Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 25,006
With Dependabot PRs: 1,832
Critical Severity: 3,531
High Severity: 8,688
Django Denial-of-service in django.utils.text.Truncator
GHSA-h8gc-pgj2-vjm3 CVE-2023-43665 HIGH about 2 years ago
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with h...
pypi
12 Dependabot PRs (25% merged)
Pillow Denial of Service vulnerability
GHSA-8ghj-p4vj-mr35 CVE-2023-44271 HIGH about 2 years ago
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentiall...
pypi
No PRs yet
Django Denial of service vulnerability in django.utils.encoding.uri_to_iri
GHSA-7h4p-27mh-hmrw CVE-2023-41164 MODERATE about 2 years ago
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of s...
pypi
12 Dependabot PRs (25% merged)
transmute-core unsafe YAML deserialization vulnerability
GHSA-w9cp-3x79-2p8p CVE-2023-47204 CRITICAL about 2 years ago
Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code.
pypi
No PRs yet
Django potential denial of service vulnerability in UsernameField on Windows
GHSA-qmf9-6jqf-j8fq CVE-2023-46695 HIGH about 2 years ago
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a conse...
pypi
58 Dependabot PRs (15% merged)
Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF
GHSA-wjcc-cq79-p63f CVE-2023-46250 MODERATE about 2 years ago
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop.
This infinite loop blocks the current process a...
pypi
No PRs yet
Synapse vulnerable to leak of remote user device information
GHSA-mp92-3jfm-3575 CVE-2023-43796 MODERATE about 2 years ago
### Impact
Cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeser...
pypi
No PRs yet
Apache Airflow Celery provider Insertion of Sensitive Information into Log File vulnerability
GHSA-666g-rfc5-c9jv CVE-2023-46215 HIGH about 2 years ago
Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow.
Sensitive information logged as ...
pypi
No PRs yet
Home Assistant vulnerable to account takeover via auth_callback login
GHSA-qhhj-7hrc-gqj5 CVE-2023-41893 MODERATE about 2 years ago
[_Part of the Cure53 security audit of Home Assistant._](https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/)
The aud...
pypi
No PRs yet
twisted.web has disordered HTTP pipeline response
GHSA-xc8x-vp79-p3wm CVE-2023-46137 MODERATE about 2 years ago
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, ...
pypi
No PRs yet
Command Injection in pip when used with Mercurial
GHSA-mq26-g339-26xf CVE-2023-5752 MODERATE about 2 years ago
When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be u...
pypi
No PRs yet
Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
GHSA-hrfv-mqp8-q5rw CVE-2023-46136 MODERATE about 2 years ago
Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline ...
pypi
No PRs yet
dtale vulnerable to Remote Code Execution through the Custom Filter Input
GHSA-jq6c-r9xf-qxjm CVE-2023-46134 MODERATE about 2 years ago
### Impact
Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server.
### Pa...
pypi
No PRs yet
Nautobot vulnerable to exposure of hashed user passwords via REST API
GHSA-r2hw-74xv-4gqp CVE-2023-46128 HIGH about 2 years ago
### Impact
In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=<N>` query parameter, can expose hashed user passwords a...
pypi
No PRs yet
Fides JavaScript Injection Vulnerability in Privacy Center URL
GHSA-fgjj-5jmr-gh83 CVE-2023-46126 LOW about 2 years ago
### Impact
The Fides web application allows users to edit consent and privacy notices such as cookie banners. These privacy notices can then be ser...
pypi
No PRs yet
Fides Information Disclosure Vulnerability in Config API Endpoint
GHSA-rjxg-rpg3-9r89 CVE-2023-46125 MODERATE about 2 years ago
### Impact
The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is fil...
pypi
No PRs yet
Fides Server-Side Request Forgery Vulnerability in Custom Integration Upload
GHSA-jq3w-9mgf-43m4 CVE-2023-46124 HIGH about 2 years ago
### Impact
The Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in ...
pypi
No PRs yet
Apache Airflow vulnerable to Exposure of Sensitive Information
GHSA-9qqg-mh7c-chfq CVE-2023-46288 MODERATE about 2 years ago
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.4.0 to 2.7.0.
...
pypi
No PRs yet
Django Grappelli Open Redirect vulnerability
GHSA-9x43-5qcq-h79q CVE-2021-46898 MODERATE about 2 years ago
views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith("/") but this doe...
pypi
No PRs yet
Wagtail CRX CodeRed Extensions vulnerable to Path Traversal
GHSA-h454-rq3m-89rc CVE-2021-46897 MODERATE about 2 years ago
views.py in Wagtail CRX CodeRed Extensions (formerly CodeRed CMS or coderedcms) before 0.22.3 allows upward protected/..%2f..%2f path traversal whe...
pypi
No PRs yet
Langchain SQL Injection vulnerability
GHSA-8h5w-f6q9-wg35 CVE-2023-32785 CRITICAL about 2 years ago
In Langchain before 0.0.247, prompt injection allows execution of arbitrary code against the SQL service provided by the chain.
pypi
No PRs yet
Langchain Server-Side Request Forgery vulnerability
GHSA-6h8p-4hx9-w66c CVE-2023-32786 HIGH about 2 years ago
In Langchain before 0.0.329, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing...
pypi
2 Dependabot PRs
PDM Trojan Lockfile
GHSA-j44v-mmf2-xvm9 CVE-2023-45805 HIGH about 2 years ago
### Summary
It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source project to appear to dep...
pypi
No PRs yet
modoboa Cross-Site Request Forgery vulnerability
GHSA-57cr-rq3f-ppmx CVE-2023-5690 MODERATE about 2 years ago
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.
pypi
No PRs yet
modoboa Cross-site Scripting vulnerability
GHSA-pqgm-9g82-wcm7 CVE-2023-5688 CRITICAL about 2 years ago
Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
pypi
No PRs yet
modoboa Cross-site Scripting vulnerability
GHSA-9wj3-cfq8-wpvj CVE-2023-5689 HIGH about 2 years ago
Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
pypi
No PRs yet
mycli has Inadequate Encryption Strength
GHSA-v9vj-9pxv-mr2w CVE-2023-44690 MODERATE about 2 years ago
Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via `/mycli/config.py`.
pypi
No PRs yet
Viewing wget extractor output while logged in as an admin allows archived JS to execute in the admin's context
GHSA-cr45-98w9-gwqx CVE-2023-45815 HIGH about 2 years ago
### Impact
Any users who are using the `wget` or `dom` extractors and view the content they output.
The impact is potentially severe if you are ...
pypi
No PRs yet
Wagtail vulnerable to disclosure of user names via admin bulk action views
GHSA-fc75-58r8-rm3h CVE-2023-45809 LOW about 2 years ago
### Impact
A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk...
pypi
1 Dependabot PR
TorBot vulnerable to Inefficient Regular Expression Complexity in validate_link
GHSA-72qw-p7hh-m3ff CVE-2023-45813 MODERATE about 2 years ago
### Summary
_The torbot.modules.validators.validate_link function uses the python-validators URL validation regex. This particular regular expressi...
pypi
No PRs yet
LangChain Server Side Request Forgery vulnerability
GHSA-655w-fm8m-m478 CVE-2023-46229 HIGH about 2 years ago
LangChain before 0.0.317 allows SSRF via `document_loaders/recursive_url_loader.py` because crawling can proceed from an external server to an inte...
pypi
No PRs yet
urllib3's request body not stripped after redirect from 303 status changes request method to GET
GHSA-g4mx-q9vg-27p4 CVE-2023-45803 MODERATE about 2 years ago
urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 "See Other" after the request had its meth...
pypi
692 Dependabot PRs (8% merged)
vantage6 does not properly delete linked resources when deleting a collaboration
GHSA-rf54-7qrr-96j6 CVE-2023-41881 LOW about 2 years ago
When a collaboration is deleted in vantage6, the linked resources (such as tasks from that collaboration) are not properly deleted.
This is partly...
pypi
No PRs yet
Authorization Header forwarded on redirect
GHSA-gwvm-45gx-3cf8 CVE-2018-25091 MODERATE about 2 years ago
urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, ...
pypi
No PRs yet
Apache Airflow vulnerable to sensitive information exposure
GHSA-32wr-qqw6-5mfp CVE-2023-42663 MODERATE about 2 years ago
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user with access to read specific DAGs _only_ to read informat...
pypi
No PRs yet
Apache Airflow vulnerable to sensitive information exposure when users list warnings for all DAGs
GHSA-cgx2-rrmr-jx43 CVE-2023-42780 MODERATE about 2 years ago
Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs...
pypi
No PRs yet
Apache Airflow vulnerable to privilege escalation
GHSA-j3w8-2p2h-mrr9 CVE-2023-42792 MODERATE about 2 years ago
Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, t...
pypi
No PRs yet
Apache Airflow vulnerable to sensitive information exposure when expose-config is set to non-sensitive-only
GHSA-fpxx-xv4c-gxqp CVE-2023-45348 MODERATE about 2 years ago
Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration info...
pypi
No PRs yet
pyminizip affected by zlib's integer overflow/heap based buffer overflow vulnerability due to vulnerable dependency
GHSA-mq29-j5xf-cjwr CVE-2023-45853 CRITICAL about 2 years ago
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, commen...
pypi
No PRs yet
Defining resource name as integer may give unintended access in vantage6
GHSA-7x94-6g2m-3hp2 CVE-2023-28635 MODERATE about 2 years ago
### Impact
Malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names.
One examp...
pypi
No PRs yet
Improper Access Control in vantage6
GHSA-gc57-xhh5-m94r CVE-2023-41882 MODERATE about 2 years ago
### Impact
The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should ha...
pypi
No PRs yet
Pickle serialization vulnerable to Deserialization of Untrusted Data
GHSA-5m22-cfq9-86x6 CVE-2023-23930 HIGH about 2 years ago
### What
We are using pickle as default serialization module but that has known security issues (see e.g. https://medium.com/ochrona/python-pickle-...
pypi
No PRs yet
matrix-synapse vulnerable to denial of service due to malicious server ACL events
GHSA-5chr-wjw5-3gq4 CVE-2023-45129 MODERATE about 2 years ago
### Impact
A malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service.
Homeservers r...
pypi
No PRs yet
OctoPrint vulnerable to Improper Neutralization of Special Elements Used in a Template Engine
GHSA-fwfg-vprh-97ph CVE-2023-41047 HIGH about 2 years ago
### Impact
OctoPrint versions up until and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted [...
pypi
No PRs yet
Microsoft Common Data Model SDK Denial of Service Vulnerability
GHSA-vm2m-7hpw-fpmq CVE-2023-36566 MODERATE about 2 years ago
Microsoft Common Data Model SDK Denial of Service Vulnerability
maven
nuget
pypi
No PRs yet
langchain_experimental vulnerable to arbitrary code execution via PALChain in the python exec method
GHSA-gjjr-63x4-v8cq CVE-2023-44467 CRITICAL about 2 years ago
langchain_experimental (aka LangChain Experimental) in LangChain before 0.0.306 allows an attacker to bypass the CVE-2023-36258 fix and execute arb...
pypi
No PRs yet
Bundled libwebp in pywebp vulnerable
GHSA-f9pm-4g9p-6vm3 HIGH about 2 years ago
### Impact
pywebp versions before v0.3.0 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. The vulnerability was a heap buff...
pypi
No PRs yet
NI MeasurementLink Python Services Improper Access Restriction vulnerability
GHSA-3f48-9j7q-q2gv CVE-2023-4570 HIGH about 2 years ago
### Impact
An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services ex...
pypi
No PRs yet
Bundled libwebp in imagecodecs vulnerable
GHSA-94vc-p8w7-5p49 HIGH about 2 years ago
imagecodecs versions before v2023.9.18 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). imagecod...
pypi
No PRs yet
Zope management interface vulnerable to stored cross site scripting via the title property
GHSA-m755-gxxg-r5qh CVE-2023-44389 LOW about 2 years ago
### Impact
The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object ...
pypi
No PRs yet