{"id":"PYSEC-2026-3441","details":"URL path injection via unencoded user-supplied identifiers vulnerability in Apache Gravitino.\n\nThis issue affects Apache Gravitino: from 1.0.0 before 1.2.1.\n\nUsers are recommended to upgrade to version 1.2.1, which fixes the issue.","aliases":["CVE-2026-41041"],"modified":"2026-07-14T10:45:07.639819905Z","published":"2026-07-13T10:16:28.803Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2026/07/13/1"},{"type":"ADVISORY","url":"https://lists.apache.org/thread/4dnwg1qzb2yns1fkfmq0z45vmwyzytgz"}],"affected":[{"package":{"name":"apache-gravitino","ecosystem":"PyPI","purl":"pkg:pypi/apache-gravitino"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.0.0"},{"fixed":"1.2.1"}]}],"versions":["1.0.0","1.0.1","1.0.1rc1","1.0.1rc2","1.1.0","1.1.0rc0","1.1.0rc1","1.1.0rc2","1.1.0rc3","1.1.0rc4","1.1.1","1.1.1rc1","1.1.1rc3","1.1.1rc4","1.2.0","1.2.0.dev0","1.2.0rc1","1.2.0rc10","1.2.0rc11","1.2.0rc2","1.2.0rc4","1.2.0rc5","1.2.0rc6","1.2.0rc7","1.2.0rc8","1.2.0rc9","1.2.1rc1","1.2.1rc2"],"ecosystem_specific":{},"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/apache-gravitino/PYSEC-2026-3441.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}