https://cve.p4nd4.land/rss/recent/pysec/10 2025-04-29T10:26:44.118591+00:00 Vulnerability Lookup fkz@p4nd4.land python-feedgen Contains only the most 10 recent entries. https://cve.p4nd4.land/vuln/pysec-2025-31 2025-04-29T10:26:44.122123+00:00 vyper is a Pythonic Smart Contract Language for the EVM. Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, in the case when target is an access to a DynArray and the rhs modifies the array, the cached target will evaluate first, and the bounds check will not be re-evaluated during the write portion of the statement. This issue has been addressed in version 0.4.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability. https://cve.p4nd4.land/vuln/pysec-2023-278 2025-04-29T10:26:44.122118+00:00 MindsDB connects artificial intelligence models to real time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py` Users should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the issue. https://cve.p4nd4.land/vuln/pysec-2024-82 2025-04-29T10:26:44.122113+00:00 Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with. https://cve.p4nd4.land/vuln/pysec-2024-83 2025-04-29T10:26:44.122108+00:00 Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction. https://cve.p4nd4.land/vuln/pysec-2024-84 2025-04-29T10:26:44.122102+00:00 Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it. https://cve.p4nd4.land/vuln/pysec-2024-85 2025-04-29T10:26:44.122097+00:00 Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it. https://cve.p4nd4.land/vuln/pysec-2024-111 2025-04-29T10:26:44.122091+00:00 A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input. https://cve.p4nd4.land/vuln/pysec-2025-32 2025-04-29T10:26:44.122085+00:00 BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, there was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server. This vulnerability is fixed in 1.4.8. https://cve.p4nd4.land/vuln/pysec-2025-33 2025-04-29T10:26:44.122077+00:00 Vyper is a Pythonic Smart Contract Language for the EVM. When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a consequence an attacker can provide a specific amount of gas to make these calls fail but let the overall execution continue. Then the execution result can be incorrect. Based on EVM's rules, after the failed precompile the remaining code has only 1/64 of the pre-call-gas left (as 63/64 were forwarded and spent). Hence, only fairly simple executions can follow the failed precompile calls. Therefore, we found no significantly impacted real-world contracts. None the less an advisory has been made out of an abundance of caution. There are no actions for users to take. https://cve.p4nd4.land/vuln/pysec-2025-34 2025-04-29T10:26:44.122056+00:00 The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization.