<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/rss/recent/pysec/10</id>
  <title>Most recent entries from pysec</title>
  <updated>2026-07-07T20:07:53.211828+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the most 10 recent entries.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/vuln/pysec-2026-2077</id>
    <title>pysec-2026-2077</title>
    <updated>2026-07-07T17:25:53.702556+00:00</updated>
    <content>### Impact
There is a stored cross site scripting vulnerability for SVG images.

Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link.

All versions of Zope are impacted on sites that allow untrusted users to upload images.


### Patches
Patches will be released in Zope 4.8.10 and 5.8.5.

### Workarounds
Make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default only the Manager has this permission.</content>
    <link href="https://vulnerability.circl.lu/vuln/pysec-2026-2077"/>
    <summary>### Impact
There is a stored cross site scripting vulnerability for SVG images.

Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link.

All versions of Zope are impacted on sites that allow untrusted users to upload images.


### Patches
Patches will be released in Zope 4.8.10 and 5.8.5.

### Workarounds
Make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default only the Manager has this permission.</summary>
    <published>2026-07-07T11:45:24.678692+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/vuln/pysec-2026-2076</id>
    <title>pysec-2026-2076</title>
    <updated>2026-07-07T17:25:53.624994+00:00</updated>
    <content>### Impact
Anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access.

### Patches
The problem is fixed in version 7.2.

### Workarounds
The problem can be fixed by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`.

### References
https://github.com/zopefoundation/AccessControl/issues/159</content>
    <link href="https://vulnerability.circl.lu/vuln/pysec-2026-2076"/>
    <summary>### Impact
Anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access.

### Patches
The problem is fixed in version 7.2.

### Workarounds
The problem can be fixed by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`.

### References
https://github.com/zopefoundation/AccessControl/issues/159</summary>
    <published>2026-07-07T14:34:43.747557+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/vuln/pysec-2026-2075</id>
    <title>pysec-2026-2075</title>
    <updated>2026-07-07T17:25:53.555288+00:00</updated>
    <content>### Impact
Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure.

`AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe.

Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it.

### Patches
A fix will be introduced in the versions 4.4, 5.8 and 6.2.

### Workarounds
There are no workarounds.

### References
https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-xjw2-6jm9-rf67 describes the corresponding problem for `RestrictedPython`.
</content>
    <link href="https://vulnerability.circl.lu/vuln/pysec-2026-2075"/>
    <summary>### Impact
Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute access and subscription from accessible objects. Those attribute accesses and subscriptions use Python's full blown `getattr` and `getitem`, not the policy restricted `AccessControl` variants `_getattr_` and `_getitem_`. This can lead to critical information disclosure.

`AccessControl` already provides a safe variant for `str.format` and denies access to `string.Formatter`. However, `str.format_map` is still unsafe.

Affected are all users who allow untrusted users to create `AccessControl` controlled Python code and execute it.

### Patches
A fix will be introduced in the versions 4.4, 5.8 and 6.2.

### Workarounds
There are no workarounds.

### References
https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-xjw2-6jm9-rf67 describes the corresponding problem for `RestrictedPython`.
</summary>
    <published>2026-07-07T11:45:23.791023+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/vuln/pysec-2026-2074</id>
    <title>pysec-2026-2074</title>
    <updated>2026-07-07T17:25:53.475581+00:00</updated>
    <content>A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.</content>
    <link href="https://vulnerability.circl.lu/vuln/pysec-2026-2074"/>
    <summary>A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.</summary>
    <published>2026-07-07T14:34:36.616482+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/vuln/pysec-2026-2073</id>
    <title>pysec-2026-2073</title>
    <updated>2026-07-07T17:25:53.417319+00:00</updated>
    <content>### Impact

The Python package "zhmcclient" writes password-like properties in clear text into its HMC and API logs in the following cases:

* The 'boot-ftp-password' and 'ssc-master-pw' properties when creating or updating a partition in DPM mode, in the zhmcclient API and HMC logs
* The 'ssc-master-pw' and 'zaware-master-pw' properties when updating an LPAR in classic mode, in the zhmcclient API and HMC logs
* The 'ssc-master-pw' and 'zaware-master-pw' properties when creating or updating an image activation profile in classic mode, in the zhmcclient API and HMC logs
* The 'password' property when creating or updating an HMC user, in the zhmcclient API log
* The 'bind-password' property when creating or updating an LDAP server definition, in the zhmcclient API and HMC logs

This issue affects only users of the zhmcclient package that have enabled the Python loggers named "zhmcclient.api" (for the API log) or "zhmcclient.hmc" (for the HMC log) and that use the functions listed above.

### Patches

Has been fixed in zhmcclient version 1.18.1

### Workarounds

Not applicable, since fix is available.

### References

None
</content>
    <link href="https://vulnerability.circl.lu/vuln/pysec-2026-2073"/>
    <summary>### Impact

The Python package "zhmcclient" writes password-like properties in clear text into its HMC and API logs in the following cases:

* The 'boot-ftp-password' and 'ssc-master-pw' properties when creating or updating a partition in DPM mode, in the zhmcclient API and HMC logs
* The 'ssc-master-pw' and 'zaware-master-pw' properties when updating an LPAR in classic mode, in the zhmcclient API and HMC logs
* The 'ssc-master-pw' and 'zaware-master-pw' properties when creating or updating an image activation profile in classic mode, in the zhmcclient API and HMC logs
* The 'password' property when creating or updating an HMC user, in the zhmcclient API log
* The 'bind-password' property when creating or updating an LDAP server definition, in the zhmcclient API and HMC logs

This issue affects only users of the zhmcclient package that have enabled the Python loggers named "zhmcclient.api" (for the API log) or "zhmcclient.hmc" (for the HMC log) and that use the functions listed above.

### Patches

Has been fixed in zhmcclient version 1.18.1

### Workarounds

Not applicable, since fix is available.

### References

None
</summary>
    <published>2026-07-07T14:34:46.070715+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/vuln/pysec-2026-2072</id>
    <title>pysec-2026-2072</title>
    <updated>2026-07-07T17:25:53.356048+00:00</updated>
    <content>ZenML Server in the ZenML package before 0.46.7 for Python allows remote privilege escalation because the `/api/v1/users/{user_name_or_id}/activate` REST API endpoint allows access on the basis of a valid username along with a new password in the request body. These are also patched versions: 0.44.4, 0.43.1, and 0.42.2.</content>
    <link href="https://vulnerability.circl.lu/vuln/pysec-2026-2072"/>
    <summary>ZenML Server in the ZenML package before 0.46.7 for Python allows remote privilege escalation because the `/api/v1/users/{user_name_or_id}/activate` REST API endpoint allows access on the basis of a valid username along with a new password in the request body. These are also patched versions: 0.44.4, 0.43.1, and 0.42.2.</summary>
    <published>2026-07-07T11:45:33.016802+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/vuln/pysec-2026-2071</id>
    <title>pysec-2026-2071</title>
    <updated>2026-07-07T17:25:53.229259+00:00</updated>
    <content>ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate files during `data.tar.gz` extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file writes, potentially resulting in arbitrary command execution if critical files are overwritten.</content>
    <link href="https://vulnerability.circl.lu/vuln/pysec-2026-2071"/>
    <summary>ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate files during `data.tar.gz` extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file writes, potentially resulting in arbitrary command execution if critical files are overwritten.</summary>
    <published>2026-07-07T16:03:06.450033+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/vuln/pysec-2026-2070</id>
    <title>pysec-2026-2070</title>
    <updated>2026-07-07T17:25:53.169324+00:00</updated>
    <content>zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the absence of rate-limiting on the '/api/v1/current-user' endpoint, which does not restrict the number of attempts an attacker can make to guess the current password. Successful exploitation results in the attacker being able to change the password and take control of the account.</content>
    <link href="https://vulnerability.circl.lu/vuln/pysec-2026-2070"/>
    <summary>zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the absence of rate-limiting on the '/api/v1/current-user' endpoint, which does not restrict the number of attempts an attacker can make to guess the current password. Successful exploitation results in the attacker being able to change the password and take control of the account.</summary>
    <published>2026-07-07T14:34:44.431797+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/vuln/pysec-2026-2069</id>
    <title>pysec-2026-2069</title>
    <updated>2026-07-07T17:25:53.106881+00:00</updated>
    <content>A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire after a password change, enabling an attacker to maintain access to a compromised account without the victim's ability to revoke this access. This issue was observed in a self-hosted ZenML deployment via Docker, where after changing the password from one browser, the session remained active and usable in another browser without requiring re-authentication.</content>
    <link href="https://vulnerability.circl.lu/vuln/pysec-2026-2069"/>
    <summary>A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire after a password change, enabling an attacker to maintain access to a compromised account without the victim's ability to revoke this access. This issue was observed in a self-hosted ZenML deployment via Docker, where after changing the password from one browser, the session remained active and usable in another browser without requiring re-authentication.</summary>
    <published>2026-07-07T14:34:34.551064+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/vuln/pysec-2026-2068</id>
    <title>pysec-2026-2068</title>
    <updated>2026-07-07T17:25:53.044019+00:00</updated>
    <content>A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (`\n`) characters in component names. When a low-privileged user adds a component through the API endpoint `api/v1/workspaces/default/components` with a name containing a `\n` character, it leads to uncontrolled resource consumption. This vulnerability results in the inability of users to add new components in certain categories (e.g., 'Image Builder') and to register new stacks through the UI, thereby degrading the user experience and potentially rendering the ZenML Dashboard unusable. The issue does not affect component addition through the Web UI, as `\n` characters are properly escaped in that context. The vulnerability was tested on ZenML running in Docker, and it was observed in both Firefox and Chrome browsers.</content>
    <link href="https://vulnerability.circl.lu/vuln/pysec-2026-2068"/>
    <summary>A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (`\n`) characters in component names. When a low-privileged user adds a component through the API endpoint `api/v1/workspaces/default/components` with a name containing a `\n` character, it leads to uncontrolled resource consumption. This vulnerability results in the inability of users to add new components in certain categories (e.g., 'Image Builder') and to register new stacks through the UI, thereby degrading the user experience and potentially rendering the ZenML Dashboard unusable. The issue does not affect component addition through the Web UI, as `\n` characters are properly escaped in that context. The vulnerability was tested on ZenML running in Docker, and it was observed in both Firefox and Chrome browsers.</summary>
    <published>2026-07-07T14:34:35.381629+00:00</published>
  </entry>
</feed>
