VYPR

PyPI package

kedro

pkg:pypi/kedro

Vulnerabilities (4)

  • CVE-2026-35171CriApr 6, 2026
    affected < 1.3.0fixed 1.3.0

    Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which

  • CVE-2026-35167HigApr 6, 2026
    affected < 1.3.0fixed 1.3.0

    Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components

  • CVE-2024-9701CriMar 20, 2025
    affected < 0.19.9fixed 0.19.9

    A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The

  • CVE-2024-12215HigMar 20, 2025
    affected <= 0.19.8

    In kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. However, the function `project_wheel_metadata()` within the code path can execute the `setup.py` file inside the tar file, leading to remote