VYPR

Vendor CVEs

Jqhph

All CVEs

58 total · sorted by risk
  • CVE-2024-48206 · Critical · Oct 29, 2024
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    A Deserialization of Untrusted Data vulnerability in chainer v7.8.1.post1 leads to execution of arbitrary code.

  • CVE-2022-34064 · Critical · Jun 24, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    The Zibal package in PyPI v1.0.0 was discovered to contain a code execution backdoor. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

  • CVE-2022-34055 · Critical · Jun 24, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    The drxhello package in PyPI v0.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

  • CVE-2022-34054 · Critical · Jun 24, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    The Perdido package in PyPI v0.0.1 to v0.0.2 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

  • CVE-2022-34053 · Critical · Jun 24, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    The DR-Web-Engine package in PyPI v0.2.0b0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

  • CVE-2022-33000 · Critical · Jun 24, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    The ML-Scanner package in PyPI v0.1.0 to v0.1.5 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

  • CVE-2022-32997 · Critical · Jun 24, 2022
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    The RootInteractive package in PyPI v0.0.5 to v0.0.19b0 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges.

  • CVE-2021-20204 · Critical · May 6, 2021
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    A heap memory corruption problem (use after free) can be triggered in libgetdata v0.10.0 when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library. This…

  • CVE-2018-20027 · Critical · Dec 17, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    The yaml_parse.load method in Pylearn2 allows code injection.

  • CVE-2018-12557 · Critical · Jun 19, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the…

  • CVE-2026-10731 · Critical · Jun 9, 2026
    risk 0.60 · CVSS (none listed) · EPSS 0.00

    SQL injection in the ‘two_steps_auth_code’ parameter processed by the ‘twoStepsAuthVerification’ function within the ‘/user-login’ endpoint. The two-factor authentication (2FA) functionality can be accessed without prior authentication, allowing unauthenticated…

  • CVE-2026-38360 · Critical · May 8, 2026
    risk 0.58 · CVSS 9.8 · EPSS 0.06

    Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, BaseHttpRequestHandler.get_temp_root(), BaseHttpRequestHandler._post() components.

  • CVE-2016-0727 · High · Apr 14, 2017
    risk 0.54 · CVSS 7.8 · EPSS 0.01

    The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubuntu 12.04 LTS, before 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 on Ubuntu 14.04 LTS, on Ubuntu Wily, and before 1:4.2.8p4+dfsg-3ubuntu5.3 on Ubuntu 16.04 LTS allows local users with access to the ntp account…

  • CVE-2024-8007 · High · Aug 21, 2024
    risk 0.53 · CVSS 8.1 · EPSS 0.00

    A flaw was found in the openstack-tripleo-common component of the Red Hat OpenStack Platform (RHOSP) director. This vulnerability allows an attacker to deploy potentially compromised container images via disabling TLS certificate verification for registry mirrors, which could…

  • CVE-2014-5282 · High · Feb 6, 2018
    risk 0.53 · CVSS 8.1 · EPSS 0.01

    Docker before 1.3 does not properly validate image IDs, which allows remote attackers to redirect to another image through the loading of untrusted images via 'docker load'.

  • CVE-2026-39832 · Critical · May 22, 2026
    risk 0.52 · CVSS 9.1 · EPSS 0.00

    When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client…

  • CVE-2022-28696 · High · Aug 18, 2022
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    Uncontrolled search path in the Intel(R) Distribution for Python before version 2022.0.3 may allow an authenticated user to potentially enable escalation of privilege via local access.

  • CVE-2018-20159 · High · Dec 15, 2018
    risk 0.51 · CVSS 7.2 · EPSS 0.10

    i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file…

  • CVE-2018-6552 · High · May 31, 2018
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    Apport does not properly handle crashes originating from a PID namespace allowing local users to create certain files as root which an attacker could leverage to perform a denial of service via resource exhaustion, possibly gain root privileges, or escape from containers. The…

  • CVE-2026-50031 · High · Jun 3, 2026
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    ipmi-oem in FreeIPMI before 1.6.18 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to…

  • CVE-2021-42521 · High · Aug 25, 2022
    risk 0.49 · CVSS 7.5 · EPSS 0.01

    There is a NULL pointer dereference vulnerability in VTK before 9.2.5, and it lies in IO/Infovis/vtkXMLTreeReader.cxx. The vendor didn't check the return value of libxml2 API 'xmlDocGetRootElement', and try to dereference it. It is unsafe as the return value can be NULL and that…

  • CVE-2011-3147 · High · Apr 22, 2019
    risk 0.49 · CVSS 8.6 · EPSS 0.01

    Versions of nova before 2012.1 could expose hypervisor host files to a guest operating system when processing a maliciously constructed qcow filesystem.

  • CVE-2019-6690 · High · Mar 21, 2019
    risk 0.49 · CVSS 7.5 · EPSS 0.09

    python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg to decrypt other ciphertext than intended. To perform the attack, the passphrase to gnupg must be controlled by the adversary and the ciphertext should be trusted. Related to a "CWE-20: Improper Input…

  • CVE-2018-12088 · High · Jun 10, 2018
    risk 0.49 · CVSS 7.5 · EPSS 0.02

    S3QL before 2.27 mishandles checksumming, and consequently allows replay attacks in which an attacker who controls the backend can present old versions of the filesystem metadata database as up-to-date, temporarily inject zero-valued bytes into files, or temporarily hide parts…

  • CVE-2026-44393 · High · Jun 4, 2026
    risk 0.48 · CVSS 7.4 · EPSS 0.00

    An issue was discovered in OpenStack oslo.messaging 1.0.0 through 17.3.0. The oslo.messaging RabbitMQ driver does not perform TLS hostname verification when connecting to the message broker. When ssl_ca_file is configured, the driver enables certificate chain validation but does…

  • CVE-2024-22017 · High · Mar 19, 2024
    risk 0.48 · CVSS 7.3 · EPSS 0.01

    setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users…

  • CVE-2026-11837 · High · Jun 10, 2026
    risk 0.47 · CVSS 7.3 · EPSS 0.00

    A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage…

  • CVE-2026-44246 · High · May 12, 2026
    risk 0.47 · CVSS 7.2 · EPSS 0.00

    nnU-Net is a semantic segmentation framework that automatically adapts its pipeline to a dataset. Prior to 2.4.1, the nnU-Net Issue Triage workflow in .github/workflows/issue-triage.yml is vulnerable to Agentic Workflow Injection. The workflow sets allowed_non_write_users: ${{…

  • CVE-2026-37737 · Medium · Jun 5, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    sanic-cors version 2.2.0 and prior contains an improper regular expression in the try_match() function in sanic_cors/core.py that uses re.match without end-anchoring. This allows an attacker to bypass CORS origin allowlists by registering a domain that begins with a trusted…

  • CVE-2026-47066 · High · May 25, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.01

    Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in benoitc hackney allows Excessive Allocation. The Alt-Svc response header parser in src/hackney_altsvc.erl does not guarantee forward progress. When parse_token/2 receives a non-token, non-whitespace,…

  • CVE-2026-20238 · Medium · May 20, 2026
    risk 0.42 · CVSS 6.5 · EPSS 0.00

    In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data that was restricted through `srchFilter` configurations on custom roles. The app contains an `authorize.conf` configuration file…

  • CVE-2026-6659 · High · May 8, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts. The built-in rand function is predictable, and unsuitable for cryptography.

  • CVE-2026-38361 · High · May 8, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.03

    Multiple unauthenticated denial-of-service (DoS) issues in fohrloop dash-uploader v0.1.0 through v0.7.0a2. The chunked-upload handler (dash_uploader/httprequesthandler.py, dash_uploader/upload.py) trusts unsanitized, attacker-controlled upload parameters (e.g. flowTotalChunks)…

  • CVE-2026-6657 · Medium · Jun 3, 2026
    risk 0.40 · CVSS 6.1 · EPSS 0.00

    A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration is used. The issue arises from the use of `re.match()` for validating the `Origin` header, which only anchors at the…

  • CVE-2026-41074 · High · May 22, 2026
    risk 0.39 · CVSS 7.1 · EPSS 0.00

    RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing…

  • CVE-2026-9751 · Medium · Jun 9, 2026
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text.

  • CVE-2024-29085 · Medium · Nov 13, 2024
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    Improper access control for some BigDL software maintained by Intel(R) before version 2.5.0 may allow an authenticated user to potentially enable escalation of privilege via adjacent access.

  • CVE-2014-5509 · Medium · Jan 8, 2018
    risk 0.36 · CVSS 5.5 · EPSS 0.00

    clipedit in the Clipboard module for Perl allows local users to delete arbitrary files via a symlink attack on /tmp/clipedit$$.

  • CVE-2026-46448 · Medium · Jun 16, 2026
    risk 0.35 · CVSS 5.4 · EPSS 0.00

    In OpenStack Nova before 33.0.2, the server create API does not strip certain hint data. The resulting instance has no Placement allocation.

  • CVE-2014-8780 · Medium · Mar 7, 2018
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    Cross-site scripting (XSS) vulnerability in Jease 2.11 allows remote authenticated users to inject arbitrary web script or HTML via a content section note.

  • CVE-2023-41821 · Medium · May 3, 2024
    risk 0.33 · CVSS 5.0 · EPSS 0.00

    An improper export vulnerability was reported in the Motorola Setup application that could allow a local attacker to read sensitive user information.

  • CVE-2026-52902 · Medium · Jun 9, 2026
    risk 0.31 · CVSS 4.7 · EPSS 0.00

    A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbitrary YAML-formatted files from the local filesystem when a user imports it…

  • CVE-2026-11621 · Medium · Jun 9, 2026
    risk 0.31 · CVSS 4.7 · EPSS 0.00

    A weakness has been identified in Dcat-Admin up to 2.2.3-beta. This impacts the function editorMDUpload of the file /admin/dcat-api/editor-md/upload of the component User Setting Page. This manipulation of the argument editormd-image-file causes unrestricted upload. The attack…

  • CVE-2018-1113 · Medium · Jul 3, 2018
    risk 0.31 · CVSS 4.8 · EPSS 0.00

    setup before version 2.11.4-1.fc28 in Fedora and Red Hat Enterprise Linux added /sbin/nologin and /usr/sbin/nologin to /etc/shells. This violates security assumptions made by pam_shells and some daemons which allow access based on a user's shell being listed in /etc/shells.…

  • CVE-2026-8643 · Medium · Jun 1, 2026
    risk 0.29 · CVSS 5.5 · EPSS 0.00

    pip would treat console_scripts and gui_scripts as paths instead of file names without sanitizing the resolved absolute path to the installation directory, leading to entry points being installed outside the installation directory.

  • CVE-2026-48111 · Medium · Jun 5, 2026
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an off-by-one out-of-bounds read vulnerability in the ParseDepedencyExpression function of the UEFI firmware image parser (CPP/7zip/Archive/UefiHandler.cpp). The function validates an…

  • CVE-2026-46745 · Medium · May 25, 2026
    risk 0.27 · CVSS 5.3 · EPSS 0.01

    Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immediate upgrade is not possible,…

  • CVE-2026-8404 · Low · Jun 3, 2026
    risk 0.20 · CVSS 3.1 · EPSS 0.00

    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.middleware.cache.UpdateCacheMiddleware` in Django does not match `Cache-Control` response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached…

  • CVE-2026-7666 · Low · Jun 3, 2026
    risk 0.20 · CVSS 3.1 · EPSS 0.00

    An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. `django.core.mail.backends.smtp.EmailBackend` in Django fails to prevent reuse of a partially-initialized connection after a failed `STARTTLS` handshake when `fail_silently=True`, which allows on-path…

  • CVE-2026-48587 · Low · Jun 3, 2026
    risk 0.20 · CVSS 3.1 · EPSS 0.00

    An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. `django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header values before comparison, which allows remote attackers to read cached responses…

Page 1 of 2