Python
Monthly
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.
Langflow's PythonFunction component allows authenticated attackers with user interaction to inject and execute arbitrary Python code within application workflows, achieving remote code execution. The vulnerability affects Langflow deployments using Python-based AI/ML components, with exploitation feasibility depending on specific product configurations. No patch is currently available.
Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted custom component definitions.
Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the visual AI workflow builder.
Remote code execution in Open WebUI through the load_tool_module_by_id function allows authenticated attackers to execute arbitrary Python code due to insufficient input validation on user-supplied strings. An attacker with valid credentials can leverage this vulnerability to achieve code execution with service account privileges. No patch is currently available, making this a critical risk for deployed Open WebUI instances.
MetaGPT has a code injection vulnerability in actionoutput_str_to_mapping (EPSS 2.6%) allowing remote attackers to execute arbitrary code through crafted AI agent output processing.
Moonraker versions 0.9.3 and below with LDAP authentication enabled are susceptible to LDAP injection attacks through the login endpoint, enabling attackers to enumerate valid user IDs and attributes via response analysis. An unauthenticated remote attacker can exploit this vulnerability to discover LDAP directory information without requiring valid credentials. A patch is available in version 0.10.0 and later.
MacOS version of Inkscape bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle.
Malicious wheel files can modify file permissions on critical system files during extraction in Python wheel versions 0.40.0-0.46.1, enabling attackers to alter SSH keys, configuration files, or executable scripts. This path traversal and permission manipulation flaw affects systems unpacking untrusted wheels and can lead to privilege escalation or arbitrary code execution. Public exploit code exists for this vulnerability, though a patch is available in version 0.46.2.
Grist spreadsheet software has an injection vulnerability in Python formula execution that allows authenticated users to escape the formula sandbox and execute arbitrary code.
Remote code execution in Tendenci CMS versions 15.3.11 and below allows authenticated staff users to execute arbitrary code through unsafe pickle deserialization in the Helpdesk module's reporting function. The vulnerability stems from incomplete patching of CVE-2020-14942, where the run_report() function continues to use unsafe pickle.loads() despite the ticket_list() function being corrected. Public exploit code exists for this issue, though impact is limited to the privileges of the application's runtime user.
vLLM is an inference and serving engine for large language models (LLMs). [CVSS 8.8 HIGH]
When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. [CVSS 5.3 MEDIUM]
PLY (Python Lex-Yacc) library 3.11 has an unsafe feature enabling remote code execution through pickle deserialization of cached parser tables, with EPSS 0.91%.
Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox restrictions and execute arbitrary code on the underlying operating system, with full instance takeover possible in Internal execution mode. Public exploit code exists for this vulnerability, which affects n8n deployments running under Internal execution mode where the Python executor has direct OS access. External execution mode deployments using Docker sidecars have reduced impact as code execution is confined to the container rather than the main node.
pyasn1 is a generic ASN.1 library for Python. versions up to 0.6.2 is affected by allocation of resources without limits or throttling (CVSS 7.5).
Dask distributed is a distributed task scheduler for Dask. [CVSS 6.1 MEDIUM]
Keras versions up to 3.13.0 is affected by allocation of resources without limits or throttling (CVSS 7.5).
BlackSheep's HTTP client prior to version 2.4.6 is vulnerable to CRLF injection due to insufficient header validation, allowing attackers to inject malicious headers or forge HTTP requests when developers pass unsanitized user input into header fields. Only applications using BlackSheep as an HTTP client are affected; the server component is not impacted. A patch is available in version 2.4.6 and later.
Tdarr 2.00.15 media transcoding server has unauthenticated RCE through command injection in the Help terminal. Commands can be chained without any input filtering. PoC available.
Remote code execution in Azure Core Shared Client Library for Python results from insecure deserialization of untrusted data, allowing authenticated network-based attackers to achieve arbitrary code execution. The vulnerability affects Python applications utilizing the vulnerable library versions, with no patch currently available. This represents a high-severity risk for Azure SDK consumers handling external or user-supplied serialized data.
Virtualenv versions up to 20.36.1 is affected by improper link resolution before file access (CVSS 4.5).
Python's filelock SoftFileLock implementation prior to version 3.20.3 contains a TOCTOU race condition that allows local attackers with symlink creation privileges to interfere with lock file operations between permission validation and file creation. An attacker can exploit this window to create a symlink at the target lock path, causing lock operations to fail or redirect to unintended files, resulting in denial of service or unexpected behavior. Upgrade to filelock version 3.20.3 or later to remediate this vulnerability.
pypdf versions prior to 6.6.0 are vulnerable to denial of service through CPU exhaustion when processing malformed PDF files with crafted startxref entries in non-strict reading mode. An attacker can create a specially crafted PDF containing excessive whitespace that causes the library to consume significant processing resources during cross-reference table reconstruction. A patch is available in version 6.6.0 and later.
Denial of service via resource exhaustion in pypdf prior to version 6.6.0 allows remote attackers to trigger excessive processing times by submitting specially crafted PDF files with missing /Root objects and inflated /Size values. The vulnerability only affects non-strict parsing mode and causes the library to consume significant CPU resources when processing otherwise invalid documents. A patch is available in version 6.6.0 and later.
Fickling versions prior to 0.1.7 fail to properly detect malicious pickle payloads due to inadequate handling of the "builtins" module, allowing attackers to bypass security analysis and potentially execute arbitrary code. This vulnerability affects Python environments using vulnerable versions of Fickling for pickle inspection and static analysis. An attacker can craft specially designed pickle files that evade detection mechanisms, compromising the integrity of pickle validation workflows.
Fickling's static analyzer before version 0.1.7 fails to detect several dangerous Python modules in pickled objects, enabling attackers to craft malicious pickles that bypass safety checks and achieve arbitrary code execution. This vulnerability affects users relying on Fickling to validate untrusted serialized Python objects for safety. Public exploit code exists for this HIGH severity vulnerability, though a patch is available in version 0.1.7 and later.
Fickling before version 0.1.7 allows local attackers to achieve arbitrary code execution through Python pickle deserialization by chaining unblocked ctypes and pydoc modules, bypassing the tool's safety scanner which incorrectly reports malicious files as LIKELY_SAFE. An attacker with user interaction can exploit this vulnerability to execute code with the privileges of the Python process. A patch is available in version 0.1.7 and later.
Fickling's static analyzer through version 0.1.6 fails to properly classify the cProfile module as unsafe during pickle analysis, causing malicious pickles leveraging cProfile.run() to be marked as SUSPICIOUS rather than OVERTLY_MALICIOUS. Organizations using Fickling as a security gate for deserialization decisions may be deceived into executing attacker-controlled code. Public exploit code exists for this vulnerability, and patches are available in version 0.1.7 and later.
Fickling's incomplete pickle analysis allows attackers to bypass security checks by using Python's runpy module to execute arbitrary code. Versions through 0.1.6 misclassify dangerous runpy-based payloads as merely suspicious rather than malicious, enabling code execution on systems that rely on Fickling to validate pickle safety. Public exploit code exists for this vulnerability, though a patch is available in version 0.1.7.
Authlib is a Python library which builds OAuth and OpenID Connect servers. [CVSS 5.7 MEDIUM]
Logging Redactor prior to version 0.0.6 fails to properly handle non-string data types during redaction operations, causing type conversion errors that can disrupt log formatting and integrity checks. Public exploit code exists for this vulnerability, allowing attackers to craft inputs that bypass the redaction mechanism or cause denial of service through malformed log output. Users of Logging Redactor should upgrade to version 0.0.6 or later, as no patch is currently available for affected earlier versions.
SQL injection in Parsl's visualization dashboard allows unauthenticated attackers to execute arbitrary database queries through unsafe string formatting of the workflow_id parameter. Public exploit code exists for this vulnerability, enabling potential data theft or database denial of service attacks against the monitoring infrastructure. The issue affects Parsl versions prior to 2026.01.05, which includes the fix.
NiceGUI versions 2.10.0 through 3.4.1 fail to properly release Redis connections when users open and close browser tabs, allowing unauthenticated attackers to exhaust the Redis connection pool and degrade service functionality. An attacker can repeatedly trigger connection leaks without authentication, causing storage errors and degraded performance once connection limits are reached. Public exploit code exists for this vulnerability, which is patched in version 3.5.0.
NiceGUI versions 2.22.0 through 3.4.1 contain a cross-site DOM-based XSS vulnerability in the pushstate event listener for ui.sub_pages that allows attackers to manipulate URL fragment identifiers via iframe injection. Public exploit code exists for this vulnerability, and affected users should upgrade to version 3.5.0 or later as no patch is currently available for vulnerable versions.
NiceGUI versions 2.22.0 through 3.4.1 contain a stored cross-site scripting vulnerability in the click event listener of ui.sub_pages that executes attacker-controlled JavaScript when users click malicious links on the page. Public exploit code exists for this vulnerability, and affected users should upgrade to version 3.5.0 or later immediately. The vulnerability requires user interaction but can impact confidentiality and integrity with network-accessible exploitation.
Cross-site scripting (XSS) in NiceGUI versions 2.13.0 through 3.4.1 allows attackers to execute arbitrary JavaScript in users' browsers when applications pass untrusted input to the ui.navigate.history.push() or ui.navigate.history.replace() functions due to improper string escaping in generated JavaScript. Public exploit code exists for this vulnerability, and developers using affected versions should upgrade to 3.5.0 or later, or avoid passing user-controlled data to these navigation helpers. Applications that only use these functions with trusted, hardcoded URLs are unaffected.
Bokeh versions 3.8.1 and below allow attackers to bypass Origin validation in WebSocket connections by registering domains that suffix-match allowlisted domains (e.g., dashboard.corp.attacker.com for allowlist entry dashboard.corp), enabling unauthorized server interaction. Public exploit code exists for this vulnerability, which could allow attackers to access sensitive data or modify visualizations on behalf of victims. The issue is resolved in Bokeh 3.8.2.
A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced.
urllib3 versions 1.22 through 2.6.2 perform unnecessary decompression of redirect response bodies in the streaming API, consuming memory and processing resources before any read methods are invoked. An unauthenticated remote attacker can trigger excessive decompression of large redirect responses to cause denial of service through memory exhaustion or high CPU consumption. This vulnerability affects all Python applications using urllib3's streaming functionality with compressed HTTP redirects.
Panda3D's deploy-stub executable up to version 1.10.16 is vulnerable to denial of service through unvalidated stack allocation based on command-line argument counts, allowing local attackers to crash the application by supplying excessive arguments. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw can trigger reliable crashes and undefined behavior during Python interpreter initialization.
Forcepoint One DLP Client, version 23.04.5642 (and possibly newer versions), includes a restricted version of Python 2.5.4 that prevents use of the ctypes library. [CVSS 7.8 HIGH]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. [CVSS 7.5 HIGH]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. [CVSS 7.5 HIGH]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. [CVSS 6.5 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. [CVSS 7.5 HIGH]
Eopkg package manager versions before 4.4.0 fail to track files included in malicious packages, allowing undetected file installation when users install from compromised sources. An attacker can distribute packages containing hidden files that evade detection by package management tools like lseopkg. Users installing exclusively from official Solus repositories are unaffected.
Eopkg package manager versions before 4.4.0 fail to enforce the --destdir installation path, allowing malicious packages to write files to arbitrary locations on the host filesystem. An attacker can exploit this by distributing a compromised package that bypasses the intended installation directory, potentially overwriting system files or placing malicious content outside the sandboxed installation path. Users are only at risk if installing packages from untrusted or compromised sources; Solus repository packages are unaffected.
Cpp-Httplib versions up to 0.30.0 contains a vulnerability that allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack (CVSS 7.5).
A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. [CVSS 7.8 HIGH]
A serialization bug in matrix-sdk-base allows remote attackers to cause denial-of-service by sending rooms with custom m.room.join_rules values, which stalls the sync process and prevents all room processing. The vulnerability affects matrix-sdk-base versions 0.14.1 and prior and has a high availability impact (CVSS 7.5) with a patch available in version 0.16.0. With a low EPSS score of 0.06% and no KEV listing, this represents a moderate real-world risk primarily concerning service availability rather than active exploitation.
ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 allows unauthenticated attackers to disclose the webserver's Python debug log file containing system information, credentials, paths, processes and command arguments running on the device. Attackers can access sensitive information by visiting the message_log page.
A security vulnerability in version 1.0 and (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. The /configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/ endpoints allow low-privilege users to upload ZIP files to the server. The plupload_file_upload function handles these file uploads and constructs the destination file path by using either the name parameter or the uploaded filename, neither of which is properly sanitized. The file extension is extracted by splitting the filename, and a format string is used to construct the final file path, leaving the destination path vulnerable to path traversal. An authenticated attacker with network connectivity can write arbitrary files to the server, enabling remote code execution after overwriting an executable file. An example is the pdflatex executable, which is executed through subprocess.Popen in the write_report_pdf function after requests to a /report/latex/(\d+).pdf endpoint.
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. A remote code execution vulnerability exists in the network configuration functionality, stemming from insufficient input validation when processing network configuration parameters through administrative endpoints. The application allows administrators to modify the server's network configuration through the Django application. This configuration is processed by Bash scripts (TSsetnoproxy and TSsetproxy) that write user-controlled data directly to environment variables without proper sanitization. After updating environment variables, the scripts execute a source command on /etc/environment; if an attacker injects malicious data into environment variables, this command can enable arbitrary command execution. The vulnerability begins with the /admin/network endpoint, which passes user-supplied form data as arguments to subprocess.Popen calls. The user-supplied input is then used to update environment variables in TSsetnoproxy and TSsetproxy, and finally source $environment is executed.
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. One of the middlewares included in this application, LocalhostAuthMiddleware, authenticates users as ionadmin if the REMOTE_ADDR property in request.META is set to 127.0.0.1, to 127.0.1.1, or to ::1. Any user with local access to the server may bypass authentication.
A remote code execution vulnerability in Thermo Fisher Torrent Suite Django application 5.18.1 (CVSS 9.8). Critical severity with potential for significant impact on affected systems.
CVE-2025-12084 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
CVE-2025-66416 is a security vulnerability (CVSS 8.1) that allows dns rebinding protection. High severity vulnerability requiring prompt remediation. Vendor patch is available.
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend’s code on the victim host. This vulnerability is fixed in 0.11.1.
When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues
When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.
fontTools is a library for manipulating fonts, written in Python. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required. Public exploit code available.
Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Spotipy is a Python library for the Spotify Web API. Rated low severity (CVSS 3.6), this vulnerability is no authentication required. No vendor patch available.
pypdf is a free and open-source pure-python PDF library. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
LangChain is a framework for building agents and LLM-powered applications. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the execute_query method. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A command injection vulnerability exists in the MCP Data Science Server's (reading-plus-ai/mcp-server-data-exploration) 0.1.6 in the safe_eval() function (src/mcp_server_ds/server.py:108). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
MaxKB is an open-source AI assistant for enterprise. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
MaxKB is an open-source AI assistant for enterprise. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Datadog Agent collects events and metrics from hosts and sends them to Datadog. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.
Uncontrolled search path for some Intel(R) Distribution for Python software installers before version 2025.2.0 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Improper input validation in OneFlow v0.9.0 allows attackers to cause a segmentation fault via adding a Python sequence to the native code during broadcasting/type conversion. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages.
Langflow's PythonFunction component allows authenticated attackers with user interaction to inject and execute arbitrary Python code within application workflows, achieving remote code execution. The vulnerability affects Langflow deployments using Python-based AI/ML components, with exploitation feasibility depending on specific product configurations. No patch is currently available.
Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted custom component definitions.
Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the visual AI workflow builder.
Remote code execution in Open WebUI through the load_tool_module_by_id function allows authenticated attackers to execute arbitrary Python code due to insufficient input validation on user-supplied strings. An attacker with valid credentials can leverage this vulnerability to achieve code execution with service account privileges. No patch is currently available, making this a critical risk for deployed Open WebUI instances.
MetaGPT has a code injection vulnerability in actionoutput_str_to_mapping (EPSS 2.6%) allowing remote attackers to execute arbitrary code through crafted AI agent output processing.
Moonraker versions 0.9.3 and below with LDAP authentication enabled are susceptible to LDAP injection attacks through the login endpoint, enabling attackers to enumerate valid user IDs and attributes via response analysis. An unauthenticated remote attacker can exploit this vulnerability to discover LDAP directory information without requiring valid credentials. A patch is available in version 0.10.0 and later.
MacOS version of Inkscape bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle.
Malicious wheel files can modify file permissions on critical system files during extraction in Python wheel versions 0.40.0-0.46.1, enabling attackers to alter SSH keys, configuration files, or executable scripts. This path traversal and permission manipulation flaw affects systems unpacking untrusted wheels and can lead to privilege escalation or arbitrary code execution. Public exploit code exists for this vulnerability, though a patch is available in version 0.46.2.
Grist spreadsheet software has an injection vulnerability in Python formula execution that allows authenticated users to escape the formula sandbox and execute arbitrary code.
Remote code execution in Tendenci CMS versions 15.3.11 and below allows authenticated staff users to execute arbitrary code through unsafe pickle deserialization in the Helpdesk module's reporting function. The vulnerability stems from incomplete patching of CVE-2020-14942, where the run_report() function continues to use unsafe pickle.loads() despite the ticket_list() function being corrected. Public exploit code exists for this issue, though impact is limited to the privileges of the application's runtime user.
vLLM is an inference and serving engine for large language models (LLMs). [CVSS 8.8 HIGH]
When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. [CVSS 5.3 MEDIUM]
PLY (Python Lex-Yacc) library 3.11 has an unsafe feature enabling remote code execution through pickle deserialization of cached parser tables, with EPSS 0.91%.
Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox restrictions and execute arbitrary code on the underlying operating system, with full instance takeover possible in Internal execution mode. Public exploit code exists for this vulnerability, which affects n8n deployments running under Internal execution mode where the Python executor has direct OS access. External execution mode deployments using Docker sidecars have reduced impact as code execution is confined to the container rather than the main node.
pyasn1 is a generic ASN.1 library for Python. versions up to 0.6.2 is affected by allocation of resources without limits or throttling (CVSS 7.5).
Dask distributed is a distributed task scheduler for Dask. [CVSS 6.1 MEDIUM]
Keras versions up to 3.13.0 is affected by allocation of resources without limits or throttling (CVSS 7.5).
BlackSheep's HTTP client prior to version 2.4.6 is vulnerable to CRLF injection due to insufficient header validation, allowing attackers to inject malicious headers or forge HTTP requests when developers pass unsanitized user input into header fields. Only applications using BlackSheep as an HTTP client are affected; the server component is not impacted. A patch is available in version 2.4.6 and later.
Tdarr 2.00.15 media transcoding server has unauthenticated RCE through command injection in the Help terminal. Commands can be chained without any input filtering. PoC available.
Remote code execution in Azure Core Shared Client Library for Python results from insecure deserialization of untrusted data, allowing authenticated network-based attackers to achieve arbitrary code execution. The vulnerability affects Python applications utilizing the vulnerable library versions, with no patch currently available. This represents a high-severity risk for Azure SDK consumers handling external or user-supplied serialized data.
Virtualenv versions up to 20.36.1 is affected by improper link resolution before file access (CVSS 4.5).
Python's filelock SoftFileLock implementation prior to version 3.20.3 contains a TOCTOU race condition that allows local attackers with symlink creation privileges to interfere with lock file operations between permission validation and file creation. An attacker can exploit this window to create a symlink at the target lock path, causing lock operations to fail or redirect to unintended files, resulting in denial of service or unexpected behavior. Upgrade to filelock version 3.20.3 or later to remediate this vulnerability.
pypdf versions prior to 6.6.0 are vulnerable to denial of service through CPU exhaustion when processing malformed PDF files with crafted startxref entries in non-strict reading mode. An attacker can create a specially crafted PDF containing excessive whitespace that causes the library to consume significant processing resources during cross-reference table reconstruction. A patch is available in version 6.6.0 and later.
Denial of service via resource exhaustion in pypdf prior to version 6.6.0 allows remote attackers to trigger excessive processing times by submitting specially crafted PDF files with missing /Root objects and inflated /Size values. The vulnerability only affects non-strict parsing mode and causes the library to consume significant CPU resources when processing otherwise invalid documents. A patch is available in version 6.6.0 and later.
Fickling versions prior to 0.1.7 fail to properly detect malicious pickle payloads due to inadequate handling of the "builtins" module, allowing attackers to bypass security analysis and potentially execute arbitrary code. This vulnerability affects Python environments using vulnerable versions of Fickling for pickle inspection and static analysis. An attacker can craft specially designed pickle files that evade detection mechanisms, compromising the integrity of pickle validation workflows.
Fickling's static analyzer before version 0.1.7 fails to detect several dangerous Python modules in pickled objects, enabling attackers to craft malicious pickles that bypass safety checks and achieve arbitrary code execution. This vulnerability affects users relying on Fickling to validate untrusted serialized Python objects for safety. Public exploit code exists for this HIGH severity vulnerability, though a patch is available in version 0.1.7 and later.
Fickling before version 0.1.7 allows local attackers to achieve arbitrary code execution through Python pickle deserialization by chaining unblocked ctypes and pydoc modules, bypassing the tool's safety scanner which incorrectly reports malicious files as LIKELY_SAFE. An attacker with user interaction can exploit this vulnerability to execute code with the privileges of the Python process. A patch is available in version 0.1.7 and later.
Fickling's static analyzer through version 0.1.6 fails to properly classify the cProfile module as unsafe during pickle analysis, causing malicious pickles leveraging cProfile.run() to be marked as SUSPICIOUS rather than OVERTLY_MALICIOUS. Organizations using Fickling as a security gate for deserialization decisions may be deceived into executing attacker-controlled code. Public exploit code exists for this vulnerability, and patches are available in version 0.1.7 and later.
Fickling's incomplete pickle analysis allows attackers to bypass security checks by using Python's runpy module to execute arbitrary code. Versions through 0.1.6 misclassify dangerous runpy-based payloads as merely suspicious rather than malicious, enabling code execution on systems that rely on Fickling to validate pickle safety. Public exploit code exists for this vulnerability, though a patch is available in version 0.1.7.
Authlib is a Python library which builds OAuth and OpenID Connect servers. [CVSS 5.7 MEDIUM]
Logging Redactor prior to version 0.0.6 fails to properly handle non-string data types during redaction operations, causing type conversion errors that can disrupt log formatting and integrity checks. Public exploit code exists for this vulnerability, allowing attackers to craft inputs that bypass the redaction mechanism or cause denial of service through malformed log output. Users of Logging Redactor should upgrade to version 0.0.6 or later, as no patch is currently available for affected earlier versions.
SQL injection in Parsl's visualization dashboard allows unauthenticated attackers to execute arbitrary database queries through unsafe string formatting of the workflow_id parameter. Public exploit code exists for this vulnerability, enabling potential data theft or database denial of service attacks against the monitoring infrastructure. The issue affects Parsl versions prior to 2026.01.05, which includes the fix.
NiceGUI versions 2.10.0 through 3.4.1 fail to properly release Redis connections when users open and close browser tabs, allowing unauthenticated attackers to exhaust the Redis connection pool and degrade service functionality. An attacker can repeatedly trigger connection leaks without authentication, causing storage errors and degraded performance once connection limits are reached. Public exploit code exists for this vulnerability, which is patched in version 3.5.0.
NiceGUI versions 2.22.0 through 3.4.1 contain a cross-site DOM-based XSS vulnerability in the pushstate event listener for ui.sub_pages that allows attackers to manipulate URL fragment identifiers via iframe injection. Public exploit code exists for this vulnerability, and affected users should upgrade to version 3.5.0 or later as no patch is currently available for vulnerable versions.
NiceGUI versions 2.22.0 through 3.4.1 contain a stored cross-site scripting vulnerability in the click event listener of ui.sub_pages that executes attacker-controlled JavaScript when users click malicious links on the page. Public exploit code exists for this vulnerability, and affected users should upgrade to version 3.5.0 or later immediately. The vulnerability requires user interaction but can impact confidentiality and integrity with network-accessible exploitation.
Cross-site scripting (XSS) in NiceGUI versions 2.13.0 through 3.4.1 allows attackers to execute arbitrary JavaScript in users' browsers when applications pass untrusted input to the ui.navigate.history.push() or ui.navigate.history.replace() functions due to improper string escaping in generated JavaScript. Public exploit code exists for this vulnerability, and developers using affected versions should upgrade to 3.5.0 or later, or avoid passing user-controlled data to these navigation helpers. Applications that only use these functions with trusted, hardcoded URLs are unaffected.
Bokeh versions 3.8.1 and below allow attackers to bypass Origin validation in WebSocket connections by registering domains that suffix-match allowlisted domains (e.g., dashboard.corp.attacker.com for allowlist entry dashboard.corp), enabling unauthorized server interaction. Public exploit code exists for this vulnerability, which could allow attackers to access sensitive data or modify visualizations on behalf of victims. The issue is resolved in Bokeh 3.8.2.
A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced.
urllib3 versions 1.22 through 2.6.2 perform unnecessary decompression of redirect response bodies in the streaming API, consuming memory and processing resources before any read methods are invoked. An unauthenticated remote attacker can trigger excessive decompression of large redirect responses to cause denial of service through memory exhaustion or high CPU consumption. This vulnerability affects all Python applications using urllib3's streaming functionality with compressed HTTP redirects.
Panda3D's deploy-stub executable up to version 1.10.16 is vulnerable to denial of service through unvalidated stack allocation based on command-line argument counts, allowing local attackers to crash the application by supplying excessive arguments. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw can trigger reliable crashes and undefined behavior during Python interpreter initialization.
Forcepoint One DLP Client, version 23.04.5642 (and possibly newer versions), includes a restricted version of Python 2.5.4 that prevents use of the ctypes library. [CVSS 7.8 HIGH]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. [CVSS 7.5 HIGH]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. [CVSS 7.5 HIGH]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. [CVSS 5.3 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. [CVSS 6.5 MEDIUM]
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. [CVSS 7.5 HIGH]
Eopkg package manager versions before 4.4.0 fail to track files included in malicious packages, allowing undetected file installation when users install from compromised sources. An attacker can distribute packages containing hidden files that evade detection by package management tools like lseopkg. Users installing exclusively from official Solus repositories are unaffected.
Eopkg package manager versions before 4.4.0 fail to enforce the --destdir installation path, allowing malicious packages to write files to arbitrary locations on the host filesystem. An attacker can exploit this by distributing a compromised package that bypasses the intended installation directory, potentially overwriting system files or placing malicious content outside the sandboxed installation path. Users are only at risk if installing packages from untrusted or compromised sources; Solus repository packages are unaffected.
Cpp-Httplib versions up to 0.30.0 contains a vulnerability that allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack (CVSS 7.5).
A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. [CVSS 7.8 HIGH]
A serialization bug in matrix-sdk-base allows remote attackers to cause denial-of-service by sending rooms with custom m.room.join_rules values, which stalls the sync process and prevents all room processing. The vulnerability affects matrix-sdk-base versions 0.14.1 and prior and has a high availability impact (CVSS 7.5) with a patch available in version 0.16.0. With a low EPSS score of 0.06% and no KEV listing, this represents a moderate real-world risk primarily concerning service availability rather than active exploitation.
ReQuest Serious Play F3 Media Server versions 7.0.3.4968 (Pro), 7.0.2.4954, 6.5.2.4954, 6.4.2.4681, 6.3.2.4203, and 2.0.1.823 allows unauthenticated attackers to disclose the webserver's Python debug log file containing system information, credentials, paths, processes and command arguments running on the device. Attackers can access sensitive information by visiting the message_log page.
A security vulnerability in version 1.0 and (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. The /configure/plugins/plugin/upload/zip/ and /configure/newupdates/offline/bundle/upload/ endpoints allow low-privilege users to upload ZIP files to the server. The plupload_file_upload function handles these file uploads and constructs the destination file path by using either the name parameter or the uploaded filename, neither of which is properly sanitized. The file extension is extracted by splitting the filename, and a format string is used to construct the final file path, leaving the destination path vulnerable to path traversal. An authenticated attacker with network connectivity can write arbitrary files to the server, enabling remote code execution after overwriting an executable file. An example is the pdflatex executable, which is executed through subprocess.Popen in the write_report_pdf function after requests to a /report/latex/(\d+).pdf endpoint.
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. A remote code execution vulnerability exists in the network configuration functionality, stemming from insufficient input validation when processing network configuration parameters through administrative endpoints. The application allows administrators to modify the server's network configuration through the Django application. This configuration is processed by Bash scripts (TSsetnoproxy and TSsetproxy) that write user-controlled data directly to environment variables without proper sanitization. After updating environment variables, the scripts execute a source command on /etc/environment; if an attacker injects malicious data into environment variables, this command can enable arbitrary command execution. The vulnerability begins with the /admin/network endpoint, which passes user-supplied form data as arguments to subprocess.Popen calls. The user-supplied input is then used to update environment variables in TSsetnoproxy and TSsetproxy, and finally source $environment is executed.
An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. One of the middlewares included in this application, LocalhostAuthMiddleware, authenticates users as ionadmin if the REMOTE_ADDR property in request.META is set to 127.0.0.1, to 127.0.1.1, or to ::1. Any user with local access to the server may bypass authentication.
A remote code execution vulnerability in Thermo Fisher Torrent Suite Django application 5.18.1 (CVSS 9.8). Critical severity with potential for significant impact on affected systems.
CVE-2025-12084 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
CVE-2025-66416 is a security vulnerability (CVSS 8.1) that allows dns rebinding protection. High severity vulnerability requiring prompt remediation. Vendor patch is available.
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in `django.core.serializers.xml_serializer.getInnerText()` allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML input processed by the XML `Deserializer`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.
An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. `FilteredRelation` is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet.annotate()` or `QuerySet.alias()` on PostgreSQL. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue.
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote code execution vector in a config class named Nemotron_Nano_VL_Config. When vllm loads a model config that contains an auto_map entry, the config class resolves that mapping with get_class_from_dynamic_module(...) and immediately instantiates the returned class. This fetches and executes Python from the remote repository referenced in the auto_map string. Crucially, this happens even when the caller explicitly sets trust_remote_code=False in vllm.transformers_utils.config.get_config. In practice, an attacker can publish a benign-looking frontend repo whose config.json points via auto_map to a separate malicious backend repo; loading the frontend will silently run the backend’s code on the victim host. This vulnerability is fixed in 0.11.1.
When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues
When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.
fontTools is a library for manipulating fonts, written in Python. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required. Public exploit code available.
Keras version 3.11.3 is affected by a path traversal vulnerability in the keras.utils.get_file() function when extracting tar archives. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Spotipy is a Python library for the Spotify Web API. Rated low severity (CVSS 3.6), this vulnerability is no authentication required. No vendor patch available.
pypdf is a free and open-source pure-python PDF library. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
LangChain is a framework for building agents and LLM-powered applications. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component, where an attacker could cause a code injection issue. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A code injection vulnerability exists in baryhuang/mcp-server-aws-resources-python 0.1.0 that allows remote code execution through insufficient input validation in the execute_query method. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A command injection vulnerability exists in the MCP Data Science Server's (reading-plus-ai/mcp-server-data-exploration) 0.1.6 in the safe_eval() function (src/mcp_server_ds/server.py:108). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
MaxKB is an open-source AI assistant for enterprise. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
MaxKB is an open-source AI assistant for enterprise. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Datadog Agent collects events and metrics from hosts and sends them to Datadog. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.
Uncontrolled search path for some Intel(R) Distribution for Python software installers before version 2025.2.0 within Ring 3: User Applications may allow an escalation of privilege. Rated medium severity (CVSS 5.4). No vendor patch available.
OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Improper input validation in OneFlow v0.9.0 allows attackers to cause a segmentation fault via adding a Python sequence to the native code during broadcasting/type conversion. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.