pypi

4,979 tracked vulnerabilities.

CVE-2026-53874 CRITICAL
picklescan - Arbitrary Code Execution via Obfuscated eval Call
Jun 17, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-53873 CRITICAL
picklescan - Arbitrary Code Execution via profile.run() Blocklist Bypass
Jun 17, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-53872 HIGH
picklescan - Arbitrary File Read via Unsafe Pickle Deserialization
Jun 17, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-3490 CRITICAL
picklescan - Universal Blocklist Bypass via pkgutil.resolve_name
Jun 17, 2026
CVSS 10.0
EPSS 0.01
CVE-2026-55748 MEDIUM
Openstack Horizon - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Jun 17, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-47103 CRITICAL
Python StateMachine 3.0.0 < 3.2.0 RCE via SCXML eval() Injection
Jun 17, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-50203 CRITICAL
Apache Airflow Sftp Provider < 5.8.1 - Path Traversal
Jun 17, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-48797 CRITICAL
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication
Jun 17, 2026
EPSS 0.00
CVE-2026-48782 MEDIUM
Pydantic AI - Cloud Metadata Server-Side Request Forgery Blocklist Bypass
Jun 17, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-12491 MEDIUM
Vllm: vllm: image exif rotation & png trns transparency not normalized, causing mismatch between model input and expectations
Jun 17, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-48776 MEDIUM
langchain-ai - LangGraph SDK Has Unsafe URL Path Construction
Jun 17, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-46448 MEDIUM
Openstack Nova - Incorrect Resource Transfer Between Spheres
Jun 16, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-48775 MEDIUM
LangGraph Checkpoint: Unsafe JSON deserialization in checkpoint loading
Jun 16, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-12398 HIGH
Galaxy_ng: shell injection in legacy role import via unsanitized git ref names
Jun 16, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-47157 MEDIUM
aiograpi: Unsafe signup challenge path handling
Jun 11, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-52726 HIGH
Dulwich's submodule path traversal in porcelain.submodule_update / porcelain.clone(recurse_submodules=True) yields RCE via attacker-dropped .git/hooks payload
Jun 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-47734 MEDIUM
Dulwich has unbounded memory allocation in receive-pack from crafted thin packs
Jun 10, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-47712 LOW
Dulwich doesn't sanitize commit subjects in `porcelain.format_patch`
Jun 10, 2026
CVSS 3.3
EPSS 0.00
CVE-2026-47213 MEDIUM
BoxLite: Timeout Bypass Vulnerability
Jun 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-46703 CRITICAL
BoxLite < 0.9.0 OCI Image Handling - Arbitrary Host File Write
Jun 10, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-46695 CRITICAL
BoxLite: Permission Bypass in boxlite Allows Modification of Read-Only Files
Jun 10, 2026
CVSS 10.0
EPSS 0.00
CVE-2026-46645 MEDIUM
SQLAdmin: Authorization Bypass on `ajax_lookup`
Jun 10, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-42563 HIGH
Dulwich Vulnerable to Command Injection via Merge Driver Path
Jun 10, 2026
EPSS 0.01
CVE-2026-42305 HIGH
Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows
Jun 10, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-50127 MEDIUM
Weblate SSRF: outbound URL guard misses the NAT64 well-known prefix (64:ff9b::/96)
Jun 10, 2026
CVSS 5.9
EPSS 0.00