<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://db.gcve.eu/rss/recent/pysec/10</id>
  <title>Most recent entries from pysec</title>
  <updated>2026-07-05T13:24:50.082910+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@gcve.eu</email>
  </author>
  <link href="https://db.gcve.eu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent entries.</subtitle>
  <entry>
    <id>https://db.gcve.eu/vuln/pysec-2026-611</id>
    <title>pysec-2026-611</title>
    <updated>2026-07-01T22:17:57+00:00</updated>
    <content>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of uprobe were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</content>
    <link href="https://db.gcve.eu/vuln/pysec-2026-611"/>
    <summary>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of uprobe were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</summary>
    <published>2026-07-01T22:17:57+00:00</published>
  </entry>
  <entry>
    <id>https://db.gcve.eu/vuln/pysec-2026-616</id>
    <title>pysec-2026-616</title>
    <updated>2026-07-03T12:58:59.937124+00:00</updated>
    <content>Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a reflected cross-site scripting (XSS) vulnerability exists on the dynamic image URL generator view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could craft a URL that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is present for all sites, even if they do not enable the dynamic image serve view. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.</content>
    <link href="https://db.gcve.eu/vuln/pysec-2026-616"/>
    <summary>Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a reflected cross-site scripting (XSS) vulnerability exists on the dynamic image URL generator view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail admin could craft a URL that, when viewed by a user with higher privileges, could perform actions with that user's credentials. The vulnerability is present for all sites, even if they do not enable the dynamic image serve view. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.</summary>
    <published>2026-07-01T22:16:49.917000+00:00</published>
  </entry>
  <entry>
    <id>https://db.gcve.eu/vuln/pysec-2026-615</id>
    <title>pysec-2026-615</title>
    <updated>2026-07-03T12:58:59.841624+00:00</updated>
    <content>Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the "Can submit translation" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.</content>
    <link href="https://db.gcve.eu/vuln/pysec-2026-615"/>
    <summary>Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the "Can submit translation" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.</summary>
    <published>2026-07-01T22:16:49.787000+00:00</published>
  </entry>
  <entry>
    <id>https://db.gcve.eu/vuln/pysec-2026-614</id>
    <title>pysec-2026-614</title>
    <updated>2026-07-03T12:58:59.721161+00:00</updated>
    <content>Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, due to a missing permission check on the image preview endpoint, a user with access to the Wagtail admin can preview any image. The existing data of the image object itself is not exposed. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.</content>
    <link href="https://db.gcve.eu/vuln/pysec-2026-614"/>
    <summary>Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, due to a missing permission check on the image preview endpoint, a user with access to the Wagtail admin can preview any image. The existing data of the image object itself is not exposed. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.</summary>
    <published>2026-07-01T22:16:49.653000+00:00</published>
  </entry>
  <entry>
    <id>https://db.gcve.eu/vuln/pysec-2026-613</id>
    <title>pysec-2026-613</title>
    <updated>2026-07-03T12:58:59.603248+00:00</updated>
    <content>Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, an authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs, potentially resulting in service degradation. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.</content>
    <link href="https://db.gcve.eu/vuln/pysec-2026-613"/>
    <summary>Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, an authenticated admin user can trigger expensive rendition processing with purposefully crafted filter specs, potentially resulting in service degradation. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.</summary>
    <published>2026-07-01T22:16:49.523000+00:00</published>
  </entry>
  <entry>
    <id>https://db.gcve.eu/vuln/pysec-2026-612</id>
    <title>pysec-2026-612</title>
    <updated>2026-07-03T12:58:59.464451+00:00</updated>
    <content>Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, the Documents and Images chooser's chosen endpoint incorrectly listed items for which the user has not been granted choose permission. A user with access to the Wagtail admin could see the filename, name and URLs of documents and images in those collections. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.</content>
    <link href="https://db.gcve.eu/vuln/pysec-2026-612"/>
    <summary>Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, the Documents and Images chooser's chosen endpoint incorrectly listed items for which the user has not been granted choose permission. A user with access to the Wagtail admin could see the filename, name and URLs of documents and images in those collections. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been fixed in versions 7.0.8, 7.3.3, and 7.4.2.</summary>
    <published>2026-07-01T22:16:49.297000+00:00</published>
  </entry>
  <entry>
    <id>https://db.gcve.eu/vuln/pysec-2026-610</id>
    <title>pysec-2026-610</title>
    <updated>2026-07-01T22:08:28+00:00</updated>
    <content>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of ufish were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</content>
    <link href="https://db.gcve.eu/vuln/pysec-2026-610"/>
    <summary>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of ufish were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</summary>
    <published>2026-07-01T22:08:28+00:00</published>
  </entry>
  <entry>
    <id>https://db.gcve.eu/vuln/pysec-2026-609</id>
    <title>pysec-2026-609</title>
    <updated>2026-07-01T21:35:49+00:00</updated>
    <content>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of synago were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</content>
    <link href="https://db.gcve.eu/vuln/pysec-2026-609"/>
    <summary>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of synago were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</summary>
    <published>2026-07-01T21:35:49+00:00</published>
  </entry>
  <entry>
    <id>https://db.gcve.eu/vuln/pysec-2026-608</id>
    <title>pysec-2026-608</title>
    <updated>2026-07-01T21:33:35+00:00</updated>
    <content>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of pantheon-toolsets were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</content>
    <link href="https://db.gcve.eu/vuln/pysec-2026-608"/>
    <summary>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of pantheon-toolsets were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</summary>
    <published>2026-07-01T21:33:35+00:00</published>
  </entry>
  <entry>
    <id>https://db.gcve.eu/vuln/pysec-2026-607</id>
    <title>pysec-2026-607</title>
    <updated>2026-07-01T21:24:58+00:00</updated>
    <content>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of pantheon-agents were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</content>
    <link href="https://db.gcve.eu/vuln/pysec-2026-607"/>
    <summary>Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of pantheon-agents were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
</summary>
    <published>2026-07-01T21:24:58+00:00</published>
  </entry>
</feed>
