PYSEC-2026-430

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/murano-dashboard/PYSEC-2026-430.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-430
Aliases
Published
2026-06-29T11:50:33.043646Z
Modified
2026-06-29T12:26:46.584121738Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenStack Murano Code Execution
Details

OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.

References

Affected packages

PyPI / murano-dashboard

Package

Name
murano-dashboard
View open source insights on deps.dev
Purl
pkg:pypi/murano-dashboard

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.1

Affected versions

2.*
2.0.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/murano-dashboard/PYSEC-2026-430.yaml"