An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total advisories: 24,784
With Dependabot PRs: 1,790
Critical severity: 3,506
High severity: 8,617

Copier's safe template has arbitrary filesystem read/write access
GHSA-3xw7-v6cj-5q8h CVE-2025-55201 HIGH 3 months ago
Impact: Copier's current security model shall restrict filesystem access through Jinja: - Files can only be read using `{% include ... %}`, wh...
pypi
No PRs yet
Apache Superset data query improperly discloses database schema information to low-privileged guest user
GHSA-9g5x-mm39-wg9r CVE-2025-55673 MODERATE 4 months ago
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This f...
pypi
No PRs yet
Apache Superset's chart visualization has a stored Cross-Site Scripting (XSS) vulnerability
GHSA-fj97-2v9x-w5m4 CVE-2025-55672 MODERATE 4 months ago
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit c...
pypi
No PRs yet
Apache Superset has bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of blocked SQL functions
GHSA-fxgf-3xh6-m2pp CVE-2025-55674 MODERATE 4 months ago
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use...
pypi
No PRs yet
Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access
GHSA-mhpq-m962-mg92 CVE-2025-55675 MODERATE 4 months ago
Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated u...
pypi
No PRs yet
PyPDF's Manipulated FlateDecode streams can exhaust RAM
GHSA-7hfw-26vp-jp8m CVE-2025-55197 MODERATE 4 months ago
Impact: An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a...
pypi
16 Dependabot PRs
OMERO.web displays unnecessary user information when requesting password reset
GHSA-gpmg-4x4g-mr5r CVE-2025-54791 MODERATE 4 months ago
Background: If an error occurred when resetting a user's password using the ``Forgot Password`` option in OMERO.web, the error message displaye...
pypi
No PRs yet
Keras vulnerable to CVE-2025-1550 bypass via reuse of internal functionality
GHSA-c9rc-mg46-23w3 CVE-2025-8747 HIGH 4 months ago
Summary: It is possible to bypass the mitigation introduced in response to [CVE-2025-1550](https://github.com/keras-team/keras/security/advisori...
pypi
No PRs yet
Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass
GHSA-9gvj-pp9x-gcfr HIGH 4 months ago
Details: There's a parsing logic error in picklescan and modelscan while trying to deal with opcode `STACK_GLOBAL`. Function `_list_globals` whe...
pypi
2 Dependabot PRs
50% Merged
PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter
GHSA-pwh4-6r3m-j2rf CVE-2025-55156 HIGH 4 months ago
Summary: The parameter `add_links` in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensit...
pypi
No PRs yet
Litestar has potential log injection in exception logging
GHSA-674p-xv2x-rf3g LOW 4 months ago
Summary: Litestar does not escape url paths when logging exceptions. This makes logger vulnerable to CRLF injection if logging level is configu...
pypi
No PRs yet
TinyScientist has Path Traversal Vulnerability in PDF Review Function (CWE-22)
GHSA-rrgf-hcr9-jq6h CVE-2025-55149 MODERATE 4 months ago
Description: A critical path traversal vulnerability (CWE-22) has been identified in the `review_paper` function in `backend/app.py`. The vulnera...
pypi
No PRs yet
ExecuTorch integer overflow vulnerability
GHSA-84m3-f99p-cqx5 CVE-2025-30405 CRITICAL 4 months ago
An integer overflow vulnerability in the loading of ExecuTorch models can cause objects to be placed outside their allocated memory area, potential...
pypi
No PRs yet
ExecuTorch integer overflow vulnerability
GHSA-hj95-mhgf-jxc4 CVE-2025-30404 CRITICAL 4 months ago
An integer overflow vulnerability in the loading of ExecuTorch models can cause overlapping allocations, potentially resulting in code execution or...
pypi
No PRs yet
ExecuTorch heap buffer overflow vulnerability
GHSA-9m39-3mf3-xwch CVE-2025-54949 CRITICAL 4 months ago
A heap buffer overflow vulnerability in the loading of ExecuTorch models can potentially result in code execution or other undesirable effects. Thi...
pypi
No PRs yet
ExecuTorch out-of-bounds access vulnerability
GHSA-f9hx-c6jf-3qxm CVE-2025-54950 CRITICAL 4 months ago
An out-of-bounds access vulnerability in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution o...
pypi
No PRs yet
ExecuTorch integer overflow vulnerability leads to code execution
GHSA-33r8-vrx9-rmcv CVE-2025-54952 MODERATE 4 months ago
An integer overflow vulnerability in the loading of ExecuTorch models can cause smaller-than-expected memory regions to be allocated, potentially r...
pypi
No PRs yet
ExecuTorch vulnerable to Heap-based Buffer Overflow
GHSA-xc7w-r669-48pf CVE-2025-54951 CRITICAL 4 months ago
A group of related buffer overflow vulnerabilities in the loading of ExecuTorch models can cause the runtime to crash and potentially result in cod...
pypi
No PRs yet
uv allows ZIP payload obfuscation through parsing differentials
GHSA-8qf3-x8v5-2pj8 CVE-2025-54368 MODERATE 4 months ago
Impact: In versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled agai...
pypi
260 Dependabot PRs
18% Merged
SKOPS Card.get_model happily allows arbitrary code execution
GHSA-378x-6p4f-8jgm CVE-2025-54886 HIGH 4 months ago
Summary: The `Card` class of `skops`, used for model documentation and sharing, allows arbitrary code execution. When a file other than `.zip` i...
pypi
No PRs yet
Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability
GHSA-9356-575x-2w9m CVE-2025-5197 MODERATE 4 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weigh...
pypi
16 Dependabot PRs
pyLoad CNL Blueprint allows Path Traversal through `dlc_path` which leads to Remote Code Execution (RCE)
GHSA-48rp-jc79-2264 CVE-2025-54802 CRITICAL 4 months ago
Summary: **Path Traversal in pyLoad-ng CNL Blueprint via `package` parameter allows Arbitrary File Write leading to Remote Code Execution (RCE)*...
pypi
No PRs yet
copyparty allows Regex Denial of Service (ReDoS) in the upload listing
GHSA-5662-2rj7-f2v6 CVE-2025-54796 HIGH 4 months ago
Summary: The `filter` parameter for the "Recent uploads" page allows arbitrary Regexes. If this feature is enabled (which is the default), an at...
pypi
No PRs yet
MaterialX Lack of MTLX Import Depth Limit Leads to DoS (Denial-Of-Service) Via Stack Exhaustion
GHSA-qc2h-74x3-4v3w CVE-2025-53012 MODERATE 4 months ago
Summary: Nested imports of MaterialX files can lead to a crash via stack memory exhaustion, due to the lack of a limit on the "import chain" dep...
pypi
No PRs yet
MaterialX Stack Overflow via Lack of MTLX XML Parsing Recursion Limit
GHSA-wx6g-fm6f-w822 CVE-2025-53009 MODERATE 4 months ago
Summary: When parsing an MTLX file with multiple nested `nodegraph` implementations, the MaterialX XML parsing logic can potentially crash due ...
pypi
No PRs yet
num2words subjected to phishing attack, two versions published containing malware
GHSA-jxr6-qrxx-2ph2 CRITICAL 4 months ago
The `num2words` project was compromised via a phishing attack and two new versions were uploaded to PyPI containing malicious code. The affected ve...
pypi
No PRs yet
OpenEXR Out-Of-Memory via Unbounded File Header Values
GHSA-x22w-82jp-8rvf CVE-2025-48074 MODERATE 4 months ago
Summary: The OpenEXR file format defines much information about the final image inside of the file header, such as the size of data/display wind...
pypi
No PRs yet
OpenEXR ScanLineProcess::run_fill NULL Pointer Write In "reduceMemory" Mode
GHSA-qhpm-86v7-phmm CVE-2025-48073 MODERATE 4 months ago
Summary: When reading a deep scanline image with a large sample count in `reduceMemory` mode, it is possible to crash a target application with...
pypi
No PRs yet
OpenEXR Out of Bounds Heap Read due to Bad Pointer Arithmetic in LossyDctDecoder_execute
GHSA-4r7w-q3jg-ff43 CVE-2025-48072 MODERATE 4 months ago
Summary: The OpenEXRCore code is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing D...
pypi
No PRs yet
OpenEXR Heap-Based Buffer Overflow in Deep Scanline Parsing via Forged Unpacked Size
GHSA-h45x-qhg2-q375 CVE-2025-48071 HIGH 4 months ago
Summary: The OpenEXRCore code is vulnerable to a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-l...
pypi
No PRs yet
MaterialX Null Pointer Dereference in MaterialXCore Shader Generation due to Unchecked implGraphOutput
GHSA-7qw8-3vmf-gj32 CVE-2025-53011 LOW 4 months ago
Summary: When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with m...
pypi
No PRs yet
MaterialX Null Pointer Dereference in getShaderNodes due to Unchecked nodeGraph->getOutput return
GHSA-3jhf-gxhr-q4cx CVE-2025-53010 LOW 4 months ago
Summary: When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with m...
pypi
No PRs yet
MS SWIFT Deserialization RCE Vulnerability
GHSA-r54c-2xmf-2cf3 MODERATE 4 months ago
This appears to be a security vulnerability report describing a remote code execution (RCE) exploit in the ms-swift framework through malicious pic...
pypi
No PRs yet
MS SWIFT WEB-UI RCE Vulnerability
GHSA-7c78-rm87-5673 CVE-2025-41419 MODERATE 4 months ago
**I. Detailed Description:** This includes scenarios, screenshots, vulnerability reproduction methods. For account-related vulnerabilities, pleas...
pypi
No PRs yet
MS SWIFT Remote Code Execution via unsafe PyYAML deserialization
GHSA-fm6c-f59h-7mmg CVE-2025-50460 LOW 4 months ago
Description: A Remote Code Execution (RCE) vulnerability exists in the [modelscope/ms-swift](https://github.com/modelscope/ms-swift) project due...
pypi
No PRs yet
copyparty Reflected XSS via Filter Parameter
GHSA-8mx2-rjh8-q3jq CVE-2025-54589 MODERATE 4 months ago
Summary: Unauthorized reflected Cross-Site-Scripting when accessing the URL for recent uploads with the `filter` parameter containing JavaScript...
pypi
No PRs yet
Pyload log Injection via API /json/add_package in add_name parameter
GHSA-3wwm-hjv7-23r3 MODERATE 4 months ago
Summary: A log injection vulnerability was identified in `pyload` in API `/json/add_package`. This vulnerability allows user with add packages p...
pypi
No PRs yet
Bugsink path traversal via event_id in ingestion
GHSA-q78p-g86f-jg6q CVE-2025-54433 HIGH 4 months ago
Summary: In affected versions, ingestion paths construct file locations directly from untrusted `event_id` input without validation. A specially...
pypi
No PRs yet
BentoML SSRF Vulnerability in File Upload Processing
GHSA-mrmq-3q62-6cc8 CVE-2025-54381 CRITICAL 4 months ago
Description: There's an SSRF in the file upload processing system that allows remote attackers to make arbitrary HTTP requests from the server ...
pypi
No PRs yet
copyparty has DOM-Based XSS vulnerability when displaying multimedia metadata
GHSA-9q4r-x2hj-jmvr CVE-2025-54423 MODERATE 4 months ago
Summary: An unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sanitization of multime...
pypi
No PRs yet
smolagents has Sandbox Escape Vulnerability in the local_python_executor.py Module
GHSA-6v92-r5mx-h5fx CVE-2025-5120 CRITICAL 4 months ago
A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution envir...
pypi
No PRs yet
Skops may allow MethodNode to access unexpected object fields through dot notation, leading to arbitrary code execution at load time
GHSA-4v6w-xpmh-gfgp CVE-2025-54413 HIGH 4 months ago
Summary: An inconsistency in `MethodNode` can be exploited to access unexpected object fields through dot notation. This can be used to achieve ...
pypi
No PRs yet
Skops has Inconsistent Trusted Type Validation that Enables Hidden `operator` Methods Execution
GHSA-m7f4-hrc6-fwg3 CVE-2025-54412 HIGH 4 months ago
Summary: An inconsistency in `OperatorFuncNode` can be exploited to hide the execution of untrusted `operator.xxx` methods. This can then be used...
pypi
No PRs yet
Assemblyline 4 service client vulnerable to Arbitrary Write through path traversal in Client code
GHSA-75jv-vfxf-3865 CVE-2025-55013 MODERATE 4 months ago
**Path-Traversal -> Arbitrary File Write in Assemblyline Service Client** **IMPORTANT**: This vulnerability is valid if you decide to use the asse...
pypi
No PRs yet
Calibre Web and Autocaliweb have OS Command Injection vulnerability
GHSA-qc4j-v7h6-xr5h CVE-2025-7404 MODERATE 4 months ago
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind O...
pypi
No PRs yet
Calibre Web and Autocaliweb have a ReDoS vulnerability
GHSA-2g7m-ph9x-7q7m CVE-2025-6998 HIGH 4 months ago
ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denia...
pypi
No PRs yet
Mezzanine CMS vulnerable to Cross-site Scripting
GHSA-269j-37ww-cmh3 CVE-2025-50481 MODERATE 4 months ago
A cross-site scripting (XSS) vulnerability in the component /blog/blogpost/add of Mezzanine CMS v6.1.0 allows attackers to execute arbitrary web sc...
pypi
No PRs yet
FastAPI Guard has a regex bypass
GHSA-rrf6-pxg8-684g CVE-2025-54365 HIGH 4 months ago
### Summary The regular expression patched to mitigate the ReDoS vulnerability by limiting the length of string fails to catch inputs that exceed ...
pypi
No PRs yet
Aim vulnerable to Cross-site Scripting
GHSA-gmvv-rj92-9w35 CVE-2025-51464 MODERATE 4 months ago
Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims' browsers via malicious Python ...
pypi
No PRs yet
Dagster Local File Inclusion vulnerability
GHSA-h7x8-jv97-fvvm CVE-2025-51481 MODERATE 4 months ago
Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary f...
pypi
No PRs yet