GitHub
github.com › fportantier › vulpy
GitHub - fportantier/vulpy: Vulnerable Python Application To Learn Secure Development · GitHub
This will permit learning how to develop Python code following best security practices. git clone https://github.com/fportantier/vulpy cd vulpy pip3 install --user -r requirements.txt ...
Starred by 128 users
Forked by 507 users
Languages Python 46.1% | CSS 37.1% | HTML 15.9%
GitHub
github.com › dehvCurtis › vulnerable-code-examples
GitHub - dehvCurtis/vulnerable-code-examples: This repo provides vulnerable code examples · GitHub
Starred by 16 users
Forked by 71 users
Languages Python 33.3% | PHP 11.6% | HCL 11.5% | C# 11.1% | TypeScript 10.2% | JavaScript 9.1%
Cisco Blogs
blogs.cisco.com › cisco blogs › developer › 5 python security traps you need to avoid
5 Python Security Traps You Need to Avoid
March 30, 2022 - Simply put, a Python library is code written by others, which can be easily imported into your script. Code is written by humans, humans make mistakes, and mistakes get patched (hopefully). Unfortunately, we often forget to update (and test!) our code with those patches, leaving it vulnerable to attacks. ... As an example Python library, the Requests package (who doesn’t use this one?) before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Veracode
docs.veracode.com › scan open source › using agent-based scans › finding and fixing vulnerabilities › python sca agent-based scanning › fix example vulnerable method for python
Fix example vulnerable method for Python | Veracode Docs
Select the srcclr/example-python project. Select BERserk Attack Vulnerability in the rsa library in the Vulnerabilities table. The Vulnerable Methods section shows that the verify method is the vulnerable part of the library. To address the identified vulnerable method, do one of these tasks: Change your code ...
MozillaWiki
wiki.mozilla.org › Common_Python_Code_Vulnerabilities
Common Python Code Vulnerabilities - MozillaWiki
GitHub
github.com › anxolerd › dvpwa
GitHub - anxolerd/dvpwa: Damn Vulnerable Python Web App
You can also sanitize text when users input it and prohibit different kinds of code injection. As per the check_paswword function and the database initialization script, passwords are not stored in the database themselves, but their md5 hashes. ... As a hash function produces the same output for the same input, the same passwords will produce the same hash. Passwords are vulnerable to statistical analysis: it is possible to determine how many people use the same password, how popular the password is, etc.
Starred by 183 users
Forked by 712 users
Languages Python 55.2% | Jinja 44.3%
GitHub
github.com › mpirnat › lets-be-bad-guys
GitHub - mpirnat/lets-be-bad-guys: A deliberately-vulnerable website and exercises for teaching about the OWASP Top 10
You’ll need Git to check out the code repository that we’ll be working with. You can download it from http://git-scm.com. All of our examples were developed and tested against Python 2.7 and 3.4.
Starred by 188 users
Forked by 365 users
Languages HTML 60.8% | Python 24.8% | JavaScript 13.5% | CSS 0.9%
SonarSource
rules.sonarsource.com › python › type › vulnerability
Python static code analysis | Vulnerability
Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your PYTHON code
Stack Abuse
stackabuse.com › checking-vulnerabilities-in-your-python-code-with-bandit
Checking Vulnerabilities in Your Python Code with Bandit
June 15, 2021 - In this article, you will be exploring how to use Bandit, an open source security analyzer for Python projects. Bandit generates reports on vulnerabilities in our code!
Red Hat
redhat.com › en › blog › find-python-vulnerabilities
How to find third-party vulnerabilities in your Python code
November 20, 2025 - $ pip-audit --requirement /home/josevnz/EnableSysadmin/EnableSysadminRssReader/requirements.txt No known vulnerabilities found ... After fixing this, I can say my favorite quote from Poltergeist, "This house is clean." ... Yes, it can. For example, PyCharm and VS Code tell you if there is a newer version of a third-party library. For this example, I used an outdated version of Rich: You should not ignore these warnings. ... You can scan your Python projects for third-party library vulnerabilities using pip-audit.
Semgrep
semgrep.dev › write rules › secure coding › python › code injection in python
Code Injection in Python | Semgrep
This is dangerous if external data reaches the run_in_subinterp function call because it allows a malicious actor to run arbitrary Python code. ...
import _testcapi
# Value supplied by user
user_input = "print('pwned')"
# Vulnerable
_testcapi.run_in_subinterp(user_input)

from test import support
# Value supplied by user
user_input = "print('pwned')"
# Vulnerable
support.run_in_subinterp(user_input)
Aikido
aikido.dev › home › articles › top 10 python security vulnerabilities developers should avoid
Python Security Vulnerabilities | Top Issues
January 29, 2026 - Never unpickle data received from an untrusted or unauthenticated source.” In practice, this means if an attacker can feed your application a pickle (e.g., a forged cookie or a cached object), they could run any Python code on your server – essentially a pre-auth RCE (Remote Code Execution) vulnerability. Real-world example: A developer might use pickle.loads() on data received over a network (perhaps thinking it’s just a convenient way to transmit Python objects).
HackerNoon
hackernoon.com › 10-common-security-gotchas-in-python-and-how-to-avoid-them-e19fbe265e03
10 common security gotchas in Python and how to avoid them | HackerNoon
June 16, 2018 - Writing secure code is hard. When you learn a language, a module or a framework, you learn how it is supposed to be used. When thinking about security, you need to think about how it can be misused. Python is no exception; even within the standard library there are documented bad practices for ...
GitHub
github.com › Contrast-Security-OSS › vulnpy
GitHub - Contrast-Security-OSS/vulnpy: Purposely-vulnerable Python functions
... ensure that vulnpy is installed in your current virtual environment with the appropriate extensions (see above) ... For example, pip install -e ".[flask]" && make flask launches a simple flask webapp with vulnpy endpoints.
Starred by 17 users
Forked by 69 users
Languages Python 53.7% | HTML 44.3% | Makefile 1.6%
GitHub
github.com › Vulnerable-Code-Samples › Python_Vulnerable_Code
GitHub - Vulnerable-Code-Samples/Python_Vulnerable_Code: A small collection of vulnerable code snippets
A collection of vulnerable code snippets taken from around the internet. Snippets taken from various blog posts, books, resources, etc.
Forked by 7 users
Languages PHP 31.6% | JavaScript 16.8% | C# 14.4% | C 12.5% | Python 11.0% | Java 6.2%
Top answer 1 of 5
14
Right from the pickle documentation:
Warning
The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
2 of 5
14
eval and exec are the classics. However, open and file can be abused too:
open('/proc/kcore', 'w').write('0' * 1000 * 1000 * 1000)
Then there are the os, sys, subprocess, and dircache modules. Pretty much anything that touches the filesystem or can be used to turn data into executable code (like os.system) is going to be on the list.
As S. Lott pointed out in the comments, writing to the filesystem and executing arbitrary external programs aren't Python-specific. However, they are worth security auditors' consideration. Most of these functions can be safely used without too much concern for security. eval and exec, on the other hand, are great big red flags. Using them safely requires meticulous care.
GitHub
github.com › sgabe › DSVPWA
GitHub - sgabe/DSVPWA: Damn Simple Vulnerable Python Web Application
In comparison to other similar projects, this application also provides very basic session management and HTML templating. Currently it can be used to demonstrate the following security attacks and vulnerabilities: ... The project's goal is to be simple, hence the only requirement is Python 3.9.
Starred by 18 users
Forked by 144 users
Languages Python 57.4% | HTML 36.7% | CSS 3.4%