pypi

4,979 tracked vulnerabilities.

CVE-2026-41425 MEDIUM
Authlib: Cross-site request forging when using cache
Apr 24, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41140 HIGH
Poetry < 2.3.4 - Path Traversal via Tarball Extraction
Apr 24, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-41066 HIGH
lxml < 6.1.0 - XML External Entity Injection via Default Parser Configuration
Apr 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25660 CRITICAL
Authentication bypass for certain API calls
Apr 24, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-40690 MEDIUM
Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users
Apr 24, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-38743 MEDIUM
Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities
Apr 24, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41241 HIGH
pretalx: Stored cross-site scripting in organiser search typeahead
Apr 23, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-41205 HIGH
Mako: Path traversal via double-slash URI prefix in TemplateLookup
Apr 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41206 HIGH
PySpector <0.1.8 PluginSecurity.validate_plugin_code - Code Execution Bypass
Apr 23, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-41182 MEDIUM
LangSmith SDK: Streaming token events bypass output redaction
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-6878 MEDIUM
ByteDance verl grader.py math_equal sandbox
Apr 23, 2026
CVSS 5.6
EPSS 0.00
CVE-2026-41314 MEDIUM
pypdf: Manipulated FlateDecode image dimensions can exhaust RAM
Apr 22, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41313 MEDIUM
pypdf: Possible long runtimes for wrong size values in incremental mode
Apr 22, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41312 MEDIUM
pypdf: Manipulated FlateDecode predictor parameters can exhaust RAM
Apr 22, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41168 MEDIUM
pypdf has possible long runtimes for wrong size values in cross-reference and object streams
Apr 22, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-6859 HIGH
Instructlab: instructlab: arbitrary code execution due to hardcoded `trust_remote_code=true`
Apr 22, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-6855 HIGH
InstructLab - Path Traversal Arbitrary File Write
Apr 22, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41133 HIGH
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
Apr 22, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-40606 MEDIUM
ProxyAuth Addon LDAP Injection in mitmproxy
Apr 21, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-40602 MEDIUM
hass-cli: Handling of user-supplied Jinja2 templates
Apr 21, 2026
CVSS 5.6
EPSS 0.00
CVE-2026-40594 MEDIUM
pyLoad: Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)
Apr 21, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-40576 CRITICAL
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in excel-mcp-server
Apr 21, 2026
CVSS 9.4
EPSS 0.00
CVE-2026-39378 MEDIUM
nbconvert 6.5-7.17.0 HTMLExporter Image Embedding - Arbitrary File Read
Apr 21, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-39377 MEDIUM
nbconvert 6.5-7.17.0 Cell Attachments - Arbitrary File Write
Apr 21, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35588 MEDIUM
Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values
Apr 21, 2026
CVSS 6.3
EPSS 0.00