🌐
GuardRails
guardrails.io › blog › how-to-detect-and-fix-the-five-most-common-python-security-vulnerabilities
How To Detect and Fix the Five Most Common Python Security Vulnerabilities - GuardRails
February 27, 2023 - Python is one of the biggest programming languages used today. Here are five of its most common security vulnerabilities and how to detect them.
🌐
GitHub
github.com › fportantier › vulpy
GitHub - fportantier/vulpy: Vulnerable Python Application To Learn Secure Development · GitHub
This will permit learning how to develop Python code following the best security practices.
    git clone https://github.com/fportantier/vulpy
    cd vulpy
    pip3 install --user -r requirements.txt ...
Starred by 128 users
Forked by 507 users
Languages   Python 46.1% | CSS 37.1% | HTML 15.9%
🌐
Snyk
snyk.io › blog › code-injection-python-prevention-examples
Code injection in Python: examples and prevention | Snyk
December 6, 2023 - By exploiting vulnerabilities, ... occur when an application mishandles user input. For example, insecure use of functions like eval() in Python without proper ......
🌐
Veracode
docs.veracode.com › scan open source › using agent-based scans › finding and fixing vulnerabilities › python sca agent-based scanning › fix example vulnerable method for python
Fix example vulnerable method for Python | Veracode Docs
Select the srcclr/example-python project. Select BERserk Attack Vulnerability in the rsa library in the Vulnerabilities table. The Vulnerable Methods section shows that the verify method is the vulnerable part of the library. To address the identified vulnerable method, do one of these tasks: Change your code ...
🌐
GitHub
github.com › dehvCurtis › vulnerable-code-examples
GitHub - dehvCurtis/vulnerable-code-examples: This repo provides vulnerable code examples · GitHub
This repo provides vulnerable code examples. Contribute to dehvCurtis/vulnerable-code-examples development by creating an account on GitHub.
Starred by 16 users
Forked by 72 users
Languages   Python 33.3% | PHP 11.6% | HCL 11.5% | C# 11.1% | TypeScript 10.2% | JavaScript 9.1%
🌐
MozillaWiki
wiki.mozilla.org › Common_Python_Code_Vulnerabilities
Common Python Code Vulnerabilities
🌐
Cisco Blogs
blogs.cisco.com › cisco blogs › developer › 5 python security traps you need to avoid
5 Python Security Traps You Need to Avoid
March 30, 2022 - Simply put, a Python library is code written by others, which can be easily imported into your script. Code is written by humans, humans make mistakes and mistakes get patched (hopefully). Unfortunately, we often forget to update (and test!) our code with those patches, making it vulnerable to attacks. ... As example Python library, the Requests package (who doesn’t use this one?) before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
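Added example (my own code, not the requests library's implementation) of the check that closes the redirect leak this snippet describes: before following a redirect, drop the Authorization header whenever the target is a different host:port or the scheme downgrades from https to http. The URLs and header values below are constructed for illustration.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, effective port) so example.com and example.com:443 compare equal."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return parts.scheme.lower(), (parts.hostname or "").lower(), port


def headers_for_redirect(original_url: str, redirect_url: str,
                         headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of headers that is safe to send to redirect_url.

    Authorization is dropped when the redirect leaves the original host:port
    or downgrades https -> http. The downgrade case is the one the snippet
    says requests < 2.20.0 got wrong: same hostname, but the credential would
    now travel in cleartext.
    """
    o_scheme, o_host, o_port = _origin(original_url)
    r_scheme, r_host, r_port = _origin(redirect_url)
    safe = dict(headers)  # never mutate the caller's header dict
    host_changed = (o_host, o_port) != (r_host, r_port)
    downgraded = o_scheme == "https" and r_scheme == "http"
    if host_changed or downgraded:
        safe.pop("Authorization", None)
    return safe


def would_leak(original_url: str, redirect_url: str, headers: Dict[str, str]) -> bool:
    """True if naively resending headers to redirect_url would expose the credential."""
    return "Authorization" in headers and \
        "Authorization" not in headers_for_redirect(original_url, redirect_url, headers)
```

Comparing the effective port as well as the hostname is stricter than the snippet's wording requires; it also catches a redirect to a different service on the same host. Upgrading requests is still the real fix, since the library applies this logic on every hop of a redirect chain, not just the first.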
🌐
SonarSource
rules.sonarsource.com › python › type › vulnerability
Python static code analysis | Vulnerability
Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your PYTHON code
🌐
Aikido
aikido.dev › home › articles › top 10 python security vulnerabilities developers should avoid
Python Security Vulnerabilities | Top Issues
January 29, 2026 - Never unpickle data received from an untrusted or unauthenticated source.” In practice, this means if an attacker can feed your application a pickle (e.g., a forged cookie or a cached object), they could run any Python code on your server – essentially a pre-auth RCE (Remote Code Execution) vulnerability. Real-world example: A developer might use pickle.loads() on data received over a network (perhaps thinking it’s just a convenient way to transmit Python objects).
🌐
GitHub
github.com › anxolerd › dvpwa
GitHub - anxolerd/dvpwa: Damn Vulnerable Python Web App · GitHub
You can also sanitize text, when users input it and prohibit different kinds of code injection. As per check_paswword function and database initialization script, passwords are not stored in the database themselves, but their md5 hashes. ... As hash function produces same output for same input, same passwords will produce the same hash. Passwords are vulnerable to statistical analysis: it is possible to determine how many people use the same password, how popular the password is, etc:
Starred by 187 users
Forked by 738 users
Languages   Python 55.2% | Jinja 44.3%
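Added example (not code from dvpwa or its documentation) of the unsalted-MD5 problem the snippet describes: equal passwords give equal digests, so anyone who dumps the table can count password reuse without cracking a single hash. Beside it is the hardened form, a random per-user salt with PBKDF2-HMAC-SHA256 and a constant-time compare. The user table, salt length and iteration count are my own choices; the iteration count follows the order of magnitude OWASP currently recommends for this KDF.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample user table: alice and bob chose the same password.
USERS: Dict[str, str] = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

SALT_LEN = 16
PBKDF2_ITERATIONS = 600_000  # assumption: OWASP's current guidance for PBKDF2-HMAC-SHA256


def md5_hash(password: str) -> str:
    """Unsalted MD5 as the vulnerable app stores it: same password, same digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_md5(users: Dict[str, str]) -> Dict[str, bytes]:
    return {user: md5_hash(pw).encode("ascii") for user, pw in users.items()}


def count_shared_digests(stored: Dict[str, bytes]) -> int:
    """Number of users whose stored value is identical to some other user's.

    This is the statistical analysis the snippet warns about: with unsalted
    hashes it reveals reuse and popularity; with salted ones it reveals nothing.
    """
    values = list(stored.values())
    return sum(1 for v in values if values.count(v) > 1)


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Hardened form: random per-user salt + slow KDF, stored as salt || digest."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def store_salted(users: Dict[str, str]) -> Dict[str, bytes]:
    return {user: hash_password(pw) for user, pw in users.items()}
```

The salt does not need to be secret, only unique per user; it is stored next to the digest precisely so that verification can recompute it. A memory-hard KDF (scrypt via hashlib.scrypt, or argon2 from a third-party package) is the better choice for new systems; PBKDF2 is used here because it ships in the standard library.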
🌐
GitHub
github.com › Vulnerable-Code-Samples › Python_Vulnerable_Code
GitHub - Vulnerable-Code-Samples/Python_Vulnerable_Code: A small collection of vulnerable code snippets
A small collection of vulnerable code snippets . Contribute to Vulnerable-Code-Samples/Python_Vulnerable_Code development by creating an account on GitHub.
Forked by 7 users
Languages   PHP 31.6% | JavaScript 16.8% | C# 14.4% | C 12.5% | Python 11.0% | Java 6.2%
🌐
S2e-lab
s2e-lab.github.io › preprints › msr4ps22-preprint.pdf pdf
SecurityEval Dataset: Mining Vulnerability Examples to Evaluate
[13] to study the (vulnerable) code generated by GitHub Copilot. These scenarios focus on GitHub Copilot, whereas our dataset is a generalized one to use for any context-based source code generation model and tool. Our dataset is also rich with examples from 75 CWEs with 130 scenarios. ... Python code samples spanning 75 types of vulnerabilities (CWEs).
🌐
Semgrep
semgrep.dev › write rules › secure coding › python › code injection in python
Code Injection in Python | Semgrep
This is dangerous if external data reaches the run_in_subinterp function call because it allows a malicious actor to run arbitrary Python code. ...
    import _testcapi
    # Value supplied by user
    user_input = "print('pwned')"
    # Vulnerable
    _testcapi.run_in_subinterp(user_input)

    from test import support
    # Value supplied by user
    user_input = "print('pwned')"
    # Vulnerable
    support.run_in_subinterp(user_input)
🌐
HackerNoon
hackernoon.com › 10-common-security-gotchas-in-python-and-how-to-avoid-them-e19fbe265e03
10 common security gotchas in Python and how to avoid them | HackerNoon
June 16, 2018 - Writing secure code is hard. When you learn a language, a module or a framework, you learn how it supposed to be used. When thinking about security, you need to think about how it can be misused. Python is no exception, even within the standard library there are documented bad practices for ...
🌐
Red Hat
redhat.com › en › blog › find-python-vulnerabilities
How to find third-party vulnerabilities in your Python code
November 20, 2025 -
    $ pip-audit --requirement ...
    No known vulnerabilities found
After fixing this, I can say my favorite quote from Poltergeist, "This house is clean." Yes, it can. For example, PyCharm and VS Code tell you if there is a newer version of a third-party library. For this example, I used an outdated version of Rich: You should not ignore these warnings. ... You can scan your Python projects for ...
🌐
Medium
medium.com › @melihcolpan › python-web-applications-how-to-secure-against-common-vulnerabilities-65247d20acce
Python Web Applications: How to Secure Against Common Vulnerabilities | by Melih Çolpan | Medium
October 1, 2024 - Insecure deserialization is a vulnerability that occurs when an application deserializes untrusted data without proper validation, leading to remote code execution (RCE), privilege escalation, or denial of service (DoS) attacks.
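Added example (my own code, not from this article or the Aikido article above) tying the two deserialization entries together: a pickle forged with __reduce__ runs a callable of the attacker's choosing the moment pickle.loads touches it, which is the pre-auth RCE both snippets describe. Beside it are the two defences a practitioner would combine: an HMAC tag so bytes that were not produced by the server are never unpickled at all, and a restricted Unpickler that refuses to resolve globals even if a signed blob is tampered with or the key leaks. The callback, the key and the empty allowlist are my own constructions; the payload calls a harmless marker function instead of os.system so the effect is observable offline.

```python
import hashlib
import hmac
import io
import pickle
from typing import Any

# Evidence that attacker-chosen code ran. A real payload would name os.system
# or subprocess.Popen here; this one records a marker instead.
EXECUTED = []


def attacker_callback(marker: str) -> str:
    EXECUTED.append(marker)
    return marker


class Exploit:
    """pickle serialises __reduce__'s (callable, args) and calls it on load."""

    def __reduce__(self):
        return (attacker_callback, ("pwned",))


def forge_payload() -> bytes:
    """What an attacker places in the cookie or cache entry."""
    return pickle.dumps(Exploit())


def vulnerable_load(data: bytes) -> Any:
    """The pattern both articles warn about: pickle.loads on untrusted bytes."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Deny GLOBAL lookups. Plain data (dict, list, str, int, bytes) never needs
    them, so an empty allowlist is safe for a session or cache object."""

    ALLOWED = set()  # add ("module", "name") pairs only for classes you control

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def restricted_load(data: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_load_rejects(data: bytes) -> bool:
    try:
        restricted_load(data)
    except pickle.UnpicklingError:
        return True
    return False


KEY = b"constructed-server-secret"  # in production, from a secret store, never in code
TAG_LEN = hashlib.sha256().digest_size


def pack_session(obj: Any) -> bytes:
    """Server side: pickle, then prepend an HMAC-SHA256 tag over the bytes."""
    data = pickle.dumps(obj)
    return hmac.new(KEY, data, hashlib.sha256).digest() + data


def verified_load(blob: bytes) -> Any:
    """Client-supplied side: check the tag first, then use the restricted loader."""
    tag, data = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(KEY, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature: not unpickling")
    return restricted_load(data)


def verified_load_rejects(blob: bytes) -> bool:
    try:
        verified_load(blob)
    except (ValueError, pickle.UnpicklingError):
        return True
    return False


def sign_raw(data: bytes) -> bytes:
    """Helper for the 'key leaked' scenario: a valid tag over attacker bytes."""
    return hmac.new(KEY, data, hashlib.sha256).digest() + data
```

The order matters: verify, then unpickle, never the reverse, because the exploit fires inside the parser before any return value exists. If the data is a plain dict or list anyway, json.loads with a schema check is the simpler answer and removes the problem entirely.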
🌐
CodeSandbox
codesandbox.io › p › github › Undead34 › vulnerable-code-examples
vulnerable-code-examples
CodeSandbox is a cloud development platform that empowers developers to code, collaborate and ship projects of any size from any device in record time.
🌐
GitHub
github.com › google › security-research › security › advisories › GHSA-475q-v6j3-mjr4
Python: Code Execution Vulnerability
March 26, 2024 - Low - In order for an adversary to exploit this vulnerability, they must have control over the contents of an environment variable and the script that is used for benchmarking.
    ~$ pwd
    ~$ export SKLBENCH_NJOBS='print("Code execution!")'
    ~$ python3 common.py
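Added example (my own code, not the advisory's benchmark script and not Snyk's article) showing the injection pattern behind this entry and the Snyk result above: a string that should be a number is handed to eval(), so whoever controls the string controls the interpreter. The hardened version parses with ast.literal_eval and then enforces the type and range it actually needs. Assumptions: that the benchmark script evaluates the variable with eval() (the advisory shows the trigger, not the source), the variable name SKLBENCH_NJOBS taken from the advisory's reproduction, and a payload that calls a local marker function rather than print so the effect can be checked.

```python
import ast
import os

EXECUTED = []


def side_effect() -> int:
    """Stand-in for a real payload such as __import__('os').system('...')."""
    EXECUTED.append("executed")
    return 1


def vulnerable_njobs(raw: str) -> int:
    """Assumed vulnerable pattern: eval() on a string from the environment.

    eval resolves names in this module's globals, so the string "side_effect()"
    runs that function; "__import__('os').system('id')" would run a shell.
    """
    return eval(raw)  # the bug on display; never do this with external input


def hardened_njobs(raw: str) -> int:
    """Parse as a Python literal only, then enforce the type and range we need."""
    try:
        value = ast.literal_eval(raw.strip())
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"SKLBENCH_NJOBS must be a positive integer literal, got {raw!r}") from exc
    # bool is a subclass of int, so "True" would otherwise pass as 1.
    if isinstance(value, bool) or not isinstance(value, int) or value < 1:
        raise ValueError(f"SKLBENCH_NJOBS must be a positive integer, got {value!r}")
    return value


def hardened_njobs_rejects(raw: str) -> bool:
    try:
        hardened_njobs(raw)
    except ValueError:
        return True
    return False


def njobs_from_env(name: str = "SKLBENCH_NJOBS", default: int = 1) -> int:
    """Read the setting the safe way; an absent variable falls back to the default."""
    raw = os.environ.get(name)
    return default if raw is None else hardened_njobs(raw)
```

For a value that is only ever an integer, int(raw) is simpler still and equally safe; literal_eval is shown because it is the usual drop-in for eval() when the setting may be a list or dict, and the type check after it is what keeps a literal of the wrong shape from reaching the rest of the program.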