pypi

4,979 tracked vulnerabilities.

CVE-2026-48525 MEDIUM
PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS
May 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-48524 LOW
PyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)
May 28, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-48523 MEDIUM
PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys
May 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-48522 MEDIUM
PyJWKClient: missing scheme allowlist enables SSRF + token forgery via file://, ftp://, data: schemes
May 28, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-48156 LOW
pypdf: Possible long runtimes for zero-only width values in cross-reference streams
May 28, 2026
CVSS 3.3
EPSS 0.00
CVE-2026-48155 MEDIUM
pypdf: Possible large memory usage for large offsets for layout mode text
May 28, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-45017 HIGH
Python Liquid: Absolute paths escape filesystem loader search path
May 28, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44660 HIGH
UltraJSON: Memory Leak in ujson.dump() on Write Failure
May 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-45134 HIGH
LangSmith Client SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
May 27, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-44681 MEDIUM
Authlib: Open Redirect in Authlib OIDC Implicit/Hybrid Authorization
May 27, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44346 HIGH
BentoML: Dockerfile command injection via envs[*].name in bentofile.yaml
May 27, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-44345 HIGH
BentoML: Dockerfile command injection via docker.base_image
May 27, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-44353 MEDIUM
Streamlink: Arbitrary local file read via file:// URI in HLS and DASH
May 27, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-9712 LOW
pretix - Insecure Direct Object Reference
May 27, 2026
EPSS 0.00
CVE-2026-48545 MEDIUM
Gradio < 6.15.0 Cookie Injection via Shared Proxy Client
May 27, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-48544 HIGH
Taipy 4.1.1 Path Traversal via ElementLibrary.get_resource()
May 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44972 MEDIUM
GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content
May 27, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-44971 HIGH
GuardDog: Blind GitHub URL rewrite in remote project scanning causes SSRF and `GH_TOKEN` exfiltration
May 27, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-49017 HIGH
Openstack Swift - Loop with Unreachable Exit Condition ('Infinite Loop')
May 27, 2026
EPSS 0.00
CVE-2026-49014 HIGH
Gdal < 3.13.0 - Stack-based Buffer Overflow
May 27, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-48710 MEDIUM NUCLEI
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks
May 26, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-44899 MEDIUM
Mistune Image Directive CSS Injection Vulnerability
May 26, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-44898 MEDIUM
Mistune TOC Anchor Injection XSS
May 26, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44897 MEDIUM
Mistune Heading ID Attribute Injection XSS
May 26, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44896 MEDIUM
Mistune: XSS via unescaped figclass/figwidth in Figure directive
May 26, 2026
CVSS 6.1
EPSS 0.00