pypi

4,986 tracked vulnerabilities.

CVE-2025-33245 HIGH
NVIDIA NeMo Framework <=2.6.1 - Malicious Data Deserialization Remote Code Execution
Feb 18, 2026
CVSS 8.0
EPSS 0.01
CVE-2025-69872 CRITICAL
DiskCache <= 5.6.3 - Remote Code Execution via Pickle Deserialization
Feb 11, 2026
CVSS 9.8
EPSS 0.01
CVE-2025-64712 CRITICAL
unstructured < 0.18.18 - Path Traversal and Arbitrary File Write via MSG Attachment Processing
Feb 04, 2026
CVSS 9.8
EPSS 0.01
CVE-2025-70560 HIGH
Boltz 2.0.0 - Remote Code Execution via Insecure Pickle Deserialization
Feb 03, 2026
CVSS 8.4
EPSS 0.00
CVE-2025-70559 MEDIUM
pdfminer.six < 20251230 - Remote Code Execution via Insecure CMap Cache Deserialization
Feb 03, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-14550 HIGH
Django 4.2-4.2.27, 5.2-5.2.10, 6.0-6.0.1 - Denial of Service via Duplicate ASGI Headers
Feb 03, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-13473 MEDIUM
Django <6.0.2-4.2.28 - Info Disclosure
Feb 03, 2026
CVSS 5.3
EPSS 0.01
CVE-2025-70960 MEDIUM
Tendenci CMS 15.3.7 - Stored Cross-Site Scripting in Forums Module
Feb 02, 2026
CVSS 5.4
EPSS 0.00
CVE-2025-70959 MEDIUM
Tendenci CMS 15.3.7 - Stored Cross-Site Scripting in Jobs Module
Feb 02, 2026
CVSS 5.4
EPSS 0.00
CVE-2025-69207 MEDIUM
khoj < 2.0.0-beta.23 - Unauthenticated IDOR via Notion OAuth Callback State Parameter
Feb 02, 2026
CVSS 5.4
EPSS 0.00
CVE-2025-6208 MEDIUM
Llama Index <0.12.23 - Memory Corruption
Feb 02, 2026
CVSS 5.3
EPSS 0.00
CVE-2025-10279 HIGH
mlflow < 3.4.0 - Arbitrary Code Execution via Insecure Temporary Directory Permissions
Feb 02, 2026
CVSS 7.0
EPSS 0.00
CVE-2025-69662 HIGH
geopandas < 1.1.2 - SQL Injection via to_postgis() Function
Jan 30, 2026
CVSS 8.6
EPSS 0.00
CVE-2025-62349 MEDIUM
Salt 3006.12-3006.16 and 3007.4-3007.8 - Authentication Bypass via Protocol Downgrade
Jan 30, 2026
CVSS 6.2
EPSS 0.00
CVE-2025-62348 HIGH
Salt < 3006.17, 3006.0-3006.16, 3007.0-3007.8 - Remote Code Execution via Unsafe YAML Decode in junos Execution Module
Jan 30, 2026
CVSS 7.8
EPSS 0.00
CVE-2025-11687 MEDIUM
gi-docgen < 2025.5 - Cross-Site Scripting via q GET Parameter
Jan 26, 2026
CVSS 6.1
EPSS 0.00
CVE-2025-67221 HIGH
orjson < 3.11.4 - Denial of Service via Deeply Nested JSON Documents
Jan 22, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-71176 MEDIUM
pytest < 9.0.3 - Denial of Service via Insecure Temporary Directory Permissions
Jan 22, 2026
CVSS 6.8
EPSS 0.00
CVE-2025-68616 HIGH
WeasyPrint < 68.0 - Server-Side Request Forgery via HTTP Redirect Bypass
Jan 19, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-68675 HIGH
Apache Airflow <3.1.6 - Info Disclosure
Jan 16, 2026
CVSS 7.5
EPSS 0.02
CVE-2025-68438 HIGH
Apache Airflow 3.1.0-3.1.5 - Exposure of Sensitive Information in Rendered Templates UI
Jan 16, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-68492 MEDIUM
Chainlit < 2.8.5 - Authorization Bypass via User-Controlled Key
Jan 14, 2026
CVSS 4.2
EPSS 0.00
CVE-2025-68472 HIGH
MindsDB < 25.11.1 - Unauthenticated Path Traversal and Arbitrary File Read via File Upload API
Jan 12, 2026
CVSS 8.1
EPSS 0.19
CVE-2025-14279 HIGH
MLFlow <= 3.4.0 - DNS Rebinding Attack via Missing Origin Header Validation
Jan 12, 2026
CVSS 8.1
EPSS 0.00
CVE-2025-15506 LOW
OpenColorIO < 2.5.1 - Out-of-Bounds Read in ConvertToRegularExpression
Jan 11, 2026
CVSS 3.3
EPSS 0.00