Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,921
With Dependabot PRs: 1,820
Critical Severity: 3,520
High Severity: 8,659
Django MarkdownX Cross-Site Scripting (XSS) vulnerability
GHSA-fvx8-79hx-x82f CVE-2024-2319 MODERATE over 1 year ago
Cross-Site Scripting (XSS) vulnerability in the Django MarkdownX project, affecting version 4.0.2. An attacker could store a specially crafted Java...
pypi
No PRs yet
pgAdmin 4 vulnerable to Unsafe Deserialization and Remote Code Execution by an Authenticated user
GHSA-rj98-crf4-g69w CVE-2024-2044 CRITICAL almost 2 years ago
pgAdmin prior to version 8.4 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the...
pypi
No PRs yet
PaddlePaddle Path Traversal vulnerability
GHSA-2rp8-hff9-c5wr CVE-2024-0818 CRITICAL almost 2 years ago
Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle before 2.6
pypi
No PRs yet
PaddlePaddle vulnerable to remote code execution
GHSA-mrmm-qmrj-xgp6 CVE-2024-0917 CRITICAL almost 2 years ago
remote code execution in paddlepaddle/paddle 2.6.0
pypi
No PRs yet
PaddlePaddle command injection in paddle.utils.download._wget_download
GHSA-qqv2-35q8-p2g2 CVE-2024-0815 HIGH almost 2 years ago
Command injection in paddle.utils.download._wget_download (bypass filter) in paddlepaddle/paddle 2.6.0
pypi
No PRs yet
PaddlePaddle command injection vulnerability
GHSA-fh54-3vhg-mpc2 CVE-2024-0817 HIGH almost 2 years ago
Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0
pypi
No PRs yet
JWCrypto vulnerable to JWT bomb Attack in `deserialize` function
GHSA-j857-7rvv-vj97 CVE-2024-28102 MODERATE almost 2 years ago
## Affected version
Vendor: https://github.com/latchset/jwcrypto
Version: 1.5.5
## Description
An attacker can cause a DoS attack by passing in a ...
pypi
No PRs yet
RPyC's missing security check results in code execution when using numpy.array on the server-side.
GHSA-h5cg-53g7-gqjw CVE-2024-27758 HIGH almost 2 years ago
An issue in Open Source: RPyC v.4.00 thru v.5.3.1 allows a remote attacker to execute arbitrary code via a crafted script to the `__array__` attrib...
pypi
No PRs yet
esphome vulnerable to stored Cross-site Scripting in edit configuration file API
GHSA-9p43-hj5j-96h5 CVE-2024-27287 MODERATE almost 2 years ago
### Summary
Edit configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) s...
pypi
No PRs yet
Plone information disclosure vulnerability
GHSA-xg5p-8wg5-rhxm CVE-2024-22889 MODERATE almost 2 years ago
Due to incorrect access control in Plone version v6.0.9, remote attackers can view and list all files hosted on the website via sending a crafted r...
pypi
No PRs yet
eth-abi is vulnerable to recursive DoS
GHSA-3qwc-47jf-5rf7 MODERATE almost 2 years ago
This is related to recent ZST stuff (https://github.com/ethereum/eth-abi/security/advisories/GHSA-rqr8-pxh7-cq3g), but it's a different one. Basica...
pypi
No PRs yet
LangChain directory traversal vulnerability
GHSA-h59x-p739-982c CVE-2024-28088 LOW almost 2 years ago
LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain cal...
pypi
1 Dependabot PR
ESPHome vulnerable to remote code execution via arbitrary file write
GHSA-8p25-3q46-8q2p CVE-2024-27081 HIGH almost 2 years ago
### Summary
Security misconfiguration in edit configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation...
pypi
No PRs yet
Apache Airflow: Incorrect Default Permissions in audit logs for Ops and Viewers users
GHSA-6xwf-xvf3-v459 CVE-2024-26280 MODERATE almost 2 years ago
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, i...
pypi
No PRs yet
Docassemble HTML and javascript injection
GHSA-pcfx-g2j2-f6f6 CVE-2024-27290 MODERATE almost 2 years ago
### Impact
A user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTM...
pypi
No PRs yet
Docassemble open redirect
GHSA-7wxf-r2qv-9xwr CVE-2024-27291 MODERATE almost 2 years ago
### Impact
It is possible to create a URL that acts as an open redirect.
### Patches
The vulnerability has been patched in version 1.4.97 of the m...
pypi
No PRs yet
Docassemble unauthorized access through URL manipulation
GHSA-jq57-3w7p-vwvv CVE-2024-27292 HIGH almost 2 years ago
### Impact
The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects version...
pypi
No PRs yet
Apache Airflow: DAG Code and Import Error Permissions Ignored
GHSA-6v6w-h8m6-7mv2 CVE-2024-27906 MODERATE almost 2 years ago
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not h...
pypi
No PRs yet
Mezzanine allows attackers to bypass access control mechanisms
GHSA-qp56-82vp-xqgv CVE-2024-25169 MODERATE almost 2 years ago
An issue in Mezzanine v6.0.0 allows attackers to bypass access control mechanisms in the admin panel via a crafted request.
pypi
No PRs yet
Mezzanine allows attackers to bypass access controls via manipulating the Host header
GHSA-22cc-w7xm-rfhx CVE-2024-25170 MODERATE almost 2 years ago
An issue in Mezzanine v6.0.0 allows attackers to bypass access controls via manipulating the Host header.
pypi
No PRs yet
Flask-AppBuilder vulnerable to incorrect authentication when using auth type OpenID
GHSA-j2pw-vp55-fqqj CVE-2024-25128 CRITICAL almost 2 years ago
### Impact
When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, allows an attacker to forge an HTTP request, that could deceive the backend into usi...
pypi
No PRs yet
Flask-AppBuilder's OAuth login page subject to Cross Site Scripting (XSS)
GHSA-fqxj-46wg-9v84 CVE-2024-27083 MODERATE almost 2 years ago
### Impact
A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user to follow a speci...
pypi
No PRs yet
Apache Superset: Improper authorization validation on dashboards and charts import
GHSA-3v9r-885j-762g CVE-2024-26016 MODERATE almost 2 years ago
A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereb...
pypi
No PRs yet
Apache Superset: Improper data authorization when creating a new dataset
GHSA-wr6g-9wcr-cmqj CVE-2024-24779 MODERATE almost 2 years ago
Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual d...
pypi
No PRs yet
Apache Superset: Improper Neutralization of custom SQL on embedded context
GHSA-m6jm-3v38-76j4 CVE-2024-24772 MODERATE almost 2 years ago
A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analyti...
pypi
No PRs yet
Apache Superset: Improper validation of SQL statements allows for unauthorized access to data
GHSA-5474-f7g5-273q CVE-2024-24773 MODERATE almost 2 years ago
Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope.
This issue affects A...
pypi
No PRs yet
Apache Superset: Improper error handling on alerts
GHSA-h7r6-8qmm-hj5r CVE-2024-27315 MODERATE almost 2 years ago
An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that tr...
pypi
No PRs yet
ZenML Server Remote Privilege Escalation Vulnerability
GHSA-vf7j-cmrj-pmmm CVE-2024-25723 HIGH almost 2 years ago
ZenML Server in the ZenML package before 0.46.7 for Python allows remote privilege escalation because the `/api/v1/users/{user_name_or_id}/activate...
pypi
No PRs yet
diffoscope Path Traversal vulnerability
GHSA-33w6-hvmq-gh4x CVE-2024-25711 MODERATE almost 2 years ago
diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be discl...
pypi
No PRs yet
Vyper's `extract32` can read dirty memory
GHSA-4hwq-4cpm-8vmx CVE-2024-24564 LOW almost 2 years ago
### Summary
When using the built-in `extract32(b, start)`, if the `start` index provided has for side effect to update `b`, the byte array to extr...
pypi
No PRs yet
Vyper's `_abi_decode` vulnerable to Memory Overflow
GHSA-9p8r-4xp4-gw5w CVE-2024-26149 LOW almost 2 years ago
## Summary
If an excessively large value is specified as the starting index for an array in `_abi_decode`, it can cause the read position to overf...
pypi
No PRs yet
PyPop C extensions possible vulnerability: missing arguments and redundant null pointers
GHSA-p4m5-32pr-2hqr LOW almost 2 years ago
### Impact
Code scanning revealed possible vulnerability in C extensions for PyPop: incorrect function calls (missing arguments or wrongly typed ar...
pypi
No PRs yet
orjson does not limit recursion for deeply nested JSON documents
GHSA-pwr2-4v36-6qpr CVE-2024-27454 HIGH almost 2 years ago
orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.
pypi
2 Dependabot PRs
pretix mishandles file validation
GHSA-672r-97r7-vx2q CVE-2024-27447 MODERATE almost 2 years ago
pretix before 2024.1.1 mishandles file validation.
pypi
No PRs yet
LangChain Experimental vulnerable to arbitrary code execution
GHSA-v8vj-cv27-hjv8 CVE-2024-27444 CRITICAL almost 2 years ago
langchain_experimental (aka LangChain Experimental) before 0.0.52, part of LangChain before 0.1.8, allows an attacker to bypass the CVE-2023-44467 ...
pypi
No PRs yet
langchain Server-Side Request Forgery vulnerability
GHSA-h9j7-5xvc-qhg5 CVE-2024-0243 LOW almost 2 years ago
With the following crawler configuration:
```python
from bs4 import BeautifulSoup as Soup
url = "https://example.com"
loader = RecursiveUrlLoader...
pypi
No PRs yet
Uninitialized Variable in fastecdsa
GHSA-ph86-g9r3-5qw4 CVE-2024-21502 HIGH almost 2 years ago
Versions of the package fastecdsa before 2.3.2 use an Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due t...
pypi
No PRs yet
Cross-site Scripting in MLFlow
GHSA-6749-m5cp-6cg7 CVE-2024-27132 CRITICAL almost 2 years ago
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe.
This issue leads to a client-side RCE when running an untrusted...
pypi
No PRs yet
MLFlow Cross-site Scripting vulnerability leads to client-side Remote Code Execution
GHSA-3v79-q7ph-j75h CVE-2024-27133 CRITICAL almost 2 years ago
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when r...
pypi
No PRs yet
Onnx Directory Traversal vulnerability
GHSA-whh8-fjgc-qp73 CVE-2024-27318 HIGH almost 2 years ago
Versions of the package onnx before and including 1.15.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can h...
pypi
2 Dependabot PRs
Onnx Out-of-bounds Read vulnerability
GHSA-h8wv-9h96-m4hr CVE-2024-27319 MODERATE almost 2 years ago
Versions of the package onnx before and including 1.15.0 are vulnerable to Out-of-bounds Read as the ONNX_ASSERT and ONNX_ASSERTM functions have an...
pypi
2 Dependabot PRs
Gradio apps vulnerable to timing attacks to guess password
GHSA-hmx6-r76c-85g9 CVE-2024-1729 MODERATE almost 2 years ago
### Impact
This security policy is with regards to a timing attack that allows users of Gradio apps to potentially guess the password of password-p...
pypi
No PRs yet
Label Studio vulnerable to Cross-site Scripting if `<Choices>` or `<Labels>` are used in labeling config
GHSA-6xv9-957j-qfhg CVE-2024-26152 MODERATE almost 2 years ago
### Summary
On all Label Studio versions prior to 1.11.0, data imported via file upload feature is not properly sanitized prior to being rendered w...
pypi
No PRs yet
pypqc private key retrieval vulnerability
GHSA-rc4p-p3j9-6577 HIGH almost 2 years ago
### Impact
`kyber512`, `kyber768`, and `kyber1024` only: An attacker able to submit many decapsulation requests against a single private key, and t...
pypi
No PRs yet
Potentially untrusted input is rendered as HTML in final output
GHSA-578p-fxmm-6229 CVE-2024-26151 HIGH almost 2 years ago
### Impact
All users of mjml-python who insert untrusted data into mjml templates unless that data is checked in a very strict manner. User input ...
pypi
No PRs yet
cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override
GHSA-6vqw-3v5j-54x4 CVE-2024-26130 HIGH almost 2 years ago
If `pkcs12.serialize_key_and_certificates` is called with both:
1. A certificate whose public key did not match the provided private key
2. An `en...
pypi
56 Dependabot PRs (14% merged)
pymatgen vulnerable to arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string
GHSA-vgv8-5cpj-qj2f CVE-2024-23346 CRITICAL almost 2 years ago
### Summary
A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` li...
pypi
1 Dependabot PR
Potential buffer overflow in CBOR2 decoder
GHSA-375g-39jq-vq7m CVE-2024-26134 HIGH almost 2 years ago
### Summary
Ever since https://github.com/agronholm/cbor2/pull/204 (or specifically https://github.com/agronholm/cbor2/commit/387755eacf0be35591a47...
pypi
No PRs yet
Improper Certificate Validation in apache airflow mongo hook
GHSA-x5pm-h33q-cjrw CVE-2024-25141 CRITICAL almost 2 years ago
When ssl was enabled for Mongo Hook, default settings included "allow_insecure" which caused that certificates were not validated. This was unexpec...
pypi
No PRs yet
Cross-site Scripting in Pyhtml2pdf
GHSA-p3rv-qj56-2fqx CVE-2024-1647 HIGH almost 2 years ago
Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not ...
pypi
No PRs yet