Vulnerabilities

Columns: ID | Packages | Summary | Published | Attributes (fix availability and severity). Entries are ordered by publication time, newest first.
PYSEC-2026-161
  • Packages: PyPI/starlette
  • Summary: Missing Host header validation poisons request.url.path, bypassing path-based security checks
  • Published: 3 hours ago
  • Fix available

MAL-2026-4253
  • Packages: PyPI/pylogft
  • Summary: Malicious code in pylogft (PyPI)
  • Published: 9 hours ago
  • No fix available

MAL-2026-4231
  • Packages: PyPI/pylogfmt
  • Summary: Malicious code in pylogfmt (PyPI)
  • Published: 15 hours ago
  • No fix available

GHSA-f396-4rp4-7v2j
  • Packages: Go/github.com/boxlite-ai/boxlite/sdks/go, PyPI/boxlite, crates.io/boxlite, crates.io/boxlite-cli, npm/@boxlite-ai/boxlite
  • Summary: Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
  • Published: 18 hours ago
  • Fix available
  • Severity: 9.6 (Critical)

GHSA-g6ww-w5j2-r7x3
  • Packages: Go/github.com/boxlite-ai/boxlite/sdks/go, PyPI/boxlite, crates.io/boxlite, crates.io/boxlite-cli, npm/@boxlite-ai/boxlite
  • Summary: BoxLite: Permission Bypass Allows Modification of Read-Only Files
  • Published: 18 hours ago
  • Fix available
  • Severity: 10.0 (Critical)

GHSA-cqp8-fcvh-x7r3
  • Packages: PyPI/pydantic-ai, PyPI/pydantic-ai-slim
  • Summary: Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (incomplete fix of CVE-2026-25580)
  • Published: 19 hours ago
  • Fix available
  • Severity: 6.8 (Medium)

GHSA-54mc-gghv-4cfj
  • Packages: PyPI/sqladmin
  • Summary: SQLAdmin: Authorization Bypass on `ajax_lookup`
  • Published: 19 hours ago
  • Fix available
  • Severity: 4.3 (Medium)

GHSA-xq32-9g7q-7297
  • Packages: PyPI/flaskbb
  • Summary: FlaskBB: SSRF in get_image_info() via unrestricted avatar URL
  • Published: 19 hours ago
  • No fix available
  • Severity: 6.5 (Medium)

GHSA-8rp3-xc6w-5qp5
  • Packages: PyPI/pyload-ng
  • Summary: pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API
  • Published: 20 hours ago
  • Fix available
  • Severity: 5.0 (Medium)

GHSA-9xq9-36w5-q796
  • Packages: PyPI/lmdeploy
  • Summary: lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
  • Published: 21 hours ago
  • No fix available
  • Severity: 7.8 (High)

GHSA-3r75-xc34-5f44
  • Packages: PyPI/crawlee
  • Summary: Crawlee for Python: SSRF via sitemap-derived URLs
  • Published: 21 hours ago
  • Fix available
  • Severity: 2.3 (Low)

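The Pydantic AI, FlaskBB, pyload-ng and Crawlee entries above are all server-side request forgery, and two root causes recur in that class: a destination check that compares host strings rather than the addresses actually connected to (so `::ffff:169.254.169.254`, the IPv4-mapped IPv6 form of the metadata address, slips past a blocklist of dotted-quad strings), and a check that runs only on the first URL while the HTTP client follows `Location` headers on its own. The Python below is an added example written for this page; it is not code from any of those projects and does not claim to reproduce their exact flaws. The DNS table, redirect table and host names are constructed so it runs offline, and `naive_is_blocked`, `canonical_ip`, `check_url` and `follow_safely` are illustrative names.

```python
import ipaddress
from urllib.parse import urlparse, urljoin

# Constructed stand-in for DNS so the example runs offline. The public
# addresses are real globally routable ones used only as placeholders; the
# host names are invented and resolve to nothing in real DNS.
FAKE_DNS = {
    "public.example": ["8.8.8.8"],
    "cdn.example": ["1.1.1.1"],
    "mapped.example": ["::ffff:169.254.169.254"],  # IPv4-mapped IPv6 form of IMDS
    "rebind.example": ["8.8.8.8", "10.0.0.5"],     # one public answer, one private
}

# Constructed redirect table: request URL -> value of its Location header.
FAKE_REDIRECTS = {
    "http://public.example/avatar.png": "http://cdn.example/a.png",
    "http://public.example/meta": "http://169.254.169.254/latest/meta-data/",
    "http://public.example/loop": "/loop",
}

# Cloud instance-metadata endpoint used by AWS, GCP and Azure (link-local).
CLOUD_METADATA = {ipaddress.ip_address("169.254.169.254")}


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched on the caller's behalf."""


def naive_is_blocked(host: str) -> bool:
    """A string-compare blocklist. It never sees '::ffff:169.254.169.254',
    host names that resolve to the metadata address, or redirect targets."""
    return host == "169.254.169.254"


def canonical_ip(text: str):
    """Parse an IP literal; unwrap IPv6 encodings that carry an IPv4 address."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None  # not a literal, treat as a host name
    if isinstance(ip, ipaddress.IPv6Address):
        inner = ip.ipv4_mapped or ip.sixtofour  # ::ffff:a.b.c.d and 2002:AABB:CCDD::
        if inner is not None:
            ip = inner
    return ip


def is_forbidden(ip) -> bool:
    """Block IMDS and anything not globally routable (loopback, RFC 1918,
    link-local, ULA, documentation ranges and so on)."""
    return ip in CLOUD_METADATA or not ip.is_global


def resolve_all(host: str):
    """Every canonical address the host maps to; unknown names fail closed."""
    literal = canonical_ip(host)
    if literal is not None:
        return [literal]
    answers = FAKE_DNS.get(host.rstrip(".").lower())
    if not answers:
        raise UnsafeURL(f"cannot resolve {host!r}")
    return [canonical_ip(a) for a in answers]


def check_url(url: str) -> str:
    """Reject non-HTTP schemes and any URL whose host has a forbidden address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeURL(f"refusing scheme/host in {url!r}")
    for ip in resolve_all(parts.hostname):  # hostname strips the [] of IPv6 literals
        if is_forbidden(ip):
            raise UnsafeURL(f"{url!r} resolves to forbidden address {ip}")
    return url


def follow_safely(url: str, max_hops: int = 5) -> str:
    """Validate every hop of a redirect chain instead of letting the HTTP
    client follow Location headers on its own. Returns the final URL."""
    current = url
    for _ in range(max_hops + 1):
        check_url(current)
        location = FAKE_REDIRECTS.get(current)
        if location is None:
            return current  # no redirect: this is the URL to fetch
        current = urljoin(current, location)  # relative Location is allowed
    raise UnsafeURL(f"more than {max_hops} redirects from {url!r}")
```

The gap this still leaves is DNS rebinding: a name can answer with a public address during the check and a private one when the client connects, so the address validated here should also be the one the socket connects to (address pinning), or the check should run inside the HTTP client's connection hook rather than on the URL string.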
GHSA-rq6v-x3j8-7qgf
  • Packages: PyPI/sagemaker
  • Summary: Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler
  • Published: 22 hours ago
  • Fix available
  • Severity: 6.4 (Medium)

GHSA-7hh5-prp2-mfh5
  • Packages: PyPI/sagemaker
  • Summary: Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path
  • Published: 22 hours ago
  • Fix available
  • Severity: 8.5 (High)

GHSA-m549-qq94-fvhg
  • Packages: PyPI/lmdeploy
  • Summary: LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization
  • Published: 23 hours ago
  • Fix available
  • Severity: 7.8 (High)

GHSA-5h3g-px23-w6vw
  • Packages: PyPI/mvt
  • Summary: Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing
  • Published: 23 hours ago
  • Fix available
  • Severity: 5.3 (Medium)

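The Boxlite arbitrary-file-write and MVT iOS-backup entries are both path traversal: a name taken from untrusted input (a sandbox-controlled file path, a backup manifest identifier) is joined to a destination directory without confirming that the result stays inside it. The Python below is an added example, not code from either project and not a description of their exact code paths. It shows the naive join beside a `safe_join` that canonicalises both sides with `realpath()` and compares directory components rather than string prefixes; the manifest entries in `demo()` are constructed, and `PathEscape`, `write_entries` and `demo` are illustrative names.

```python
import os
import tempfile


class PathEscape(ValueError):
    """Raised when a name would resolve outside its extraction root."""


def unsafe_join(base: str, name: str) -> str:
    """What a naive extractor does. '..' segments walk out of base, and an
    absolute name makes os.path.join discard base entirely."""
    return os.path.join(base, name)


def safe_join(base: str, name: str) -> str:
    """Return an absolute path for name that is guaranteed to lie under base.

    Rejects absolute names, '..' escapes and symlinks inside base that point
    elsewhere. Both sides go through realpath() and are compared with
    commonpath(), so '/srv/out' and '/srv/out-evil' are not confused the way a
    str.startswith() prefix test would confuse them."""
    if "\x00" in name:
        raise PathEscape("NUL byte in name")
    if os.path.isabs(name):
        raise PathEscape(f"absolute name {name!r}")
    root = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise PathEscape(f"{name!r} escapes {root!r}")
    return candidate


def write_entries(base: str, entries: dict) -> dict:
    """Materialise {name: bytes} under base, reporting what was rejected."""
    written, rejected = [], []
    for name, data in entries.items():
        try:
            dest = safe_join(base, name)
        except PathEscape:
            rejected.append(name)
            continue
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        written.append(os.path.relpath(dest, os.path.realpath(base)))
    return {"written": written, "rejected": rejected}


def demo() -> dict:
    """Constructed manifest mixing honest entries with traversal attempts."""
    entries = {
        "Library/SMS/sms.db": b"ok",
        "Media/DCIM/IMG_0001.JPG": b"ok",
        "../../../etc/cron.d/backdoor": b"* * * * * root /tmp/x",
        "/etc/passwd": b"root::0:0::/:/bin/sh",
        "Library/../../outside.txt": b"escape",
    }
    with tempfile.TemporaryDirectory() as base:
        report = write_entries(base, entries)
        # A symlink inside base that points outside must be refused as well;
        # realpath() follows it, so commonpath() sees the real destination.
        try:
            os.symlink(tempfile.gettempdir(), os.path.join(base, "link"))
            try:
                safe_join(base, "link/escaped.txt")
                report["symlink_rejected"] = False
            except PathEscape:
                report["symlink_rejected"] = True
        except (OSError, NotImplementedError):
            report["symlink_rejected"] = None  # platform without symlink support
    return report
```

Doing the check on the final resolved path is what matters: validating the name before joining it, or validating the join result before symlinks are resolved, leaves the `..`-free-but-symlinked case open.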
GHSA-vrxg-gm77-7q5g
  • Packages: PyPI/windows-mcp
  • Summary: Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS
  • Published: 23 hours ago
  • Fix available
  • Severity: 8.9 (High)