Skip to main content

Python

2159 CVEs product

Monthly

CVE-2026-40605 MEDIUM PATCH This Month

Path traversal in Tautulli's cache deletion API endpoint allows authenticated low-privilege users to delete arbitrary directories outside the configured cache root, resulting in arbitrary data loss and service disruption. All Tautulli versions prior to 2.17.1 are affected; the vendor-confirmed fix is v2.17.1 (released 2026-05-04). The CVSS 4.0 E:P modifier confirms proof-of-concept exploit code exists, and no public exploit identified at time of analysis rises to CISA KEV-confirmed active exploitation.

Python Path Traversal Tautulli
NVD GitHub
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-44181 PyPI CRITICAL PATCH GHSA Act Now

Server-side template injection in Jupyter Enterprise Gateway versions 2.0.0rc2 through 3.2.x allows remote attackers to execute arbitrary Python code and OS commands in the Enterprise Gateway pod by injecting Jinja2 expressions into KERNEL_XXX environment variables sent via the kernel-creation API. Successful exploitation yields the gateway's Kubernetes service account token, which (per the published PoC RBAC dump) carries cluster-impacting verbs over pods, secrets, and persistent volumes - providing a realistic path to full Kubernetes cluster compromise. A working PoC is published in the GHSA advisory (GHSA-f49j-v924-fx9w); no CISA KEV listing at time of analysis.

Kubernetes Python Ssti RCE
NVD GitHub
EPSS
0.9%
CVE-2026-41234 PHP HIGH PATCH GHSA This Week

Authenticated zone-file injection in Froxlor <=2.3.6 allows a customer with DNS editing enabled to inject newline characters into TXT record content via the DomainZones.add API, breaking out of the record line in the generated BIND zone file and injecting arbitrary BIND directives ($INCLUDE, $GENERATE) or DNS records (A, MX, CNAME). The flaw is an incomplete fix for CVE-2026-30932, which sanitized LOC/RP/SSHFP/TLSA records but left TXT handling reliant only on Dns::encloseTXTContent(), which strips no control characters. Publicly available exploit code exists (detailed PoC including a Python script in the GHSA advisory), but there is no public exploit identified at time of analysis in CISA KEV and no EPSS score was provided.

Python Apache PHP Information Disclosure Docker +1
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-44017 PyPI HIGH PATCH GHSA This Week

Path traversal (Zip Slip) in IBM's Docling document processing library before v2.91.0 allows arbitrary file write when the EasyOCR model download function extracts ZIP archives without validating member paths. An attacker who can intercept or substitute the model download source (via MITM, DNS spoofing, or upstream supply-chain compromise) can drop files anywhere the process can write, leading to RCE or persistence. No public exploit identified at time of analysis and the vulnerability is not on the CISA KEV list.

Python Path Traversal RCE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-8404 PyPI LOW PATCH Monitor

Incorrect cache storage in Django's UpdateCacheMiddleware exposes responses that should have been excluded from caching due to uppercase or mixed-case Cache-Control directives (e.g., 'Private', 'NO-STORE'). Affected versions 5.2.x before 5.2.15 and 6.0.x before 6.0.6 fail to perform case-insensitive comparison of Cache-Control directive strings, causing the middleware to cache responses it should skip, which remote attackers can then retrieve. No public exploit has been identified at time of analysis, and active exploitation is not confirmed; the low CVSS 4.0 score of 2.3 accurately reflects limited scope, though real-world impact scales with how sensitive the incorrectly cached data is.

Information Disclosure Python
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-7666 PyPI LOW PATCH Monitor

Django's SMTP email backend silently downgrades to cleartext transmission when a STARTTLS handshake fails under the `fail_silently=True` configuration, exposing email content to on-path network interception. Affected are Django 6.0.x before 6.0.6 and 5.2.x before 5.2.15; older unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated but may also be vulnerable. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects the high attack complexity and mandatory on-path network positioning required for exploitation.

Information Disclosure Python
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-6873 PyPI LOW PATCH Monitor

Cookie context confusion in Django's signed cookie implementation allows a remote low-privileged attacker to substitute a cookie signed in one application context into a different context where a distinct (name, salt) pair produces the same concatenated string. Affected are Django 6.0 before 6.0.6 and Django 5.2 before 5.2.15; older unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated but may also be affected. The real-world impact is limited to low-confidence data exposure (VC:L), with no public exploit identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects a low-severity, contextually constrained flaw.

Jwt Attack Code Injection Python
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-5241 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in Hugging Face Transformers 5.2.0 allows a malicious model repository to bypass the user's explicit trust_remote_code=False safeguard when loading a LightGlue model via AutoModel.from_pretrained(). The LightGlueConfig deserializes the trust_remote_code flag from the untrusted config.json and propagates the attacker-controlled value into a nested AutoConfig.from_pretrained() call, enabling execution of arbitrary attacker-supplied Python during model initialization. Rated CVSS 9.6 (AV:N/AC:L/PR:N/UI:R) with publicly available exploit code exists via the Huntr disclosure, though EPSS is currently 0.07% (22th percentile) and the CVE is not on CISA KEV.

RCE Python Transformers
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-48587 PyPI LOW PATCH Monitor

Cache-bypass information disclosure in Django's `has_vary_header()` utility allows remote attackers to read cached HTTP responses intended for other users by exploiting improper whitespace handling in `Vary` header comparisons. Affected versions are Django 5.2.x before 5.2.15 and 6.0.x before 6.0.6; earlier unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated and may also be affected per the vendor. The CVSS 4.0 score of 2.3 reflects constrained real-world impact requiring both a non-default prerequisite condition and user interaction, with no public exploit or confirmed active exploitation identified at time of analysis.

Information Disclosure Python
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-35193 PyPI LOW PATCH Monitor

Cache information disclosure in Django 5.2.x and 6.0.x allows remote unauthenticated attackers to read private authenticated responses served from shared caching layers. The `UpdateCacheMiddleware` component omits `Authorization` from the `Vary` response header when authenticated requests lack an explicit `Cache-Control: public` directive, causing caches to serve authenticated users' responses to subsequent unauthenticated requestors at the same URL. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects meaningful - but constrained - real-world impact gated behind specific deployment prerequisites.

Information Disclosure Python
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-47265 PyPI MEDIUM PATCH GHSA This Month

Cross-origin cookie leakage in aiohttp prior to 3.14.0 allows sensitive per-request cookies to be forwarded to attacker-controlled domains when a redirect is followed. When application code passes cookies via the `cookies` parameter of an aiohttp request, those cookies are not dropped upon following a cross-origin redirect - violating the origin isolation guarantee users expect. An attacker who can influence redirect responses (e.g., via a compromised or malicious upstream server) can harvest cookie values intended only for the original origin. No public exploit identified at time of analysis; EPSS data not provided in source intelligence.

Information Disclosure Python
NVD GitHub VulDB
CVSS 4.0
6.6
EPSS
0.0%
CVE-2026-34993 PyPI HIGH PATCH GHSA This Week

Arbitrary code execution in the aiohttp Python framework (versions prior to 3.14.0) arises when CookieJar.load() deserializes an attacker-controlled file, classed as CWE-502 unsafe deserialization. An attacker who can plant or substitute the persisted cookie file and induce the application to load it gains code execution in the host process. There is no public exploit identified at time of analysis, EPSS is very low (0.06%), and CISA SSVC rates exploitation as none - consistent with the library's own note that the function is normally used on the user's own trusted data.

RCE Deserialization Python Aiohttp
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-10300 PyPI LOW POC PATCH Monitor

Reachable assertion in SGLang 0.5.10.post1's LoRA adapter scheduler allows a remote unauthenticated attacker to trigger a denial of service via a crafted `lora_path` argument to the inference HTTP endpoint. The root cause is a logic flaw in the batch prefill scheduler: chunked LoRA prefill requests already admitted to the prefill queue are invisible to the LoRA admission check, enabling N+1 distinct adapters to be submitted when `max_loras_per_batch=N`, which forces an assertion failure in `lora_manager.py`. A publicly available proof-of-concept exists (no public exploit identified at time of analysis in the KEV sense), and the CVSS 4.0 score of 2.9 reflects high attack complexity and limited availability impact.

Denial Of Service Python
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-47412 PyPI HIGH PATCH GHSA This Week

{id} request. The DELETE endpoint enforces only member-level authorization instead of owner-level, and the destructive action is silent, immediate, and without recovery path. No public exploit identified at time of analysis, but source-level analysis confirms the gap and a vendor patch is available.

Privilege Escalation Python
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-47415 PyPI HIGH PATCH GHSA This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform versions prior to 0.1.4 allows any authenticated workspace member to read, modify, or delete issues belonging to other tenants by supplying a known issue UUID against their own workspace path. The issue CRUD endpoints validate workspace membership but never verify that the targeted issue actually belongs to that workspace, breaking multi-tenant isolation. No public exploit identified at time of analysis, but the vulnerability is source-verified end-to-end with an upstream fix released as version 0.1.4.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-47413 PyPI CRITICAL PATCH GHSA Act Now

{workspace_id}/members. The endpoint enforces only the default member-tier gate and forwards the caller-supplied role directly to MemberService.add, which validates the role string but never checks the caller's permission to assign it. No public exploit identified at time of analysis, but a detailed exploit chain is documented in the vendor advisory.

Privilege Escalation Python
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-47411 PyPI MEDIUM PATCH GHSA This Month

{workspace_id} endpoint. The CVSS vector (PR:L/AC:L/AV:N/UI:N/I:H) confirms this is a low-complexity network attack requiring only member-tier credentials, and the integrity impact is rated High because the settings field can be used as a configuration-injection primitive - redirecting LLM provider URLs, webhook endpoints, or invite flows to attacker-controlled infrastructure. No public exploit identified at time of analysis, though the exploit chain is trivially reproducible from the published GitHub Security Advisory GHSA-rcmc-q9rj-4wmq.

Privilege Escalation Python
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47417 PyPI HIGH PATCH GHSA This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform versions prior to 0.1.4 allows any authenticated workspace member to read and inject comments on issues belonging to any other tenant in a multi-tenant deployment. The comment endpoints validate workspace membership but never verify that the URL-supplied issue_id actually belongs to that workspace, breaking tenant isolation. No public exploit identified at time of analysis, but source-code-level analysis confirms the gap end-to-end.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-47418 PyPI HIGH PATCH GHSA This Week

{workspace_id}/projects/{project_id} only verify membership in the URL-supplied workspace, then perform primary-key-only lookups against the Project table without scoping by workspace_id. No public exploit identified at time of analysis, and EPSS/KEV signals are not provided for this advisory.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-47425 LIB MEDIUM PATCH GHSA This Month

Arbitrary file write via path traversal in rattler's noarch:python entry-point installer allows a malicious conda package to write executable files outside the install prefix on both Unix and Windows. Any user of rattler < 0.43.2, pixi < 0.69.0, or rattler-build < 0.65.0 who installs a crafted noarch:python package is affected - no special configuration or flag opt-in is required. The attacker-controlled file is written with mode 0o775 on Unix or as a copied launcher .exe on Windows, enabling code execution when the entry-point is subsequently invoked. No public exploit code is identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Microsoft Path Traversal Python
NVD GitHub
EPSS
0.1%
CVE-2026-45426 PyPI LOW PATCH Monitor

{/, l, o, g} - rather than a literal prefix strip, causing the filename derived from the URL to diverge from the file actually served. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Python Apache Deserialization Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-46764 PyPI MEDIUM PATCH This Month

The event log detail endpoint in Apache Airflow before 3.2.2 applies a generic DAG-level audit log permission check rather than scoping authorization to the specific DAG that owns the requested event log entry, allowing any authenticated low-privilege user to read audit log entries belonging to DAGs outside their permitted scope. The flaw is a broken object-level authorization (IDOR) pattern - classified as CWE-639 - where the user-supplied `event_log_id` path parameter can reference log rows from unauthorized DAGs without triggering a rejection. No public exploit code exists and the issue is not listed in CISA KEV, but the attack is trivially executable by any authenticated Airflow user in a multi-tenant deployment.

Python Apache Deserialization Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45360 PyPI HIGH PATCH GHSA This Week

Arbitrary Python module import in Apache Airflow versions prior to 3.2.2 occurs when the scheduler deserializes custom DeadlineReference objects, because the prior implementation called import_string() directly on an attacker-controllable __class_path field. Rated CVSS 7.3 with low confidentiality/integrity/availability impact, this issue has no public exploit identified at time of analysis and EPSS estimates exploitation probability at 0.02% (6th percentile).

Apache Deserialization Python
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-48726 PyPI MEDIUM PATCH This Month

JWT session tokens remain valid after logout in Apache Airflow deployments using FabAuthManager or KeycloakAuthManager due to an unreachable revoke_token() call in the logout code path. Versions before 3.2.2 are affected. When the configured auth manager returns an external redirect URL on logout (as Keycloak-backed deployments do), the logout handler redirects the browser before invoking revoke_token(), leaving the JWT - with its embedded jti claim - unregistered in the RevokedToken table and therefore still accepted by the API. No public exploit is identified at time of analysis, and EPSS exploitation probability stands at 0.01% (4th percentile), but the impact is meaningful in environments where session hijacking or token theft is a realistic threat model.

Authentication Bypass Apache Python
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47416 PyPI CRITICAL PATCH GHSA Act Now

{workspace_id}/members/{user_id} request. The route's FastAPI dependency defaults to min_role="member" and is never overridden, while the service layer applies the requested role with no caller-privilege or role-hierarchy checks. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-c2m8-4gcg-v22g) provides full reproduction details and a fix is shipped in 0.1.4.

Privilege Escalation Python
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-47409 PyPI HIGH PATCH GHSA This Week

{workspace_id}/members/{user_id}`, which defaults to `min_role="member"` instead of requiring owner/admin privileges, and there is no public exploit identified at time of analysis.

Privilege Escalation Python
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-47414 PyPI HIGH PATCH GHSA This Week

Cross-workspace label tampering in praisonai-platform <=0.1.2 lets any authenticated workspace member rewrite, delete, attach, detach, and enumerate labels belonging to other tenants because five label endpoints only check workspace membership and never verify that the URL-supplied label_id or issue_id actually belongs to that workspace. Reported by the upstream MervinPraison/PraisonAI project with a fix in 0.1.4; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-47406 PyPI HIGH PATCH GHSA This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform (<=0.1.2) allows any authenticated workspace member to read, create, and delete issue dependencies belonging to foreign workspaces by supplying arbitrary issue UUIDs in URL paths and request bodies. The dependency endpoints only enforce membership on the URL workspace_id while passing unvalidated issue and dependency identifiers to DependencyService, enabling cross-tenant linking of issues across any two workspaces in the deployment. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-4x6r-9v57-3gqw confirms the flaw and a fixed version (0.1.4) is available.

Python Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-47410 PyPI CRITICAL PATCH GHSA Act Now

Pre-authentication full account takeover in praisonai-platform (pip package, versions <= 0.1.2) allows remote unauthenticated attackers to forge JWTs for any user, including workspace owners and admins. The JWT signing key silently falls back to the hardcoded literal 'dev-secret-change-me' from the public GitHub source because the production-mode guard only triggers when PLATFORM_ENV is explicitly set to a non-default value, which default deployments do not do. Publicly available exploit code exists in the GHSA advisory itself, though no public exploit campaign or CISA KEV listing has been reported at time of analysis.

RCE Python
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47405 PyPI HIGH PATCH GHSA This Week

Vertical privilege escalation in PraisonAI Platform versions 0.1.2 and earlier allows any authenticated low-privilege workspace member to self-promote to owner and take over the workspace. The flaw stems from administrative FastAPI routes reusing a shared authorization dependency that defaults to the lowest 'member' role, so role-mutation endpoints never enforce admin/owner checks. A working PoC is published in the GHSA-h37g-4h4p-9x97 advisory, though no public exploit identified at time of analysis in mass-exploitation form, and the issue is not currently in CISA KEV.

Privilege Escalation Python Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-47399 PyPI HIGH PATCH GHSA This Week

Cross-workspace object access in PraisonAI Platform (pip package praisonai-platform <= 0.1.2) allows any authenticated workspace member to read, modify, and delete agents, projects, issues, and comments belonging to other workspaces by supplying the victim object's global UUID through their own workspace-scoped URL. The flaw stems from route-layer membership checks not being bound to service-layer object lookups, breaking tenant isolation in multi-tenant deployments. A working PoC is published in the GHSA advisory, though there is no public exploit identified at time of analysis beyond the advisory's own demonstration.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-47407 PyPI CRITICAL PATCH GHSA Act Now

Cross-tenant IDOR and privilege escalation in PraisonAI Platform (pip package praisonai-platform <= 0.1.2) allow any registered user to read, modify, or delete agents, issues, projects, labels, comments, and dependencies across every workspace, and to promote themselves to admin/owner of any workspace they are invited to. The FastAPI `require_workspace_member` dependency validates membership against the URL prefix workspace but never checks that nested resource IDs belong to that workspace, while privileged member-management routes inherit the default `min_role="member"` instead of requiring admin/owner. Publicly available exploit code exists in the form of a reporter-supplied PoC, open registration on the default `0.0.0.0:8000` bind makes exploitation trivial, and CVSS, EPSS, and CISA KEV signals are not provided in the supplied data.

Privilege Escalation Python
NVD GitHub
EPSS
0.0%
CVE-2026-47408 PyPI MEDIUM PATCH GHSA This Month

{workspace_id}/issues/{issue_id}/activity endpoint validates workspace membership but passes issue_id directly to an unscoped database query, returning actor identities, action types, and before/after field values from the details JSON blob for any issue UUID reachable by the attacker. No public exploit has been identified at time of analysis, but the vulnerability is source-inspection-verified via the GHSA-27p4-pjqv-whgj advisory.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-48169 PyPI HIGH PATCH GHSA This Week

Cross-workspace IDOR and member-to-owner privilege escalation in PraisonAI Platform API (pip package praisonai-platform <= 0.1.2) lets any authenticated user read, modify, and delete issues and projects belonging to other tenants, and lets any workspace member promote themselves to owner and evict the legitimate owner. The two flaws chain together: a single member-level invite to any workspace becomes platform-wide data access plus full takeover of any workspace the attacker is added to. No public exploit identified at time of analysis beyond the detailed PoC published in the GHSA advisory, and the issue is not in CISA KEV.

Privilege Escalation Python Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-47397 PyPI HIGH PATCH GHSA This Week

Arbitrary file write in PraisonAI <= 4.6.39 enables remote attackers to plant attacker-controlled files at arbitrary filesystem paths when a victim uses the Python API to crawl attacker-hosted web content. The flaw stems from write_file.py skipping path validation whenever workspace=None, which is the default state in production, and is triggered indirectly via hidden HTML metadata that PraisonAI agents interpret as legitimate instructions. No public exploit identified at time of analysis beyond the detailed PoC included in the GitHub Security Advisory (GHSA-hvhp-v2gc-268q).

Path Traversal Python
NVD GitHub
EPSS
0.1%
CVE-2026-47391 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in PraisonAI's first-party A2A server example (pip package <= 4.6.39) allows unauthenticated network attackers to execute arbitrary Python on the server process by sending a JSON-RPC message/send request to /a2a that drives the LLM-backed agent into invoking an eval()-based calculate tool. The chain combines three first-party defaults - no auth_token, 0.0.0.0 bind, and an eval()-backed example tool - and was confirmed end-to-end against a real Gemini model with a canary marker file write. No public exploit identified at time of analysis beyond the proof-of-concept in the advisory itself, and the issue is not in CISA KEV.

Denial Of Service RCE Code Injection Python
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47394 PyPI HIGH PATCH GHSA This Week

Unauthenticated arbitrary file read in PraisonAI's MCP server (pip/PraisonAI <= 4.6.39) allows remote callers to retrieve any file readable by the host user via the praisonai.workflow.show, praisonai.workflow.validate, and praisonai.deploy.validate tool handlers. The flaw is an incomplete fix for CVE-2026-44336: a hardening helper was applied to the rules.* tools but not to these adjacent workflow/deploy handlers, and the dispatcher still forwards unvalidated kwargs to handlers. Publicly available exploit code exists (working proof-of-concept in the advisory); no public exploit identified at time of analysis as a packaged exploit, but the advisory itself ships a runnable PoC.

Docker PostgreSQL Path Traversal Python
NVD GitHub
EPSS
0.1%
CVE-2026-47392 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in PraisonAI praisonaiagents <=1.6.39 and PraisonAI <=4.6.39 allows authenticated attackers to fully escape the execute_code() subprocess sandbox by leveraging print.__self__ to reach the real builtins module and reconstructing __import__ at runtime. The flaw defeats prior patches for CVE-2026-39888, CVE-2026-34938, and CVE-2026-40158, enabling arbitrary OS command execution on the host wherever agent input can be influenced via prompt injection or direct code submission. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-4mr5-g6f9-cfrh), and EPSS/KEV signals are not yet published for this newly disclosed novel bypass.

Command Injection Node.js RCE Python
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-47395 PyPI MEDIUM PATCH GHSA This Month

Local SSRF in PraisonAI's direct-prompt CLI allows an attacker who can influence prompt text to cause the operator's machine to fetch loopback and private-network HTTP resources, injecting the response body into the LLM prompt context. Affected packages are pip/praisonai <= 4.6.39 and pip/praisonaiagents <= 1.6.39; patches are available in 4.6.40 and 1.6.40 respectively. Publicly available exploit code exists (confirmed working PoC in the GHSA advisory), no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV listing absent), and the CVSS 5.5 score reflects a meaningful confidentiality impact (C:H) constrained by a local attack vector.

Information Disclosure Mozilla SSRF Python
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-47393 PyPI CRITICAL PATCH GHSA Act Now

Authentication bypass in PraisonAI versions <= 4.6.39 allows remote unauthenticated attackers to invoke arbitrary LLM orchestration via the Flask API server generated by the documented `praisonai deploy --type api` quickstart. The generator defaults `auth_enabled=False`, causing `check_auth()` to short-circuit to `True` and accept any request to `/chat` and `/agents`, exposing the operator's LLM API keys and any agent-attached tools (python_repl, bash, file I/O, HTTP). Publicly available exploit code exists in the form of a working PoC, and CVSS scores this 9.8 critical.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47396 PyPI CRITICAL PATCH GHSA Act Now

Unauthenticated remote agent control in PraisonAI's call server (versions <= 4.6.39) allows any network-reachable client to enumerate, inspect, invoke, and unregister registered agents when the operator launches `praisonai-call` without setting the `CALL_SERVER_TOKEN` environment variable. The flaw stems from a fail-open authentication dependency combined with the server binding to 0.0.0.0 by default, and a working proof-of-concept is published in the GHSA advisory demonstrating end-to-end exploitation against a default deployment.

Python Authentication Bypass Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-47390 PyPI MEDIUM PATCH GHSA This Month

SSRF protection bypass in PraisonAI's spider_tools component (praisonaiagents <= 1.6.39, PraisonAI <= 4.6.39) allows an attacker who can influence URLs submitted to scrape_page(), crawl(), or extract_text() to reach loopback-only HTTP services by supplying alternate loopback address encodings such as octal IPv4, hex, decimal integer, or trailing-dot hostname forms. The _validate_url() function performs only exact-string blocklist checks against 'localhost' and '127.0.0.1', without DNS resolution, IP normalization, or post-connect address validation, causing the bypass. Publicly available exploit code (PoC) has been confirmed functional; no active exploitation via CISA KEV has been identified at time of analysis.

RCE SSRF Python
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-47398 PyPI HIGH PATCH GHSA This Week

Remote code execution in PraisonAI versions 2.0.0 through 4.6.39 allows attackers to execute arbitrary Python code via two unguarded spec.loader.exec_module call sites in agents_generator.py. The flaw is a sibling of CVE-2026-44334: the v4.6.32 chokepoint refactor added a PRAISONAI_ALLOW_LOCAL_TOOLS env-var gate to tool_override.py but missed the load_tools_from_module and load_tools_from_module_class sinks, which load arbitrary module paths from YAML agent configuration without validation. Publicly available exploit code exists (working PoC published with the advisory) and a fixed release is available in 4.6.40.

RCE Code Injection Python
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-47234 PHP MEDIUM PATCH GHSA This Month

Plaintext credential exposure in Admidio v5.0.9 and earlier causes session IDs and persistent auto-login cookie values to be written to application logs whenever debug logging is enabled. Both the ADMIDIO_*_SESSION_ID and the long-lived ADMIDIO_*_AUTO_LOGIN_ID tokens are recorded verbatim by Session::setCookie() and Session::start(), effectively turning the log sink into a recoverable credential store. Any actor with read access to log files, log backups, or external log aggregation pipelines can extract and replay these tokens to hijack active sessions or gain persistent account access. Publicly available exploit code exists as documented in GitHub advisory GHSA-mch8-wf3h-6x88; this CVE is not currently listed in CISA KEV.

Information Disclosure PHP CSRF Python
NVD GitHub
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-47232 PHP MEDIUM PATCH GHSA This Month

Missing CSRF protection on the PKCS#12 private key export endpoint in Admidio v5.0.9 allows a network-based attacker to force an authenticated administrator's browser to trigger an unauthorized SSO private key export. The SecurityUtils::validateCsrfToken() call in modules/sso/keys.php was commented out on the 'export' case, permitting forged cross-site POST requests to invoke KeyService::exportToPkcs12() without a valid form token. While same-origin policy prevents the attacker from reading the streamed .p12 response directly, a working proof-of-concept is publicly documented in the GitHub security advisory and a vendor-confirmed fix is available in version 5.0.10.

OpenSSL Ubuntu CSRF Python PHP
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-47213 PyPI MEDIUM GHSA This Month

Timeout enforcement in BoxLite sandbox service fails to kill processes because the implementation sends the catchable SIGALRM signal (signal 14) instead of the uncatchable SIGKILL signal (signal 9) in guest/src/service/exec/timeout.rs. All BoxLite versions up to and including 0.8.2 (pip/boxlite) are affected. A low-privileged attacker who can submit workloads to the BoxLite API can register a SIGALRM handler or set it to SIG_IGN with a single call, surviving past any configured execution timeout and exhausting VM resources to degrade availability for all BoxLite users. Publicly available exploit code exists in GitHub advisory GHSA-xjhv-pp2r-6f82; no patch has been released as of time of analysis.

Denial Of Service Python
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47184 PyPI MEDIUM PATCH GHSA This Month

Memory exhaustion in python-zeroconf's DNSCache component allows any unauthenticated host on the same Layer-2 segment to OOM-kill or severely degrade processes that consume mDNS/DNS-SD services (CVSS 6.5, AV:A/PR:N). The DNSCache._async_add method imposed no upper bound on cache entries, permitting a local-link attacker to multicast valid mDNS responses with unique names that accumulate across all four internal data structures faster than the 10-second cleanup interval can purge them. A second distinct variant exploits TTL re-advertisement to bloat the internal _expire_heap independently of the cache entry counter, providing a second unbounded growth path that bypasses any entry-count monitoring. No public exploit is identified at time of analysis; a vendor-released patch is available as of zeroconf 0.149.6 or 0.149.7 (minor version discrepancy between sources - see confidence notes).

Canonical Python Denial Of Service Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47183 PyPI MEDIUM PATCH GHSA This Month

Memory exhaustion in python-zeroconf's exception deduplication logic allows any unauthenticated LAN-adjacent host to permanently pin approximately 9 KB of heap memory per unique malformed mDNS packet, enabling denial of service against zeroconf-dependent applications. The flaw affects all versions of the pip package `zeroconf` prior to 0.149.6; the unbounded `_seen_logs` dict in `QuietLogger` and `DNSIncoming._log_exception_debug` retained full Python traceback objects - and thus raw inbound packet buffers - keyed by attacker-influenced exception strings derived from ephemeral source ports, byte offsets, and pointer links. No public exploit or CISA KEV listing exists at time of analysis, but the attack is mechanistically straightforward and particularly severe on memory-constrained deployments such as Home Assistant on Raspberry Pi-class hardware, where sustained flood traffic can OOM-kill the process and disable HomeKit, Chromecast/Matter, and AirPlay discovery.

Canonical Python Denial Of Service Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-47180 PyPI MEDIUM PATCH GHSA This Month

Uncontrolled recursion in python-zeroconf's mDNS DNS name decoder (versions < 0.149.5) allows any unauthenticated host on the local link to crash or degrade the mDNS listener with a single ~3 kB packet. The `_decode_labels_at_offset` method recurses once per DNS compression pointer (RFC 1035 §4.1.4) with no cap on unique forward-pointer chain depth; a packet carrying ~1500 chained pointers overflows CPython's default call stack, and because `RecursionError` was omitted from `DECODE_EXCEPTIONS`, the exception escaped `DNSIncoming.__init__` rather than being handled gracefully. Replaying at a few hertz produces sustained CPU burn, log flooding, and degradation of all mDNS-dependent services (HomeKit, Chromecast/Matter, AirPlay, network printers); no public exploit identified at time of analysis, but the attack is trivially constructible from the published advisory and test fixture in PR #1719.

Information Disclosure Python Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44829 Go HIGH PATCH GHSA This Week

Zip slip path traversal in Gotenberg through version 8.32.0 allows remote unauthenticated attackers to plant files outside the extraction directory on Windows hosts that unzip multi-output API responses. Because Gotenberg runs on Linux containers, its filepath.Base sanitisation never strips Windows-style backslashes from uploaded multipart filenames, so a crafted name like '..\..\..\Windows\System32\evil.pdf' is preserved verbatim as a zip entry name and honoured by Windows extractors (7-Zip, WinRAR, .NET ZipFile, Explorer). A working publicly available exploit code exists in the GHSA advisory; the issue is not present in CISA KEV and no EPSS score was provided.

Docker Microsoft Path Traversal Python
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41237 PHP HIGH PATCH GHSA This Week

DNS zone file injection in Froxlor (versions before 2.3.7) allows authenticated users with DNS management permissions to inject arbitrary records into bind9 zone files through incomplete validation of LOC, RP, SSHFP, and TLSA record types. This is the second attempt at fixing the issue (originally tracked as CVE-2026-30932) - the LOC regex still matches newlines via \s+, TLSA matchingType=0 accepts unbounded hex payloads, and validators return raw input without zone-file escaping. Publicly available exploit code exists demonstrating both pre-fix injection and post-fix bypasses, though no public exploit identified in active campaigns at time of analysis.

Authentication Bypass PHP Python
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-42563 PyPI HIGH PATCH GHSA This Week

Command injection in Dulwich (pure-Python Git implementation) versions >= 0.24.0 and < 1.2.5 allows remote attackers to execute arbitrary OS commands when a victim merges an attacker-controlled branch and has a custom merge driver configured that references the %P placeholder. The ProcessMergeDriver passes attacker-controlled file paths from the git tree into subprocess.run with shell=True, so a path like 'x; touch /tmp/pwned #' is interpreted as a shell metacharacter sequence. Publicly available exploit code exists (working POC in the GitHub Security Advisory GHSA-9277-mp7x-85jf); no public exploit in CISA KEV at time of analysis.

Command Injection RCE Python
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-46439 PyPI HIGH PATCH GHSA This Week

Server-side template injection in the compliance-trestle `trestle author jinja` command enables arbitrary command execution when operators process attacker-controlled OSCAL data (SSP documents or Lookup Tables). Because the renderer recursively re-evaluates already-rendered output through a non-sandboxed Jinja2 Environment, malicious Jinja expressions placed in data fields like a system title are executed in a second pass even when the template itself is trusted and static. A proof-of-concept is published in the GHSA advisory; no public exploit identified at time of analysis as actively used in the wild, and the issue is not on CISA KEV.

RCE Code Injection Python
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46345 PyPI HIGH POC PATCH GHSA This Week

Arbitrary file write in compliance-trestle's `trestle author jinja` command allows a local user supplying a crafted `-o/--output` argument to write files anywhere the invoking user can write, due to missing validation of `../`, `..\`, and absolute paths. Affected versions are <= 3.12.1 and >= 4.0.0, < 4.0.3, with fixes in 3.12.2 and 4.0.3. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-4q5v-7g7x-j79w) includes a full reproducer; CVSS 8.4 reflects high impact on confidentiality, integrity, and availability.

Microsoft RCE Path Traversal Python
NVD GitHub
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-45774 PyPI MEDIUM PATCH GHSA This Month

Arbitrary file read in IBM's compliance-trestle Python library allows any file accessible to the running process to be extracted by supplying a malicious OSCAL profile YAML with path traversal sequences in the imports[].href field. Three confirmed attack vectors exist: via the trestle:// URI scheme, via relative href paths, and via back_matter rlinks - all exploiting the same root cause in LocalFetcher. Publicly available exploit code (PoC) exists demonstrating extraction of /etc/passwd, cloud credential files, and SSH private keys; no CISA KEV listing is confirmed at time of analysis.

IBM Path Traversal Python
NVD GitHub
EPSS
0.1%
CVE-2026-45296 HIGH PATCH This Week

Cross-tenant data exposure in OpenReplay self-hosted session replay suite (versions prior to 1.26.0) allows an attacker holding any valid API key for their own tenant to enumerate sessions and retrieve sensitive session event data belonging to other tenants. The flaw stems from app_apikey routes in the Python API that validate the API key and the existence of a projectKey independently, but never confirm the two belong to the same tenant. No public exploit identified at time of analysis, though the trivial nature of the abuse (substituting a browser-visible projectKey) makes weaponization straightforward.

Python Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-48525 PyPI MEDIUM POC PATCH GHSA This Month

Uncontrolled resource consumption in PyJWT 2.8.0-2.12.1 exposes any service that verifies detached JWS tokens to unauthenticated denial-of-service. When the unencoded-payload extension (b64=false, RFC 7797) is in use, PyJWT unnecessarily Base64URL-decodes the compact-serialization payload segment before discarding it in favor of the caller-supplied detached payload - turning that segment into an attacker-controlled amplifier for CPU and memory exhaustion regardless of signature validity. No public exploit has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully unauthenticated remote exploitation against any affected endpoint using this feature.

Python Denial Of Service Red Hat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-48523 PyPI MEDIUM PATCH GHSA This Month

Algorithm allow-list bypass in PyJWT 2.9.0-2.12.1 permits an attacker who controls a registered JWK/JWKS private key to circumvent caller-enforced algorithm restrictions during JWT signature verification. The library correctly checks the token header's alg claim against the caller-supplied allow-list, but then performs the actual cryptographic verification using the algorithm bound to the PyJWK object rather than the header-declared algorithm - creating a exploitable mismatch. Specifically, the documented PyJWKClient.get_signing_key_from_jwt() flow is affected, meaning applications relying on this pattern for algorithm-restricted JWT validation may accept tokens signed with algorithms they explicitly prohibited. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass Jwt Attack Python Red Hat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-48526 PyPI HIGH POC PATCH GHSA This Week

Authentication bypass in PyJWT versions prior to 2.13.0 allows remote attackers to forge valid JSON Web Tokens by exploiting an algorithm confusion flaw where the library fails to validate that a JSON Web Key intended for asymmetric verification is not reused as an HMAC shared secret. An attacker who knows the issuer's public key (typically distributed openly via JWKS endpoints) can sign HMAC-algorithm tokens with that public key and have them accepted as legitimate. No public exploit identified at time of analysis, though the underlying algorithm-confusion class is a well-documented JWT attack pattern.

Python Authentication Bypass Pyjwt
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-48524 PyPI LOW POC PATCH GHSA Monitor

Unconstrained outbound JWKS requests in PyJWT's PyJWKClient.get_signing_key() allow unauthenticated remote attackers to amplify HTTP traffic toward a downstream JWKS endpoint by submitting JWTs carrying arbitrary, unrecognized kid values. All PyJWT versions prior to 2.13.0 are affected when the PyJWKClient class is used for signature verification. The availability impact is low (CVSS A:L) and exploitation success is gated on the upstream JWKS provider exhibiting rate limiting or transient failures; no public exploit code exists and this CVE does not appear in CISA KEV.

Information Disclosure Python
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-48522 PyPI MEDIUM PATCH GHSA This Month

PyJWKClient in PyJWT prior to 2.13.0 passes attacker-influenced URIs directly to Python's urllib.request.urlopen() without restricting URI schemes, enabling Server-Side Request Forgery (SSRF) across file://, FTP, and data-URI schemes against applications that accept untrusted jku values. Affected deployments include any Python application using PyJWKClient where the jku URL originates from a JWT header, OAuth flow parameter, or externally influenced configuration. No public exploit exists and no CISA KEV listing is present; real-world exploitation is constrained by a CVSS-confirmed high attack complexity (AC:H) and required user interaction (UI:R), making opportunistic mass exploitation unlikely.

SSRF Python Red Hat
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-48155 PyPI MEDIUM PATCH GHSA This Month

Memory exhaustion in pypdf prior to 6.12.0 allows an attacker who supplies a crafted PDF to cause large memory consumption in any application that processes it using layout mode text extraction. The vulnerability is triggered by PDFs containing text positioning operators with abnormally large x- or y-coordinate offsets, causing the library to allocate unbounded whitespace and newline characters during rendering. No confirmed active exploitation exists (not in CISA KEV), and SSVC rates this as non-automatable with partial technical impact, placing it in a lower operational priority tier despite the straightforward exploitation mechanic.

Python Denial Of Service Suse Red Hat
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-48156 PyPI MEDIUM PATCH GHSA This Month

Denial-of-service via algorithmic complexity in pypdf before 6.12.0 allows an attacker who can supply a crafted PDF file to cause excessive processing time during cross-reference stream parsing. The vulnerability is triggered by crafting a PDF with /W [0 0 0] field values in a cross-reference stream combined with a large /Size value, which causes the library to perform unbounded iteration over zero-byte entries. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, any application that processes untrusted PDF input using pypdf is exposed.

Information Disclosure Python Suse Red Hat
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-48735 PyPI MEDIUM PATCH GHSA This Month

Memory exhaustion in pypdf's XMP metadata parser allows denial of service via specially crafted PDF files containing oversized or element-dense XMP blocks, affecting all versions prior to 6.12.1. The vulnerability stems from an absence of input limits in the XML-based XMP parsing subsystem (CWE-770), meaning processing a malicious PDF can consume unbounded system memory. No public exploit code has been identified at time of analysis, and no confirmed active exploitation exists; however, the patch diff is publicly visible on GitHub, making trivial exploit construction feasible.

Python Denial Of Service Suse Red Hat
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-42999 PyPI HIGH PATCH This Week

Authorization bypass in OpenStack Keystone before 29.0.2 lets any authenticated user override trusted RBAC policy targets by injecting attributes like user_id or project_id into the JSON request body. The enforce_call routine unconditionally merges the raw request body over database-derived target data, so low-privileged users can perform operations on resources owned by other users or projects. No public exploit is identified at time of analysis and EPSS exploitation probability is very low (0.03%), but the flaw is trivially exploitable by any account and a vendor patch is available.

Python Authentication Bypass Keystone
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-45725 PyPI HIGH PATCH GHSA This Week

Arbitrary file write in the compliance-trestle Python library (versions 4.0.0-4.0.2 and any release below 3.12.2) lets an attacker who controls a referenced OSCAL artifact plant attacker-supplied content anywhere the trestle process can write. The HTTPSFetcher and SFTPFetcher cache layer builds the local cache file path directly from the URL path component, so when trestle imports a remote OSCAL profile whose href contains `../` traversal the fetched HTTP/SFTP response body escapes the .trestle cache directory; overwriting files such as /etc/cron.d entries, ~/.ssh/authorized_keys, or a module on sys.path turns the primitive into code execution. A reproducible public proof-of-concept exists in the GHSA advisory (GHSA-g3vg-vx23-3858); the flaw is not listed in CISA KEV and no CVSS or EPSS scoring is provided, but the maintainers have shipped fixes in 4.0.3 and 3.12.2.

IBM RCE Python Nginx Path Traversal
NVD GitHub
EPSS
0.0%
CVE-2026-46621 Maven CRITICAL PATCH GHSA Act Now

Remote code execution in Yamcs (the open-source mission control framework, yamcs-core) before 5.12.7 lets an authenticated operator holding the ChangeMissionDatabase privilege overwrite a Python (Jython) algorithm via the Mission Database REST API and run arbitrary OS commands on the host. The Jython script engine is invoked without a sandbox, so injected algorithm text can import java.lang.Runtime and shell out. Publicly available exploit code exists (a full PoC is published in the GitHub Security Advisory), but the issue is not listed in CISA KEV and no public in-the-wild exploitation is identified.

RCE Java Command Injection Code Injection Python
NVD GitHub
CVSS 3.1
9.1
EPSS
0.5%
CVE-2026-46562 Maven CRITICAL PATCH GHSA Act Now

Remote code execution in the Yamcs mission control framework (org.yamcs:yamcs-core, releases 4.7.3 through 5.12.6) lets a caller of the algorithm-override endpoint run arbitrary Java/OS code on the ground server. The Nashorn JavaScript engine that evaluates user-supplied algorithm text is created without a ClassFilter, so payloads can reach any Java class (e.g. java.lang.Runtime) and execute commands as the Yamcs process user; because the default install (no security.yaml) gives the built-in guest user superuser=true, the endpoint is reachable by an unauthenticated network attacker. A detailed working exploit is published in the GitHub Security Advisory (publicly available exploit code exists); the issue is not listed in CISA KEV and no EPSS score was provided in the input.

Java RCE Code Injection Python
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-25879 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.

PostgreSQL Python Information Disclosure SQLi RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-44887 CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Pi.Alert, an open-source WiFi/LAN intruder detector with web-based service monitoring, in all versions prior to the 2026-05-07 release. The web configuration editor writes attacker-controlled content into pialert.conf, which the background scan daemon subsequently evaluates with Python's exec(), so injected statements run with the daemon's privileges. Because the product ships with web protection disabled by default, an attacker reaching the web interface needs no credentials, yielding a CVSS 9.8 critical flaw; no public exploit identified at time of analysis.

Code Injection RCE Python
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-44888 CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Pi.Alert, a Python-based Wi-Fi/LAN intruder detector, in all releases prior to the 2026-05-07 fix. The web UI's SaveConfigFile() endpoint writes attacker-supplied numeric configuration values such as SMTP_PORT into pialert.conf with no validation, and because that file is reloaded via Python's exec() by a background cron job every 3-5 minutes, injected Python executes at the OS level. On default installations (PIALERT_WEB_PROTECTION = False) no credentials are required, matching the CVSS 9.8 network/no-privilege rating; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but trivial complexity and full CIA impact make it a high-priority patch.

Code Injection RCE Python
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-42197 HIGH PATCH This Week

Stored cross-site scripting in the RELATE web courseware lets any enrolled student inject JavaScript that executes in an administrator's authenticated browser session, enabling full admin account takeover. The payload is planted via the freely editable first_name/last_name fields on the /profile/ page and fires when an admin opens the Participation list in the Django admin panel. No public exploit has been identified, but the root cause is confirmed in source and fixed upstream; with a CVSS of 8.7 and a scope-changing impact, this is a high-severity privilege-escalation issue.

XSS Python
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-48544 PyPI HIGH GHSA This Week

Unauthorized file disclosure in Taipy 4.1.1 lets remote unauthenticated attackers read files outside an extension library's intended directory through the GUI ElementLibrary.get_resource() resource handler. The containment check used str.startswith() without a trailing separator, so a crafted request with traversal segments can resolve into a prefix-matching sibling directory on disk while still passing the flawed check. Impact is confined to confidentiality (file read), with no public exploit identified at time of analysis and no CISA KEV listing.

Path Traversal Python
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-44847 HIGH PATCH This Week

Authentication bypass in MaxKB (1Panel-dev) versions prior to 2.9.0 allows remote unauthenticated attackers to invoke webhook trigger endpoints and execute their bound tasks. The flaw stems from the WebhookAuth class unconditionally returning a successful authentication tuple, which Django REST Framework interprets as a valid identity, combined with no backend enforcement of per-trigger token requirements. No public exploit identified at time of analysis, but the trivial nature of the bypass and open-source visibility of the patch make exploitation straightforward for any attacker who can enumerate or guess trigger IDs.

Python Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-44723 MEDIUM PATCH This Month

{{ github.event.pull_request.title }} directly into bash double-quoted strings across four steps in four separate jobs, enabling shell escape via crafted PR title content. No public exploit has been identified and EPSS stands at 0.03% (10th percentile), though the supply-chain nature of this CI-targeting vulnerability means successful exploitation could expose repository secrets and runner tokens.

Python Command Injection Vowpal Wabbit
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-4372 PyPI HIGH PATCH GHSA This Week

Remote code execution in HuggingFace Transformers prior to 5.3.0 allows attackers to achieve arbitrary code execution on a victim's machine by publishing a malicious model whose config.json sets the `_attn_implementation_internal` field to an attacker-controlled Hub repository. When the victim calls the standard `AutoModelForCausalLM.from_pretrained()` API, the library silently downloads and executes Python kernels from that repository with the victim's privileges, bypassing the `trust_remote_code` safety gate. No public exploit is identified at time of analysis (EPSS 0.03%, SSVC exploitation: none), but the technical impact is total and the attack uses the documented, default usage pattern.

Python Deserialization RCE Huggingface Transformers
NVD GitHub
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-5843 HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to achieve RCE on the host by tricking the MLX inference backend into loading a Python file from an attacker-controlled OCI model registry. The MLX-LM library imports the file referenced by config.json's model_file field via importlib without any trust_remote_code gate, and the backend runs unsandboxed as the Docker Desktop user. Patched in Docker Desktop 4.71.0; no public exploit identified at time of analysis and EPSS is very low (0.01%), but the SSVC technical impact is rated total.

Python Apple RCE Docker
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-5817 HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's vllm-metal inference backend on macOS allows any container on the Docker network to trigger host-level RCE by pulling a malicious model from an OCI registry and requesting inference. The Docker Model Runner unconditionally sets trust_remote_code=True and runs without sandboxing, so AutoTokenizer.from_pretrained() loads attacker-controlled Python from the model and executes it as the Docker Desktop user. No public exploit identified at time of analysis; EPSS sits at 0.01% and SSVC marks exploitation as 'none' despite total technical impact.

Python Apple RCE Docker
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-46715 PyPI MEDIUM PATCH GHSA This Month

Session freshness bypass in Flask-Security-Too 5.8.0 allows an attacker who controls a stale authenticated victim session to satisfy the victim session's reauthentication requirement using their own OAuth identity, not the victim's. The flaw in `oauth_glue.py` causes `oauth_verify_response()` to update `session["fs_paa"]` (the freshness timestamp) without verifying that the OAuth-resolved user matches the currently authenticated session user. Exploitation was confirmed via a detailed proof-of-concept that successfully changed a victim user's username through the built-in `/change-username` route after bypassing the freshness gate. Publicly available exploit code exists; no CISA KEV listing at time of analysis.

Python CSRF Authentication Bypass Suse
NVD GitHub
EPSS
0.0%
CVE-2026-46670 PHP CRITICAL POC PATCH GHSA Act Now

Unauthenticated SQL injection in YesWiki's Bazar form-import path allows any remote visitor to inject arbitrary SQL into an INSERT statement and exfiltrate the entire database, including yeswiki_users.password hashes. Affects YesWiki 4.6.1, 4.6.2, and the doryphore-dev branch prior to 4.6.4. Publicly available exploit code exists (a working Python PoC is published in the GHSA advisory), though no public exploit identified in CISA KEV at time of analysis.

PHP Python SQLi Docker
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-46701 npm HIGH POC PATCH GHSA This Week

Unauthenticated cross-origin MCP tool invocation in Network-AI v5.4.4 allows a remote attacker to lure a victim to a malicious web page that silently invokes any of the 22 exposed MCP tools (including config_set, agent_spawn, blackboard_write, and token_create/revoke) against the victim's locally running MCP SSE server. The vulnerability stems from an empty default secret combined with a wildcard CORS policy, and publicly available exploit code exists in the GHSA advisory demonstrating end-to-end exploitation. No CISA KEV listing yet and EPSS data was not provided, but the published PoC and trivial attack mechanics make this a meaningful risk for any user running the default Docker deployment.

Python RCE Docker
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-46703 LIB CRITICAL PATCH GHSA Act Now

Arbitrary file write on the host in Boxlite sandbox service versions prior to 0.9.0 allows attackers to escape the OCI image extraction root via crafted symlink entries in layer tarballs, enabling remote code execution on the host (typically as root). Exploitation requires a user to pull and load a malicious OCI image distributed through registries such as DockerHub. Publicly available exploit code exists (vendor-published PoC); no public exploit identified in CISA KEV at time of analysis.

Path Traversal Python RCE
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-46695 LIB CRITICAL PATCH GHSA Act Now

Sandbox escape in Boxlite versions prior to 0.9.0 lets untrusted code running inside the lightweight VM remount host-shared virtiofs directories from read-only to read-write, enabling arbitrary writes to host files that operators believed were protected. Because the container is granted all 41 Linux capabilities (including CAP_SYS_ADMIN), a trivial 'mount -o remount,rw' bypasses the client-side MS_RDONLY enforcement, and in AI-agent deployments this leads to host code execution by tampering with mounted code, virtualenvs, or credentials. Publicly available exploit code exists (working PoC published in the GHSA advisory) and the issue carries a CVSS 10.0 with scope change; no public exploit identified at time of analysis in CISA KEV.

Node.js Docker Authentication Bypass RCE Python
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-46556 PyPI MEDIUM GHSA This Month

Blind Server-Side Request Forgery in FlaskBB's avatar URL handling allows any authenticated user to force the server to issue arbitrary HTTP GET requests to internal network endpoints, including cloud instance metadata services (AWS IMDSv1 at 169.254.169.254, GCP, Azure equivalents). All versions up to and including 2.2.0 of the pip-distributed FlaskBB package are affected, with no vendor-released patch available at time of analysis. A proof-of-concept is publicly available via the GitHub Security Advisory, and three distinct exploitation channels have been demonstrated: direct credential exfiltration from cloud metadata services, internal port scanning via differential error responses, and triggering of internal APIs (Elasticsearch, etcd, Consul, CI/CD webhooks).

Microsoft Elastic Python SSRF
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-46561 PyPI MEDIUM PATCH GHSA This Month

Redirect-based SSRF bypass in pyload-ng's parse_urls API allows authenticated attackers with ADD permission to probe internal network services and cloud metadata endpoints by chaining an open redirect through an attacker-controlled host. The prior SSRF fix (commit 33c55da, GHSA-7gvf-3w72-p2pg) correctly hardened HTTPChunk but left HTTPRequest used by RequestFactory.get_url() with allow_private_ip=True, rendering the is_global_host() check on the initial URL ineffective against 302 redirects to private IP space. A public proof-of-concept exploit exists demonstrating exfiltration of AWS IMDSv1 metadata; no public exploit identified at time of analysis for active in-the-wild exploitation, and CVE-2026-46561 is not listed in the CISA KEV catalog.

Microsoft Python SSRF
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-46517 PyPI HIGH GHSA This Week

Unsafe default code execution in InternLM LMDeploy (<=0.12.3) lets a malicious Hugging Face model repository run arbitrary Python on the host whenever a user loads it through any LMDeploy CLI (serve, calibrate, gptq, awq). The library hardcodes transformers.AutoConfig.from_pretrained(..., trust_remote_code=True) in get_model_arch and related helpers with no flag, env var, or warning to opt out, overriding HF Transformers' default-secure stance. No public exploit identified at time of analysis, and exploitation requires the user to load an untrusted repo, so risk is hardening-level rather than network-reachable RCE.

Code Injection Python RCE
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-46497 PyPI LOW PATCH GHSA Monitor

Two-layer blind SSRF in Crawlee for Python (pip/crawlee >= 1.0.0, < 1.7.0) allows an attacker who controls a sitemap or robots.txt file to force the crawler to issue HTTP requests against internal network services (layer 1, all HTTP clients), and - when CurlImpersonateHttpClient is configured - to dispatch non-HTTP scheme requests including gopher://, file://, dict://, and ftp:// (layer 2). The layer 2 escalation enables canonical Redis exploitation via gopher://, making RCE on unauthenticated internal Redis instances achievable from a public-facing crawler. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the researcher-credited advisory details a fully articulated attack path including Redis RCE.

SSRF Redis RCE Canonical Python
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-46432 PyPI HIGH PATCH GHSA This Week

Arbitrary code execution in InternLM lmdeploy <= 0.12.3 occurs because trust_remote_code=True is hardcoded across HuggingFace model-loading call sites in lmdeploy/archs.py and lmdeploy/utils.py. An attacker who can influence the model_path passed to an lmdeploy serving process can point it at a malicious HuggingFace repository, causing Transformers to download and execute attacker-controlled Python code with the privileges of the serving daemon. Publicly available exploit code exists in the GHSA advisory, and an upstream fix has been merged via PR #4511 (fixed in 0.13.0).

Kubernetes Code Injection RCE Denial Of Service Python
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-48207 PyPI CRITICAL PATCH GHSA Act Now

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

Deserialization Apache Python
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-40102 MEDIUM PATCH This Month

ORM Field Reference Injection in Plane versions 1.3.0 and below enables any authenticated workspace MEMBER to exfiltrate sensitive data - including bcrypt password hashes, API tokens, and user email addresses - via a single crafted GET request. The SavedAnalyticEndpoint omits the field allowlist validation present in the regular AnalyticsEndpoint, passing the user-supplied segment parameter directly into Django F() expressions, which then traverse foreign-key relationships and return referenced field values in the JSON response. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack is trivially reconstructable from the public GHSA-93x3-ghh7-72j3 advisory and the exfiltrated data directly enables secondary attacks.

Information Disclosure Nosql Injection Python
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Path traversal in Tautulli's cache deletion API endpoint allows authenticated low-privilege users to delete arbitrary directories outside the configured cache root, resulting in arbitrary data loss and service disruption. All Tautulli versions prior to 2.17.1 are affected; the vendor-confirmed fix is v2.17.1 (released 2026-05-04). The CVSS 4.0 E:P modifier confirms proof-of-concept exploit code exists, and no public exploit identified at time of analysis rises to CISA KEV-confirmed active exploitation.

Python Path Traversal Tautulli
NVD GitHub
EPSS 1%
CRITICAL PATCH Act Now

Server-side template injection in Jupyter Enterprise Gateway versions 2.0.0rc2 through 3.2.x allows remote attackers to execute arbitrary Python code and OS commands in the Enterprise Gateway pod by injecting Jinja2 expressions into KERNEL_XXX environment variables sent via the kernel-creation API. Successful exploitation yields the gateway's Kubernetes service account token, which (per the published PoC RBAC dump) carries cluster-impacting verbs over pods, secrets, and persistent volumes - providing a realistic path to full Kubernetes cluster compromise. A working PoC is published in the GHSA advisory (GHSA-f49j-v924-fx9w); no CISA KEV listing at time of analysis.

Kubernetes Python Ssti +1
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Authenticated zone-file injection in Froxlor <=2.3.6 allows a customer with DNS editing enabled to inject newline characters into TXT record content via the DomainZones.add API, breaking out of the record line in the generated BIND zone file and injecting arbitrary BIND directives ($INCLUDE, $GENERATE) or DNS records (A, MX, CNAME). The flaw is an incomplete fix for CVE-2026-30932, which sanitized LOC/RP/SSHFP/TLSA records but left TXT handling reliant only on Dns::encloseTXTContent(), which strips no control characters. Publicly available exploit code exists (detailed PoC including a Python script in the GHSA advisory), but there is no public exploit identified at time of analysis in CISA KEV and no EPSS score was provided.

Python Apache PHP +3
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Path traversal (Zip Slip) in IBM's Docling document processing library before v2.91.0 allows arbitrary file write when the EasyOCR model download function extracts ZIP archives without validating member paths. An attacker who can intercept or substitute the model download source (via MITM, DNS spoofing, or upstream supply-chain compromise) can drop files anywhere the process can write, leading to RCE or persistence. No public exploit identified at time of analysis and the vulnerability is not on the CISA KEV list.

Python Path Traversal RCE
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Incorrect cache storage in Django's UpdateCacheMiddleware exposes responses that should have been excluded from caching due to uppercase or mixed-case Cache-Control directives (e.g., 'Private', 'NO-STORE'). Affected versions 5.2.x before 5.2.15 and 6.0.x before 6.0.6 fail to perform case-insensitive comparison of Cache-Control directive strings, causing the middleware to cache responses it should skip, which remote attackers can then retrieve. No public exploit has been identified at time of analysis, and active exploitation is not confirmed; the low CVSS 4.0 score of 2.3 accurately reflects limited scope, though real-world impact scales with how sensitive the incorrectly cached data is.

Information Disclosure Python
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Django's SMTP email backend silently downgrades to cleartext transmission when a STARTTLS handshake fails under the `fail_silently=True` configuration, exposing email content to on-path network interception. Affected are Django 6.0.x before 6.0.6 and 5.2.x before 5.2.15; older unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated but may also be vulnerable. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects the high attack complexity and mandatory on-path network positioning required for exploitation.

Information Disclosure Python
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cookie context confusion in Django's signed cookie implementation allows a remote low-privileged attacker to substitute a cookie signed in one application context into a different context where a distinct (name, salt) pair produces the same concatenated string. Affected are Django 6.0 before 6.0.6 and Django 5.2 before 5.2.15; older unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated but may also be affected. The real-world impact is limited to low-confidence data exposure (VC:L), with no public exploit identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects a low-severity, contextually constrained flaw.

Jwt Attack Code Injection Python
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Remote code execution in Hugging Face Transformers 5.2.0 allows a malicious model repository to bypass the user's explicit trust_remote_code=False safeguard when loading a LightGlue model via AutoModel.from_pretrained(). The LightGlueConfig deserializes the trust_remote_code flag from the untrusted config.json and propagates the attacker-controlled value into a nested AutoConfig.from_pretrained() call, enabling execution of arbitrary attacker-supplied Python during model initialization. Rated CVSS 9.6 (AV:N/AC:L/PR:N/UI:R) with publicly available exploit code exists via the Huntr disclosure, though EPSS is currently 0.07% (22th percentile) and the CVE is not on CISA KEV.

RCE Python Transformers
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cache-bypass information disclosure in Django's `has_vary_header()` utility allows remote attackers to read cached HTTP responses intended for other users by exploiting improper whitespace handling in `Vary` header comparisons. Affected versions are Django 5.2.x before 5.2.15 and 6.0.x before 6.0.6; earlier unsupported series (5.0.x, 4.1.x, 3.2.x) were not evaluated and may also be affected per the vendor. The CVSS 4.0 score of 2.3 reflects constrained real-world impact requiring both a non-default prerequisite condition and user interaction, with no public exploit or confirmed active exploitation identified at time of analysis.

Information Disclosure Python
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Cache information disclosure in Django 5.2.x and 6.0.x allows remote unauthenticated attackers to read private authenticated responses served from shared caching layers. The `UpdateCacheMiddleware` component omits `Authorization` from the `Vary` response header when authenticated requests lack an explicit `Cache-Control: public` directive, causing caches to serve authenticated users' responses to subsequent unauthenticated requestors at the same URL. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects meaningful - but constrained - real-world impact gated behind specific deployment prerequisites.

Information Disclosure Python
NVD VulDB
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Cross-origin cookie leakage in aiohttp prior to 3.14.0 allows sensitive per-request cookies to be forwarded to attacker-controlled domains when a redirect is followed. When application code passes cookies via the `cookies` parameter of an aiohttp request, those cookies are not dropped upon following a cross-origin redirect - violating the origin isolation guarantee users expect. An attacker who can influence redirect responses (e.g., via a compromised or malicious upstream server) can harvest cookie values intended only for the original origin. No public exploit identified at time of analysis; EPSS data not provided in source intelligence.

Information Disclosure Python
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Arbitrary code execution in the aiohttp Python framework (versions prior to 3.14.0) arises when CookieJar.load() deserializes an attacker-controlled file, classed as CWE-502 unsafe deserialization. An attacker who can plant or substitute the persisted cookie file and induce the application to load it gains code execution in the host process. There is no public exploit identified at time of analysis, EPSS is very low (0.06%), and CISA SSVC rates exploitation as none - consistent with the library's own note that the function is normally used on the user's own trusted data.

RCE Deserialization Python +1
NVD GitHub VulDB
EPSS 0% CVSS 2.9
LOW POC PATCH Monitor

Reachable assertion in SGLang 0.5.10.post1's LoRA adapter scheduler allows a remote unauthenticated attacker to trigger a denial of service via a crafted `lora_path` argument to the inference HTTP endpoint. The root cause is a logic flaw in the batch prefill scheduler: chunked LoRA prefill requests already admitted to the prefill queue are invisible to the LoRA admission check, enabling N+1 distinct adapters to be submitted when `max_loras_per_batch=N`, which forces an assertion failure in `lora_manager.py`. A publicly available proof-of-concept exists (no public exploit identified at time of analysis in the KEV sense), and the CVSS 4.0 score of 2.9 reflects high attack complexity and limited availability impact.

Denial Of Service Python
NVD VulDB GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

{id} request. The DELETE endpoint enforces only member-level authorization instead of owner-level, and the destructive action is silent, immediate, and without recovery path. No public exploit identified at time of analysis, but source-level analysis confirms the gap and a vendor patch is available.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform versions prior to 0.1.4 allows any authenticated workspace member to read, modify, or delete issues belonging to other tenants by supplying a known issue UUID against their own workspace path. The issue CRUD endpoints validate workspace membership but never verify that the targeted issue actually belongs to that workspace, breaking multi-tenant isolation. No public exploit identified at time of analysis, but the vulnerability is source-verified end-to-end with an upstream fix released as version 0.1.4.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

{workspace_id}/members. The endpoint enforces only the default member-tier gate and forwards the caller-supplied role directly to MemberService.add, which validates the role string but never checks the caller's permission to assign it. No public exploit identified at time of analysis, but a detailed exploit chain is documented in the vendor advisory.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

{workspace_id} endpoint. The CVSS vector (PR:L/AC:L/AV:N/UI:N/I:H) confirms this is a low-complexity network attack requiring only member-tier credentials, and the integrity impact is rated High because the settings field can be used as a configuration-injection primitive - redirecting LLM provider URLs, webhook endpoints, or invite flows to attacker-controlled infrastructure. No public exploit identified at time of analysis, though the exploit chain is trivially reproducible from the published GitHub Security Advisory GHSA-rcmc-q9rj-4wmq.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform versions prior to 0.1.4 allows any authenticated workspace member to read and inject comments on issues belonging to any other tenant in a multi-tenant deployment. The comment endpoints validate workspace membership but never verify that the URL-supplied issue_id actually belongs to that workspace, breaking tenant isolation. No public exploit identified at time of analysis, but source-code-level analysis confirms the gap end-to-end.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

{workspace_id}/projects/{project_id} only verify membership in the URL-supplied workspace, then perform primary-key-only lookups against the Project table without scoping by workspace_id. No public exploit identified at time of analysis, and EPSS/KEV signals are not provided for this advisory.

Python Authentication Bypass
NVD GitHub
EPSS 0%
MEDIUM PATCH This Month

Arbitrary file write via path traversal in rattler's noarch:python entry-point installer allows a malicious conda package to write executable files outside the install prefix on both Unix and Windows. Any user of rattler < 0.43.2, pixi < 0.69.0, or rattler-build < 0.65.0 who installs a crafted noarch:python package is affected - no special configuration or flag opt-in is required. The attacker-controlled file is written with mode 0o775 on Unix or as a copied launcher .exe on Windows, enabling code execution when the entry-point is subsequently invoked. No public exploit code is identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Microsoft Path Traversal Python
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

{/, l, o, g} - rather than a literal prefix strip, causing the filename derived from the URL to diverge from the file actually served. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Python Apache Deserialization +1
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The event log detail endpoint in Apache Airflow before 3.2.2 applies a generic DAG-level audit log permission check rather than scoping authorization to the specific DAG that owns the requested event log entry, allowing any authenticated low-privilege user to read audit log entries belonging to DAGs outside their permitted scope. The flaw is a broken object-level authorization (IDOR) pattern - classified as CWE-639 - where the user-supplied `event_log_id` path parameter can reference log rows from unauthorized DAGs without triggering a rejection. No public exploit code exists and the issue is not listed in CISA KEV, but the attack is trivially executable by any authenticated Airflow user in a multi-tenant deployment.

Python Apache Deserialization +1
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Arbitrary Python module import in Apache Airflow versions prior to 3.2.2 occurs when the scheduler deserializes custom DeadlineReference objects, because the prior implementation called import_string() directly on an attacker-controllable __class_path field. Rated CVSS 7.3 with low confidentiality/integrity/availability impact, this issue has no public exploit identified at time of analysis and EPSS estimates exploitation probability at 0.02% (6th percentile).

Apache Deserialization Python
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

JWT session tokens remain valid after logout in Apache Airflow deployments using FabAuthManager or KeycloakAuthManager due to an unreachable revoke_token() call in the logout code path. Versions before 3.2.2 are affected. When the configured auth manager returns an external redirect URL on logout (as Keycloak-backed deployments do), the logout handler redirects the browser before invoking revoke_token(), leaving the JWT - with its embedded jti claim - unregistered in the RevokedToken table and therefore still accepted by the API. No public exploit is identified at time of analysis, and EPSS exploitation probability stands at 0.01% (4th percentile), but the impact is meaningful in environments where session hijacking or token theft is a realistic threat model.

Authentication Bypass Apache Python
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

{workspace_id}/members/{user_id} request. The route's FastAPI dependency defaults to min_role="member" and is never overridden, while the service layer applies the requested role with no caller-privilege or role-hierarchy checks. No public exploit identified at time of analysis, but the GitHub Security Advisory (GHSA-c2m8-4gcg-v22g) provides full reproduction details and a fix is shipped in 0.1.4.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

{workspace_id}/members/{user_id}`, which defaults to `min_role="member"` instead of requiring owner/admin privileges, and there is no public exploit identified at time of analysis.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Cross-workspace label tampering in praisonai-platform <=0.1.2 lets any authenticated workspace member rewrite, delete, attach, detach, and enumerate labels belonging to other tenants because five label endpoints only check workspace membership and never verify that the URL-supplied label_id or issue_id actually belongs to that workspace. Reported by the upstream MervinPraison/PraisonAI project with a fix in 0.1.4; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Cross-workspace Insecure Direct Object Reference in praisonai-platform (<=0.1.2) allows any authenticated workspace member to read, create, and delete issue dependencies belonging to foreign workspaces by supplying arbitrary issue UUIDs in URL paths and request bodies. The dependency endpoints only enforce membership on the URL workspace_id while passing unvalidated issue and dependency identifiers to DependencyService, enabling cross-tenant linking of issues across any two workspaces in the deployment. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-4x6r-9v57-3gqw confirms the flaw and a fixed version (0.1.4) is available.

Python Authentication Bypass Information Disclosure
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Pre-authentication full account takeover in praisonai-platform (pip package, versions <= 0.1.2) allows remote unauthenticated attackers to forge JWTs for any user, including workspace owners and admins. The JWT signing key silently falls back to the hardcoded literal 'dev-secret-change-me' from the public GitHub source because the production-mode guard only triggers when PLATFORM_ENV is explicitly set to a non-default value, which default deployments do not do. Publicly available exploit code exists in the GHSA advisory itself, though no public exploit campaign or CISA KEV listing has been reported at time of analysis.

RCE Python
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Vertical privilege escalation in PraisonAI Platform versions 0.1.2 and earlier allows any authenticated low-privilege workspace member to self-promote to owner and take over the workspace. The flaw stems from administrative FastAPI routes reusing a shared authorization dependency that defaults to the lowest 'member' role, so role-mutation endpoints never enforce admin/owner checks. A working PoC is published in the GHSA-h37g-4h4p-9x97 advisory, though no public exploit identified at time of analysis in mass-exploitation form, and the issue is not currently in CISA KEV.

Privilege Escalation Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-workspace object access in PraisonAI Platform (pip package praisonai-platform <= 0.1.2) allows any authenticated workspace member to read, modify, and delete agents, projects, issues, and comments belonging to other workspaces by supplying the victim object's global UUID through their own workspace-scoped URL. The flaw stems from route-layer membership checks not being bound to service-layer object lookups, breaking tenant isolation in multi-tenant deployments. A working PoC is published in the GHSA advisory, though there is no public exploit identified at time of analysis beyond the advisory's own demonstration.

Python Authentication Bypass
NVD GitHub
EPSS 0%
CRITICAL PATCH Act Now

Cross-tenant IDOR and privilege escalation in PraisonAI Platform (pip package praisonai-platform <= 0.1.2) allow any registered user to read, modify, or delete agents, issues, projects, labels, comments, and dependencies across every workspace, and to promote themselves to admin/owner of any workspace they are invited to. The FastAPI `require_workspace_member` dependency validates membership against the URL prefix workspace but never checks that nested resource IDs belong to that workspace, while privileged member-management routes inherit the default `min_role="member"` instead of requiring admin/owner. Publicly available exploit code exists in the form of a reporter-supplied PoC, open registration on the default `0.0.0.0:8000` bind makes exploitation trivial, and CVSS, EPSS, and CISA KEV signals are not provided in the supplied data.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

{workspace_id}/issues/{issue_id}/activity endpoint validates workspace membership but passes issue_id directly to an unscoped database query, returning actor identities, action types, and before/after field values from the details JSON blob for any issue UUID reachable by the attacker. No public exploit has been identified at time of analysis, but the vulnerability is source-inspection-verified via the GHSA-27p4-pjqv-whgj advisory.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-workspace IDOR and member-to-owner privilege escalation in PraisonAI Platform API (pip package praisonai-platform <= 0.1.2) lets any authenticated user read, modify, and delete issues and projects belonging to other tenants, and lets any workspace member promote themselves to owner and evict the legitimate owner. The two flaws chain together: a single member-level invite to any workspace becomes platform-wide data access plus full takeover of any workspace the attacker is added to. No public exploit identified at time of analysis beyond the detailed PoC published in the GHSA advisory, and the issue is not in CISA KEV.

Privilege Escalation Python Authentication Bypass +1
NVD GitHub
EPSS 0%
HIGH PATCH This Week

Arbitrary file write in PraisonAI <= 4.6.39 enables remote attackers to plant attacker-controlled files at arbitrary filesystem paths when a victim uses the Python API to crawl attacker-hosted web content. The flaw stems from write_file.py skipping path validation whenever workspace=None, which is the default state in production, and is triggered indirectly via hidden HTML metadata that PraisonAI agents interpret as legitimate instructions. No public exploit identified at time of analysis beyond the detailed PoC included in the GitHub Security Advisory (GHSA-hvhp-v2gc-268q).

Path Traversal Python
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in PraisonAI's first-party A2A server example (pip package <= 4.6.39) allows unauthenticated network attackers to execute arbitrary Python on the server process by sending a JSON-RPC message/send request to /a2a that drives the LLM-backed agent into invoking an eval()-based calculate tool. The chain combines three first-party defaults - no auth_token, 0.0.0.0 bind, and an eval()-backed example tool - and was confirmed end-to-end against a real Gemini model with a canary marker file write. No public exploit identified at time of analysis beyond the proof-of-concept in the advisory itself, and the issue is not in CISA KEV.

Denial Of Service RCE Code Injection +1
NVD GitHub
EPSS 0%
HIGH PATCH This Week

Unauthenticated arbitrary file read in PraisonAI's MCP server (pip/PraisonAI <= 4.6.39) allows remote callers to retrieve any file readable by the host user via the praisonai.workflow.show, praisonai.workflow.validate, and praisonai.deploy.validate tool handlers. The flaw is an incomplete fix for CVE-2026-44336: a hardening helper was applied to the rules.* tools but not to these adjacent workflow/deploy handlers, and the dispatcher still forwards unvalidated kwargs to handlers. Publicly available exploit code exists (working proof-of-concept in the advisory); no public exploit identified at time of analysis as a packaged exploit, but the advisory itself ships a runnable PoC.

Docker PostgreSQL Path Traversal +1
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution in PraisonAI praisonaiagents <=1.6.39 and PraisonAI <=4.6.39 allows authenticated attackers to fully escape the execute_code() subprocess sandbox by leveraging print.__self__ to reach the real builtins module and reconstructing __import__ at runtime. The flaw defeats prior patches for CVE-2026-39888, CVE-2026-34938, and CVE-2026-40158, enabling arbitrary OS command execution on the host wherever agent input can be influenced via prompt injection or direct code submission. Publicly available exploit code exists in the GitHub Security Advisory (GHSA-4mr5-g6f9-cfrh), and EPSS/KEV signals are not yet published for this newly disclosed novel bypass.

Command Injection Node.js RCE +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Local SSRF in PraisonAI's direct-prompt CLI allows an attacker who can influence prompt text to cause the operator's machine to fetch loopback and private-network HTTP resources, injecting the response body into the LLM prompt context. Affected packages are pip/praisonai <= 4.6.39 and pip/praisonaiagents <= 1.6.39; patches are available in 4.6.40 and 1.6.40 respectively. Publicly available exploit code exists (confirmed working PoC in the GHSA advisory), no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV listing absent), and the CVSS 5.5 score reflects a meaningful confidentiality impact (C:H) constrained by a local attack vector.

Information Disclosure Mozilla SSRF +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in PraisonAI versions <= 4.6.39 allows remote unauthenticated attackers to invoke arbitrary LLM orchestration via the Flask API server generated by the documented `praisonai deploy --type api` quickstart. The generator defaults `auth_enabled=False`, causing `check_auth()` to short-circuit to `True` and accept any request to `/chat` and `/agents`, exposing the operator's LLM API keys and any agent-attached tools (python_repl, bash, file I/O, HTTP). Publicly available exploit code exists in the form of a working PoC, and CVSS scores this 9.8 critical.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated remote agent control in PraisonAI's call server (versions <= 4.6.39) allows any network-reachable client to enumerate, inspect, invoke, and unregister registered agents when the operator launches `praisonai-call` without setting the `CALL_SERVER_TOKEN` environment variable. The flaw stems from a fail-open authentication dependency combined with the server binding to 0.0.0.0 by default, and a working proof-of-concept is published in the GHSA advisory demonstrating end-to-end exploitation against a default deployment.

Python Authentication Bypass Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

SSRF protection bypass in PraisonAI's spider_tools component (praisonaiagents <= 1.6.39, PraisonAI <= 4.6.39) allows an attacker who can influence URLs submitted to scrape_page(), crawl(), or extract_text() to reach loopback-only HTTP services by supplying alternate loopback address encodings such as octal IPv4, hex, decimal integer, or trailing-dot hostname forms. The _validate_url() function performs only exact-string blocklist checks against 'localhost' and '127.0.0.1', without DNS resolution, IP normalization, or post-connect address validation, causing the bypass. Publicly available exploit code (PoC) has been confirmed functional; no active exploitation via CISA KEV has been identified at time of analysis.

RCE SSRF Python
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in PraisonAI versions 2.0.0 through 4.6.39 allows attackers to execute arbitrary Python code via two unguarded spec.loader.exec_module call sites in agents_generator.py. The flaw is a sibling of CVE-2026-44334: the v4.6.32 chokepoint refactor added a PRAISONAI_ALLOW_LOCAL_TOOLS env-var gate to tool_override.py but missed the load_tools_from_module and load_tools_from_module_class sinks, which load arbitrary module paths from YAML agent configuration without validation. Publicly available exploit code exists (working PoC published with the advisory) and a fixed release is available in 4.6.40.

RCE Code Injection Python
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Plaintext credential exposure in Admidio v5.0.9 and earlier causes session IDs and persistent auto-login cookie values to be written to application logs whenever debug logging is enabled. Both the ADMIDIO_*_SESSION_ID and the long-lived ADMIDIO_*_AUTO_LOGIN_ID tokens are recorded verbatim by Session::setCookie() and Session::start(), effectively turning the log sink into a recoverable credential store. Any actor with read access to log files, log backups, or external log aggregation pipelines can extract and replay these tokens to hijack active sessions or gain persistent account access. Publicly available exploit code exists as documented in GitHub advisory GHSA-mch8-wf3h-6x88; this CVE is not currently listed in CISA KEV.

Information Disclosure PHP CSRF +1
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Missing CSRF protection on the PKCS#12 private key export endpoint in Admidio v5.0.9 allows a network-based attacker to force an authenticated administrator's browser to trigger an unauthorized SSO private key export. The SecurityUtils::validateCsrfToken() call in modules/sso/keys.php was commented out on the 'export' case, permitting forged cross-site POST requests to invoke KeyService::exportToPkcs12() without a valid form token. While same-origin policy prevents the attacker from reading the streamed .p12 response directly, a working proof-of-concept is publicly documented in the GitHub security advisory and a vendor-confirmed fix is available in version 5.0.10.

OpenSSL Ubuntu CSRF +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Timeout enforcement in BoxLite sandbox service fails to kill processes because the implementation sends the catchable SIGALRM signal (signal 14) instead of the uncatchable SIGKILL signal (signal 9) in guest/src/service/exec/timeout.rs. All BoxLite versions up to and including 0.8.2 (pip/boxlite) are affected. A low-privileged attacker who can submit workloads to the BoxLite API can register a SIGALRM handler or set it to SIG_IGN with a single call, surviving past any configured execution timeout and exhausting VM resources to degrade availability for all BoxLite users. Publicly available exploit code exists in GitHub advisory GHSA-xjhv-pp2r-6f82; no patch has been released as of time of analysis.

Denial Of Service Python
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Memory exhaustion in python-zeroconf's DNSCache component allows any unauthenticated host on the same Layer-2 segment to OOM-kill or severely degrade processes that consume mDNS/DNS-SD services (CVSS 6.5, AV:A/PR:N). The DNSCache._async_add method imposed no upper bound on cache entries, permitting a local-link attacker to multicast valid mDNS responses with unique names that accumulate across all four internal data structures faster than the 10-second cleanup interval can purge them. A second distinct variant exploits TTL re-advertisement to bloat the internal _expire_heap independently of the cache entry counter, providing a second unbounded growth path that bypasses any entry-count monitoring. No public exploit is identified at time of analysis; a vendor-released patch is available as of zeroconf 0.149.6 or 0.149.7 (minor version discrepancy between sources - see confidence notes).

Canonical Python Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Memory exhaustion in python-zeroconf's exception deduplication logic allows any unauthenticated LAN-adjacent host to permanently pin approximately 9 KB of heap memory per unique malformed mDNS packet, enabling denial of service against zeroconf-dependent applications. The flaw affects all versions of the pip package `zeroconf` prior to 0.149.6; the unbounded `_seen_logs` dict in `QuietLogger` and `DNSIncoming._log_exception_debug` retained full Python traceback objects - and thus raw inbound packet buffers - keyed by attacker-influenced exception strings derived from ephemeral source ports, byte offsets, and pointer links. No public exploit or CISA KEV listing exists at time of analysis, but the attack is mechanistically straightforward and particularly severe on memory-constrained deployments such as Home Assistant on Raspberry Pi-class hardware, where sustained flood traffic can OOM-kill the process and disable HomeKit, Chromecast/Matter, and AirPlay discovery.

Canonical Python Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Uncontrolled recursion in python-zeroconf's mDNS DNS name decoder (versions < 0.149.5) allows any unauthenticated host on the local link to crash or degrade the mDNS listener with a single ~3 kB packet. The `_decode_labels_at_offset` method recurses once per DNS compression pointer (RFC 1035 §4.1.4) with no cap on unique forward-pointer chain depth; a packet carrying ~1500 chained pointers overflows CPython's default call stack, and because `RecursionError` was omitted from `DECODE_EXCEPTIONS`, the exception escaped `DNSIncoming.__init__` rather than being handled gracefully. Replaying at a few hertz produces sustained CPU burn, log flooding, and degradation of all mDNS-dependent services (HomeKit, Chromecast/Matter, AirPlay, network printers); no public exploit identified at time of analysis, but the attack is trivially constructible from the published advisory and test fixture in PR #1719.

Information Disclosure Python Suse
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Zip slip path traversal in Gotenberg through version 8.32.0 allows remote unauthenticated attackers to plant files outside the extraction directory on Windows hosts that unzip multi-output API responses. Because Gotenberg runs on Linux containers, its filepath.Base sanitisation never strips Windows-style backslashes from uploaded multipart filenames, so a crafted name like '..\..\..\Windows\System32\evil.pdf' is preserved verbatim as a zip entry name and honoured by Windows extractors (7-Zip, WinRAR, .NET ZipFile, Explorer). A working publicly available exploit code exists in the GHSA advisory; the issue is not present in CISA KEV and no EPSS score was provided.

Docker Microsoft Path Traversal +1
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

DNS zone file injection in Froxlor (versions before 2.3.7) allows authenticated users with DNS management permissions to inject arbitrary records into bind9 zone files through incomplete validation of LOC, RP, SSHFP, and TLSA record types. This is the second attempt at fixing the issue (originally tracked as CVE-2026-30932) - the LOC regex still matches newlines via \s+, TLSA matchingType=0 accepts unbounded hex payloads, and validators return raw input without zone-file escaping. Publicly available exploit code exists demonstrating both pre-fix injection and post-fix bypasses, though no public exploit identified in active campaigns at time of analysis.

Authentication Bypass PHP Python
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Command injection in Dulwich (pure-Python Git implementation) versions >= 0.24.0 and < 1.2.5 allows remote attackers to execute arbitrary OS commands when a victim merges an attacker-controlled branch and has a custom merge driver configured that references the %P placeholder. The ProcessMergeDriver passes attacker-controlled file paths from the git tree into subprocess.run with shell=True, so a path like 'x; touch /tmp/pwned #' is interpreted as a shell metacharacter sequence. Publicly available exploit code exists (working POC in the GitHub Security Advisory GHSA-9277-mp7x-85jf); no public exploit in CISA KEV at time of analysis.

Command Injection RCE Python
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Server-side template injection in the compliance-trestle `trestle author jinja` command enables arbitrary command execution when operators process attacker-controlled OSCAL data (SSP documents or Lookup Tables). Because the renderer recursively re-evaluates already-rendered output through a non-sandboxed Jinja2 Environment, malicious Jinja expressions placed in data fields like a system title are executed in a second pass even when the template itself is trusted and static. A proof-of-concept is published in the GHSA advisory; no public exploit identified at time of analysis as actively used in the wild, and the issue is not on CISA KEV.

RCE Code Injection Python
NVD GitHub
EPSS 0% CVSS 8.4
HIGH POC PATCH This Week

Arbitrary file write in compliance-trestle's `trestle author jinja` command allows a local user supplying a crafted `-o/--output` argument to write files anywhere the invoking user can write, due to missing validation of `../`, `..\`, and absolute paths. Affected versions are <= 3.12.1 and >= 4.0.0, < 4.0.3, with fixes in 3.12.2 and 4.0.3. No public exploit identified at time of analysis, though the GitHub Security Advisory (GHSA-4q5v-7g7x-j79w) includes a full reproducer; CVSS 8.4 reflects high impact on confidentiality, integrity, and availability.

Microsoft RCE Path Traversal +1
NVD GitHub
EPSS 0%
MEDIUM PATCH This Month

Arbitrary file read in IBM's compliance-trestle Python library allows any file accessible to the running process to be extracted by supplying a malicious OSCAL profile YAML with path traversal sequences in the imports[].href field. Three confirmed attack vectors exist: via the trestle:// URI scheme, via relative href paths, and via back_matter rlinks - all exploiting the same root cause in LocalFetcher. Publicly available exploit code (PoC) exists demonstrating extraction of /etc/passwd, cloud credential files, and SSH private keys; no CISA KEV listing is confirmed at time of analysis.

IBM Path Traversal Python
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Cross-tenant data exposure in OpenReplay self-hosted session replay suite (versions prior to 1.26.0) allows an attacker holding any valid API key for their own tenant to enumerate sessions and retrieve sensitive session event data belonging to other tenants. The flaw stems from app_apikey routes in the Python API that validate the API key and the existence of a projectKey independently, but never confirm the two belong to the same tenant. No public exploit identified at time of analysis, though the trivial nature of the abuse (substituting a browser-visible projectKey) makes weaponization straightforward.

Python Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Uncontrolled resource consumption in PyJWT 2.8.0-2.12.1 exposes any service that verifies detached JWS tokens to unauthenticated denial-of-service. When the unencoded-payload extension (b64=false, RFC 7797) is in use, PyJWT unnecessarily Base64URL-decodes the compact-serialization payload segment before discarding it in favor of the caller-supplied detached payload - turning that segment into an attacker-controlled amplifier for CPU and memory exhaustion regardless of signature validity. No public exploit has been identified at time of analysis, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms fully unauthenticated remote exploitation against any affected endpoint using this feature.

Python Denial Of Service Red Hat
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Algorithm allow-list bypass in PyJWT 2.9.0-2.12.1 permits an attacker who controls a registered JWK/JWKS private key to circumvent caller-enforced algorithm restrictions during JWT signature verification. The library correctly checks the token header's alg claim against the caller-supplied allow-list, but then performs the actual cryptographic verification using the algorithm bound to the PyJWK object rather than the header-declared algorithm - creating a exploitable mismatch. Specifically, the documented PyJWKClient.get_signing_key_from_jwt() flow is affected, meaning applications relying on this pattern for algorithm-restricted JWT validation may accept tokens signed with algorithms they explicitly prohibited. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

Authentication Bypass Jwt Attack Python +1
NVD GitHub
EPSS 0% CVSS 7.4
HIGH POC PATCH This Week

Authentication bypass in PyJWT versions prior to 2.13.0 allows remote attackers to forge valid JSON Web Tokens by exploiting an algorithm confusion flaw where the library fails to validate that a JSON Web Key intended for asymmetric verification is not reused as an HMAC shared secret. An attacker who knows the issuer's public key (typically distributed openly via JWKS endpoints) can sign HMAC-algorithm tokens with that public key and have them accepted as legitimate. No public exploit identified at time of analysis, though the underlying algorithm-confusion class is a well-documented JWT attack pattern.

Python Authentication Bypass Pyjwt
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW POC PATCH Monitor

Unconstrained outbound JWKS requests in PyJWT's PyJWKClient.get_signing_key() allow unauthenticated remote attackers to amplify HTTP traffic toward a downstream JWKS endpoint by submitting JWTs carrying arbitrary, unrecognized kid values. All PyJWT versions prior to 2.13.0 are affected when the PyJWKClient class is used for signature verification. The availability impact is low (CVSS A:L) and exploitation success is gated on the upstream JWKS provider exhibiting rate limiting or transient failures; no public exploit code exists and this CVE does not appear in CISA KEV.

Information Disclosure Python
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

PyJWKClient in PyJWT prior to 2.13.0 passes attacker-influenced URIs directly to Python's urllib.request.urlopen() without restricting URI schemes, enabling Server-Side Request Forgery (SSRF) across file://, FTP, and data-URI schemes against applications that accept untrusted jku values. Affected deployments include any Python application using PyJWKClient where the jku URL originates from a JWT header, OAuth flow parameter, or externally influenced configuration. No public exploit exists and no CISA KEV listing is present; real-world exploitation is constrained by a CVSS-confirmed high attack complexity (AC:H) and required user interaction (UI:R), making opportunistic mass exploitation unlikely.

SSRF Python Red Hat
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Memory exhaustion in pypdf prior to 6.12.0 allows an attacker who supplies a crafted PDF to cause large memory consumption in any application that processes it using layout mode text extraction. The vulnerability is triggered by PDFs containing text positioning operators with abnormally large x- or y-coordinate offsets, causing the library to allocate unbounded whitespace and newline characters during rendering. No confirmed active exploitation exists (not in CISA KEV), and SSVC rates this as non-automatable with partial technical impact, placing it in a lower operational priority tier despite the straightforward exploitation mechanic.

Python Denial Of Service Suse +1
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Denial-of-service via algorithmic complexity in pypdf before 6.12.0 allows an attacker who can supply a crafted PDF file to cause excessive processing time during cross-reference stream parsing. The vulnerability is triggered by crafting a PDF with /W [0 0 0] field values in a cross-reference stream combined with a large /Size value, which causes the library to perform unbounded iteration over zero-byte entries. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, any application that processes untrusted PDF input using pypdf is exposed.

Information Disclosure Python Suse +1
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Memory exhaustion in pypdf's XMP metadata parser allows denial of service via specially crafted PDF files containing oversized or element-dense XMP blocks, affecting all versions prior to 6.12.1. The vulnerability stems from an absence of input limits in the XML-based XMP parsing subsystem (CWE-770), meaning processing a malicious PDF can consume unbounded system memory. No public exploit code has been identified at time of analysis, and no confirmed active exploitation exists; however, the patch diff is publicly visible on GitHub, making trivial exploit construction feasible.

Python Denial Of Service Suse +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authorization bypass in OpenStack Keystone before 29.0.2 lets any authenticated user override trusted RBAC policy targets by injecting attributes like user_id or project_id into the JSON request body. The enforce_call routine unconditionally merges the raw request body over database-derived target data, so low-privileged users can perform operations on resources owned by other users or projects. No public exploit is identified at time of analysis and EPSS exploitation probability is very low (0.03%), but the flaw is trivially exploitable by any account and a vendor patch is available.

Python Authentication Bypass Keystone
NVD VulDB
EPSS 0%
HIGH PATCH This Week

Arbitrary file write in the compliance-trestle Python library (versions 4.0.0-4.0.2 and any release below 3.12.2) lets an attacker who controls a referenced OSCAL artifact plant attacker-supplied content anywhere the trestle process can write. The HTTPSFetcher and SFTPFetcher cache layer builds the local cache file path directly from the URL path component, so when trestle imports a remote OSCAL profile whose href contains `../` traversal the fetched HTTP/SFTP response body escapes the .trestle cache directory; overwriting files such as /etc/cron.d entries, ~/.ssh/authorized_keys, or a module on sys.path turns the primitive into code execution. A reproducible public proof-of-concept exists in the GHSA advisory (GHSA-g3vg-vx23-3858); the flaw is not listed in CISA KEV and no CVSS or EPSS scoring is provided, but the maintainers have shipped fixes in 4.0.3 and 3.12.2.

IBM RCE Python +2
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote code execution in Yamcs (the open-source mission control framework, yamcs-core) before 5.12.7 lets an authenticated operator holding the ChangeMissionDatabase privilege overwrite a Python (Jython) algorithm via the Mission Database REST API and run arbitrary OS commands on the host. The Jython script engine is invoked without a sandbox, so injected algorithm text can import java.lang.Runtime and shell out. Publicly available exploit code exists (a full PoC is published in the GitHub Security Advisory), but the issue is not listed in CISA KEV and no public in-the-wild exploitation is identified.

RCE Java Command Injection +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in the Yamcs mission control framework (org.yamcs:yamcs-core, releases 4.7.3 through 5.12.6) lets a caller of the algorithm-override endpoint run arbitrary Java/OS code on the ground server. The Nashorn JavaScript engine that evaluates user-supplied algorithm text is created without a ClassFilter, so payloads can reach any Java class (e.g. java.lang.Runtime) and execute commands as the Yamcs process user; because the default install (no security.yaml) gives the built-in guest user superuser=true, the endpoint is reachable by an unauthenticated network attacker. A detailed working exploit is published in the GitHub Security Advisory (publicly available exploit code exists); the issue is not listed in CISA KEV and no EPSS score was provided in the input.

Java RCE Code Injection +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.

PostgreSQL Python Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Pi.Alert, an open-source WiFi/LAN intruder detector with web-based service monitoring, in all versions prior to the 2026-05-07 release. The web configuration editor writes attacker-controlled content into pialert.conf, which the background scan daemon subsequently evaluates with Python's exec(), so injected statements run with the daemon's privileges. Because the product ships with web protection disabled by default, an attacker reaching the web interface needs no credentials, yielding a CVSS 9.8 critical flaw; no public exploit identified at time of analysis.

Code Injection RCE Python
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated remote code execution affects Pi.Alert, a Python-based Wi-Fi/LAN intruder detector, in all releases prior to the 2026-05-07 fix. The web UI's SaveConfigFile() endpoint writes attacker-supplied numeric configuration values such as SMTP_PORT into pialert.conf with no validation, and because that file is reloaded via Python's exec() by a background cron job every 3-5 minutes, injected Python executes at the OS level. On default installations (PIALERT_WEB_PROTECTION = False) no credentials are required, matching the CVSS 9.8 network/no-privilege rating; there is no public exploit identified at time of analysis and the CVE is not in CISA KEV, but trivial complexity and full CIA impact make it a high-priority patch.

Code Injection RCE Python
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in the RELATE web courseware lets any enrolled student inject JavaScript that executes in an administrator's authenticated browser session, enabling full admin account takeover. The payload is planted via the freely editable first_name/last_name fields on the /profile/ page and fires when an admin opens the Participation list in the Django admin panel. No public exploit has been identified, but the root cause is confirmed in source and fixed upstream; with a CVSS of 8.7 and a scope-changing impact, this is a high-severity privilege-escalation issue.

XSS Python
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Unauthorized file disclosure in Taipy 4.1.1 lets remote unauthenticated attackers read files outside an extension library's intended directory through the GUI ElementLibrary.get_resource() resource handler. The containment check used str.startswith() without a trailing separator, so a crafted request with traversal segments can resolve into a prefix-matching sibling directory on disk while still passing the flawed check. Impact is confined to confidentiality (file read), with no public exploit identified at time of analysis and no CISA KEV listing.

Path Traversal Python
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authentication bypass in MaxKB (1Panel-dev) versions prior to 2.9.0 allows remote unauthenticated attackers to invoke webhook trigger endpoints and execute their bound tasks. The flaw stems from the WebhookAuth class unconditionally returning a successful authentication tuple, which Django REST Framework interprets as a valid identity, combined with no backend enforcement of per-trigger token requirements. No public exploit identified at time of analysis, but the trivial nature of the bypass and open-source visibility of the patch make exploitation straightforward for any attacker who can enumerate or guess trigger IDs.

Python Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

{{ github.event.pull_request.title }} directly into bash double-quoted strings across four steps in four separate jobs, enabling shell escape via crafted PR title content. No public exploit has been identified and EPSS stands at 0.03% (10th percentile), though the supply-chain nature of this CI-targeting vulnerability means successful exploitation could expose repository secrets and runner tokens.

Python Command Injection Vowpal Wabbit
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Remote code execution in HuggingFace Transformers prior to 5.3.0 allows attackers to achieve arbitrary code execution on a victim's machine by publishing a malicious model whose config.json sets the `_attn_implementation_internal` field to an attacker-controlled Hub repository. When the victim calls the standard `AutoModelForCausalLM.from_pretrained()` API, the library silently downloads and executes Python kernels from that repository with the victim's privileges, bypassing the `trust_remote_code` safety gate. No public exploit is identified at time of analysis (EPSS 0.03%, SSVC exploitation: none), but the technical impact is total and the attack uses the documented, default usage pattern.

Python Deserialization RCE +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to achieve RCE on the host by tricking the MLX inference backend into loading a Python file from an attacker-controlled OCI model registry. The MLX-LM library imports the file referenced by config.json's model_file field via importlib without any trust_remote_code gate, and the backend runs unsandboxed as the Docker Desktop user. Patched in Docker Desktop 4.71.0; no public exploit identified at time of analysis and EPSS is very low (0.01%), but the SSVC technical impact is rated total.

Python Apple RCE +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in Docker Desktop's vllm-metal inference backend on macOS allows any container on the Docker network to trigger host-level RCE by pulling a malicious model from an OCI registry and requesting inference. The Docker Model Runner unconditionally sets trust_remote_code=True and runs without sandboxing, so AutoTokenizer.from_pretrained() loads attacker-controlled Python from the model and executes it as the Docker Desktop user. No public exploit identified at time of analysis; EPSS sits at 0.01% and SSVC marks exploitation as 'none' despite total technical impact.

Python Apple RCE +1
NVD
EPSS 0%
MEDIUM PATCH This Month

Session freshness bypass in Flask-Security-Too 5.8.0 allows an attacker who controls a stale authenticated victim session to satisfy the victim session's reauthentication requirement using their own OAuth identity, not the victim's. The flaw in `oauth_glue.py` causes `oauth_verify_response()` to update `session["fs_paa"]` (the freshness timestamp) without verifying that the OAuth-resolved user matches the currently authenticated session user. Exploitation was confirmed via a detailed proof-of-concept that successfully changed a victim user's username through the built-in `/change-username` route after bypassing the freshness gate. Publicly available exploit code exists; no CISA KEV listing at time of analysis.

Python CSRF Authentication Bypass +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unauthenticated SQL injection in YesWiki's Bazar form-import path allows any remote visitor to inject arbitrary SQL into an INSERT statement and exfiltrate the entire database, including yeswiki_users.password hashes. Affects YesWiki 4.6.1, 4.6.2, and the doryphore-dev branch prior to 4.6.4. Publicly available exploit code exists (a working Python PoC is published in the GHSA advisory), though no public exploit identified in CISA KEV at time of analysis.

PHP Python SQLi +1
NVD GitHub
EPSS 0% CVSS 7.6
HIGH POC PATCH This Week

Unauthenticated cross-origin MCP tool invocation in Network-AI v5.4.4 allows a remote attacker to lure a victim to a malicious web page that silently invokes any of the 22 exposed MCP tools (including config_set, agent_spawn, blackboard_write, and token_create/revoke) against the victim's locally running MCP SSE server. The vulnerability stems from an empty default secret combined with a wildcard CORS policy, and publicly available exploit code exists in the GHSA advisory demonstrating end-to-end exploitation. No CISA KEV listing yet and EPSS data was not provided, but the published PoC and trivial attack mechanics make this a meaningful risk for any user running the default Docker deployment.

Python RCE Docker
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Arbitrary file write on the host in Boxlite sandbox service versions prior to 0.9.0 allows attackers to escape the OCI image extraction root via crafted symlink entries in layer tarballs, enabling remote code execution on the host (typically as root). Exploitation requires a user to pull and load a malicious OCI image distributed through registries such as DockerHub. Publicly available exploit code exists (vendor-published PoC); no public exploit identified in CISA KEV at time of analysis.

Path Traversal Python RCE
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Sandbox escape in Boxlite versions prior to 0.9.0 lets untrusted code running inside the lightweight VM remount host-shared virtiofs directories from read-only to read-write, enabling arbitrary writes to host files that operators believed were protected. Because the container is granted all 41 Linux capabilities (including CAP_SYS_ADMIN), a trivial 'mount -o remount,rw' bypasses the client-side MS_RDONLY enforcement, and in AI-agent deployments this leads to host code execution by tampering with mounted code, virtualenvs, or credentials. Publicly available exploit code exists (working PoC published in the GHSA advisory) and the issue carries a CVSS 10.0 with scope change; no public exploit identified at time of analysis in CISA KEV.

Node.js Docker Authentication Bypass +2
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Blind Server-Side Request Forgery in FlaskBB's avatar URL handling allows any authenticated user to force the server to issue arbitrary HTTP GET requests to internal network endpoints, including cloud instance metadata services (AWS IMDSv1 at 169.254.169.254, GCP, Azure equivalents). All versions up to and including 2.2.0 of the pip-distributed FlaskBB package are affected, with no vendor-released patch available at time of analysis. A proof-of-concept is publicly available via the GitHub Security Advisory, and three distinct exploitation channels have been demonstrated: direct credential exfiltration from cloud metadata services, internal port scanning via differential error responses, and triggering of internal APIs (Elasticsearch, etcd, Consul, CI/CD webhooks).

Microsoft Elastic Python +1
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Redirect-based SSRF bypass in pyload-ng's parse_urls API allows authenticated attackers with ADD permission to probe internal network services and cloud metadata endpoints by chaining an open redirect through an attacker-controlled host. The prior SSRF fix (commit 33c55da, GHSA-7gvf-3w72-p2pg) correctly hardened HTTPChunk but left HTTPRequest used by RequestFactory.get_url() with allow_private_ip=True, rendering the is_global_host() check on the initial URL ineffective against 302 redirects to private IP space. A public proof-of-concept exploit exists demonstrating exfiltration of AWS IMDSv1 metadata; no public exploit identified at time of analysis for active in-the-wild exploitation, and CVE-2026-46561 is not listed in the CISA KEV catalog.

Microsoft Python SSRF
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Unsafe default code execution in InternLM LMDeploy (<=0.12.3) lets a malicious Hugging Face model repository run arbitrary Python on the host whenever a user loads it through any LMDeploy CLI (serve, calibrate, gptq, awq). The library hardcodes transformers.AutoConfig.from_pretrained(..., trust_remote_code=True) in get_model_arch and related helpers with no flag, env var, or warning to opt out, overriding HF Transformers' default-secure stance. No public exploit identified at time of analysis, and exploitation requires the user to load an untrusted repo, so risk is hardening-level rather than network-reachable RCE.

Code Injection Python RCE
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Two-layer blind SSRF in Crawlee for Python (pip/crawlee >= 1.0.0, < 1.7.0) allows an attacker who controls a sitemap or robots.txt file to force the crawler to issue HTTP requests against internal network services (layer 1, all HTTP clients), and - when CurlImpersonateHttpClient is configured - to dispatch non-HTTP scheme requests including gopher://, file://, dict://, and ftp:// (layer 2). The layer 2 escalation enables canonical Redis exploitation via gopher://, making RCE on unauthenticated internal Redis instances achievable from a public-facing crawler. No public exploit code has been identified at time of analysis and this CVE is not listed in the CISA KEV catalog, but the researcher-credited advisory details a fully articulated attack path including Redis RCE.

SSRF Redis RCE +2
NVD GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Arbitrary code execution in InternLM lmdeploy <= 0.12.3 occurs because trust_remote_code=True is hardcoded across HuggingFace model-loading call sites in lmdeploy/archs.py and lmdeploy/utils.py. An attacker who can influence the model_path passed to an lmdeploy serving process can point it at a malicious HuggingFace repository, causing Transformers to download and execute attacker-controlled Python code with the privileges of the serving daemon. Publicly available exploit code exists in the GHSA advisory, and an upstream fix has been merged via PR #4511 (fixed in 0.13.0).

Kubernetes Code Injection RCE +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

Deserialization Apache Python
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

ORM Field Reference Injection in Plane versions 1.3.0 and below enables any authenticated workspace MEMBER to exfiltrate sensitive data - including bcrypt password hashes, API tokens, and user email addresses - via a single crafted GET request. The SavedAnalyticEndpoint omits the field allowlist validation present in the regular AnalyticsEndpoint, passing the user-supplied segment parameter directly into Django F() expressions, which then traverse foreign-key relationships and return referenced field values in the JSON response. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the attack is trivially reconstructable from the public GHSA-93x3-ghh7-72j3 advisory and the exfiltrated data directly enables secondary attacks.

Information Disclosure Nosql Injection Python
NVD GitHub VulDB
Prev Page 4 of 24 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy