Security Advisories

Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer

GHSA-xv5p-fjw5-vrj6 CVE-2025-62703 HIGH 2 days ago

### Summary The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server i...

pypi

No PRs yet

Keylime allows users to register new agents by recycling existing UUIDs when using different TPM devices

GHSA-xh5w-g8gq-r3v9 CVE-2025-13609 HIGH 3 days ago

A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platfor...

pypi

No PRs yet

vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs

GHSA-pmqf-x6x8-p7qw CVE-2025-62372 HIGH 7 days ago

### Summary Users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct `ndim` but incorrect `sh...

pypi

No PRs yet

vLLM deserialization vulnerability leading to DoS and potential RCE

GHSA-mrw7-hf4f-83pf CVE-2025-62164 HIGH 7 days ago

### Summary A memory corruption vulnerability that leading to a crash (denial-of-service) and potentially remote code execution (RCE) exists in vLL...

pypi

No PRs yet

LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates

GHSA-6qv9-48xg-fc7f CVE-2025-65106 HIGH 7 days ago

## Context A template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals...

pypi

33

Dependabot PRs

OpenStack Keystone allows /v3/ec2tokens or /v3/s3tokens request with valid AWS Signature to provide Keystone authorization.

GHSA-hcqg-5g63-7j9h CVE-2025-65073 HIGH 11 days ago

OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone ...

pypi

No PRs yet

AWS Advanced Python Wrapper: Privilege Escalation in Aurora PostgreSQL instance

GHSA-4jvf-wx3f-2x8q CVE-2025-12967 HIGH 14 days ago

### Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. ...

pypi

No PRs yet

pgAdmin has vulnerability in LDAP authentication mechanism that allows bypassing TLS certificate verification

GHSA-g4r8-3qmh-pmch CVE-2025-12765 HIGH 14 days ago

pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism allows bypassing TLS certificate verification.

pypi

No PRs yet

pgAdmin is affected by an LDAP injection vulnerability

GHSA-cvf4-f829-762v CVE-2025-12764 HIGH 14 days ago

pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP charac...

pypi

No PRs yet

Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)

GHSA-rrx3-2x4g-mq2h CVE-2025-64509 HIGH 15 days ago

### Impact In affected versions, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, le...

pypi

No PRs yet

Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input

GHSA-fc2v-vcwj-269v CVE-2025-64508 HIGH 15 days ago

### Impact In affected versions, brotli "bombs" (highly compressed brotli streams, such as many zeros) can be sent to the server. Since the server...

pypi

No PRs yet

Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc

GHSA-f83h-ghpp-7wcc HIGH 20 days ago

### 🚀 Overview This report **demonstrates a real-world privilege escalation** vulnerability in [pdfminer.six](https://github.com/pdfminer/pdfminer...

pypi

No PRs yet

Arbitrary Code Execution in pdfminer.six via Crafted PDF Input

GHSA-wf5f-4jwr-ppcp CVE-2025-64512 HIGH 20 days ago

### Summary pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()`...

pypi

1

Dependabot PRs

AstrBot contains a directory traversal vulnerability

GHSA-xrj9-mw57-j34v CVE-2025-57698 HIGH 20 days ago

AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-...

pypi

No PRs yet

Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events

GHSA-cm35-v4vp-5xvx CVE-2025-64496 HIGH 20 days ago

### Summary Open WebUI v0.6.33 and below contains a code injection vulnerability in the Direct Connections feature that allows malicious external m...

npm pypi

No PRs yet

Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE

GHSA-w7xj-8fx7-wfch CVE-2025-64495 HIGH 20 days ago

### Summary The functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabl...

npm pypi

No PRs yet

LangGraph Checkpoint affected by RCE in "json" mode of JsonPlusSerializer

GHSA-wwqv-p2pp-99h5 CVE-2025-64439 HIGH 22 days ago

# Summary Prior to `langgraph-checkpoint` version `3.0` , LangGraph’s `JsonPlusSerializer` (used as the default serialization protocol for all che...

pypi

No PRs yet

Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows

GHSA-qw25-v68c-qjf3 CVE-2025-64458 HIGH 22 days ago

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a conseq...

pypi

79

Dependabot PRs

Dosage vulnerable to a Directory Traversal through crafted HTTP responses

GHSA-4vcx-3pj3-44m7 CVE-2025-64184 HIGH 23 days ago

### Impact When downloadinging comic images, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, ...

pypi

No PRs yet

motionEye vulnerable to RCE via unsanitized motion config parameter

GHSA-j945-qm58-4gjx CVE-2025-60787 HIGH 24 days ago

## Summary A command injection vulnerability in MotionEye allows attackers to achieve Remote Code Execution (RCE) by supplying malicious values in ...

pypi

No PRs yet

Agno session state overwrites between different sessions/users

GHSA-vw84-hprm-cxmm CVE-2025-64168 HIGH 27 days ago

### Impact Under certain conditions (under high concurrency), when `session_state` is passed to an Agent or Team during run or arun calls, a race c...

pypi

No PRs yet

Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in brotli decompression implementation

GHSA-2qfp-q593-8484 CVE-2025-6176 HIGH 28 days ago

Scrapy versions up to 2.13.3 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The prote...

pypi

5

Dependabot PRs

Keras keras.utils.get_file API is vulnerable to a path traversal attack

GHSA-28jp-44vh-q42h CVE-2025-12060 HIGH 28 days ago

The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utili...

pypi

No PRs yet

LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore

GHSA-7p73-8jqx-23r8 CVE-2025-64104 HIGH 29 days ago

### Summary LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper paramet...

pypi

No PRs yet

MLflow Weak Password Requirements Authentication Bypass Vulnerability

GHSA-6xj8-rrqx-r4cv CVE-2025-11200 HIGH 29 days ago

MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affec...

pypi

No PRs yet

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability

GHSA-5cvj-7rg6-jggj CVE-2025-11201 HIGH 29 days ago

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execut...

pypi

No PRs yet

FastMCP Auth Integration Allows for Confused Deputy Account Takeover

GHSA-c2jp-c369-7pvx HIGH 29 days ago

### Summary FastMCP documentation [covers the scenario](https://gofastmcp.com/integrations/azure) where it is possible to use Entra ID or other pr...

pypi

No PRs yet

Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``

GHSA-7f5h-v6xp-fcq8 CVE-2025-62727 HIGH about 1 month ago

### Summary An unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's `FileResponse` ...

pypi

20

Dependabot PRs

pg8000 SQL injection vulnerability via a specially crafted Python list input

GHSA-wq2g-r956-j8cc CVE-2025-61385 HIGH about 1 month ago

SQL injection vulnerability in tlocke pg8000 1.31.4 allows remote attackers to execute arbitrary SQL commands via a specially crafted Python list i...

pypi

No PRs yet

LangGraph's SQLite store implementation has a SQL Injection Vulnerability

GHSA-4h97-wpxp-3757 CVE-2025-8709 HIGH about 1 month ago

A SQL injection vulnerability exists in the langchain-ai/langgraph repository, specifically in the LangGraph's SQLite store implementation. The aff...

pypi

No PRs yet

aiomysql allows arbitrary access to client files through vulnerability of a malicious MySQL server

GHSA-r397-ff8c-wv2g CVE-2025-62611 HIGH about 1 month ago

### Summary The client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the cl...

pypi

1

Dependabot PRs

Taguette password reset link poisoning

GHSA-7rc8-5c8q-jr6j CVE-2025-62527 HIGH about 1 month ago

### Impact An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email contai...

pypi

No PRs yet

Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name

GHSA-mq77-rv97-285m CVE-2025-62172 HIGH about 1 month ago

### Summary An authenticated party can add a malicious name to the Energy entity, allowing for Cross-Site Scripting attacks against anyone who can ...

pypi

No PRs yet

llama-index has Insecure Temporary File

GHSA-rg9h-vx28-xxp5 CVE-2025-7707 HIGH about 2 months ago

The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi...

pypi

No PRs yet

Authlib is vulnerable to Denial of Service via Oversized JOSE Segments

GHSA-pq5p-34cr-23v9 CVE-2025-61920 HIGH about 2 months ago

**Summary** Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64...

pypi

9

Dependabot PRs

pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters

GHSA-cjjf-27cc-pvmv CVE-2025-61773 HIGH about 2 months ago

### Summary pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. ...

pypi

No PRs yet

vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class

GHSA-3f6c-7fw2-ppm4 CVE-2025-6242 HIGH about 2 months ago

### Summary A Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature s...

pypi

No PRs yet

LLaMA Factory's Chat API Contains Critical SSRF and LFI Vulnerabilities

GHSA-527m-2xhr-j27g CVE-2025-61784 HIGH about 2 months ago

## Summary ## A Server-Side Request Forgery (SSRF) vulnerability in the chat API allows any authenticated user to force the server to make arbitra...

pypi

No PRs yet

vLLM is vulnerable to timing attack at bearer auth

GHSA-wr9h-g72x-mwhm CVE-2025-59425 HIGH about 2 months ago

### Summary The API key support in vLLM performed validation using a method that was vulnerable to a timing attack. This could potentially allow an...

pypi

No PRs yet

Litestar X-Forwarded-For Header Spoofing Vulnerability Enables Rate Limit Evasion

GHSA-hm36-ffrh-c77c CVE-2025-59152 HIGH about 2 months ago

While testing Litestar's RateLimitMiddleware, I discovered that rate limits can be completely bypassed by manipulating the X-Forwarded-For header. ...

pypi

No PRs yet

LangChain Text Splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing

GHSA-m42m-m8cr-8m58 CVE-2025-6985 HIGH about 2 months ago

The HTMLSectionSplitter class in langchain-text-splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing. This vulne...

pypi

No PRs yet

Django vulnerable to SQL injection in column aliases

GHSA-hpr9-3m2g-3j9p CVE-2025-59681 HIGH about 2 months ago

An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggre...

pypi

21

Dependabot PRs

llama-index-core insecurely handles temporary files

GHSA-cr7q-2w66-hjcm CVE-2025-7647 HIGH 2 months ago

The llama-index-core package, up to version 0.12.44, contains a vulnerability in the `get_cache_dir()` function where a predictable, hardcoded dire...

pypi

No PRs yet

Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

GHSA-9ggr-2464-2j32 CVE-2025-59420 HIGH 2 months ago

## Summary Authlib’s JWS verification accepts tokens that declare unknown critical header parameters (`crit`), violating RFC 7515 “must‑understand”...

pypi

No PRs yet

The Keras `Model.load_model` method silently ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.

GHSA-36rr-ww3j-vrjv CVE-2025-9905 HIGH 2 months ago

**Note:** This report has already been discussed with the Google OSS VRP team, who recommended that I reach out directly to the Keras team. I’ve ch...

pypi

No PRs yet

Keras is vulnerable to Deserialization of Untrusted Data

GHSA-36fq-jgmw-4r9c CVE-2025-9906 HIGH 2 months ago

### Arbitrary Code Execution in Keras Keras versions prior to 3.11.0 allow for arbitrary code execution when loading a crafted `.keras` model arch...

pypi

No PRs yet

Neo4j Cypher MCP server is vulnerable to DNS rebinding

GHSA-vcqx-v2mg-7chx CVE-2025-10193 HIGH 3 months ago

### Impact DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute un...

pypi

No PRs yet

xml2rfc is vulnerable to arbitrary file reads through prepped files

GHSA-9mv7-3c64-mmqw CVE-2025-11059 HIGH 3 months ago

### Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious lin...

pypi

No PRs yet

PyInstaller has local privilege escalation vulnerability

GHSA-p2xp-xx3r-mffc CVE-2025-59042 HIGH 3 months ago

### Impact Due to a special entry being appended to `sys.path` during the bootstrap process of a PyInstaller-frozen application, and due to the bo...

pypi

No PRs yet

Monai: Unsafe use of Pickle deserialization may lead to RCE

GHSA-p8cm-mm2v-gwjm CVE-2025-58757 HIGH 3 months ago

>To prevent this report from being deemed inapplicable or out of scope, due to the project's unique nature (for medical applications) and widesprea...

pypi

No PRs yet

24,784

1,790

3,506

8,617

Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer

Keylime allows users to register new agents by recycling existing UUIDs when using different TPM devices

vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs

vLLM deserialization vulnerability leading to DoS and potential RCE

LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates

OpenStack Keystone allows /v3/ec2tokens or /v3/s3tokens request with valid AWS Signature to provide Keystone authorization.

AWS Advanced Python Wrapper: Privilege Escalation in Aurora PostgreSQL instance

pgAdmin has vulnerability in LDAP authentication mechanism that allows bypassing TLS certificate verification

pgAdmin is affected by an LDAP injection vulnerability

Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)

Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input

Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc

Arbitrary Code Execution in pdfminer.six via Crafted PDF Input

AstrBot contains a directory traversal vulnerability

Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events

Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE

LangGraph Checkpoint affected by RCE in "json" mode of JsonPlusSerializer

Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows

Dosage vulnerable to a Directory Traversal through crafted HTTP responses

motionEye vulnerable to RCE via unsanitized motion config parameter

Agno session state overwrites between different sessions/users

Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in brotli decompression implementation

Keras keras.utils.get_file API is vulnerable to a path traversal attack

LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore

MLflow Weak Password Requirements Authentication Bypass Vulnerability

MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability

FastMCP Auth Integration Allows for Confused Deputy Account Takeover

Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``

pg8000 SQL injection vulnerability via a specially crafted Python list input

LangGraph's SQLite store implementation has a SQL Injection Vulnerability

aiomysql allows arbitrary access to client files through vulnerability of a malicious MySQL server

Taguette password reset link poisoning

Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name

llama-index has Insecure Temporary File

Authlib is vulnerable to Denial of Service via Oversized JOSE Segments

pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters

vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class

LLaMA Factory's Chat API Contains Critical SSRF and LFI Vulnerabilities

vLLM is vulnerable to timing attack at bearer auth

Litestar X-Forwarded-For Header Spoofing Vulnerability Enables Rate Limit Evasion

LangChain Text Splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing

Django vulnerable to SQL injection in column aliases

llama-index-core insecurely handles temporary files

Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.

Keras is vulnerable to Deserialization of Untrusted Data

Neo4j Cypher MCP server is vulnerable to DNS rebinding

xml2rfc is vulnerable to arbitrary file reads through prepped files

PyInstaller has local privilege escalation vulnerability

Monai: Unsafe use of Pickle deserialization may lead to RCE

The Keras `Model.load_model` method silently ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.