pypi
4,707 tracked vulnerabilities.
CVE-2026-44556
HIGH
Open WebUI: responses passthrough endpoint lacks access control authorization
May 15, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-44555
HIGH
Open WebUI: Base Model Routing Bypasses Access Control via Model Chaining
May 15, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-44554
HIGH
Open WebUI: Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite
May 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-44553
HIGH
Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access
May 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-44552
HIGH
Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning
May 15, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-44551
CRITICAL
Open WebUI: LDAP Empty Password Authentication Bypass
May 15, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-44550
MEDIUM
Open WebUI: Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts
May 15, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-46383
MEDIUM
Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`
May 15, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-45539
HIGH
Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree
May 15, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-44641
HIGH
Microsoft APM: plugin.json component paths escape plugin root and copy arbitrary host files during install
May 15, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-2652
HIGH
Authentication Bypass in mlflow/mlflow
May 15, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-45370
HIGH
python-utcp: Full Process Environment Exposed to CLI Subprocess - Secrets Leakage via Command Injection
May 14, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-45369
HIGH
python-utcp: Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol
May 14, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-44661
MEDIUM
python-utcp: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
May 14, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-8597
HIGH
Missing integrity verification in Triton inference handler in Amazon SageMaker Python SDK
May 14, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-8596
HIGH
Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path
May 14, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-44520
MEDIUM
Docling-Graph: SSRF via Missing Internal IP Validation in URLInputHandler
May 14, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-44513
HIGH
Diffusers: `trust_remote_code` bypass via `custom_pipeline` and local custom components
May 14, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-44504
HIGH
Aegra: Cross-user run injection in /threads/{thread_id}/runs (IDOR)
May 14, 2026
EPSS 0.00
CVE-2026-44503
HIGH
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
May 14, 2026
EPSS 0.00
CVE-2026-44484
CRITICAL
Compromise of PyTorch Lightning PyPi Package Versions
May 14, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-44919
MEDIUM
OpenStack Ironic - Denial of Service via Infinite Loop in Checksum Calculation
May 14, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-44439
MEDIUM
LookyLoo - PlaywrightCapture permits access to local files and internal network resources during page capture
May 13, 2026
EPSS 0.00
CVE-2026-44368
MEDIUM
PyQuorum: Timing side‑channel in mul_mod
May 13, 2026
EPSS 0.00
CVE-2026-42561
HIGH
Python-Multipart: Denial of Service via unbounded multipart part headers
May 13, 2026
CVSS 7.5
EPSS 0.00
Products
tensorflow 427
tensorflow-gpu 421
tensorflow-cpu 417
Django 147
apache-airflow 111
Plone 96
open-webui 86
mlflow 70
apache-superset 67
salt 67
ansible 66
pillow 52
nova 48
gradio 46
rdiffweb 43
matrix-synapse 42
pyload-ng 41
vyper 39
vllm 38
keystone 36
moin 35
aiohttp 33
opencv-contrib-python 30
opencv-python 30
PraisonAI 27
pgadmin4 26
pypdf 24
glance 22
langflow 22
ethyca-fides 21