https://thegriffyn.me/blog Cybersecurity blog by Hamza Haroon - penetration testing write-ups, CTF solutions, CVEs, digital forensics, and threat intelligence research. en-us hamzaharooon@protonmail.com (Hamza Haroon) hamzaharooon@protonmail.com (Hamza Haroon) Fri, 19 Jun 2026 00:00:00 GMT https://thegriffyn.me/blog/oss/twelve-cves-in-datamodel-code-generator https://thegriffyn.me/blog/oss/twelve-cves-in-datamodel-code-generator datamodel-code-generator, a Python code generator pulling roughly 14.5 million downloads a month on PyPI, shipped twelve CVEs: code injection and code execution on import, SSRF, and arbitrary local file read. Seven came from reading the source. Five more came from bypassing the fixes. Here is how an attacker-controlled schema turns a model generator into remote code execution, and why patching a sink is not the same as patching a class. Fri, 19 Jun 2026 00:00:00 GMT hamzaharooon@protonmail.com (Hamza Haroon) securitysupply-chainrcecode-injectionssrfpath-traversalpythoncve