Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,784
With Dependabot PRs: 1,790
Critical Severity: 3,506
High Severity: 8,617
Ray is vulnerable to Critical RCE via Safari & Firefox Browsers through DNS Rebinding Attack
GHSA-q279-jhrf-cc6v CVE-2025-62593 CRITICAL about 6 hours ago
# Summary
Developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. ...
pypi
No PRs yet
Modular Max Serve has Unsafe Deserialization vulnerability
GHSA-7xcv-9j6c-2fmc CVE-2025-60455 CRITICAL 8 days ago
Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used ...
pypi
No PRs yet
joserfc has Possible Uncontrolled Resource Consumption Vulnerability Triggered by Logging Arbitrarily Large JWT Token Payloads
GHSA-frfh-8v73-gjg4 CVE-2025-65015 CRITICAL 8 days ago
### Summary
The `ExceededSizeError` exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbi...
pypi
No PRs yet
AstrBot is vulnerable to RCE with hard-coded JWT signing keys
GHSA-4m32-cjv7-f425 CVE-2025-55449 CRITICAL 12 days ago
### Summary
AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin.
### Deta...
pypi
No PRs yet
pgAdmin4 vulnerable to Remote Code Execution (RCE) when running in server mode
GHSA-w2p4-p4rh-qcm3 CVE-2025-12762 CRITICAL 13 days ago
pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing resto...
pypi
No PRs yet
Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.
GHSA-frmv-pr5f-9mcr CVE-2025-64459 CRITICAL 21 days ago
An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `...
pypi
Dependabot PRs: 78
Keras framework vulnerable to deserialization of untrusted data
GHSA-cvhh-q5g5-qprp CVE-2025-49655 CRITICAL about 1 month ago
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a m...
pypi
No PRs yet
pyquokka is Vulnerable to Remote Code Execution by Pickle Deserialization via FlightServer
GHSA-f74j-gffq-vm9p CVE-2025-62515 CRITICAL about 1 month ago
### Description
In the FlightServer class of the pyquokka framework, the do_action() method directly uses pickle.loads() to deserialize action bod...
pypi
No PRs yet
BBOT's insufficient sanitization issues in gitdumper.py can lead to RCE
GHSA-h6m2-r6h9-4c44 CVE-2025-10283 CRITICAL about 2 months ago
### Summary
bbot's `gitdumper.py` insufficiently sanitises a `.git/config` file, leading to Remote Code Execution (RCE).
bbot's `gitdumper.py` ca...
pypi
No PRs yet
BBOT's various issues in unarchive.py can cause arbitrary file write and RCE
GHSA-fhw8-8v9p-7jp7 CVE-2025-10284 CRITICAL about 2 months ago
### Summary
Various issues in bbot's `unarchive.py` allow a malicious site to cause bbot to write arbitrary files to arbitrary locations. This can...
pypi
No PRs yet
scio is vulnerable to Remote Command Execution through PyTorch
GHSA-m9mp-6x32-5rhg CRITICAL about 2 months ago
### Impact
PyTorch reported a [**critical** vulnerability](https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6) when using `...
pypi
No PRs yet
Apache Pyfory python is vulnerable to deserialization of untrusted data
GHSA-538v-3wq9-4h3r CVE-2025-61622 CRITICAL about 2 months ago
Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allo...
pypi
No PRs yet
H2O affected by a deserialization vulnerability
GHSA-5w3j-gwgh-4rfv CVE-2025-6544 CRITICAL 2 months ago
A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.7, allowing attackers to read arbitrary system files and execute arbitrary...
maven
pypi
No PRs yet
InvokeAI has External Control of File Name or Path
GHSA-vv9c-xxg7-wmv7 CVE-2025-6237 CRITICAL 2 months ago
### Path Traversal Vulnerability in InvokeAI
A path traversal vulnerability in **InvokeAI** (versions < 6.7.0) allows an unauthenticated remote at...
pypi
No PRs yet
mcp-kubernetes-server has an OS Command Injection vulnerability
GHSA-4hqq-7q79-932p CVE-2025-59377 CRITICAL 2 months ago
`feiskyer/mcp-kubernetes-server` through **0.1.11** allows **OS command injection** via the `/mcp/kubectl` endpoint. The handler constructs a shell...
pypi
No PRs yet
Picklescan Bypass is Possible via File Extension Mismatch
GHSA-jgw4-cr84-mqxg CVE-2025-10155 CRITICAL 3 months ago
### Summary
Picklescan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-re...
pypi
No PRs yet
Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check
GHSA-mjqp-26hc-grxg CVE-2025-10156 CRITICAL 3 months ago
### Summary
Picklescan's ability to scan ZIP archives for malicious pickle files is compromised when the archive contains a file with a bad Cyclic ...
pypi
No PRs yet
Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports
GHSA-f7qq-56ww-84cr CVE-2025-10157 CRITICAL 3 months ago
### Summary
The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. T...
pypi
No PRs yet
internetarchive Vulnerable to Directory Traversal in File.download()
GHSA-wx3r-v6h7-frjp CVE-2025-58438 CRITICAL 3 months ago
### Impact
**What kind of vulnerability is it?**
This is a **Critical** severity directory traversal (path traversal) vulnerability in the `File.do...
pypi
No PRs yet
TkEasyGUI Vulnerable to OS Command Injection
GHSA-hfrj-3w3g-jv32 CVE-2025-55037 CRITICAL 3 months ago
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. If ...
pypi
No PRs yet
Pixar OpenUSD Sdf_PathNode Module Use-After-Free Vulnerability Leading to Potential Remote Code Execution
GHSA-58p5-r2f6-g2cj CRITICAL 3 months ago
### Summary
A Use-After-Free (UAF) vulnerability has been discovered in the Sdf_PathNode module of the Pixar OpenUSD library. This issue occurs dur...
pypi
No PRs yet
DeepDiff Class Pollution in Delta class leading to DoS, Remote Code Execution, and more
GHSA-mw26-5g2v-hqw3 CVE-2025-58367 CRITICAL 3 months ago
### Summary
[Python class pollution](https://blog.abdulrah33m.com/prototype-pollution-in-python/) is a novel vulnerability categorized under [CWE-9...
pypi
Dependabot PRs: 1
ExecuTorch integer overflow vulnerability
GHSA-84m3-f99p-cqx5 CVE-2025-30405 CRITICAL 4 months ago
An integer overflow vulnerability in the loading of ExecuTorch models can cause objects to be placed outside their allocated memory area, potential...
pypi
No PRs yet
ExecuTorch integer overflow vulnerability
GHSA-hj95-mhgf-jxc4 CVE-2025-30404 CRITICAL 4 months ago
An integer overflow vulnerability in the loading of ExecuTorch models can cause overlapping allocations, potentially resulting in code execution or...
pypi
No PRs yet
ExecuTorch heap buffer overflow vulnerability
GHSA-9m39-3mf3-xwch CVE-2025-54949 CRITICAL 4 months ago
A heap buffer overflow vulnerability in the loading of ExecuTorch models can potentially result in code execution or other undesirable effects. Thi...
pypi
No PRs yet
ExecuTorch out-of-bounds access vulnerability
GHSA-f9hx-c6jf-3qxm CVE-2025-54950 CRITICAL 4 months ago
An out-of-bounds access vulnerability in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution o...
pypi
No PRs yet
ExecuTorch vulnerable to Heap-based Buffer Overflow
GHSA-xc7w-r669-48pf CVE-2025-54951 CRITICAL 4 months ago
A group of related buffer overflow vulnerabilities in the loading of ExecuTorch models can cause the runtime to crash and potentially result in cod...
pypi
No PRs yet
pyLoad CNL Blueprint allows Path Traversal through `dlc_path` which leads to Remote Code Execution (RCE)
GHSA-48rp-jc79-2264 CVE-2025-54802 CRITICAL 4 months ago
### Summary
**Path Traversal in pyLoad-ng CNL Blueprint via `package` parameter allows Arbitrary File Write leading to Remote Code Execution (RCE)*...
pypi
No PRs yet
num2words subjected to phishing attack, two versions published containing malware
GHSA-jxr6-qrxx-2ph2 CRITICAL 4 months ago
The `num2words` project was compromised via a phishing attack and two new versions were uploaded to PyPI containing malicious code. The affected ve...
pypi
No PRs yet
BentoML SSRF Vulnerability in File Upload Processing
GHSA-mrmq-3q62-6cc8 CVE-2025-54381 CRITICAL 4 months ago
### Description
There's an SSRF in the file upload processing system that allows remote attackers to make arbitrary HTTP requests from the server ...
pypi
No PRs yet
smolagents has Sandbox Escape Vulnerability in the local_python_executor.py Module
GHSA-6v92-r5mx-h5fx CVE-2025-5120 CRITICAL 4 months ago
A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution envir...
pypi
No PRs yet
pyLoad vulnerable to XSS through insecure CAPTCHA
GHSA-8w3f-4r8f-pf53 CVE-2025-53890 CRITICAL 4 months ago
#### Summary
An unsafe JavaScript evaluation vulnerability in pyLoad’s CAPTCHA processing code allows **unauthenticated remote attackers** to execu...
pypi
No PRs yet
Apache Airflow Providers Snowflake package allows for Special Element Injection via CopyFromExternalStageToSnowflakeOperator
GHSA-9r64-3wmc-x8m8 CVE-2025-50213 CRITICAL 5 months ago
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake.
This ...
pypi
No PRs yet
rfc3161-client has insufficient verification for timestamp response signatures
GHSA-6qhv-4h7r-2g9m CVE-2025-52556 CRITICAL 5 months ago
### Impact
`rfc3161-client` 1.0.2 and earlier contain a flaw in their timestamp response signature verification logic. In particular, it performs ...
pypi
Dependabot PRs: 2
Langflow Unauth RCE
GHSA-rvqx-wpfh-mfx7 CVE-2025-3248 CRITICAL 5 months ago
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can...
pypi
No PRs yet
Salt vulnerable to directory traversal attack in file receiving method
GHSA-8pcp-r83j-fc92 CVE-2024-38824 CRITICAL 6 months ago
Directory traversal vulnerability in recv_file method allows arbitrary files to be written to the master cache directory.
pypi
No PRs yet
BackendAI Missing Authentication for Critical Function
GHSA-ww28-4m4v-cq4j CVE-2025-49652 CRITICAL 6 months ago
Missing Authentication in the registration feature of Lablup's BackendAI allows arbitrary users to create user accounts that can access private dat...
pypi
No PRs yet
llama_index vulnerable to SQL Injection
GHSA-v3c8-3pr6-gr7p CVE-2025-1793 CRITICAL 6 months ago
Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an att...
pypi
No PRs yet
vLLM Allows Remote Code Execution via PyNcclPipe Communication Service
GHSA-hjq4-87xh-g4fv CVE-2025-47277 CRITICAL 6 months ago
### Impacted Environments
This issue ONLY impacts environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine. No other c...
pypi
No PRs yet
Langroid has a Code Injection vulnerability in TableChatAgent
GHSA-jqq5-wc57-f8hj CVE-2025-46724 CRITICAL 6 months ago
### Summary
`TableChatAgent` uses [pandas eval()](https://github.com/langroid/langroid/blob/main/langroid/agent/special/table_chat_agent.py#L216). ...
pypi
No PRs yet
Browser Use allows bypassing `allowed_domains` by putting a decoy domain in http auth username portion of a URL
GHSA-x39x-9qw5-ghrf CVE-2025-47241 CRITICAL 7 months ago
### Summary
During a manual source code review, [**ARIMLABS.AI**](https://arimlabs.ai) researchers identified that the `browser_use` module inclu...
pypi
No PRs yet
vLLM Vulnerable to Remote Code Execution via Mooncake Integration
GHSA-hj4w-hm2g-p6w5 CVE-2025-32444 CRITICAL 7 months ago
## Impacted Deployments
**Note that vLLM instances that do NOT make use of the mooncake integration are NOT vulnerable.**
## Description
vLLM in...
pypi
No PRs yet
h11 accepts some malformed Chunked-Encoding bodies
GHSA-vqfr-h8mv-ghfj CVE-2025-43859 CRITICAL 7 months ago
### Impact
A leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under ce...
pypi
Dependabot PRs: 83 (13% merged)
CVE-2025-24357 Malicious model remote code execution fix bypass with PyTorch < 2.6.0
GHSA-ggpf-24jw-3fcw CRITICAL 7 months ago
## Description
https://github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54 reported a vulnerability where loading a malicious mod...
pypi
No PRs yet
PyTorch: `torch.load` with `weights_only=True` leads to remote code execution
GHSA-53q9-r3pm-6pq6 CVE-2025-32434 CRITICAL 7 months ago
# Description
I found a Remote Command Execution (RCE) vulnerability in PyTorch. When loading a model using torch.load with weights_only=True, it can...
pypi
No PRs yet
TigerVNC accessible via the network and not just via a UNIX socket as intended
GHSA-vrq4-9hc3-cgp7 CVE-2025-32428 CRITICAL 8 months ago
## Summary
`jupyter-remote-desktop-proxy` was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used w...
pypi
Dependabot PRs: 1
BentoML's runner server Vulnerable to Remote Code Execution (RCE) via Insecure Deserialization
GHSA-7v4r-c989-xh26 CVE-2025-32375 CRITICAL 8 months ago
### Summary
There was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is...
pypi
No PRs yet
LNbits Lightning Network Payment System Vulnerable to Server-Side Request Forgery via LNURL Authentication Callback
GHSA-qp8j-p87f-c8cc CVE-2025-32013 CRITICAL 8 months ago
# Server-Side Request Forgery via LNURL Authentication Callback in LNbits Lightning Network Payment System
## Disclaimer
This vulnerability was d...
pypi
No PRs yet
BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization
GHSA-33xw-247w-6hmc CVE-2025-27520 CRITICAL 8 months ago
### Summary
A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of Ben...
pypi
No PRs yet
pgAdmin 4 Vulnerable to Cross-Site Scripting (XSS) via Query Result Rendering
GHSA-2rrx-pphc-qfv9 CVE-2025-2946 CRITICAL 8 months ago
pgAdmin <= 9.1 is affected by a security vulnerability with Cross-Site Scripting (XSS). If attackers execute any arbitrary HTML/JavaScript in a user...
pypi
No PRs yet