<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent entries from pysec</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent entries.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Wed, 08 Jul 2026 21:51:54 +0000</lastBuildDate>
    <item>
      <title>pysec-2026-2030</title>
      <link>https://vulnerability.circl.lu/vuln/pysec-2026-2030</link>
      <description>### Impact
Due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

### Patches
Patched versions have been released as Wagtail 6.3.6, 7.0.4, 7.1.3 and 7.2.2. The new 7.3 feature release also incorporates this fix.

### Workarounds
No workaround is available.

### Acknowledgements

Many thanks to @thxtech for reporting this issue.

### For more information

If there are any questions or comments about this advisory:

- Visit Wagtail's [support channels](https://docs.wagtail.io/en/stable/support.html)
- Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view our [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).</description>
      <content:encoded>### Impact
Due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.

### Patches
Patched versions have been released as Wagtail 6.3.6, 7.0.4, 7.1.3 and 7.2.2. The new 7.3 feature release also incorporates this fix.

### Workarounds
No workaround is available.

### Acknowledgements

Many thanks to @thxtech for reporting this issue.

### For more information

If there are any questions or comments about this advisory:

- Visit Wagtail's [support channels](https://docs.wagtail.io/en/stable/support.html)
- Send an email to [security@wagtail.org](mailto:security@wagtail.org) (view our [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/vuln/pysec-2026-2030</guid>
      <pubDate>Tue, 07 Jul 2026 16:42:05 +0000</pubDate>
    </item>
    <item>
      <title>pysec-2026-1224</title>
      <link>https://vulnerability.circl.lu/vuln/pysec-2026-1224</link>
      <description>Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded.</description>
      <content:encoded>Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded.</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/vuln/pysec-2026-1224</guid>
      <pubDate>Tue, 07 Jul 2026 16:42:05 +0000</pubDate>
    </item>
    <item>
      <title>pysec-2026-1888</title>
      <link>https://vulnerability.circl.lu/vuln/pysec-2026-1888</link>
      <description>### Summary

SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where the HMAC secret key is stored in environment variables and disclosed via the DescribeTrainingJob API has been identified.

### Impact

- Function and Payload Tampering: Attackers with DescribeTrainingJob permissions may extract HMAC secret keys and forge serialized function payloads stored in S3. These tampered payloads would be processed and executed without triggering integrity validation errors, enabling unintended code substitution.
- Arbitrary Code Execution in the Training Environment: An third party with both DescribeTrainingJob permissions and write access to the job's S3 output location can extract the HMAC key, craft inappropriate Python objects, and achieve remote code execution in the client's Python process when the victim retrieves remote function results.
- Data and Credentials Handling: Arbitrary remote code execution may interact with sensitive data, model artifacts, environment variables, and potentially AWS metadata.
- Cross-Tenant or Shared Environment Risks: In multi-tenant, shared S3 bucket, a disclosed HMAC key could act as a pivot point to perform inappropriate actions against other users' remote function workloads. This could leverage the IAM permissions, shared S3 buckets, or VPC resources to compromise adjacent services or data.

### Impacted versions

- SageMaker Python SDK v3 &lt; v3.2.0
- SageMaker Python SDK v2 &lt; v2.256.0

### Patches
This issue has been addressed in SageMaker Python SDK version [v3.2.0](https://github.com/aws/sagemaker-python-sdk/tree/22d30f577a6139431a1fb9154b7b88a0e2a1ace6) and [v2.256.0](https://github.com/aws/sagemaker-python-sdk/tree/a140cfcd12abfee10254cb4dea3bb10758e4321c). Upgrading to the latest version immediately and ensuring any forked or derivative code is patched to incorporate the new fixes is recommended.

### Workarounds
Customers using self-signed certificates for internal model downloads should add their private Certificate Authority (CA) certificate to the container image rather than relying on the SDK’s previous insecure configuration. This opt-in approach maintains security while accommodating internal trusted domains.

### Resources
If there are any questions or comments about this advisory, contact AWS Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.</description>
      <content:encoded>### Summary

SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where the HMAC secret key is stored in environment variables and disclosed via the DescribeTrainingJob API has been identified.

### Impact

- Function and Payload Tampering: Attackers with DescribeTrainingJob permissions may extract HMAC secret keys and forge serialized function payloads stored in S3. These tampered payloads would be processed and executed without triggering integrity validation errors, enabling unintended code substitution.
- Arbitrary Code Execution in the Training Environment: An third party with both DescribeTrainingJob permissions and write access to the job's S3 output location can extract the HMAC key, craft inappropriate Python objects, and achieve remote code execution in the client's Python process when the victim retrieves remote function results.
- Data and Credentials Handling: Arbitrary remote code execution may interact with sensitive data, model artifacts, environment variables, and potentially AWS metadata.
- Cross-Tenant or Shared Environment Risks: In multi-tenant, shared S3 bucket, a disclosed HMAC key could act as a pivot point to perform inappropriate actions against other users' remote function workloads. This could leverage the IAM permissions, shared S3 buckets, or VPC resources to compromise adjacent services or data.

### Impacted versions

- SageMaker Python SDK v3 &lt; v3.2.0
- SageMaker Python SDK v2 &lt; v2.256.0

### Patches
This issue has been addressed in SageMaker Python SDK version [v3.2.0](https://github.com/aws/sagemaker-python-sdk/tree/22d30f577a6139431a1fb9154b7b88a0e2a1ace6) and [v2.256.0](https://github.com/aws/sagemaker-python-sdk/tree/a140cfcd12abfee10254cb4dea3bb10758e4321c). Upgrading to the latest version immediately and ensuring any forked or derivative code is patched to incorporate the new fixes is recommended.

### Workarounds
Customers using self-signed certificates for internal model downloads should add their private Certificate Authority (CA) certificate to the container image rather than relying on the SDK’s previous insecure configuration. This opt-in approach maintains security while accommodating internal trusted domains.

### Resources
If there are any questions or comments about this advisory, contact AWS Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/vuln/pysec-2026-1888</guid>
      <pubDate>Tue, 07 Jul 2026 16:42:05 +0000</pubDate>
    </item>
    <item>
      <title>pysec-2026-1886</title>
      <link>https://vulnerability.circl.lu/vuln/pysec-2026-1886</link>
      <description>### Summary
SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where SSL certificate verification was globally disabled in the Triton Python backend has been found.

### Impact
Arbitrary Code Execution: Disabling SSL verification allows third parties to intercept HTTPS traffic and replace models or dependencies with inappropriate versions. This could lead to remote code execution in the Triton container.

### Impacted versions

- SageMaker Python SDK v3 &lt; v3.1.1
- SageMaker Python SDK v2 &lt; v2.256.0

### Patches
This issue has been addressed in SageMaker Python SDK version [v3.1.1](https://github.com/aws/sagemaker-python-sdk/tree/1ab6d30401946e92fdbea18497675681649e0153) and [v2.256.0](https://github.com/aws/sagemaker-python-sdk/tree/a140cfcd12abfee10254cb4dea3bb10758e4321c). It is recommended to upgrade to the latest version immediately and ensure any forked or derivative code is patched to incorporate the new fixes.

### Workarounds
Customers using self-signed certificates for internal model downloads should add their private Certificate Authority (CA) certificate to the container image rather than relying on the SDK’s previous insecure configuration. This opt-in approach maintains security while accommodating internal trusted domains.

### References
If there are any questions or comments about this advisory, contact AWS Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.</description>
      <content:encoded>### Summary
SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. An issue where SSL certificate verification was globally disabled in the Triton Python backend has been found.

### Impact
Arbitrary Code Execution: Disabling SSL verification allows third parties to intercept HTTPS traffic and replace models or dependencies with inappropriate versions. This could lead to remote code execution in the Triton container.

### Impacted versions

- SageMaker Python SDK v3 &lt; v3.1.1
- SageMaker Python SDK v2 &lt; v2.256.0

### Patches
This issue has been addressed in SageMaker Python SDK version [v3.1.1](https://github.com/aws/sagemaker-python-sdk/tree/1ab6d30401946e92fdbea18497675681649e0153) and [v2.256.0](https://github.com/aws/sagemaker-python-sdk/tree/a140cfcd12abfee10254cb4dea3bb10758e4321c). It is recommended to upgrade to the latest version immediately and ensure any forked or derivative code is patched to incorporate the new fixes.

### Workarounds
Customers using self-signed certificates for internal model downloads should add their private Certificate Authority (CA) certificate to the container image rather than relying on the SDK’s previous insecure configuration. This opt-in approach maintains security while accommodating internal trusted domains.

### References
If there are any questions or comments about this advisory, contact AWS Security via the [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/vuln/pysec-2026-1886</guid>
      <pubDate>Tue, 07 Jul 2026 16:42:05 +0000</pubDate>
    </item>
    <item>
      <title>pysec-2026-1789</title>
      <link>https://vulnerability.circl.lu/vuln/pysec-2026-1789</link>
      <description>### Summary

An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the host loading a pickle payload from an untrusted source.

### Details

It's possible to hide the `eval` call nested under another callable via `getattr`.

### PoC

```python
import builtins

class EvilClass:
    @staticmethod
    def _obfuscated_eval(payload):
        getattr(builtins, "eval")(payload)

    def __reduce__(self):
        payload = "__import__('os').system('echo \"successful attack\"')"
        return self._obfuscated_eval, (payload,)
```


### Impact

Who is impacted? 
Any organization or individual relying on picklescan to detect malicious pickle files from untrusted sources.

What is the impact? 
Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.

Supply Chain Attack: Attackers can distribute infected pickle files to system that load serialized ML models, APIs, or saved Python objects from untrusted sources.</description>
      <content:encoded>### Summary

An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the host loading a pickle payload from an untrusted source.

### Details

It's possible to hide the `eval` call nested under another callable via `getattr`.

### PoC

```python
import builtins

class EvilClass:
    @staticmethod
    def _obfuscated_eval(payload):
        getattr(builtins, "eval")(payload)

    def __reduce__(self):
        payload = "__import__('os').system('echo \"successful attack\"')"
        return self._obfuscated_eval, (payload,)
```


### Impact

Who is impacted? 
Any organization or individual relying on picklescan to detect malicious pickle files from untrusted sources.

What is the impact? 
Attackers can embed malicious code in pickle file that remains undetected but executes when the pickle file is loaded.

Supply Chain Attack: Attackers can distribute infected pickle files to system that load serialized ML models, APIs, or saved Python objects from untrusted sources.</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/vuln/pysec-2026-1789</guid>
      <pubDate>Tue, 07 Jul 2026 16:42:05 +0000</pubDate>
    </item>
    <item>
      <title>pysec-2026-1491</title>
      <link>https://vulnerability.circl.lu/vuln/pysec-2026-1491</link>
      <description>### Summary
An IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim's Khoj search index.

This attack requires knowing the user's UUID which can be leaked through shared conversations where an AI generated image is present.

### Details
When users share conversations which contain AI generated images, the file path for the image is constructed using the user's UUID. Knowing this UUID, an attacker is able to intercept the OAuth callback for Notion and replace the `state` parameter with the other user's UUID and sync notion onto their account.

### PoC

The vulnerable line of code exists in `src/khoj/routers/notion.py` on the callback endpoint.
```python
@notion_router.get("/auth/callback")
async def notion_auth_callback(request: Request, background_tasks: BackgroundTasks):
    code = request.query_params.get("code")
    state = request.query_params.get("state")  # &lt;-- Attacker controlled
    if not code or not state:
        return Response("Missing code or state", status_code=400)

    user: KhojUser = await aget_user_by_uuid(state)  # &lt;-- No verification!

    await NotionConfig.objects.filter(user=user).adelete()  # &lt;-- Deletes victim's config
    
    # ... OAuth token exchange ...
    
    access_token = final_response.get("access_token")
    await NotionConfig.objects.acreate(token=access_token, user=user)  # &lt;-- Stores attacker's token
```

To exploit is relatively easy. Once we know the victim's UUID, we simply initiate the Notion sync process on our own account and intercept the callback, replacing the `state` parameter with the victim's UUID.

### Impact
Deletes user's existing Notion sync and replaces it with attacker-controlled Notion. Could allow for index poisoning. I'm not entirely sure what Khoj does with synced files but if it's being passed as context to an LLM then I can imagine there's potential here.</description>
      <content:encoded>### Summary
An IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim's Khoj search index.

This attack requires knowing the user's UUID which can be leaked through shared conversations where an AI generated image is present.

### Details
When users share conversations which contain AI generated images, the file path for the image is constructed using the user's UUID. Knowing this UUID, an attacker is able to intercept the OAuth callback for Notion and replace the `state` parameter with the other user's UUID and sync notion onto their account.

### PoC

The vulnerable line of code exists in `src/khoj/routers/notion.py` on the callback endpoint.
```python
@notion_router.get("/auth/callback")
async def notion_auth_callback(request: Request, background_tasks: BackgroundTasks):
    code = request.query_params.get("code")
    state = request.query_params.get("state")  # &lt;-- Attacker controlled
    if not code or not state:
        return Response("Missing code or state", status_code=400)

    user: KhojUser = await aget_user_by_uuid(state)  # &lt;-- No verification!

    await NotionConfig.objects.filter(user=user).adelete()  # &lt;-- Deletes victim's config
    
    # ... OAuth token exchange ...
    
    access_token = final_response.get("access_token")
    await NotionConfig.objects.acreate(token=access_token, user=user)  # &lt;-- Stores attacker's token
```

To exploit is relatively easy. Once we know the victim's UUID, we simply initiate the Notion sync process on our own account and intercept the callback, replacing the `state` parameter with the victim's UUID.

### Impact
Deletes user's existing Notion sync and replaces it with attacker-controlled Notion. Could allow for index poisoning. I'm not entirely sure what Khoj does with synced files but if it's being passed as context to an LLM then I can imagine there's potential here.</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/vuln/pysec-2026-1491</guid>
      <pubDate>Tue, 07 Jul 2026 16:36:56 +0000</pubDate>
    </item>
    <item>
      <title>pysec-2026-1796</title>
      <link>https://vulnerability.circl.lu/vuln/pysec-2026-1796</link>
      <description>When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.</description>
      <content:encoded>When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/vuln/pysec-2026-1796</guid>
      <pubDate>Tue, 07 Jul 2026 16:36:56 +0000</pubDate>
    </item>
    <item>
      <title>pysec-2026-1075</title>
      <link>https://vulnerability.circl.lu/vuln/pysec-2026-1075</link>
      <description>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of tiktoken-mcp were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</description>
      <content:encoded>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of tiktoken-mcp were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/vuln/pysec-2026-1075</guid>
      <pubDate>Tue, 07 Jul 2026 16:26:46 +0000</pubDate>
    </item>
    <item>
      <title>pysec-2026-1074</title>
      <link>https://vulnerability.circl.lu/vuln/pysec-2026-1074</link>
      <description>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of ray-mcp-server were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</description>
      <content:encoded>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of ray-mcp-server were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/vuln/pysec-2026-1074</guid>
      <pubDate>Tue, 07 Jul 2026 16:19:27 +0000</pubDate>
    </item>
    <item>
      <title>pysec-2026-1073</title>
      <link>https://vulnerability.circl.lu/vuln/pysec-2026-1073</link>
      <description>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of orchestr8-platform were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</description>
      <content:encoded>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of orchestr8-platform were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/vuln/pysec-2026-1073</guid>
      <pubDate>Tue, 07 Jul 2026 16:16:21 +0000</pubDate>
    </item>
  </channel>
</rss>
