importZipMd endpoints which fail to sanitize user-supplied filenames before constructing file write paths. No patch is currently available.
A credential disclosure vulnerability exists in Glances monitoring tool when running in Central Browser mode with autodiscovery enabled. The vulnerability allows attackers on the same local network to steal reusable authentication credentials by advertising fake Glances services via Zeroconf, as the application trusts untrusted service names for password lookups instead of using verified IP addresses. A working proof-of-concept is included in the advisory, and the issue has a CVSS score of 8.1 indicating high severity.
The Glances system monitoring tool exposes reusable authentication credentials for downstream servers through an unauthenticated API endpoint when running in Central Browser mode without password protection. This vulnerability allows any network attacker to retrieve pbkdf2-hashed passwords that can be replayed to access protected Glances servers across an entire monitored fleet. A proof-of-concept is included in the advisory demonstrating credential extraction from the /api/4/serverslist endpoint.
The Glances system monitoring application accepts arbitrary HTTP Host headers on its REST API and WebUI endpoints, enabling DNS rebinding attacks that bypass browser same-origin policy and expose sensitive system data. While the MCP endpoint was recently hardened with host validation, the main FastAPI application for REST/WebUI/token routes lacks equivalent TrustedHostMiddleware protection, allowing attackers to rebind attacker-controlled domains to the victim's local Glances instance and read API responses as same-origin content. A proof-of-concept is code-validated through source inspection, and a patch is available in version 4.5.2 and later.
SQL injection in Python's Glances DuckDB export module allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting malicious data through unparameterized table and column name interpolation in DDL statements. While INSERT values use parameterized queries, identifier names are directly embedded via f-strings, enabling attackers over the network to manipulate database structure and access sensitive monitoring data. A patch is available.
A critical CORS misconfiguration in the Glances system monitoring tool's REST API allows any website to steal sensitive system information from users who visit a malicious page while having access to a Glances instance. The vulnerability affects all versions prior to 4.5.2 and enables cross-origin theft of system stats, configuration secrets, database passwords, API keys, and command-line arguments. A proof-of-concept is publicly available, though no active exploitation has been reported yet.
A critical information disclosure vulnerability in Glances system monitoring tool allows unauthenticated remote attackers to access sensitive configuration data including password hashes, SNMP community strings, and authentication keys through unprotected API endpoints. The vulnerability affects Glances versions prior to 4.5.2 when running in web server mode without password protection (the default configuration), and a proof-of-concept demonstrating the attack is publicly available. While not currently in CISA's Known Exploited Vulnerabilities catalog, the issue has a high CVSS score of 7.5 due to the ease of exploitation and severity of exposed secrets.
Glances monitoring system allows local attackers with limited privileges to execute arbitrary commands by injecting shell metacharacters into process or container names, which bypass command sanitization in the action execution handler. The vulnerability affects the threshold alert system that dynamically executes administrator-configured shell commands populated with runtime monitoring data. An attacker controlling a process name or container name can manipulate command parsing to break out of intended command boundaries and inject malicious commands.
Glances web server exposes its REST API without authentication by default when started with the -w flag, allowing unauthenticated remote attackers to access sensitive system information including process details that may contain credentials such as passwords and API keys. The vulnerability affects Python and Docker deployments where Glances is exposed to untrusted networks due to the server binding to 0.0.0.0 with authentication disabled by default. A patch is available to address this configuration vulnerability.
ONNX's hub.load() function can be bypassed to load untrusted models without user confirmation when the silent parameter is enabled, allowing attackers to potentially deliver malicious models to applications that suppress security warnings. The vulnerability stems from improper logic in the repository trust verification mechanism that prioritizes the silent flag over security checks. This affects Python-based systems using ONNX and could lead to unauthorized code execution through model loading.
Authlib's OpenID Connect ID Token validation silently passes verification when encountering unsupported cryptographic algorithms, allowing attackers to bypass hash integrity checks on forged tokens. This fail-open behavior in the `_verify_hash` function affects applications using Authlib for OIDC authentication and could enable token forgery attacks. A patch is available.
Authlib's implementation of the JWE RSA1_5 key management algorithm contains a padding oracle vulnerability that leaks decryption failures through timing and exception patterns, allowing attackers to decrypt sensitive data without the private key. The library disabled the constant-time protections provided by the underlying cryptography library and raises exceptions before tag validation completes, creating a reliable side-channel. Public exploit code exists for this vulnerability affecting Authlib users in Python and related Oracle products.
A critical authentication bypass vulnerability in authlib's JWT signature verification allows attackers to forge arbitrary tokens by injecting their own cryptographic keys through the JWT header. The flaw affects all versions of authlib prior to 1.6.9 when applications use key resolution callbacks that can return None (common in JWKS-based authentication flows). A working proof-of-concept exists demonstrating complete authentication bypass, enabling attackers to impersonate any user or assume administrative privileges without valid credentials.
A remote code execution vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
Symlink-based path traversal in ONNX Python library allows local attackers to read arbitrary files on the host system when loading maliciously crafted ONNX models with external data. Affected users who load untrusted ONNX models from compressed archives or external sources may inadvertently expose sensitive files (/etc/passwd, environment variables via /proc/1/environ, etc.). Publicly available exploit code exists with a detailed proof-of-concept demonstrating the vulnerability. No EPSS score or CISA KEV listing available at time of analysis, suggesting exploitation is not yet widespread.
Command injection in fastmcp install allows Windows users to execute arbitrary commands via shell metacharacters in server names. When installing a server with a name containing characters like `&` (e.g., `fastmcp install claude-code` with server name `test&calc`), the metacharacter is interpreted by cmd.exe during execution of .cmd wrapper scripts, leading to arbitrary command execution with user privileges. This affects Windows systems running claude or gemini CLI installations; macOS and Linux are unaffected. A patch is available via GitHub PR #3522.
Symlink race condition in Anthropic Python SDK async filesystem memory tool (versions 0.86.0-0.86.x) allows local authenticated attackers to escape sandbox restrictions and read or write arbitrary files outside the designated memory directory. The vulnerability exploits a time-of-check-time-of-use (TOCTOU) flaw where path validation occurs before symlink resolution, enabling an attacker with memory directory write access to redirect file operations via symlink manipulation. The synchronous implementation is unaffected. Vendor-released patch: version 0.87.0.
Anthropic Python SDK versions 0.86.0 to before 0.87.0 create memory files with overly permissive file permissions (0o666), allowing local attackers to read persisted agent state or modify memory files to influence model behavior on shared hosts and Docker environments. The vulnerability affects both synchronous and asynchronous memory tool implementations and has been patched in version 0.87.0; no public exploit code or active exploitation has been identified at the time of analysis.
Privilege escalation in APTRS (Automated Penetration Testing Reporting System) prior to version 2.0.1 allows any user to escalate their own account or modify any other user account to superuser status by submitting a crafted POST request to /api/auth/edituser/<pk> with an is_superuser field set to true. The CustomUserSerializer fails to mark is_superuser as read-only despite including it in serializer fields, and the edit_user view lacks validation to prevent non-superusers from modifying this critical field. No public exploit code or active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit given basic HTTP client access to the endpoint.
Nautobot REST API user creation and modification endpoints bypass Django's configured password validation rules, allowing authenticated administrators to set or modify user passwords that fail to meet organizational security standards. Versions prior to 2.4.30 and 3.0.10 are affected; an authenticated admin with high privileges can create accounts with weak passwords despite configured AUTH_PASSWORD_VALIDATORS rules. CVSS score is 2.7 (low severity) due to requirement for authenticated administrative access; however, organizations with strict password policies relying on Nautobot's config-driven enforcement face integrity risk.
SQL injection in SciTokens Python library allows unauthenticated remote code execution against the local SQLite database. The KeyCache class improperly uses str.format() to construct SQL queries with attacker-controlled issuer and key_id parameters, enabling arbitrary SQL command execution. Affects all versions prior to 1.9.6. CVSS 9.8 (Critical) with network attack vector, low complexity, and no privileges required. No CISA KEV listing indicates no confirmed active exploitation at time of analysis, though the straightforward nature of SQL injection and public patch details increase exploitation risk.
Cross-site scripting (XSS) in Tautulli 1.3.10 through 2.16.x allows remote attackers to inject malicious scripts via unsanitized JSONP callback parameters, enabling API key theft from authenticated users who click crafted links. The vulnerability requires social engineering (UI:A in CVSS) and affects the Plex monitoring tool's web interface. No public exploit or active exploitation (CISA KEV) confirmed at time of analysis, though the attack complexity is rated high (AC:H) suggesting practical exploitation requires specific conditions. GitHub security advisory indicates vendor-patched release available.
SQL injection in Tautulli's /api/v2?cmd=get_home_stats endpoint allows authenticated administrators to exfiltrate sensitive data from the SQLite database via boolean-blind SQL inference. Affected versions include 2.14.2-2.16.x for the 'before' and 'after' parameters, and 2.1.0-beta-2.16.x for 'section_id' and 'user_id' parameters. The vulnerability requires possession of the admin API key and results in confidentiality compromise without code execution. Patch is available in version 2.17.0.
Path traversal in Tautulli's /newsletter/image/images API endpoint allows unauthenticated remote attackers to read arbitrary files from the server filesystem. Tautulli, a Python-based monitoring tool for Plex Media Server, is affected in all versions prior to 2.17.0. The vulnerability carries a CVSS 4.0 score of 8.7 with network attack vector, low complexity, and no authentication required (PR:N), enabling trivial exploitation for sensitive information disclosure. No active exploitation confirmed at time of analysis, though the unauthenticated nature and public disclosure significantly elevate real-world risk.
Server-Side Request Forgery (SSRF) in Tautulli prior to version 2.17.0 allows remote attackers to forge outbound HTTP requests from the Plex Media Server process via the unauthenticated /pms_image_proxy endpoint, potentially exposing internal services on RFC-1918 address space and enabling reconnaissance or attacks against systems accessible from the Plex server's network context.
Remote code execution in Tautulli (Python-based Plex Media Server monitoring tool) versions prior to 2.17.0 allows authenticated administrators to bypass sandbox restrictions in notification templates via lambda expressions, enabling arbitrary Python code execution. The vulnerability exploits a flaw in the str_eval() sandbox implementation that only inspects outer code object names (co_names) while nested lambda code objects store attribute accesses in co_consts, evading security checks. CVSS 7.5 with high attack complexity and high privilege requirement (PR:H) indicates limited real-world risk scope, with no public exploit identified at time of analysis.
Hardcoded wildcard CORS headers (Access-Control-Allow-Origin: *) in the Model Context Protocol Java SDK transport layer enable cross-origin session hijacking, allowing attackers to extract session IDs from victim browsers and relay authenticated requests back to internal MCP servers. The vulnerability affects the HttpServletSseServerTransportProvider and HttpServletStreamableServerTransportProvider classes in mcp-core; no public exploit code has been identified, though the attack requires user interaction (victim visiting attacker-controlled page). CVSS 6.1 reflects the combination of network-accessible vector, low attack complexity, and cross-origin impact, though practical exploitation depends on MCP server deployment architecture.
Cross-site scripting (XSS) in the slippers Django package's {% attrs %} template tag allows unauthenticated remote attackers to inject arbitrary HTML and JavaScript by passing untrusted context variables containing quote characters and event handler attributes. The vulnerability affects templates that pass user-supplied or database-derived values to {% attrs %} without prior escaping. Vendor-released patch version 0.6.3 is available.
Command injection in Glances Python monitoring tool allows local authenticated users to execute arbitrary system commands via malicious configuration files. Attackers with write access to Glances configuration files can embed shell commands in backtick-enclosed strings that execute automatically during config parsing with the privileges of the Glances process. In environments where Glances runs as a system service with elevated privileges, this enables privilege escalation from low-privileged user to root. CVSS 7.8 (High) with local attack vector requiring low privileges. Public exploit code exists in the advisory. EPSS data not available, not listed in CISA KEV.
Cross-origin data exfiltration in Glances XML-RPC server (glances -s) allows any website to steal complete system monitoring data including hostname, OS details, process lists with command-line arguments, and network configuration through CORS misconfiguration. The server sends Access-Control-Allow-Origin: * on all responses and processes XML-RPC POST requests with Content-Type: text/plain without validation, bypassing browser CORS preflight checks. Default deployments run unauthenticated, making all network-accessible instances immediately exploitable. No public exploit identified at time of analysis, though detailed proof-of-concept code is included in the advisory.
Cross-session credential leakage in awesome-llm-apps Streamlit-based GitHub MCP Agent allows unauthenticated users to retrieve previously stored API tokens and secrets from process-wide environment variables, compromising GitHub Personal Access Tokens and LLM API keys across concurrent session boundaries. The vulnerability stems from improper session isolation in a multi-user Streamlit application that persists credentials in os.environ without clearing them between user sessions, enabling attackers to escalate privileges and access private resources without authentication.
Remote code execution in giskard-agents Python library (versions ≤0.3.3 and 1.0.x alpha) allows attackers to execute arbitrary system commands when user-controlled strings are passed to the ChatWorkflow.chat() method. The vulnerability stems from unsandboxed Jinja2 template rendering that enables class traversal exploitation via Python's object introspection. Patched in versions 0.3.4 (stable) and 1.0.2b1 (pre-release). Public exploit code exists demonstrating full RCE via Jinja2 object traversal to os.popen(). No active exploitation confirmed at time of analysis, though the straightforward attack vector and clear POC make this a critical priority for affected deployments.
A path traversal vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.
changedetection.io versions up to 0.54.6 leak all server environment variables including password hashes, proxy credentials, and API keys via unrestricted jq filter expressions. Attackers with API access (default: no authentication required) can extract SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed to the container by creating a watch with 'jqraw:env' as the include filter. Vendor-released patch available in version 0.54.7. No active exploitation confirmed (not in CISA KEV), but a detailed proof-of-concept exists in the GitHub advisory demonstrating full environment variable extraction in three API calls.
KQL injection in adx-mcp-server Python package allows authenticated attackers to execute arbitrary Kusto queries against Azure Data Explorer clusters. Three MCP tool handlers (get_table_schema, sample_table_data, get_table_details) unsafely interpolate the table_name parameter into query strings via f-strings, enabling data exfiltration from arbitrary tables, execution of management commands, and potential table drops. Vendor-released patch available (commit 0abe0ee). No public exploit identified at time of analysis, though proof-of-concept code exists in the security advisory demonstrating injection via comment-based bypass and newline-separated commands. Affects adx-mcp-server ≤ commit 48b2933.
Session hijacking in the Model Context Protocol Ruby SDK (mcp gem) allows attackers to intercept Server-Sent Events streams by reusing valid session identifiers. The streamable_http_transport.rb implementation overwrites existing SSE stream objects when a duplicate session ID connects, silently disconnecting legitimate users and redirecting all tool responses and real-time data to the attacker. A proof-of-concept demonstration has been provided showing successful stream hijacking, where the attacker receives confidential tool call responses intended for the victim. Patch available per vendor advisory (release v0.9.2 per references).
Dolibarr Core versions up to 22.0.4 allow authenticated users with minimal privileges to read arbitrary non-PHP files from the server via a Local File Inclusion vulnerability in /core/ajax/selectobject.php. The flaw stems from dynamic file inclusion occurring before authorization checks and a fail-open logic in the access control function, enabling exfiltration of sensitive configuration files, environment variables, and logs. Publicly available exploit code exists, and a vendor patch has been released.
PyLoad download manager (version 0.5.0 and potentially earlier, distributed via pip as pyload-ng) allows authenticated users to perform Server-Side Request Forgery attacks by submitting arbitrary URLs through the /api/addPackage endpoint without validation. Attackers with valid credentials can exfiltrate cloud provider metadata from AWS EC2, DigitalOcean, Google Cloud, and Azure instances, exposing IAM credentials, SSH keys, API tokens, and internal network topology. A proof-of-concept demonstration is documented with live instance credentials, and an upstream fix is available (PR/commit); a released patched version is not independently confirmed, based on GitHub commit reference b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8.
Denial-of-service vulnerability in python-ecdsa library allows remote attackers to crash applications parsing untrusted DER-encoded private keys through truncated or malformed DER structures. The DER parsing functions accept invalid input that declares a longer byte length than actually provided, subsequently triggering unexpected internal IndexError exceptions instead of cleanly rejecting the malformed data. Publicly available proof-of-concept code demonstrates deterministic crashes via SigningKey.from_der() on mutated DER inputs.
Authenticated attackers with low-level privileges can exfiltrate sensitive database information from InvenTree open source inventory management systems prior to version 1.2.6 by abusing unvalidated filter parameters in bulk operation API endpoints. The vulnerability enables blind boolean-based data extraction through Django ORM relationship traversal, achieving high confidentiality impact with changed scope per CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (score 7.7). No public exploit identified at time of analysis, and vendor-released patches are available in versions 1.2.6 and 1.3.0.
Tandoor Recipes versions prior to 2.6.0 allow unlimited brute-force password guessing attacks against any known username through API endpoints accepting BasicAuthentication headers. While Django AllAuth rate limiting protects the HTML login form (5 attempts per minute per IP), API endpoints completely bypass these controls, enabling high-speed credential stuffing with no account lockout. A proof-of-concept exploit exists and the attack is automatable per SSVC analysis, though no active exploitation is confirmed in CISA KEV.
Tandoor Recipes application versions prior to 2.6.0 expose complete database schema and access control logic through an undocumented debug parameter in the Recipe API endpoint, allowing any authenticated user to extract raw SQL queries including table structures, JOIN relationships, WHERE conditions, and multi-tenant space identifiers even in production environments with DEBUG=False. A proof-of-concept exploit is available (SSVC exploitation status: poc). The CVSS 4.0 score of 7.7 reflects network-based exploitation with no attack complexity, and SSVC indicates the vulnerability is automatable with partial technical impact.
Tandoor Recipes versions through 2.5.3 permit Host header injection attacks that enable invite link poisoning, allowing authenticated administrators with high privileges to be social-engineered into sending system-generated invite tokens to attacker-controlled servers. The Django application's default ALLOWED_HOSTS='*' configuration fails to validate HTTP Host headers, which combined with request.build_absolute_uri() usage allows manipulation of all absolute URLs including invite emails, API pagination, and OpenAPI schemas. No public exploit identified at time of analysis; CVSS 8.1 reflects network-based attack requiring high privileges and user interaction with changed scope.
CVE-2026-33870 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.
Langflow's Agentic Assistant feature executes LLM-generated Python code server-side during component validation, enabling arbitrary code execution when attackers can influence model outputs. The vulnerability affects the pip package 'langflow' and exists in endpoints /assist and streaming paths that invoke exec() on dynamically generated component code. A proof-of-concept exists demonstrating the execution chain from user input through validation to code execution. Authentication requirements depend on deployment configuration, with AUTO_LOGIN=true defaults potentially widening exposure. No public exploit identified at time of analysis beyond the documented PoC, though the technical details and code references provide a complete exploitation blueprint.
BentoML, a Python framework for ML model serving, contains a command injection vulnerability in the docker.system_packages configuration field of bentofile.yaml files. The vulnerability affects all versions supporting this feature (confirmed in version 1.4.36) and allows attackers to execute arbitrary commands during the Docker image build process (bentoml containerize). This is a high-severity supply chain risk with a CVSS score of 7.8, requiring user interaction to trigger but achieving full command execution as root during container builds.
A Command Injection vulnerability in OpenHands allows authenticated users to execute arbitrary commands in the agent sandbox by injecting shell metacharacters into the path parameter of the /api/conversations/{conversation_id}/git/diff API endpoint. The vulnerability affects OpenHands installations exposing this endpoint, with a CVSS score of 7.6. A patch is available via PR #13051, and while no EPSS or KEV data indicates active exploitation, the vulnerability is easily exploitable by any authenticated user.
An authenticated path traversal vulnerability in Zoraxy's configuration import endpoint (POST /api/conf/import) allows authenticated users to write arbitrary files outside the intended config directory by exploiting insufficient zip entry name sanitization, enabling remote code execution through malicious plugin creation. The vulnerability affects Zoraxy versions prior to 3.3.2 and has a CVSS score of 3.3 due to high privilege requirements, but poses significant real-world risk because Docker socket mapping could facilitate host takeover. A functional proof-of-concept demonstrating full RCE via entrypoint modification and plugin execution is publicly available.
SiYuan, a note-taking application written in Go, contains an unauthenticated directory traversal vulnerability in its /api/file/readDir endpoint. The vulnerability allows remote attackers without authentication to enumerate the entire directory structure of notebooks, configuration folders, plugins, and resource directories, which can be chained with file reading vulnerabilities for arbitrary document access. A working Python proof-of-concept exploit is publicly available, demonstrating recursive directory enumeration of data/ and conf/ directories.
An unauthenticated information disclosure vulnerability exists in SiYuan note-taking application that allows remote attackers to read the content of all documents, including encrypted or access-restricted files, through two API endpoints (/api/file/readDir and /api/block/getChildBlocks). A working proof-of-concept Python exploit has been published demonstrating complete document enumeration and content retrieval. With a CVSS score of 9.8 (Critical) indicating network-based exploitation requiring no privileges or user interaction, this represents a severe confidentiality breach for all published SiYuan instances.
A critical pre-authentication denial of service vulnerability in nats-server allows an unauthenticated remote attacker to crash the entire server process by sending a single malicious 15-byte WebSocket frame. The vulnerability affects nats-server versions 2.2.0 through 2.11.13 and 2.12.0 through 2.12.4 when WebSocket listeners are enabled. A working proof-of-concept exploit in Go has been publicly disclosed by security researcher Mistz1, demonstrating that a single TCP connection can bring down the entire NATS deployment including all connected clients, JetStream streams, and cluster routes.
Modoboa, an open-source mail server management platform, contains a command injection vulnerability in its subprocess execution handler that allows authenticated Reseller or SuperAdmin users to execute arbitrary operating system commands. A proof-of-concept exploit exists demonstrating how shell metacharacters in domain names can achieve code execution, typically as root in standard deployments. The vulnerability affects modoboa versions up to and including 2.7.0, with patches available in version 2.7.1.
A SQL injection vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
pyLoad versions 0.4.20 through 0.5.0b3.dev96 contain an authentication bypass vulnerability in the ClickNLoad feature's local_check decorator that allows remote attackers to spoof the HTTP Host header and access localhost-restricted endpoints without authentication. This vulnerability enables unauthenticated remote users to inject arbitrary downloads, write files to the storage directory, and execute JavaScript code with the privileges of the pyLoad process. The vulnerability has been patched in version 0.5.0b3.dev97, and exploitation appears feasible given the straightforward nature of HTTP header manipulation.
The cbor2 Python library, which implements CBOR serialization, suffers from uncontrolled recursion when decoding deeply nested CBOR structures, allowing remote attackers to trigger Denial of Service by sending crafted payloads containing approximately 100,000 nested arrays. All versions prior to 5.9.0 are affected, including both the pure Python implementation and the C extension. Attackers can crash worker processes in web servers (Gunicorn, Uvicorn) and task queues (Celery) with small malicious packets under 100KB, causing complete service outages through repeated worker crashes.
Remote code execution in Python allows authenticated users with SETTINGS permission to modify the reconnect.script configuration parameter without restriction, which is then passed unsanitized to subprocess.run() enabling arbitrary command execution. The vulnerability exists due to insufficient input validation in the set_config_value() API endpoint, which only restricts the general.storage_folder setting while leaving other security-critical options like reconnect.script unprotected. An attacker with non-admin SETTINGS privileges can exploit this to achieve full system compromise on the affected Python installation.
The LoginControl plugin for AVideo contains a critical cryptographic weakness in its PGP-based 2FA implementation, generating 512-bit RSA keys that can be factored on commodity hardware within hours using publicly available tools. Attackers who obtain a user's public key can derive the complete private key and decrypt authentication challenges, completely bypassing the second factor protection. A proof-of-concept demonstrating key factoring and challenge decryption is included in the advisory, and unauthenticated endpoints allow anonymous CPU-intensive key generation for denial-of-service attacks.
Vikunja task management application contains an authentication bypass vulnerability in its password reset logic that allows disabled user accounts to be reactivated without authorization. The ResetPassword() function unconditionally sets user status to 'Active' after password reset completion, enabling disabled users to regain full access by requesting a password reset token and completing the reset process. A working proof-of-concept Python script is publicly available demonstrating automated exploitation of this vulnerability.
A non-terminating loop denial-of-service vulnerability exists in tinytag version 2.2.0, a Python library for reading audio file metadata. An attacker can supply a malicious MP3 file containing a crafted ID3v2 SYLT (synchronized lyrics) frame that causes the parsing operation to enter an infinite loop, consuming CPU resources until the worker process is terminated. The vulnerability affects server-side deployments that automatically parse user-supplied files, and has been patched in version 2.2.1.
pyLoad, a free and open-source download manager written in Python, contains a path traversal vulnerability in versions before 0.5.0b3.dev97 that allows arbitrary file deletion outside the extraction directory during password verification of encrypted 7z archives with non-encrypted headers. Attackers can exploit this vulnerability remotely with low complexity, requiring only user interaction, to delete arbitrary files on the system. This is assigned CVE-2026-32808 with a CVSS score of 8.1 (High severity), though no active exploitation (KEV) or public proof-of-concept has been reported at this time.
Path traversal in pydicom versions 2.0.0-rc.1 through 3.0.1 allows local attackers to read, copy, or delete arbitrary files outside the File-set root directory by crafting malicious ReferencedFileID values in DICOMDIR files. The vulnerability exists because pydicom fails to validate that resolved file paths remain within the intended File-set root before performing file I/O operations like copy(), write(), and remove(). No patch is currently available for affected versions.
A Host Header Spoofing vulnerability in the @local_check decorator of pyload-ng allows unauthenticated external attackers to bypass local-only IP address restrictions on the Click'N'Load API endpoints by sending a crafted HTTP Host header. This authentication bypass enables remote attackers to queue arbitrary downloads on the affected pyload instance, leading to Server-Side Request Forgery (SSRF) attacks against internal or external systems and Denial of Service through resource exhaustion. A proof-of-concept exploit exists in the form of a simple curl command that demonstrates immediate exploitability without user interaction.
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrary files anywhere on the host system, leading to remote code execution. The vulnerability affects Langflow version 1.7.3 and earlier, where the multipart upload filename bypasses security checks due to missing boundary containment in the LocalStorageService layer. A proof-of-concept exploit is publicly available demonstrating successful arbitrary file write outside the intended user directory.
The CustomizeUser plugin in PHP and Python allows attackers to bypass channel-level access control by exploiting improper password validation in the setPassword.json.php endpoint. An administrator-level attacker can set any user's channel password to zero due to type coercion of non-numeric characters, enabling trivial authentication bypass for any visitor. No patch is currently available for this critical vulnerability.
WWBN/AVideo fails to properly validate the redirectUri parameter in its login flow, allowing attackers to craft malicious URLs that redirect authenticated users to attacker-controlled sites after successful login. The vulnerability stems from insufficient encoding of user input before it is embedded into JavaScript code that executes a redirect via document.location. An attacker can exploit this open redirect to perform phishing attacks or distribute malware by tricking users into clicking a login link with an attacker-controlled redirect destination.
Stored cross-site scripting in the WWBN/AVideo CDN plugin allows authenticated attackers to inject malicious JavaScript through improperly sanitized video titles, which executes when users access download pages. An attacker with video creation or modification privileges can compromise any user viewing the affected download interface. No patch is currently available for PHP and Python implementations.
A critical validation bypass vulnerability in the ormar Python ORM library allows attackers to completely skip all Pydantic field validation by injecting a special '__pk_only__' parameter in JSON request bodies. This affects all applications using ormar's canonical FastAPI integration pattern (where ormar models are used directly as request body parameters), enabling attackers to persist invalid data, bypass security constraints, and potentially escalate privileges. A working proof-of-concept demonstrates the vulnerability is trivially exploitable, and with a CVSS score of 7.1, it poses significant risk to affected applications.
NLTK downloader contains a path traversal vulnerability that allows remote attackers to write arbitrary files to any location on the filesystem when a user downloads packages from a malicious server. Attackers controlling a remote XML index server can inject path traversal sequences (../) into package metadata to overwrite critical system files including /etc/passwd or SSH authorized_keys. A working proof-of-concept exploit exists demonstrating arbitrary file creation at /tmp/test_file.zip via malicious server and client script.
The NLTK (Natural Language Toolkit) WordNet Browser HTTP server contains an unauthenticated shutdown vulnerability that allows any remote attacker to terminate the service with a single GET request to the '/SHUTDOWN THE SERVER' endpoint. This affects users running nltk.app.wordnet_app in its default mode, where the server binds to all network interfaces without authentication. A proof-of-concept exploit is publicly available demonstrating the denial-of-service attack, though EPSS and KEV data are not yet available for this recent CVE.
A reflected cross-site scripting (XSS) vulnerability exists in NLTK's WordNet Browser application (nltk.app.wordnet_app) in the lookup_... route, where attacker-controlled word parameters are reflected into HTML responses without proper escaping. This vulnerability affects users running the local WordNet Browser server and allows attackers to inject and execute arbitrary JavaScript in the browser context of the affected application. A proof-of-concept exploit has been publicly demonstrated, and a vendor patch is available.
Memory exhaustion in Python's pickle deserialization allows attackers to crash applications by supplying a small malicious payload that forces allocation of gigabytes of memory through unrestricted constructor arguments in whitelisted classes. Applications using `_RestrictedUnpickler` to load untrusted pickle data are vulnerable to denial of service attacks. A patch is available.
Dynaconf, a Python configuration management library, contains a Server-Side Template Injection (SSTI) vulnerability in its @jinja resolver that allows arbitrary command execution when attackers can control configuration sources such as environment variables, .env files, or CI/CD secrets. The vulnerability affects pip package dynaconf and includes a public proof-of-concept demonstrating command execution via Jinja2 template evaluation without sandboxing. The @format resolver additionally enables object graph traversal to expose sensitive runtime data including API keys and credentials.
An unauthenticated remote code execution vulnerability exists in the mesop Python package's debugging Flask server endpoint (/exec-py) that accepts and executes arbitrary base64-encoded Python code without any authentication or validation. The vulnerability affects the mesop pip package, with a publicly disclosed proof-of-concept demonstrating trivial exploitation requiring only a single HTTP POST request. With a CVSS score of 9.8 (Critical) and detailed PoC availability, this represents an immediately exploitable vulnerability for any exposed instance.
A path traversal vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.
Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system with CVSS 9.9 critical severity. No patch is currently available for this vulnerability affecting Node.js environments.
PinchTab contains a Server-Side Request Forgery (SSRF) vulnerability in its /download endpoint that allows unauthenticated attackers to bypass URL validation and cause the embedded Chromium browser to make requests to internal network services. The vulnerability affects PinchTab versions 0.7.x and 0.8.x when the security.allowDownload setting is enabled (disabled by default), and exploits a validation gap where only the initial user-supplied URL is checked while subsequent browser-initiated requests (redirects, JavaScript navigations, resource fetches) bypass this protection entirely. Although the attacker cannot receive response bodies from internal services (blind SSRF), they can trigger state-changing endpoints on localhost or private network addresses reachable from the PinchTab host, with a proof-of-concept publicly available demonstrating counter increments on internal services.
PySpector versions 0.1.6 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator that fails to sanitize JavaScript payloads embedded within scanned Python code. When a victim scans a malicious Python file crafted by an attacker and opens the resulting HTML report in a browser, the embedded JavaScript executes in the local file context, potentially enabling DOM manipulation, page redirects, and theft of locally accessible data. A proof-of-concept demonstrating the vulnerability has been publicly disclosed.
The ujson Python library prior to version 5.12.0 contains an integer overflow/underflow vulnerability in the dumps() function that can crash the Python interpreter (segmentation fault) or cause an infinite loop, leading to denial of service. The vulnerability affects applications that allow untrusted users to control the indent parameter when serializing JSON, or that use large negative indent values with nested data structures. A proof-of-concept demonstrating both the segfault and infinite loop conditions is provided in the vulnerability disclosure, though there is no evidence of active exploitation (not in KEV).
ujson versions 5.4.0 through 5.11.0 contain a memory leak in JSON parsing of large integers outside the range [-2^63, 2^64 - 1], allowing remote denial of service attacks against services processing untrusted JSON input. An attacker can craft malicious JSON payloads with oversized integers to exhaust memory and crash vulnerable applications. A patch is available.
A Server-Side Request Forgery (SSRF) vulnerability in AVideo's LiveLinks proxy endpoint allows unauthenticated attackers to access internal services and cloud metadata by exploiting missing validation on HTTP redirect targets. The vulnerability enables attackers to bypass initial URL validation through a malicious redirect, potentially exposing AWS/GCP/Azure instance metadata including IAM credentials. A detailed proof-of-concept is available and a patch has been released by the vendor.
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-33017, CVSS 9.3) in the public flow build API that allows attackers to execute arbitrary Python code by supplying malicious flow data. KEV-listed with public PoC, this vulnerability enables anyone with network access to a Langflow instance to achieve server compromise through the API that builds public flows without authentication.
The pyasn1 library suffers from an uncontrolled recursion vulnerability when parsing deeply nested ASN.1 structures, allowing remote attackers to trigger a denial of service through stack exhaustion or memory consumption. Any service using pyasn1 to parse untrusted ASN.1 data (including LDAP, SNMP, Kerberos, and X.509 parsers) can be crashed remotely with a small crafted payload under 100KB. A working proof-of-concept is publicly available, and while not currently in CISA KEV, the vulnerability has a CVSS score of 7.5 indicating high severity.
CVE-2026-26929 is a security vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
A Server-Side Request Forgery (SSRF) vulnerability exists in frdel/agent-zero version 0.9.7 within the handle_pdf_document function of python/helpers/document_query.py. This allows authenticated remote attackers to manipulate PDF document handling to perform arbitrary server-side requests, potentially accessing internal services or exfiltrating sensitive data. A public proof-of-concept exploit is available, and the vendor has not responded to early disclosure notifications, increasing the practical risk of exploitation.
Agent Zero 0.9.7-10's get_abs_path function in python/helpers/files.py is vulnerable to path traversal, allowing authenticated remote attackers to access files outside intended directories with limited confidentiality impact. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.
SiYuan's mobile file tree fails to sanitize notebook names in WebSocket rename events, allowing authenticated users to inject arbitrary HTML and JavaScript that executes in other clients' browsers. When combined with Electron's insecure configuration (nodeIntegration enabled, contextIsolation disabled), this stored XSS escalates to remote code execution with full Node.js privileges on affected desktop and mobile clients. The vulnerability affects users with notebook rename permissions across Docker, Node.js, Python, and Apple platforms.
Path traversal in Python and Docker import endpoints allows authenticated administrators to write files to arbitrary filesystem locations by injecting directory traversal sequences in multipart upload filenames, potentially enabling remote code execution through placement of malicious files in executable paths. The vulnerability affects the POST /api/import/importSY and POST /api/import/importZipMd endpoints which fail to sanitize user-supplied filenames before constructing file write paths. No patch is currently available.
A credential disclosure vulnerability exists in Glances monitoring tool when running in Central Browser mode with autodiscovery enabled. The vulnerability allows attackers on the same local network to steal reusable authentication credentials by advertising fake Glances services via Zeroconf, as the application trusts untrusted service names for password lookups instead of using verified IP addresses. A working proof-of-concept is included in the advisory, and the issue has a CVSS score of 8.1 indicating high severity.
The Glances system monitoring tool exposes reusable authentication credentials for downstream servers through an unauthenticated API endpoint when running in Central Browser mode without password protection. This vulnerability allows any network attacker to retrieve pbkdf2-hashed passwords that can be replayed to access protected Glances servers across an entire monitored fleet. A proof-of-concept is included in the advisory demonstrating credential extraction from the /api/4/serverslist endpoint.
The Glances system monitoring application accepts arbitrary HTTP Host headers on its REST API and WebUI endpoints, enabling DNS rebinding attacks that bypass browser same-origin policy and expose sensitive system data. While the MCP endpoint was recently hardened with host validation, the main FastAPI application for REST/WebUI/token routes lacks equivalent TrustedHostMiddleware protection, allowing attackers to rebind attacker-controlled domains to the victim's local Glances instance and read API responses as same-origin content. A proof-of-concept is code-validated through source inspection, and a patch is available in version 4.5.2 and later.
SQL injection in Python's Glances DuckDB export module allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting malicious data through unparameterized table and column name interpolation in DDL statements. While INSERT values use parameterized queries, identifier names are directly embedded via f-strings, enabling attackers over the network to manipulate database structure and access sensitive monitoring data. A patch is available.
A critical CORS misconfiguration in the Glances system monitoring tool's REST API allows any website to steal sensitive system information from users who visit a malicious page while having access to a Glances instance. The vulnerability affects all versions prior to 4.5.2 and enables cross-origin theft of system stats, configuration secrets, database passwords, API keys, and command-line arguments. A proof-of-concept is publicly available, though no active exploitation has been reported yet.
A critical information disclosure vulnerability in Glances system monitoring tool allows unauthenticated remote attackers to access sensitive configuration data including password hashes, SNMP community strings, and authentication keys through unprotected API endpoints. The vulnerability affects Glances versions prior to 4.5.2 when running in web server mode without password protection (the default configuration), and a proof-of-concept demonstrating the attack is publicly available. While not currently in CISA's Known Exploited Vulnerabilities catalog, the issue has a high CVSS score of 7.5 due to the ease of exploitation and severity of exposed secrets.
Glances monitoring system allows local attackers with limited privileges to execute arbitrary commands by injecting shell metacharacters into process or container names, which bypass command sanitization in the action execution handler. The vulnerability affects the threshold alert system that dynamically executes administrator-configured shell commands populated with runtime monitoring data. An attacker controlling a process name or container name can manipulate command parsing to break out of intended command boundaries and inject malicious commands.
Glances web server exposes its REST API without authentication by default when started with the -w flag, allowing unauthenticated remote attackers to access sensitive system information including process details that may contain credentials such as passwords and API keys. The vulnerability affects Python and Docker deployments where Glances is exposed to untrusted networks due to the server binding to 0.0.0.0 with authentication disabled by default. A patch is available to address this configuration vulnerability.
ONNX's hub.load() function can be bypassed to load untrusted models without user confirmation when the silent parameter is enabled, allowing attackers to potentially deliver malicious models to applications that suppress security warnings. The vulnerability stems from improper logic in the repository trust verification mechanism that prioritizes the silent flag over security checks. This affects Python-based systems using ONNX and could lead to unauthorized code execution through model loading.
Authlib's OpenID Connect ID Token validation silently passes verification when encountering unsupported cryptographic algorithms, allowing attackers to bypass hash integrity checks on forged tokens. This fail-open behavior in the `_verify_hash` function affects applications using Authlib for OIDC authentication and could enable token forgery attacks. A patch is available.
Authlib's implementation of the JWE RSA1_5 key management algorithm contains a padding oracle vulnerability that leaks decryption failures through timing and exception patterns, allowing attackers to decrypt sensitive data without the private key. The library disabled the constant-time protections provided by the underlying cryptography library and raises exceptions before tag validation completes, creating a reliable side-channel. Public exploit code exists for this vulnerability affecting Authlib users in Python and related Oracle products.
A critical authentication bypass vulnerability in authlib's JWT signature verification allows attackers to forge arbitrary tokens by injecting their own cryptographic keys through the JWT header. The flaw affects all versions of authlib prior to 1.6.9 when applications use key resolution callbacks that can return None (common in JWKS-based authentication flows). A working proof-of-concept exists demonstrating complete authentication bypass, enabling attackers to impersonate any user or assume administrative privileges without valid credentials.
A remote code execution vulnerability (CVSS 6.5). Remediation should follow standard vulnerability management procedures.