Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total advisories: 24,921
With Dependabot PRs: 1,820
Critical severity: 3,520
High severity: 8,659
Gradio Local File Inclusion vulnerability
GHSA-3f95-mxq2-2f63 CVE-2024-1728 HIGH over 1 year ago
gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton compo...
pypi
No PRs yet
LiteLLM has Server-Side Template Injection vulnerability in /completions endpoint
GHSA-46cm-pfwv-cgf8 CVE-2024-2952 CRITICAL over 1 year ago
BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_...
pypi
No PRs yet
Transformers Deserialization of Untrusted Data vulnerability
GHSA-37q5-v5qm-c9v8 CVE-2024-3568 LOW over 1 year ago
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_chec...
pypi
No PRs yet
Aim Web API vulnerable to Remote Code Execution
GHSA-mxvw-cj37-8g2h CVE-2024-2195 CRITICAL over 1 year ago
A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` en...
pypi
No PRs yet
llama-index-core Prompt Injection vulnerability leading to Arbitrary Code Execution
GHSA-wvpx-g427-q9wc CVE-2024-3098 CRITICAL over 1 year ago
A vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eval` function, allowing for p...
pypi
No PRs yet
yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)
GHSA-hjq6-52gw-2g7p CVE-2024-22423 HIGH over 1 year ago
### Summary
The [patch that addressed CVE-2023-40581](https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e) attempted t...
pypi
1 Dependabot PR
DIRAC: Unauthorized users can read proxy contents during generation
GHSA-v6f3-gh5h-mqwx CVE-2024-29905 HIGH over 1 year ago
### Impact
During the proxy generation process (e.g., when using `dirac-proxy-init`) it is possible for unauthorized users on the same machine to ...
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-p28x-hj68-7vfp CVE-2024-28732 HIGH over 1 year ago
An issue was discovered in OFPMatch in parser.py in Faucet SDN Ryu version 4.34, allows remote attackers to cause a denial of service (DoS) (infini...
pypi
No PRs yet
pgAdmin Remote Code Execution (RCE) vulnerability
GHSA-27jx-ffw8-xrqv CVE-2024-3116 HIGH over 1 year ago
pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attacker...
pypi
No PRs yet
Mobile Security Framework (MobSF) vulnerable to SSRF in firebase database check
GHSA-wpff-wm84-x5cx CVE-2024-31215 MODERATE over 1 year ago
### Impact
SSRF vulnerability in firebase database check logic. The attacker can cause the ser...
pypi
No PRs yet
Voilà Local file inclusion
GHSA-2q59-h24c-w6fg CVE-2024-30265 HIGH over 1 year ago
### Impact
Any deployment of voilà dashboard allow local file inclusion, that is to say any file on a filesystem that is readable by the user that...
pypi
No PRs yet
Pillow buffer overflow vulnerability
GHSA-44wm-f244-xhp3 CVE-2024-28219 HIGH over 1 year ago
In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.
pypi
914 Dependabot PRs (20% merged)
Piccolo Admin's raw SVG loading may lead to complete data compromise from admin page
GHSA-pmww-v6c9-7p83 CVE-2024-30248 HIGH over 1 year ago
### Summary
Piccolo's admin panel provides the ability to upload media files and view them within the admin panel. If SVG is an allowed file type ...
pypi
No PRs yet
aliyundrive-webdav vulnerable to Command Injection
GHSA-73v2-rxqp-7q4f CVE-2024-29640 HIGH over 1 year ago
An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in ...
cargo, pypi
No PRs yet
Saleor: Customers' addresses leak when using Warehouse as a `Pickup: Local stock only` delivery method
GHSA-mrj3-f2h4-7w45 CVE-2024-29888 MODERATE over 1 year ago
### Summary
Using `Pickup: Local stock only` as a click-and-collect points could cause a leak of customer addresses
### Details
When using `Pickup...
pypi
No PRs yet
Cross site scripting (XSS) in JupyterHub via Self-XSS leveraged by Cookie Tossing
GHSA-7r3h-4ph8-w38g CVE-2024-28233 HIGH over 1 year ago
### Impact
Affected configurations:
- Single-origin JupyterHub deployments
- JupyterHub deployments with user-controlled applications running on ...
pypi
No PRs yet
Lektor does not sanitize database path traversal
GHSA-wv28-7fpw-fj49 CVE-2024-28335 CRITICAL over 1 year ago
Lektor before 3.3.11 does not sanitize DB path traversal. Thus, shell commands might be executed via a file that is added to the templates director...
pypi
No PRs yet
gradio Server-Side Request Forgery vulnerability
GHSA-r364-m2j9-mf4h CVE-2024-2206 HIGH over 1 year ago
An SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the `/proxy` route. Attackers can exp...
pypi
No PRs yet
Apache Airflow Improper Preservation of Permissions vulnerability
GHSA-cff3-5qrp-hqx7 CVE-2024-29735 MODERATE over 1 year ago
Improper Preservation of Permissions vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.8.2 through 2.8.3.
Airflow's local ...
pypi
No PRs yet
LangChain's XMLOutputParser vulnerable to XML Entity Expansion
GHSA-q84m-rmw3-4382 CVE-2024-1455 MODERATE over 1 year ago
The XMLOutputParser in LangChain uses the etree module from the XML parser in the standard python library which has some XML vulnerabilities; see: ...
pypi
No PRs yet
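The LangChain entry above boils down to one rule for any parser that is fed model-generated XML: never let the standard-library `xml.etree.ElementTree` see a DTD. Both "billion laughs" entity expansion and external-entity tricks need a `<!DOCTYPE ...>` or `<!ENTITY ...>` declaration, so refusing those up front removes the whole class. The example below is added here and is not code from LangChain, from any of the listed projects, or from this page; `parse_untrusted_xml`, `is_rejected` and the constructed `BILLION_LAUGHS` payload are hypothetical names, and the approach is the same forbid-DTD idea that `defusedxml` implements, done with only the standard library.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML declares a DTD or entities."""


def _reject_dtd(*_args):
    # expat calls this at '<!DOCTYPE ...>', before any entity can be expanded.
    raise UnsafeXML("DOCTYPE declarations are not allowed in untrusted XML")


def _reject_entity(*_args):
    # Defence in depth: also abort on any '<!ENTITY ...>' declaration.
    raise UnsafeXML("entity declarations are not allowed in untrusted XML")


def parse_untrusted_xml(text, max_bytes=1 << 20):
    """Parse XML from an untrusted source (e.g. LLM output) into an Element.

    The input size is capped first. A scan with a bare expat parser then
    aborts the moment a DOCTYPE or ENTITY declaration appears, so a
    "billion laughs" document never reaches the expansion stage. Only a
    document that passes both checks is handed to ElementTree.
    """
    data = text.encode("utf-8") if isinstance(text, str) else text
    if len(data) > max_bytes:
        raise UnsafeXML(f"document exceeds {max_bytes} bytes")
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _reject_dtd
    checker.EntityDeclHandler = _reject_entity
    try:
        checker.Parse(data, True)  # handlers raise UnsafeXML, which propagates
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    return ET.fromstring(data)


def is_rejected(text):
    """True if parse_untrusted_xml refuses the document as unsafe."""
    try:
        parse_untrusted_xml(text)
    except UnsafeXML:
        return True
    return False


# Constructed three-level entity-expansion payload (1000 copies of "lol" if
# it were ever expanded); kept deliberately small for the demonstration.
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<final_answer>&lol3;</final_answer>"""


if __name__ == "__main__":
    print(parse_untrusted_xml("<final_answer><step>1</step></final_answer>").tag)
    print("billion laughs rejected:", is_rejected(BILLION_LAUGHS))
```

Predefined entities such as `&lt;` need no declaration and still work, so ordinary model output is unaffected; the size cap is there because a document with no DTD can still be large enough to cost real memory.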
Unauthenticated views may expose information to anonymous users
GHSA-m732-wvh2-7cq4 CVE-2024-29199 LOW over 1 year ago
### Impact
A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users, including the following...
pypi
1 Dependabot PR
ansys-geometry-core OS Command Injection vulnerability
GHSA-38jr-29fh-w9vm CVE-2024-29189 HIGH over 1 year ago
subprocess call with shell=True identified, security issue.
#### Code
On file [src/ansys/geometry/core/connection/product_instance.py](https://gi...
pypi
No PRs yet
PaddlePaddle allows arbitrary file read via paddle.vision.ops.read_file
GHSA-jwrc-3v3f-5cq5 CVE-2024-1603 HIGH over 1 year ago
paddlepaddle/paddle 2.6.0 allows arbitrary file read via paddle.vision.ops.read_file.
pypi
No PRs yet
SSRF Vulnerability on assetlinks_check(act_name, well_knowns)
GHSA-wfgj-wrgh-h3r3 CVE-2024-29190 HIGH over 1 year ago
### Summary
While examining the "App Link assetlinks.json file could not be found" vulnerability detected by MobSF, we, as the Trendyol Application...
pypi
No PRs yet
ESPHome vulnerable to Authentication bypass via Cross site request forgery
GHSA-5925-88xh-6h99 CVE-2024-29019 HIGH over 1 year ago
### Summary
API endpoints in dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forg...
pypi
No PRs yet
GoogleOAuthenticator.hosted_domain incorrectly verifies membership of a Google organization/workspace
GHSA-55m3-44xf-hg4h CVE-2024-29033 HIGH over 1 year ago
## Summary and impact
[`GoogleOAuthenticator.hosted_domain`] is used to restrict what Google accounts can be authorized to access a JupyterHub. Th...
pypi
No PRs yet
`qiskit_ibm_runtime.RuntimeDecoder` can execute arbitrary code
GHSA-x4x5-jv3x-9c7m CVE-2024-29032 MODERATE over 1 year ago
### Summary
deserializing json data using `qiskit_ibm_runtime.RuntimeDecoder` can be made to execute arbitrary code given a correctly formatted in...
pypi
1 Dependabot PR
Dynamic Variable Evaluation in qiskit-ibm-runtime
GHSA-cq96-9974-v8hm LOW over 1 year ago
### Summary
An `eval()` method exists `Options._get_program_inputs`. This is bad in any case, but especially bad because `Options` are also used s...
pypi
No PRs yet
Jupyter Server Proxy's Websocket Proxying does not require authentication
GHSA-w3vc-fx9p-wp4v CVE-2024-28179 CRITICAL over 1 year ago
## Summary
`jupyter-server-proxy` is used to expose ports local to a Jupyter server listening to web traffic to the Jupyter server's _authenticate...
pypi
3 Dependabot PRs (33% merged)
Black vulnerable to Regular Expression Denial of Service (ReDoS)
GHSA-fj7x-q9j7-g6q6 CVE-2024-21503 MODERATE over 1 year ago
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded...
pypi
775 Dependabot PRs (16% merged)
Denial of service via regular expression
GHSA-wj85-w4f4-xh8h CVE-2024-28865 HIGH over 1 year ago
### Impact
All historical installations of django-wiki are vulnerable to maliciously crafted article content, that can cause severe use of server ...
pypi
No PRs yet
XSS via the "Snapshot Test" feature in Classic Webcam plugin settings
GHSA-x7mf-wrh9-r76c CVE-2024-28237 MODERATE over 1 year ago
### Impact
OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with...
pypi
No PRs yet
RCE in TransformGraph().to_dot_graph function
GHSA-h2x6-5jx5-46hf CVE-2023-41334 HIGH over 1 year ago
### Summary
RCE due to improper input validation in TransformGraph().to_dot_graph function
### Details
Due to improper input validation a maliciou...
pypi
No PRs yet
Information leakage in YAQL
GHSA-mvf6-hwxh-7v76 CVE-2024-29156 MODERATE over 1 year ago
When YAQL before 3.0.0 is used in Murano, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leadi...
pypi
No PRs yet
Improper Privilege Management in djangorestframework-simplejwt
GHSA-5vcc-86wm-547q CVE-2024-22513 LOW over 1 year ago
djangorestframework-simplejwt before version 5.5.1 is vulnerable to information disclosure. A user can access web application resources even after ...
pypi
No PRs yet
Regular expression denial-of-service in Django
GHSA-vm8q-m57g-pff3 CVE-2024-27351 MODERATE over 1 year ago
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the trunc...
pypi
32 Dependabot PRs (21% merged)
fgr Vulnerable to Insecure Default Variable Initialization
GHSA-879p-8gw4-mcpw LOW over 1 year ago
### Impact
Any users who would not desire a traceback to be included in their logs whenever an error is raised in their code will be affected.
If...
pypi
No PRs yet
vantage6 vulnerable to a username timing attack on recover password/MFA token
GHSA-5h3x-6gwf-73jm CVE-2024-24770 MODERATE over 1 year ago
### Impact
Much like https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in ...
pypi
No PRs yet
vantage6's CORS settings overly permissive
GHSA-4946-85pr-fvxh CVE-2024-23823 MODERATE over 1 year ago
### Impact
The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server.
T...
pypi
No PRs yet
Whoogle Search Cross-site Scripting vulnerability
GHSA-phg6-44m7-hx3h CVE-2024-22417 MODERATE over 1 year ago
Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `element` method in `app/routes.py` does not validate the user-...
pypi
No PRs yet
Whoogle Search Path Traversal vulnerability
GHSA-hh2q-qv66-jcqg CVE-2024-22204 MODERATE over 1 year ago
Whoogle Search is a self-hosted metasearch engine. Versions 0.8.3 and prior have a limited file write vulnerability when the configuration options ...
pypi
No PRs yet
Whoogle Search Server-Side Request Forgery vulnerability
GHSA-3q6g-qmpx-rqw4 CVE-2024-22205 CRITICAL over 1 year ago
Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `window` endpoint does not sanitize user-supplied input from th...
pypi
No PRs yet
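Several entries on this page (gradio's `/proxy` route, both MobSF checks, and the Whoogle `window` endpoint) are the same bug: a server fetches a URL the user chose without deciding where it is allowed to go. The check below is an added example, not code from any of those projects or from this page. `is_safe_destination`, `is_public_address`, the `FAKE_DNS` table and `fake_resolver` are hypothetical names; the DNS answers are constructed so the demonstration runs offline, and `system_resolver` is what a real deployment would pass instead.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Schemes a fetch-through endpoint should honour; file:, gopher:, etc. are out.
ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host):
    """Resolve a hostname to all of its A/AAAA answers via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip):
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 literals (::ffff:10.0.0.1) are unwrapped first so they
    are judged by their IPv4 range instead of slipping past as "IPv6".
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def is_safe_destination(url, resolver=system_resolver):
    """Decide whether a server-side fetch of `url` may proceed.

    Rejects non-http(s) schemes, URLs without a host, and any literal or
    resolved address in loopback, private, link-local (cloud metadata),
    reserved or multicast ranges. A name whose answers mix public and
    internal addresses is rejected as a whole, and resolution failures
    fail closed.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return False
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        candidates = [literal]
    else:
        try:
            answers = resolver(host)
        except (OSError, ValueError):
            return False
        if not answers:
            return False
        try:
            candidates = [ipaddress.ip_address(a) for a in answers]
        except ValueError:
            return False
    return all(is_public_address(ip) for ip in candidates)


# Constructed DNS answers for an offline demonstration (no real lookups).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "rebind.test": ["93.184.216.34", "10.0.0.1"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://example.com/feed",
              "http://169.254.169.254/latest/meta-data/",
              "http://localhost:8080/admin",
              "http://rebind.test/",
              "http://[::ffff:10.0.0.1]/",
              "file:///etc/passwd"):
        print(f"{u:45} -> {is_safe_destination(u, resolver=fake_resolver)}")
```

This decides only where the first request may go. Two things remain for the fetch itself: connect to the address that was checked rather than resolving the name a second time (otherwise a short-TTL record can rebind between check and connect), and run the same check on every redirect target, since a 302 to `http://127.0.0.1/` is the cheapest bypass of all.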
Whoogle Search Path Traversal vulnerability
GHSA-q97g-c29h-x2p7 CVE-2024-22203 CRITICAL over 1 year ago
Whoogle Search is a self-hosted metasearch engine. In versions prior to 0.8.4, the `element` method in `app/routes.py` does not validate the user-c...
pypi
No PRs yet
Apache Airflow: Ignored Airflow Permission
GHSA-h574-6646-vfxx CVE-2024-28746 MODERATE over 1 year ago
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources su...
pypi
No PRs yet
aiosmtpd vulnerable to SMTP smuggling
GHSA-pr2m-px7j-xg65 CVE-2024-27305 MODERATE over 1 year ago
### Summary
aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differen...
pypi
No PRs yet
Potential log injection in reset user endpoint in CKAN
GHSA-8g38-3m6v-232j CVE-2024-27097 MODERATE over 1 year ago
A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker ...
pypi
No PRs yet
Remote Code Execution Vulnerability in Microsoft Django Backend for SQL Server
GHSA-vmqv-47j8-gwv8 CVE-2024-26164 HIGH over 1 year ago
Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability
pypi
No PRs yet
WeasyPrint allows the attachment of arbitrary files and URLs to a PDF
GHSA-35jj-wx47-4w8r CVE-2024-28184 HIGH over 1 year ago
### Impact
Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even...
pypi
No PRs yet
LibOSDP RMAC revert to the beginning of the session
GHSA-xhjw-7vh5-qxqm CVE-2024-52288 MODERATE over 1 year ago
- Issues:
- SCS_14 is allowed on encrypted connection (osdp_phy.c)
- No validation that RMAC_I is only accepted in response to osdp_SCRYPT (osdp_cp.c)
...
pypi
No PRs yet
LibOSDP vulnerable to a null pointer deref in osdp_reply_name
GHSA-7945-5mcv-f2pp CVE-2024-52296 MODERATE over 1 year ago
### Issue:
In osdp_common.c, in the osdp_reply_name function, any reply id between REPLY_ACK and REPLY_XRD is valid, but the names array does not declare...
pypi
No PRs yet