Python

An authenticated user can bypass the admin-configured `excluded_paths` security control in `jupyterlab-git` versions up to 0.53.0 by exploiting a case-sensitivity flaw on case-insensitive filesystems (e.g., macOS APFS, Windows NTFS), allowing unauthorized read access to git history and file content in explicitly excluded directories.

Stanza, an NLP library, is vulnerable to remote code execution (CVE-2026-54499) due to an unsafe fallback mechanism when loading PyTorch model files, allowing an attacker who can place a malicious pretrain or model file to achieve arbitrary code execution on systems processing NLP pipelines, leading to credential theft, backdoors, data exfiltration, and lateral movement.

PraisonAI's template loader is vulnerable to a path traversal flaw (GHSA-f44v-7qgw-9gh9) when processing GitHub template URIs, allowing an unauthenticated attacker to write arbitrary files or delete arbitrary directories on the system running PraisonAI, leading to corruption of user configuration, project state, or application data.

An unauthenticated remote attacker can leverage a missing authorization vulnerability (CWE-862) in the Pipecat development runner's `/ws` WebSocket endpoint to supply a crafted `callSid` in a handshake message, compelling the server to use its configured Twilio, Telnyx, or Plivo credentials to issue authenticated API requests that terminate active calls, resulting in denial of service and credential abuse.

A policy bypass vulnerability in PraisonAI (CVE-NONE) allows untrusted recipes to self-approve and execute default-denied critical shell tools, such as `execute_command`, by declaring them in `workflow.yaml` instead of `TEMPLATE.yaml requires.tools`, leading to arbitrary command execution with the privileges of the PraisonAI process.

A Server-Side Request Forgery (SSRF) vulnerability in PraisonAI's `praisonaiagents` package (versions prior to 1.6.61), specifically within the `searxng_search` and `search_web` tools, allows an attacker to exploit prompt injection by controlling the `searxng_url` parameter, enabling the server to make requests to arbitrary internal endpoints, read responses, perform network enumeration, and potentially expose cloud instance credentials.

Praisonai-platform versions up to and including 0.1.4 are vulnerable to a critical authentication bypass stemming from a hardcoded JWT signing secret ('dev-secret-change-me') and a bypassed production guard, allowing unauthenticated attackers to forge JSON Web Tokens (JWTs) and impersonate any user, leading to complete access, privilege escalation to workspace owner, and potential resource destruction.

The `praisonai-platform` package, versions 0.1.4 and below, is critically vulnerable to authentication bypass and privilege escalation due to a hardcoded default JWT signing secret (`dev-secret-change-me`) that is inadvertently enabled in default deployments, allowing an unauthenticated attacker to forge JWTs and impersonate any user.

The amazon-redshift-python-driver versions 2.1.13 and earlier is vulnerable to remote code execution (CVE-2026-8838) due to insufficient validation of server data during query result processing, potentially allowing a rogue server or man-in-the-middle to execute arbitrary code on the client.

The mistralai PyPI package version 2.4.6 contains a malicious dropper that executes on import on Linux, downloading and executing a second-stage payload from a remote IP address, potentially leading to arbitrary code execution.

Pipecat's development runner has a path traversal vulnerability in the `/files` endpoint due to lack of input validation when handling the filename parameter, allowing an unauthenticated attacker with network access to read arbitrary files on the server using `%2F`-encoded separators.

A command injection vulnerability in `utcp-cli` versions 1.1.1 and earlier allows attackers to exfiltrate all process-level secrets by injecting commands into CLI subprocesses.

A memory leak vulnerability exists in UltraJSON's `ujson.dump()` function; when writing to a file-like object, if the write operation raises an exception, the serialized JSON string object is not properly de-referenced, leading to a memory leak (CVE-2026-44660).

Heym before 0.0.21 is vulnerable to a sandbox escape (CVE-2026-45227) in the custom Python tool executor, allowing authenticated workflow authors to bypass restrictions and execute arbitrary host commands as the backend service user.

A malicious repository on Hugging Face, impersonating OpenAI's 'Privacy Filter' project, distributed information-stealing malware to Windows users by executing a PowerShell command that downloads and runs a Rust-based infostealer, which exfiltrates collected data to a command-and-control server.

A Mac adware, likely a component of OSX.Pirrit, uses multiple layers of obfuscation, including base64 encoding, zlib compression, and variable renaming, to evade detection and inject malicious JavaScript from hxxps://1049434604.rsc.cdn77.org/ij1.min.js.

This rule detects the initial creation or modification of a macOS LaunchAgent or LaunchDaemon plist file by a Python process, a common persistence technique employed by attackers using malicious scripts, compromised dependencies, or model file deserialization.

A memory exhaustion vulnerability (CVE-2026-33155) exists in a widely used Python library, affecting services like SageMaker, DataHub, and acryl-datahub due to an incomplete patch for CVE-2025-58367, requiring pinning to version 8.6.2.