Skip to main content

Python

2173 CVEs product

Monthly

CVE-2018-1000030 LOW PATCH Monitor

Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Rated low severity (CVSS 3.6). This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Memory Corruption Use After Free Python Buffer Overflow Ubuntu Linux
NVD
CVSS 3.1
3.6
EPSS
1.3%
CVE-2018-6461 HIGH POC This Week

March Hare WINCVS before 2.8.01 build 6610, and CVS Suite before 2009R2 build 6610, contains an Insecure Library Loading vulnerability in the wincvs2.exe or wincvs.exe file, which may allow local. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Python Wincvs
NVD
CVSS 3.0
7.8
EPSS
1.8%
CVE-2018-6188 PyPI HIGH PATCH This Week

django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Python Django Ubuntu Linux
NVD
CVSS 3.0
7.5
EPSS
4.9%
CVE-2018-6596 PyPI CRITICAL PATCH Act Now

webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Python Django Anymail Debian Linux
NVD GitHub
CVSS 3.0
9.1
EPSS
2.7%
CVE-2018-6353 HIGH POC This Week

The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 supports arbitrary Python code without considering (1) social-engineering attacks in which a user pastes code that they do not. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Python Command Injection Electrum
NVD GitHub
CVSS 3.0
7.8
EPSS
0.5%
CVE-2018-5773 PyPI MEDIUM PATCH This Month

An issue was discovered in markdown2 (aka python-markdown2) through 2.3.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Python Python Markdown2
NVD GitHub
CVSS 3.0
6.1
EPSS
0.8%
CVE-2017-17522 HIGH This Week

Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Code Injection
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2017-12340 MEDIUM This Month

A vulnerability in Cisco NX-OS System Software running on Cisco MDS Multilayer Director Switches, Cisco Nexus 7000 Series Switches, and Cisco Nexus 7700 Series Switches could allow an authenticated,. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity. No vendor patch available.

Python Cisco Authentication Bypass Nx Os
NVD
CVSS 3.0
4.2
EPSS
0.1%
CVE-2017-1000158 CRITICAL PATCH Act Now

CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow RCE Python Buffer Overflow Debian Linux
NVD
CVSS 3.1
9.8
EPSS
3.6%
CVE-2017-1000246 PyPI MEDIUM PATCH This Month

Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Pysaml2
NVD GitHub
CVSS 3.0
5.3
EPSS
0.1%
CVE-2017-0906 PyPI CRITICAL PATCH Act Now

The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource.get" method that could result. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Python Recurly Client Python
NVD GitHub
CVSS 3.0
9.8
EPSS
0.5%
CVE-2017-16764 PyPI CRITICAL POC Act Now

An exploitable vulnerability exists in the YAML parsing functionality in the read_yaml_file method in io_utils.py in django_make_app 0.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Django Make App
NVD GitHub
CVSS 3.1
9.8
EPSS
3.1%
CVE-2017-16763 PyPI CRITICAL POC PATCH Act Now

An exploitable vulnerability exists in the YAML parsing functionality in config.py in Confire 0.2.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Confire
NVD GitHub
CVSS 3.0
9.8
EPSS
1.9%
CVE-2017-16618 PyPI CRITICAL POC PATCH Act Now

An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Owlmixin
NVD GitHub
CVSS 3.0
9.8
EPSS
2.0%
CVE-2017-16616 PyPI CRITICAL PATCH Act Now

An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Pyanyapi
NVD GitHub
CVSS 3.0
9.8
EPSS
1.2%
CVE-2017-16615 PyPI CRITICAL PATCH Act Now

An exploitable vulnerability exists in the YAML parsing functionality in the parse_yaml_query method in parser.py in MLAlchemy before 0.2.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Mlalchemy
NVD GitHub
CVSS 3.0
9.8
EPSS
0.9%
CVE-2016-10516 PyPI MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Python Werkzeug
NVD GitHub
CVSS 3.0
6.1
EPSS
0.4%
CVE-2017-12301 MEDIUM This Month

A vulnerability in the Python scripting subsystem of Cisco NX-OS Software could allow an authenticated, local attacker to escape the Python parser and gain unauthorized access to the underlying. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Python Cisco Authentication Bypass Nx Os
NVD
CVSS 3.0
6.7
EPSS
0.1%
CVE-2017-14483 MEDIUM This Month

flower.initd in the Gentoo dev-python/flower package before 0.9.1-r1 for Celery Flower sets PID file ownership to a non-root account, which might allow local users to kill arbitrary processes by. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Race Condition Python Information Disclosure Dev Python Flower
NVD
CVSS 3.0
5.5
EPSS
0.0%
CVE-2017-2809 PyPI HIGH POC PATCH This Week

An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

RCE Python Hashicorp Code Injection Ansible Vault
NVD GitHub
CVSS 3.0
7.5
EPSS
0.6%
CVE-2017-1002150 PyPI MEDIUM PATCH This Month

python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Python CSRF Python Fedora
NVD GitHub
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-12794 PyPI MEDIUM POC PATCH THREAT This Month

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 21.0%.

XSS Python Django
NVD
CVSS 3.0
6.1
EPSS
21.0%
CVE-2015-3206 PyPI HIGH PATCH This Week

The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Denial Of Service Python Authentication Bypass Pykerberos
NVD GitHub
CVSS 3.0
8.1
EPSS
1.3%
CVE-2014-4616 PyPI MEDIUM POC PATCH This Month

Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

RCE Python Simplejson Opensuse
NVD
CVSS 3.1
5.9
EPSS
0.4%
CVE-2015-5081 PyPI HIGH PATCH This Week

Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python CSRF Django Cms
NVD GitHub
CVSS 3.0
8.8
EPSS
0.2%
CVE-2015-2674 PyPI MEDIUM This Month

Restkit allows man-in-the-middle attackers to spoof TLS servers by leveraging use of the ssl.wrap_socket function in Python with the default CERT_NONE value for the cert_reqs argument. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Python Information Disclosure Restkit
NVD GitHub
CVSS 3.0
5.9
EPSS
0.3%
CVE-2017-9233 HIGH POC This Week

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE Libexpat Python Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2017-10803 MEDIUM POC PATCH This Month

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. Public exploit code available.

Deserialization Python Odoo
NVD GitHub Exploit-DB
CVSS 3.0
6.5
EPSS
1.6%
CVE-2017-9807 CRITICAL POC THREAT Emergency

An issue was discovered in the OpenWebif plugin through 1.2.4 for E2 open devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.0%.

RCE Python Code Injection Openwebif
NVD GitHub
CVSS 3.0
9.8
EPSS
14.0%
CVE-2017-2810 PyPI HIGH POC PATCH This Week

An exploitable vulnerability exists in the Databook loading functionality of Tablib 0.11.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Python Information Disclosure Tablib
NVD
CVSS 3.0
7.5
EPSS
1.4%
CVE-2015-3220 PyPI HIGH PATCH This Week

The tlslite library before 0.4.9 for Python allows remote attackers to trigger a denial of service (runtime exception and process crash). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Denial Of Service Python Tlslite
NVD GitHub
CVSS 3.0
7.5
EPSS
0.8%
CVE-2017-9462 PyPI HIGH POC PATCH THREAT Act Now

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 48.7%.

RCE Python Mercurial Debian Linux Enterprise Linux Desktop +5
NVD
CVSS 3.1
8.8
EPSS
48.7%
Threat
4.7
CVE-2015-6531 HIGH POC This Week

Palo Alto Networks Panorama VM Appliance with PAN-OS before 6.0.1 might allow remote attackers to execute arbitrary Python code via a crafted firmware image file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Paloalto Code Injection Python Pan Os
NVD
CVSS 3.0
7.8
EPSS
1.0%
CVE-2017-3590 PyPI LOW PATCH Monitor

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/Python). Rated low severity (CVSS 3.3), this vulnerability is low attack complexity.

Python Authentication Bypass Oracle Connector Python
NVD
CVSS 3.0
3.3
EPSS
0.1%
CVE-2017-7234 PyPI MEDIUM PATCH This Month

A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Python Django
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-7233 PyPI MEDIUM PATCH This Month

Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

XSS Open Redirect Python Django
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2017-5524 PyPI MEDIUM PATCH This Month

Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Python Information Disclosure Plone
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2017-7235 PyPI HIGH PATCH This Week

An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Python Cloudflare Scrape Cloudflare
NVD GitHub
CVSS 3.0
8.8
EPSS
0.5%
CVE-2017-6591 PyPI MEDIUM POC This Month

There is a cross-site scripting vulnerability in django-epiceditor 0.2.3 via crafted content in a form field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Python Django Epiceditor
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2016-4043 PyPI MEDIUM PATCH This Month

Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Python Privilege Escalation Plone
NVD
CVSS 3.0
4.9
EPSS
0.1%
CVE-2013-7459 PyPI CRITICAL POC PATCH THREAT Act Now

Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.5%.

Buffer Overflow RCE Python Pycrypto Fedora
NVD GitHub
CVSS 3.0
9.8
EPSS
14.5%
CVE-2016-7036 PyPI CRITICAL PATCH Act Now

python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Python Jose
NVD GitHub VulDB
CVSS 3.0
9.8
EPSS
0.4%
CVE-2016-9015 PyPI LOW PATCH Monitor

Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Python OpenSSL Urllib3
NVD
CVSS 3.0
3.7
EPSS
0.0%
CVE-2016-6581 PyPI HIGH PATCH This Week

A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted for a denial of service attack, specifically a so-called "HPACK Bomb" attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Python Hpack Hyper
NVD
CVSS 3.0
7.5
EPSS
0.4%
CVE-2016-6580 PyPI HIGH PATCH This Week

A HTTP/2 implementation built using any version of the Python priority library prior to version 1.2.0 could be targeted by a malicious peer by having that peer assign priority information for every. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Python Priority Library
NVD
CVSS 3.0
7.5
EPSS
0.5%
CVE-2016-5851 PyPI HIGH PATCH This Week

python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python XXE Python Docx
NVD GitHub
CVSS 3.1
8.8
EPSS
0.9%
CVE-2016-9950 HIGH POC PATCH This Week

An issue was discovered in Apport before 2.20.4. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Path Traversal Python Apport Ubuntu Linux
NVD GitHub Exploit-DB
CVSS 3.0
7.8
EPSS
0.7%
CVE-2016-9949 HIGH POC PATCH This Week

An issue was discovered in Apport before 2.20.4. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Python Code Injection Apport Ubuntu Linux
NVD GitHub Exploit-DB
CVSS 3.0
7.8
EPSS
9.8%
CVE-2016-9014 PyPI HIGH PATCH This Week

Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Python Privilege Escalation Fedora Ubuntu Linux Django
NVD
CVSS 3.0
8.1
EPSS
3.0%
CVE-2016-9013 PyPI CRITICAL PATCH Act Now

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.

Oracle Python Authentication Bypass Django Ubuntu Linux +1
NVD
CVSS 3.0
9.8
EPSS
1.8%
CVE-2016-5598 MEDIUM PATCH This Month

Unspecified vulnerability in the MySQL Connector component 2.1.3 and earlier and 2.0.4 and earlier in Oracle MySQL allows remote attackers to affect confidentiality, integrity, and availability via. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required.

Oracle Python Authentication Bypass Mysql Connector Python
NVD
CVSS 3.0
5.6
EPSS
0.3%
CVE-2016-1000001 PyPI HIGH PATCH This Week

flask-oidc version 0.1.2 and earlier is vulnerable to an open redirect. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Open Redirect Flask Oidc
NVD GitHub
CVSS 3.0
7.4
EPSS
0.2%
CVE-2016-7401 PyPI HIGH PATCH This Week

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Python Google Ubuntu Linux Django +1
NVD
CVSS 3.0
7.5
EPSS
4.4%
CVE-2016-4972 PyPI CRITICAL PATCH Act Now

OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Python Mitaka Murano Murano Murano Dashboard +1
NVD
CVSS 3.0
9.8
EPSS
3.9%
CVE-2016-5699 MEDIUM POC PATCH THREAT This Month

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 41.7%.

Python Code Injection
NVD
CVSS 3.0
6.1
EPSS
41.7%
Threat
4.0
CVE-2016-5636 CRITICAL PATCH Act Now

Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 45.1%.

Integer Overflow Python Buffer Overflow
NVD
CVSS 3.0
9.8
EPSS
45.1%
CVE-2016-0772 MEDIUM POC PATCH This Month

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Python Authentication Bypass
NVD Exploit-DB
CVSS 3.0
6.5
EPSS
7.6%
CVE-2016-6186 PyPI MEDIUM POC PATCH THREAT This Month

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.1%.

XSS Python Debian Linux Django
NVD GitHub Exploit-DB
CVSS 3.0
6.1
EPSS
13.1%
CVE-2016-4472 HIGH PATCH This Week

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Denial Of Service RCE Buffer Overflow Libexpat Ubuntu Linux +2
NVD
CVSS 3.1
8.1
EPSS
2.3%
CVE-2016-3189 MEDIUM This Month

Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 23.7% and no vendor patch available.

Memory Corruption Denial Of Service Use After Free Bzip2 Python
NVD
CVSS 3.1
6.5
EPSS
23.7%
CVE-2013-7440 MEDIUM This Month

The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Python Information Disclosure
NVD
CVSS 3.0
5.9
EPSS
0.4%
CVE-2016-0718 CRITICAL PATCH Act Now

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service RCE Buffer Overflow Firefox Mac Os X +12
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2015-4605 HIGH POC This Week

The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly restrict a certain offset value,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE PHP Denial Of Service Enterprise Linux Desktop +6
NVD
CVSS 3.0
7.5
EPSS
9.1%
CVE-2015-4604 HIGH POC This Week

The mget function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly maintain a certain pointer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE PHP Denial Of Service Enterprise Linux Desktop +6
NVD
CVSS 3.0
7.5
EPSS
9.1%
CVE-2016-2533 PyPI MEDIUM PATCH This Month

Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Python Buffer Overflow Pillow Python Imaging +1
NVD GitHub
CVSS 3.0
6.5
EPSS
2.2%
CVE-2016-2513 PyPI LOW PATCH Monitor

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Django
NVD GitHub
CVSS 3.0
3.1
EPSS
1.2%
CVE-2016-2512 PyPI HIGH PATCH This Week

The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Python Django
NVD GitHub
CVSS 3.0
7.4
EPSS
1.2%
CVE-2016-2048 PyPI MEDIUM PATCH This Month

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity.

Python Authentication Bypass Django
NVD
CVSS 3.0
5.5
EPSS
0.1%
CVE-2015-7546 PyPI HIGH PATCH This Week

The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This Insufficiently Protected Credentials vulnerability could allow attackers to obtain user credentials due to weak protection mechanisms.

Python Authentication Bypass Keystonemiddleware Keystone Solaris
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2016-1494 PyPI MEDIUM POC PATCH This Month

The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Rsa Fedora Leap +1
NVD
CVSS 3.0
5.3
EPSS
3.1%
CVE-2015-7489 HIGH This Week

IBM SPSS Statistics 22.0.0.2 before IF10 and 23.0.0.2 before IF7 uses weak permissions (Everyone: Write) for Python scripts, which allows local users to gain privileges by modifying a script. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

IBM Python Privilege Escalation Spss Statistics
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2015-8213 PyPI MEDIUM PATCH This Month

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Django
NVD GitHub
CVSS 2.0
5.0
EPSS
3.0%
CVE-2015-5306 PyPI MEDIUM PATCH This Month

OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

RCE Python Ironic Inspector
NVD
CVSS 2.0
6.8
EPSS
0.6%
CVE-2015-5242 MEDIUM This Month

OpenStack Swift-on-File (aka Swiftonfile) does not properly restrict use of the pickle Python module when loading metadata, which allows remote authenticated users to execute arbitrary code via a. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.

RCE Python Code Injection Gluster Storage
NVD
CVSS 2.0
6.0
EPSS
1.2%
CVE-2015-5652 HIGH This Week

Untrusted search path vulnerability in python.exe in Python through 3.5.0 on Windows allows local users to gain privileges via a Trojan horse readline.pyd file in the current working directory. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Python Information Disclosure Microsoft
NVD
CVSS 2.0
7.2
EPSS
0.1%
CVE-2014-2331 HIGH This Week

Check_MK 1.2.2p2, 1.2.2p3, and 1.2.3i5 allows remote authenticated users to execute arbitrary Python code via a crafted rules.mk file in a snapshot. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

RCE Python Code Injection Check Mk
NVD
CVSS 2.0
8.5
EPSS
0.8%
CVE-2015-5964 PyPI MEDIUM PATCH This Month

The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Python Django Ubuntu Linux Solaris
NVD
CVSS 2.0
5.0
EPSS
4.4%
CVE-2015-5963 PyPI MEDIUM PATCH This Month

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Python Django Solaris Ubuntu Linux
NVD
CVSS 2.0
5.0
EPSS
5.2%
CVE-2015-1283 MEDIUM This Month

Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Integer Overflow Denial Of Service Google Buffer Overflow Chrome +12
NVD
CVSS 2.0
6.8
EPSS
0.5%
CVE-2015-5145 PyPI HIGH PATCH This Week

validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Python Django
NVD
CVSS 2.0
7.8
EPSS
0.8%
CVE-2015-5144 PyPI MEDIUM PATCH This Month

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Python Code Injection Ubuntu Linux Django Debian Linux +1
NVD
CVSS 2.0
4.3
EPSS
2.2%
CVE-2015-5143 PyPI HIGH PATCH Act Now

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 15.8%.

Denial Of Service Python Django Debian Linux Solaris +1
NVD
CVSS 2.0
7.8
EPSS
15.8%
CVE-2015-4234 HIGH This Week

Cisco NX-OS 6.0(2) and 6.2(2) on Nexus devices has an improper OS configuration, which allows local users to obtain root access via unspecified input to the Python interpreter, aka Bug IDs. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Cisco Python Privilege Escalation Nx Os
NVD
CVSS 2.0
7.2
EPSS
0.1%
CVE-2015-4231 LOW Monitor

The Python interpreter in Cisco NX-OS 6.2(8a) on Nexus 7000 devices allows local users to bypass intended access restrictions and delete an arbitrary VDC's files by leveraging administrative. Rated low severity (CVSS 3.6), this vulnerability is low attack complexity. No vendor patch available.

Cisco Python Privilege Escalation Nx Os
NVD
CVSS 2.0
3.6
EPSS
0.1%
CVE-2015-1950 MEDIUM This Month

IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity. No vendor patch available.

IBM Python Authentication Bypass Powervc
NVD
CVSS 2.0
4.6
EPSS
0.1%
CVE-2015-3982 PyPI MEDIUM PATCH This Month

The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Python Information Disclosure Django
NVD
CVSS 2.0
5.0
EPSS
0.2%
CVE-2015-3446 CRITICAL PATCH Act Now

The Framework Daemon in AlienVault Unified Security Management before 4.15 allows remote attackers to execute arbitrary Python code via a crafted plugin configuration file (.cfg). Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Python Code Injection Unified Security Management
NVD
CVSS 2.0
9.3
EPSS
1.5%
CVE-2015-0846 PyPI MEDIUM PATCH This Month

django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Django Markupfield
NVD GitHub
CVSS 2.0
5.0
EPSS
0.2%
CVE-2015-1852 PyPI MEDIUM PATCH This Month

The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Python Information Disclosure Keystonemiddleware Python Keystoneclient Ubuntu Linux
NVD
CVSS 2.0
4.3
EPSS
0.2%
CVE-2015-0693 HIGH This Week

Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 do not properly restrict use of the pickle Python module during certain tunnel-status checks, which allows local users to. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Cisco Python RCE Web Security Appliance
NVD
CVSS 2.0
7.2
EPSS
0.1%
EPSS 1% CVSS 3.6
LOW PATCH Monitor

Python 2.7.14 is vulnerable to a Heap-Buffer-Overflow as well as a Heap-Use-After-Free. Rated low severity (CVSS 3.6). This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Memory Corruption Use After Free Python +2
NVD
EPSS 2% CVSS 7.8
HIGH POC This Week

March Hare WINCVS before 2.8.01 build 6610, and CVS Suite before 2009R2 build 6610, contains an Insecure Library Loading vulnerability in the wincvs2.exe or wincvs.exe file, which may allow local. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Python Wincvs
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

django.contrib.auth.forms.AuthenticationForm in Django 2.0 before 2.0.2, and 1.11.8 and 1.11.9, allows remote attackers to obtain potentially sensitive information by leveraging data exposure from. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Python Django +1
NVD
EPSS 3% CVSS 9.1
CRITICAL PATCH Act Now

webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Python Django Anymail +1
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC This Week

The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 supports arbitrary Python code without considering (1) social-engineering attacks in which a user pastes code that they do not. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Python Command Injection Electrum
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

An issue was discovered in markdown2 (aka python-markdown2) through 2.3.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Python Python Markdown2
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Python Code Injection
NVD
EPSS 0% CVSS 4.2
MEDIUM This Month

A vulnerability in Cisco NX-OS System Software running on Cisco MDS Multilayer Director Switches, Cisco Nexus 7000 Series Switches, and Cisco Nexus 7700 Series Switches could allow an authenticated,. Rated medium severity (CVSS 4.2), this vulnerability is low attack complexity. No vendor patch available.

Python Cisco Authentication Bypass +1
NVD
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Integer Overflow RCE Python +2
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Python package pysaml2 version 4.4.0 and earlier reuses the initialization vector across encryptions in the IDP server, resulting in weak encryption of data. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Pysaml2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, 2.4.5, 2.5.1, 2.6.2 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource.get" method that could result. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Python Recurly Client Python
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

An exploitable vulnerability exists in the YAML parsing functionality in the read_yaml_file method in io_utils.py in django_make_app 0.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Django Make App
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An exploitable vulnerability exists in the YAML parsing functionality in config.py in Confire 0.2.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Confire
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Owlmixin
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

An exploitable vulnerability exists in the YAML parsing functionality in the YAMLParser method in Interfaces.py in PyAnyAPI before 0.6.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Pyanyapi
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

An exploitable vulnerability exists in the YAML parsing functionality in the parse_yaml_query method in parser.py in MLAlchemy before 0.2.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Mlalchemy
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the render_full function in debug/tbtools.py in the debugger in Pallets Werkzeug before 0.11.11 (as used in Pallets Flask and other products) allows remote. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS Python Werkzeug
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM This Month

A vulnerability in the Python scripting subsystem of Cisco NX-OS Software could allow an authenticated, local attacker to escape the Python parser and gain unauthorized access to the underlying. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Python Cisco Authentication Bypass +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

flower.initd in the Gentoo dev-python/flower package before 0.9.1-r1 for Celery Flower sets PID file ownership to a non-root account, which might allow local users to kill arbitrary processes by. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Race Condition Python Information Disclosure +1
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

RCE Python Hashicorp +2
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

python-fedora 0.8.0 and lower is vulnerable to an open redirect resulting in loss of CSRF protection. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Python CSRF +1
NVD GitHub
EPSS 21% CVSS 6.1
MEDIUM POC PATCH THREAT This Month

In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoescaping was disabled in a portion of the template for the technical 500 debug page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 21.0%.

XSS Python Django
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Denial Of Service Python Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

RCE Python Simplejson +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python CSRF Django Cms
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

Restkit allows man-in-the-middle attackers to spoof TLS servers by leveraging use of the ssl.wrap_socket function in Python with the default CERT_NONE value for the cert_reqs argument. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Python Information Disclosure Restkit
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat XML Parser Library) allows attackers to put the parser in an infinite loop using a malformed external entity definition from an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service XXE Libexpat +2
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. Public exploit code available.

Deserialization Python Odoo
NVD GitHub Exploit-DB
EPSS 14% CVSS 9.8
CRITICAL POC THREAT Emergency

An issue was discovered in the OpenWebif plugin through 1.2.4 for E2 open devices. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.0%.

RCE Python Code Injection +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

An exploitable vulnerability exists in the Databook loading functionality of Tablib 0.11.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Python Information Disclosure Tablib
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The tlslite library before 0.4.9 for Python allows remote attackers to trigger a denial of service (runtime exception and process crash). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Denial Of Service Python +1
NVD GitHub
EPSS 49% 4.7 CVSS 8.8
HIGH POC PATCH THREAT Act Now

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 48.7%.

RCE Python Mercurial +7
NVD
EPSS 1% CVSS 7.8
HIGH POC This Week

Palo Alto Networks Panorama VM Appliance with PAN-OS before 6.0.1 might allow remote attackers to execute arbitrary Python code via a crafted firmware image file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Paloalto Code Injection +2
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/Python). Rated low severity (CVSS 3.3), this vulnerability is low attack complexity.

Python Authentication Bypass Oracle +1
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18) site using the ``django.views.static.serve()`` view could redirect to any other domain, aka an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Open Redirect Python Django
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 relies on user input in some cases to redirect the user to an "on success" URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

XSS Open Redirect Python +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Python Information Disclosure Plone
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Python Cloudflare Scrape +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

There is a cross-site scripting vulnerability in django-epiceditor 0.2.3 via crafted content in a form field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Python Django Epiceditor
NVD
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Python Privilege Escalation Plone
NVD
EPSS 15% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 14.5%.

Buffer Overflow RCE Python +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

python-jose before 1.3.2 allows attackers to have unspecified impact by leveraging failure to use a constant time comparison for HMAC keys. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Python Jose
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Python OpenSSL +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A HTTP/2 implementation built using any version of the Python HPACK library between v1.0.0 and v2.2.0 could be targeted for a denial of service attack, specifically a so-called "HPACK Bomb" attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Python Hpack +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A HTTP/2 implementation built using any version of the Python priority library prior to version 1.2.0 could be targeted by a malicious peer by having that peer assign priority information for every. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Python Priority Library
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

python-docx before 0.8.6 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted document. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python XXE Python Docx
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

An issue was discovered in Apport before 2.20.4. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Path Traversal Python Apport +1
NVD GitHub Exploit-DB
EPSS 10% CVSS 7.8
HIGH POC PATCH This Week

An issue was discovered in Apport before 2.20.4. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

RCE Python Code Injection +2
NVD GitHub Exploit-DB
EPSS 3% CVSS 8.1
HIGH PATCH This Week

Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3, when settings.DEBUG is True, allow remote attackers to conduct DNS rebinding attacks by leveraging failure to. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Python Privilege Escalation Fedora +2
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Django 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x before 1.10.3 use a hardcoded password for a temporary database user created when running tests with an Oracle database, which makes it. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.

Oracle Python Authentication Bypass +3
NVD
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Unspecified vulnerability in the MySQL Connector component 2.1.3 and earlier and 2.0.4 and earlier in Oracle MySQL allows remote attackers to affect confidentiality, integrity, and availability via. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required.

Oracle Python Authentication Bypass +1
NVD
EPSS 0% CVSS 7.4
HIGH PATCH This Week

flask-oidc version 0.1.2 and earlier is vulnerable to an open redirect. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Open Redirect Flask Oidc
NVD GitHub
EPSS 4% CVSS 7.5
HIGH PATCH This Week

The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Python Google +3
NVD
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Python Mitaka Murano +3
NVD
EPSS 42% 4.0 CVSS 6.1
MEDIUM POC PATCH THREAT This Month

CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in CPython (aka Python) before 2.7.10 and 3.x before 3.4.4 allows remote attackers to inject arbitrary HTTP. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 41.7%.

Python Code Injection
NVD
EPSS 45% CVSS 9.8
CRITICAL PATCH Act Now

Integer overflow in the get_data function in zipimport.c in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers to have unspecified impact via a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 45.1%.

Integer Overflow Python Buffer Overflow
NVD
EPSS 8% CVSS 6.5
MEDIUM POC PATCH This Month

The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Python Authentication Bypass
NVD Exploit-DB
EPSS 13% CVSS 6.1
MEDIUM POC PATCH THREAT This Month

Cross-site scripting (XSS) vulnerability in the dismissChangeRelatedObjectPopup function in contrib/admin/static/admin/js/admin/RelatedObjectLookups.js in Django before 1.8.14, 1.9.x before 1.9.8,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 13.1%.

XSS Python Debian Linux +1
NVD GitHub Exploit-DB
EPSS 2% CVSS 8.1
HIGH PATCH This Week

The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Denial Of Service RCE Buffer Overflow +4
NVD
EPSS 24% CVSS 6.5
MEDIUM This Month

Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 23.7% and no vendor patch available.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Python Information Disclosure
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service RCE Buffer Overflow +14
NVD
EPSS 9% CVSS 7.5
HIGH POC This Week

The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly restrict a certain offset value,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE PHP +8
NVD
EPSS 9% CVSS 7.5
HIGH POC This Week

The mget function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly maintain a certain pointer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE PHP +8
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Python Buffer Overflow +3
NVD GitHub
EPSS 1% CVSS 3.1
LOW PATCH Monitor

The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Django
NVD GitHub
EPSS 1% CVSS 7.4
HIGH PATCH This Week

The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Python Django
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity.

Python Authentication Bypass Django
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This Insufficiently Protected Credentials vulnerability could allow attackers to obtain user credentials due to weak protection mechanisms.

Python Authentication Bypass Keystonemiddleware +2
NVD
EPSS 3% CVSS 5.3
MEDIUM POC PATCH This Month

The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Python Information Disclosure Rsa +3
NVD
EPSS 0% CVSS 7.8
HIGH This Week

IBM SPSS Statistics 22.0.0.2 before IF10 and 23.0.0.2 before IF7 uses weak permissions (Everyone: Write) for Python scripts, which allows local users to gain privileges by modifying a script. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

IBM Python Privilege Escalation +1
NVD
EPSS 3% CVSS 5.0
MEDIUM PATCH This Month

The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Django
NVD GitHub
EPSS 1% CVSS 6.8
MEDIUM PATCH This Month

OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

RCE Python Ironic Inspector
NVD
EPSS 1% CVSS 6.0
MEDIUM This Month

OpenStack Swift-on-File (aka Swiftonfile) does not properly restrict use of the pickle Python module when loading metadata, which allows remote authenticated users to execute arbitrary code via a. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.

RCE Python Code Injection +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Untrusted search path vulnerability in python.exe in Python through 3.5.0 on Windows allows local users to gain privileges via a Trojan horse readline.pyd file in the current working directory. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Python Information Disclosure Microsoft
NVD
EPSS 1% CVSS 8.5
HIGH This Week

Check_MK 1.2.2p2, 1.2.2p3, and 1.2.3i5 allows remote authenticated users to execute arbitrary Python code via a crafted rules.mk file in a snapshot. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.

RCE Python Code Injection +1
NVD
EPSS 4% CVSS 5.0
MEDIUM PATCH This Month

The (1) contrib.sessions.backends.base.SessionBase.flush and (2) cache_db.SessionStore.flush functions in Django 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions create empty. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Python Django +2
NVD
EPSS 5% CVSS 5.0
MEDIUM PATCH This Month

contrib.sessions.middleware.SessionMiddleware in Django 1.8.x before 1.8.4, 1.7.x before 1.7.10, 1.4.x before 1.4.22, and possibly other versions allows remote attackers to cause a denial of service. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Python Django +2
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Integer Overflow Denial Of Service Google +14
NVD
EPSS 1% CVSS 7.8
HIGH PATCH This Week

validators.URLValidator in Django 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Python Django
NVD
EPSS 2% CVSS 4.3
MEDIUM PATCH This Month

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Python Code Injection Ubuntu Linux +3
NVD
EPSS 16% CVSS 7.8
HIGH PATCH Act Now

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allows remote attackers to cause a denial of service (session store consumption) via. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 15.8%.

Denial Of Service Python Django +3
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Cisco NX-OS 6.0(2) and 6.2(2) on Nexus devices has an improper OS configuration, which allows local users to obtain root access via unspecified input to the Python interpreter, aka Bug IDs. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Cisco Python Privilege Escalation +1
NVD
EPSS 0% CVSS 3.6
LOW Monitor

The Python interpreter in Cisco NX-OS 6.2(8a) on Nexus 7000 devices allows local users to bypass intended access restrictions and delete an arbitrary VDC's files by leveraging administrative. Rated low severity (CVSS 3.6), this vulnerability is low attack complexity. No vendor patch available.

Cisco Python Privilege Escalation +1
NVD
EPSS 0% CVSS 4.6
MEDIUM This Month

IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity. No vendor patch available.

IBM Python Authentication Bypass +1
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

The session.flush function in the cached_db backend in Django 1.8.x before 1.8.2 does not properly flush the session, which allows remote attackers to hijack user sessions via an empty string in the. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Python Information Disclosure Django
NVD
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

The Framework Daemon in AlienVault Unified Security Management before 4.15 allows remote attackers to execute arbitrary Python code via a crafted plugin configuration file (.cfg). Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Python Code Injection +1
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Python Information Disclosure Django Markupfield
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Python Information Disclosure Keystonemiddleware +2
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 do not properly restrict use of the pickle Python module during certain tunnel-status checks, which allows local users to. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity. No vendor patch available.

Cisco Python RCE +1
NVD
Prev Page 23 of 25 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy