Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

RSS Feed

24,785

Total Advisories

1,792

With Dependabot PRs

3,506

Critical Severity

8,617

High Severity

Clear All Filters
imaginAIry Denial of Service (DoS) vulnerability
GHSA-x5xw-28w4-53j5 CVE-2024-12761 HIGH 8 months ago
A Denial of Service (DoS) vulnerability exists in the brycedrennan/imaginairy repository, version 15.0.0. The vulnerability is present in the `/api...
pypi
No PRs yet
Open WebUI Uncontrolled Resource Consumption vulnerability
GHSA-chf7-q7m5-fq92 CVE-2024-12537 HIGH 8 months ago
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/util...
npm pypi
No PRs yet
Aim vulnerable to Synchronous Access of Remote Resource without Timeout
GHSA-v5pj-jrpv-h6g2 CVE-2024-12777 MODERATE 8 months ago
A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is...
pypi
No PRs yet
LlamaIndex Improper Handling of Exceptional Conditions vulnerability
GHSA-j3wr-m6xh-64hg CVE-2024-12704 HIGH 8 months ago
A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. Th...
pypi
No PRs yet
FastChat Server-Side Request Forgery vulnerability
GHSA-g44m-hpf4-vmrp CVE-2024-12376 HIGH 8 months ago
A Server-Side Request Forgery (SSRF) vulnerability was identified in the lm-sys/fastchat web server, specifically in the affected version git 2c68a...
pypi
No PRs yet
BentoML vulnerable to Uncontrolled Resource Consumption
GHSA-hh3j-9m59-p8vc HIGH 8 months ago
In bentoml/bentoml version 1.3.9, the `/login` endpoint of the newly integrated Gradio app is vulnerable to a Denial of Service (DoS) attack. This ...
pypi
No PRs yet
Transformers Regular Expression Denial of Service (ReDoS) vulnerability
GHSA-6rvg-6v2m-4j46 CVE-2024-12720 MODERATE 8 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file token...
pypi
No PRs yet
BentoML Open Redirect vulnerability
GHSA-564p-rx2q-4c8v MODERATE 8 months ago
An open redirect vulnerability in bentoml/bentoml v1.3.9 allows a remote unauthenticated attacker to redirect users to arbitrary websites via a spe...
pypi
No PRs yet
Kedro allows Remote Code Execution by Pulling Micro Packages
GHSA-rm69-wvpv-r2w7 CVE-2024-12215 HIGH 8 months ago
In kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. However...
pypi
1
Dependabot PRs
FastChat Server-Side Request Forgery vulnerability
GHSA-h254-g997-685c CVE-2024-11603 HIGH 8 months ago
A Server-Side Request Forgery (SSRF) vulnerability exists in lm-sys/fastchat version 0.2.36. The vulnerability is present in the `/queue/join?` end...
pypi
No PRs yet
LlamaIndex Retrievers Integration: DuckDBRetriever SQL Injection
GHSA-339r-cjv9-x78g CVE-2024-11958 CRITICAL 8 months ago
A SQL injection vulnerability exists in the `duckdb_retriever` component of the run-llama/llama_index repository, specifically in llama-index-retri...
pypi
No PRs yet
Feast Cross-Origin Resource Sharing vulnerability
GHSA-wxpc-2674-rxvw CVE-2024-11602 HIGH 8 months ago
A Cross-Origin Resource Sharing (CORS) vulnerability exists in feast-dev/feast version 0.40.0. The CORS configuration on the agentscope server does...
pypi
No PRs yet
Gradio Path Traversal vulnerability
GHSA-prpg-p95c-32fv CVE-2024-12217 MODERATE 8 months ago
A vulnerability in the gradio-app/gradio repository, version git 67e4044, allows for path traversal on Windows OS. The implementation of the blocke...
pypi
No PRs yet
GluonCV Arbitrary File Write via TarSlip
GHSA-m724-hqmc-ggpx CVE-2024-12216 HIGH 8 months ago
A vulnerability in the `ImageClassificationDataset.from_csv()` API of the `dmlc/gluon-cv` repository, version 0.10.0, allows for arbitrary file wri...
pypi
No PRs yet
vLLM Deserialization of Untrusted Data vulnerability
GHSA-5vqr-wprc-cpp7 CVE-2024-11041 CRITICAL 8 months ago
vllm-project vllm version v0.6.2 contains a vulnerability in the MessageQueue.dequeue() API function. The function uses pickle.loads to parse recei...
pypi
No PRs yet
InvokeAI Uncontrolled Resource Consumption vulnerability
GHSA-ffh5-w482-c7m5 CVE-2024-11043 HIGH 8 months ago
A Denial of Service (DoS) vulnerability was discovered in the /api/v1/boards/{board_id} endpoint of invoke-ai/invokeai version v5.0.2. This vulnera...
pypi
No PRs yet
FastChat Denial of Service vulnerability
GHSA-79rp-v9rm-gxm8 CVE-2024-10912 HIGH 8 months ago
A Denial of Service (DoS) vulnerability exists in the file upload feature of lm-sys/fastchat version 0.2.36. The vulnerability is due to improper h...
pypi
No PRs yet
FastChat Uncontrolled Resource Consumption vulnerability
GHSA-qg86-f892-m4hj CVE-2024-10907 HIGH 8 months ago
In lm-sys/fastchat Release v0.2.36, the server fails to handle excessive characters appended to the end of multipart boundaries. This flaw can be e...
pypi
No PRs yet
langchain-core allows unauthorized users to read arbitrary files from the host file system
GHSA-5chr-fjjv-38qv CVE-2024-10940 MODERATE 8 months ago
A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,<0.2.43, and >=0.3.0,<0.3.15 allows unauthorized users to read arbitrary files...
pypi
No PRs yet
InvokeAI Arbitrary File Deletion vulnerability
GHSA-227r-w5j2-6243 CVE-2024-11042 CRITICAL 8 months ago
In invoke-ai/invokeai version v5.0.2, the web API `POST /api/v1/images/delete` is vulnerable to Arbitrary File Deletion. This vulnerability allows ...
pypi
No PRs yet
FastChat open redirect vulnerability
GHSA-77cj-rv5x-v6r2 CVE-2024-10908 MODERATE 8 months ago
An open redirect vulnerability in lm-sys/fastchat Release v0.2.36 allows a remote unauthenticated attacker to redirect users to arbitrary websites ...
pypi
No PRs yet
DB-GPT Arbitrary File Write vulnerability
GHSA-7gj6-22m4-qfhx CVE-2024-10901 CRITICAL 8 months ago
In eosphoros-ai/db-gpt version v0.6.3 and earlier, the web API `POST /api/v1/editor/chart/run` allows execution of arbitrary SQL queries without an...
pypi
No PRs yet
DB-GPT is vulnerable to SQL Injection attacks from unauthenticated users
GHSA-qccg-9m4q-xfm6 CVE-2024-10835 CRITICAL 8 months ago
In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /api/v1/editor/sql/run` allows execution of arbitrary SQL queries without any access contr...
pypi
No PRs yet
DB-GPT Path Traversal vulnerability
GHSA-8pwp-phcg-h36g CVE-2024-10830 HIGH 8 months ago
A Path Traversal vulnerability exists in the eosphoros-ai/db-gpt version 0.6.0 at the API endpoint `/v1/resource/file/delete`. This vulnerability a...
pypi
No PRs yet
DB-GPT Absolute Path Traversal vulnerability
GHSA-hhw5-29f6-hf4x CVE-2024-10831 CRITICAL 8 months ago
In eosphoros-ai/db-gpt version 0.6.0, the endpoint for uploading files is vulnerable to absolute path traversal. This vulnerability allows an attac...
pypi
No PRs yet
DB-GPT vulnerable to Cross-Site Request Forgery
GHSA-3248-f932-c76p CVE-2024-10906 HIGH 8 months ago
In version 0.6.0 of eosphoros-ai/db-gpt, the `uvicorn` app created by `dbgpt_server` uses an overly permissive instance of `CORSMiddleware` which s...
pypi
No PRs yet
DB-GPT vulnerable to Arbitrary File Upload with Path Traversal
GHSA-3xq5-x4fj-rff7 CVE-2024-10902 CRITICAL 8 months ago
In eosphoros-ai/db-gpt version v0.6.0, the web API `POST /v1/personal/agent/upload` is vulnerable to Arbitrary File Upload with Path Traversal. Thi...
pypi
No PRs yet
DB-GPT Uncontrolled Resource Consumption vulnerability
GHSA-6xgj-c5fx-5v57 CVE-2024-10829 HIGH 8 months ago
A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of eosphoros-ai/db-gpt v0.6.0 allows unauthenticated...
pypi
No PRs yet
InvokeAI has Denial of Service (DoS) vulnerability in `/api/v1/images/upload`
GHSA-6f6x-f56q-5xgv CVE-2024-10821 HIGH 8 months ago
A Denial of Service (DoS) vulnerability in the multipart request boundary processing mechanism of the Invoke-AI server (version v5.0.1) allows unau...
pypi
No PRs yet
HyperLPR Denial of Service vulnerability
GHSA-cg4p-5qfm-pjjj CVE-2024-10713 HIGH 8 months ago
A vulnerability in szad670401/hyperlpr v3.0 allows for a Denial of Service (DoS) attack. The server fails to handle excessive characters appended t...
pypi
No PRs yet
DB-GPT Absolute Path Traversal in knowledge/{space_name}/document/upload
GHSA-j9g7-mqhh-9hxf CVE-2024-10833 CRITICAL 8 months ago
eosphoros-ai/db-gpt version 0.6.0 is vulnerable to an arbitrary file write through the knowledge API. The endpoint for uploading files as 'knowledg...
pypi
No PRs yet
H2O Vulnerable to Denial of Service (DoS) and File Write
GHSA-wjpv-64v2-2qpq CVE-2024-10572 HIGH 8 months ago
In h2oai/h2o-3 version 3.46.0.1, the `run_tool` command exposes classes in the `water.tools` package through the `ast` parser. This includes the `X...
maven pypi
No PRs yet
H2O Vulnerable to Denial of Service (DoS) via `/3/Parse` Endpoint
GHSA-wwr9-4gmr-xvq9 CVE-2024-10549 HIGH 8 months ago
A vulnerability in the `/3/Parse` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint uses a user-sp...
maven pypi
No PRs yet
H2O Deserialization of Untrusted Data Vulnerability
GHSA-h7xg-cmpp-48hf CVE-2024-10553 CRITICAL 8 months ago
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization...
maven pypi
No PRs yet
Gradio Vulnerable to Arbitrary File Deletion
GHSA-pgfv-gvc5-prfg CVE-2024-10648 HIGH 8 months ago
A path traversal vulnerability exists in the Gradio Audio component of gradio-app/gradio, as of version git 98cbcae. This vulnerability allows an a...
pypi
No PRs yet
Gradio Vulnerable to Denial of Service (DoS) via Crafted HTTP Request
GHSA-rvgh-pr46-x7gg CVE-2024-10624 HIGH 8 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The a...
pypi
No PRs yet
H2O Vulnerable to Denial of Service (DoS) via `/3/ParseSetup` Endpoint
GHSA-7qq7-pvm9-x8rf CVE-2024-10550 HIGH 8 months ago
A vulnerability in the `/3/ParseSetup` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint applies a...
maven pypi
No PRs yet
Gradio Vulnerable to Denial of Service (DoS) via Crafted Zip Bomb
GHSA-7xmc-vhjp-qv5q CVE-2024-10569 HIGH 8 months ago
A vulnerability in the dataframe component of gradio-app/gradio (version git 98cbcae) allows for a zip bomb attack. The component uses pd.read_csv ...
pypi
No PRs yet
Horovod Vulnerable to Command Injection
GHSA-mrhh-3ggq-23p2 CVE-2024-10190 CRITICAL 8 months ago
Horovod versions up to and including v0.28.1 are vulnerable to unauthenticated remote code execution. The vulnerability is due to improper handling...
pypi
No PRs yet
LiteLLM Vulnerable to Denial of Service (DoS)
GHSA-gw2q-qw9j-rgv7 CVE-2024-10188 HIGH 8 months ago
A vulnerability in BerriAI/litellm, as of commit 26c03c9, allows unauthenticated users to cause a Denial of Service (DoS) by exploiting the use of ...
pypi
No PRs yet
Aim Vulnerable to Denial of Service (DoS)
GHSA-fx47-jpv9-7hxr CVE-2024-10110 HIGH 8 months ago
In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object can be instantiated to run on the main thread of the tracking server, leading...
pypi
No PRs yet
vLLM Allows Remote Code Execution via Mooncake Integration
GHSA-x3m8-f7g5-qhm7 CVE-2025-29783 CRITICAL 8 months ago
### Summary When vLLM is configured to use Mooncake, unsafe deserialization exposed directly over ZMQ/TCP will allow attackers to execute remote co...
pypi
No PRs yet
vLLM denial of service via outlines unbounded cache on disk
GHSA-mgrm-fgjv-mhv8 CVE-2025-29770 MODERATE 8 months ago
### Impact The [outlines](https://dottxt-ai.github.io/outlines/latest/) library is one of the backends used by vLLM to support structured output (a...
pypi
No PRs yet
Apache Airflow MySQL Provider is Vulnerable to SQL Injection
GHSA-hhm6-jjf4-6pm3 CVE-2025-27018 MODERATE 9 months ago
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When user tri...
pypi
No PRs yet
PostQuantum-Feldman-VSS'S Dependency Vulnerability in gmpy2 Leading to Interpreter Crash
GHSA-v432-7f47-9g94 HIGH 9 months ago
**Description:** PostQuantum-Feldman-VSS, a Python library implementing Feldman's Verifiable Secret Sharing scheme with post-quantum security, was...
pypi
No PRs yet
Qiskit allows arbitrary code execution decoding QPY format versions < 13
GHSA-6m2c-76ff-6vrf CVE-2025-2000 CRITICAL 9 months ago
### Impact A maliciously crafted QPY file can potentially execute arbitrary-code embedded in the payload without privilege escalation when deseria...
pypi
No PRs yet
Post-Quantum Secure Feldman's Verifiable Secret Sharing has Inadequate Fault Injection Countermeasures in `secure_redundant_execution`
GHSA-r8gc-qc2c-c7vh CVE-2025-29779 MODERATE 9 months ago
**Description:** The `secure_redundant_execution` function in feldman_vss.py attempts to mitigate fault injection attacks by executing a function ...
pypi
No PRs yet
Post-Quantum Secure Feldman's Verifiable Secret Sharing has Timing Side-Channels in Matrix Operations
GHSA-q65w-fg65-79f4 CVE-2025-29780 MODERATE 9 months ago
**Description:** The `feldman_vss` library contains timing side-channel vulnerabilities in its matrix operations, specifically within the `_find_s...
pypi
No PRs yet
XPixelGroup BasicSR Command Injection
GHSA-86w8-vhw6-q9qq CVE-2024-27763 MODERATE 9 months ago
XPixelGroup BasicSR through 1.4.2 might locally allow code execution in contrived situations where "scontrol show hostname" is executed in the pres...
pypi
No PRs yet
Rembg CORS misconfiguration
GHSA-59qh-fmm7-3g9q CVE-2025-25302 HIGH 9 months ago
Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, whic...
pypi
No PRs yet