Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

RSS Feed

24,784

Total Advisories

1,790

With Dependabot PRs

3,506

Critical Severity

8,617

High Severity

Clear All Filters
`pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write
GHSA-xqpg-92fq-grfg CVE-2025-54140 HIGH 4 months ago
## Summary An **authenticated path traversal vulnerability** exists in the `/json/upload` endpoint of the `pyLoad` By **manipulating the filename o...
pypi
No PRs yet
Starlette has possible denial-of-service vector when parsing large files in multipart forms
GHSA-2c2j-9gv5-cj73 CVE-2025-54121 MODERATE 4 months ago
### Summary When parsing a multi-part form with large files (greater than the [default max spool size](https://github.com/encode/starlette/blob/fa5...
pypi
No PRs yet
Cadwyn vulnerable to XSS on the docs page
GHSA-2gxp-6r36-m97r CVE-2025-53528 HIGH 4 months ago
### Summary The `version` parameter of the `/docs` endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. ### PoC 1. Setup a min...
pypi
No PRs yet
WebSSH Cross-site Scripting vulnerability
GHSA-9cg4-9hv5-3376 CVE-2025-7885 LOW 4 months ago
A vulnerability, which was classified as problematic, has been found in Huashengdun WebSSH up to 1.6.2. Affected by this issue is some unknown func...
pypi
No PRs yet
pyLoad vulnerable to XSS through insecure CAPTCHA
GHSA-8w3f-4r8f-pf53 CVE-2025-53890 CRITICAL 5 months ago
#### Summary An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows **unauthenticated remote attackers** to execu...
pypi
No PRs yet
AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
GHSA-9548-qrrj-x5pj CVE-2025-53643 LOW 5 months ago
### Summary The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. ### Impac...
pypi
32
Dependabot PRs
3%
Merged
Indico vulnerability allows attackers to bulk dump user details
GHSA-q28v-664f-q6wj CVE-2025-53640 MODERATE 5 months ago
### Impact An endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such a...
pypi
No PRs yet
py-libp2p is vulnerable to DoS attacks through use of large RSA keys
GHSA-x8c6-gj59-6rx8 CVE-2025-29606 MODERATE 5 months ago
py-libp2p before 0.2.3 allows a peer to cause a denial of service (resource consumption) via a large RSA key.
pypi
No PRs yet
Roundup is vulnerable to XSS through interactions between URLs and issue tracker templates
GHSA-qxh9-qmf2-rhwc CVE-2025-53865 MODERATE 5 months ago
In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).
pypi
No PRs yet
ExecuTorch vulnerable to Heap-based Buffer Overflow attack
GHSA-h952-963h-rv99 CVE-2025-30402 HIGH 5 months ago
A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution o...
maven pypi swift
No PRs yet
Transformers is vulnerable to ReDoS attack through its DonutProcessor class
GHSA-37mw-44qp-f5jm CVE-2025-3933 MODERATE 5 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the Donut...
pypi
No PRs yet
LlamaIndex vulnerable to data loss through hash collisions in its DocugamiReader class
GHSA-5hq9-5r78-2gjh CVE-2025-6211 MODERATE 5 months ago
A vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to but excluding version 0.12.41, involves the use of MD5 h...
pypi
No PRs yet
pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages
GHSA-x698-5hjm-w2m5 CVE-2025-7346 HIGH 5 months ago
### Summary Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packag...
pypi
No PRs yet
fastapi-guard is vulnerable to ReDoS through inefficient regex
GHSA-j47q-rc62-w448 CVE-2025-53539 MODERATE 5 months ago
### Summary fastapi-guard detects penetration attempts by using regex patterns to scan incoming requests. However, some of the regex patterns used...
pypi
No PRs yet
Dagster vulnerable to Path Traversal attack through its /logs endpoint
GHSA-q93c-p2mw-p23f CVE-2023-51232 MODERATE 5 months ago
Directory Traversal vulnerability in dagster-webserver Dagster thru 1.5.10 allows remote attackers to obtain sensitive information via crafted requ...
pypi
No PRs yet
LlamaIndex vulnerable to Path Traversal attack through its encode_image function
GHSA-2rhq-96q8-4vjq CVE-2025-6209 HIGH 5 months ago
A path traversal vulnerability exists in run-llama/llama_index versions 0.11.23 through 0.12.40, specifically within the `encode_image` function in...
pypi
No PRs yet
Lord of Large Language Models vulnerable to Observable Discrepancy attack via authenticate_user function
GHSA-j5pr-vrjj-9v4h CVE-2025-6386 HIGH 5 months ago
The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.p...
pypi
No PRs yet
LlamaIndex vulnerable to DoS attack through uncontrolled recursive JSON parsing
GHSA-3wxx-q3gv-pvvv CVE-2025-5472 MODERATE 5 months ago
The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnera...
pypi
No PRs yet
LlamaIndex vulnerability in its ObsidianReader class can lead to Path Traversal exploit
GHSA-3j8r-jf9w-5cmh CVE-2025-6210 MODERATE 5 months ago
A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, before version 0.5.2 (specifically in version 0.12.27 of llama...
pypi
No PRs yet
Transformers's Improper Input Validation vulnerability can be exploited through username injection
GHSA-phhr-52qp-3mj4 CVE-2025-3777 LOW 5 months ago
Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulner...
pypi
No PRs yet
Transformers vulnerable to ReDoS attack through its get_imports() function
GHSA-jjph-296x-mrcr CVE-2025-3264 MODERATE 5 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_impo...
pypi
No PRs yet
LlamaIndex is vulnerable to Path Traversal attack through its ObsidianReader class
GHSA-fmrf-6jv9-qjc7 CVE-2025-3046 HIGH 5 months ago
A vulnerability in the `ObsidianReader` class in LlamaIndex Readers Integration: Obsidian before version 0.5.1 from the run-llama/llama_index repos...
pypi
No PRs yet
LlamaIndex has an XML Entity Expansion vulnerability in its sitemap parser
GHSA-w42r-mrx7-c633 CVE-2025-3225 HIGH 5 months ago
An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repositor...
pypi
No PRs yet
Transformers vulnerable to ReDoS attack through its SETTING_RE variable
GHSA-489j-g2vx-39wf CVE-2025-3262 MODERATE 5 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.4...
pypi
No PRs yet
Transformers's ReDoS vulnerability in get_configuration_file can lead to catastrophic backtracking
GHSA-q2wp-rjmx-x6x9 CVE-2025-3263 MODERATE 5 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_conf...
pypi
No PRs yet
LlamaIndex vulnerability in ArxivReader class can cause MD5 hash collisions
GHSA-p7j4-jwjf-5x9w CVE-2025-3044 MODERATE 5 months ago
A vulnerability in the ArxivReader class of the run-llama/llama_index repository allows for MD5 hash collisions when generating filenames for downl...
pypi
No PRs yet
LlamaIndex has Incomplete Documentation of Program Execution related to JsonPickleSerializer component
GHSA-m84c-4c34-28gf CVE-2025-3108 MODERATE 5 months ago
Incomplete Documentation of Program Execution exists in the run-llama/llama_index library's JsonPickleSerializer component, affecting versions v0.1...
pypi
No PRs yet
MCP Python SDK vulnerability in the FastMCP Server causes validation error, leading to DoS
GHSA-3qhf-m339-9g5v CVE-2025-53366 HIGH 5 months ago
A validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability (500 err...
pypi
No PRs yet
MCP Python SDK has Unhandled Exception in Streamable HTTP Transport, Leading to Denial of Service
GHSA-j975-95f5-7wqh CVE-2025-53365 HIGH 5 months ago
If a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on th...
pypi
No PRs yet
Pillow vulnerability can cause write buffer overflow on BCn encoding
GHSA-xg8h-j46f-w952 CVE-2025-48379 HIGH 5 months ago
There is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into ...
pypi
No PRs yet
Langchain-Chatchat vulnerable to path traversal
GHSA-f823-phmg-x5fr CVE-2025-6855 LOW 5 months ago
A vulnerability, which was classified as critical, has been found in chatchat-space Langchain-Chatchat up to 0.3.1. This issue affects some unknown...
pypi
No PRs yet
Langchain-Chatchat vulnerable to path traversal
GHSA-8v8h-4pjx-rg73 CVE-2025-6854 LOW 5 months ago
A vulnerability classified as problematic was found in chatchat-space Langchain-Chatchat up to 0.3.1. This vulnerability affects unknown code of th...
pypi
No PRs yet
Langchain-Chatchat has a Path Traversal vulnerability
GHSA-qmgv-j263-qr33 CVE-2025-6853 LOW 5 months ago
A vulnerability classified as critical has been found in chatchat-space Langchain-Chatchat up to 0.3.1. This affects the function upload_temp_docs ...
pypi
No PRs yet
HKUDS LightRAG allows Path Traversal via function upload_to_input_dir
GHSA-v9w6-9hq9-33ch CVE-2025-6773 MODERATE 5 months ago
A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to...
pypi
No PRs yet
MobSF vulnerability allows SSRF due to the allow_redirects=True parameter
GHSA-m435-9v6r-v5f6 CVE-2024-54000 HIGH 5 months ago
### Summary The fix for the "SSRF Vulnerability on assetlinks_check(act_name, well_knowns)" vulnerability could potentially be bypassed. ### Detai...
pypi
No PRs yet
LLaMA-Factory allows Code Injection through improper vhead_file safeguards
GHSA-xj56-p8mm-qmxj CVE-2025-53002 HIGH 5 months ago
### Summary A critical remote code execution vulnerability was discovered during the Llama Factory training process. This vulnerability arises beca...
pypi
No PRs yet
Apache Airflow Providers Snowflake package allows for Special Element Injection via CopyFromExternalStageToSnowflakeOperator
GHSA-9r64-3wmc-x8m8 CVE-2025-50213 CRITICAL 5 months ago
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake. This ...
pypi
No PRs yet
pyspur Incomplete Filtering of Special Elements allowed by SingleLLMCallNode function
GHSA-8gff-cf92-72pv CVE-2025-6518 LOW 5 months ago
A vulnerability was found in PySpur-Dev pyspur up to 0.1.18. It has been classified as critical. Affected is the function SingleLLMCallNode of the ...
pypi
No PRs yet
LangChain Community SSRF vulnerability exists in RequestsToolkit component
GHSA-h5gc-rm8j-5gpr CVE-2025-2828 HIGH 5 months ago
A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langch...
pypi
No PRs yet
ChangeDetection.io XSS in watch overview
GHSA-hwpg-x5hw-vpv9 CVE-2025-52558 HIGH 5 months ago
### Impact XSS - Errors in filters from website page change detection watches were not being filtered. ### Patches 0.50.4
pypi
1
Dependabot PRs
100%
Merged
MLFlow SSRF via gateway_proxy_handler
GHSA-wxj7-3fx5-pp9m CVE-2025-52967 MODERATE 5 months ago
gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.
pypi
No PRs yet
rfc3161-client has insufficient verification for timestamp response signatures
GHSA-6qhv-4h7r-2g9m CVE-2025-52556 CRITICAL 5 months ago
### Impact `rfc3161-client` 1.0.2 and earlier contain a flaw in their timestamp response signature verification logic. In particular, it performs ...
pypi
2
Dependabot PRs
Upsonic has vulnerability in Pickle Handler component that can lead to deserialization
GHSA-rpfv-46xj-5984 CVE-2025-6279 LOW 5 months ago
A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the...
pypi
No PRs yet
Upsonic is vulnerable to Path Traversal attack through its os.path.join function
GHSA-8jf4-fcjr-68c2 CVE-2025-6278 LOW 5 months ago
A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown...
pypi
No PRs yet
urllib3 does not control redirects in browsers and Node.js
GHSA-48p4-8xcf-vxj5 CVE-2025-50182 MODERATE 5 months ago
urllib3 [supports](https://urllib3.readthedocs.io/en/2.4.0/reference/contrib/emscripten.html) being used in a Pyodide runtime utilizing the [JavaSc...
pypi
10089
Dependabot PRs
26%
Merged
urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
GHSA-pq67-6m6q-mj2v CVE-2025-50181 MODERATE 5 months ago
urllib3 handles redirects and retries using the same mechanism, which is controlled by the `Retry` object. The most common way to disable redirects...
pypi
10077
Dependabot PRs
26%
Merged
Langflow Unauth RCE
GHSA-rvqx-wpfh-mfx7 CVE-2025-3248 CRITICAL 5 months ago
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can...
pypi
No PRs yet
Mezzanine CMS has a Stored Cross-Site Scripting (XSS) vulnerability in the displayable_links_js function
GHSA-7pr5-w74r-jjj7 CVE-2025-6050 MODERATE 5 months ago
Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Site Scripting (XSS) vulnerability in the admin interface. The vulnerability exi...
pypi
No PRs yet
python-a2a has a path traversal in the create_workflow function
GHSA-rp38-pj7h-r8q2 CVE-2025-6167 MODERATE 5 months ago
A vulnerability classified as critical has been found in themanojdesai python-a2a up to 0.5.5. Affected is the function create_workflow of the file...
pypi
14
Dependabot PRs
pycares has a Use-After-Free Vulnerability
GHSA-5qpg-rh4j-qp35 MODERATE 5 months ago
## Summary pycares is vulnerable to a use-after-free condition that occurs when a Channel object is garbage collected while DNS queries are still ...
pypi
No PRs yet