Comparison Overview

PyVista provides 3D plotting and mesh analysis through an interface for the Visualization Toolkit (VTK). Version 0.46.3 of the PyVista Project is vulnerable to remote code execution via dependency confusion. Two pieces of code use`--extra-index-url`. But when `--extra-index-url` is used, pip always checks for the PyPI index first, and then the external index. One package listed in the code is not published in PyPI. If an attacker publishes a package with higher version in PyPI, the malicious code from the attacker controlled package may be pulled, leading to remote code execution and a supply chain attack. As of time of publication, a patched version is unavailable.

• https://github.com/pyvista/pyvista/blob/c96e1ddbe707fb7d3eb574dc3336de1a946f14a1/.devcontainer/offscreen/oncreatecommand.sh#L4
• https://github.com/pyvista/pyvista/blob/c96e1ddbe707fb7d3eb574dc3336de1a946f14a1/docker/slim.Dockerfile#L13
• https://github.com/pyvista/pyvista/commit/aabfb3db2b0d4980de9e94e66272240efba4ed95
• https://github.com/pyvista/pyvista/security/advisories/GHSA-xr7f-qcjc-63rv

KUNO CMS is a fully deployable full-stack blog application. In versions prior to 1.3.15, an SSRF (Server-Side Request Forgery) vulnerability exists in the Media module of the Kuno CMS administrative panel. A logged-in administrator can upload a specially crafted SVG file containing an external image reference, causing the server to initiate an outgoing connection to an arbitrary external URL. This can lead to information disclosure or internal network probing. Version 1.3.15 contains a fix for the issue.

• https://github.com/xuemian168/kuno/commit/804b2909c65b16ae2063d0f992e0711aa09475e2
• https://github.com/xuemian168/kuno/releases/tag/v1.3.15
• https://github.com/xuemian168/kuno/security/advisories/GHSA-4f5f-2c49-5mwm

The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows remote authenticated users to change the file extension when a vCard file is downloaded.

• https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43824

The YoSmart YoLink API through 2025-10-02 uses an endpoint URL that is derived from a device's MAC address along with an MD5 hash of non-secret information, such as a key that begins with cf50.

• https://bishopfox.com/blog/advisories
• https://bishopfox.com/blog/how-a-20-smart-device-gave-me-access-to-your-home
• https://shop.yosmart.com/pages/product-support

The YoSmart YoLink application through 2025-10-02 has session tokens with unexpectedly long lifetimes.

• https://bishopfox.com/blog/advisories
• https://bishopfox.com/blog/how-a-20-smart-device-gave-me-access-to-your-home
• https://shop.yosmart.com/pages/product-support