An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

Sentry's improper authentication on SAML SSO process allows user impersonation
GHSA-7pq6-v88g-wf3w CVE-2025-22146 CRITICAL 11 months ago
Impact: A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty progr...
pypi
No PRs yet
Django has a potential denial-of-service vulnerability in IPv6 validation
GHSA-qcgg-j2x8-h9g8 CVE-2024-56374 MODERATE 11 months ago
An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings pass...
pypi
333 Dependabot PRs, 6% merged
Vyper Does Not Check the Success of Certain Precompile Calls
GHSA-vgf2-gvx8-xwc3 CVE-2025-21607 LOW 11 months ago
Summary: When the Vyper Compiler uses the precompiles EcRecover (0x1) and Identity (0x4), the success flag of the call is not checked. As a con...
pypi
No PRs yet
Gradio Blocked Path ACL Bypass Vulnerability
GHSA-j2jg-fq62-7c3h CVE-2025-23042 CRITICAL 11 months ago
Summary: Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This...
pypi
No PRs yet
Rasa Allows Remote Code Execution via Remote Model Loading
GHSA-cpv4-ggrr-7j9v CVE-2024-49375 CRITICAL 11 months ago
Vulnerability: A vulnerability has been identified in Rasa Pro and Rasa Open Source that enables an attacker who has the ability to load a malici...
pypi
No PRs yet
Strawberry GraphQL has type resolution vulnerability in node interface that allows potential data leakage through incorrect type resolution
GHSA-5xh2-23cc-5jc6 CVE-2025-22151 LOW 11 months ago
Vulnerability Summary: A type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (D...
pypi
No PRs yet
pgAdmin has Incorrect Default Permissions
GHSA-7w6r-748w-mh52 CVE-2023-1907 HIGH 11 months ago
A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's...
pypi
No PRs yet
GHSL-2024-288: SickChill open redirect in login
GHSA-6gf2-ffq8-gcww CVE-2024-53995 LOW 11 months ago
SickChill is an automatic video library manager for TV shows. A user-controlled `login` endpoint's `next_` parameter takes arbitrary content. Prior...
pypi
No PRs yet
Composio Command Execution vulnerability
GHSA-8h93-28hg-fj84 CVE-2024-53526 MODERATE 11 months ago
composio >=0.5.40 is vulnerable to Command Execution in composio_openai, composio_claude, and composio_julep via the handle_tool_calls function.
pypi
No PRs yet
keras Path Traversal vulnerability
GHSA-cjgq-5qmw-rcj6 CVE-2024-55459 MODERATE 11 months ago
An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file fun...
pypi
No PRs yet
Apache Airflow Fab Provider Insufficient Session Expiration vulnerability
GHSA-8863-4qmg-fr45 CVE-2024-45033 LOW 11 months ago
Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When ...
pypi
No PRs yet
NiceGUI On Air authentication issue
GHSA-v6jv-p6r8-j78w CVE-2025-21618 HIGH 11 months ago
Summary: Once a user logs in to one browser, all other browsers are logged in without entering a password. Even in incognito mode. Impact: high
pypi
5 Dependabot PRs, 20% merged
khoj has an IDOR in subscription management allows unauthorized subscription modifications
GHSA-hq4h-w933-jm6c CVE-2024-52294 MODERATE 11 months ago
Summary: An Insecure Direct Object Reference (IDOR) vulnerability in the update_subscription endpoint allows any authenticated user to manipulat...
pypi
No PRs yet
Letta (previously MemGPT) incorrect access control vulnerability
GHSA-7p2g-2vxc-5g55 CVE-2024-39025 HIGH 11 months ago
Incorrect access control in the /users endpoint of Cpacker MemGPT v0.3.17 allows attackers to access sensitive data.
pypi
No PRs yet
changedetection.io Vulnerable to Improper Input Validation Leading to LFR/Path Traversal
GHSA-j5vv-6wjg-cfr8 CVE-2024-56509 HIGH 11 months ago
Summary: Improper input validation in the application can allow attackers to perform local file read (LFR) or path traversal attacks. These vuln...
pypi
No PRs yet
python-sql SQL injection vulnerability
GHSA-pq9p-pc3p-9hm4 CVE-2024-9774 MODERATE 11 months ago
A vulnerability was found in python-sql where unary operators do not escape non-Expression (like `And` and `Or`) which makes any system exposing th...
pypi
No PRs yet
Amazon Redshift Python Connector vulnerable to SQL Injection
GHSA-8gc2-vq6m-rwjw CVE-2024-12745 HIGH 11 months ago
Summary: A SQL injection in the Amazon Redshift Python Connector in version 2.1.4 allows a user to gain escalated privileges via schema injectio...
pypi
18 Dependabot PRs, 5% merged
Koji Cross-site Scripting
GHSA-g2vg-8hfg-79vj CVE-2024-9427 MODERATE 11 months ago
A vulnerability in Koji was found. An unsanitized input allows for an XSS attack. JavaScript code from a malicious link could be reflected in the r...
pypi
No PRs yet
Jinja has a sandbox breakout through indirect reference to format method
GHSA-q2x7-8rv6-6q7h CVE-2024-56326 MODERATE 11 months ago
An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker that controls the content of a template to exe...
pypi
2181 Dependabot PRs, 19% merged
Jinja has a sandbox breakout through malicious filenames
GHSA-gmj6-6f8f-6699 CVE-2024-56201 MODERATE 11 months ago
A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardle...
pypi
2181 Dependabot PRs, 19% merged
pyrage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution
GHSA-47h8-jmp3-9f28 CVE-2024-56327 HIGH 11 months ago
`pyrage` uses the Rust `age` crate for its underlying operations, and `age` is vulnerable to GHSA-4fg7-vxc8-qx5w. All details of GHSA-4fg7-vxc8-qx...
pypi
No PRs yet
PGHoard Path Traversal vulnerability
GHSA-m9hc-vxjj-4x6q CVE-2024-56142 MODERATE 12 months ago
A vulnerability has been discovered that could allow an attacker to acquire disk access with privileges equivalent to those of pghoard, allowing fo...
pypi
No PRs yet
D-Tale allows Remote Code Execution through the Custom Filter Input
GHSA-832w-fhmw-w4f4 CVE-2024-55890 MODERATE 12 months ago
Impact: Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Pa...
pypi
No PRs yet
djoser Authentication Bypass
GHSA-v49p-m6gh-747c CVE-2024-21543 HIGH 12 months ago
Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the sys...
pypi
No PRs yet
Apache Superset: SQLLab Improper readonly query validation allows unauthorized write access
GHSA-787v-v9vq-4rgv CVE-2024-55633 HIGH 12 months ago
Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially design...
pypi
No PRs yet
python-libarchive directory traversal
GHSA-75mx-hw5q-pvx3 CVE-2024-55587 HIGH 12 months ago
python-libarchive through 4.2.1 allows directory traversal (to create files) in extract in zip.py for ZipFile.extractall and ZipFile.extract.
pypi
No PRs yet
sigstore has insufficient validation of integration timestamp during verification
GHSA-hhfg-fwrw-87w7 CVE-2024-55655 LOW 12 months ago
Summary: Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "...
pypi
No PRs yet
luigi Arbitrary File Write via Archive Extraction (Zip Slip)
GHSA-8qch-vj6m-2694 CVE-2024-21542 HIGH 12 months ago
Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination fil...
pypi
No PRs yet
unstructured XML External Entity (XXE)
GHSA-32r8-54hf-c9p3 CVE-2024-46455 MODERATE 12 months ago
unstructured v.0.14.2 and before is vulnerable to XML External Entity (XXE) via the XMLParser.
pypi
No PRs yet
Apache Superset: Improper SQL authorisation, parse not checking for specific postgres functions
GHSA-92qf-8gh3-gwcm CVE-2024-53947 LOW 12 months ago
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine...
pypi
No PRs yet
Apache Superset: Error verbosity exposes metadata in analytics databases
GHSA-2cx9-54hp-r698 CVE-2024-53948 MODERATE 12 months ago
Generation of Error Message Containing analytics metadata Information in Apache Superset. This issue affects Apache Superset: before 4.1.0. Users...
pypi
No PRs yet
Apache Superset: Lower privilege users are able to create Role when FAB_ADD_SECURITY_API is enabled
GHSA-35fc-9hrj-3585 CVE-2024-53949 HIGH 12 months ago
Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege user...
pypi
No PRs yet
Django denial-of-service in django.utils.html.strip_tags()
GHSA-8498-2h75-472j CVE-2024-53907 MODERATE 12 months ago
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter...
pypi
73 Dependabot PRs, 18% merged
Django SQL injection in HasKey(lhs, rhs) on Oracle
GHSA-m9g8-fxxm-xg86 CVE-2024-53908 HIGH 12 months ago
An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasK...
pypi
351 Dependabot PRs, 5% merged
pyspider Cross-Site Request Forgery (CSRF) via the Flask endpoints
GHSA-pqj8-xhcx-prxm CVE-2024-39163 HIGH 12 months ago
binux pyspider up to v0.3.10 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Flask endpoints.
pypi
No PRs yet
Mobile Security Framework (MobSF) Stored Cross-Site Scripting Vulnerability in "Diff or Compare" Functionality
GHSA-5jc6-h9w7-jm3p CVE-2024-53999 MODERATE 12 months ago
Summary: The application allows users to upload files with scripts in the filename parameter. As a result, a malicious user can upload a script ...
pypi
No PRs yet
Synapse Matrix has a partial room state leak via Sliding Sync
GHSA-56w4-5538-8v8h CVE-2024-53867 MODERATE 12 months ago
Impact: The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a ...
pypi
No PRs yet
Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders
GHSA-vp6v-whfm-rv3g CVE-2024-53863 HIGH 12 months ago
Impact: In Synapse versions before 1.120.1, enabling the `dynamic_thumbnails` option or processing a specially crafted request could trigger th...
pypi
No PRs yet
Synapse allows a malformed invite to break the invitee's `/sync`
GHSA-f3r3-h2mq-hx2h CVE-2024-52815 HIGH 12 months ago
Impact: Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious serve...
pypi
No PRs yet
Synapse allows unsupported content types to lead to memory exhaustion
GHSA-rfq8-j7rh-8hf2 CVE-2024-52805 HIGH 12 months ago
Impact: In Synapse before 1.120.1, `multipart/form-data` requests can in certain configurations transiently increase memory consumption beyond ...
pypi
No PRs yet
Synapse's unauthenticated writes to the media repository allow planting of problematic content
GHSA-gjgr-7834-rhxr CVE-2024-37303 MODERATE 12 months ago
Impact: Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media f...
pypi
No PRs yet
Synapse denial of service through media disk space consumption
GHSA-4mhg-xv73-xq2x CVE-2024-37302 HIGH 12 months ago
Impact: Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download a...
pypi
No PRs yet
Denial of service (DoS) via deformation `multipart/form-data` boundary
GHSA-59g5-xgcq-4qw3 CVE-2024-53981 HIGH 12 months ago
Summary: When parsing form data, `python-multipart` skips line breaks (CR `\r` or LF `\n`) in front of the first boundary and any trailing bytes...
pypi
No PRs yet
Python package "zhmcclient" stores passwords in clear text in its HMC and API logs
GHSA-p57h-3cmc-xpjq CVE-2024-53865 MODERATE 12 months ago
Impact: The Python package "zhmcclient" writes password-like properties in clear text into its HMC and API logs in the following cases: * The ...
pypi
No PRs yet
PyJWT Issuer field partial matches allowed
GHSA-75c5-xw7c-p5pm CVE-2024-53861 LOW 12 months ago
Summary: The wrong string check is run for `iss` validation, resulting in `"acb"` being accepted for `"_abc_"`. Details: This is a bug intr...
pypi
209 Dependabot PRs, 12% merged
check-jsonschema default caching for remote schemas allows for cache confusion
GHSA-q6mv-284r-mp36 CVE-2024-53848 MODERATE 12 months ago
Impact: The default cache strategy uses the basename of a remote schema as the name of the file in the cache, e.g. `https://example.org/schema....
pypi
3 Dependabot PRs, 66% merged
pyspider Cross-site Scripting vulnerability
GHSA-x4x5-jx9j-mmv7 CVE-2024-39162 MODERATE about 1 year ago
pyspider through 0.3.10 allows /update XSS. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
pypi
No PRs yet
Password Policy Bypass Vulnerability in Fides Webserver User Accept Invite API
GHSA-v7vm-rhmg-8j2r CVE-2024-52008 LOW about 1 year ago
Summary: The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak password...
pypi
No PRs yet
aiocpa contains credential harvesting code
GHSA-486g-47cc-8wxf HIGH about 1 year ago
aiocpa is a user-facing library for generating color gradients of text. Version 0.1.13 introduced obfuscated, malicious code targeting Crypto Pay u...
pypi
No PRs yet
libre-chat Path Traversal vulnerability
GHSA-3864-rp2m-2qfj CVE-2024-52787 MODERATE about 1 year ago
An issue in the upload_documents method of libre-chat v0.0.6 allows attackers to execute a path traversal via supplying a crafted filename in an up...
pypi
No PRs yet