An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,921 Total Advisories
1,822 With Dependabot PRs
3,520 Critical Severity
8,659 High Severity

dbt allows Binding to an Unrestricted IP Address via socketsocket
GHSA-pmrx-695r-4349 CVE-2024-36105 MODERATE over 1 year ago
### Summary Binding to `INADDR_ANY (0.0.0.0)` or `IN6ADDR_ANY (::)` exposes an application on all network interfaces, increasing the risk of unaut...
pypi
No PRs yet
Mocodo vulnerable to SQL injection in `/web/generate.php`
GHSA-j6cv-98jx-mrwr CVE-2024-35374 CRITICAL over 1 year ago
Mocodo Mocodo Online 4.2.6 and below does not properly sanitize the `sql_case` input field in `/web/generate.php`, allowing remote attackers to exe...
pypi
No PRs yet
jupyter-scheduler's endpoint is missing authentication
GHSA-v9g2-g7j4-4jxc CVE-2024-28188 MODERATE over 1 year ago
### Impact `jupyter_scheduler` is missing an authentication check in Jupyter Server on an API endpoint (`GET /scheduler/runtime_environments`) whi...
pypi
No PRs yet
vantage6 collaboration admins can extend their influence by expanding the collaboration
GHSA-99r4-cjp4-3hmx CVE-2024-32969 LOW over 1 year ago
### Impact Collaboration administrators can add extra organizations to their collaboration. When doing that, they extend their influence: for insta...
pypi
No PRs yet
NASA AIT-Core vulnerable to remote code execution
GHSA-jqff-8g2v-642h CVE-2024-35059 CRITICAL over 1 year ago
An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands.
pypi
No PRs yet
NASA AIT-Core uses unencrypted channels to exchange data over the network
GHSA-qv6x-53jj-vw59 CVE-2024-35061 HIGH over 1 year ago
NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middl...
pypi
No PRs yet
NASA AIT-Core vulnerable to remote code execution
GHSA-4gxj-5mmr-7pxq CVE-2024-35058 CRITICAL over 1 year ago
An issue in the API wait function of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via supplying a crafted string.
pypi
No PRs yet
NASA AIT-Core vulnerable to remote code execution
GHSA-jf28-v5f6-cvpr CVE-2024-35057 CRITICAL over 1 year ago
An issue in NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via a crafted packet.
pypi
No PRs yet
NASA AIT-Core vulnerable to SQL Injection
GHSA-gpgj-xrgw-8mx2 CVE-2024-35056 CRITICAL over 1 year ago
NASA AIT-Core v2.5.2 was discovered to contain multiple SQL injection vulnerabilities via the `query_packets` and `insert` functions.
pypi
No PRs yet
PyMySQL SQL Injection vulnerability
GHSA-v9hf-5j83-6xpp CVE-2024-36039 CRITICAL over 1 year ago
PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by `escape_dict`.
pypi
118 Dependabot PRs, 17% Merged
Gradio applications running locally vulnerable to 3rd party websites accessing routes and uploading files
GHSA-48cq-79qq-6f7x CVE-2024-1727 MODERATE over 1 year ago
### Impact This CVE covers the ability of 3rd party websites to access routes and upload files to users running Gradio applications locally. For e...
pypi
No PRs yet
OMERO.web must check that the JSONP callback is a valid function
GHSA-vr85-5pwx-c6gq CVE-2024-35180 MODERATE over 1 year ago
### Background There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that hav...
pypi
No PRs yet
Requests `Session` object does not verify requests after making first request with verify=False
GHSA-9wx4-h78v-vm56 CVE-2024-35195 MODERATE over 1 year ago
When making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent re...
pypi
7208 Dependabot PRs, 20% Merged
aiosmtpd STARTTLS unencrypted commands injection
GHSA-wgjv-9j3q-jhg8 CVE-2024-34083 MODERATE over 1 year ago
### Summary Servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted con...
pypi
No PRs yet
litellm passes untrusted data to `eval` function without sanitization
GHSA-7ggm-4rjg-594w CVE-2024-4264 HIGH over 1 year ago
A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the ...
pypi
No PRs yet
ConsoleMe has an Arbitrary File Read Vulnerability via Limited Git command
GHSA-3783-62vc-jr7x CVE-2024-5023 CRITICAL over 1 year ago
## ID: NFLX-2024-002 ### Impact Authenticated users can achieve limited RCE in ConsoleMe, restricted to flag inputs on a single CLI command. Due t...
pypi
No PRs yet
RunGptLLM class in LlamaIndex has a command injection
GHSA-pw38-xv9x-h8ch CVE-2024-4181 HIGH over 1 year ago
A command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the RunGpt framework from JinaA...
pypi
7 Dependabot PRs, 28% Merged
MLflow has a Local File Read/Path Traversal bypass
GHSA-rfqq-wq6w-72jm CVE-2024-3848 HIGH over 1 year ago
A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulne...
pypi
No PRs yet
LoLLMS Command Injection vulnerability
GHSA-pwc9-q4hj-pg8g CVE-2024-4078 HIGH over 1 year ago
A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient ...
pypi
No PRs yet
MLflow allows low privilege users to delete any artifact
GHSA-p4jx-q62p-x5jr CVE-2024-4263 MODERATE over 1 year ago
A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an ex...
pypi
No PRs yet
Scrapy allows redirect following in protocols other than HTTP
GHSA-23j4-mw76-5v7h MODERATE over 1 year ago
### Impact Scrapy was following redirects regardless of the URL protocol, so redirects were working for `data://`, `file://`, `ftp://`, `s3://`, a...
pypi
28 Dependabot PRs, 14% Merged
Scrapy's redirects ignoring scheme-specific proxy settings
GHSA-jm3v-qxmh-hxwv MODERATE over 1 year ago
### Impact When using system proxy settings, which are scheme-specific (i.e. specific to `http://` or `https://` URLs), Scrapy was not accounting ...
pypi
28 Dependabot PRs, 14% Merged
Scrapy leaks the authorization header on same-domain but cross-origin redirects
GHSA-4qqq-9vqf-3h3f CVE-2024-1968 MODERATE over 1 year ago
### Impact Since version 2.11.1, Scrapy drops the `Authorization` header when a request is redirected to a different domain. However, it keeps the...
pypi
28 Dependabot PRs, 14% Merged
OctoPrint has an Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled
GHSA-2vjq-hg5w-5gm7 CVE-2024-32977 HIGH over 1 year ago
### Impact OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass t...
pypi
No PRs yet
Apache Airflow: XSS vulnerability in Task Instance Log/Log Details
GHSA-52gm-qmg3-r4qp CVE-2024-32077 MODERATE over 1 year ago
Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs. Users...
pypi
No PRs yet
Nautobot's BANNER_* configuration can be used to inject arbitrary HTML content into Nautobot pages
GHSA-r2hr-4v48-fjv3 CVE-2024-34707 HIGH over 1 year ago
### Impact A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `...
pypi
No PRs yet
llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata
GHSA-56xg-wfcc-g829 CVE-2024-34359 CRITICAL over 1 year ago
## Description `llama-cpp-python` depends on class `Llama` in `llama.py` to load `.gguf` llama.cpp or Latency Machine Learning Models. The `__init...
pypi
72 Dependabot PRs, 23% Merged
Malicious Long Unicode filenames may cause a Multiple Application-level Denial of Service
GHSA-w4h6-9wrp-v5jq CVE-2024-32874 CRITICAL over 1 year ago
**Important: Exploiting this vulnerability requires the attacker to have access to your Frigate instance, which means they could also just delete a...
pypi
No PRs yet
Apache Superset Incorrect Authorization vulnerability
GHSA-299q-3p96-5898 CVE-2024-28148 MODERATE over 1 year ago
An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request....
pypi
No PRs yet
Arbitrary HTML present after sanitization because of unicode normalization
GHSA-wvhx-q427-fgh3 CVE-2024-34078 HIGH over 1 year ago
### Impact If using `keep_typographic_whitespace=False` (which is the default), the sanitizer normalizes unicode to the NFKC form at the end. Some...
pypi
No PRs yet
Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
GHSA-2g68-c3qc-8985 CVE-2024-34069 HIGH over 1 year ago
The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This require...
pypi
849 Dependabot PRs, 15% Merged
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
GHSA-h75v-3vvj-5mfj CVE-2024-34064 MODERATE over 1 year ago
The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`...
pypi
1493 Dependabot PRs, 16% Merged
Litestar and Starlite vulnerable to Path Traversal
GHSA-83pv-qr33-2vcf CVE-2024-32982 HIGH over 1 year ago
# Summary **Local File Inclusion via Path Traversal in LiteStar Static File Serving** A Local File Inclusion (LFI) vulnerability has been discover...
pypi
No PRs yet
WordOps has TOCTOU race condition
GHSA-23qq-p4gq-gc2g CVE-2024-34528 MODERATE over 1 year ago
WordOps through 3.20.0 has a `wo/cli/plugins/stack_pref.py` TOCTOU race condition because the `conf_path` `os.open` does not use a mode parameter d...
pypi
No PRs yet
Nebari prints temporary Keycloak root password
GHSA-vjc4-3vgx-pq9h CVE-2024-34529 MODERATE over 1 year ago
Nebari through 2024.4.1 prints the temporary Keycloak root password.
pypi
No PRs yet
Gradio's Component Server does not properly consider `_is_server_fn` for functions
GHSA-34rf-p3r3-58x2 CVE-2024-34511 MODERATE over 1 year ago
Component Server in Gradio before 4.13 does not properly consider `_is_server_fn` for functions.
pypi
No PRs yet
Gradio allows credential leakage on Windows
GHSA-rvfh-h6c7-fc3c CVE-2024-34510 HIGH over 1 year ago
Gradio before 4.20 allows credential leakage on Windows.
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-c7w6-33j3-j3mx CVE-2024-34484 MODERATE over 1 year ago
`OFPBucket` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `action.len=0`.
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-ffp9-pfq9-g2ww CVE-2024-34488 HIGH over 1 year ago
`OFPMultipartReply` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `b.length=0`.
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-7hmm-wg23-2w7m CVE-2024-34483 HIGH over 1 year ago
`OFPGroupDescStats` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `OFPBucket.len=0`.
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-m9vm-8mv9-v5v3 CVE-2024-34487 MODERATE over 1 year ago
`OFPFlowStats` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `inst.length=0`.
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-59p2-v62x-gxj8 CVE-2024-34489 HIGH over 1 year ago
`OFPHello` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `length=0`.
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-fgpw-cx3v-wj95 CVE-2024-34486 HIGH over 1 year ago
`OFPPacketQueue` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `OFPQueueProp.len=0`.
pypi
No PRs yet
sagemaker-python-sdk Command Injection vulnerability
GHSA-7pc3-pr3q-58vg CVE-2024-34073 HIGH over 1 year ago
### Impact The capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils` module before version 2.214.3 allows for p...
pypi
No PRs yet
sagemaker-python-sdk vulnerable to Deserialization of Untrusted Data
GHSA-wjvx-jhpj-r54r CVE-2024-34072 HIGH over 1 year ago
### Impact sagemaker.base_deserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is ...
pypi
No PRs yet
tqdm CLI arguments injection attack
GHSA-g7vv-2v7x-gj9p CVE-2024-34062 LOW over 1 year ago
### Impact Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrar...
pypi
478 Dependabot PRs, 17% Merged
LIEF obtain sensitive information via the name parameter
GHSA-377p-g8gr-5wpg CVE-2024-31636 LOW over 1 year ago
An issue in LIEF v.0.14.1 allows a local attacker to obtain sensitive information via the name parameter of the machd_reader.c component.
pypi
No PRs yet
changedetection.io Cross-site Scripting vulnerability
GHSA-pwgc-w4x9-gw67 CVE-2024-34061 MODERATE over 1 year ago
### Summary Input in parameter notification_urls is not processed resulting in javascript execution in the application ### Details changedetectio...
pypi
No PRs yet
aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
GHSA-5m98-qgg9-wh84 CVE-2024-30251 HIGH over 1 year ago
### Summary An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will ente...
pypi
No PRs yet
pgAdmin Cross-site Scripting vulnerability in /settings/store API response json payload
GHSA-xv64-8p4r-94gq CVE-2024-4216 HIGH over 1 year ago
pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malici...
pypi
No PRs yet