A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is overridden by untrusted serialized configuration data in a nested code path. Specifically, when l…

CVSS: 8.0 · CWE: CWE-829

View on NVD

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect. If a developer uses the `cookies` parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Version 3.14.0 patches the issue. I…

CVSS: 6.6 · CWE: CWE-346

View on NVD

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications. Version 3.14.0 patches the issue. If an application does allow attacker controll…

CVSS: 6.4 · CWE: CWE-502

View on NVD

NiceGUI is a Python-based UI framework. Prior to version 3.12.0, two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are…

CVSS: 5.3 · CWE: CWE-248

View on NVD

NiceGUI is a Python-based UI framework. Prior to version 3.12.0, ui.restructured_text() renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructured_text(), an attacker can use standard Docutils directives (include, csv-table with :file:, raw with :file:) to read local files readabl…

CVSS: 7.5 · CWE: CWE-200

View on NVD

A security vulnerability has been detected in SGLang 0.5.10.post1. Impacted is an unknown function of the file python/sglang/srt/lora/lora_manager.py of the component Inference HTTP Endpoint. Such manipulation of the argument lora_path leads to reachable assertion. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is considered difficu…

CVSS: 3.7 · CWE: CWE-617

View on NVD

Exploitation requires the attacker to already be an authenticated Airflow worker holding a valid Log-server JWT issued for at least one Dag. Apache Airflow's Log server authorized JWT tokens against Dag IDs by applying Python's `str.lstrip()` to the requested path segment when verifying the JWT's `sub` claim. `str.lstrip()` strips any of a *set* of characters from the left (not a prefix), so a JW…

CVSS: 3.1 · CWE: CWE-863

View on NVD

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the PREREQFUNCTION-based private IP check was not applied to HTTPRequest (used by the parse_urls API). An authenticated attacker can supply a URL pointing to an attacker-controlled server that responds with a 302 redirect to an internal/private IP address, bypassing the is_global_host() check on the init…

CVSS: 5.0 · CWE: CWE-918

View on NVD

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates a stored link URL into a template literal inside single-quoted HTML and then writes the result to the DOM via $(div).html(html). No escaping runs between the API value and innerHTML. An attacker (Alic…

CVSS: 8.7 · CWE: CWE-79

View on NVD

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect the Flask session directory (/tmp/pyLoad/flask). An authenticated attacker can set storage_folder to the session directory and download session files of other users via /files/get/, leading to accoun…

CVSS: 6.5 · CWE: CWE-706

View on NVD

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several app_apikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify that the authenticated API key and the requested project belong to the same tenant. Because the publi…

CVSS: 7.7 · CWE: CWE-284

View on NVD

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.1, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. This vulnerability is fixed in 6.12.1.

CVSS: 5.5 · CWE: CWE-770

View on NVD

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate use of JSON Web Keys in HMAC algorithm, allowing attacker to use the issuer public key as the secret key for HMAC algorithm. This vulnerability is fixed in 2.13.0.

CVSS: 7.4 · CWE: CWE-287

View on NVD

PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For b64=false, PyJWT later discards that decoded payload and replaces it with the caller-provided detache…

CVSS: 5.3 · CWE: CWE-400

View on NVD

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no rate limiting. Since kid comes from the unverified token header, an attacker can trigger unlimited outbound requests. The vulnerability surfaces only when a JWKS fetch fails; an attacker can attempt to…

CVSS: 3.7 · CWE: CWE-460

View on NVD

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature verification is performed with the algorithm bound to the PyJWK object instead of the header algorithm.…

CVSS: 5.4 · CWE: CWE-347

View on NVD

PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registering HTTPHandler, HTTPSHandler, FTPHandler, FileHandler, and DataHandler. There is currently no documented option to restrict which schemes PyJWKClient will fetch. If an application's jku URL ingestio…

CVSS: 4.2 · CWE: CWE-441

View on NVD

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0.

CVSS: 3.3 · CWE: CWE-834

View on NVD

pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. This vulnerability is fixed in 6.12.0.

CVSS: 5.5 · CWE: CWE-400

View on NVD

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the {% include %} and {% render %} tags. Targeted files would need to contain…

CVSS: 7.5 · CWE: CWE-22

View on NVD

claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude C…

CVSS: 7.8 · CWE: CWE-78

View on NVD

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. This vulnerability is fixed in 5.12.1.

CVSS: 7.5 · CWE: CWE-401

View on NVD

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to LangSmith SDK Python 0.8.0 and JS/TS 0.6.0, the LangSmith SDK's prompt pull methods (pull_prompt / pull_prompt_commit in Python, pullPrompt / pullPromptCommit in JS/TS) fetch and deserialize prompt manifests from the LangSmith Hub. These manifests may contain serialized LangChain objects and model configurat…

CVSS: 7.1 · CWE: CWE-502

View on NVD

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile() endpoint writes user-supplied numeric config values (e.g., SMTP_PORT) directly into pialert.conf without validation. Since pialert.conf is loaded via Python's exec() every 3–5 minutes by the background cron process, an attacker can inject arbitrary Python code and achieve unaut…

CVSS: 9.8 · CWE: CWE-94

View on NVD

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. Since the background scan daemon loads this file via Python's exec(), injected code executes as the daemon process. With web protection disabled (the default configuration), no authentication is requir…

CVSS: 9.8 · CWE: CWE-94

View on NVD

Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope. This vulnerabilit…

CVSS: 6.1 · CWE: CWE-601

View on NVD

RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. The `get_user()` method in `ParticipationAdmin` renders user-controlled input using `m…

CVSS: 8.7 · CWE: CWE-79

View on NVD

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, a malicious bentofile.yaml containing a newline-injected value in envs[*].name produces unquoted RUN directives in the BentoML-generated Dockerfile. When the victim runs bentoml containerize on the imported bento, those RUN directives execute on the host during docker build.…

CVSS: 8.8 · CWE: CWE-78

View on NVD

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.39, src/bentoml/_internal/container/frontend/dockerfile/templates/base_v2.j2 interpolates docker.base_image raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line docker.base_image value smuggles arbitrary Dockerfile directives into the…

CVSS: 8.8 · CWE: CWE-78

View on NVD

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the Image directive plugin validates the :width: and :height: options with a regex compiled as _num_re = re.compile(r"^\d+(?:\.\d*)?"). When the validated value is not a plain integer, render_block_image() inserts it directly into a style="width:...;" or style="height:...;" attribute. Because the value was accepted by…

CVSS: 4.7 · CWE: CWE-79

View on NVD

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a

table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used as href="#") and the text value (used as the visible link label) are inserted into tags via a plain Python format string — with no HTML escaping applied to either value. When heading IDs are de…

CVSS: 6.1 · CWE: CWE-79

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-44897 https://nvd.nist.gov/vuln/detail/CVE-2026-44897 Tue, 26 May 2026 21:16:39 +0000 Medium CVE-2026-44897

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape(), safe_entity(), or any other sanitisation function. A double-quote character " in the id value terminates the attribute, allowing an attacker to inject arbitrary additiona…

CVSS: 6.1 · CWE: CWE-79

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-44896 https://nvd.nist.gov/vuln/detail/CVE-2026-44896 Tue, 26 May 2026 21:16:39 +0000 Medium CVE-2026-44896

Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and realier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options directly into HTML attributes without escaping. This allows attribute injection and XSS even when HTMLRenderer(escape=True) is used, because these values bypass the inline renderer.

CVSS: 6.1 · CWE: CWE-79

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-44844 https://nvd.nist.gov/vuln/detail/CVE-2026-44844 Tue, 26 May 2026 21:16:39 +0000 Medium CVE-2026-44844

eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.get_raw_body_text() recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an…

CVSS: 6.3 · CWE: CWE-674

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-44843 https://nvd.nist.gov/vuln/detail/CVE-2026-44843 Tue, 26 May 2026 21:16:39 +0000 High CVE-2026-44843

LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load() with allowed_objects="all". This does not enable arbitrary Python object deserialization, but it does al…

CVSS: 8.2 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-44708 https://nvd.nist.gov/vuln/detail/CVE-2026-44708 Tue, 26 May 2026 21:16:38 +0000 Medium CVE-2026-44708

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the mistune math plugin renders inline math ($...$) and block math ($$...$$) by concatenating the raw user-supplied content directly into the HTML output without any HTML escaping. This occurs even when the parser is explicitly created with escape=True, which is supposed to guarantee that all user-controlled text is s…

CVSS: 6.1 · CWE: CWE-79

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-44723 https://nvd.nist.gov/vuln/detail/CVE-2026-44723 Tue, 26 May 2026 17:16:46 +0000 Medium CVE-2026-44723

Vowpal Wabbit is a machine learning system. The workflow .github/workflows/python_checks.yml embeds ${{ github.event.pull_request.title }} directly inside double-quoted bash strings in four separate steps across four jobs, each passing it as a CLI argument to the Python test script run_tests_model_gen_and_load.py. The shell interprets the expanded string before invoking Python, allowing an attack…

CVSS: 5.0 · CWE: CWE-78

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-44502 https://nvd.nist.gov/vuln/detail/CVE-2026-44502 Tue, 26 May 2026 17:16:46 +0000 Medium CVE-2026-44502

Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be (partially) bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For malformed inputs involving backslashes and @, those components can disagree about where the authority e…

CVSS: 4.3 · CWE: CWE-918

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-4372 https://nvd.nist.gov/vuln/detail/CVE-2026-4372 Sun, 24 May 2026 14:16:16 +0000 High CVE-2026-4372

A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.fr…

CVSS: 7.8 · CWE: CWE-1066

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-5843 https://nvd.nist.gov/vuln/detail/CVE-2026-5843 Fri, 22 May 2026 20:16:35 +0000 High CVE-2026-5843

The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the model_file configuration field in config.json. When a model's config.json specifies a model_file pointing to a Python file, MLX-LM uses importlib to load and execute it with no trust_remote_code gate or equivalent safet…

CVSS: 8.2 · CWE: CWE-829

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-5817 https://nvd.nist.gov/vuln/detail/CVE-2026-5817 Fri, 22 May 2026 20:16:35 +0000 High CVE-2026-5817

The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sandboxing. This causes transformers.AutoTokenizer.from_pretrained() to import and execute arbitrary Python files included in any model pulled from an OCI registry, resulting in arbitrary code execution on the Docker host as the Docker Deskto…

CVSS: 8.2 · CWE: CWE-829

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-40610 https://nvd.nist.gov/vuln/detail/CVE-2026-40610 Fri, 22 May 2026 20:16:34 +0000 Medium CVE-2026-40610

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifact. If a victim builds an untrusted repository or other attacker-supplied build context, the attacke…

CVSS: 5.5 · CWE: CWE-59

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-48207 https://nvd.nist.gov/vuln/detail/CVE-2026-48207 Thu, 21 May 2026 17:16:21 +0000 Critical CVE-2026-48207

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes…

CVSS: 9.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31072 https://nvd.nist.gov/vuln/detail/CVE-2026-31072 Tue, 19 May 2026 16:16:20 +0000 Critical CVE-2026-31072

The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit thi…

CVSS: 9.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-33234 https://nvd.nist.gov/vuln/detail/CVE-2026-33234 Tue, 19 May 2026 02:16:16 +0000 Medium CVE-2026-33234

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.1.0 through 0.6.51, SendEmailBlock in autogpt_platform/backend/backend/blocks/email_block.py accepts a user-supplied smtp_server (string) and smtp_port (integer) as per-execution block inputs, then passes them directly to Python's smtplib.SMTP() to open a raw T…

CVSS: 5.0 · CWE: CWE-918

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-8838 https://nvd.nist.gov/vuln/detail/CVE-2026-8838 Mon, 18 May 2026 21:16:41 +0000 Critical CVE-2026-8838

Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client. To remediate this issue, users should upgrade to version 2.1.14.

CVSS: 9.8 · CWE: CWE-94

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-4137 https://nvd.nist.gov/vuln/detail/CVE-2026-4137 Mon, 18 May 2026 21:16:40 +0000 High CVE-2026-4137

In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with…

CVSS: 7.8 · CWE: CWE-378

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-45829 https://nvd.nist.gov/vuln/detail/CVE-2026-45829 Mon, 18 May 2026 17:16:34 +0000 Critical CVE-2026-45829

A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint.

CVSS: 10.0 · CWE: CWE-94

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-7304 https://nvd.nist.gov/vuln/detail/CVE-2026-7304 Mon, 18 May 2026 12:16:16 +0000 Critical CVE-2026-7304

SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.

CVSS: 9.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2021-47952 https://nvd.nist.gov/vuln/detail/CVE-2021-47952 Sat, 16 May 2026 16:16:21 +0000 Critical CVE-2021-47952

python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Attackers can craft JSON strings with py/repr directives that invoke the eval function during deserialization to execute arbitrary code.

CVSS: 9.8 · CWE: CWE-94

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-45672 https://nvd.nist.gov/vuln/detail/CVE-2026-45672 Fri, 15 May 2026 21:16:38 +0000 High CVE-2026-45672

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.12, the /api/v1/utils/code/execute endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set ENABLE_CODE_EXECUTION=false. The feature gate is not enforced on the API endpoint — the configuration says "disabled" but code still executes. This v…

CVSS: 8.8 · CWE: CWE-863

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-45395 https://nvd.nist.gov/vuln/detail/CVE-2026-45395 Fri, 15 May 2026 21:16:37 +0000 High CVE-2026-45395

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, the tool update endpoint (POST /api/v1/tools/id/{id}/update) is missing the workspace.tools permission check that is present on the tool create endpoint. This allows a user who has been explicitly denied tool management capabilities ( and who the administrator considers untrusted for…

CVSS: 7.2 · CWE: CWE-269

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-46383 https://nvd.nist.gov/vuln/detail/CVE-2026-46383 Fri, 15 May 2026 17:16:49 +0000 Medium CVE-2026-46383

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a local .tar.gz that is not recognized as a plugin-format bundle, APM probes whether it is a l…

CVSS: 5.5 · CWE: CWE-22

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-45370 https://nvd.nist.gov/vuln/detail/CVE-2026-45370 Thu, 14 May 2026 21:16:48 +0000 High CVE-2026-45370

python-utcp is the python implementation of UTCP. Prior to 1.1.3, _prepare_environment() in cli_communication_protocol.py passes a full copy of os.environ to every CLI subprocess. When combined with CVE-2026-45369, an attacker can exfiltrate all process-level secrets in a single tool call. This vulnerability is fixed in 1.1.3.

CVSS: 7.7 · CWE: CWE-526

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-45369 https://nvd.nist.gov/vuln/detail/CVE-2026-45369 Thu, 14 May 2026 21:16:48 +0000 High CVE-2026-45369

python-utcp is the python implementation of UTCP. Prior to 1.1.3, the _substitute_utcp_args method in cli_communication_protocol.py inserts user-controlled tool_args values directly into shell command strings without any sanitization or escaping. These commands are then executed via /bin/bash -c (Unix) or powershell.exe -Command (Windows), allowing an attacker to inject arbitrary shell commands.…

CVSS: 8.3 · CWE: CWE-78

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-44661 https://nvd.nist.gov/vuln/detail/CVE-2026-44661 Thu, 14 May 2026 21:16:47 +0000 Medium CVE-2026-44661

python-utcp is the python implementation of UTCP. Prior to 1.1.3, the utcp-http plugin is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. register_manual() validates the discovery URL against an HTTPS / loopback allowlist, but call_tool() and call_tool_streaming() reuse the resolved tool_call_template.…

CVSS: 4.7 · CWE: CWE-918

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-8597 https://nvd.nist.gov/vuln/detail/CVE-2026-8597 Thu, 14 May 2026 20:17:21 +0000 High CVE-2026-8597

Missing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacement of model artifacts in S3 with a specially crafted pickle payload that is deserialized without verification. This issue requires a remote authenticated actor w…

CVSS: 7.2 · CWE: CWE-354

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-8596 https://nvd.nist.gov/vuln/detail/CVE-2026-8596 Thu, 14 May 2026 20:17:21 +0000 High CVE-2026-8596

Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API responses and forge valid integrity signatures for specially crafted model artifacts, achieving code execution in inference containers. This issue requires a re…

CVSS: 7.2 · CWE: CWE-312

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-44827 https://nvd.nist.gov/vuln/detail/CVE-2026-44827 Thu, 14 May 2026 17:16:23 +0000 High CVE-2026-44827

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines from Hugging Face Hub repositories. The _resolve_custom_pipeline_and_cls function in pipeline_loading_utils.py performs string interpolation on the custom_pipeline parameter using f"{custom_pipeline}.py". Wh…

CVSS: 8.8 · CWE: CWE-94

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-42561 https://nvd.nist.gov/vuln/detail/CVE-2026-42561 Wed, 13 May 2026 21:16:47 +0000 High CVE-2026-42561

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data, MultipartParser previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either many repeated headers without terminating…

CVSS: 7.5 · CWE: CWE-770

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-42304 https://nvd.nist.gov/vuln/detail/CVE-2026-42304 Wed, 13 May 2026 21:16:46 +0000 High CVE-2026-42304

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses previou…

CVSS: 7.5 · CWE: CWE-400

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-44432 https://nvd.nist.gov/vuln/detail/CVE-2026-44432 Wed, 13 May 2026 16:16:57 +0000 High CVE-2026-44432

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algor…

CVSS: 7.5 · CWE: CWE-409

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-44431 https://nvd.nist.gov/vuln/detail/CVE-2026-44431 Wed, 13 May 2026 16:16:57 +0000 Medium CVE-2026-44431

urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.

CVSS: 5.3 · CWE: CWE-200

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-45227 https://nvd.nist.gov/vuln/detail/CVE-2026-45227 Tue, 12 May 2026 22:16:38 +0000 High CVE-2026-45227

Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives. Attackers can use Python introspection techniques to recover the unrestricted __import__ function, import blocked modules such as os and subprocess, and access inherited backend envir…

CVSS: 8.8 · CWE: CWE-693

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-44307 https://nvd.nist.gov/vuln/detail/CVE-2026-44307 Tue, 12 May 2026 22:16:37 +0000 High CVE-2026-44307

Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the configured template directory. This vulnerability is fixed in 1.3.12.

CVSS: 8.7 · CWE: CWE-22

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-44304 https://nvd.nist.gov/vuln/detail/CVE-2026-44304 Tue, 12 May 2026 22:16:37 +0000 High CVE-2026-44304

Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator. This vulnerabil…

CVSS: 8.1 · CWE: CWE-90

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-43948 https://nvd.nist.gov/vuln/detail/CVE-2026-43948 Tue, 12 May 2026 22:16:35 +0000 Critical CVE-2026-43948

wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != None as False, silently bypassing the guard when both the attacker and victim have no gym assignment (gym=None). A user with gym.manage_gym permission and gym=No…

CVSS: 9.9 · CWE: CWE-863

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-42545 https://nvd.nist.gov/vuln/detail/CVE-2026-42545 Tue, 12 May 2026 22:16:34 +0000 Medium CVE-2026-42545

Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a handled error. This vulnerabilit…

CVSS: 5.9 · CWE: CWE-248

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-42544 https://nvd.nist.gov/vuln/detail/CVE-2026-42544 Tue, 12 May 2026 22:16:34 +0000 High CVE-2026-42544

Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked. This vulnerability is fixed in 2.7.4.

CVSS: 7.5 · CWE: CWE-20

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31239 https://nvd.nist.gov/vuln/detail/CVE-2026-31239 Tue, 12 May 2026 18:16:52 +0000 Critical CVE-2026-31239

The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization (CWE-502) when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.from_pretrained() method uses torch.load() to load the pytorch_model.bin weight file without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the pi…

CVSS: 9.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31238 https://nvd.nist.gov/vuln/detail/CVE-2026-31238 Tue, 12 May 2026 18:16:52 +0000 Critical CVE-2026-31238

The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the pickle m…

CVSS: 9.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31237 https://nvd.nist.gov/vuln/detail/CVE-2026-31237 Tue, 12 May 2026 18:16:52 +0000 Critical CVE-2026-31237

The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict() method. When a user provides a dataset file path to the predict() method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is loaded using pandas.read_pickle() without any validation or security restrictions. This allows the deserialization of a…

CVSS: 9.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31236 https://nvd.nist.gov/vuln/detail/CVE-2026-31236 Tue, 12 May 2026 18:16:51 +0000 Critical CVE-2026-31236

The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec() function without any sanitization, sandboxing, or security restrictions. An attacker can exploit this by craftin…

CVSS: 9.8 · CWE: CWE-94

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31235 https://nvd.nist.gov/vuln/detail/CVE-2026-31235 Tue, 12 May 2026 18:16:51 +0000 Critical CVE-2026-31235

The imgaug library thru 0.4.0 contains an insecure deserialization vulnerability in its BackgroundAugmenter class within the multicore.py module. The class uses Python's pickle module to deserialize data received via a multiprocessing queue in the _augment_images_worker() method without any safety checks. An attacker who can influence the data placed into this queue (e.g., through social engineer…

CVSS: 9.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31232 https://nvd.nist.gov/vuln/detail/CVE-2026-31232 Tue, 12 May 2026 18:16:51 +0000 High CVE-2026-31232

The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of a…

CVSS: 8.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31231 https://nvd.nist.gov/vuln/detail/CVE-2026-31231 Tue, 12 May 2026 18:16:51 +0000 Critical CVE-2026-31231

Cognee thru v0.4.0 contains a critical remote code execution vulnerability in its notebook cell execution API endpoint. The endpoint is designed to execute arbitrary Python code provided by the user, but it does so using the unsafe exec() function without any sandboxing, validation, or security controls. An attacker can exploit this by sending a specially crafted POST request containing malicious…

CVSS: 9.8 · CWE: CWE-94

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31230 https://nvd.nist.gov/vuln/detail/CVE-2026-31230 Tue, 12 May 2026 18:16:51 +0000 Critical CVE-2026-31230

The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a command-line argument injection vulnerability in its Kubeflow component (robustness_evaluation_fgsm_pytorch.py). The script uses the unsafe eval() function to parse string values provided via the --clip_values and --input_shape command-line arguments. This allows an attacker to inject arbitrary Python code into these arguments, which…

CVSS: 9.8 · CWE: CWE-88

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31229 https://nvd.nist.gov/vuln/detail/CVE-2026-31229 Tue, 12 May 2026 18:16:51 +0000 Critical CVE-2026-31229

The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses torch.load() without the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python o…

CVSS: 9.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31228 https://nvd.nist.gov/vuln/detail/CVE-2026-31228 Tue, 12 May 2026 16:16:14 +0000 Critical CVE-2026-31228

The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a remote code execution vulnerability in its Kubeflow component. The robustness evaluation function for PyTorch models uses the unsafe eval() function to dynamically evaluate user-supplied strings for the LossFn and Optimizer parameters without any sanitization or security restrictions. An attacker can exploit this by providing a speci…

CVSS: 9.8 · CWE: CWE-94

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31225 https://nvd.nist.gov/vuln/detail/CVE-2026-31225 Tue, 12 May 2026 16:16:14 +0000 High CVE-2026-31225

The superduper project thru v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The _parse_op_part() function in query.py uses the unsafe eval() function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Although the function attempts to limit the execution context by providing a restricted global namespace…

CVSS: 8.8 · CWE: CWE-94

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31224 https://nvd.nist.gov/vuln/detail/CVE-2026-31224 Tue, 12 May 2026 16:16:14 +0000 High CVE-2026-31224

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class. The method loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A re…

CVSS: 8.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31223 https://nvd.nist.gov/vuln/detail/CVE-2026-31223 Tue, 12 May 2026 16:16:14 +0000 High CVE-2026-31223

The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load() function on user-supplied file paths without any validation or security controls. Python's pickle module is inherently dangerous for deserializing untrusted data, a…

CVSS: 8.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31222 https://nvd.nist.gov/vuln/detail/CVE-2026-31222 Tue, 12 May 2026 16:16:14 +0000 High CVE-2026-31222

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can ex…

CVSS: 8.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31221 https://nvd.nist.gov/vuln/detail/CVE-2026-31221 Tue, 12 May 2026 16:16:14 +0000 High CVE-2026-31221

PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arb…

CVSS: 7.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31220 https://nvd.nist.gov/vuln/detail/CVE-2026-31220 Tue, 12 May 2026 16:16:13 +0000 Critical CVE-2026-31220

PySyft (Syft Datasite/Server) versions 0.9.5 and earlier are vulnerable to remote code execution due to insufficient validation and sandboxing of user-submitted code. The system allows low-privileged users to submit Python functions (via @sy.syft_function()) for remote execution on the server. While a code approval mechanism exists, the submitted code undergoes no security checks for dangerous op…

CVSS: 9.8 · CWE: CWE-94

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31219 https://nvd.nist.gov/vuln/detail/CVE-2026-31219 Tue, 12 May 2026 16:16:13 +0000 High CVE-2026-31219

The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When a user provides a single model file path (e.g., .pt or .pth) via the --model command-line argument, the function loads the file using torch.load() without enabling the weights_only=True s…

CVSS: 8.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31218 https://nvd.nist.gov/vuln/detail/CVE-2026-31218 Tue, 12 May 2026 16:16:13 +0000 High CVE-2026-31218

The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When loading a model state dictionary from a state_dict.pt file via torch.load(), the function does not enable the weights_only=True security parameter. This allows the deserialization of arbi…

CVSS: 8.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31217 https://nvd.nist.gov/vuln/detail/CVE-2026-31217 Tue, 12 May 2026 16:16:13 +0000 Critical CVE-2026-31217

The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) allows arbitrary code execution. When a user supplies a directory path via the --model command-line argument, the function reads a module.py file from that directory and executes its contents directly using Python's exec() function. This design…

CVSS: 9.8 · CWE: CWE-94

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31214 https://nvd.nist.gov/vuln/detail/CVE-2026-31214 Tue, 12 May 2026 16:16:13 +0000 Critical CVE-2026-31214

The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). The script uses torch.load() to process PyTorch checkpoint files (.pt) without enabling the security-restrictive weights_only=True parameter. This oversight allows the deserialization of arbitrary Python o…

CVSS: 9.8 · CWE: CWE-502

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-42874 https://nvd.nist.gov/vuln/detail/CVE-2026-42874 Mon, 11 May 2026 20:25:43 +0000 Low CVE-2026-42874

Microdot is a minimalistic Python web framework. Prior to 2.6.1, the Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n sequence in them. This can be a potential source of header injection attacks. For a header injection attack through this issue to be possible, an attacker must first infiltrate the client (for example t…

CVSS: 3.7 · CWE: CWE-113

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-44226 https://nvd.nist.gov/vuln/detail/CVE-2026-44226 Mon, 11 May 2026 18:16:37 +0000 Medium CVE-2026-44226

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/ is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by requesting a non-exist…

CVSS: 5.3 · CWE: CWE-209

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-42315 https://nvd.nist.gov/vuln/detail/CVE-2026-42315 Mon, 11 May 2026 18:16:35 +0000 High CVE-2026-42315

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data() API function call inside the data object with key "_folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary directories as download locations for a package. This vulnerability is fixed in 0.5.0b3.dev100.

CVSS: 8.1 · CWE: CWE-22

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-42314 https://nvd.nist.gov/vuln/detail/CVE-2026-42314 Mon, 11 May 2026 18:16:35 +0000 Medium CVE-2026-42314

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, package folder names are sanitized using insufficient string replacement. The pattern ....// becomes .._ after replacement (partial removal), leaving .. which can be exploited when the path is later resolved by the OS. This vulnerability is fixed in 0.5.0b3.dev100.

CVSS: 6.5 · CWE: CWE-22

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-42313 https://nvd.nist.gov/vuln/detail/CVE-2026-42313 Mon, 11 May 2026 18:16:34 +0000 High CVE-2026-42313

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The allowlist contains ("proxy", "username") and ("proxy", "password") — which protect the proxy credentials — bu…

CVSS: 8.3 · CWE: CWE-441

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-42312 https://nvd.nist.gov/vuln/detail/CVE-2026-42312 Mon, 11 May 2026 18:16:34 +0000 Medium CVE-2026-42312

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value() API method (@permission(Perms.SETTINGS)) in src/pyload/core/api/__init__.py gates security-sensitive options behind a hand-maintained allowlist ADMIN_ONLY_CORE_OPTIONS. The option ("general", "ssl_verify") is not on that allowlist. Any authenticated user with the non-admin SETTINGS…

CVSS: 6.8 · CWE: CWE-295

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31254 https://nvd.nist.gov/vuln/detail/CVE-2026-31254 Mon, 11 May 2026 17:16:20 +0000 High CVE-2026-31254

The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains a code injection vulnerability (CWE-94) in its training script. The script registers the Python eval() function as a Hydra configuration resolver under the name eval. This allows configuration files to execute arbitrary Python code via the ${eval:...} syntax. An attacker can exploit this by prov…

CVSS: 7.3 · CWE: CWE-95

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31253 https://nvd.nist.gov/vuln/detail/CVE-2026-31253 Mon, 11 May 2026 17:16:20 +0000 High CVE-2026-31253

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism. The load_checkpoint() function in checkpoint.py and the checkpoint loading code in eval.py use torch.load() without enabling the security-restrictive weights_only=True parameter. This allows the d…

CVSS: 7.3 · CWE: CWE-94

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31252 https://nvd.nist.gov/vuln/detail/CVE-2026-31252 Mon, 11 May 2026 17:16:20 +0000 Medium CVE-2026-31252

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading component. The framework uses torch.load() to load model weight files (e.g., llm.pt, flow.pt, hift.pt) without enabling the security-restrictive weights_only=True parameter. This allows the deserialization of arbitrary Python objects via the…

CVSS: 5.7 · CWE: CWE-94

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31251 https://nvd.nist.gov/vuln/detail/CVE-2026-31251 Mon, 11 May 2026 17:16:20 +0000 High CVE-2026-31251

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects vi…

CVSS: 7.3 · CWE: CWE-20

View on NVD

]]> https://nvd.nist.gov/vuln/detail/CVE-2026-31250 https://nvd.nist.gov/vuln/detail/CVE-2026-31250 Mon, 11 May 2026 17:16:19 +0000 High CVE-2026-31250

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool. The script loads PyTorch checkpoint files (epoch_*.pt) for model averaging using torch.load() without enabling the weights_only=True security parameter. This allows the deserialization of arbitrary Python objects via…

CVSS: 7.3 · CWE: CWE-502

View on NVD

]]>