Search Vulnerabilities

Malicious code in runtime-vitals (PyPI)

Malicious code in quicklytookerv (PyPI)

Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components

docling-graph has SSRF via Missing Internal IP Validation in URLInputHandler

Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR)

Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect

Compromise of PyTorch Lightning PyPi Package Versions

Weblate vulnerable to XSS via crafted Markdown

Weblate Vulnerable to Private Translation Enumeration via Screenshot API

Playwright Capture permits access to local files and internal network resources during page capture

axonflow-sdk-python: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification

Keras vulnerable to DoS via Malicious .keras Model (HDF5 Shape Bomb Causes Petabyte Allocation in KerasFileEditor)

pyquorum: Timing side‑channel in mul_mod

misp-modules website - Missing CSRF protection in the website home blueprint

misp-modules has nsafe remote resource fetching in expansion

PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass)

PraisonAI has an SSRF bypass

aiograpi has dependency on vulnerable orjson 3.11.4 (CVE-2025-67221)

GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath

python-multipart has Denial of Service via unbounded multipart part headers