Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

RSS Feed

24,785

Total Advisories

1,792

With Dependabot PRs

3,506

Critical Severity

8,617

High Severity

Clear All Filters
FunAudioLLM InspireMusic deserialization vulnerability
GHSA-pgp9-g5q8-j3wp CVE-2025-5148 MODERATE 6 months ago
A vulnerability was found in FunAudioLLM InspireMusic up to bf32364bcb0d136497ca69f9db622e9216b029dd. It has been classified as critical. Affected ...
pypi
No PRs yet
vLLM Allows Remote Code Execution via PyNcclPipe Communication Service
GHSA-hjq4-87xh-g4fv CVE-2025-47277 CRITICAL 6 months ago
### Impacted Environments This issue ONLY impacts environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine. No other c...
pypi
No PRs yet
Langroid has a Code Injection vulnerability in LanceDocChatAgent through vector_store
GHSA-22c2-9gwg-mj59 CVE-2025-46725 HIGH 6 months ago
### Summary [LanceDocChatAgent](https://github.com/langroid/langroid/blob/main/langroid/agent/special/lance_doc_chat_agent.py#L158) uses pandas eva...
pypi
No PRs yet
Langroid has a Code Injection vulnerability in TableChatAgent
GHSA-jqq5-wc57-f8hj CVE-2025-46724 CRITICAL 6 months ago
### Summary `TableChatAgent` uses [pandas eval()](https://github.com/langroid/langroid/blob/main/langroid/agent/special/table_chat_agent.py#L216). ...
pypi
No PRs yet
setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
GHSA-5rjg-fvgr-3xxf CVE-2025-47273 HIGH 6 months ago
### Summary A path traversal vulnerability in `PackageIndex` was fixed in setuptools version 78.1.1 ### Details ``` def _download_url(self, u...
pypi
8
Dependabot PRs
Hugging Face Transformers Regular Expression Denial of Service
GHSA-qq3j-4f4f-9583 CVE-2025-2099 MODERATE 6 months ago
A Regular Expression Denial of Service (ReDoS) exists in the `preprocess_string()` function of the `transformers.testing_utils` module. In versions...
pypi
No PRs yet
Flask-AppBuilder open redirect vulnerability using HTTP host injection
GHSA-99pm-ch96-ccp2 CVE-2025-32962 MODERATE 7 months ago
### Impact Flask-AppBuilder prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host h...
pypi
No PRs yet
Vyper's `slice()` may elide side-effects when output length is 0
GHSA-3vcg-j39x-cwfm CVE-2025-47774 LOW 7 months ago
### Impact the `slice()` builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (`msg.data` or `<addres...
pypi
No PRs yet
Tornado vulnerable to excessive logging caused by malformed multipart form data
GHSA-7cx3-6m66-7c5m CVE-2025-47287 HIGH 7 months ago
### Summary When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder...
pypi
3
Dependabot PRs
33%
Merged
Vyper's `concat()` builtin may elide side-effects for zero-length arguments
GHSA-qhr6-mgqr-mchm CVE-2025-47285 LOW 7 months ago
### Impact `concat()` may skip evaluation of side effects when the length of an argument is zero. this is due to a fastpath in the implementation w...
pypi
No PRs yet
label-studio vulnerable to Cross-Site Scripting (Reflected) via the label_config parameter.
GHSA-8jhr-wpcm-hh4h CVE-2025-47783 HIGH 7 months ago
### Summary The vulnerability allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, unautho...
pypi
No PRs yet
Reflex vulnerable to private state fields modification
GHSA-rf8x-9mhr-49wg CVE-2025-47425 HIGH 7 months ago
### Summary A user on the website can modify any private field on their own state. ### Details An event meant to modify client side storage had ...
pypi
No PRs yet
motionEye vulnerable to RCE in add_camera Function Due to unsafe command execution
GHSA-g5mq-prx7-c588 CVE-2025-47782 HIGH 7 months ago
### Summary Using a constructed (camera) device path with the `config/add`/`add_camera` motionEye web API allows an attacker with motionEye admin u...
pypi
No PRs yet
Flask uses fallback key instead of current signing key
GHSA-4grg-w6v8-c28g CVE-2025-47278 LOW 7 months ago
In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current si...
pypi
2433
Dependabot PRs
27%
Merged
Apache Superset Allows Ownership Takeover
GHSA-w6c7-j32f-rq8j CVE-2025-27696 MODERATE 7 months ago
Improper Authorization vulnerability in Apache Superset allows ownership takeover of dashboards, charts or datasets by authenticated users with rea...
pypi
No PRs yet
LlamaIndex Vulnerable to Denial of Service (DoS)
GHSA-7c85-87cp-mr6g CVE-2025-1752 HIGH 7 months ago
A Denial of Service (DoS) vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llama_index project, affecting ver...
pypi
No PRs yet
OpenStack Ironic fails to restrict paths used for file:// image URLs
GHSA-q3m2-crgq-5p3q CVE-2025-44021 LOW 7 months ago
OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). ...
pypi
No PRs yet
Django has a denial-of-service possibility in strip_tags()
GHSA-8j24-cjrq-gr2m CVE-2025-32873 MODERATE 7 months ago
An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnera...
pypi
4096
Dependabot PRs
24%
Merged
Remote Code Execution Vulnerability in vLLM Multi-Node Cluster Configuration
GHSA-9pcc-gvx5-r5wm CVE-2025-30165 HIGH 7 months ago
### Affected Environments Note that this issue only affects the V0 engine, which has been off by default since v0.8.0. Further, the issue only app...
pypi
No PRs yet
Mezzanine CMS Cross-Site Scripting (XSS) vulnerability
GHSA-2544-hpcq-6g27 CVE-2025-29573 MODERATE 7 months ago
Cross-Site Scripting (XSS) vulnerability exists in Mezzanine CMS 6.0.0 in the "View Entries" feature within the Forms module.
pypi
No PRs yet
Langroid Allows XXE Injection via XMLToolMessage
GHSA-pw95-88fg-3j6f CVE-2025-46726 HIGH 7 months ago
### Summary A LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input that could result in DoS and/or exposing loca...
pypi
No PRs yet
Mobile Security Framework (MobSF) Allows Web Server Resource Exhaustion via ZIP of Death Attack
GHSA-c5vg-26p8-q8cr CVE-2025-46730 MODERATE 7 months ago
**Vulnerable MobSF Versions:** <= v4.3.2 **Details:** MobSF is a widely adopted mobile application security testing tool used by security teams ac...
pypi
No PRs yet
Browser Use allows bypassing `allowed_domains` by putting a decoy domain in http auth username portion of a URL
GHSA-x39x-9qw5-ghrf CVE-2025-47241 CRITICAL 7 months ago
### Summary During a manual source code review, [**ARIMLABS.AI**](https://arimlabs.ai) researchers identified that the `browser_use` module inclu...
pypi
No PRs yet
Mobile Security Framework (MobSF) Allows Stored Cross Site Scripting (XSS) via malicious SVG Icon Upload
GHSA-mwfg-948f-2cc5 CVE-2025-46335 MODERATE 7 months ago
**Vulnerable MobSF Versions:** <= v4.3.2 **CVSS V4.0 Score:** 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N) **Details:**...
pypi
No PRs yet
phi4mm: Quadratic Time Complexity in Input Token Processing​ leads to denial of service
GHSA-vc6m-hm49-g9qg CVE-2025-46560 MODERATE 7 months ago
### Summary A critical performance vulnerability has been identified in the input preprocessing logic of the multimodal tokenizer. The code dynamic...
pypi
No PRs yet
vLLM Vulnerable to Remote Code Execution via Mooncake Integration
GHSA-hj4w-hm2g-p6w5 CVE-2025-32444 CRITICAL 7 months ago
## Impacted Deployments **Note that vLLM instances that do NOT make use of the mooncake integration are NOT vulnerable.** ## Description vLLM in...
pypi
No PRs yet
Data exposure via ZeroMQ on multi-node vLLM deployment
GHSA-9f8f-2vmf-885j CVE-2025-30202 HIGH 7 months ago
### Impact In a multi-node vLLM deployment, vLLM uses ZeroMQ for some multi-node communication purposes. The primary vLLM host opens an `XPUB` Zero...
pypi
No PRs yet
Transformers Regular Expression Denial of Service (ReDoS) vulnerability
GHSA-fpwr-67px-3qhx CVE-2025-1194 MODERATE 7 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file `toke...
pypi
No PRs yet
AWorld OS Command Injection vulnerability
GHSA-jmjf-mfhm-j3gf CVE-2025-4032 LOW 7 months ago
A vulnerability was found in inclusionAI AWorld up to 8c257626e648d98d793dd9a1a950c2af4dd84c4e. It has been rated as critical. This issue affects t...
pypi
No PRs yet
markdownify allows large headline prefixes such as <h9999999>, which causes memory consumption
GHSA-7mpr-5m44-h73r CVE-2025-46656 LOW 7 months ago
python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. This causes ...
pypi
No PRs yet
h11 accepts some malformed Chunked-Encoding bodies
GHSA-vqfr-h8mv-ghfj CVE-2025-43859 CRITICAL 7 months ago
### Impact A leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under ce...
pypi
83
Dependabot PRs
13%
Merged
LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in Ilamafy_baichuan2.py
GHSA-f2f7-gj54-6vpv CVE-2025-46567 MODERATE 7 months ago
### Description A critical vulnerability exists in the `llamafy_baichuan2.py` script of the [LLaMA-Factory](https://github.com/hiyouga/LLaMA-Facto...
pypi
No PRs yet
CVE-2025-24357 Malicious model remote code execution fix bypass with PyTorch < 2.6.0
GHSA-ggpf-24jw-3fcw CRITICAL 7 months ago
## Description https://github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54 reported a vulnerability where loading a malicious mod...
pypi
No PRs yet
OctoPrint Authenticated Reverse Proxy Page Authentication Bypass
GHSA-qw93-h6pf-226x CVE-2025-32788 MODERATE 7 months ago
### Impact OctoPrint versions up until and including 1.10.3 contain a vulnerability that allows an attacker to bypass the login redirect and direc...
pypi
No PRs yet
Crawl4AI SSRF vulnerability
GHSA-445m-27cf-gr3x CVE-2025-28197 MODERATE 7 months ago
Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py.
pypi
No PRs yet
youtube-dl vulnerable to file system modification and RCE through improper file-extension sanitization
GHSA-22fp-mf44-f2mq HIGH 7 months ago
#### Description This advisory follows the security advisory [GHSA-79w7-vh3h-8g4j published by the _yt-dlp/yt-dlp_ project](https://github.com/yt-d...
pypi
No PRs yet
PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
GHSA-53q9-r3pm-6pq6 CVE-2025-32434 CRITICAL 7 months ago
# Description I found a Remote Command Execution (RCE) vulnerability in PyTorch. When loading model using torch.load with weights_only=True, it can...
pypi
No PRs yet
Rasa Pro Missing Authentication For Voice Connector APIs
GHSA-7xq5-54jp-2mfg CVE-2025-32377 MODERATE 8 months ago
## Vulnerability A vulnerability has been identified in Rasa Pro where voice connectors in Rasa Pro do not properly implement authentication even w...
pypi
No PRs yet
Pycel allows code injection via a crafted formula
GHSA-pw67-xjhq-389w CVE-2024-53924 HIGH 8 months ago
Pycel through 1.0b30, when operating on an untrusted spreadsheet, allows code execution via a crafted formula in a cell, such as one beginning with...
pypi
No PRs yet
PyTorch Improper Resource Shutdown or Release vulnerability
GHSA-887c-mr87-cxwp CVE-2025-3730 MODERATE 8 months ago
A vulnerability, which was classified as problematic, was found in PyTorch 2.6.0. Affected is the function torch.nn.functional.ctc_loss of the file...
pypi
No PRs yet
Whoogle allows attackers to execute arbitrary code via supplying a crafted search query
GHSA-2689-cw26-6cpj CVE-2024-53305 HIGH 8 months ago
An issue in the component /models/config.py of Whoogle search v0.9.0 allows attackers to execute arbitrary code via supplying a crafted search query.
pypi
No PRs yet
vLLM vulnerable to Denial of Service by abusing xgrammar cache
GHSA-hf3c-wxg2-49q9 MODERATE 8 months ago
### Impact This report is to highlight a vulnerability in XGrammar, a library used by the structured output feature in vLLM. The XGrammar advisory...
pypi
No PRs yet
VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext
GHSA-m67m-3p5g-cw9j CVE-2025-32021 LOW 8 months ago
### Summary When creating a new component from an existing component that has a source code repository URL specified in settings, this URL is incl...
pypi
No PRs yet
TigerVNC accessible via the network and not just via a UNIX socket as intended
GHSA-vrq4-9hc3-cgp7 CVE-2025-32428 CRITICAL 8 months ago
## Summary `jupyter-remote-desktop-proxy` was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used w...
pypi
1
Dependabot PRs
xgrammar Vulnerable to Denial of Service (DoS) by abusing unbounded cache in memory
GHSA-389x-67px-mjg3 CVE-2025-32381 MODERATE 8 months ago
### Summary Xgrammar includes a cache for compiled grammars to increase performance with repeated use of the same grammar. This cache is held in m...
pypi
No PRs yet
BentoML's runner server Vulnerable to Remote Code Execution (RCE) via Insecure Deserialization
GHSA-7v4r-c989-xh26 CVE-2025-32375 CRITICAL 8 months ago
### Summary There was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is...
pypi
No PRs yet
Picklescan missing detection when calling built-in python library function timeit.timeit()
GHSA-v7x6-rv5q-mhwc MODERATE 8 months ago
### Summary Using timeit.timeit() function, which is a built-in python library function to execute remote pickle file. ### Details Pickle’s deseri...
pypi
4
Dependabot PRs
25%
Merged
Picklescan failed to detect to some unsafe global function in Numpy library
GHSA-fj43-3qmq-673f MODERATE 8 months ago
### Summary An unsafe deserialization vulnerability in Python’s pickle module allows an attacker to bypass static analysis tools like Picklescan an...
pypi
4
Dependabot PRs
25%
Merged
Picklescan Vulnerable to Exfiltration via DNS via linecache and ssl.get_server_certificate
GHSA-93mv-x874-956g CVE-2025-46417 HIGH 8 months ago
### Summary Picklescan does not detect malicious pickles that exfiltrate sensitive information via DNS after deserialization. ### Details pickl...
pypi
4
Dependabot PRs
25%
Merged
LNbits Lightning Network Payment System Vulnerable to Server-Side Request Forgery via LNURL Authentication Callback
GHSA-qp8j-p87f-c8cc CVE-2025-32013 CRITICAL 8 months ago
# Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System ## Disclaimer This vulnerability was d...
pypi
No PRs yet