Safeguard
Tag

python-security

Safeguard articles tagged "python-security" — guides, analysis, and best practices for software supply chain and application security.

71 articles

Vulnerability Analysis

Jinja2 sandbox escape (CVE-2022-29361)

CVE-2022-29361 lets attackers bypass Jinja2's SandboxedEnvironment via str.format, reaching unsafe attributes and risking RCE in untrusted-template apps.

Dec 26, 20257 min read
Vulnerability Analysis

Jinja2 xmlattr filter XSS (CVE-2024-22195)

CVE-2024-22195 lets attacker-controlled dict keys bypass Jinja2's xmlattr escaping for XSS. Learn affected versions, CVSS/EPSS context, and fixes.

Dec 26, 20257 min read
Vulnerability Analysis

Sentry SDK sensitive data exposure (CVE-2021-23727)

CVE-2021-23727 let sentry-sdk for Python leak OS environment variables into Sentry events, exposing secrets. Here's the impact, timeline, and fix.

Dec 26, 20257 min read
Open Source Security

pip's Version-Based Resolution and the Origin of Dependen...

CVE-2018-20225 exposed how pip's version-based resolver lets a higher-versioned public PyPI package silently override a private one — the origin of dependency confusion attacks.

Dec 3, 20257 min read
Open Source Security

The 'ctx' PyPI Package Hijack via Expired Maintainer Domain

In 2022, attackers bought an expired domain, reset a PyPI maintainer's email, and hijacked the ctx package to steal environment variables from unsuspecting installs.

Dec 3, 20257 min read
Open Source Security

PyPI typosquatting and malicious package report

A 2026 look at PyPI typosquatting trends: attack patterns, CI/CD targeting, info-stealer payloads, and how to defend the Python supply chain.

Nov 28, 20257 min read
Industry Analysis

SQL Injection Prevention in Python with Parameterized Que...

SQL injection remains widespread in Python apps despite decades-old fixes. Here's how parameterized queries actually prevent it, and where ORMs still leave gaps.

Oct 27, 20257 min read
Industry Analysis

Path Traversal Prevention in Python with os.path.realpath

os.path.normpath() and abspath() don't stop symlink-based path traversal. Here's how os.path.realpath() closes the gap, with real CVEs and a secure pattern.

Oct 24, 20257 min read
Industry Analysis

XXE Prevention in Python with resolve_entities=False

Why lxml's XMLParser resolves external entities by default, how resolve_entities=False actually stops XXE, and where Python teams still leave file-read and SSRF paths open.

Oct 22, 20257 min read
Industry Analysis

Insecure Deserialization Prevention in Python: yaml.safe_...

Why yaml.load() and pickle.load() became RCE vectors in Python, the CVEs behind them, and how safe_load() closes the gap — plus how Safeguard catches unsafe deserialization before it ships.

Oct 20, 20257 min read
Industry Analysis

Secure Random Number Generation in Python with the secret...

Python's random module is predictable, not secure. Here's why CWE-338 matters, when the secrets module (PEP 506, Python 3.6) fixed it, and how to generate tokens safely.

Oct 20, 20257 min read
Vulnerability Analysis

CVE-2019-19844: Django password reset token weakness

CVE-2019-19844 let attackers hijack Django accounts by exploiting how case-sensitive email matching broke the base36 password reset token flow.

Oct 9, 20257 min read
python-security (Page 4) — Safeguard Blog