Pip

The zrok Python SDK `ProxyShare` is vulnerable to server-side request forgery (SSRF) via CVE-2026-45568. When a user sends a request with an absolute URL in the path, the Flask handler passes that path to `urllib.parse.urljoin`, which replaces the configured target host with the user-supplied host, causing the proxy to send the request to an attacker-chosen URL.

CVE-2026-45553 allows a remote attacker to read arbitrary local files by injecting reStructuredText directives into the `ui.restructured_text()` function of a NiceGUI application, if the application passes user-controlled content to that function.

An unauthenticated path traversal vulnerability exists in CloakBrowser's cloakserve component (versions 0.3.27 and earlier) where a crafted fingerprint query parameter with path traversal sequences can be used to delete arbitrary directories accessible to the service user (CVE-2026-45727).

A vulnerability in the `apm-cli` tool allows a malicious APM package to include symlinks that, when installed, can lead to file-content disclosure, by dereferencing symlinks under `.apm/prompts/` and `.apm/agents/` during `apm install`, and copying host-local file contents into the project tree.

A command injection vulnerability in `utcp-cli` versions 1.1.1 and earlier allows attackers to exfiltrate all process-level secrets by injecting commands into CLI subprocesses.

Open WebUI versions 0.9.4 and earlier are vulnerable to Server-Side Request Forgery (SSRF) due to a parsing difference between the urlparse and requests libraries in the `validate_url` function, allowing attackers to bypass URL validation and make requests to internal IP addresses.

Open WebUI is vulnerable to stored cross-site scripting (XSS) via OAuth profile picture handling, allowing an attacker to inject malicious SVG code and potentially takeover user accounts by exfiltrating JWT tokens.

A gym trainer in wger (<= 2.5) can escalate privileges to a gym manager by chaining calls to the trainer-login endpoint due to a flawed permission check, as tracked by CVE-2026-43978.

The FileSystemLoader in python-liquid versions before 2.2.0 allows malicious template authors to read arbitrary files outside the search paths via the `{% include %}` and `{% render %}` tags by using absolute paths; this is resolved in version 2.2.0 by checking for absolute paths in the `resolve_path()` method.

GuardDog versions 1.0.0 through 2.9.0 are vulnerable to Server-Side Request Forgery (SSRF) and potential `GH_TOKEN` exfiltration due to a blind URL rewrite in remote project scanning; an attacker can influence the scanned repository URL to trigger SSRF and capture the `GH_TOKEN` used by GuardDog.

A SQL injection vulnerability exists in the Oracle path of `FilterEngine.create_sqla_query` in Rucio, allowing any authenticated user to execute arbitrary SQL against the backend database via the DID search endpoint, potentially leading to full database compromise and data exfiltration.

PraisonAI versions 1.6.31 and earlier contain a Server-Side Request Forgery (SSRF) vulnerability due to inconsistent URL parsing between the application's validation logic and the underlying requests library, allowing attackers to bypass intended security checks and access internal resources.

A denial-of-service vulnerability exists in Mistune version 3.2.0 due to excessive parsing and CPU consumption when processing specially crafted reference links, leading to application hangs and service unavailability.

PyLoad versions 0.5.0b3.dev99 and earlier are vulnerable to a path traversal vulnerability in the `set_package_data` function, allowing attackers to write files to arbitrary directories with the privileges of the PyLoad process.

JupyterLab versions prior to 4.5.7 do not correctly enforce the allow-list of extensions that can be installed from PyPI Extension Manager, allowing authenticated attackers to escalate privileges and potentially exfiltrate data, move laterally, and persistently compromise server infrastructure.

A path traversal vulnerability exists in the Langflow Knowledge Bases API (`DELETE /api/v1/knowledge_bases`) that allows an authenticated attacker to delete arbitrary directories on the server's filesystem, leading to data loss and potential service disruption.

A SQL injection vulnerability exists in LiteLLM versions 1.81.16 to prior to 1.83.7 allowing an unauthenticated attacker to inject SQL queries via a crafted 'Authorization' header, potentially leading to unauthorized data access or modification.

A path traversal vulnerability exists in Mako versions 1.3.11 and earlier on Windows, allowing attackers to read arbitrary files outside the configured template directory by using backslashes in URIs to bypass directory traversal checks.

A vulnerability in GitPython versions prior to 3.1.47 allows for command execution during repository cloning by manipulating the `multi_options` parameter to inject malicious Git configurations, such as `core.hooksPath`, leading to the execution of attacker-controlled hooks.

Open WebUI is vulnerable to knowledge base destruction and RAG poisoning due to a lack of authorization checks on the `/api/v1/retrieval/process/web` endpoint, allowing an attacker to overwrite a victim's knowledge base with attacker-controlled content.

GitPython versions 3.1.30 through 3.1.46 are vulnerable to command injection by passing attacker-controlled kwargs into `Repo.clone_from()`, `Remote.fetch()`, `Remote.pull()`, or `Remote.push()`, leading to arbitrary command execution due to bypassed safety checks.

A path traversal vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations.

pyp2spec before 0.14.1 is vulnerable to code injection by writing PyPI package metadata into generated spec files without escaping RPM macro directives, allowing malicious packages to execute arbitrary commands on the build machine.

Authenticated users with low-privilege API keys could execute arbitrary commands on the host running LiteLLM via the `/mcp-rest/test/connection` and `/mcp-rest/test/tools/list` endpoints, by submitting a server configuration including command execution parameters.

An unauthenticated SQL injection vulnerability in CKAN's `datastore_search_sql` function allows attackers to access private resources and PostgreSQL system information, affecting versions prior to 2.10.10 and versions 2.11.0 through 2.11.4.

A critical vulnerability, CVE-2025-62373, exists in Pipecat's LivekitFrameSerializer where the deserialize() method uses Python's pickle.loads() on WebSocket data without validation, allowing a malicious WebSocket client to execute arbitrary code on the Pipecat server if LivekitFrameSerializer is explicitly enabled.