An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,784 total advisories
1,791 with Dependabot PRs
3,506 critical severity
8,617 high severity

protobuf-python has a potential Denial of Service issue
GHSA-8qvm-5x2c-j2w7 CVE-2025-4565 HIGH 5 months ago
Summary: Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of **recursi...
pypi
No PRs yet
Weblate exposes personal IP address via e-mail
GHSA-4qqf-9m5c-w2c5 CVE-2025-49134 LOW 5 months ago
Impact: The audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP...
pypi
No PRs yet
Weblate lacks rate limiting when verifying second factor
GHSA-57jg-m997-cx3q CVE-2025-47951 MODERATE 5 months ago
Impact: The verification of the second factor was not subject to rate limiting. The absence of rate limiting on the second factor endpoint allo...
pypi
No PRs yet
Salt vulnerable to directory traversal attack in file receiving method
GHSA-8pcp-r83j-fc92 CVE-2024-38824 CRITICAL 6 months ago
Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory.
pypi
No PRs yet
Salt's worker process vulnerable to denial of service through file read operation
GHSA-989c-m532-p2hv CVE-2025-22242 MODERATE 6 months ago
Worker process denial of service through file read operation. A vulnerability exists in the Master's "pub_ret" method which is exposed to all mini...
pypi
No PRs yet
Salt's file contents overwrite the VirtKey class
GHSA-7f3f-x5f5-79gw CVE-2025-22241 MODERATE 6 months ago
File contents overwrite: the VirtKey class is called when "on-demand pillar" data is requested and uses un-validated input to create paths to the "p...
pypi
No PRs yet
Salt vulnerable to directory traversal attack in minion file cache creation
GHSA-r546-h3ff-q585 CVE-2025-22238 MODERATE 6 months ago
Directory traversal attack in minion file cache creation. The master's default cache is vulnerable to a directory traversal attack, which could be ...
pypi
No PRs yet
Salt vulnerable to arbitrary event injection
GHSA-c46w-gr7f-jm2p CVE-2025-22239 HIGH 6 months ago
Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by an authorized minion to send arbitrary events onto th...
pypi
No PRs yet
Salt has minion event bus authorization bypass vulnerability
GHSA-jh7c-xh74-h76f CVE-2025-22236 HIGH 6 months ago
Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other mini...
pypi
No PRs yet
Salt allows arbitrary directory creation or file deletion
GHSA-xh32-3m67-qjgf CVE-2025-22240 MODERATE 6 months ago
Arbitrary directory creation or file deletion. In the find_file method of the GitFS class, a path is created using os.path.join using unvalidated i...
pypi
No PRs yet
Salt's salt.auth.pki module does not properly authenticate callers
GHSA-4j59-vv55-q6h3 CVE-2024-38825 MODERATE 6 months ago
The salt.auth.pki module does not properly authenticate callers. The "password" field contains a public certificate which is validated against a CA...
pypi
No PRs yet
Salt's on demand pillar functionality vulnerable to arbitrary command injections
GHSA-fcr4-h6c4-rvvp CVE-2025-22237 MODERATE 6 months ago
An attacker with access to a minion key can exploit the 'on demand' pillar functionality with a specially crafted git url which could cause an arb...
pypi
No PRs yet
Vantage6 Server JWT secret not cryptographically secure
GHSA-m3mq-f375-5vgh CVE-2025-43866 LOW 6 months ago
Impact: The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not ...
pypi
No PRs yet
vantage6 lacks brute-force protection on change password functionality
GHSA-j6g5-p62x-58hw CVE-2025-43863 LOW 6 months ago
Impact: If an attacker gets access to an authenticated session, they can try to brute-force the user password by using the change password function...
pypi
No PRs yet
Nautobot may allow uploaded media files to be accessible without authentication
GHSA-rh67-4c8j-hjjh CVE-2025-49143 MODERATE 6 months ago
Impact: Files uploaded by users to Nautobot's `MEDIA_ROOT` directory, including DeviceType image attachments as well as images attached to a Lo...
pypi
2 Dependabot PRs
Nautobot vulnerable to secrets exposure and data manipulation through Jinja2 templating
GHSA-wjw6-95h5-4jpx CVE-2025-49142 MODERATE 6 months ago
Impact: All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially ...
pypi
2 Dependabot PRs
OctoPrint Vulnerable to Denial of Service through malformed HTTP request in OctoPrint
GHSA-9wj4-8h85-pgrw CVE-2025-48879 MODERATE 6 months ago
Impact: OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated...
pypi
No PRs yet
OctoPrint vulnerable to possible file extraction via upload endpoints
GHSA-m9jh-jf9h-x3h2 CVE-2025-48067 MODERATE 6 months ago
Impact: OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows an attacker with the `FILE_UPLOAD` permission to e...
pypi
No PRs yet
Requests vulnerable to .netrc credentials leak via malicious URLs
GHSA-9hjg-9r4m-mvj7 CVE-2024-47081 MODERATE 6 months ago
Impact: Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-cra...
pypi
16965 Dependabot PRs, 26% merged
BackendAI vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
GHSA-hxvr-gg2w-j48x CVE-2025-49653 HIGH 6 months ago
Exposure of sensitive data in active sessions in Lablup's BackendAI allows attackers to retrieve credentials for users on the management platform.
pypi
No PRs yet
Backend.AI Missing Authorization vulnerability
GHSA-h889-475r-wfmm CVE-2025-49651 HIGH 6 months ago
Missing Authorization in Lablup's BackendAI allows attackers to take over all active sessions; accessing, stealing, or altering any data accessible ...
pypi
No PRs yet
BackendAI Missing Authentication for Critical Function
GHSA-ww28-4m4v-cq4j CVE-2025-49652 CRITICAL 6 months ago
Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private dat...
pypi
No PRs yet
Skyvern has a Jinja runtime leak
GHSA-h92g-3xc3-ww2r CVE-2025-49619 HIGH 6 months ago
Skyvern through 0.2.0 has a Jinja runtime leak in sdk/workflow/models/block.py.
pypi
No PRs yet
llama_index vulnerable to SQL Injection
GHSA-v3c8-3pr6-gr7p CVE-2025-1793 CRITICAL 6 months ago
Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an att...
pypi
No PRs yet
Django Improper Output Neutralization for Logs vulnerability
GHSA-7xr5-9hcq-chf9 CVE-2025-48432 MODERATE 6 months ago
An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape reques...
pypi
4294 Dependabot PRs, 20% merged
SignXML's signature verification with HMAC is vulnerable to an algorithm confusion attack
GHSA-6vx8-pcwv-xhf4 CVE-2025-48994 MODERATE 6 months ago
When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, h...
pypi
9 Dependabot PRs, 33% merged
SignXML's signature verification with HMAC is vulnerable to a timing attack
GHSA-gmhf-gg8w-jw42 CVE-2025-48995 MODERATE 6 months ago
When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, h...
pypi
9 Dependabot PRs, 33% merged
AstrBot Has Path Traversal Vulnerability in /api/chat/get_file
GHSA-cq37-g2qp-3c2p CVE-2025-48957 HIGH 6 months ago
Impact: This vulnerability may lead to: * Information disclosure, such as API keys for LLM providers, account passwords, and other sensitive d...
pypi
No PRs yet
Jupyter Core on Windows Has Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
GHSA-33p9-3p43-82vq CVE-2025-30167 HIGH 6 months ago
Impact: On Windows, the shared `%PROGRAMDATA%` directory is searched for configuration files (`SYSTEM_CONFIG_PATH` and `SYSTEM_JUPYTER_PATH`), w...
pypi
43 Dependabot PRs, 46% merged
django-helpdesk Allows Sensitive Data Exposure
GHSA-m4jx-m5hg-qrxx CVE-2018-25111 MODERATE 6 months ago
django-helpdesk before 1.0.0 allows Sensitive Data Exposure because of os.umask(0) in models.py.
pypi
No PRs yet
Apache Superset: Improper authorization bypass on row level security via SQL Injection
GHSA-8w7f-8pr9-xgwj CVE-2025-48912 HIGH 6 months ago
An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpressio...
pypi
No PRs yet
Gradio Allows Unauthorized File Copy via Path Manipulation
GHSA-8jw3-6x8j-v96g CVE-2025-48889 MODERATE 6 months ago
An arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's file...
pypi
No PRs yet
Aim Vulnerable to Sandbox Escape Leading to Remote Code Execution
GHSA-gp5h-f9c5-8355 CVE-2025-5321 LOW 6 months ago
A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the...
pypi
No PRs yet
Gradio CORS Origin Validation Bypass Vulnerability
GHSA-wmjh-cpqj-4v6x CVE-2025-5320 LOW 6 months ago
A vulnerability classified as problematic has been found in gradio-app gradio up to 5.29.1. This affects the function is_valid_origin of the compon...
pypi
No PRs yet
multicast in source builds from vulnerable setuptools dependency
GHSA-94v7-wxj6-r2q5 MODERATE 6 months ago
Impact: * Some source-builds may be impacted by a CWE-1395 (e.g. vulnerable `setuptools` dependency). * Multicast prior to v2.0.9a3 on system...
pypi
No PRs yet
vLLM Tool Schema allows DoS via Malformed pattern and type Fields
GHSA-vrq3-r879-7m65 CVE-2025-48944 MODERATE 6 months ago
Summary: The vLLM backend used with the /v1/chat/completions OpenAPI endpoint fails to validate unexpected or malformed input in the "pattern" a...
pypi
No PRs yet
vLLM allows clients to crash the openai server with invalid regex
GHSA-9hcf-v7m4-6m2j CVE-2025-48943 MODERATE 6 months ago
Impact: A denial of service bug caused the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerabil...
pypi
No PRs yet
vLLM DOS: Remotely kill vllm over http with invalid JSON schema
GHSA-6qc9-v4r8-22xg CVE-2025-48942 MODERATE 6 months ago
Summary: Hitting the /v1/completions API with an invalid json_schema as a Guided Param will kill the vllm server. Details: The following API...
pypi
No PRs yet
vLLM has a Weakness in MultiModalHasher Image Hashing Implementation
GHSA-c65p-x677-fgj6 CVE-2025-46722 MODERATE 6 months ago
Summary: In the file `vllm/multimodal/hasher.py`, the `MultiModalHasher` class has a security and data integrity issue in its image hashing meth...
pypi
No PRs yet
Potential Timing Side-Channel Vulnerability in vLLM’s Chunk-Based Prefix Caching
GHSA-4qjh-9fv9-r85r CVE-2025-46570 LOW 6 months ago
This issue arises from the prefix caching mechanism, which may expose the system to a timing side-channel attack. Description: When a new prompt...
pypi
No PRs yet
vLLM vulnerable to Regular Expression Denial of Service
GHSA-j828-28rj-hfhp MODERATE 6 months ago
Summary: A recent review identified several regular expressions in the vllm codebase that are susceptible to Regular Expression Denial of Servic...
pypi
No PRs yet
vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py`
GHSA-w6q7-j642-7c25 CVE-2025-48887 MODERATE 6 months ago
Summary: A Regular Expression Denial of Service (ReDoS) vulnerability exists in the file [`vllm/entrypoints/openai/tool_parsers/pythonic_tool_pa...
pypi
No PRs yet
Issue with Amazon Redshift Python Connector and the BrowserAzureOAuth2CredentialsProvider plugin
GHSA-r244-wg5g-6w2r CVE-2025-5279 HIGH 6 months ago
Summary: [Amazon Redshift Python Connector](https://docs.aws.amazon.com/redshift/latest/mgmt/python-redshift-driver.html) is a pure Python conne...
pypi
23 Dependabot PRs, 13% merged
LLama-Index CLI OS command injection vulnerability
GHSA-g99h-56mw-8263 CVE-2025-1753 HIGH 6 months ago
LLama-Index CLI prior to v0.4.1, corresponding to LLama-Index prior to v0.12.21, contains an OS command injection vulnerability. The vulnerability ...
pypi
No PRs yet
Django-Select2 Vulnerable to Widget Instance Secret Cache Key Leaking
GHSA-wjrh-hj83-3wh7 CVE-2025-48383 HIGH 6 months ago
Impact: Instances of `HeavySelect2Mixin` subclasses like the `ModelSelect2MultipleWidget` and `ModelSelect2Widget` can leak secret access tokens acr...
pypi
14 Dependabot PRs, 21% merged
pypickle unsafe deserialization vulnerability
GHSA-5qwj-342r-h886 CVE-2025-5174 MODERATE 6 months ago
A vulnerability was found in erdogant pypickle up to 1.1.5 and classified as problematic. Affected by this issue is the function load of the file p...
pypi
No PRs yet
pypickle Incorrect Privilege Assignment vulnerability
GHSA-qpxx-2cwh-r5vh CVE-2025-5175 MODERATE 6 months ago
A vulnerability was found in erdogant pypickle up to 1.1.5. It has been classified as critical. This affects the function Save of the file pypickle...
pypi
No PRs yet
HumanSignal label-studio-ml-backend Deserialization of Untrusted Data vulnerability
GHSA-55g9-6c2x-gf8q CVE-2025-5173 MODERATE 6 months ago
A vulnerability has been found in HumanSignal label-studio-ml-backend up to 9fb7f4aa186612806af2becfb621f6ed8d9fdbaf and classified as problematic....
pypi
No PRs yet
docarray prototype pollution
GHSA-j9wp-865g-rf48 CVE-2025-5150 MODERATE 6 months ago
A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /...
pypi
No PRs yet
FunAudioLLM InspireMusic deserialization vulnerability
GHSA-pgp9-g5q8-j3wp CVE-2025-5148 MODERATE 6 months ago
A vulnerability was found in FunAudioLLM InspireMusic up to bf32364bcb0d136497ca69f9db622e9216b029dd. It has been classified as critical. Affected ...
pypi
No PRs yet