Rhoai Odh-Feature-Server-Rhel9 vulnerabilities
8 known vulnerabilities affecting rhoai/odh-feature-server-rhel9.
Total CVEs: 8
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 5
Vulnerabilities
CVE-2026-8643 | HIGH | CVSS 8.0 | 2026-05-27
CVE-2026-8643 [HIGH] CWE-22 python-pip: Path traversal via malicious entry point name in pip wheel installation allows arbitrary file overwrite
A flaw was found in pip, the package installer for Python. A remote attacker can exploit this vulnerability by tricking a victim into installing a malicious Python wheel. This wheel contains specially crafted entry-point names that use dir
Source: redhat
CVE-2026-48710 | MEDIUM | CVSS 6.5 | PoC available | 2026-05-26
CVE-2026-48710 [MEDIUM] CWE-1289 starlette: Starlette: Security restriction bypass via malformed HTTP Host header
A flaw was found in Starlette, a lightweight ASGI (Asynchronous Server Gateway Interface) framework. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP `Host` request header. This malformed header could cause the `request.url` to be incorrectly reconstructed, leading
Source: redhat
CVE-2026-44432 | HIGH | CVSS 8.9 | 2026-05-13
CVE-2026-44432 [HIGH] CWE-409 urllib3: urllib3: Denial of Service due to excessive HTTP response decompression
A flaw was found in urllib3, an HTTP client library for Python. This vulnerability allows a remote attacker to cause excessive resource consumption, such as high CPU usage and massive memory allocation, on the client side. This occurs when urllib3 attempts to decompress an entire HTTP response, even if onl
Source: redhat
CVE-2026-44431 | HIGH | CVSS 8.2 | 2026-05-13
CVE-2026-44431 [HIGH] CWE-201 urllib3: urllib3: Information disclosure via cross-origin redirects forwarding sensitive headers
A flaw was found in urllib3, an HTTP client library for Python. When using the low-level API via `ProxyManager.connection_from_url().urlopen()` with `assert_same_host=False`, cross-origin redirects can still forward sensitive headers. This could allow a remote attacker to ga
Source: redhat
CVE-2026-6357 | MEDIUM | CVSS 5.3 | 2026-04-27
CVE-2026-6357 [MEDIUM] CWE-94 pip: pip: Arbitrary code execution or information disclosure via malicious wheel package installation
A flaw was found in pip. Prior to version 26.1, pip's self-update check functionality would execute after installing wheel packages. This process involved importing newly installed Python modules. A malicious actor could craft a specially designed wheel package tha
Source: redhat
CVE-2026-3219 | MEDIUM | CVSS 4.6 | 2026-04-20
CVE-2026-3219 [MEDIUM] CWE-1287 pip: pip: Incorrect file installation due to improper archive handling
A flaw was found in pip. This vulnerability occurs because pip incorrectly processes concatenated tar and ZIP files as ZIP files, regardless of their true format. This improper handling can lead to confusing installation behavior, potentially causing the installation of unintended or 'incorrect' files. This could allow an a
Source: redhat
CVE-2026-28684 | MEDIUM | CVSS 6.6 | 2026-04-20
CVE-2026-28684 [MEDIUM] CWE-59 python-dotenv: python-dotenv: Arbitrary file overwrite via symbolic link following
A flaw was found in python-dotenv. A local attacker can exploit this by crafting a symbolic link, which the `set_key()` and `unset_key()` functions in python-dotenv follow when rewriting `.env` files. This can lead to the overwriting of arbitrary files on the system.
Mitigation: Mitigation for this i
Source: redhat
CVE-2026-40347 | MEDIUM | CVSS 5.3 | 2026-04-17
CVE-2026-40347 [MEDIUM] CWE-1050 python-multipart: Python-Multipart: Denial of Service via crafted multipart/form-data requests
Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Upgrade to version 0.0.26 or later, which skips ahead to
Source: redhat