Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/kedro@0.19.7
Type pypi
Namespace
Name kedro
Version 0.19.7
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.3.0
Latest_non_vulnerable_version 1.3.0
Affected_by_vulnerabilities
0
url VCID-6x1m-q9dg-9ycx
vulnerability_id VCID-6x1m-q9dg-9ycx
summary Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0.
references
0
reference_url https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r
fixed_packages
0
url pkg:pypi/kedro@1.3.0
purl pkg:pypi/kedro@1.3.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/kedro@1.3.0
aliases CVE-2026-35171, GHSA-9cqf-439c-j96r, PYSEC-2026-72
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6x1m-q9dg-9ycx
1
url VCID-th6m-yd2z-ykba
vulnerability_id VCID-th6m-yd2z-ykba
summary Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the _get_versioned_path() method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intended versioned dataset directory. This is reachable through multiple entry points: catalog.load(..., version=...), DataCatalog.from_config(..., load_versions=...), and the CLI via kedro run --load-versions=dataset:../../../secrets. An attacker who can influence the version string can force Kedro to load files from outside the intended version directory, enabling unauthorized file reads, data poisoning, or cross-tenant data access in shared environments. This vulnerability is fixed in 1.3.0.
references
0
reference_url https://github.com/kedro-org/kedro/pull/5442
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
url https://github.com/kedro-org/kedro/pull/5442
1
reference_url https://github.com/kedro-org/kedro/security/advisories/GHSA-6326-w46w-ppjw
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
url https://github.com/kedro-org/kedro/security/advisories/GHSA-6326-w46w-ppjw
fixed_packages
0
url pkg:pypi/kedro@1.3.0
purl pkg:pypi/kedro@1.3.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/kedro@1.3.0
aliases CVE-2026-35167, GHSA-6326-w46w-ppjw, PYSEC-2026-71
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-th6m-yd2z-ykba
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/kedro@0.19.7