pypi

4,986 tracked vulnerabilities.

CVE-2026-33744 HIGH
BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml
Mar 27, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-33718 HIGH
OpenHands is Vulnerable to Command Injection through its Git Diff Handler
Mar 27, 2026
CVSS 7.6
EPSS 0.02
CVE-2026-33699 HIGH
pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream
Mar 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-29071 LOW
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories
Mar 27, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-29070 MEDIUM
Open WebUI has unauthorized deletion of knowledge files
Mar 27, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-28788 HIGH
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite
Mar 27, 2026
CVSS 7.1
EPSS 0.03
CVE-2026-28786 MEDIUM
Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions`
Mar 27, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-27893 HIGH
vLLM's hardcoded trust_remote_code=True in NemotronVL and KimiK25 bypasses user security opt-out
Mar 27, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-33682 MEDIUM
Streamlit on Windows has Unauthenticated SSRF Vulnerability (NTLM Credential Exposure)
Mar 26, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-33545 MEDIUM
MobSF has SQL Injection in its SQLite Database Viewer Utils
Mar 26, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33430 HIGH
Briefcase: Windows MSI Installer Privilege Escalation via Insecure Directory Permissions
Mar 26, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-27602 HIGH
Modoboa <2.7.1 Domain Names - Authenticated OS Command Injection
Mar 25, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-25645 MEDIUM
Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
Mar 25, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-24159 HIGH
NVIDIA NeMo Framework < 2.6.2 - Remote Code Execution via Untrusted Data Deserialization
Mar 24, 2026
CVSS 7.8
EPSS 0.01
CVE-2026-24157 HIGH
NVIDIA NeMo Framework < 2.6.2 - Remote Code Execution via Checkpoint Loading
Mar 24, 2026
CVSS 7.8
EPSS 0.01
CVE-2026-33509 HIGH
pyload-ng: SETTINGS Permission Users Can Achieve Remote Code Execution via Unrestricted Reconnect Script Configuration
Mar 24, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33332 HIGH
NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
Mar 24, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33314 MEDIUM
pyload-ng: Improper Authentication and Origin Validation Error
Mar 24, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33497 HIGH
Langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading
Mar 24, 2026
CVSS 7.5
EPSS 0.08
CVE-2026-33484 HIGH
Langflow has Unauthenticated IDOR on Image Downloads
Mar 24, 2026
CVSS 7.5
EPSS 0.06
CVE-2026-33310 HIGH
Intake <2.0.9 Parameter Defaults - Command Injection
Mar 24, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-33309 CRITICAL
Langflow 1.2.0-1.8.1 v2 File Upload - Arbitrary File Write
Mar 24, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-33046 HIGH
Indico < 3.3.12 - Remote Code Execution via LaTeX Sanitizer Bypass
Mar 23, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-26209 HIGH
cbor2 < 5.9.0 - Denial of Service via Deeply Nested CBOR Structures
Mar 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-4539 LOW
pygments archetype.py AdlLexer redos
Mar 22, 2026
CVSS 3.3
EPSS 0.00