An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total advisories: 24,921
With Dependabot PRs: 1,820
Critical severity: 3,520
High severity: 8,659

Authentication bypass in dtale
GHSA-v9q6-fm48-rx74 CVE-2024-3408 HIGH over 1 year ago
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vuln...
pypi
No PRs yet
SQL injection in litellm
GHSA-h6m6-jj8v-94jj CVE-2024-5225 MODERATE over 1 year ago
An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` endpoint. The vulnerability a...
pypi
No PRs yet
onnx allows Arbitrary File Overwrite in download_model_with_test_data
GHSA-6rq9-53c3-f7vj CVE-2024-5187 HIGH over 1 year ago
A vulnerability in the `download_model_with_test_data` function of the onnx/onnx framework, versions before 1.16.2, allows for arbitrary file overwr...
pypi
No PRs yet
LoLLMS Path Traversal vulnerability
GHSA-p8h7-c8gw-6x8c CVE-2024-4881 HIGH over 1 year ago
A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions, but fixed in ve...
pypi
No PRs yet
scikit-learn sensitive data leakage vulnerability
GHSA-jw8x-6495-233v CVE-2024-5206 MODERATE over 1 year ago
A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, ...
pypi
No PRs yet
Arbitrary system path lookup in h2o
GHSA-x234-r5fg-x52m CVE-2024-5550 MODERATE over 1 year ago
In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vul...
pypi
No PRs yet
Arbitrary file deletion in litellm
GHSA-3xr8-qfvj-9p9j CVE-2024-4888 HIGH over 1 year ago
BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the `/audio/transcriptions` ...
pypi
No PRs yet
SQL injection in litellm
GHSA-8j42-pcfm-3467 CVE-2024-4890 MODERATE over 1 year ago
A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability ar...
pypi
5 Dependabot PRs, 20% merged
Undefined Behavior in mlflow
GHSA-8f8q-q2j7-7j2m CVE-2024-3099 MODERATE over 1 year ago
A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw...
pypi
No PRs yet
Cross site scripting in zenml
GHSA-vwgf-7f9h-h499 CVE-2024-2171 LOW over 1 year ago
A stored Cross-Site Scripting (XSS) vulnerability was identified in the zenml-io/zenml repository, specifically within the 'logo_url' field. By inj...
pypi
No PRs yet
Race condition in zenml
GHSA-c546-8jmq-hprj CVE-2024-2032 LOW over 1 year ago
A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with t...
pypi
No PRs yet
Improper authorization in zenml
GHSA-9x88-4jg8-4vf7 CVE-2024-2035 MODERATE over 1 year ago
An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vu...
pypi
No PRs yet
Local File Inclusion in mlflow
GHSA-j46q-5pxx-8vmw CVE-2024-2928 HIGH over 1 year ago
A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This ...
pypi
No PRs yet
Server-Side Request Forgery in langchain-community.retrievers.web_research.WebResearchRetriever
GHSA-q25c-c977-4cmh CVE-2024-3095 MODERATE over 1 year ago
A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component in langchain-community (langchain-community.retri...
pypi
35 Dependabot PRs, 9% merged
Denial of service in langchain-community
GHSA-3hjh-jh2h-vrg6 CVE-2024-2965 MODERATE over 1 year ago
Denial of service in `SitemapLoader` Document Loader in the `langchain-community` package, affecting versions below 0.2.5. The `parse_sitemap` meth...
pypi
3 Dependabot PRs, 33% merged
Improper authentication in zenml
GHSA-j527-v579-m98h CVE-2024-2213 LOW over 1 year ago
An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access t...
pypi
No PRs yet
Clickjacking in zenml
GHSA-mq73-g4qr-fgcq CVE-2024-2383 MODERATE over 1 year ago
A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Fra...
pypi
No PRs yet
Remote code execution in mlflow
GHSA-5q6c-ffvg-xcm9 CVE-2024-0520 CRITICAL over 1 year ago
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS co...
pypi
No PRs yet
Jupyter server on Windows discloses Windows user password hash
GHSA-hrw6-wg82-cm62 CVE-2024-35178 HIGH over 1 year ago
Summary: Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user ru...
pypi
No PRs yet
Local file inclusion in gradio
GHSA-6v6g-j5fq-hpvw CVE-2024-4941 HIGH over 1 year ago
A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio and was discovered in version 4.25. The vulnerability arises...
pypi
No PRs yet
Remote code execution in pytorch lightning
GHSA-cgwc-qvrx-rf7f CVE-2024-5452 CRITICAL over 1 year ago
A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserial...
pypi
No PRs yet
Server-Side Request Forgery in gradio
GHSA-973g-55hp-3frw CVE-2024-4325 HIGH over 1 year ago
A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio and was discovered in version 4.21.0, specifically within the `/...
pypi
No PRs yet
Observable Timing Discrepancy in pypqc
GHSA-hvh4-5qr6-3v7r HIGH over 1 year ago
Impact: `kyber512`, `kyber768`, and `kyber1024` on Mac OS (or when compiled with clang) only: An attacker able to submit many decapsulation re...
pypi
No PRs yet
PyMongo Out-of-bounds Read in the bson module
GHSA-m87m-mmvp-v9qm CVE-2024-5629 MODERATE over 1 year ago
Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could ...
pypi
No PRs yet
Arbitrary JavaScript execution due to using outdated libraries
GHSA-4m3g-6r7g-jv4f LOW over 1 year ago
Summary: gradio-pdf projects with dependencies on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript executio...
pypi
No PRs yet
Skops unsafe deserialization
GHSA-q49c-6v6g-wgq3 CVE-2024-37065 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbit...
pypi
No PRs yet
ydata unsafe deserialization
GHSA-cg49-hrj4-3rpr CVE-2024-37064 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously craft...
pypi
No PRs yet
MLFlow improper input validation
GHSA-pqcv-qw2r-r859 CVE-2024-37061 HIGH over 1 year ago
Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to exe...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-cv6c-7963-wxcg CVE-2024-37060 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Reci...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-cwgg-w6mp-w9hg CVE-2024-37058 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Lang...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-j8mg-pqc5-x9gj CVE-2024-37057 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded T...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-wf7f-8fxf-xfxc CVE-2024-37059 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTo...
pypi
No PRs yet
ydata unsafe deserialization
GHSA-fpvj-m2h6-6wc5 CVE-2024-37062 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafte...
pypi
No PRs yet
ydata cross-site scripting
GHSA-2r57-2mrh-ggjv CVE-2024-37063 HIGH over 1 year ago
A cross-site scripting (XSS) vulnerability in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library allows for payloads to be run ...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-43c4-9qgj-x742 CVE-2024-37053 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scik...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-76cg-cfhx-373f CVE-2024-37052 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scik...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-7p8j-qv6x-f4g4 CVE-2024-37056 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded Lig...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-x38x-g6gr-jqff CVE-2024-37055 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmd...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-ghv6-9r9j-wh4j CVE-2024-37054 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFu...
pypi
No PRs yet
qdrant input validation failure
GHSA-7m75-x27w-r52r CVE-2024-3829 CRITICAL over 1 year ago
qdrant/qdrant version 1.9.0-dev is vulnerable to arbitrary file read and write during the snapshot recovery process. Attackers can exploit this vul...
pypi
No PRs yet
path traversal vulnerability was identified in the parisneo/lollms-webui
GHSA-9p73-x86v-jw57 CVE-2024-4330 MODERATE over 1 year ago
A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulnerability arises du...
pypi
No PRs yet
code injection vulnerability exists in the huggingface/text-generation-inference repository
GHSA-qq99-p57r-g3v7 CVE-2024-3924 MODERATE over 1 year ago
A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file...
pypi
No PRs yet
Improper Handling of Insufficient Permissions in `wagtail.contrib.settings`
GHSA-xxfm-vmcf-g33f CVE-2024-35228 MODERATE over 1 year ago
Impact: Due to an improperly applied permission check in the `wagtail.contrib.settings` module, a user with access to the Wagtail admin and know...
pypi
1 Dependabot PR
Slack integration leaks sensitive information in logs
GHSA-c2g2-gx4j-rj3j CVE-2024-35196 LOW over 1 year ago
Impact: Sentry's Slack integration incorrectly records the incoming request body in logs. This request data can contain sensitive information, i...
pypi
No PRs yet
Sensitive Data Disclosure Vulnerability in Connection Configuration Endpoints
GHSA-rcvg-jj3g-rj7c CVE-2024-35189 MODERATE over 1 year ago
The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain se...
pypi
No PRs yet
Vanna prompt injection code execution
GHSA-7735-w2jp-gvg6 CVE-2024-5565 CRITICAL over 1 year ago
The Vanna library uses a prompt function to present the user with visualized results; it is possible to alter the prompt using prompt injection and...
pypi
No PRs yet
Nautobot dynamic-group-members doesn't enforce permission restrictions on member objects
GHSA-qmjf-wc2h-6x3q CVE-2024-36112 MODERATE over 1 year ago
Impact: A user with permissions to view Dynamic Group records (`extras.view_dynamicgroup` ...
pypi
1 Dependabot PR
Fides Webserver Logs Hosted Database Password Partial Exposure Vulnerability
GHSA-8cm5-jfj2-26q7 CVE-2024-34715 LOW over 1 year ago
The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the w...
pypi
No PRs yet
ansibleguy-webui Cross-site Scripting vulnerability
GHSA-927p-xrc2-x2gj CVE-2024-36110 HIGH over 1 year ago
Impact: Multiple forms in version <0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thu...
pypi
No PRs yet
rockhopper Buffer Overflow vulnerability
GHSA-4r4c-66gf-g9g5 CVE-2022-4969 MODERATE over 1 year ago
A vulnerability, which was classified as critical, has been found in bwoodsend rockhopper up to 0.1.2. Affected by this issue is the function `coun...
pypi
No PRs yet