<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://0.0.0.0:10001/rss/recent/pysec/10</id>
  <title>Most recent entries from pysec</title>
  <updated>2026-05-13T17:03:21.657636+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://0.0.0.0:10001" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent entries.</subtitle>
  <entry>
    <id>https://0.0.0.0:10001/vuln/pysec-2025-70</id>
    <title>pysec-2025-70</title>
    <updated>2026-05-13T17:03:21.693008+00:00</updated>
    <content>A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchain_community.agent_toolkits.openapi.toolkit.RequestsToolkit) in langchain-ai/langchain version 0.0.27. This vulnerability occurs because the toolkit does not enforce restrictions on requests to remote internet addresses, allowing it to also access local addresses. As a result, an attacker could exploit this flaw to perform port scans, access local services, retrieve instance metadata from cloud environments (e.g., Azure, AWS), and interact with servers on the local network. This issue has been fixed in version 0.0.28.</content>
    <link href="https://0.0.0.0:10001/vuln/pysec-2025-70"/>
    <summary>A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchain_community.agent_toolkits.openapi.toolkit.RequestsToolkit) in langchain-ai/langchain version 0.0.27. This vulnerability occurs because the toolkit does not enforce restrictions on requests to remote internet addresses, allowing it to also access local addresses. As a result, an attacker could exploit this flaw to perform port scans, access local services, retrieve instance metadata from cloud environments (e.g., Azure, AWS), and interact with servers on the local network. This issue has been fixed in version 0.0.28.</summary>
  </entry>
  <entry>
    <id>https://0.0.0.0:10001/vuln/pysec-2025-51</id>
    <title>pysec-2025-51</title>
    <updated>2026-05-13T17:03:21.692989+00:00</updated>
    <content>Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake.

This issue affects Apache Airflow Providers Snowflake: before 6.4.0.

Sanitization of the table and stage parameters was added in CopyFromExternalStageToSnowflakeOperator to prevent SQL injection.
Users are recommended to upgrade to version 6.4.0, which fixes the issue.</content>
    <link href="https://0.0.0.0:10001/vuln/pysec-2025-51"/>
    <summary>Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake.

This issue affects Apache Airflow Providers Snowflake: before 6.4.0.

Sanitization of the table and stage parameters was added in CopyFromExternalStageToSnowflakeOperator to prevent SQL injection.
Users are recommended to upgrade to version 6.4.0, which fixes the issue.</summary>
  </entry>
  <entry>
    <id>https://0.0.0.0:10001/vuln/pysec-2025-61</id>
    <title>pysec-2025-61</title>
    <updated>2026-05-13T17:03:21.692968+00:00</updated>
    <content>Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (&gt;64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. This issue has been patched in version 11.3.0.</content>
    <link href="https://0.0.0.0:10001/vuln/pysec-2025-61"/>
    <summary>Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (&gt;64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. This issue has been patched in version 11.3.0.</summary>
  </entry>
  <entry>
    <id>https://0.0.0.0:10001/vuln/pysec-2025-65</id>
    <title>pysec-2025-65</title>
    <updated>2026-05-13T17:03:21.692954+00:00</updated>
    <content>A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. This vulnerability allows an attacker to manipulate the `image_path` input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.</content>
    <link href="https://0.0.0.0:10001/vuln/pysec-2025-65"/>
    <summary>A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. This vulnerability allows an attacker to manipulate the `image_path` input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.</summary>
  </entry>
  <entry>
    <id>https://0.0.0.0:10001/vuln/pysec-2025-69</id>
    <title>pysec-2025-69</title>
    <updated>2026-05-13T17:03:21.692944+00:00</updated>
    <content>In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).</content>
    <link href="https://0.0.0.0:10001/vuln/pysec-2025-69"/>
    <summary>In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).</summary>
  </entry>
  <entry>
    <id>https://0.0.0.0:10001/vuln/pysec-2025-71</id>
    <title>pysec-2025-71</title>
    <updated>2026-05-13T17:03:21.692928+00:00</updated>
    <content>Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3.</content>
    <link href="https://0.0.0.0:10001/vuln/pysec-2025-71"/>
    <summary>Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3.</summary>
  </entry>
  <entry>
    <id>https://0.0.0.0:10001/vuln/pysec-2025-72</id>
    <title>pysec-2025-72</title>
    <updated>2026-05-13T17:03:21.692911+00:00</updated>
    <content>The `num2words` project was compromised via a phishing attack
and two new versions were uploaded to PyPI containing malicious code.
The affected versions have been removed from PyPI,
and users are advised to remove the affected versions from their environments.
</content>
    <link href="https://0.0.0.0:10001/vuln/pysec-2025-72"/>
    <summary>The `num2words` project was compromised via a phishing attack
and two new versions were uploaded to PyPI containing malicious code.
The affected versions have been removed from PyPI,
and users are advised to remove the affected versions from their environments.
</summary>
  </entry>
  <entry>
    <id>https://0.0.0.0:10001/vuln/pysec-2026-1</id>
    <title>pysec-2026-1</title>
    <updated>2026-05-13T17:03:21.692893+00:00</updated>
    <content>A PyPI user account was compromised by an attacker, who was able to
upload a malicious version (1.1.5.post1) of the `dydx-v4-client` package.
This version contains a highly obfuscated multi-stage loader
that ultimately executes malicious code on the host system.

While the final payload is not visible because it is tucked away inside 100 layers of encoding,
the structural design, specifically the use of recursive decompression followed by an `exec()` call,
is a definitive indicator of malicious software,
likely a "Crypter" or "Dropper" masquerading as a cryptocurrency-related utility
with the intent of connecting to hxxps://dydx.priceoracle.site/py
to download and execute further payloads.

Users of the `dydx-v4-client` package should immediately uninstall version 1.1.5.post1
and revert to the last known good version (1.1.5) or later secure versions once available.
Additionally, users should monitor their systems for any unusual activity
and consider running security scans to detect any potential compromise.
</content>
    <link href="https://0.0.0.0:10001/vuln/pysec-2026-1"/>
    <summary>A PyPI user account was compromised by an attacker, who was able to
upload a malicious version (1.1.5.post1) of the `dydx-v4-client` package.
This version contains a highly obfuscated multi-stage loader
that ultimately executes malicious code on the host system.

While the final payload is not visible because it is tucked away inside 100 layers of encoding,
the structural design, specifically the use of recursive decompression followed by an `exec()` call,
is a definitive indicator of malicious software,
likely a "Crypter" or "Dropper" masquerading as a cryptocurrency-related utility
with the intent of connecting to hxxps://dydx.priceoracle.site/py
to download and execute further payloads.

Users of the `dydx-v4-client` package should immediately uninstall version 1.1.5.post1
and revert to the last known good version (1.1.5) or later secure versions once available.
Additionally, users should monitor their systems for any unusual activity
and consider running security scans to detect any potential compromise.
</summary>
  </entry>
  <entry>
    <id>https://0.0.0.0:10001/vuln/pysec-2026-2</id>
    <title>pysec-2026-2</title>
    <updated>2026-05-13T17:03:21.692863+00:00</updated>
    <content>After an API token exposure from an exploited Trivy dependency,
two new releases of `litellm` were uploaded to PyPI containing automatically activated malware,
harvesting sensitive credentials and files, and exfiltrating to a remote API.

The malicious code runs when any module from the package is imported and scans
the file system and environment variables, collecting all kinds of
sensitive data, including but not limited to private SSH keys, credentials to Git and
Docker repositories, dotenv files, tokens to Kubernetes service accounts,
databases and LDAP configuration. Also exfiltrated are multiple shell history
files and cryptowallet keys. The malware actively attempts to obtain cloud access tokens
from metadata servers and retrieve secrets stored in AWS Secrets Manager.
All collected data are sent to the domain models.litellm[.]cloud.

Furthermore, the code includes a persistence mechanism by configuring
a SystemD service unit masquerading as "System Telemetry Service" on the host it
runs on, and in a Kubernetes environment also by creating a new pod.
The persistence script then contacts hxxps://checkmarx[.]zone/raw for
further instructions.

Anyone who has installed and run the project should assume
any credentials available to the litellm environment may have been exposed,
and revoke/rotate them accordingly. The affected environment should be
isolated and carefully reviewed for any unexpected modifications
and network traffic.
</content>
    <link href="https://0.0.0.0:10001/vuln/pysec-2026-2"/>
    <summary>After an API token exposure from an exploited Trivy dependency,
two new releases of `litellm` were uploaded to PyPI containing automatically activated malware,
harvesting sensitive credentials and files, and exfiltrating to a remote API.

The malicious code runs when any module from the package is imported and scans
the file system and environment variables, collecting all kinds of
sensitive data, including but not limited to private SSH keys, credentials to Git and
Docker repositories, dotenv files, tokens to Kubernetes service accounts,
databases and LDAP configuration. Also exfiltrated are multiple shell history
files and cryptowallet keys. The malware actively attempts to obtain cloud access tokens
from metadata servers and retrieve secrets stored in AWS Secrets Manager.
All collected data are sent to the domain models.litellm[.]cloud.

Furthermore, the code includes a persistence mechanism by configuring
a SystemD service unit masquerading as "System Telemetry Service" on the host it
runs on, and in a Kubernetes environment also by creating a new pod.
The persistence script then contacts hxxps://checkmarx[.]zone/raw for
further instructions.

Anyone who has installed and run the project should assume
any credentials available to the litellm environment may have been exposed,
and revoke/rotate them accordingly. The affected environment should be
isolated and carefully reviewed for any unexpected modifications
and network traffic.
</summary>
  </entry>
  <entry>
    <id>https://0.0.0.0:10001/vuln/pysec-2026-3</id>
    <title>pysec-2026-3</title>
    <updated>2026-05-13T17:03:21.692500+00:00</updated>
    <content>After an API token exposure from an exploited Trivy dependency,
two new releases of `telnyx` were uploaded to PyPI containing automatically activated malware,
harvesting sensitive credentials and files, and exfiltrating to a remote API.

Compromised versions execute code when the `telnyx` module is imported, through modifications in `_client.py`.

The code downloads the next stages from endpoints on the host 83.142.209[.]203, encoded in WAV files.
On Windows hosts, the malicious executable is placed in 
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe`
for persistence and executed.
On other systems, the payload is a Python script.
After executing it, generated artifacts are exfiltrated to 83.142.209[.]203.

Version 4.87.1 contains a typo preventing the automated execution of the malicious code.

The code uses the encryption key observed in previous TeamPCP actions.
Full compromise of exposed systems and all credentials reachable from them should be assumed.
The credentials should be revoked/rotated, and the affected systems isolated
and analyzed for malicious actions and modifications.

The two versions have been removed from PyPI, and the project has been reinstated.
</content>
    <link href="https://0.0.0.0:10001/vuln/pysec-2026-3"/>
    <summary>After an API token exposure from an exploited Trivy dependency,
two new releases of `telnyx` were uploaded to PyPI containing automatically activated malware,
harvesting sensitive credentials and files, and exfiltrating to a remote API.

Compromised versions execute code when the `telnyx` module is imported, through modifications in `_client.py`.

The code downloads the next stages from endpoints on the host 83.142.209[.]203, encoded in WAV files.
On Windows hosts, the malicious executable is placed in 
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe`
for persistence and executed.
On other systems, the payload is a Python script.
After executing it, generated artifacts are exfiltrated to 83.142.209[.]203.

Version 4.87.1 contains a typo preventing the automated execution of the malicious code.

The code uses the encryption key observed in previous TeamPCP actions.
Full compromise of exposed systems and all credentials reachable from them should be assumed.
The credentials should be revoked/rotated, and the affected systems isolated
and analyzed for malicious actions and modifications.

The two versions have been removed from PyPI, and the project has been reinstated.
</summary>
  </entry>
</feed>
