SCA: security update for epyt-flow (GHSA-74vm-8frp-7w68)

critical Tenable Self-Hosted Container Security Plugin ID 437541

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario
data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON
request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is
present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with
attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can
lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This
vulnerability is fixed in 0.16.1. (CVE-2026-25632)

See Also

https://github.com/advisories/GHSA-74vm-8frp-7w68

Plugin Details

Severity: Critical

ID: 437541

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 2/5/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.78

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-25632

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/4/2026

Vulnerability Publication Date: 2/4/2026

Reference Information

CVE: CVE-2026-25632

cwe: CWE-502