Feed: https://cve.circl.lu/rss/recent/pysec/10
Title: Most recent entries from pysec
Updated: 2025-02-21T10:52:47.985141+00:00
Generator: Vulnerability-Lookup (info@circl.lu), built with python-feedgen
Note: Contains only the 10 most recent entries.

Entries:

1. pysec-2024-231 (https://cve.circl.lu/vuln/pysec-2024-231), updated 2025-02-21T10:52:47.994472+00:00
   LightGBM Remote Code Execution Vulnerability.

2. pysec-2024-111 (https://cve.circl.lu/vuln/pysec-2024-111), updated 2025-02-21T10:52:47.994454+00:00
   A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.

3. pysec-2023-278 (https://cve.circl.lu/vuln/pysec-2023-278), updated 2025-02-21T10:52:47.994436+00:00
   MindsDB connects artificial intelligence models to real-time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py`. Users should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the issue.

4. pysec-2024-82 (https://cve.circl.lu/vuln/pysec-2024-82), updated 2025-02-21T10:52:47.994418+00:00
   Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with.

5. pysec-2024-83 (https://cve.circl.lu/vuln/pysec-2024-83), updated 2025-02-21T10:52:47.994400+00:00
   Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction.

6. pysec-2024-84 (https://cve.circl.lu/vuln/pysec-2024-84), updated 2025-02-21T10:52:47.994381+00:00
   Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it.

7. pysec-2024-85 (https://cve.circl.lu/vuln/pysec-2024-85), updated 2025-02-21T10:52:47.994363+00:00
   Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it.

8. pysec-2024-232 (https://cve.circl.lu/vuln/pysec-2024-232), updated 2025-02-21T10:52:47.994343+00:00
   python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.

9. pysec-2024-233 (https://cve.circl.lu/vuln/pysec-2024-233), updated 2025-02-21T10:52:47.994316+00:00
   python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.

10. pysec-2023-163 (https://cve.circl.lu/vuln/pysec-2023-163), updated 2025-02-21T10:52:47.994257+00:00
   An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library.