python-security
Safeguard articles tagged "python-security" — guides, analysis, and best practices for software supply chain and application security.
71 articles
Jinja2 sandbox escape (CVE-2022-29361)
CVE-2022-29361 lets attackers bypass Jinja2's SandboxedEnvironment via str.format, reaching unsafe attributes and risking RCE in untrusted-template apps.
Jinja2 xmlattr filter XSS (CVE-2024-22195)
CVE-2024-22195 lets attacker-controlled dict keys bypass Jinja2's xmlattr escaping for XSS. Learn affected versions, CVSS/EPSS context, and fixes.
Sentry SDK sensitive data exposure (CVE-2021-23727)
CVE-2021-23727 let sentry-sdk for Python leak OS environment variables into Sentry events, exposing secrets. Here's the impact, timeline, and fix.
pip's Version-Based Resolution and the Origin of Dependen...
CVE-2018-20225 exposed how pip's version-based resolver lets a higher-versioned public PyPI package silently override a private one — the origin of dependency confusion attacks.
The 'ctx' PyPI Package Hijack via Expired Maintainer Domain
In 2022, attackers bought an expired domain, reset a PyPI maintainer's email, and hijacked the ctx package to steal environment variables from unsuspecting installs.
PyPI typosquatting and malicious package report
A 2026 look at PyPI typosquatting trends: attack patterns, CI/CD targeting, info-stealer payloads, and how to defend the Python supply chain.
SQL Injection Prevention in Python with Parameterized Que...
SQL injection remains widespread in Python apps despite decades-old fixes. Here's how parameterized queries actually prevent it, and where ORMs still leave gaps.
Path Traversal Prevention in Python with os.path.realpath
os.path.normpath() and abspath() don't stop symlink-based path traversal. Here's how os.path.realpath() closes the gap, with real CVEs and a secure pattern.
XXE Prevention in Python with resolve_entities=False
Why lxml's XMLParser resolves external entities by default, how resolve_entities=False actually stops XXE, and where Python teams still leave file-read and SSRF paths open.
Insecure Deserialization Prevention in Python: yaml.safe_...
Why yaml.load() and pickle.load() became RCE vectors in Python, the CVEs behind them, and how safe_load() closes the gap — plus how Safeguard catches unsafe deserialization before it ships.
Secure Random Number Generation in Python with the secret...
Python's random module is predictable, not secure. Here's why CWE-338 matters, when the secrets module (PEP 506, Python 3.6) fixed it, and how to generate tokens safely.
CVE-2019-19844: Django password reset token weakness
CVE-2019-19844 let attackers hijack Django accounts by exploiting how case-sensitive email matching broke the base36 password reset token flow.