Most recent entries from pysec
Feed: https://cve.circl.lu/rss/recent/pysec/10
Generated: 2025-07-16T11:41:05.061389+00:00 by Vulnerability-Lookup (info@circl.lu), python-feedgen
Contains only the 10 most recent entries.

pysec-2025-67 (2025-07-16T11:41:05.072895+00:00)
https://cve.circl.lu/vuln/pysec-2025-67
A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown/server.py. The manipulation of the argument file.filename leads to path traversal. The exploit has been disclosed to the public and may be used.

pysec-2025-68 (2025-07-16T11:41:05.072878+00:00)
https://cve.circl.lu/vuln/pysec-2025-68
A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/add_tool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may be used.

pysec-2025-69 (2025-07-16T11:41:05.072861+00:00)
https://cve.circl.lu/vuln/pysec-2025-69
In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).

pysec-2023-278 (2025-07-16T11:41:05.072845+00:00)
https://cve.circl.lu/vuln/pysec-2023-278
MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py`. Users should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the issue.

pysec-2024-82 (2025-07-16T11:41:05.072829+00:00)
https://cve.circl.lu/vuln/pysec-2024-82
Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with.

pysec-2024-83 (2025-07-16T11:41:05.072813+00:00)
https://cve.circl.lu/vuln/pysec-2024-83
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded 'inhouse' model to run arbitrary code on the server when used for a prediction.

pysec-2024-84 (2025-07-16T11:41:05.072796+00:00)
https://cve.circl.lu/vuln/pysec-2024-84
Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded 'inhouse' model to run arbitrary code on the server when a 'describe' query is run on it.

pysec-2024-85 (2025-07-16T11:41:05.072779+00:00)
https://cve.circl.lu/vuln/pysec-2024-85
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded 'inhouse' model to run arbitrary code on the server when using 'finetune' on it.

pysec-2024-258 (2025-07-16T11:41:05.072755+00:00)
https://cve.circl.lu/vuln/pysec-2024-258
In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware.

pysec-2024-259 (2025-07-16T11:41:05.072701+00:00)
https://cve.circl.lu/vuln/pysec-2024-259
In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.