Skip to main content

Python

2173 CVEs product

Monthly

CVE-2021-41265 PyPI HIGH PATCH This Week

Flask-AppBuilder is a development framework built on top of Flask. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Python Authentication Bypass Flask Appbuilder
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2021-43410 MEDIUM This Month

Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Apache Python Airavata Django Portal
NVD
CVSS 3.1
5.3
EPSS
2.4%
CVE-2021-44420 PyPI HIGH PATCH This Week

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Authentication Bypass Django Satellite Debian Linux +2
NVD
CVSS 3.1
7.3
EPSS
2.3%
CVE-2021-3994 PyPI CRITICAL POC PATCH Act Now

django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python XSS Django Helpdesk
NVD GitHub
CVSS 3.1
9.6
EPSS
1.4%
CVE-2021-43777 MEDIUM PATCH This Month

Redash is a package for data visualization and sharing. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Python Google Redash
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2021-41281 PyPI HIGH PATCH This Week

Synapse is a package for Matrix homeservers written in Python 3/Twisted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Synapse Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
1.5%
CVE-2021-25986 PyPI MEDIUM PATCH This Month

In Django-wiki, versions 0.0.20 to 0.7.8 are vulnerable to Stored Cross-Site Scripting (XSS) in Notifications Section. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Python XSS Django Wiki
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-40831 LIB HIGH PATCH This Week

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python Authentication Bypass Apple Node.js Java +2
NVD GitHub
CVSS 3.1
7.2
EPSS
0.6%
CVE-2021-40830 LIB HIGH PATCH This Week

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Python Node.js Java Amazon Web Services Aws C Io +1
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2021-40829 LIB HIGH PATCH This Week

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Python Apple Information Disclosure Node.js Java +1
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2021-40828 LIB HIGH PATCH This Week

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Python Microsoft Information Disclosure Node.js Java +2
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2021-3950 PyPI MEDIUM POC PATCH This Month

django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python XSS Django Helpdesk
NVD GitHub
CVSS 3.1
5.4
EPSS
0.8%
CVE-2021-3945 PyPI MEDIUM POC PATCH This Month

django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python XSS Django Helpdesk
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2021-3572 PyPI MEDIUM PATCH This Month

A flaw was found in python-pip in the way it handled Unicode separators in git references. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity.

Python Information Disclosure Pip Agile Plm Communications Cloud Native Core Network Function Cloud Native Environment +1
NVD
CVSS 3.1
5.7
EPSS
1.7%
CVE-2021-43572 PyPI CRITICAL POC PATCH Act Now

The verify function in the Stark Bank Python ECDSA library (aka starkbank-escada or ecdsa-python) before 2.0.1 fails to check that the signature is non-zero, which allows attackers to forge. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Jwt Attack Ecdsa Python
NVD GitHub
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-39182 PyPI HIGH POC PATCH This Week

EnroCrypt is a Python module for encryption and hashing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Enrocrypt
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2021-41250 MEDIUM PATCH This Month

Python discord bot is the community bot for the Python Discord community. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Python Authentication Bypass Bot
NVD GitHub
CVSS 3.1
4.3
EPSS
0.7%
CVE-2021-41213 PyPI MEDIUM PATCH This Month

TensorFlow is an open source platform for machine learning. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Python Denial Of Service Tensorflow
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-42343 PyPI CRITICAL PATCH Act Now

An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python RCE Dask
NVD GitHub
CVSS 3.1
9.8
EPSS
2.9%
CVE-2021-41168 MEDIUM POC PATCH This Month

Snudown is a reddit-specific fork of the Sundown Markdown parser used by GitHub, with Python integration added. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python Denial Of Service Snudown
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2021-42771 PyPI HIGH POC PATCH This Week

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Python Path Traversal RCE Babel Debian Linux
NVD GitHub
CVSS 3.1
7.8
EPSS
0.7%
CVE-2021-41131 PyPI HIGH POC PATCH This Week

python-tuf is a Python reference implementation of The Update Framework (TUF). Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Python Path Traversal The Update Framework
NVD GitHub
CVSS 3.1
8.7
EPSS
1.4%
CVE-2021-42576 LIB CRITICAL POC PATCH Act Now

The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Bluemonday Pybluemonday
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2021-42134 PyPI MEDIUM PATCH This Month

The Unicorn framework before 0.36.1 for Django allows XSS via a component. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Python XSS Unicorn
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-42053 PyPI MEDIUM POC PATCH This Month

The Unicorn framework through 0.35.3 for Django allows XSS via component.name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python XSS Unicorn
NVD GitHub Exploit-DB
CVSS 3.1
5.4
EPSS
2.5%
CVE-2021-41125 PyPI MEDIUM PATCH This Month

Scrapy is a high-level web crawling and scraping framework for Python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Scrapy Debian Linux
NVD GitHub
CVSS 3.1
6.5
EPSS
1.2%
CVE-2021-32838 PyPI HIGH PATCH This Week

Flask-RESTX (pypi package flask-restx) is a community driven fork of Flask-RESTPlus. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Python Denial Of Service Flask Restx Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2021-32839 PyPI HIGH PATCH This Week

sqlparse is a non-validating SQL parser module for Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Python Denial Of Service Sqlparse
NVD GitHub
CVSS 3.1
7.5
EPSS
2.1%
CVE-2021-40839 PyPI HIGH PATCH This Week

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Rencode Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
5.6%
CVE-2021-32805 PyPI MEDIUM PATCH This Month

Flask-AppBuilder is an application development framework, built on top of Flask. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Python Flask Appbuilder
NVD GitHub
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-32831 npm HIGH POC PATCH This Week

Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Node.js Code Injection Python Total Js
NVD GitHub
CVSS 3.1
7.2
EPSS
1.5%
CVE-2021-39271 HIGH POC This Week

OrbiTeam BSCW Classic before 7.4.3 allows authenticated remote code execution (RCE) during archive extraction via attacker-supplied Python code in the class attribute of a .bscw file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Bscw Classic
NVD
CVSS 3.1
8.8
EPSS
3.7%
CVE-2021-36359 HIGH POC This Week

OrbiTeam BSCW Classic before 7.4.3 allows exportpdf authenticated remote code execution (RCE) via XML tag injection because reportlab\platypus\paraparser.py (reached via bscw.cgi. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Bscw Classic
NVD
CVSS 3.1
8.8
EPSS
4.0%
CVE-2021-39158 HIGH This Week

NVCaffe's python required dependencies list used to contain `gfortran`version prior to 0.17.4, entry which does not exist in the repository pypi.org. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure Nvcaffe
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2021-35936 PyPI MEDIUM PATCH This Month

If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Python Airflow
NVD
CVSS 3.1
5.3
EPSS
4.0%
CVE-2021-37678 PyPI HIGH PATCH This Week

TensorFlow is an end-to-end open source platform for machine learning. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Python RCE Tensorflow
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2021-38305 PyPI HIGH PATCH This Week

23andMe Yamale before 3.0.8 allows remote attackers to execute arbitrary code via a crafted schema file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Python File Upload RCE Yamale
NVD GitHub
CVSS 3.1
7.8
EPSS
2.5%
CVE-2021-32811 PyPI HIGH PATCH This Week

Zope is an open-source web application server. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Python RCE Accesscontrol Zope
NVD GitHub
CVSS 3.1
7.2
EPSS
2.3%
CVE-2021-32807 PyPI HIGH PATCH This Week

The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Python RCE Accesscontrol
NVD GitHub
CVSS 3.1
7.2
EPSS
2.0%
CVE-2021-34552 PyPI CRITICAL PATCH Act Now

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Python Pillow Debian Linux Fedora
NVD
CVSS 3.1
9.8
EPSS
3.2%
CVE-2021-23401 PyPI MEDIUM POC This Month

This affects all versions of package Flask-User. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Python Flask User
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
CVE-2021-35042 PyPI CRITICAL POC PATCH THREAT Act Now

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Python Django Fedora
NVD
CVSS 3.1
9.8
EPSS
44.4%
CVE-2021-32681 PyPI MEDIUM POC PATCH This Month

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python XSS Wagtail
NVD GitHub
CVSS 3.1
5.4
EPSS
1.1%
CVE-2021-23393 PyPI MEDIUM PATCH This Month

This affects the package Flask-Unchained before 0.9.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Python Flask Unchained
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2021-31997 HIGH This Week

A UNIX Symbolic Link (Symlink) Following vulnerability in python-postorius of openSUSE Leap 15.2, Factory allows local attackers to escalate from users postorius or postorius-admin to root. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Python Privilege Escalation Python Postorius
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2021-25322 HIGH POC This Week

A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of openSUSE Leap 15.2, Factory allows local attackers to escalate privileges from the user hyperkitty or hyperkitty-admin. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Python Privilege Escalation Python Hyperkitty
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2021-34363 PyPI CRITICAL PATCH Act Now

The thefuck (aka The Fuck) package before 3.31 for Python allows Path Traversal that leads to arbitrary file deletion via the "undo archive operation" feature. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Path Traversal The Fuck Fedora
NVD GitHub
CVSS 3.1
9.1
EPSS
1.8%
CVE-2021-32677 PyPI HIGH PATCH This Week

FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Python Fastapi Fedora
NVD GitHub
CVSS 3.1
8.1
EPSS
0.8%
CVE-2021-33571 PyPI HIGH PATCH This Week

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Python SSRF Django Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
3.1%
CVE-2021-33203 PyPI MEDIUM PATCH This Month

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Django Fedora
NVD
CVSS 3.1
4.9
EPSS
2.7%
CVE-2021-32674 PyPI HIGH PATCH This Week

Zope is an open-source web application server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Zope
NVD GitHub
CVSS 3.1
8.8
EPSS
1.6%
CVE-2021-29621 PyPI MEDIUM PATCH This Month

Flask-AppBuilder is a development framework, built on top of Flask. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Flask Appbuilder Airflow
NVD GitHub
CVSS 3.1
5.3
EPSS
3.4%
CVE-2021-33880 PyPI MEDIUM PATCH This Month

The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Python Information Disclosure Websockets Communications Cloud Native Core Policy Communications Cloud Native Core Security Edge Protection Proxy +2
NVD GitHub
CVSS 3.1
5.9
EPSS
2.3%
CVE-2021-33509 PyPI CRITICAL PATCH Act Now

Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python Information Disclosure Plone
NVD
CVSS 3.1
9.9
EPSS
2.0%
CVE-2021-32633 PyPI HIGH POC PATCH This Week

Zope is an open-source web application server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python Path Traversal Plone Zope
NVD GitHub
CVSS 3.1
8.8
EPSS
1.8%
CVE-2021-3426 MEDIUM PATCH This Month

There's a flaw in Python 3's pydoc. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Fedora Debian Linux Software Collections +6
NVD
CVSS 3.1
5.7
EPSS
1.9%
CVE-2021-32618 PyPI MEDIUM POC PATCH This Month

The Python "Flask-Security-Too" package is used for adding security features to your Flask application. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Python Flask Security
NVD GitHub
CVSS 3.1
6.1
EPSS
3.3%
CVE-2021-29614 PyPI HIGH POC PATCH This Week

TensorFlow is an end-to-end open source platform for machine learning. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Python Denial Of Service Tensorflow
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-29572 PyPI MEDIUM POC PATCH This Month

TensorFlow is an end-to-end open source platform for machine learning. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Null Pointer Dereference Python Denial Of Service Tensorflow
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-29571 PyPI HIGH POC PATCH This Week

TensorFlow is an end-to-end open source platform for machine learning. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Python Memory Corruption RCE Tensorflow
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-29567 PyPI MEDIUM POC PATCH This Month

TensorFlow is an end-to-end open source platform for machine learning. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Python Denial Of Service Tensorflow
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-29548 PyPI MEDIUM POC PATCH This Month

TensorFlow is an end-to-end open source platform for machine learning. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Python Denial Of Service Tensorflow
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-29539 PyPI MEDIUM POC PATCH This Month

TensorFlow is an end-to-end open source platform for machine learning. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Python Information Disclosure Tensorflow
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2021-29514 PyPI HIGH POC PATCH This Week

TensorFlow is an end-to-end open source platform for machine learning. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Python Memory Corruption Tensorflow
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-29513 PyPI HIGH POC PATCH This Week

TensorFlow is an end-to-end open source platform for machine learning. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Null Pointer Dereference Python Denial Of Service Tensorflow
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-29512 PyPI HIGH POC PATCH This Week

TensorFlow is an end-to-end open source platform for machine learning. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Python Tensorflow
NVD GitHub
CVSS 3.1
7.8
EPSS
0.2%
CVE-2021-33026 PyPI CRITICAL PATCH Act Now

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Python RCE Redis Privilege Escalation +1
NVD GitHub
CVSS 3.1
9.8
EPSS
7.3%
CVE-2021-29510 PyPI HIGH PATCH This Week

Pydantic is a data validation and settings management using Python type hinting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Pydantic Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-29471 PyPI MEDIUM PATCH This Month

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Python Denial Of Service Synapse Fedora
NVD GitHub
CVSS 3.1
5.3
EPSS
1.6%
CVE-2021-21419 PyPI MEDIUM PATCH This Month

Eventlet is a concurrent networking library for Python. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service Eventlet Fedora
NVD GitHub
CVSS 3.1
5.3
EPSS
1.8%
CVE-2021-32052 PyPI MEDIUM PATCH This Month

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Python XSS Django Fedora
NVD
CVSS 3.1
6.1
EPSS
3.1%
CVE-2021-29921 CRITICAL POC PATCH Act Now

In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Authentication Bypass Communications Cloud Native Core Automated Test Suite Communications Cloud Native Core Binding Support Function Communications Cloud Native Core Network Slice Selection Function +2
NVD GitHub
CVSS 3.1
9.8
EPSS
6.8%
CVE-2021-31542 PyPI HIGH PATCH This Week

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Django Debian Linux Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
5.3%
CVE-2021-28359 PyPI MEDIUM PATCH This Month

The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Python Airflow
NVD
CVSS 3.1
6.1
EPSS
14.4%
CVE-2021-29434 PyPI MEDIUM PATCH This Month

Wagtail is a Django content management system. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python XSS RCE Wagtail
NVD GitHub
CVSS 3.1
4.8
EPSS
0.6%
CVE-2021-30459 PyPI CRITICAL PATCH Act Now

A SQL Injection issue in the SQL Panel in Jazzband Django Debug Toolbar before 1.11.1, 2.x before 2.2.1, and 3.x before 3.2.1 allows attackers to execute SQL statements by changing the raw_sql input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Python Django Debug Toolbar
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2021-21393 PyPI MEDIUM PATCH This Month

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Python Denial Of Service Synapse Fedora
NVD GitHub
CVSS 3.1
6.5
EPSS
1.6%
CVE-2021-21392 PyPI MEDIUM PATCH This Month

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Python Synapse Fedora
NVD GitHub
CVSS 3.1
6.3
EPSS
0.9%
CVE-2021-21394 PyPI MEDIUM PATCH This Month

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Python Denial Of Service Synapse Fedora
NVD GitHub
CVSS 3.1
6.5
EPSS
1.5%
CVE-2021-28658 PyPI MEDIUM PATCH This Month

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Path Traversal Django Debian Linux Fedora
NVD
CVSS 3.1
5.3
EPSS
3.9%
CVE-2021-21416 PyPI LOW PATCH Monitor

django-registration is a user registration package for Django. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Python Information Disclosure Django Registration
NVD GitHub
CVSS 3.1
2.6
EPSS
0.4%
CVE-2021-29421 PyPI HIGH PATCH This Week

models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Python XXE Pikepdf Fedora
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2021-21333 PyPI MEDIUM PATCH This Month

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required.

Python Code Injection Synapse Fedora
NVD GitHub
CVSS 3.1
6.1
EPSS
1.4%
CVE-2021-21332 PyPI HIGH PATCH This Week

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

CSRF Python XSS Synapse Fedora
NVD GitHub
CVSS 3.1
8.2
EPSS
1.2%
CVE-2021-21377 PyPI MEDIUM PATCH This Month

OMERO.web is open source Django-based software for managing microscopy imaging. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Python Omero Web
NVD GitHub
CVSS 3.1
5.4
EPSS
0.8%
CVE-2021-21376 PyPI MEDIUM PATCH This Month

OMERO.web is open source Django-based software for managing microscopy imaging. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Omero Web
NVD GitHub
CVSS 3.1
6.5
EPSS
1.5%
CVE-2021-28957 PyPI MEDIUM POC PATCH This Month

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python XSS Lxml Debian Linux Fedora +2
NVD GitHub
CVSS 3.1
6.1
EPSS
4.0%
CVE-2021-28667 HIGH PATCH This Week

StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Stackstorm
NVD
CVSS 3.1
7.5
EPSS
2.2%
CVE-2021-28363 PyPI MEDIUM PATCH This Month

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Urllib3 Fedora Peoplesoft Enterprise Peopletools
NVD GitHub
CVSS 3.1
6.5
EPSS
2.1%
CVE-2021-21274 PyPI MEDIUM PATCH This Month

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Python Denial Of Service Synapse Fedora
NVD GitHub
CVSS 3.1
6.5
EPSS
2.2%
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Flask-AppBuilder is a development framework built on top of Flask. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Python Authentication Bypass Flask Appbuilder
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM This Month

Apache Airavata Django Portal allows CRLF log injection because of lack of escaping log statements. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Apache Python +1
NVD
EPSS 2% CVSS 7.3
HIGH PATCH This Week

In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Authentication Bypass Django +4
NVD
EPSS 1% CVSS 9.6
CRITICAL POC PATCH Act Now

django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python XSS Django Helpdesk
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Redash is a package for data visualization and sharing. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Python Google +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Synapse is a package for Matrix homeservers written in Python 3/Twisted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Synapse +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

In Django-wiki, versions 0.0.20 to 0.7.8 are vulnerable to Stored Cross-Site Scripting (XSS) in Notifications Section. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Python XSS Django Wiki
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python Authentication Bypass Apple +4
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Python Node.js +3
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Python Apple Information Disclosure +3
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Python Microsoft Information Disclosure +4
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python XSS Django Helpdesk
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python XSS Django Helpdesk
NVD GitHub
EPSS 2% CVSS 5.7
MEDIUM PATCH This Month

A flaw was found in python-pip in the way it handled Unicode separators in git references. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity.

Python Information Disclosure Pip +3
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

The verify function in the Stark Bank Python ECDSA library (aka starkbank-escada or ecdsa-python) before 2.0.1 fails to check that the signature is non-zero, which allows attackers to forge. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Jwt Attack +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

EnroCrypt is a Python module for encryption and hashing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Enrocrypt
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Python discord bot is the community bot for the Python Discord community. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Python Authentication Bypass Bot
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

TensorFlow is an open source platform for machine learning. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity.

Python Denial Of Service Tensorflow
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in the Dask distributed package before 2021.10.0 for Python. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python RCE Dask
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Snudown is a reddit-specific fork of the Sundown Markdown parser used by GitHub, with Python integration added. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python Denial Of Service Snudown
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Python Path Traversal RCE +2
NVD GitHub
EPSS 1% CVSS 8.7
HIGH POC PATCH This Week

python-tuf is a Python reference implementation of The Update Framework (TUF). Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Python Path Traversal The Update Framework
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python (in pybluemonday), does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Bluemonday +1
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The Unicorn framework before 0.36.1 for Django allows XSS via a component. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Python XSS Unicorn
NVD GitHub
EPSS 3% CVSS 5.4
MEDIUM POC PATCH This Month

The Unicorn framework through 0.35.3 for Django allows XSS via component.name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python XSS Unicorn
NVD GitHub Exploit-DB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Scrapy is a high-level web crawling and scraping framework for Python. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Scrapy +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Flask-RESTX (pypi package flask-restx) is a community driven fork of Flask-RESTPlus. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Python Denial Of Service Flask Restx +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

sqlparse is a non-validating SQL parser module for Python. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Python Denial Of Service Sqlparse
NVD GitHub
EPSS 6% CVSS 7.5
HIGH PATCH This Week

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Rencode +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Flask-AppBuilder is an application development framework, built on top of Flask. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Python Flask Appbuilder
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC PATCH This Week

Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Node.js Code Injection +2
NVD GitHub
EPSS 4% CVSS 8.8
HIGH POC This Week

OrbiTeam BSCW Classic before 7.4.3 allows authenticated remote code execution (RCE) during archive extraction via attacker-supplied Python code in the class attribute of a .bscw file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Bscw Classic
NVD
EPSS 4% CVSS 8.8
HIGH POC This Week

OrbiTeam BSCW Classic before 7.4.3 allows exportpdf authenticated remote code execution (RCE) via XML tag injection because reportlab\platypus\paraparser.py (reached via bscw.cgi. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Bscw Classic
NVD
EPSS 0% CVSS 8.8
HIGH This Week

NVCaffe's python required dependencies list used to contain `gfortran`version prior to 0.17.4, entry which does not exist in the repository pypi.org. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Information Disclosure Nvcaffe
NVD GitHub
EPSS 4% CVSS 5.3
MEDIUM PATCH This Month

If remote logging is not used, the worker (in the case of CeleryExecutor) or the scheduler (in the case of LocalExecutor) runs a Flask logging server and is listening on a specific port and also. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Python +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

TensorFlow is an end-to-end open source platform for machine learning. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Python RCE +1
NVD GitHub
EPSS 2% CVSS 7.8
HIGH PATCH This Week

23andMe Yamale before 3.0.8 allows remote attackers to execute arbitrary code via a crafted schema file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Python File Upload RCE +1
NVD GitHub
EPSS 2% CVSS 7.2
HIGH PATCH This Week

Zope is an open-source web application server. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Python RCE Accesscontrol +1
NVD GitHub
EPSS 2% CVSS 7.2
HIGH PATCH This Week

The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Python RCE Accesscontrol
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1.7 allow an attacker to pass controlled parameters directly into a convert function to trigger a buffer overflow in Convert.c. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Python Pillow +2
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

This affects all versions of package Flask-User. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Python Flask User
NVD GitHub
EPSS 44% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.order_by SQL injection if order_by is untrusted input from a client of a web application. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Python Django +1
NVD
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

Wagtail is an open source content management system built on Django. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python XSS Wagtail
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

This affects the package Flask-Unchained before 0.9.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Python Flask Unchained
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

A UNIX Symbolic Link (Symlink) Following vulnerability in python-postorius of openSUSE Leap 15.2, Factory allows local attackers to escalate from users postorius or postorius-admin to root. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Python Privilege Escalation Python Postorius
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

A UNIX Symbolic Link (Symlink) Following vulnerability in python-HyperKitty of openSUSE Leap 15.2, Factory allows local attackers to escalate privileges from the user hyperkitty or hyperkitty-admin. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Python Privilege Escalation Python Hyperkitty
NVD
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

The thefuck (aka The Fuck) package before 3.31 for Python allows Path Traversal that leads to arbitrary file deletion via the "undo archive operation" feature. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Path Traversal The Fuck +1
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

FastAPI is a web framework for building APIs with Python 3.6+ based on standard Python type hints. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Python Fastapi +1
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Python SSRF Django +1
NVD GitHub
EPSS 3% CVSS 4.9
MEDIUM PATCH This Month

Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Django +1
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Zope is an open-source web application server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Zope
NVD GitHub
EPSS 3% CVSS 5.3
MEDIUM PATCH This Month

Flask-AppBuilder is a development framework, built on top of Flask. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Flask Appbuilder +1
NVD GitHub
EPSS 2% CVSS 5.9
MEDIUM PATCH This Month

The aaugustin websockets library before 9.1 for Python has an Observable Timing Discrepancy on servers when HTTP Basic Authentication is enabled with basic_auth_protocol_factory(credentials=...). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Python Information Disclosure Websockets +4
NVD GitHub
EPSS 2% CVSS 9.9
CRITICAL PATCH Act Now

Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python Information Disclosure Plone
NVD
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

Zope is an open-source web application server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Python Path Traversal Plone +1
NVD GitHub
EPSS 2% CVSS 5.7
MEDIUM PATCH This Month

There's a flaw in Python 3's pydoc. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Fedora +8
NVD
EPSS 3% CVSS 6.1
MEDIUM POC PATCH This Month

The Python "Flask-Security-Too" package is used for adding security features to your Flask application. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Python Flask Security
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

TensorFlow is an end-to-end open source platform for machine learning. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Python Denial Of Service Tensorflow
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

TensorFlow is an end-to-end open source platform for machine learning. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Null Pointer Dereference Python Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

TensorFlow is an end-to-end open source platform for machine learning. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Python Memory Corruption +2
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

TensorFlow is an end-to-end open source platform for machine learning. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Python Denial Of Service Tensorflow
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

TensorFlow is an end-to-end open source platform for machine learning. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Python Denial Of Service Tensorflow
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

TensorFlow is an end-to-end open source platform for machine learning. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Python Information Disclosure Tensorflow
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

TensorFlow is an end-to-end open source platform for machine learning. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Python Memory Corruption +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

TensorFlow is an end-to-end open source platform for machine learning. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Null Pointer Dereference Python Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

TensorFlow is an end-to-end open source platform for machine learning. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Buffer Overflow Python Tensorflow
NVD GitHub
EPSS 7% CVSS 9.8
CRITICAL PATCH Act Now

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Python RCE +3
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Pydantic is a data validation and settings management using Python type hinting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Pydantic +1
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Python Denial Of Service Synapse +1
NVD GitHub
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

Eventlet is a concurrent networking library for Python. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Denial Of Service Eventlet +1
NVD GitHub
EPSS 3% CVSS 6.1
MEDIUM PATCH This Month

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Python XSS Django +1
NVD
EPSS 7% CVSS 9.8
CRITICAL POC PATCH Act Now

In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Authentication Bypass Communications Cloud Native Core Automated Test Suite +4
NVD GitHub
EPSS 5% CVSS 7.5
HIGH PATCH This Week

In Django 2.2 before 2.2.21, 3.1 before 3.1.9, and 3.2 before 3.2.1, MultiPartParser, UploadedFile, and FieldFile allowed directory traversal via uploaded files with suitably crafted file names. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Python Path Traversal Django +2
NVD GitHub
EPSS 14% CVSS 6.1
MEDIUM PATCH This Month

The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache XSS Python +1
NVD
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

Wagtail is a Django content management system. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Python XSS RCE +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

A SQL Injection issue in the SQL Panel in Jazzband Django Debug Toolbar before 1.11.1, 2.x before 2.2.1, and 3.x before 3.2.1 allows attackers to execute SQL statements by changing the raw_sql input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Python Django Debug Toolbar
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Python Denial Of Service Synapse +1
NVD GitHub
EPSS 1% CVSS 6.3
MEDIUM PATCH This Month

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Python Synapse +1
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Python Denial Of Service Synapse +1
NVD GitHub
EPSS 4% CVSS 5.3
MEDIUM PATCH This Month

In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Path Traversal Django +2
NVD
EPSS 0% CVSS 2.6
LOW PATCH Monitor

django-registration is a user registration package for Django. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.

Python Information Disclosure Django Registration
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

Python XXE Pikepdf +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required.

Python Code Injection Synapse +1
NVD GitHub
EPSS 1% CVSS 8.2
HIGH PATCH This Week

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

CSRF Python XSS +2
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

OMERO.web is open source Django-based software for managing microscopy imaging. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Python Omero Web
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

OMERO.web is open source Django-based software for managing microscopy imaging. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Omero Web
NVD GitHub
EPSS 4% CVSS 6.1
MEDIUM POC PATCH This Month

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python XSS Lxml +4
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Denial Of Service Stackstorm
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Urllib3 +2
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Python Denial Of Service Synapse +1
NVD GitHub
Prev Page 20 of 25 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy