Vulnerability Catalog
The full list of confirmed vulnerable Python packages. Assigned CVEs and end-to-end exploitation walkthroughs are on the Showcases & CVEs page.
Each application name in the table below links to its directory under cp-collection/ in the repository, which contains the metadata and the proof-of-concepts for that case.
Vulnerable packages
| Application | Reach | Stars | Version | Get | Set | Found by | Status |
|---|---|---|---|---|---|---|---|
| ComfyUI | Remote | 112.5K | latest | Constrained | Attr | Pyrl | Reported |
| ragflow | Remote | 80.3K | latest | Constrained | Attr | Pyrl | Reported |
| smolagents | Remote | 27.4K | v1.14.0 | Constrained | Attr | Pyrl | Reported |
| taipy | Remote | 19.2K | v4.0.3 | Constrained | Attr | Pyrl | Fixed |
| sd-webui-controlnet | Remote | 17.9K | latest | Constrained | Attr | Pyrl | Reported |
| stable-diffusion-webui-forge | Remote | 12.5K | latest | Constrained | Attr | Pyrl | Reported |
| mesop | Remote | 6.5K | v0.13.0 | Constrained | Dual | Pyrl | Reported |
| docarray | Remote | 3.1K | latest | Constrained | Attr | Pyrl | Reported |
| django-unicorn | Remote | 2.6K | 0.61.0 | Agnostic | Dual | Pyrl | Reported |
| fastapi-amis-admin | Remote | 1.5K | latest | Constrained | Attr | Pyrl | Reported |
| pytest-sftpserver | Remote | 38 | 1.3.0 | Agnostic | Dual | Pyrl | Todo |
| open-interpreter | Local | 63.5K | latest | Constrained | Attr | Pyrl | Reported |
| minGPT | Local | 24.3K | latest | Constrained | Attr | Pyrl | Reported |
| zipline | Local | 19.8K | latest | Constrained | Attr | Pyrl | Reported |
| hummingbot | Local | 18.5K | latest | Constrained | Attr | Pyrl | Reported |
| pyinstrument | Local | 7.7K | N/A | Agnostic | Dual | Pyrl | Reported |
| wfuzz | Local | 6.5K | latest | Constrained | Attr | Pyrl | Reported |
| tensorpack | Local | 6.3K | latest | Constrained | Attr | Pyrl | Reported |
| azure-cli | Local | 4.5K | v2.68.0 | Agnostic | Dual | Pyrl | Fixed |
| azure-cli-core | Local | 4.5K | latest | Agnostic | Dual | Pyrl | Reported |
| deepdoctection | Local | 3.2K | latest | Constrained | Attr | Pyrl | Reported |
| virt-manager | Local | 3.1K | latest | Constrained | Attr | Pyrl | Reported |
| sverchok | Local | 2.5K | latest | Agnostic | Dual | Pyrl | Assigned |
| fixinventory | Local | 2.1K | 4.2.0 | Agnostic | Dual | Pyrl | Reported |
| EasyCV | Local | 1.9K | latest | Constrained | Attr | Pyrl | Reported |
| nut | Local | 1.3K | latest | Constrained | Attr | Pyrl | Reported |
| CRNN_Tensorflow | Local | 1.0K | latest | Agnostic | Item | Pyrl | Reported |
| GCFT | Local | 141 | N/A | Agnostic | Dual | Pyrl | Reported |
| schemasheets | Local | 52 | 0.3.1 | Agnostic | Dual | Pyrl | Reported |
| diffusers | Package | 33.6K | latest | Constrained | Attr | Pyrl | Reported |
| spaCy | Package | 33.6K | latest | Constrained | Attr | Pyrl | Reported |
| fairseq | Package | 32.2K | latest | Constrained | Attr | Pyrl | Reported |
| pytorch-lightning | Package | 31.1K | latest | Constrained | Attr | Pyrl | Reported |
| nni | Package | 14.4K | latest | Constrained | Attr | Pyrl | Reported |
| stylegan2 | Package | 11.2K | latest | Constrained | Attr | Pyrl | Todo |
| accelerate | Package | 9.7K | latest | Constrained | Attr | Pyrl | Reported |
| mmpose | Package | 7.6K | latest | Constrained | Attr | Pyrl | Reported |
| issaclab | Package | 7.1K | v1.4.0 | Agnostic | Dual | Pyrl | Reported |
| clearml | Package | 6.7K | v1.16.5 | Agnostic | Dual | Pyrl | Reported |
| deepchem | Package | 6.7K | latest | Agnostic | Dual | Pyrl | Todo |
| ibis | Package | 6.5K | latest | Constrained | Attr | Pyrl | Reported |
| panel | Package | 5.7K | latest | Constrained | Attr | Pyrl | Reported |
| Red-DiscordBot | Package | 5.5K | latest | Constrained | Attr | Pyrl | Reported |
| optimum | Package | 3.4K | latest | Constrained | Attr | Pyrl | Reported |
| robusta | Package | 3.0K | 0.20.0 | Agnostic | Dual | Pyrl | Reported |
| legged_gym | Package | 2.9K | latest | Constrained | Attr | Pyrl | Reported |
| neural-compressor | Package | 2.6K | latest | Constrained | Attr | Pyrl | Reported |
| deepdiff | Package | 2.5K | v8.0.0 | Agnostic | Dual | diogotcorreia | Accepted |
| generative-ai-python | Package | 2.3K | latest | Constrained | Attr | Pyrl | Reported |
| wrapt | Package | 2.3K | latest | Constrained | Attr | Pyrl | Reported |
| glom | Package | 2.1K | v24.11.0 | Agnostic | Dual | Pyrl | Reported |
| evennia | Package | 2.0K | latest | Constrained | Attr | Pyrl | Reported |
| pydash | Package | 1.4K | v5.1.2 | Agnostic | Dual | abdulrah33m | Fixed |
| pykka | Package | 1.3K | latest | Constrained | Attr | Pyrl | Reported |
| EPro-PnP | Package | 1.2K | latest | Constrained | Attr | Pyrl | Reported |
| otx | Package | 1.2K | v2.2.2 | Agnostic | Dual | Pyrl | Reported |
| xorbits | Package | 1.2K | latest | Constrained | Attr | Pyrl | Reported |
| JSPyBridge | Package | 850 | 1.2.1 | Agnostic | Dual | Pyrl | Reported |
| meta_dataset | Package | 802 | N/A | Constrained | Attr | Pyrl | Reported |
| riven | Package | 789 | v0.20.1 | Constrained | Dual | Pyrl | Reported |
| torchlens | Package | 641 | 0.1.26 | Agnostic | Dual | Pyrl | Reported |
| agentlab | Package | 576 | v0.3.2 | Agnostic | Dual | Pyrl | Reported |
| tournesol | Package | 375 | N/A | Agnostic | Dual | Pyrl | Reported |
| pokitoki | Package | 339 | v210 | Constrained | Dual | Pyrl | Reported |
| nebari | Package | 326 | 2024.12.1 | Agnostic | Dual | Pyrl | Reported |
| edsnlp | Package | 165 | v0.15.0 | Agnostic | Dual | Pyrl | Reported |
| netchecks | Package | 164 | v0.5.4 | Constrained | Dual | Pyrl | Reported |
| uavSim | Package | 160 | N/A | Agnostic | Dual | Pyrl | Reported |
| jacinle | Package | 145 | N/A | Constrained | Dual | Pyrl | Reported |
| gensphere | Package | 132 | N/A | Agnostic | Dual | Pyrl | Reported |
| genielibs | Package | 113 | V24.9 | Agnostic | Dual | Pyrl | Reported |
| laboneq | Package | 52 | v2.44.0 | Agnostic | Dual | Pyrl | Reported |
| magicattr | Package | 18 | v3.9.0 | Agnostic | Dual | Pyrl | Reported |
| mo_dots | Package | 7 | 10.659.25005 | Agnostic | Dual | Pyrl | Reported |
| pystringattr | Package | 2 | N/A | Agnostic | Dual | Pyrl | Reported |
| dektools | Package | N/A | 0.2.59 | Agnostic | Dual | Pyrl | Reported |
| geodesic-api | Package | N/A | 0.66.0 | Agnostic | Dual | Pyrl | Reported |
| steam-sdk | Package | N/A | 2025.1.1 | Agnostic | Dual | Pyrl | Reported |
Reach: Remote = reachable from the network; Local = reachable from local input such as a CLI argument; Package = reachable through a public API of a library and therefore exploitable from any caller of that library. Get and Set are the pollution primitives each case exposes: Get is either Constrained or Agnostic, and Set is Attr, Item, or Dual. Found by: this work (Pyrl) unless an external researcher is credited.