Feed: Most recent entries from pysec
Feed URL: https://vulnerability.circl.lu/rss/recent/pysec/10
Generated: 2025-07-13T23:25:23.966628+00:00
Publisher: Vulnerability-Lookup (info@circl.lu), generated with python-feedgen
Contains only the 10 most recent entries.

Entry: pysec-2025-65
Link: https://vulnerability.circl.lu/vuln/pysec-2025-65
Published: 2025-07-13T23:25:23.973010+00:00
A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. This vulnerability allows an attacker to manipulate the `image_path` input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.

Entry: pysec-2025-66
Link: https://vulnerability.circl.lu/vuln/pysec-2025-66
Published: 2025-07-13T23:25:23.972998+00:00
Improper privilege management in a REST interface allowed registered users to access unauthorized resources if the resource ID was known.
This issue affects Apache StreamPipes: through 0.95.1.
Users are recommended to upgrade to version 0.97.0, which fixes the issue.

Entry: pysec-2025-67
Link: https://vulnerability.circl.lu/vuln/pysec-2025-67
Published: 2025-07-13T23:25:23.972987+00:00
A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown/server.py. The manipulation of the argument file.filename leads to path traversal. The exploit has been disclosed to the public and may be used.

Entry: pysec-2025-68
Link: https://vulnerability.circl.lu/vuln/pysec-2025-68
Published: 2025-07-13T23:25:23.972976+00:00
A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/add_tool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may be used.

Entry: pysec-2023-278
Link: https://vulnerability.circl.lu/vuln/pysec-2023-278
Published: 2025-07-13T23:25:23.972965+00:00
MindsDB connects artificial intelligence models to real time data.
Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py`. Users should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the issue.

Entry: pysec-2024-82
Link: https://vulnerability.circl.lu/vuln/pysec-2024-82
Published: 2025-07-13T23:25:23.972954+00:00
Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with.

Entry: pysec-2024-83
Link: https://vulnerability.circl.lu/vuln/pysec-2024-83
Published: 2025-07-13T23:25:23.972942+00:00
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded 'inhouse' model to run arbitrary code on the server when used for a prediction.

Entry: pysec-2024-84
Link: https://vulnerability.circl.lu/vuln/pysec-2024-84
Published: 2025-07-13T23:25:23.972930+00:00
Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded 'inhouse' model to run arbitrary code on the server when a 'describe' query is run on it.

Entry: pysec-2024-85
Link: https://vulnerability.circl.lu/vuln/pysec-2024-85
Published: 2025-07-13T23:25:23.972914+00:00
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded 'inhouse' model to run arbitrary code on the server when using 'finetune' on it.

Entry: pysec-2025-69
Link: https://vulnerability.circl.lu/vuln/pysec-2025-69
Published: 2025-07-13T23:25:23.972868+00:00
In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).