Suggestions search

All statuses

Filter by:

With package: python314Packages.palettable

Found 2 matching suggestions

View:

Compact

Detailed

Untriaged

Permalink CVE-2026-4964

6.3 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 3 weeks, 1 day ago

letta-ai letta File URL message_helper.py _convert_message_create_to_message server-side request forgery

A security vulnerability has been detected in letta-ai letta 0.16.4. This vulnerability affects the function _convert_message_create_to_message of the file letta/helpers/message_helper.py of the component File URL Handler. Such manipulation of the argument ImageContent leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

VDB-353841 | letta-ai letta File URL message_helper.py _convert_message_create_to_message server-side request forgery vdb-entrytechnical-description
VDB-353841 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #777645 | letta-ai letta 0.16.4 CWE-918 third-party-advisory
https://gist.github.com/YLChen-007/fde4d5ed6ac4aa876f73f8954c6214da exploit

Affected products

letta

==0.16.4

Matching in nixpkgs

pkgs.python312Packages.palettable

Library of color palettes

nixos-25.11 3.3.3
- nixos-25.11-small 3.3.3
- nixpkgs-25.11-darwin 3.3.3

pkgs.python313Packages.palettable

Library of color palettes

nixos-unstable 3.3.3
- nixpkgs-unstable 3.3.3
- nixos-unstable-small 3.3.3
nixos-25.11 3.3.3
- nixos-25.11-small 3.3.3
- nixpkgs-25.11-darwin 3.3.3

pkgs.python314Packages.palettable

Library of color palettes

nixos-unstable 3.3.3
- nixpkgs-unstable 3.3.3
- nixos-unstable-small 3.3.3

Package maintainers

@PsyanticY Psyanticy <iuns@outlook.fr>

Untriaged

Permalink CVE-2026-4965

7.3 HIGH

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 3 weeks, 1 day ago

letta-ai letta Incomplete Fix CVE-2025-6101 ast_parsers.py resolve_type eval injection

A vulnerability was detected in letta-ai letta 0.16.4. This issue affects the function resolve_type of the file letta/functions/ast_parsers.py of the component Incomplete Fix CVE-2025-6101. Performing a manipulation results in improper neutralization of directives in dynamically evaluated code. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.