pypi

4,979 tracked vulnerabilities.

CVE-2026-44844 MEDIUM
eml_parser: Recursion DoS via nested message/rfc822 attachments
May 26, 2026
EPSS 0.00
CVE-2026-44843 HIGH
LangChain: Unsafe deserialization of attacker-controlled LangChain objects through overly broad `load()` allowlists
May 26, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-44708 MEDIUM
Mistune Math Plugin XSS Escape Bypass
May 26, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44209 HIGH
Banks: Critical Remote Code Execution (RCE) via Jinja2 SSTI
May 26, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-44730 HIGH
OpenCTI: Privilege escalation via graphQL API abusable by organization admins, due to incorrect ACL on userEdit relationAdd
May 26, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-42448 LOW
wormhole receive, with --output pointing at an existing directory can be path-traversed
May 26, 2026
CVSS 3.5
EPSS 0.00
CVE-2026-47728 MEDIUM
Bugsink: Project scoping missing in sourcemap and debug-file lookup
May 26, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-47716 LOW
Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known
May 26, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-47715 LOW
Bugsink: Issue event views can show an event from another project if its UUID is known
May 26, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-44502 MEDIUM
Bugsink: SSRF bypass in `validate_webhook_url`
May 26, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-9540 MEDIUM
vllm-project vllm OpenAI-compatible Serving Path denial of service
May 26, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-46745 MEDIUM
Apache Airflow FAB provider: LDAP Filter Injection in FAB Auth Manager _search_ldap reachable via /auth/token
May 25, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-45361 HIGH
Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)
May 25, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-2651 CRITICAL
Missing Authorization Validation in mlflow/mlflow
May 25, 2026
CVSS 9.0
EPSS 0.00
CVE-2026-4372 HIGH
Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers
May 24, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-9369 MEDIUM
NousResearch hermes-agent CLI web-dashboard web_server.py _discover_dashboard_plugins comparison
May 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-9368 HIGH
NousResearch hermes-agent Environment Variable code_execution_tool.py execute_code sandbox
May 24, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-9366 HIGH
NousResearch hermes-agent prompt_builder.py _scan_context_content injection
May 24, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-9353 HIGH
NousResearch hermes-agent Skills Guard Multi-Word Prompt skills_guard.py injection
May 24, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-3515 HIGH
Argument Injection in prefecthq/prefect
May 24, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-40864 MEDIUM
JupyterHub: Cross-origin form POSTs bypass XSRF
May 22, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-40610 MEDIUM
BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context
May 22, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-9291 HIGH
Insecure Deserialization in Amazon Braket SDK Job Results Processing
May 22, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-47102 HIGH
LiteLLM < 1.83.10 Privilege Escalation via User Update
May 21, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-47101 HIGH
LiteLLM < 1.83.14 Privilege Escalation via API Key Generation
May 21, 2026
CVSS 8.8
EPSS 0.01