Vulnerability
Malicious code in saas-common-lib-473815 (PyPI)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (0142a19ba91410cc19470321caba04aa48633df937b0ed66439cccf31877a333) utils/send_email_otp.py exposes otpEmailService(to_email, email_body), which authenticates to smtp.gmail.com using a hardcoded sender address (magizhchisk@gmail.com) and a hardcoded Gmail App Password, then calls server.send_message on a message whose From: is the author and To: is the caller-supplied recipient with caller-supplied body. Any application that imports this helper sends OTP/notification email FROM the author's personal Gmail account through author-controlled infrastructure, with no way for the caller to supply their own SMTP credentials. The recipient address and message body — installer-side data — are silently routed through the author's mailbox. Additionally, the App Password is redistributed to every installer, so anyone who installs the package can log into the author's Gmail and impersonate the sender to all prior OTP recipients. A secondary issue in utils/auth.py hardcodes SECRET_KEY = "nsn" for HS256 JWT signing; any deployment using create_access_token/verify_token from this library will issue forgeable tokens since the signing key is shipped publicly.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence