paddlepaddle

PyPI32 known CVEs affecting this package

Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting paddlepaddlepage 1 of 1

CVE-2022-45908CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.4
2022-11-26
vulnerable: 1.8.5 ... 2.4.0rc0 (20 versions)
In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vulnerable to code injection because it calls eval on a user-supplied winstr. This may lead to arbitrary code execution.
CVE-2022-46741HIGHCVSS 7.1EG 7.1✓ Fixed in 2.4
2022-12-07
vulnerable: 1.8.5 ... 2.4.0rc0 (20 versions)
Out-of-bounds read in gather_tree in PaddlePaddle before 2.4.
CVE-2022-46742CRITICALCVSS 10.0EG 10.0✓ Fixed in 2.4.0
2022-12-07
vulnerable: 1.8.5 ... 2.4.0rc0 (17 versions)
Code injection in paddle.audio.functional.get_window in PaddlePaddle 2.4.0-rc0 allows arbitrary code execution.
CVE-2023-38669HIGHCVSS 8.3EG 8.3✓ Fixed in 2.5.0
2023-07-26
vulnerable: 1.8.5 ... 2.5.0rc1 (24 versions)
Use after free in paddle.diagonal in PaddlePaddle before 2.5.0. This resulted in a potentially exploitable condition.
CVE-2023-38670MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.5.0
2023-07-26
vulnerable: 1.8.5 ... 2.5.0rc1 (24 versions)
Null pointer dereference in paddle.flip in PaddlePaddle before 2.5.0. This resulted in a runtime crash and denial of service.
CVE-2023-38671HIGHCVSS 8.3EG 8.3✓ Fixed in 2.5.0
2023-07-26
vulnerable: 1.8.5 ... 2.5.0rc1 (24 versions)
Heap buffer overflow in paddle.trace in PaddlePaddle before 2.5.0. This flaw can lead to a denial of service, information disclosure, or more damage is possible.
CVE-2023-38672MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.5.0
2023-07-26
vulnerable: 1.8.5 ... 2.5.0rc1 (24 versions)
FPE in paddle.trace in PaddlePaddle before 2.5.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-38673CRITICALCVSS 9.6EG 9.6✓ Fixed in 2.5.0
2023-07-26
vulnerable: 1.8.5 ... 2.5.0rc1 (24 versions)
PaddlePaddle before 2.5.0 has a command injection in fs.py. This resulted in the ability to execute arbitrary commands on the operating system.
CVE-2023-38674MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
FPE in paddle.nanmedian in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-38675MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
FPE in paddle.linalg.matrix_rank in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-38676MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
Nullptr in paddle.dot in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-38677MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
FPE in paddle.linalg.eig in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-38678MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
OOB access in paddle.mode in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-52302MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
Nullptr in paddle.nextafter in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-52303MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
Nullptr in paddle.put_along_axis in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-52304HIGHCVSS 8.2EG 8.2✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
Stack overflow in paddle.searchsorted in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.
CVE-2023-52305MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
FPE in paddle.topk in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-52306MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
FPE in paddle.lerp in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-52307HIGHCVSS 8.2EG 8.2✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
Stack overflow in paddle.linalg.lu_unpack in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.
CVE-2023-52308MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
FPE in paddle.amin in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-52309HIGHCVSS 8.2EG 8.2✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
Heap buffer overflow in paddle.repeat_interleave in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, information disclosure, or more damage is possible.
CVE-2023-52310CRITICALCVSS 9.6EG 9.6✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. This resulted in the ability to execute arbitrary commands on the operating system.
CVE-2023-52311CRITICALCVSS 9.6EG 9.6✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
PaddlePaddle before 2.6.0 has a command injection in _wget_download. This resulted in the ability to execute arbitrary commands on the operating system.
CVE-2023-52312MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.6.1
2024-01-03
vulnerable: 1.8.5 ... 2.6.0 (14 versions)
Nullptr dereference in paddle.crop in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-52313MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
FPE in paddle.argmin and paddle.argmax in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
CVE-2023-52314CRITICALCVSS 9.6EG 9.6✓ Fixed in 2.6.0
2024-01-03
vulnerable: 1.8.5 ... 2.5.2 (13 versions)
PaddlePaddle before 2.6.0 has a command injection in convert_shape_compare. This resulted in the ability to execute arbitrary commands on the operating system.
CVE-2024-0521HIGHCVSS 7.8EG 7.8✓ Fixed in 2.6.0
2024-01-20
vulnerable: 1.8.5 ... 2.5.2 (22 versions)
Code Injection in paddlepaddle/paddle
CVE-2024-0815HIGHCVSS 8.8EG 8.8
2024-03-07
vulnerable: 1.8.5 ... 2.6.0 (12 versions)
Command injection in paddle.utils.download._wget_download (bypass filter) in paddlepaddle/paddle 2.6.0
CVE-2024-0817HIGHCVSS 7.8EG 7.8
2024-03-07
vulnerable: 1.8.5 ... 2.6.0 (12 versions)
Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0
CVE-2024-0818CRITICALCVSS 9.1EG 9.1
2024-03-07
vulnerable: 1.8.5 ... 2.6.0 (10 versions)
Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle before 2.6
CVE-2024-0917CRITICALCVSS 9.8EG 9.8
2024-03-07
vulnerable: 1.8.5 ... 2.6.0 (12 versions)
remote code execution in paddlepaddle/paddle 2.6.0
CVE-2024-1603HIGHCVSS 7.5EG 7.5
2024-03-23
vulnerable: 1.8.5 ... 2.6.0 (10 versions)
paddlepaddle/paddle 2.6.0 allows arbitrary file read via paddle.vision.ops.read_file.

Check whether paddlepaddle is used in your infrastructure

EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for paddlepaddle CVEs against the assets you own.

Start Free Scan →