Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,921
With Dependabot PRs: 1,820
Critical Severity: 3,520
High Severity: 8,659
Unsafe yaml deserialization in llama-hub
GHSA-297x-2qf3-jrj3 CVE-2024-23730 CRITICAL almost 2 years ago
The OpenAPI and ChatGPT plugin loaders in LlamaHub (aka llama-hub) before 0.0.67 allow attackers to execute arbitrary code because safe_load is not...
pypi
No PRs yet
ReDoS in Embedchain
GHSA-r67w-f99w-mgxj CVE-2024-23732 MODERATE almost 2 years ago
The JSON loader in Embedchain before 0.1.57 allows a ReDoS (regular expression denial of service) via a long string to json.py.
pypi
No PRs yet
Code execution in Embedchain
GHSA-rhhj-5436-95vf CVE-2024-23731 CRITICAL almost 2 years ago
The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument.
pypi
No PRs yet
Code Injection in paddlepaddle
GHSA-chj7-w3f6-cvfj CVE-2024-0521 CRITICAL almost 2 years ago
The vulnerability arises from the way the url parameter is incorporated into the command string without proper validation or sanitization. If the u...
pypi
No PRs yet
Arbitrary Code Execution in Pillow
GHSA-3f63-hfp8-52jq CVE-2023-50447 CRITICAL almost 2 years ago
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-228...
pypi
No PRs yet
JupyterLab vulnerable to potential authentication and CSRF tokens leak
GHSA-44cc-43rp-5947 CVE-2024-22421 HIGH almost 2 years ago
### Impact
Users of JupyterLab who click on a malicious link may get their `Authorization` and `XSRFToken` tokens exposed to a third party when run...
pypi
52 Dependabot PRs, 10% merged
JupyterLab vulnerable to SXSS in Markdown Preview
GHSA-4m77-cmpx-vjc4 CVE-2024-22420 MODERATE almost 2 years ago
### Impact
The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab pr...
pypi
1 Dependabot PR
concat built-in can corrupt memory in vyper
GHSA-2q8v-3gqq-4f8p CVE-2024-22419 HIGH almost 2 years ago
### Summary
`concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The...
pypi
No PRs yet
Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
GHSA-pgpj-v85q-h5fm CVE-2024-22416 CRITICAL almost 2 years ago
### Summary
The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this ope...
pypi
No PRs yet
Unsecured endpoints in the jupyter-lsp server extension
GHSA-4qhp-652w-c22x CVE-2024-22415 HIGH almost 2 years ago
### Impact
Installations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and ...
pypi
2 Dependabot PRs, 50% merged
Cross-Frame Scripting vulnerability has been found on Plone CMS
GHSA-5xfx-55x4-j223 CVE-2024-0669 HIGH almost 2 years ago
A Cross-Frame Scripting vulnerability has been found on Plone CMS affecting versions below 6.0.5. An attacker could store a malicious URL to be open...
pypi
No PRs yet
readthedocs-sphinx-search vulnerable to cross-site scripting when including search results from malicious projects
GHSA-xgfm-fjx6-62mj MODERATE almost 2 years ago
### Impact
This vulnerability could have allowed an attacker to include arbitrary HTML content in search results by having a user search a malicio...
pypi
12 Dependabot PRs, 25% merged
Privilege escalation for users that can access mock configuration
GHSA-7j98-74jh-cjxh CVE-2023-6395 MODERATE almost 2 years ago
The Mock software contains a vulnerability wherein an attacker could potentially exploit privilege escalation, enabling the execution of arbitrary ...
pypi
No PRs yet
Path traversal in flaskcode
GHSA-6h4q-63c5-qfqf CVE-2023-52288 HIGH almost 2 years ago
An issue was discovered in the flaskcode package through 0.0.8 for Python. An unauthenticated directory traversal, exploitable with a GET request t...
pypi
No PRs yet
Path traversal in flaskcode
GHSA-v3rg-qm46-xrg9 CVE-2023-52289 HIGH almost 2 years ago
An issue was discovered in the flaskcode package through 0.0.8 for Python. An unauthenticated directory traversal, exploitable with a POST request ...
pypi
No PRs yet
Minor fix to previous patch for CVE-2022-35918
GHSA-8qw9-gf7w-42x5 LOW almost 2 years ago
### Impact
The initial vulnerability identified in Streamlit apps using custom components, allowing for directory traversal attacks, was addressed...
pypi
No PRs yet
Gentoo Portage missing PGP validation of executed code
GHSA-pw5x-x5jw-ccmh CVE-2016-20021 HIGH almost 2 years ago
In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does...
pypi
No PRs yet
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
GHSA-h5c8-rqwp-cp95 CVE-2024-22195 MODERATE almost 2 years ago
The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be...
pypi
1214 Dependabot PRs, 16% merged
cdo-local-uuid vulnerable to insertion of artifact derived from developer's Present Working Directory into demonstration code
GHSA-rgrf-6mf5-m882 CVE-2024-22194 LOW almost 2 years ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
An information leakage vulnerability is present in [`cdo-local-uuid`](https://pypi...
pypi
No PRs yet
Untrusted search path under some conditions on Windows allows arbitrary code execution
GHSA-2mqj-m65w-jghx CVE-2024-22190 HIGH almost 2 years ago
### Summary
This issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a sh...
pypi
102 Dependabot PRs, 14% merged
Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC
GHSA-97x9-59rv-q5pm CVE-2024-21669 CRITICAL almost 2 years ago
### Impact
When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentat...
pypi
No PRs yet
fonttools XML External Entity Injection (XXE) Vulnerability
GHSA-6673-4983-2vx5 CVE-2023-45139 HIGH almost 2 years ago
### Summary
As of `fonttools>=4.28.2` the subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to re...
pypi
No PRs yet
pyload Unauthenticated Flask Configuration Leakage vulnerability
GHSA-mqpq-2p68-46fv CVE-2024-21644 HIGH almost 2 years ago
### Summary
Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable.
### Details
Any...
pypi
No PRs yet
pyload Log Injection vulnerability
GHSA-ghmw-rwh8-6qmr CVE-2024-21645 MODERATE almost 2 years ago
### Summary
A log injection vulnerability was identified in `pyload`. This vulnerability allows any unauthenticated actor to inject arbitrary messa...
pypi
No PRs yet
D-Tale server-side request forgery through Web uploads
GHSA-7hfx-h3j3-rwq4 CVE-2024-21642 HIGH almost 2 years ago
### Impact
Users hosting D-Tale publicly can be vulnerable to server-side request forgery (SSRF) allowing attackers to access files on the server.
...
pypi
No PRs yet
PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption
GHSA-j225-cvw7-qrx7 CVE-2023-52323 HIGH almost 2 years ago
PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.
pypi
78 Dependabot PRs, 16% merged
PaddlePaddle command injection in _wget_download
GHSA-rf7p-79xq-8xwm CVE-2023-52311 CRITICAL almost 2 years ago
PaddlePaddle before 2.6.0 has a command injection in _wget_download. This resulted in the ability to execute arbitrary commands on the operating sy...
pypi
No PRs yet
PaddlePaddle stack overflow in paddle.searchsorted
GHSA-4rrv-8gcp-24v8 CVE-2023-52304 HIGH almost 2 years ago
Stack overflow in paddle.searchsorted in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.
pypi
No PRs yet
PaddlePaddle floating point exception in paddle.topk
GHSA-rx2r-q96c-w5cc CVE-2023-52305 MODERATE almost 2 years ago
FPE in paddle.topk in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle command injection in get_online_pass_interval
GHSA-j5h9-9r39-43q5 CVE-2023-52310 CRITICAL almost 2 years ago
PaddlePaddle before 2.6.0 has a command injection in get_online_pass_interval. This resulted in the ability to execute arbitrary commands on the op...
pypi
No PRs yet
PaddlePaddle command injection in convert_shape_compare
GHSA-3cr5-2446-8pg3 CVE-2023-52314 CRITICAL almost 2 years ago
PaddlePaddle before 2.6.0 has a command injection in convert_shape_compare. This resulted in the ability to execute arbitrary commands on the opera...
pypi
No PRs yet
PaddlePaddle stack overflow in paddle.linalg.lu_unpack
GHSA-g57v-2687-jx33 CVE-2023-52307 HIGH almost 2 years ago
Stack overflow in paddle.linalg.lu_unpack in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage.
pypi
No PRs yet
PaddlePaddle heap buffer overflow in paddle.repeat_interleave
GHSA-8fp7-jwv2-49x9 CVE-2023-52309 HIGH almost 2 years ago
Heap buffer overflow in paddle.repeat_interleave in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, information disclosure, o...
pypi
No PRs yet
PaddlePaddle floating point exception in paddle.argmin and paddle.argmax
GHSA-275c-w5mq-v5m2 CVE-2023-52313 MODERATE almost 2 years ago
FPE in paddle.argmin and paddle.argmax in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle nullptr dereference in paddle.crop
GHSA-qppw-c37g-xwcc CVE-2023-52312 MODERATE almost 2 years ago
Nullptr dereference in paddle.crop in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle floating point exception in paddle.lerp
GHSA-rg9q-m8hv-xxr6 CVE-2023-52306 MODERATE almost 2 years ago
FPE in paddle.lerp in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle floating point exception in paddle.amin
GHSA-v9pg-qw6x-w5r2 CVE-2023-52308 MODERATE almost 2 years ago
FPE in paddle.amin in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle segfault in paddle.dot
GHSA-x3q9-c788-j7c8 CVE-2023-38676 MODERATE almost 2 years ago
Nullptr in paddle.dot in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle floating point exception in paddle.linalg.eig
GHSA-c6ph-m8cw-rfqh CVE-2023-38677 MODERATE almost 2 years ago
FPE in paddle.linalg.eig in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle null pointer dereference in paddle.nextafter
GHSA-547m-23x7-cxg5 CVE-2023-52302 MODERATE almost 2 years ago
Nullptr in paddle.nextafter in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle segfault in paddle.put_along_axis
GHSA-2wcj-qr76-9768 CVE-2023-52303 MODERATE almost 2 years ago
Nullptr in paddle.put_along_axis in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle floating point exception in paddle.linalg.matrix_rank
GHSA-jm68-fpmr-8j2g CVE-2023-38675 MODERATE almost 2 years ago
FPE in paddle.linalg.matrix_rank in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle segfault in paddle.mode
GHSA-mr78-v55p-7777 CVE-2023-38678 MODERATE almost 2 years ago
OOB access in paddle.mode in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
PaddlePaddle floating point exception in paddle.nanmedian
GHSA-xjpw-hx47-rccv CVE-2023-38674 MODERATE almost 2 years ago
FPE in paddle.nanmedian in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service.
pypi
No PRs yet
Hail relies on OIDC email claims to verify the validity of a user's domain.
GHSA-487p-qx68-5vjw CVE-2023-51663 MODERATE almost 2 years ago
### Impact
All Hail Batch clusters are affected. An attacker is able to:
1. Create one or more accounts with Hail Batch without corresponding rea...
pypi
No PRs yet
Ansible symlink attack vulnerability
GHSA-jpvw-p8pr-9g2x CVE-2023-5115 MODERATE almost 2 years ago
An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and mak...
pypi
No PRs yet
DoS with algorithms that use PBKDF2 due to unbounded PBES2 Count value
GHSA-cw2r-4p82-qv79 CVE-2023-6681 MODERATE almost 2 years ago
### Impact
Denial of Service,
Applications that allow the use of the PBKDF2 algorithm.
### Patches
A [patch](https://github.com/latchset/jwcrypto/...
pypi
No PRs yet
Open redirect vulnerability in Flask-Security-Too
GHSA-672h-6x89-76m5 CVE-2023-49438 MODERATE almost 2 years ago
An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites ...
pypi
1 Dependabot PR
Nautobot missing object-level permissions enforcement when running Job Buttons
GHSA-vf5m-xrhm-v999 CVE-2023-51649 LOW almost 2 years ago
### Impact
When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have pe...
pypi
No PRs yet
Gradio makes the `/file` secure against file traversal and server-side request forgery attacks
GHSA-6qm2-wpxq-7qh2 CVE-2023-51449 HIGH almost 2 years ago
Older versions of `gradio` contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacke...
pypi
No PRs yet