Python
Monthly
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Resource exhaustion in joserfc (versions 1.3.4-1.6.5) is possible because the RFC7797 unencoded-payload (b64=false) JWS code path skips the configured JWSRegistry.max_payload_length check, while the standard compact and flattened JSON paths correctly raise ExceededSizeError. Remotely submitted, cryptographically valid b64=false JWS tokens with arbitrarily large payloads are deserialized without size enforcement, consuming memory or CPU on the verifying server. No public exploit has been identified and the vulnerability is not in the CISA KEV catalog; a vendor-released fix is available in version 1.6.7.
Command injection in the AWS Bedrock AgentCore Python SDK (versions >= 1.1.3, < 1.6.1) allows remote authenticated users to execute arbitrary commands within the Code Interpreter sandbox by supplying crafted package name arguments to the install_packages() method. The flaw stems from improper neutralization of argument delimiters (CWE-88), letting attacker-controlled strings break out of the intended pip-install argument context. No public exploit identified at time of analysis, but a vendor patch and advisory are available from AWS.
Authorization bypass in Avo (Ruby on Rails admin framework) versions <= 3.32.0 and 4.0.0.beta.1 through 4.0.0.beta.50 allows authenticated low-privileged users to attach arbitrary related records to parent resources via a direct POST to the associations endpoint, bypassing the `attach_<association>?` policy enforced only on the form-rendering GET. Publicly available exploit code exists (Python PoC in the GHSA advisory), and in deployments where associations encode teams, tenants, roles, or memberships, exploitation yields privilege escalation and cross-tenant data exposure.
{flow_id} endpoint, causing disk exhaustion (DoS) and leaking the absolute filesystem path of the cache directory in the JSON response. No public exploit identified at time of analysis beyond the reporter's PoC, and the issue is not on CISA KEV, but exploitation is trivial - a single unauthenticated curl request - and the fix landed in 1.9.1 via PR #12831.
Private note disclosure in Open WebUI (≤0.8.10) allows any authenticated user to read the full contents of another user's private notes by exploiting a namespace collision in the Socket.IO collaborative editing subsystem. The ydoc:document:join handler enforces authorization only for document IDs prefixed with 'note:' (colon), but the YdocManager storage layer normalizes all IDs by substituting underscores for colons - making 'note:abc' and 'note_abc' identical storage keys. A fully functional public PoC exploit script is included in the GitHub Security Advisory. No KEV listing; fix is available in version 0.8.11.
Incorrect authorization in Open WebUI versions 0.9.5 and earlier allows any authenticated non-admin user to route LLM inference requests to arbitrary configured Ollama backends - including internally restricted, higher-privilege, or admin-disabled instances - by supplying a raw integer `url_idx` path parameter on eight indexed proxy routes. The flaw bypasses backend-level access isolation entirely: model authorization is checked, but backend authorization is silently skipped when `url_idx` is caller-supplied, and disabled backends remain reachable because their disabled state is never re-evaluated at request time. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the attack requires only a valid user account and knowledge of the URL pattern, making it a low-barrier insider threat in any multi-backend deployment.
Private RAG knowledge-base content belonging to any user can be fully exfiltrated by any authenticated low-privilege account in Open WebUI v0.9.5 deployments running Milvus with multitenancy enabled. This is a second-order bypass of the previously released fix for CVE-2026-44560 (GHSA-h36f-rqpx-j5wx): the prior patch introduced collection-level ACL checks, but the ACL's permissive handling of unknown collection names combined with unsanitized string interpolation into Milvus filter expressions creates an injection path that renders the ACL ineffective. A public proof-of-concept in the form of a ready-to-run curl command exists; no CISA KEV listing was identified at time of analysis.
SSRF protection bypass in Open WebUI's SafePlaywrightURLLoader (versions <= 0.9.5) allows authenticated users to access internal network resources by supplying an externally-hosted URL that returns an HTTP 301/302 redirect to a private address. Because Playwright's page.goto() automatically follows redirects without re-validating the destination, attackers can reach localhost, container-network peers, or cloud metadata endpoints (169.254.169.254) even when ENABLE_RAG_LOCAL_WEB_FETCH=False. A working PoC is published in the GHSA advisory; there is no public exploit identified at time of analysis being actively used, and no CISA KEV listing.
Authenticated path traversal and SSRF in Open WebUI's terminal-server reverse proxy (versions <= 0.9.5) allows non-admin users with granted terminal access to escape the intended path or policy scope using double-encoded traversal sequences (%252e%252e). The flaw bypasses the project's own _sanitize_proxy_path mitigation, which performs only a single URL-decode pass before the '..' check, letting attackers reach unintended endpoints, files, and internal services routed by the terminal server. No public exploit identified at time of analysis, though the vendor advisory includes working proof-of-concept request strings.
Unauthenticated remote code execution in NVIDIA Spatial Intelligence Lab's GEN3C inference API server allows network attackers to execute arbitrary Python code by sending crafted pickle payloads to the /request-inference and /seed-model endpoints. The endpoints feed raw HTTP bodies directly into pickle.loads() with no authentication or validation, so a standard __reduce__ gadget yields code execution as the inference process. No public exploit identified at time of analysis, but the upstream patch and a VulnCheck advisory document the precise vulnerable code path.
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the scanner by invoking the module-level profile.run() function, which is missing from the blocklist that only covers Profile.run and Profile.runctx. The scanner reports zero issues while pickle.loads() triggers exec() of attacker-controlled Python. No public exploit identified at time of analysis beyond the proof-of-concept in the GHSA advisory, and the issue is not listed in CISA KEV.
Remote code execution in python-statemachine 3.0.0 through 3.1.x allows attackers to run arbitrary Python in the host process by supplying a crafted SCXML document whose `<data expr="...">` attributes are passed unsandboxed to eval() inside SCXMLProcessor. Reported by VulnCheck with publicly available exploit code and a vendor advisory (GHSA-v4jc-pm6r-3vj8); no public exploit identified at time of analysis as actively in the wild, and the flaw is not listed in CISA KEV.
Broken Object Level Authorization in Open WebUI's `search_knowledge_files` builtin tool (versions ≤ 0.9.5) allows any authenticated user to enumerate file metadata from private or restricted knowledge bases they do not own or have permission to access. By sending a crafted chat completion request with native function calling enabled and supplying an arbitrary `knowledge_id`, an attacker bypasses the `AccessGrants` permission model entirely, receiving file IDs, filenames, knowledge base names, and timestamps. No KEV listing exists at time of analysis, but a detailed proof-of-concept with full reproduction steps is publicly documented in GitHub Security Advisory GHSA-cx9v-4qj2-jrw6, and a vendor-released patch is available in version 0.9.6.
Insecure Direct Object Reference in Open WebUI's prompt version-history API (versions ≤ 0.9.5) allows authenticated users to read or delete other users' private prompt history entries. Three endpoints authorize the URL-supplied `prompt_id` but pass caller-controlled `history_id` values to model-layer functions without verifying the history row belongs to the authorized prompt - a binding enforced correctly in a fourth endpoint but absent in these three. A functional proof-of-concept is included in the GitHub Security Advisory; no public KEV listing exists but exploitation steps are fully documented.
Sibling-prefix path traversal in open-webui 0.9.5 and earlier allows any authenticated user to read arbitrary files from directories adjacent to the configured cache directory, provided those directories share the string prefix 'cache' (e.g., cache_backup, cached_models). The flaw exists in serve_cache_file() at main.py:2914, where a missing trailing path separator in the startswith boundary check causes os.path.abspath() to validate resolved sibling paths as if they were within the cache root. Publicly available exploit code exists in the GHSA advisory (PoC confirmed against open-webui 0.9.5 via raw ASGI delivery); no confirmed active exploitation (not in CISA KEV) at time of analysis.
Stored cross-site scripting in Open WebUI versions up to and including 0.9.5 allows any authenticated user holding the default workspace.models permission to embed an SVG payload in a model's profile_image_url and hijack the session of anyone who opens that image URL as a top-level document. The flaw is an incomplete-patch bypass of GHSA-3wgj-c2hg-vm6q and GHSA-3856-3vxq-m6fc - the input validator and the MIME allowlist plus X-Content-Type-Options:nosniff added to the user and webhook endpoints were never applied to ModelMeta or the model image serving endpoint. No public exploit identified at time of analysis beyond the working PoC included in the advisory, and CVSS 7.6 reflects the cross-origin scope change leading to JWT theft and account takeover.
{id} content and delete endpoints. The flaw is a missing ownership check on model metadata that is later trusted as an authorization source by has_access_to_file(). A working proof-of-concept exercising the real insert sink and view_file branch is published in the GitHub Security Advisory, but no public exploit identified at time of analysis in CISA KEV.
Cross-user file read and deletion in Open WebUI <=0.9.5 allows authenticated users to access or destroy other users' files by attaching arbitrary file_id values to their own chat messages and sharing the chat. The flaw stems from missing ownership checks in Chats.insert_chat_files() combined with a shared-chat authorization branch that ignores access_type, so a read grant also satisfies write/delete checks. No public exploit identified at time of analysis, though a detailed PoC is included in the GitHub Security Advisory.
Cross-user file disclosure in Open WebUI (pip package open-webui, versions ≤ 0.9.5) allows any authenticated user to read the content of files uploaded by other users by supplying a victim's file UUID as the image_url.url value in POST /api/chat/completions. The server's image-conversion middleware resolves the UUID against the global file table with no ownership check, base64-encodes the file, and injects it into the LLM prompt, from which the attacker reads the content via a transcription instruction. No KEV listing confirms active exploitation, but a complete step-by-step reproduction proof-of-concept is embedded in the public GitHub Security Advisory (GHSA-wch8-mhj5-9frg), materially increasing exploitation likelihood; the vendor-released fix is version 0.9.6.
Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.
{event_id}/update` endpoint validates write access only on the source calendar, silently omitting the destination `calendar_id` authorization check that `create_event` correctly enforces - a classic IDOR pattern. A verified public proof-of-concept exists against v0.9.4 (the official Docker image); the fix is available in v0.9.6. No CISA KEV listing was present in the input data, so widespread in-the-wild exploitation is unconfirmed.
Memory exhaustion via audio decompression bomb in vLLM's `/v1/audio/transcriptions` endpoint allows a remote attacker to crash or severely degrade the inference server by uploading a crafted OPUS file that passes the 25MB compressed-size check but decodes to ~14.9GB of float32 PCM in memory. Affected are vLLM installations through v0.23.0 with speech-to-text (ASR) functionality enabled. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the attack methodology is fully detailed in GitHub Security Advisory GHSA-6pr9-rp53-2pmc, making independent reproduction trivial. The official CVSS PR:L rating conflicts with the advisory's explicit claim of unauthenticated exploitation - security teams should audit whether their deployment enforces authentication on the audio endpoint.
Heap memory address leakage in vLLM's Anthropic API router and speech-to-text WebSocket paths exposes the same ASLR-bypass primitive previously fixed in CVE-2026-22778. Five exception-handling sites across `vllm/entrypoints/anthropic/api_router.py`, `vllm/entrypoints/anthropic/serving.py`, and `vllm/entrypoints/speech_to_text/realtime/connection.py` echo raw `str(e)` output - including PIL BytesIO object repr strings containing heap addresses - directly to unauthenticated callers. A proof-of-concept is referenced in the advisory, and when chained with the parent CVE's libopenjp2 heap overflow, this leak reduces ASLR entropy from approximately 4 billion candidates to 8, enabling RCE; no public exploit identified at time of analysis for this CVE in isolation.
Temperature parameter validation in vLLM (pip/vllm ≤ 0.23.0) can be bypassed by supplying NaN or positive Infinity as the temperature value, because Python's IEEE 754 float comparison operators silently return False for these inputs, allowing the values to propagate unchecked into GPU CUDA sampling kernels. The invalid inputs trigger undefined behavior or fatal CUDA errors that crash the inference worker process, dropping all in-flight requests and degrading service for every concurrent user sharing that worker. No public exploit has been identified at time of analysis, though the trigger condition is fully disclosed in the published GHSA-7h4p-rffg-7823 advisory and is trivially reproducible from that description alone.
Authentication bypass in Backpropagate 1.1.0 and 1.1.1 lets any client that can reach the Reflex web UI's bound port take full control of the training control plane, despite the operator passing --auth user:pass. The CLI advertised and confirmed authentication as active, but the Reflex backend never read the BACKPROPAGATE_UI_AUTH variable and registered no middleware, so dataset upload, training control, GGUF export, and HuggingFace Hub push were exposed unauthenticated. No public exploit identified at time of analysis, but the gap is trivially reachable and CVSS 4.0 is 9.3.
In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.
Server-Side Request Forgery in Pydantic AI (versions 1.56.0-1.101.0, 2.0.0b1, 2.0.0b2) allows unauthenticated network attackers to bypass the cloud-metadata IP blocklist by encoding metadata service addresses (e.g., 169.254.169.254) in IPv6 transition forms - specifically IPv4-compatible IPv6, NAT64 RFC 8215 local-use prefixes, operator-chosen NAT64 prefixes, and ISATAP - that the prior remediation (CVE-2026-46678) failed to decode, enabling retrieval of cloud IAM short-term credentials. Exploitation is constrained by two simultaneous prerequisites: the application must use the non-default `force_download='allow-local'` mode and must operate on a network that routes the affected IPv6 transition forms (e.g., IPv6-only or dual-stack-with-NAT64 Kubernetes clusters). This is the third iteration in an escalating bypass chain (CVE-2026-25580 → CVE-2026-46678 → CVE-2026-48782), and no public exploit has been identified at time of analysis.
Unauthenticated remote code execution in Crawl4AI's Docker API (versions <= 0.8.6) lets attackers escape the computed-fields expression sandbox and run arbitrary OS commands inside the container. The AST validator behind `_safe_eval_expression()` only blocked attribute names beginning with an underscore, so a crafted `JsonCssExtractionStrategy` schema can reach generator/frame attributes (`gi_frame`, `f_back`, `f_builtins`) to recover the real `__import__` and execute code. Because JWT auth is disabled by default, a single `POST /crawl` request suffices; publicly available exploit code exists (SSVC: PoC) and the vendor rates it CVSS 10.0, though EPSS is low at 0.45%.
Path manipulation in the LangGraph Python SDK (langgraph-sdk) version 0.3.14 and earlier lets caller-supplied identifier values containing URL-special characters redirect an HTTP request to a different resource — or resource type — than the SDK call intended. When applications forward untrusted, unvalidated identifiers into SDK methods and rely on upstream URL-prefix authorization, an attacker can reach, modify, or delete resources outside their authorization scope. There is no public exploit identified at time of analysis and EPSS is low (0.22%), but CVSS is rated 9.1 due to high confidentiality and integrity impact.
Arbitrary Python runtime execution in OpenClaw before 2026.5.2 lets an attacker with write access to the workspace plant a malicious .env file that overrides the CLOUDSDK_PYTHON variable used during Gmail setup, redirecting gcloud invocations to an attacker-controlled Python interpreter and leading to code execution. The CVSS 4.0 vector (AV:L/AT:P/UI:A) confirms the attack is local, requires a specific attack condition, and depends on a user/operator action - no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unsafe deserialization in LangGraph SQLite Checkpoint's JsonPlusSerializer (versions 4.1.0 and prior) allows arbitrary Python object reconstruction from checkpoint payloads stored in a SQLite backing store, enabling code execution at checkpoint load time. Affected deployments are those where an unauthorized party can modify checkpoint bytes at rest - a high-privilege prerequisite (PR:H, AV:A per CVSS) that already implies a significant prior compromise. This is explicitly framed as a defense-in-depth concern: the issue escalates an existing 'checkpoint-store write access' incident into full application runtime code execution. No public exploit code or CISA KEV listing has been identified at time of analysis.
Sandbox escape in n8n workflow automation platform allows authenticated users with workflow edit privileges to execute arbitrary code on the Python Task Runner container via a crafted Python Code Node. The flaw affects n8n versions prior to 1.123.48, 2.21.8, and 2.22.4 when the optional Python Task Runner is enabled, and no public exploit identified at time of analysis. Successful exploitation grants code execution inside the task runner container, providing a foothold for further lateral movement within the n8n deployment.
Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python code on the host by abusing the Shareable Playground (Public Flows) feature. When a flow is shared, the /api/v1/build_public_tmp endpoint accepts user-supplied node code in the JSON payload field data.nodes[X].data.node.template.code.value and executes it during graph instantiation. Publicly available exploit code exists via the GitHub Security Advisory GHSA-v5ff-9q35-q26f, including a working cURL-based PoC.
Arbitrary code execution in vLLM versions prior to 0.22.0 allows remote unauthenticated attackers to run code on the inference server by publishing a malicious HuggingFace model, when vLLM is launched in Python optimized mode (python -O or PYTHONOPTIMIZE=1). The sole guardrail restricting which activation function classes can be loaded from a model's config.json is implemented with a Python assert, which is stripped at compile time under -O, leaving an unrestricted import gadget directly fed by attacker-controlled data. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q8gq-377p-jq3r) and a coordinated huntr.com submission document the issue in detail.
Cross-tenant data access in Langflow versions prior to 1.9.0 allows any authenticated user to read, modify, rename, or permanently delete other users' messages, sessions, build artifacts, and LLM transaction logs via seven unprotected `/api/v1/monitor` endpoints. The flaw stems from missing ownership checks (IDOR/BOLA) where `flow_id` or resource UUIDs are accepted verbatim without verifying the requester owns them. No public exploit identified at time of analysis beyond the detailed PoC in the vendor advisory, and the issue is not listed in CISA KEV.
Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a more-privileged Python process running from a legacy all-users installation, enabling arbitrary code execution under an elevated context. The root cause is a VPATH-based fallback landmark mechanism compiled into release builds: on Windows, VPATH resolves two directory levels above PCbuild/, placing the Modules/Setup.local landmark outside the install directory in a location writable by unprivileged users under the legacy EXE installer's default all-users path. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, high confidentiality and integrity impact (VC:H/VI:H) reflect the ability to fully substitute Python's module loading path.
Uncontrolled CPU consumption in python-multipart's QuerystringParser (versions <0.0.30) allows remote unauthenticated attackers to cause denial of service by submitting small crafted application/x-www-form-urlencoded bodies using semicolons as field separators. The two-step separator lookup degenerates into O(B²) byte comparisons, letting a ~1 MiB body burn seconds of CPU per request and exhaust workers in Starlette/FastAPI applications that call request.form(). No public exploit identified at time of analysis, though a clear proof-of-concept payload pattern (a;a;a;...) is described in the GHSA advisory.
Parser differential in python-multipart's QuerystringParser enables HTTP parameter pollution against applications protected by WHATWG-compliant upstream components (WAFs, API gateways). Versions prior to 0.0.30 tokenize semicolons as field separators in application/x-www-form-urlencoded bodies - diverging from WHATWG, modern browsers, and Python's urllib.parse - allowing an attacker to craft a request body whose fields are parsed differently by an upstream body inspector than by the backend, smuggling form parameters the intermediary never validated. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the attack primitive is well-understood and mirrors the class of issue fixed in CPython as CVE-2021-23336.
Parameter smuggling in python-multipart below 0.0.30 allows unauthenticated network attackers to present a different field name or filename to an upstream WAF, proxy, or gateway than the value actually delivered to the backend application. The root cause is that parse_options_header delegates to Python's email.message.Message, which silently applies RFC 2231/5987 extended parameter decoding - a behavior explicitly forbidden for multipart/form-data by RFC 7578 §4.2 - causing the extended value to override the plain parameter and bypass inspection logic. Concrete downstream consequences include circumventing filename-based upload controls and, where applications construct filesystem paths from the parsed filename without sanitization, achieving path traversal via decoded percent sequences such as ..%2F or injecting null bytes (%00) to confuse validators. No public exploit has been identified and the vulnerability is not in CISA KEV; CVSS 3.7 with AC:H reflects that exploitation requires a specific upstream inspector in the deployment topology.
Server-side request forgery in Starlette's StaticFiles on Windows allows unauthenticated remote attackers to coerce the application process into making outbound SMB connections to attacker-controlled hosts, leaking the service account's NTLMv2 hash for offline cracking or NTLM relay. The flaw affects all Starlette versions before 1.1.0 (including downstream frameworks like FastAPI) when running on Windows in the default follow_symlink=False configuration, and no public exploit identified at time of analysis though the GHSA advisory provides full technical detail sufficient to reproduce.
Tar parser interpretation differential in node-tar (npm `tar` package) <= 7.5.15 allows a crafted archive to present a different member list to node-tar than to GNU tar, libarchive, or Python tarfile, enabling security scanner evasion in pipelines that scan with one tool and extract with another. The flaw stems from node-tar incorrectly applying a PAX extended header's `size=` override to intermediary GNU long-name (`L`) and long-link (`K`) metadata headers, desynchronizing the stream cursor and causing node-tar to raise a checksum error and report zero members while reference parsers correctly extract files. A detailed, working proof-of-concept (Python stdlib only) is included in the advisory; no active exploitation (CISA KEV) has been confirmed at time of analysis, but the broad npm ecosystem blast radius - node-tar backs npm's own tarball handling - materially elevates real-world risk.
Server-side request forgery in python-utcp 1.1.0's utcp-gql and utcp-websocket components allows remote low-privileged attackers to coerce the server into issuing arbitrary outbound HTTP requests, potentially reaching internal infrastructure not exposed to the public internet. The affected library implements the universal-tool-calling-protocol and the vulnerable code paths reside in its GraphQL and WebSocket transport handlers. A public exploit has been disclosed via GitHub, and the vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.
Unauthenticated denial-of-service in File Browser (filebrowser/filebrowser) versions <= 2.63.5 allows remote attackers to exhaust CPU and memory by submitting arbitrarily large passwords to the public /api/login endpoint, which are then passed unchecked into the bcrypt-style CheckPwd hashing routine. Publicly available exploit code exists in the GitHub advisory PoC, and concurrent abuse can crash the container and even destabilize the host Docker daemon. EPSS is low (0.04%) and the issue is not in CISA KEV, but the trivial AV:N/AC:L/PR:N exploitation profile makes it a real availability risk for any internet-exposed instance.
Remote code execution in Kitty terminal emulator versions prior to 0.47.0 allows any process or remote peer that can write bytes to the terminal - including SSH sessions, file viewers like cat or less, log tailers, and TUI applications - to execute attacker-supplied Python code inside the running kitty process with full user privileges. Exploitation requires no approval prompt, no shell integration, no clipboard interaction, and no editor involvement, making any rendered untrusted content a viable injection vector. No public exploit identified at time of analysis, but the trivial trigger conditions and broad attack surface make this a high-priority patch.
Out-of-bounds memory read in Tornado's optional C extension `tornado.speedups` exposes up to 3 bytes of uninitialized memory via a missing length validation in the `websocket_mask` function. Applications running Tornado versions prior to 6.5.6 with the native extension active and `xsrf_cookies=True` are reachable from the network without authentication (CVSS AV:N/PR:N), though high attack complexity (AC:H) is indicated by the dual configuration prerequisite. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS stands at 0.04% (11th percentile), consistent with the low exploitation probability for a constrained information-disclosure primitive. Vendor-released patch is Tornado 6.5.6.
Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the UPDATE_COLLECTION permission to execute arbitrary code on the server by submitting a malicious model repository with trust_remote_code=true to the collection update endpoint. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.4 and HiddenLayer's disclosure indicate a high-severity flaw in a widely used AI vector database. The vulnerability sits in the AI/ML supply chain layer, making it particularly relevant for organizations using ChromaDB as a backend for RAG or embedding pipelines.
Authorization bypass in ChromaDB's Python implementation lets authenticated tenants reach data outside their authorization boundary by invoking the V1 collection-level REST endpoints, which forward None as both the tenant and database identifiers to the authorization layer. The flaw, disclosed by HiddenLayer, exposes high-impact reads and writes to cross-tenant collections in this Python vector database. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Cross-tenant authorization bypass in ChromaDB's SimpleRBACAuthorizationProvider (versions 0.5.0 and later) allows authenticated users to perform actions against tenants, databases, and collections they do not own. The provider verifies that a user holds a given permission but never validates the scope of that permission against the target resource, enabling lateral movement across multi-tenant deployments. No public exploit identified at time of analysis, but the flaw was disclosed by HiddenLayer and affects any Chroma deployment relying on the built-in RBAC provider for tenant isolation.
Cross-tenant data access in ChromaDB Python project version 0.4.17 and later allows any authenticated user to read, write, update, or delete data in collections belonging to other tenants, breaking the tenant isolation boundary that multi-tenant deployments rely on. The flaw, reported by HiddenLayer and tracked under CWE-639, carries a CVSS 4.0 score of 8.8 reflecting high confidentiality and integrity impact on both the vulnerable system and downstream tenants. No public exploit identified at time of analysis and not listed in CISA KEV.
Arbitrary Python code execution in Vim prior to 9.2.0597 occurs when a user triggers Python omni-completion (`<C-x><C-o>`) on a buffer containing crafted `def` or `class` headers, because the pythoncomplete autoload reconstructs definitions and runs them through `exec()`, which evaluates default values, annotations, and base-class expressions at definition time. The earlier g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this sink. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in Vim prior to 9.2.0561 occurs when a user opens a malicious Python file and triggers Python omni-completion (python3complete.vim or pythoncomplete.vim), causing Vim's completion script to execute import/from statements from the buffer through Python's import machinery and run attacker-controlled package code as the editing user. Affects any Vim build with +python3 or +python interpreter support; no public exploit identified at time of analysis, but the upstream patch and detailed advisory (GHSA-52mc-rq6p-rc7c) make the issue well-documented. The CVSS 4.0 score of 7.3 reflects required user interaction (opening the file and invoking completion) but high impact on confidentiality, integrity, and availability of the user's account.
Server-side request forgery in Kolibri (pip/kolibri <= 0.19.3) allows network-reachable attackers to force the Kolibri server to issue outbound HTTP requests to arbitrary internal hosts, cloud metadata endpoints, and internal services, with JSON response bodies reflected directly to the caller. The primary GET endpoint at /api/auth/remotefacilityuser required no authentication whatsoever, making this exploitable by any party with network access to the Kolibri server. A working proof-of-concept was retained internally by the reporting researcher but was not published; no public exploit code exists and CISA KEV listing has not been identified at time of analysis.
Path traversal in Keras archive extraction utilities prior to version 3.14.0 allows remote attackers to write files outside the intended extraction directory when a victim loads a malicious model archive. The flaw stems from validating archive member paths against the process current working directory rather than the actual extraction destination, which collapses to the filesystem root in common Docker, CI/CD, and Jupyter setups. No public exploit identified at time of analysis, but the upstream fix and a Huntr bounty disclosure make targeted exploitation against ML pipelines plausible.
Memory exhaustion and CPU starvation in python-zeroconf before 0.149.12 allows any unauthenticated LAN-adjacent host to OOM-kill or stall the zeroconf process by flooding TC-flagged mDNS queries over UDP/5353. The `AsyncListener.handle_query_or_defer` method retained all TC-bit packets in an unbounded `_deferred[addr]` dictionary - each entry up to 8,966 bytes of raw buffer plus parsed DNS state - with no cap on per-address queue depth or total distinct source addresses, and the per-arrival dedup scan ran O(N) causing quadratic CPU growth as queues expanded. Trivially spoofed source IPs multiply the memory footprint across `_deferred`/`_timers`; on Raspberry Pi-class hardware running Home Assistant, sustained flood traffic causes OOM termination; no public exploit identified at time of analysis.
Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API access token from pipeboard-co/meta-ads-mcp through version 1.0.108 when the server is run with the streamable-HTTP transport on a network-reachable port. The AuthInjectionMiddleware silently forwards requests lacking an Authorization or X-PIPEBOARD-API-TOKEN header, tool handlers fall back to the META_ACCESS_TOKEN environment variable, and Graph API error responses echo the request URL - including the token query parameter - back to the caller. A working proof-of-concept is published in GHSA-9gw6-46qc-99vr; no public exploit identified at time of analysis as a separate weaponized tool, but the PoC is sufficient to reproduce end-to-end.
Route-level authentication bypass in Traefik's StripPrefix middleware allows unauthenticated remote attackers to reach protected backend endpoints (e.g., /admin, /internal/config) by crafting request paths such as /api../admin or /api%2e%2e/admin. The public router matches before path normalization, but StripPrefix subsequently normalizes the path via JoinPath() so the backend receives the protected path without the authentication middleware ever running. Publicly available exploit code exists (full PoC in the advisory), patches are released, and EPSS sits at 0.22% (45th percentile) with no CISA KEV listing.
Local arbitrary code execution in PDM (Python Development Master) versions <= 2.26.9 allows attacker-controlled repositories to execute Python code under the invoking user's privileges when any pdm command (even `pdm --version`) is run inside a malicious checkout. The root cause is implicit loading of project-local `.pdm-plugins` via `site.addsitedir()`, which processes `.pth` files containing executable `import` statements before CLI parsing. Publicly available exploit code exists in the advisory PoC, and CWE-94 code injection is confirmed; no public exploit identified at time of analysis as actively used in the wild.
Arbitrary code execution in Dulwich (pure-Python Git implementation) versions 0.23.2 through 1.2.4 allows a malicious upstream repository to drop executable files into a victim's .git/hooks/ directory during a recursive clone or submodule update. When the victim subsequently runs any git or dulwich command that invokes the planted hook, the attacker's code executes with the victim's privileges. No public exploit identified at time of analysis, though the technique mirrors the well-documented upstream Git flaws CVE-2024-32002 and CVE-2024-32004.
Arbitrary file clobber in PDM (Python Development Master) below version 2.27.0 allows an attacker who controls a cloned project repository to overwrite files outside the repository root by planting symlinks at project-local config paths (pdm.toml, .pdm-python, .python-version) that PDM writes to without symlink protection. When a developer runs any PDM command triggering a project-local config write against the malicious checkout, the tool follows the symlink and overwrites the target with attacker-influenced content - up to arbitrary file corruption relative to the invoking user's privileges. A working proof-of-concept is included in the GitHub security advisory GHSA-ghq2-5c67-fprm; no active exploitation is confirmed in CISA KEV at time of analysis.
Denial of service in kafka-python versions prior to 2.3.2 allows a malicious or man-in-the-middle Kafka broker to freeze the client's event loop during SCRAM authentication by returning an excessive PBKDF2 iteration count. Because ScramClient.process_server_first_message() forwards the broker-supplied value directly to hashlib.pbkdf2_hmac() without bounds checking, producers, consumers, admin clients, and group heartbeats all stall, leading to consumer-group eviction and reconnect loops. No public exploit identified at time of analysis, though VulnCheck has published a vendor-style advisory and an upstream patch has been merged.
Denial of service in the kafka-python client library (versions prior to 2.3.2) allows a malicious Kafka broker or man-in-the-middle attacker to exhaust client memory or wedge connections by sending a crafted 4-byte frame length header. The protocol parser's receive_bytes() function performs no bounds check on the declared frame size, leading to multi-gigabyte allocations or uncaught ValueError exceptions that stop consumer heartbeats. No public exploit identified at time of analysis; reported by VulnCheck with an upstream patch already merged.
Host validation bypass in Litestar's AllowedHostsMiddleware allows unauthenticated remote attackers to circumvent the allowed-hosts allowlist by omitting the HTTP Host header and substituting a client-controlled X-Forwarded-Host header set to any whitelisted domain. Affected are all Litestar deployments (pip/litestar < 2.22.0) using AllowedHostsConfig that are reachable without a trusted reverse proxy stripping X-Forwarded-Host - a condition reflected in the CVSS AC:H rating. Publicly available exploit code exists demonstrating the bypass; no CISA KEV listing at time of analysis.
Cross-Site Scripting in Litestar Python web framework versions prior to 2.22.0 allows remote attackers to execute arbitrary JavaScript in victim browsers by poisoning the csrftoken cookie, whose contents are rendered into HTML templates without escaping when the documented csrf_input helper is used. Publicly available exploit code exists via the GitHub Security Advisory GHSA-542p-wvx7-72m4, which includes two working proof-of-concept applications. The flaw only manifests in applications that combine a template engine (Jinja, Mako, MiniJinja) with CSRF protection and the recommended hidden CSRF input field pattern.
Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privileged authenticated user (without 'admin' or 'power' roles) to execute arbitrary Python on the server by abusing unsafe jsonpickle deserialization of App Key Value Store (KV Store) data. CVSS is 8.8 (network, low complexity, low privileges) and the issue is currently rated as no public exploit identified at time of analysis. The flaw is reported by Cisco and disclosed via Splunk advisory SVD-2026-0601.
Arbitrary directory deletion in julien040/anyquery 0.4.4 and earlier allows an authenticated low-privileged bearer-token holder to delete any directory accessible to the server process by submitting a SQL query that invokes clear_plugin_cache with a path-traversal payload. The flaw stems from path.Join silently resolving '..' segments before os.RemoveAll, and publicly available exploit code exists in the GitHub Security Advisory GHSA-j9rx-rppg-6hh4. Verified impact includes irreversible deletion of files outside the intended $XDG_CACHE_HOME/anyquery/plugins/ cache root, producing data loss and denial of service.
{version,uptime,status,checks}/<server_ip>` route family passes the Flask URL path parameter directly into a Python `requests.get()` call without any allowlist or blocklist validation, making IPv4 literals such as 169.254.169.254, RFC1918 ranges, and 127.0.0.1 all valid targets. No publicly available patches exist at time of analysis, and no public exploit code or CISA KEV listing has been identified.
Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) allows remote unauthenticated attackers to forge JWT tokens for arbitrary users including administrators. The signing secret is hardcoded to the literal string 'random' in both the dev.env template and as a Viper default in cmd/serve.go, and publicly available exploit code exists in the advisory. No CISA KEV listing or EPSS data is provided, but the secret is trivially derivable from the public GitHub repository.
Papra's webhook delivery system allows any authenticated organisation member to bypass SSRF protections and cause the server to issue HTTP requests to loopback, link-local, and RFC-1918 addresses by exploiting automatic redirect-following in the ofetch HTTP client. The SSRF blocklist is enforced on registered webhook URLs but never applied to 3xx redirect destinations, meaning an attacker-controlled server can return a 302/307 response pointing to any internal address and Papra's server will follow it. A public proof-of-concept is available and exploitation was confirmed against the official Docker image; no CISA KEV listing is present at time of analysis.
Denial of service against Xen host management is possible through deliberate abuse of the unfair domctl system-wide lock, affecting all Xen versions from 3.3 onwards. A less-privileged domain can monopolize the lock used to serialize guest creation and management operations, starving the control domain or equally/more-privileged entities of lock access and potentially rendering the entire host unmanageable. No public exploit identified at time of analysis, and no CVSS score was published with XSA-492.
Xen Hypervisor's domctl locking mechanism, when XSM/Flask mandatory access control is enabled, acquires the system-wide serialization lock for certain operations before performing any Flask permission checks. This allows a less-privileged guest domain to seize the lock without authorization and stall equally or more privileged entities - including the control domain (dom0) and Xenstore domain - potentially causing a Denial of Service affecting the entire physical host. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Remote code execution in AWS AgentCore CLI before v0.14.2 allows authenticated attackers to inject Python code via crafted collaborationInstruction strings stored on Bedrock Agent collaborators. When another user in the same AWS account imports the agent, the malicious triple-quote payload breaks out of the generated Python docstring and executes attacker-controlled code on AWS AgentCore Runtime under the imported agent's IAM execution role, as well as on the importing user's local environment. No public exploit identified at time of analysis, but the cross-user, cross-environment scope and 9.0 CVSS rating make this a high-priority patch.
Unauthenticated open redirect in Authlib's OAuth 2.0 authorization endpoint allows any remote attacker to weaponize a trusted authorization server domain as a redirector - no client registration, no authenticated session, and no prior state required. The flaw affects all deployments of pip/authlib < 1.6.10 and == 1.7.0 running an authorization endpoint via the Flask or Django integrations. Publicly available exploit code exists and was dynamically confirmed against the live HEAD (v1.6.6-104-g68e6ab3f); no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV status absent), but the trivial, zero-prerequisite exploit path makes phishing and domain-allowlist bypass practical at scale.
Path traversal in NASA AMMOS AIT-Core's Binary Stream Capture (BSC) component allows unauthenticated remote attackers to direct the ait-bsc process to append attacker-controlled binary data to arbitrary files on the host filesystem, limited only by the OS permissions of the running process. Affected are AIT-Core 3.1.0 and all 2.x versions before 2.6.1, exploitable via a direct HTTP request if the BSC port is network-accessible or via a browser-based CSRF attack that works even against localhost-bound deployments. Publicly available exploit code exists (python_poc.py, attacker_tcp.py, and test1.html), though no CISA KEV listing was identified at time of analysis.
Authenticated remote code execution in DbGate (all versions through 7.1.8) allows any user with valid credentials to execute arbitrary OS commands as the process owner - root in Docker - by injecting newline-delimited JavaScript into the unsanitized `functionName` parameter of the `/runners/load-reader` API endpoint. A prior partial mitigation (`require = null`) introduced in commit cf3f95c (June 2025) is trivially bypassed using the dynamic `import()` language keyword, which cannot be nullified at runtime. Publicly available exploit code exists demonstrating full root-level command execution; this vulnerability is not listed in CISA KEV at time of analysis.
Cross-workspace Insecure Direct Object Reference in praisonai-platform before 0.1.4 allows any authenticated workspace member to read, modify, or delete AI agents belonging to entirely different workspaces by supplying a foreign agent UUID to the CRUD endpoints. The membership authorization gate checks only whether the caller belongs to the workspace in the URL path - it never verifies that the target agent actually resides in that workspace - so an attacker with any valid JWT can pivot across tenant boundaries. In multi-tenant deployments where agents store LLM API keys in runtime_config (BYOK), this also becomes a credential theft vector. No public exploit is identified at time of analysis, though GHSA-7p8g-6c6g-h9w7 publishes a complete step-by-step exploit chain.
Remote code execution in DbGate versions 7.1.8 and earlier allows network-adjacent attackers to achieve full container compromise via a Zip Slip flaw in the archive unzip endpoint. Because the default Docker deployment runs as root and the bundled 'none' authentication provider issues JWT tokens without credentials, any attacker reachable on the network can upload a malicious ZIP that writes files anywhere on the filesystem, including cron entries for code execution. Publicly available exploit code exists in the GHSA advisory itself, and an upstream patched release (7.1.9) is available.
Argument injection in the kubectl_generic tool of mcp-server-kubernetes (npm, ≤ 3.6.2) enables Kubernetes bearer token exfiltration through indirect prompt injection, allowing privilege escalation to the operator's full RBAC permissions. An attacker with limited cluster access plants a crafted JSON payload in pod log output; when an AI agent using the MCP server reads those logs and follows the injected instruction, kubectl_generic calls kubectl with attacker-controlled --server and --insecure-skip-tls-verify flags, forwarding the operator's kubeconfig bearer token to an attacker-controlled HTTPS endpoint. A fully working public PoC exists confirmed end-to-end on a live kind cluster using Claude Haiku; the fix is available in version 3.7.0. No active exploitation per CISA KEV is confirmed at time of analysis.
Weak cache key construction in onnx-mlir's torch backend (versions up to 0.5.0.0) omits tensor data type (dtype) from placeholder node hash keys, enabling cache collisions between semantically distinct nodes. A locally authenticated attacker with high-complexity manipulation can cause the compiler to incorrectly reuse cached compilation results across mismatched dtypes, yielding low-integrity and low-availability impacts. No public exploit is identified at time of analysis; the upstream fix is confirmed via commit 72c5187 and PR #3427.
Command injection in stata-mcp (MCP-for-Stata) versions prior to 1.17.3 allows attackers to execute arbitrary Stata commands - including the `shell` directive - by supplying a crafted `log_file_name` parameter to the `stata_do` MCP tool or CLI. The flaw bypasses the existing `GuardValidator` security control, which only inspects do-file content and never examines wrapper parameters, enabling remote code execution and arbitrary file writes via path traversal. Publicly available exploit code exists in the GHSA advisory PoC, though no public exploit identified at time of analysis indicates in-the-wild abuse.
Authorization bypass in DFIR-IRIS prior to v2.4.28 allows any authenticated user to read IOCs across cases they should not access, perform bulk IOC disclosure, and create cases without role checks via an optional GraphQL endpoint at /graphql. No public exploit identified at time of analysis, but the trivial nature of the IDOR (simply supplying an arbitrary caseId to the GraphQL resolver) makes weaponization straightforward for anyone with valid platform credentials. EPSS data not provided; the vulnerability is not listed in CISA KEV.
Unauthenticated open redirect in Shopware's SSO entry point (GET /api/oauth/sso/auth) allows any remote attacker to cause a victim's browser to navigate to an arbitrary attacker-controlled URL - including javascript: URIs - by supplying a malicious Referer header. Affected are shopware/core and shopware/platform versions 6.7.3.0 through 6.7.10.0; the redirect is served from a trusted /api/oauth/ origin, materially increasing phishing credibility. A Python proof-of-concept demonstrating three distinct exploitation variants (no Referer, external HTTPS redirect, javascript: scheme injection) exists; no active exploitation is confirmed in CISA KEV at time of analysis.
SQL injection in OpenMeter's meter creation API allows any authenticated tenant to execute arbitrary ClickHouse SQL against a shared database with no row-level security, enabling full cross-tenant data exfiltration. The vulnerable endpoint is POST /api/v1/meters, where the valueProperty and groupBy fields are interpolated directly into ClickHouse SELECT statements via fmt.Sprintf without parameterization, and the sanitization function (sqlbuilder.Escape) only escapes library-internal placeholder characters - not single quotes. A publicly available exploit code (PoC) exists demonstrating confirmed time-based blind injection, and no public exploit identified at time of analysis in the CISA KEV sense, though the PoC lowers the barrier to exploitation significantly.
{id}) or delete (DELETE /api/projects) any project on the platform, triggering cascading deletion of associated Functions, APIGateways, and FunctionEvents. The write paths construct PermissionOptions without setting MemberIds, causing the platform-layer FilterProjectsByPermissions to short-circuit and skip OPA enforcement entirely. Publicly available exploit code exists (detailed working PoC in the advisory), and the issue is fixed in Nuclio 1.16.0 via PR #4107.
Unauthenticated server-side request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to coerce the Tautulli or Plex Media Server host into fetching arbitrary attacker-chosen URLs via the public `/image/<hash>` route. A low-privilege guest first seeds a malicious external URL into the `image_hash_lookup` table, after which any unauthenticated external user can trigger the SSRF by requesting the resulting hash. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-m6j6-rc2c-8vpm and a vendor patch in v2.17.1 confirm the issue.
Open redirect in WebOb (pip/webob <= 1.8.9) enables unauthenticated network attackers to redirect victims to arbitrary attacker-controlled domains by bypassing the prior CVE-2024-42353 patch. The bypass exploits Python 3.10+'s silent stripping of ASCII control characters (tab, CR, LF) from URLs before parsing, so a crafted path like /\t/attacker.com passes the previous // guard, then gets normalized by urlsplit into a protocol-relative URL pointing to attacker.com. No public exploit has been identified at time of analysis beyond the advisory's own proof-of-concept code, but the bypass technique is trivial and the full exploit path is published in the GitHub advisory GHSA-fh3h-vg37-cc95.
Cross-site request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to hijack administrator accounts by tricking an authenticated admin into visiting a malicious page. The `/configUpdate` endpoint accepts state-changing requests without enforcing POST or validating anti-CSRF tokens, and because the session cookie uses SameSite=Lax it remains attached to top-level cross-site navigations. No public exploit identified at time of analysis, but the fix is explicitly called out in the v2.17.1 release notes.
Stored cross-site scripting in Tautulli before 2.17.1 allows low-privilege authenticated users (including guests when guest access is enabled) to inject HTML/JavaScript into the main application log via the log_js_errors endpoint, which later executes in an administrator's browser when the admin opens the logFile viewer. The flaw enables privilege escalation against the Plex Media Server monitoring tool's admin account. No public exploit identified at time of analysis, but the vendor-published advisory and confirmed patch in 2.17.1 make the issue well-documented.
Remote code execution in Tautulli versions prior to 2.17.1 allows attackers to achieve unauthenticated RCE on fresh installations (pre-setup wizard) by abusing the newsletter custom template directory feature to load a malicious Mako template from an attacker-controlled SMB share. On completed installations the same chain remains exploitable by any authenticated admin. Publicly available exploit code exists per SSVC, and the SSVC framework rates this as automatable with total technical impact, though no CISA KEV listing has been confirmed.
Path traversal in Tautulli's cache deletion API endpoint allows authenticated low-privilege users to delete arbitrary directories outside the configured cache root, resulting in arbitrary data loss and service disruption. All Tautulli versions prior to 2.17.1 are affected; the vendor-confirmed fix is v2.17.1 (released 2026-05-04). The CVSS 4.0 E:P modifier confirms proof-of-concept exploit code exists, and no public exploit identified at time of analysis rises to CISA KEV-confirmed active exploitation.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Resource exhaustion in joserfc (versions 1.3.4-1.6.5) is possible because the RFC7797 unencoded-payload (b64=false) JWS code path skips the configured JWSRegistry.max_payload_length check, while the standard compact and flattened JSON paths correctly raise ExceededSizeError. Remotely submitted, cryptographically valid b64=false JWS tokens with arbitrarily large payloads are deserialized without size enforcement, consuming memory or CPU on the verifying server. No public exploit has been identified and the vulnerability is not in the CISA KEV catalog; a vendor-released fix is available in version 1.6.7.
Command injection in the AWS Bedrock AgentCore Python SDK (versions >= 1.1.3, < 1.6.1) allows remote authenticated users to execute arbitrary commands within the Code Interpreter sandbox by supplying crafted package name arguments to the install_packages() method. The flaw stems from improper neutralization of argument delimiters (CWE-88), letting attacker-controlled strings break out of the intended pip-install argument context. No public exploit identified at time of analysis, but a vendor patch and advisory are available from AWS.
Authorization bypass in Avo (Ruby on Rails admin framework) versions <= 3.32.0 and 4.0.0.beta.1 through 4.0.0.beta.50 allows authenticated low-privileged users to attach arbitrary related records to parent resources via a direct POST to the associations endpoint, bypassing the `attach_<association>?` policy enforced only on the form-rendering GET. Publicly available exploit code exists (Python PoC in the GHSA advisory), and in deployments where associations encode teams, tenants, roles, or memberships, exploitation yields privilege escalation and cross-tenant data exposure.
{flow_id} endpoint, causing disk exhaustion (DoS) and leaking the absolute filesystem path of the cache directory in the JSON response. No public exploit identified at time of analysis beyond the reporter's PoC, and the issue is not on CISA KEV, but exploitation is trivial - a single unauthenticated curl request - and the fix landed in 1.9.1 via PR #12831.
Private note disclosure in Open WebUI (≤0.8.10) allows any authenticated user to read the full contents of another user's private notes by exploiting a namespace collision in the Socket.IO collaborative editing subsystem. The ydoc:document:join handler enforces authorization only for document IDs prefixed with 'note:' (colon), but the YdocManager storage layer normalizes all IDs by substituting underscores for colons - making 'note:abc' and 'note_abc' identical storage keys. A fully functional public PoC exploit script is included in the GitHub Security Advisory. No KEV listing; fix is available in version 0.8.11.
Incorrect authorization in Open WebUI versions 0.9.5 and earlier allows any authenticated non-admin user to route LLM inference requests to arbitrary configured Ollama backends - including internally restricted, higher-privilege, or admin-disabled instances - by supplying a raw integer `url_idx` path parameter on eight indexed proxy routes. The flaw bypasses backend-level access isolation entirely: model authorization is checked, but backend authorization is silently skipped when `url_idx` is caller-supplied, and disabled backends remain reachable because their disabled state is never re-evaluated at request time. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the attack requires only a valid user account and knowledge of the URL pattern, making it a low-barrier insider threat in any multi-backend deployment.
Private RAG knowledge-base content belonging to any user can be fully exfiltrated by any authenticated low-privilege account in Open WebUI v0.9.5 deployments running Milvus with multitenancy enabled. This is a second-order bypass of the previously released fix for CVE-2026-44560 (GHSA-h36f-rqpx-j5wx): the prior patch introduced collection-level ACL checks, but the ACL's permissive handling of unknown collection names combined with unsanitized string interpolation into Milvus filter expressions creates an injection path that renders the ACL ineffective. A public proof-of-concept in the form of a ready-to-run curl command exists; no CISA KEV listing was identified at time of analysis.
SSRF protection bypass in Open WebUI's SafePlaywrightURLLoader (versions <= 0.9.5) allows authenticated users to access internal network resources by supplying an externally-hosted URL that returns an HTTP 301/302 redirect to a private address. Because Playwright's page.goto() automatically follows redirects without re-validating the destination, attackers can reach localhost, container-network peers, or cloud metadata endpoints (169.254.169.254) even when ENABLE_RAG_LOCAL_WEB_FETCH=False. A working PoC is published in the GHSA advisory; there is no public exploit identified at time of analysis being actively used, and no CISA KEV listing.
Authenticated path traversal and SSRF in Open WebUI's terminal-server reverse proxy (versions <= 0.9.5) allows non-admin users with granted terminal access to escape the intended path or policy scope using double-encoded traversal sequences (%252e%252e). The flaw bypasses the project's own _sanitize_proxy_path mitigation, which performs only a single URL-decode pass before the '..' check, letting attackers reach unintended endpoints, files, and internal services routed by the terminal server. No public exploit identified at time of analysis, though the vendor advisory includes working proof-of-concept request strings.
Unauthenticated remote code execution in NVIDIA Spatial Intelligence Lab's GEN3C inference API server allows network attackers to execute arbitrary Python code by sending crafted pickle payloads to the /request-inference and /seed-model endpoints. The endpoints feed raw HTTP bodies directly into pickle.loads() with no authentication or validation, so a standard __reduce__ gadget yields code execution as the inference process. No public exploit identified at time of analysis, but the upstream patch and a VulnCheck advisory document the precise vulnerable code path.
Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the scanner by invoking the module-level profile.run() function, which is missing from the blocklist that only covers Profile.run and Profile.runctx. The scanner reports zero issues while pickle.loads() triggers exec() of attacker-controlled Python. No public exploit identified at time of analysis beyond the proof-of-concept in the GHSA advisory, and the issue is not listed in CISA KEV.
Remote code execution in python-statemachine 3.0.0 through 3.1.x allows attackers to run arbitrary Python in the host process by supplying a crafted SCXML document whose `<data expr="...">` attributes are passed unsandboxed to eval() inside SCXMLProcessor. Reported by VulnCheck with publicly available exploit code and a vendor advisory (GHSA-v4jc-pm6r-3vj8); no public exploit identified at time of analysis as actively in the wild, and the flaw is not listed in CISA KEV.
Broken Object Level Authorization in Open WebUI's `search_knowledge_files` builtin tool (versions ≤ 0.9.5) allows any authenticated user to enumerate file metadata from private or restricted knowledge bases they do not own or have permission to access. By sending a crafted chat completion request with native function calling enabled and supplying an arbitrary `knowledge_id`, an attacker bypasses the `AccessGrants` permission model entirely, receiving file IDs, filenames, knowledge base names, and timestamps. No KEV listing exists at time of analysis, but a detailed proof-of-concept with full reproduction steps is publicly documented in GitHub Security Advisory GHSA-cx9v-4qj2-jrw6, and a vendor-released patch is available in version 0.9.6.
Insecure Direct Object Reference in Open WebUI's prompt version-history API (versions ≤ 0.9.5) allows authenticated users to read or delete other users' private prompt history entries. Three endpoints authorize the URL-supplied `prompt_id` but pass caller-controlled `history_id` values to model-layer functions without verifying the history row belongs to the authorized prompt - a binding enforced correctly in a fourth endpoint but absent in these three. A functional proof-of-concept is included in the GitHub Security Advisory; no public KEV listing exists but exploitation steps are fully documented.
Sibling-prefix path traversal in open-webui 0.9.5 and earlier allows any authenticated user to read arbitrary files from directories adjacent to the configured cache directory, provided those directories share the string prefix 'cache' (e.g., cache_backup, cached_models). The flaw exists in serve_cache_file() at main.py:2914, where a missing trailing path separator in the startswith boundary check causes os.path.abspath() to validate resolved sibling paths as if they were within the cache root. Publicly available exploit code exists in the GHSA advisory (PoC confirmed against open-webui 0.9.5 via raw ASGI delivery); no confirmed active exploitation (not in CISA KEV) at time of analysis.
Stored cross-site scripting in Open WebUI versions up to and including 0.9.5 allows any authenticated user holding the default workspace.models permission to embed an SVG payload in a model's profile_image_url and hijack the session of anyone who opens that image URL as a top-level document. The flaw is an incomplete-patch bypass of GHSA-3wgj-c2hg-vm6q and GHSA-3856-3vxq-m6fc - the input validator and the MIME allowlist plus X-Content-Type-Options:nosniff added to the user and webhook endpoints were never applied to ModelMeta or the model image serving endpoint. No public exploit identified at time of analysis beyond the working PoC included in the advisory, and CVSS 7.6 reflects the cross-origin scope change leading to JWT theft and account takeover.
{id} content and delete endpoints. The flaw is a missing ownership check on model metadata that is later trusted as an authorization source by has_access_to_file(). A working proof-of-concept exercising the real insert sink and view_file branch is published in the GitHub Security Advisory, but no public exploit identified at time of analysis in CISA KEV.
Cross-user file read and deletion in Open WebUI <=0.9.5 allows authenticated users to access or destroy other users' files by attaching arbitrary file_id values to their own chat messages and sharing the chat. The flaw stems from missing ownership checks in Chats.insert_chat_files() combined with a shared-chat authorization branch that ignores access_type, so a read grant also satisfies write/delete checks. No public exploit identified at time of analysis, though a detailed PoC is included in the GitHub Security Advisory.
Cross-user file disclosure in Open WebUI (pip package open-webui, versions ≤ 0.9.5) allows any authenticated user to read the content of files uploaded by other users by supplying a victim's file UUID as the image_url.url value in POST /api/chat/completions. The server's image-conversion middleware resolves the UUID against the global file table with no ownership check, base64-encodes the file, and injects it into the LLM prompt, from which the attacker reads the content via a transcription instruction. No KEV listing confirms active exploitation, but a complete step-by-step reproduction proof-of-concept is embedded in the public GitHub Security Advisory (GHSA-wch8-mhj5-9frg), materially increasing exploitation likelihood; the vendor-released fix is version 0.9.6.
Server-side request forgery in Open WebUI versions 0.9.5 and earlier allows authenticated OAuth users to read arbitrary internal HTTP responses by abusing the `_process_picture_url` function in `backend/open_webui/utils/oauth.py`, which validates only the initial URL and then permits aiohttp's default 10-redirect follow chain to reach internal addresses. The decoded response body is stored in the attacker's `profile_image_url` and retrievable via `GET /api/v1/auths/`, yielding cloud metadata credentials and access to localhost-bound services. Publicly available exploit code exists (detailed sentinel-verified PoC supplied by the reporter); no public exploit identified at time of analysis in the form of weaponized tooling, and the CVE is not on the CISA KEV list.
{event_id}/update` endpoint validates write access only on the source calendar, silently omitting the destination `calendar_id` authorization check that `create_event` correctly enforces - a classic IDOR pattern. A verified public proof-of-concept exists against v0.9.4 (the official Docker image); the fix is available in v0.9.6. No CISA KEV listing was present in the input data, so widespread in-the-wild exploitation is unconfirmed.
Memory exhaustion via audio decompression bomb in vLLM's `/v1/audio/transcriptions` endpoint allows a remote attacker to crash or severely degrade the inference server by uploading a crafted OPUS file that passes the 25MB compressed-size check but decodes to ~14.9GB of float32 PCM in memory. Affected are vLLM installations through v0.23.0 with speech-to-text (ASR) functionality enabled. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the attack methodology is fully detailed in GitHub Security Advisory GHSA-6pr9-rp53-2pmc, making independent reproduction trivial. The official CVSS PR:L rating conflicts with the advisory's explicit claim of unauthenticated exploitation - security teams should audit whether their deployment enforces authentication on the audio endpoint.
Heap memory address leakage in vLLM's Anthropic API router and speech-to-text WebSocket paths exposes the same ASLR-bypass primitive previously fixed in CVE-2026-22778. Five exception-handling sites across `vllm/entrypoints/anthropic/api_router.py`, `vllm/entrypoints/anthropic/serving.py`, and `vllm/entrypoints/speech_to_text/realtime/connection.py` echo raw `str(e)` output - including PIL BytesIO object repr strings containing heap addresses - directly to unauthenticated callers. A proof-of-concept is referenced in the advisory, and when chained with the parent CVE's libopenjp2 heap overflow, this leak reduces ASLR entropy from approximately 4 billion candidates to 8, enabling RCE; no public exploit identified at time of analysis for this CVE in isolation.
Temperature parameter validation in vLLM (pip/vllm ≤ 0.23.0) can be bypassed by supplying NaN or positive Infinity as the temperature value, because Python's IEEE 754 float comparison operators silently return False for these inputs, allowing the values to propagate unchecked into GPU CUDA sampling kernels. The invalid inputs trigger undefined behavior or fatal CUDA errors that crash the inference worker process, dropping all in-flight requests and degrading service for every concurrent user sharing that worker. No public exploit has been identified at time of analysis, though the trigger condition is fully disclosed in the published GHSA-7h4p-rffg-7823 advisory and is trivially reproducible from that description alone.
Authentication bypass in Backpropagate 1.1.0 and 1.1.1 lets any client that can reach the Reflex web UI's bound port take full control of the training control plane, despite the operator passing --auth user:pass. The CLI advertised and confirmed authentication as active, but the Reflex backend never read the BACKPROPAGATE_UI_AUTH variable and registered no middleware, so dataset upload, training control, GGUF export, and HuggingFace Hub push were exposed unauthenticated. No public exploit identified at time of analysis, but the gap is trivially reachable and CVSS 4.0 is 9.3.
In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.
Server-Side Request Forgery in Pydantic AI (versions 1.56.0-1.101.0, 2.0.0b1, 2.0.0b2) allows unauthenticated network attackers to bypass the cloud-metadata IP blocklist by encoding metadata service addresses (e.g., 169.254.169.254) in IPv6 transition forms - specifically IPv4-compatible IPv6, NAT64 RFC 8215 local-use prefixes, operator-chosen NAT64 prefixes, and ISATAP - that the prior remediation (CVE-2026-46678) failed to decode, enabling retrieval of cloud IAM short-term credentials. Exploitation is constrained by two simultaneous prerequisites: the application must use the non-default `force_download='allow-local'` mode and must operate on a network that routes the affected IPv6 transition forms (e.g., IPv6-only or dual-stack-with-NAT64 Kubernetes clusters). This is the third iteration in an escalating bypass chain (CVE-2026-25580 → CVE-2026-46678 → CVE-2026-48782), and no public exploit has been identified at time of analysis.
Unauthenticated remote code execution in Crawl4AI's Docker API (versions <= 0.8.6) lets attackers escape the computed-fields expression sandbox and run arbitrary OS commands inside the container. The AST validator behind `_safe_eval_expression()` only blocked attribute names beginning with an underscore, so a crafted `JsonCssExtractionStrategy` schema can reach generator/frame attributes (`gi_frame`, `f_back`, `f_builtins`) to recover the real `__import__` and execute code. Because JWT auth is disabled by default, a single `POST /crawl` request suffices; publicly available exploit code exists (SSVC: PoC) and the vendor rates it CVSS 10.0, though EPSS is low at 0.45%.
Path manipulation in the LangGraph Python SDK (langgraph-sdk) version 0.3.14 and earlier lets caller-supplied identifier values containing URL-special characters redirect an HTTP request to a different resource — or resource type — than the SDK call intended. When applications forward untrusted, unvalidated identifiers into SDK methods and rely on upstream URL-prefix authorization, an attacker can reach, modify, or delete resources outside their authorization scope. There is no public exploit identified at time of analysis and EPSS is low (0.22%), but CVSS is rated 9.1 due to high confidentiality and integrity impact.
Arbitrary Python runtime execution in OpenClaw before 2026.5.2 lets an attacker with write access to the workspace plant a malicious .env file that overrides the CLOUDSDK_PYTHON variable used during Gmail setup, redirecting gcloud invocations to an attacker-controlled Python interpreter and leading to code execution. The CVSS 4.0 vector (AV:L/AT:P/UI:A) confirms the attack is local, requires a specific attack condition, and depends on a user/operator action - no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unsafe deserialization in LangGraph SQLite Checkpoint's JsonPlusSerializer (versions 4.1.0 and prior) allows arbitrary Python object reconstruction from checkpoint payloads stored in a SQLite backing store, enabling code execution at checkpoint load time. Affected deployments are those where an unauthorized party can modify checkpoint bytes at rest - a high-privilege prerequisite (PR:H, AV:A per CVSS) that already implies a significant prior compromise. This is explicitly framed as a defense-in-depth concern: the issue escalates an existing 'checkpoint-store write access' incident into full application runtime code execution. No public exploit code or CISA KEV listing has been identified at time of analysis.
Sandbox escape in n8n workflow automation platform allows authenticated users with workflow edit privileges to execute arbitrary code on the Python Task Runner container via a crafted Python Code Node. The flaw affects n8n versions prior to 1.123.48, 2.21.8, and 2.22.4 when the optional Python Task Runner is enabled, and no public exploit identified at time of analysis. Successful exploitation grants code execution inside the task runner container, providing a foothold for further lateral movement within the n8n deployment.
Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python code on the host by abusing the Shareable Playground (Public Flows) feature. When a flow is shared, the /api/v1/build_public_tmp endpoint accepts user-supplied node code in the JSON payload field data.nodes[X].data.node.template.code.value and executes it during graph instantiation. Publicly available exploit code exists via the GitHub Security Advisory GHSA-v5ff-9q35-q26f, including a working cURL-based PoC.
Arbitrary code execution in vLLM versions prior to 0.22.0 allows remote unauthenticated attackers to run code on the inference server by publishing a malicious HuggingFace model, when vLLM is launched in Python optimized mode (python -O or PYTHONOPTIMIZE=1). The sole guardrail restricting which activation function classes can be loaded from a model's config.json is implemented with a Python assert, which is stripped at compile time under -O, leaving an unrestricted import gadget directly fed by attacker-controlled data. No public exploit identified at time of analysis, but the vendor advisory (GHSA-q8gq-377p-jq3r) and a coordinated huntr.com submission document the issue in detail.
Cross-tenant data access in Langflow versions prior to 1.9.0 allows any authenticated user to read, modify, rename, or permanently delete other users' messages, sessions, build artifacts, and LLM transaction logs via seven unprotected `/api/v1/monitor` endpoints. The flaw stems from missing ownership checks (IDOR/BOLA) where `flow_id` or resource UUIDs are accepted verbatim without verifying the requester owns them. No public exploit identified at time of analysis beyond the detailed PoC in the vendor advisory, and the issue is not listed in CISA KEV.
Privilege escalation in CPython on Windows enables a low-privileged local user to hijack the module search path of a more-privileged Python process running from a legacy all-users installation, enabling arbitrary code execution under an elevated context. The root cause is a VPATH-based fallback landmark mechanism compiled into release builds: on Windows, VPATH resolves two directory levels above PCbuild/, placing the Modules/Setup.local landmark outside the install directory in a location writable by unprivileged users under the legacy EXE installer's default all-users path. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, high confidentiality and integrity impact (VC:H/VI:H) reflect the ability to fully substitute Python's module loading path.
Uncontrolled CPU consumption in python-multipart's QuerystringParser (versions <0.0.30) allows remote unauthenticated attackers to cause denial of service by submitting small crafted application/x-www-form-urlencoded bodies using semicolons as field separators. The two-step separator lookup degenerates into O(B²) byte comparisons, letting a ~1 MiB body burn seconds of CPU per request and exhaust workers in Starlette/FastAPI applications that call request.form(). No public exploit identified at time of analysis, though a clear proof-of-concept payload pattern (a;a;a;...) is described in the GHSA advisory.
Parser differential in python-multipart's QuerystringParser enables HTTP parameter pollution against applications protected by WHATWG-compliant upstream components (WAFs, API gateways). Versions prior to 0.0.30 tokenize semicolons as field separators in application/x-www-form-urlencoded bodies - diverging from WHATWG, modern browsers, and Python's urllib.parse - allowing an attacker to craft a request body whose fields are parsed differently by an upstream body inspector than by the backend, smuggling form parameters the intermediary never validated. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the attack primitive is well-understood and mirrors the class of issue fixed in CPython as CVE-2021-23336.
Parameter smuggling in python-multipart below 0.0.30 allows unauthenticated network attackers to present a different field name or filename to an upstream WAF, proxy, or gateway than the value actually delivered to the backend application. The root cause is that parse_options_header delegates to Python's email.message.Message, which silently applies RFC 2231/5987 extended parameter decoding - a behavior explicitly forbidden for multipart/form-data by RFC 7578 §4.2 - causing the extended value to override the plain parameter and bypass inspection logic. Concrete downstream consequences include circumventing filename-based upload controls and, where applications construct filesystem paths from the parsed filename without sanitization, achieving path traversal via decoded percent sequences such as ..%2F or injecting null bytes (%00) to confuse validators. No public exploit has been identified and the vulnerability is not in CISA KEV; CVSS 3.7 with AC:H reflects that exploitation requires a specific upstream inspector in the deployment topology.
Server-side request forgery in Starlette's StaticFiles on Windows allows unauthenticated remote attackers to coerce the application process into making outbound SMB connections to attacker-controlled hosts, leaking the service account's NTLMv2 hash for offline cracking or NTLM relay. The flaw affects all Starlette versions before 1.1.0 (including downstream frameworks like FastAPI) when running on Windows in the default follow_symlink=False configuration, and no public exploit identified at time of analysis though the GHSA advisory provides full technical detail sufficient to reproduce.
Tar parser interpretation differential in node-tar (npm `tar` package) <= 7.5.15 allows a crafted archive to present a different member list to node-tar than to GNU tar, libarchive, or Python tarfile, enabling security scanner evasion in pipelines that scan with one tool and extract with another. The flaw stems from node-tar incorrectly applying a PAX extended header's `size=` override to intermediary GNU long-name (`L`) and long-link (`K`) metadata headers, desynchronizing the stream cursor and causing node-tar to raise a checksum error and report zero members while reference parsers correctly extract files. A detailed, working proof-of-concept (Python stdlib only) is included in the advisory; no active exploitation (CISA KEV) has been confirmed at time of analysis, but the broad npm ecosystem blast radius - node-tar backs npm's own tarball handling - materially elevates real-world risk.
Server-side request forgery in python-utcp 1.1.0's utcp-gql and utcp-websocket components allows remote low-privileged attackers to coerce the server into issuing arbitrary outbound HTTP requests, potentially reaching internal infrastructure not exposed to the public internet. The affected library implements the universal-tool-calling-protocol and the vulnerable code paths reside in its GraphQL and WebSocket transport handlers. A public exploit has been disclosed via GitHub, and the vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.
Unauthenticated denial-of-service in File Browser (filebrowser/filebrowser) versions <= 2.63.5 allows remote attackers to exhaust CPU and memory by submitting arbitrarily large passwords to the public /api/login endpoint, which are then passed unchecked into the bcrypt-style CheckPwd hashing routine. Publicly available exploit code exists in the GitHub advisory PoC, and concurrent abuse can crash the container and even destabilize the host Docker daemon. EPSS is low (0.04%) and the issue is not in CISA KEV, but the trivial AV:N/AC:L/PR:N exploitation profile makes it a real availability risk for any internet-exposed instance.
Remote code execution in Kitty terminal emulator versions prior to 0.47.0 allows any process or remote peer that can write bytes to the terminal - including SSH sessions, file viewers like cat or less, log tailers, and TUI applications - to execute attacker-supplied Python code inside the running kitty process with full user privileges. Exploitation requires no approval prompt, no shell integration, no clipboard interaction, and no editor involvement, making any rendered untrusted content a viable injection vector. No public exploit identified at time of analysis, but the trivial trigger conditions and broad attack surface make this a high-priority patch.
Out-of-bounds memory read in Tornado's optional C extension `tornado.speedups` exposes up to 3 bytes of uninitialized memory via a missing length validation in the `websocket_mask` function. Applications running Tornado versions prior to 6.5.6 with the native extension active and `xsrf_cookies=True` are reachable from the network without authentication (CVSS AV:N/PR:N), though high attack complexity (AC:H) is indicated by the dual configuration prerequisite. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS stands at 0.04% (11th percentile), consistent with the low exploitation probability for a constrained information-disclosure primitive. Vendor-released patch is Tornado 6.5.6.
Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the UPDATE_COLLECTION permission to execute arbitrary code on the server by submitting a malicious model repository with trust_remote_code=true to the collection update endpoint. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.4 and HiddenLayer's disclosure indicate a high-severity flaw in a widely used AI vector database. The vulnerability sits in the AI/ML supply chain layer, making it particularly relevant for organizations using ChromaDB as a backend for RAG or embedding pipelines.
Authorization bypass in ChromaDB's Python implementation lets authenticated tenants reach data outside their authorization boundary by invoking the V1 collection-level REST endpoints, which forward None as both the tenant and database identifiers to the authorization layer. The flaw, disclosed by HiddenLayer, exposes high-impact reads and writes to cross-tenant collections in this Python vector database. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Cross-tenant authorization bypass in ChromaDB's SimpleRBACAuthorizationProvider (versions 0.5.0 and later) allows authenticated users to perform actions against tenants, databases, and collections they do not own. The provider verifies that a user holds a given permission but never validates the scope of that permission against the target resource, enabling lateral movement across multi-tenant deployments. No public exploit identified at time of analysis, but the flaw was disclosed by HiddenLayer and affects any Chroma deployment relying on the built-in RBAC provider for tenant isolation.
Cross-tenant data access in ChromaDB Python project version 0.4.17 and later allows any authenticated user to read, write, update, or delete data in collections belonging to other tenants, breaking the tenant isolation boundary that multi-tenant deployments rely on. The flaw, reported by HiddenLayer and tracked under CWE-639, carries a CVSS 4.0 score of 8.8 reflecting high confidentiality and integrity impact on both the vulnerable system and downstream tenants. No public exploit identified at time of analysis and not listed in CISA KEV.
Arbitrary Python code execution in Vim prior to 9.2.0597 occurs when a user triggers Python omni-completion (`<C-x><C-o>`) on a buffer containing crafted `def` or `class` headers, because the pythoncomplete autoload reconstructs definitions and runs them through `exec()`, which evaluates default values, annotations, and base-class expressions at definition time. The earlier g:pythoncomplete_allow_import mitigation (GHSA-52mc-rq6p-rc7c) does not cover this sink. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in Vim prior to 9.2.0561 occurs when a user opens a malicious Python file and triggers Python omni-completion (python3complete.vim or pythoncomplete.vim), causing Vim's completion script to execute import/from statements from the buffer through Python's import machinery and run attacker-controlled package code as the editing user. Affects any Vim build with +python3 or +python interpreter support; no public exploit identified at time of analysis, but the upstream patch and detailed advisory (GHSA-52mc-rq6p-rc7c) make the issue well-documented. The CVSS 4.0 score of 7.3 reflects required user interaction (opening the file and invoking completion) but high impact on confidentiality, integrity, and availability of the user's account.
Server-side request forgery in Kolibri (pip/kolibri <= 0.19.3) allows network-reachable attackers to force the Kolibri server to issue outbound HTTP requests to arbitrary internal hosts, cloud metadata endpoints, and internal services, with JSON response bodies reflected directly to the caller. The primary GET endpoint at /api/auth/remotefacilityuser required no authentication whatsoever, making this exploitable by any party with network access to the Kolibri server. A working proof-of-concept was retained internally by the reporting researcher but was not published; no public exploit code exists and CISA KEV listing has not been identified at time of analysis.
Path traversal in Keras archive extraction utilities prior to version 3.14.0 allows remote attackers to write files outside the intended extraction directory when a victim loads a malicious model archive. The flaw stems from validating archive member paths against the process current working directory rather than the actual extraction destination, which collapses to the filesystem root in common Docker, CI/CD, and Jupyter setups. No public exploit identified at time of analysis, but the upstream fix and a Huntr bounty disclosure make targeted exploitation against ML pipelines plausible.
Memory exhaustion and CPU starvation in python-zeroconf before 0.149.12 allows any unauthenticated LAN-adjacent host to OOM-kill or stall the zeroconf process by flooding TC-flagged mDNS queries over UDP/5353. The `AsyncListener.handle_query_or_defer` method retained all TC-bit packets in an unbounded `_deferred[addr]` dictionary - each entry up to 8,966 bytes of raw buffer plus parsed DNS state - with no cap on per-address queue depth or total distinct source addresses, and the per-arrival dedup scan ran O(N) causing quadratic CPU growth as queues expanded. Trivially spoofed source IPs multiply the memory footprint across `_deferred`/`_timers`; on Raspberry Pi-class hardware running Home Assistant, sustained flood traffic causes OOM termination; no public exploit identified at time of analysis.
Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API access token from pipeboard-co/meta-ads-mcp through version 1.0.108 when the server is run with the streamable-HTTP transport on a network-reachable port. The AuthInjectionMiddleware silently forwards requests lacking an Authorization or X-PIPEBOARD-API-TOKEN header, tool handlers fall back to the META_ACCESS_TOKEN environment variable, and Graph API error responses echo the request URL - including the token query parameter - back to the caller. A working proof-of-concept is published in GHSA-9gw6-46qc-99vr; no public exploit identified at time of analysis as a separate weaponized tool, but the PoC is sufficient to reproduce end-to-end.
Route-level authentication bypass in Traefik's StripPrefix middleware allows unauthenticated remote attackers to reach protected backend endpoints (e.g., /admin, /internal/config) by crafting request paths such as /api../admin or /api%2e%2e/admin. The public router matches before path normalization, but StripPrefix subsequently normalizes the path via JoinPath() so the backend receives the protected path without the authentication middleware ever running. Publicly available exploit code exists (full PoC in the advisory), patches are released, and EPSS sits at 0.22% (45th percentile) with no CISA KEV listing.
Local arbitrary code execution in PDM (Python Development Master) versions <= 2.26.9 allows attacker-controlled repositories to execute Python code under the invoking user's privileges when any pdm command (even `pdm --version`) is run inside a malicious checkout. The root cause is implicit loading of project-local `.pdm-plugins` via `site.addsitedir()`, which processes `.pth` files containing executable `import` statements before CLI parsing. Publicly available exploit code exists in the advisory PoC, and CWE-94 code injection is confirmed; no public exploit identified at time of analysis as actively used in the wild.
Arbitrary code execution in Dulwich (pure-Python Git implementation) versions 0.23.2 through 1.2.4 allows a malicious upstream repository to drop executable files into a victim's .git/hooks/ directory during a recursive clone or submodule update. When the victim subsequently runs any git or dulwich command that invokes the planted hook, the attacker's code executes with the victim's privileges. No public exploit identified at time of analysis, though the technique mirrors the well-documented upstream Git flaws CVE-2024-32002 and CVE-2024-32004.
Arbitrary file clobber in PDM (Python Development Master) below version 2.27.0 allows an attacker who controls a cloned project repository to overwrite files outside the repository root by planting symlinks at project-local config paths (pdm.toml, .pdm-python, .python-version) that PDM writes to without symlink protection. When a developer runs any PDM command triggering a project-local config write against the malicious checkout, the tool follows the symlink and overwrites the target with attacker-influenced content - up to arbitrary file corruption relative to the invoking user's privileges. A working proof-of-concept is included in the GitHub security advisory GHSA-ghq2-5c67-fprm; no active exploitation is confirmed in CISA KEV at time of analysis.
Denial of service in kafka-python versions prior to 2.3.2 allows a malicious or man-in-the-middle Kafka broker to freeze the client's event loop during SCRAM authentication by returning an excessive PBKDF2 iteration count. Because ScramClient.process_server_first_message() forwards the broker-supplied value directly to hashlib.pbkdf2_hmac() without bounds checking, producers, consumers, admin clients, and group heartbeats all stall, leading to consumer-group eviction and reconnect loops. No public exploit identified at time of analysis, though VulnCheck has published a vendor-style advisory and an upstream patch has been merged.
Denial of service in the kafka-python client library (versions prior to 2.3.2) allows a malicious Kafka broker or man-in-the-middle attacker to exhaust client memory or wedge connections by sending a crafted 4-byte frame length header. The protocol parser's receive_bytes() function performs no bounds check on the declared frame size, leading to multi-gigabyte allocations or uncaught ValueError exceptions that stop consumer heartbeats. No public exploit identified at time of analysis; reported by VulnCheck with an upstream patch already merged.
Host validation bypass in Litestar's AllowedHostsMiddleware allows unauthenticated remote attackers to circumvent the allowed-hosts allowlist by omitting the HTTP Host header and substituting a client-controlled X-Forwarded-Host header set to any whitelisted domain. Affected are all Litestar deployments (pip/litestar < 2.22.0) using AllowedHostsConfig that are reachable without a trusted reverse proxy stripping X-Forwarded-Host - a condition reflected in the CVSS AC:H rating. Publicly available exploit code exists demonstrating the bypass; no CISA KEV listing at time of analysis.
Cross-Site Scripting in Litestar Python web framework versions prior to 2.22.0 allows remote attackers to execute arbitrary JavaScript in victim browsers by poisoning the csrftoken cookie, whose contents are rendered into HTML templates without escaping when the documented csrf_input helper is used. Publicly available exploit code exists via the GitHub Security Advisory GHSA-542p-wvx7-72m4, which includes two working proof-of-concept applications. The flaw only manifests in applications that combine a template engine (Jinja, Mako, MiniJinja) with CSRF protection and the recommended hidden CSRF input field pattern.
Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privileged authenticated user (without 'admin' or 'power' roles) to execute arbitrary Python on the server by abusing unsafe jsonpickle deserialization of App Key Value Store (KV Store) data. CVSS is 8.8 (network, low complexity, low privileges) and the issue is currently rated as no public exploit identified at time of analysis. The flaw is reported by Cisco and disclosed via Splunk advisory SVD-2026-0601.
Arbitrary directory deletion in julien040/anyquery 0.4.4 and earlier allows an authenticated low-privileged bearer-token holder to delete any directory accessible to the server process by submitting a SQL query that invokes clear_plugin_cache with a path-traversal payload. The flaw stems from path.Join silently resolving '..' segments before os.RemoveAll, and publicly available exploit code exists in the GitHub Security Advisory GHSA-j9rx-rppg-6hh4. Verified impact includes irreversible deletion of files outside the intended $XDG_CACHE_HOME/anyquery/plugins/ cache root, producing data loss and denial of service.
{version,uptime,status,checks}/<server_ip>` route family passes the Flask URL path parameter directly into a Python `requests.get()` call without any allowlist or blocklist validation, making IPv4 literals such as 169.254.169.254, RFC1918 ranges, and 127.0.0.1 all valid targets. No publicly available patches exist at time of analysis, and no public exploit code or CISA KEV listing has been identified.
Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) allows remote unauthenticated attackers to forge JWT tokens for arbitrary users including administrators. The signing secret is hardcoded to the literal string 'random' in both the dev.env template and as a Viper default in cmd/serve.go, and publicly available exploit code exists in the advisory. No CISA KEV listing or EPSS data is provided, but the secret is trivially derivable from the public GitHub repository.
Papra's webhook delivery system allows any authenticated organisation member to bypass SSRF protections and cause the server to issue HTTP requests to loopback, link-local, and RFC-1918 addresses by exploiting automatic redirect-following in the ofetch HTTP client. The SSRF blocklist is enforced on registered webhook URLs but never applied to 3xx redirect destinations, meaning an attacker-controlled server can return a 302/307 response pointing to any internal address and Papra's server will follow it. A public proof-of-concept is available and exploitation was confirmed against the official Docker image; no CISA KEV listing is present at time of analysis.
Denial of service against Xen host management is possible through deliberate abuse of the unfair domctl system-wide lock, affecting all Xen versions from 3.3 onwards. A less-privileged domain can monopolize the lock used to serialize guest creation and management operations, starving the control domain or equally/more-privileged entities of lock access and potentially rendering the entire host unmanageable. No public exploit identified at time of analysis, and no CVSS score was published with XSA-492.
Xen Hypervisor's domctl locking mechanism, when XSM/Flask mandatory access control is enabled, acquires the system-wide serialization lock for certain operations before performing any Flask permission checks. This allows a less-privileged guest domain to seize the lock without authorization and stall equally or more privileged entities - including the control domain (dom0) and Xenstore domain - potentially causing a Denial of Service affecting the entire physical host. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Remote code execution in AWS AgentCore CLI before v0.14.2 allows authenticated attackers to inject Python code via crafted collaborationInstruction strings stored on Bedrock Agent collaborators. When another user in the same AWS account imports the agent, the malicious triple-quote payload breaks out of the generated Python docstring and executes attacker-controlled code on AWS AgentCore Runtime under the imported agent's IAM execution role, as well as on the importing user's local environment. No public exploit identified at time of analysis, but the cross-user, cross-environment scope and 9.0 CVSS rating make this a high-priority patch.
Unauthenticated open redirect in Authlib's OAuth 2.0 authorization endpoint allows any remote attacker to weaponize a trusted authorization server domain as a redirector - no client registration, no authenticated session, and no prior state required. The flaw affects all deployments of pip/authlib < 1.6.10 and == 1.7.0 running an authorization endpoint via the Flask or Django integrations. Publicly available exploit code exists and was dynamically confirmed against the live HEAD (v1.6.6-104-g68e6ab3f); no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV status absent), but the trivial, zero-prerequisite exploit path makes phishing and domain-allowlist bypass practical at scale.
Path traversal in NASA AMMOS AIT-Core's Binary Stream Capture (BSC) component allows unauthenticated remote attackers to direct the ait-bsc process to append attacker-controlled binary data to arbitrary files on the host filesystem, limited only by the OS permissions of the running process. Affected are AIT-Core 3.1.0 and all 2.x versions before 2.6.1, exploitable via a direct HTTP request if the BSC port is network-accessible or via a browser-based CSRF attack that works even against localhost-bound deployments. Publicly available exploit code exists (python_poc.py, attacker_tcp.py, and test1.html), though no CISA KEV listing was identified at time of analysis.
Authenticated remote code execution in DbGate (all versions through 7.1.8) allows any user with valid credentials to execute arbitrary OS commands as the process owner - root in Docker - by injecting newline-delimited JavaScript into the unsanitized `functionName` parameter of the `/runners/load-reader` API endpoint. A prior partial mitigation (`require = null`) introduced in commit cf3f95c (June 2025) is trivially bypassed using the dynamic `import()` language keyword, which cannot be nullified at runtime. Publicly available exploit code exists demonstrating full root-level command execution; this vulnerability is not listed in CISA KEV at time of analysis.
Cross-workspace Insecure Direct Object Reference in praisonai-platform before 0.1.4 allows any authenticated workspace member to read, modify, or delete AI agents belonging to entirely different workspaces by supplying a foreign agent UUID to the CRUD endpoints. The membership authorization gate checks only whether the caller belongs to the workspace in the URL path - it never verifies that the target agent actually resides in that workspace - so an attacker with any valid JWT can pivot across tenant boundaries. In multi-tenant deployments where agents store LLM API keys in runtime_config (BYOK), this also becomes a credential theft vector. No public exploit is identified at time of analysis, though GHSA-7p8g-6c6g-h9w7 publishes a complete step-by-step exploit chain.
Remote code execution in DbGate versions 7.1.8 and earlier allows network-adjacent attackers to achieve full container compromise via a Zip Slip flaw in the archive unzip endpoint. Because the default Docker deployment runs as root and the bundled 'none' authentication provider issues JWT tokens without credentials, any attacker reachable on the network can upload a malicious ZIP that writes files anywhere on the filesystem, including cron entries for code execution. Publicly available exploit code exists in the GHSA advisory itself, and an upstream patched release (7.1.9) is available.
Argument injection in the kubectl_generic tool of mcp-server-kubernetes (npm, ≤ 3.6.2) enables Kubernetes bearer token exfiltration through indirect prompt injection, allowing privilege escalation to the operator's full RBAC permissions. An attacker with limited cluster access plants a crafted JSON payload in pod log output; when an AI agent using the MCP server reads those logs and follows the injected instruction, kubectl_generic calls kubectl with attacker-controlled --server and --insecure-skip-tls-verify flags, forwarding the operator's kubeconfig bearer token to an attacker-controlled HTTPS endpoint. A fully working public PoC exists confirmed end-to-end on a live kind cluster using Claude Haiku; the fix is available in version 3.7.0. No active exploitation per CISA KEV is confirmed at time of analysis.
Weak cache key construction in onnx-mlir's torch backend (versions up to 0.5.0.0) omits tensor data type (dtype) from placeholder node hash keys, enabling cache collisions between semantically distinct nodes. A locally authenticated attacker with high-complexity manipulation can cause the compiler to incorrectly reuse cached compilation results across mismatched dtypes, yielding low-integrity and low-availability impacts. No public exploit is identified at time of analysis; the upstream fix is confirmed via commit 72c5187 and PR #3427.
Command injection in stata-mcp (MCP-for-Stata) versions prior to 1.17.3 allows attackers to execute arbitrary Stata commands - including the `shell` directive - by supplying a crafted `log_file_name` parameter to the `stata_do` MCP tool or CLI. The flaw bypasses the existing `GuardValidator` security control, which only inspects do-file content and never examines wrapper parameters, enabling remote code execution and arbitrary file writes via path traversal. Publicly available exploit code exists in the GHSA advisory PoC, though no public exploit identified at time of analysis indicates in-the-wild abuse.
Authorization bypass in DFIR-IRIS prior to v2.4.28 allows any authenticated user to read IOCs across cases they should not access, perform bulk IOC disclosure, and create cases without role checks via an optional GraphQL endpoint at /graphql. No public exploit identified at time of analysis, but the trivial nature of the IDOR (simply supplying an arbitrary caseId to the GraphQL resolver) makes weaponization straightforward for anyone with valid platform credentials. EPSS data not provided; the vulnerability is not listed in CISA KEV.
Unauthenticated open redirect in Shopware's SSO entry point (GET /api/oauth/sso/auth) allows any remote attacker to cause a victim's browser to navigate to an arbitrary attacker-controlled URL - including javascript: URIs - by supplying a malicious Referer header. Affected are shopware/core and shopware/platform versions 6.7.3.0 through 6.7.10.0; the redirect is served from a trusted /api/oauth/ origin, materially increasing phishing credibility. A Python proof-of-concept demonstrating three distinct exploitation variants (no Referer, external HTTPS redirect, javascript: scheme injection) exists; no active exploitation is confirmed in CISA KEV at time of analysis.
SQL injection in OpenMeter's meter creation API allows any authenticated tenant to execute arbitrary ClickHouse SQL against a shared database with no row-level security, enabling full cross-tenant data exfiltration. The vulnerable endpoint is POST /api/v1/meters, where the valueProperty and groupBy fields are interpolated directly into ClickHouse SELECT statements via fmt.Sprintf without parameterization, and the sanitization function (sqlbuilder.Escape) only escapes library-internal placeholder characters - not single quotes. A publicly available exploit code (PoC) exists demonstrating confirmed time-based blind injection, and no public exploit identified at time of analysis in the CISA KEV sense, though the PoC lowers the barrier to exploitation significantly.
{id}) or delete (DELETE /api/projects) any project on the platform, triggering cascading deletion of associated Functions, APIGateways, and FunctionEvents. The write paths construct PermissionOptions without setting MemberIds, causing the platform-layer FilterProjectsByPermissions to short-circuit and skip OPA enforcement entirely. Publicly available exploit code exists (detailed working PoC in the advisory), and the issue is fixed in Nuclio 1.16.0 via PR #4107.
Unauthenticated server-side request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to coerce the Tautulli or Plex Media Server host into fetching arbitrary attacker-chosen URLs via the public `/image/<hash>` route. A low-privilege guest first seeds a malicious external URL into the `image_hash_lookup` table, after which any unauthenticated external user can trigger the SSRF by requesting the resulting hash. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-m6j6-rc2c-8vpm and a vendor patch in v2.17.1 confirm the issue.
Open redirect in WebOb (pip/webob <= 1.8.9) enables unauthenticated network attackers to redirect victims to arbitrary attacker-controlled domains by bypassing the prior CVE-2024-42353 patch. The bypass exploits Python 3.10+'s silent stripping of ASCII control characters (tab, CR, LF) from URLs before parsing, so a crafted path like /\t/attacker.com passes the previous // guard, then gets normalized by urlsplit into a protocol-relative URL pointing to attacker.com. No public exploit has been identified at time of analysis beyond the advisory's own proof-of-concept code, but the bypass technique is trivial and the full exploit path is published in the GitHub advisory GHSA-fh3h-vg37-cc95.
Cross-site request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to hijack administrator accounts by tricking an authenticated admin into visiting a malicious page. The `/configUpdate` endpoint accepts state-changing requests without enforcing POST or validating anti-CSRF tokens, and because the session cookie uses SameSite=Lax it remains attached to top-level cross-site navigations. No public exploit identified at time of analysis, but the fix is explicitly called out in the v2.17.1 release notes.
Stored cross-site scripting in Tautulli before 2.17.1 allows low-privilege authenticated users (including guests when guest access is enabled) to inject HTML/JavaScript into the main application log via the log_js_errors endpoint, which later executes in an administrator's browser when the admin opens the logFile viewer. The flaw enables privilege escalation against the Plex Media Server monitoring tool's admin account. No public exploit identified at time of analysis, but the vendor-published advisory and confirmed patch in 2.17.1 make the issue well-documented.
Remote code execution in Tautulli versions prior to 2.17.1 allows attackers to achieve unauthenticated RCE on fresh installations (pre-setup wizard) by abusing the newsletter custom template directory feature to load a malicious Mako template from an attacker-controlled SMB share. On completed installations the same chain remains exploitable by any authenticated admin. Publicly available exploit code exists per SSVC, and the SSVC framework rates this as automatable with total technical impact, though no CISA KEV listing has been confirmed.
Path traversal in Tautulli's cache deletion API endpoint allows authenticated low-privilege users to delete arbitrary directories outside the configured cache root, resulting in arbitrary data loss and service disruption. All Tautulli versions prior to 2.17.1 are affected; the vendor-confirmed fix is v2.17.1 (released 2026-05-04). The CVSS 4.0 E:P modifier confirms proof-of-concept exploit code exists, and no public exploit identified at time of analysis rises to CISA KEV-confirmed active exploitation.