Pyspark
This hub aggregates every CVE we track for Pyspark, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 11
- Critical: 1
- High: 5
- In CISA KEV: 1
Severity distribution: HIGH 5, MEDIUM 5, CRITICAL 1
Monthly trend (2024-07 to 2026-06): one CVE published in the window; every other month shows zero.
Latest CVEs
The 11 most recently published vulnerabilities affecting Pyspark.
- CVE-2025-55039 (score 6.5): Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks
- CVE-2023-32007 (score 8.8): Apache Spark: Shell command injection via Spark UI
- CVE-2023-22946 (score 6.4): Apache Spark proxy-user privilege escalation from malicious configuration class
- CVE-2022-31777 (score 5.4): Apache Spark XSS vulnerability in log viewer UI JavaScript
- CVE-2022-33891 (score 8.8, in CISA KEV): Apache Spark shell command injection vulnerability via Spark UI
- CVE-2021-38296 (score 7.5): Apache Spark Key Negotiation Vulnerability
- CVE-2020-9480 (score 9.8): In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-cr...
- CVE-2019-10099 (score 7.5): Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (co...
- CVE-2018-11760 (score 5.5): When using PySpark, it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2....
- CVE-2018-1334 (score 4.7): In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using PySpark or SparkR, it's possible for a different local user to connect to the Spark application and impersonate the user runnin...
- CVE-2017-12612 (score 7.8): In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentia...
Product normalization is registry-driven with AI assist and human review.