Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

RSS Feed

24,784

Total Advisories

1,790

With Dependabot PRs

3,506

Critical Severity

8,617

High Severity

Clear All Filters
Ray is vulnerable to Critical RCE via Safari & Firefox Browsers through DNS Rebinding Attack
GHSA-q279-jhrf-cc6v CVE-2025-62593 CRITICAL 1 day ago
# Summary Developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. ...
pypi
No PRs yet
Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer
GHSA-xv5p-fjw5-vrj6 CVE-2025-62703 HIGH 2 days ago
### Summary The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server i...
pypi
No PRs yet
OMERO.web uses jquery-form library, which may be vulnerable to XSS attack
GHSA-j4gv-6x9v-v23g LOW 3 days ago
### Impact OMERO.web uses the jquery-form library throughout to handle form submission and response processing. Due to some unpatched potential vul...
pypi
No PRs yet
pypdf's LZWDecode streams be manipulated to exhaust RAM
GHSA-m449-cwjh-6pw7 CVE-2025-66019 MODERATE 3 days ago
### Impact An attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing t...
pypi
No PRs yet
Keylime allows users to register new agents by recycling existing UUIDs when using different TPM devices
GHSA-xh5w-g8gq-r3v9 CVE-2025-13609 HIGH 3 days ago
A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platfor...
pypi
No PRs yet
MLX has Wild Pointer Dereference in load_gguf()
GHSA-j842-xgm4-wf88 CVE-2025-62609 MODERATE 6 days ago
## Summary Segmentation fault in `mlx::core::load_gguf()` when loading malicious GGUF files. Untrusted pointer from external gguflib library is de...
pypi
No PRs yet
MLX has heap-buffer-overflow in load()
GHSA-w6vg-jg77-2qg6 CVE-2025-62608 MODERATE 6 days ago
## Summary Heap buffer overflow in `mlx::core::load()` when parsing malicious NumPy `.npy` files. Attacker-controlled file causes 13-byte out-of-b...
pypi
No PRs yet
vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`
GHSA-69j4-grxj-j64p CVE-2025-62426 MODERATE 7 days ago
### Summary The /v1/chat/completions and /tokenize endpoints allow a `chat_template_kwargs` request parameter that is used in the code before it is...
pypi
No PRs yet
vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs
GHSA-pmqf-x6x8-p7qw CVE-2025-62372 HIGH 7 days ago
### Summary Users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct `ndim` but incorrect `sh...
pypi
No PRs yet
vLLM deserialization vulnerability leading to DoS and potential RCE
GHSA-mrw7-hf4f-83pf CVE-2025-62164 HIGH 7 days ago
### Summary A memory corruption vulnerability that leading to a crash (denial-of-service) and potentially remote code execution (RCE) exists in vLL...
pypi
No PRs yet
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
GHSA-6qv9-48xg-fc7f CVE-2025-65106 HIGH 7 days ago
## Context A template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals...
pypi
33
Dependabot PRs
Modular Max Serve has Unsafe Deserialization vulnerability
GHSA-7xcv-9j6c-2fmc CVE-2025-60455 CRITICAL 9 days ago
Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used ...
pypi
No PRs yet
joserfc has Possible Uncontrolled Resource Consumption Vulnerability Triggered by Logging Arbitrarily Large JWT Token Payloads
GHSA-frfh-8v73-gjg4 CVE-2025-65015 CRITICAL 9 days ago
### Summary The `ExceededSizeError` exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbi...
pypi
No PRs yet
OpenStack Keystone allows /v3/ec2tokens or /v3/s3tokens request with valid AWS Signature to provide Keystone authorization.
GHSA-hcqg-5g63-7j9h CVE-2025-65073 HIGH 11 days ago
OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone ...
pypi
No PRs yet
AstrBot is vulnerable to RCE with hard-coded JWT signing keys
GHSA-4m32-cjv7-f425 CVE-2025-55449 CRITICAL 13 days ago
### Summary AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin. ### Deta...
pypi
No PRs yet
AWS Advanced Python Wrapper: Privilege Escalation in Aurora PostgreSQL instance
GHSA-4jvf-wx3f-2x8q CVE-2025-12967 HIGH 14 days ago
### Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. ...
pypi
No PRs yet
pgAdmin 4 has command injection vulnerability on Windows systems
GHSA-rm79-x4g6-hvg5 CVE-2025-12763 MODERATE 14 days ago
pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True du...
pypi
No PRs yet
pgAdmin has vulnerability in LDAP authentication mechanism that allows bypassing TLS certificate verification
GHSA-g4r8-3qmh-pmch CVE-2025-12765 HIGH 14 days ago
pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism allows bypassing TLS certificate verification.
pypi
No PRs yet
pgAdmin4 vulnerable to Remote Code Execution (RCE) when running in server mode
GHSA-w2p4-p4rh-qcm3 CVE-2025-12762 CRITICAL 14 days ago
pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing resto...
pypi
No PRs yet
pgAdmin is affected by an LDAP injection vulnerability
GHSA-cvf4-f829-762v CVE-2025-12764 HIGH 14 days ago
pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP charac...
pypi
No PRs yet
Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)
GHSA-rrx3-2x4g-mq2h CVE-2025-64509 HIGH 15 days ago
### Impact In affected versions, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, le...
pypi
No PRs yet
Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input
GHSA-fc2v-vcwj-269v CVE-2025-64508 HIGH 15 days ago
### Impact In affected versions, brotli "bombs" (highly compressed brotli streams, such as many zeros) can be sent to the server. Since the server...
pypi
No PRs yet
changedetection.io: Stored XSS in Watch update via API
GHSA-4c3j-3h7v-22q9 CVE-2025-62780 LOW 15 days ago
### Summary A Stored Cross Site Scripting is present in the changedetection.io Watch update API due to unsufficient security checks. ### Details ...
pypi
No PRs yet
Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc
GHSA-f83h-ghpp-7wcc HIGH 20 days ago
### 🚀 Overview This report **demonstrates a real-world privilege escalation** vulnerability in [pdfminer.six](https://github.com/pdfminer/pdfminer...
pypi
No PRs yet
Arbitrary Code Execution in pdfminer.six via Crafted PDF Input
GHSA-wf5f-4jwr-ppcp CVE-2025-64512 HIGH 20 days ago
### Summary pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()`...
pypi
1
Dependabot PRs
AstrBot has an arbitrary file read vulnerability in function _encode_image_bs64
GHSA-vm2f-46xc-5jc3 CVE-2025-57697 MODERATE 20 days ago
AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Since the _encode_image_bs64 function defined in e...
pypi
No PRs yet
AstrBot contains a directory traversal vulnerability
GHSA-xrj9-mw57-j34v CVE-2025-57698 HIGH 20 days ago
AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-...
pypi
No PRs yet
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
GHSA-cm35-v4vp-5xvx CVE-2025-64496 HIGH 20 days ago
### Summary Open WebUI v0.6.33 and below contains a code injection vulnerability in the Direct Connections feature that allows malicious external m...
npm pypi
No PRs yet
Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE
GHSA-w7xj-8fx7-wfch CVE-2025-64495 HIGH 20 days ago
### Summary The functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabl...
npm pypi
No PRs yet
Open redirect endpoint in Datasette
GHSA-w832-gg5g-x44m CVE-2025-64481 LOW 21 days ago
### Impact Deployed instances of Datasette prior to `0.65.2` and `1.0a21` include an open redirect vulnerability. Hits to the path `//example.com...
pypi
No PRs yet
LangGraph Checkpoint affected by RCE in "json" mode of JsonPlusSerializer
GHSA-wwqv-p2pp-99h5 CVE-2025-64439 HIGH 22 days ago
# Summary Prior to `langgraph-checkpoint` version `3.0` , LangGraph’s `JsonPlusSerializer` (used as the default serialization protocol for all che...
pypi
No PRs yet
Weblate leaks the IP of project member inviting user to be reviewer in Audit log
GHSA-gr35-vpx2-qxhc CVE-2025-64326 LOW 22 days ago
### Summary Weblate leaks the IP address of the project member inviting the user to the project in the audit log. ### Details The audit log includ...
pypi
No PRs yet
Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.
GHSA-frmv-pr5f-9mcr CVE-2025-64459 CRITICAL 22 days ago
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `...
pypi
79
Dependabot PRs
Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows
GHSA-qw25-v68c-qjf3 CVE-2025-64458 HIGH 22 days ago
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a conseq...
pypi
79
Dependabot PRs
Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode
GHSA-m35w-xx8c-6xc7 CVE-2025-58337 MODERATE 22 days ago
An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that...
pypi
No PRs yet
OctoPrint vulnerable to XSS in Action Commands Notification and Prompt
GHSA-crvm-xjhm-9h29 CVE-2025-64187 MODERATE 23 days ago
### Impact OctoPrint versions up to and including 1.11.3 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript in...
pypi
No PRs yet
Dosage vulnerable to a Directory Traversal through crafted HTTP responses
GHSA-4vcx-3pj3-44m7 CVE-2025-64184 HIGH 23 days ago
### Impact When downloadinging comic images, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, ...
pypi
No PRs yet
DSPy does not properly restrict file reads
GHSA-vvw2-h478-xwr3 CVE-2025-12695 MODERATE 23 days ago
The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases when users build an AI agent which consumes ...
pypi
No PRs yet
motionEye vulnerable to RCE via unsanitized motion config parameter
GHSA-j945-qm58-4gjx CVE-2025-60787 HIGH 24 days ago
## Summary A command injection vulnerability in MotionEye allows attackers to achieve Remote Code Execution (RCE) by supplying malicious values in ...
pypi
No PRs yet
Agno session state overwrites between different sessions/users
GHSA-vw84-hprm-cxmm CVE-2025-64168 HIGH 27 days ago
### Impact Under certain conditions (under high concurrency), when `session_state` is passed to an Agent or Team during run or arun calls, a race c...
pypi
No PRs yet
Ansible does not collect garbage after playbook run
GHSA-f556-49jc-4rvc CVE-2020-25635 MODERATE 27 days ago
A flaw was found in Ansible Base when using the aws_ssm connection plugin as its garbage collector is not happening after the playbook run is compl...
pypi
No PRs yet
cryptidy allows code execution via untrusted data due to pickle.loads
GHSA-97w9-v595-3h5q CVE-2025-63675 MODERATE 28 days ago
cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encry...
pypi
No PRs yet
Scrapy is vulnerable to a denial of service (DoS) attack due to flaws in brotli decompression implementation
GHSA-2qfp-q593-8484 CVE-2025-6176 HIGH 28 days ago
Scrapy versions up to 2.13.3 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The prote...
pypi
5
Dependabot PRs
Keras keras.utils.get_file API is vulnerable to a path traversal attack
GHSA-28jp-44vh-q42h CVE-2025-12060 HIGH 28 days ago
The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path traversal attack. The utili...
pypi
No PRs yet
Byaidu PDFMathTranslate vulnerable to open redirect
GHSA-pfrv-63w8-q7rq CVE-2025-50736 LOW 28 days ago
An open redirect vulnerability exists in Byaidu PDFMathTranslate v1.9.9 that allows attackers to craft URLs that cause the application to redirect ...
pypi
No PRs yet
Apache Airflow has a command injection vulnerability in "example_dag_decorator"
GHSA-v3c9-j6h9-66v4 CVE-2025-54941 MODERATE 28 days ago
An example dag `example_dag_decorator` had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execu...
pypi
No PRs yet
Apache Airflow's create action can upsert existing Pools/Connections/Variables
GHSA-gp5f-cx7h-8q6f CVE-2025-62503 MODERATE 28 days ago
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.
pypi
No PRs yet
Apache Airflow `/api/v2/dagReports` executes DAG Python in API
GHSA-273c-4g26-4jpm CVE-2025-62402 MODERATE 28 days ago
API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environm...
pypi
No PRs yet
LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore
GHSA-7p73-8jqx-23r8 CVE-2025-64104 HIGH 29 days ago
### Summary LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper paramet...
pypi
No PRs yet
OpenUSD File Parsing Use-After-Free Remote Code Execution Vulnerability
GHSA-grjp-54v3-c442 MODERATE 29 days ago
# Patch This is fixed with [commit b953092](https://github.com/PixarAnimationStudios/OpenUSD/commit/b9530922b6a8ea72cd43661226b693fff8abbe4c), with...
pypi
No PRs yet