pypi
4,707 tracked vulnerabilities.
CVE-2026-41066
HIGH
lxml < 6.1.0 - XML External Entity Injection via Default Parser Configuration
Apr 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25660
CRITICAL
Authentication bypass for certain API calls
Apr 24, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-40690
MEDIUM
Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users
Apr 24, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-38743
MEDIUM
Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities
Apr 24, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41241
HIGH
pretalx: Stored cross-site scripting in organiser search typeahead
Apr 23, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-41205
HIGH
Mako: Path traversal via double-slash URI prefix in TemplateLookup
Apr 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41206
HIGH
PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code
Apr 23, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-41182
MEDIUM
LangSmith SDK: Streaming token events bypass output redaction
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-6878
MEDIUM
ByteDance verl grader.py math_equal sandbox
Apr 23, 2026
CVSS 5.6
EPSS 0.00
CVE-2026-41314
MEDIUM
pypdf: Manipulated FlateDecode image dimensions can exhaust RAM
Apr 22, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41313
MEDIUM
pypdf: Possible long runtimes for wrong size values in incremental mode
Apr 22, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41312
MEDIUM
pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM
Apr 22, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41168
MEDIUM
pypdf has possible long runtimes for wrong size values in cross-reference and object streams
Apr 22, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-6859
HIGH
Instructlab: instructlab: arbitrary code execution due to hardcoded `trust_remote_code=true`
Apr 22, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-6855
HIGH
InstructLab - Path Traversal Arbitrary File Write
Apr 22, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41133
HIGH
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
Apr 22, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-40606
MEDIUM
ProxyAuth Addon LDAP Injection in mitmproxy
Apr 21, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-40602
MEDIUM
hass-cli: Handling of user-supplied Jinja2 templates
Apr 21, 2026
CVSS 5.6
EPSS 0.00
CVE-2026-40594
MEDIUM
pyLoad: Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)
Apr 21, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-40576
CRITICAL
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in excel-mcp-server
Apr 21, 2026
CVSS 9.4
EPSS 0.00
CVE-2026-39378
MEDIUM
nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding
Apr 21, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-39377
MEDIUM
nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames
Apr 21, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35588
MEDIUM
Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values
Apr 21, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-35587
HIGH
Glances IP Plugin has SSRF via public_api that leads to credential leakage
Apr 21, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-34839
MEDIUM
Glances Vulnerable to Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS
Apr 21, 2026
CVSS 6.5
EPSS 0.00
Products
tensorflow 427
tensorflow-gpu 421
tensorflow-cpu 417
Django 147
apache-airflow 111
Plone 96
open-webui 86
mlflow 70
apache-superset 67
salt 67
ansible 66
pillow 52
nova 48
gradio 46
rdiffweb 43
matrix-synapse 42
pyload-ng 41
vyper 39
vllm 38
keystone 36
moin 35
aiohttp 33
opencv-contrib-python 30
opencv-python 30
PraisonAI 27
pgadmin4 26
pypdf 24
glance 22
langflow 22
ethyca-fides 21