pypi

4,979 tracked vulnerabilities.

CVE-2026-49471 HIGH
Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE
Jul 07, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-52830 CRITICAL
fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection
Jul 02, 2026
CVSS 9.4
EPSS 0.00
CVE-2026-49851 HIGH
Mistune: Potential DoS via quadratic-time parsing in parse_link_text
Jun 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-55255 HIGH KEV
Langflow < 1.9.2 - Authenticated Insecure Direct Object Reference
Jun 23, 2026
CVSS 8.4
EPSS 0.01
CVE-2026-56266 HIGH
Crawl4AI - Server-Side Request Forgery via Direct Crawl Endpoints
Jun 22, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-54651 MEDIUM
pypdf: Possible infinite loop when processing threads/articles in writer
Jun 22, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-55443 MEDIUM
LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders
Jun 22, 2026
CVSS 5.1
EPSS 0.00
CVE-2026-49291 HIGH
mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call
Jun 19, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-56078 HIGH
PraisonAI - Arbitrary File Read and Write via Path Traversal in MultiAgentMonitor
Jun 18, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-56074 MEDIUM
PraisonAI - Tool Approval Cache Bypass via Coarse-Grained Caching
Jun 18, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-49257 CRITICAL
mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
Jun 18, 2026
CVSS 10.0
EPSS 0.00
CVE-2026-54533 MEDIUM
vantage6 node has an Improper Access Control issue
Jun 17, 2026
EPSS 0.00
CVE-2026-54445 MEDIUM
Vantage6: Set admin user and password from environment or configuration
Jun 17, 2026
EPSS 0.00
CVE-2026-12568 MEDIUM
Black Lantern Security BBOT - Arbitrary File Write in postman_download Module
Jun 17, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-12567 LOW
Black Lantern Security BBOT - Symlink-Following Arbitrary Write via github_workflows Module
Jun 17, 2026
CVSS 2.2
EPSS 0.00
CVE-2026-12566 LOW
SSRF via unvalidated WWW-Authenticate realm in docker_pull module
Jun 17, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-12565 MEDIUM
Black Lantern Security BBOT - Path Traversal (Zip-Slip) in Unarchive Module
Jun 17, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-54386 MEDIUM
marimo < 0.23.9 XSS via file Query Parameter in assets.py
Jun 17, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-48990 MEDIUM
joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization
Jun 17, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-48989 HIGH
Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS
Jun 17, 2026
EPSS 0.00
CVE-2026-12530 HIGH
Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()
Jun 17, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-48817 MEDIUM
Starlette: Arbitrary HTTP method dispatched to `HTTPEndpoint` attributes via `getattr`
Jun 17, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-53870 MEDIUM
Hermes Agent < 0.16.0 - World-Readable Store Files Expose Secrets
Jun 17, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-53869 HIGH
Hermes Agent < 0.16.0 - DNS Rebinding Bypass via WebSocket Endpoints
Jun 17, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-53875 HIGH
picklescan - Scanning Bypass via Dynamic Eval in scan_pytorch
Jun 17, 2026
EPSS 0.00