pypi

4,979 tracked vulnerabilities.

CVE-2026-44661 MEDIUM
python-utcp: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
May 14, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-8597 HIGH
Missing integrity verification in Triton inference handler in Amazon SageMaker Python SDK
May 14, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-8596 HIGH
Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path
May 14, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-44520 MEDIUM
Docling-Graph: SSRF via Missing Internal IP Validation in URLInputHandler
May 14, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-44513 HIGH
Diffusers: `trust_remote_code` bypass via `custom_pipeline` and local custom components
May 14, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-44504 HIGH
Aegra: Cross-user run injection in /threads/{thread_id}/runs (IDOR)
May 14, 2026
EPSS 0.00
CVE-2026-44503 HIGH
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
May 14, 2026
EPSS 0.01
CVE-2026-44484 CRITICAL
Compromise of PyTorch Lightning PyPi Package Versions
May 14, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-44919 MEDIUM
OpenStack Ironic - Denial of Service via Infinite Loop in Checksum Calculation
May 14, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-44439 HIGH
LookyLoo - PlaywrightCapture permits access to local files and internal network resources during page capture
May 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44368 MEDIUM
PyQuorum: Timing side‑channel in mul_mod
May 13, 2026
EPSS 0.00
CVE-2026-42561 HIGH
Python-Multipart: Denial of Service via unbounded multipart part headers
May 13, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-42304 HIGH
Twisted: Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Chains
May 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44364 CRITICAL
misp-modules website - Missing CSRF protection in the website home blueprint
May 13, 2026
EPSS 0.00
CVE-2026-44363 MEDIUM
Unsafe remote resource fetching in expansion misp-modules
May 13, 2026
EPSS 0.00
CVE-2026-42032 CRITICAL
CKAN: Unauthenticated Authorization Bypass in `datastore_search_sql`
May 13, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-42031 CRITICAL NUCLEI
CKAN: Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql`
May 13, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-41255 MEDIUM
CKAN: CSRF exemption primed by anonymous requests
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-41132 HIGH
CKAN: No certificate validation on STMP connection
May 13, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-44432 HIGH
urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API
May 13, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-44431 MEDIUM
urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
May 13, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-42557 CRITICAL
jupyterlab: Command linker attributes in HTML enable one-click command execution from untrusted content
May 13, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-42266 HIGH
jupyterlab: Extension Manager API/GUI Policy Discrepancy allowing 3rd party (malicious) extensions install via POST request.
May 13, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-44307 HIGH
Mako: Path traversal via backslash URI on Windows in TemplateLookup
May 12, 2026
EPSS 0.01
CVE-2026-44305 MEDIUM
Lemur: LDAP TLS certificate verification globally disabled enables credential interception
May 12, 2026
CVSS 6.8
EPSS 0.00