Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

RSS Feed

24,784

Total Advisories

1,790

With Dependabot PRs

3,506

Critical Severity

8,617

High Severity

Clear All Filters
uv allows ZIP payload obfuscation through parsing differentials
GHSA-pqhf-p39g-3x64 MODERATE 28 days ago
### Impact In versions 0.9.5 and earlier of uv, ZIP archives were handled in a manner that enabled two parsing differentials against other compone...
pypi
3
Dependabot PRs
CKAN vulnerable to fixed session IDs
GHSA-2hvh-cw5c-8q8q CVE-2025-64100 MODERATE 28 days ago
### Impact Session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session st...
pypi
No PRs yet
MLflow Weak Password Requirements Authentication Bypass Vulnerability
GHSA-6xj8-rrqx-r4cv CVE-2025-11200 HIGH 28 days ago
MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affec...
pypi
No PRs yet
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability
GHSA-5cvj-7rg6-jggj CVE-2025-11201 HIGH 28 days ago
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execut...
pypi
No PRs yet
FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name
GHSA-rj5c-58rq-j5g5 CVE-2025-62801 MODERATE 28 days ago
### Summary A command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on ...
pypi
No PRs yet
FastMCP vulnerable to reflected XSS in client's callback page
GHSA-mxxr-jv3v-6pgc CVE-2025-62800 MODERATE 28 days ago
### Summary While setting up an oauth client, it was noticed that the callback page hosted by the client during the flow embeds user-controlled con...
pypi
No PRs yet
FastMCP Auth Integration Allows for Confused Deputy Account Takeover
GHSA-c2jp-c369-7pvx HIGH 28 days ago
### Summary FastMCP documentation [covers the scenario](https://gofastmcp.com/integrations/azure) where it is possible to use Entra ID or other pr...
pypi
No PRs yet
CKAN vulnerable to stored XSS in resource description
GHSA-2r4h-8jxv-w2j8 CVE-2025-54384 MODERATE 28 days ago
### Impact The `helpers.markdown_extract()` function did not perform sufficient sanitization of input data before wrapping in an HTML literal elem...
pypi
No PRs yet
Keras is vulnerable to arbitrary local file loading and Server-Side Request Forgery
GHSA-mq84-hjqx-cwf2 CVE-2025-12058 MODERATE 29 days ago
The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local f...
pypi
No PRs yet
Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``
GHSA-7f5h-v6xp-fcq8 CVE-2025-62727 HIGH 29 days ago
### Summary An unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's `FileResponse` ...
pypi
19
Dependabot PRs
BBOT's gitlab.py exposes globally configured "gitlab" API key
GHSA-p3v4-c93g-cmhw CVE-2025-10282 MODERATE about 1 month ago
### Summary bbot's `gitlab.py` sends the user's "gitlab" API key to on-premise GitLab instances. If a user has configured a gitlab.com API key us...
pypi
No PRs yet
pg8000 SQL injection vulnerability via a specially crafted Python list input
GHSA-wq2g-r956-j8cc CVE-2025-61385 HIGH about 1 month ago
SQL injection vulnerability in tlocke pg8000 1.31.4 allows remote attackers to execute arbitrary SQL commands via a specially crafted Python list i...
pypi
No PRs yet
LangGraph's SQLite store implementation has a SQL Injection Vulnerability
GHSA-4h97-wpxp-3757 CVE-2025-8709 HIGH about 1 month ago
A SQL injection vulnerability exists in the langchain-ai/langgraph repository, specifically in the LangGraph's SQLite store implementation. The aff...
pypi
No PRs yet
pypdf can exhaust RAM via manipulated LZWDecode streams
GHSA-jfx9-29x2-rv3j CVE-2025-62708 MODERATE about 1 month ago
### Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of ...
pypi
No PRs yet
pypdf possibly loops infinitely when reading DCT inline images without EOF marker
GHSA-vr63-x8vc-m265 CVE-2025-62707 MODERATE about 1 month ago
### Impact An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a ...
pypi
2
Dependabot PRs
aiomysql allows arbitrary access to client files through vulnerability of a malicious MySQL server
GHSA-r397-ff8c-wv2g CVE-2025-62611 HIGH about 1 month ago
### Summary The client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the cl...
pypi
1
Dependabot PRs
Scapy Session Loading Vulnerable to Arbitrary Code Execution via Untrusted Pickle Deserialization
GHSA-cq46-m9x9-j8w2 MODERATE about 1 month ago
### Summary An unsafe deserialization vulnerability in Scapy <v2.7.0 allows attackers to execute arbitrary code **when a malicious session file is...
pypi
No PRs yet
Hugging Face Smolagents XPath injection vulnerability in the search_item_ctrl_f function
GHSA-8mf9-rmgw-33qc CVE-2025-11844 MODERATE about 1 month ago
Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/visio...
pypi
No PRs yet
Nautobot Single Source of Truth (SSoT) has an unauthenticated ServiceNow configuration URL
GHSA-535g-62r7-cx6v CVE-2025-62607 MODERATE about 1 month ago
The servicenow config URL is using a generic django View with no authentication. URL: `/plugins/ssot/servicenow/config/` ### Impact _What kind of...
pypi
No PRs yet
uv has differential in tar extraction with PAX headers
GHSA-w476-p2h3-79g9 LOW about 1 month ago
### Impact In versions 0.9.4 and earlier of uv, tar archives containing PAX headers with file size overrides were not handled properly. As a resul...
pypi
No PRs yet
Taguette vulnerable to cross-site scripting via tag name, tag description, document name and document description
GHSA-g9qw-g6rv-3889 CVE-2025-62528 MODERATE about 1 month ago
### Impact An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or desc...
pypi
No PRs yet
Taguette password reset link poisoning
GHSA-7rc8-5c8q-jr6j CVE-2025-62527 HIGH about 1 month ago
### Impact An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email contai...
pypi
No PRs yet
Keras framework vulnerable to deserialization of untrusted data
GHSA-cvhh-q5g5-qprp CVE-2025-49655 CRITICAL about 1 month ago
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a m...
pypi
No PRs yet
pyquokka is Vulnerable to Remote Code Execution by Pickle Deserialization via FlightServer
GHSA-f74j-gffq-vm9p CVE-2025-62515 CRITICAL about 1 month ago
### Description In the FlightServer class of the pyquokka framework, the do_action() method directly uses pickle.loads() to deserialize action bod...
pypi
No PRs yet
Mammoth is vulnerable to Directory Traversal
GHSA-rmjr-87wv-gf87 CVE-2025-11849 MODERATE about 1 month ago
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the packa...
maven npm nuget +1 more
No PRs yet
reflex-dev/reflex has an Open Redirect vulnerability
GHSA-rfh5-c9h5-q8jm CVE-2025-62379 LOW about 1 month ago
### Mitigation Make sure `GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN` is not set in a production environment. So the following is correct: ``` asse...
pypi
No PRs yet
Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name
GHSA-mq77-rv97-285m CVE-2025-62172 HIGH about 1 month ago
### Summary An authenticated party can add a malicious name to the Energy entity, allowing for Cross-Site Scripting attacks against anyone who can ...
pypi
No PRs yet
llama-index has Insecure Temporary File
GHSA-rg9h-vx28-xxp5 CVE-2025-7707 HIGH about 1 month ago
The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi...
pypi
No PRs yet
Authlib : JWE zip=DEF decompression bomb enables DoS
GHSA-g7f3-828f-7h7m CVE-2025-62706 MODERATE about 2 months ago
### Summary _Authlib’s JWE `zip=DEF` path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of meg...
pypi
4
Dependabot PRs
python-ldap is Vulnerable to Improper Encoding or Escaping of Output and Improper Null Termination
GHSA-p34h-wq7j-h5v6 CVE-2025-61912 MODERATE about 2 months ago
### Summary `ldap.dn.escape_dn_chars()` escapes `\x00` incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514...
pypi
No PRs yet
python-ldap has sanitization bypass in ldap.filter.escape_filter_chars
GHSA-r7r6-cc7p-4v5m CVE-2025-61911 MODERATE about 2 months ago
### Summary The sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of special characters when a crafted `list` o...
pypi
No PRs yet
Authlib is vulnerable to Denial of Service via Oversized JOSE Segments
GHSA-pq5p-34cr-23v9 CVE-2025-61920 HIGH about 2 months ago
**Summary** Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64...
pypi
9
Dependabot PRs
BBOT's insufficient sanitization issues in gitdumper.py can lead to RCE
GHSA-h6m2-r6h9-4c44 CVE-2025-10283 CRITICAL about 2 months ago
### Summary bbot's `gitdumper.py` insufficiently sanitises a `.git/config` file, leading to Remote Code Execution (RCE). bbot's `gitdumper.py` ca...
pypi
No PRs yet
BBOT's git_clone.py can expose users' GitHub API keys to an attacker-controlled webserver
GHSA-63wh-p5fx-h4vc CVE-2025-10281 MODERATE about 2 months ago
### Summary Due to unsafe URL handling, bbot's `git_clone.py` can be made to leak a user's github.com API key to an attacker-controlled webserver....
pypi
No PRs yet
BBOT's various issues in unarchive.py can cause arbitrary file write and RCE
GHSA-fhw8-8v9p-7jp7 CVE-2025-10284 CRITICAL about 2 months ago
### Summary Various issues in bbot's `unarchive.py` allow a malicious site to cause bbot to write arbitrary files to arbitrary locations. This can...
pypi
No PRs yet
Python Social Auth - Django has unsafe account association
GHSA-wv4w-6qv2-qqfg CVE-2025-61783 MODERATE about 2 months ago
### Impact Upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead...
pypi
4
Dependabot PRs
25%
Merged
pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters
GHSA-cjjf-27cc-pvmv CVE-2025-61773 HIGH about 2 months ago
### Summary pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. ...
pypi
No PRs yet
scio is vunerable to Remote Command Execution through PyTorch
GHSA-m9mp-6x32-5rhg CRITICAL about 2 months ago
### Impact PyTorch reported a [**critical** vulnerability](https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6) when using `...
pypi
No PRs yet
Synapse's invalid device keys degrade federation functionality
GHSA-fh66-fcv5-jjfr CVE-2025-61672 MODERATE about 2 months ago
### Impact Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserv...
pypi
No PRs yet
vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class
GHSA-3f6c-7fw2-ppm4 CVE-2025-6242 HIGH about 2 months ago
### Summary A Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature s...
pypi
No PRs yet
LLaMA Factory's Chat API Contains Critical SSRF and LFI Vulnerabilities
GHSA-527m-2xhr-j27g CVE-2025-61784 HIGH about 2 months ago
## Summary ## A Server-Side Request Forgery (SSRF) vulnerability in the chat API allows any authenticated user to force the server to make arbitra...
pypi
No PRs yet
vLLM: Resource-Exhaustion (DoS) through Malicious Jinja Template in OpenAI-Compatible Server
GHSA-6fvq-23cw-5628 CVE-2025-61620 MODERATE about 2 months ago
### Summary A resource-exhaustion (denial-of-service) vulnerability exists in multiple endpoints of the OpenAI-Compatible Server due to the abilit...
pypi
No PRs yet
vLLM is vulnerable to timing attack at bearer auth
GHSA-wr9h-g72x-mwhm CVE-2025-59425 HIGH about 2 months ago
### Summary The API key support in vLLM performed validation using a method that was vulnerable to a timing attack. This could potentially allow an...
pypi
No PRs yet
python-socketio vulnerable to arbitrary Python code execution (RCE) through malicious pickle deserialization in certain multi-server deployments
GHSA-g8c6-8fjj-2r4m CVE-2025-61765 MODERATE about 2 months ago
### Summary A remote code execution vulnerability in python-socketio versions prior to 5.14.0 allows attackers to execute arbitrary Python code thr...
pypi
No PRs yet
Litestar X-Forwarded-For Header Spoofing Vulnerability Enables Rate Limit Evasion
GHSA-hm36-ffrh-c77c CVE-2025-59152 HIGH about 2 months ago
While testing Litestar's RateLimitMiddleware, I discovered that rate limits can be completely bypassed by manipulating the X-Forwarded-For header. ...
pypi
No PRs yet
LangChain Text Splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing
GHSA-m42m-m8cr-8m58 CVE-2025-6985 HIGH about 2 months ago
The HTMLSectionSplitter class in langchain-text-splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing. This vulne...
pypi
No PRs yet
clearml is vulnerable to Path Traversal through its `safe_extract` function
GHSA-579p-qf78-fqm2 CVE-2025-8917 MODERATE about 2 months ago
A vulnerability in clearml versions before 2.0.2 allows for path traversal due to improper handling of symbolic and hard links in the `safe_extract...
pypi
No PRs yet
ZenML is vulnerable to Path Traversal through its `PathMaterializer` class
GHSA-q92x-2x5g-h365 CVE-2025-8406 MODERATE about 2 months ago
ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_direct...
pypi
No PRs yet
NiceGUI has a Reflected XSS
GHSA-8c95-hpq2-w46f CVE-2025-53354 MODERATE about 2 months ago
### Summary A Cross-Site Scripting (XSS) risk exists in NiceGUI when developers render unescaped user input into the DOM using `ui.html()`. Before...
pypi
No PRs yet
DataChain Vulnerable to Deserialization of Untrusted Data from Environment Variables
GHSA-6px8-mr29-cj4r CVE-2025-61677 LOW about 2 months ago
The DataChain library reads serialized objects from environment variables (such as `DATACHAIN__METASTORE` and `DATACHAIN__WAREHOUSE`) in the `loade...
pypi
No PRs yet