Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,785 Total Advisories
1,792 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity
MLflow's excessive directory permissions allow local privilege escalation
GHSA-qpgc-w4mg-6v92 CVE-2024-27134 HIGH about 1 year ago
Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf. This behavior can be exploited by a local attac...
pypi
No PRs yet
OpenStack Neutron can use an incorrect ID during policy enforcement
GHSA-f27h-g923-68hw CVE-2024-53916 MODERATE about 1 year ago
In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper p...
pypi
No PRs yet
virtualenv allows command injection through activation scripts for a virtual environment
GHSA-rqc4-2hc7-8c8v CVE-2024-53899 HIGH about 1 year ago
virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted ...
pypi
1 Dependabot PR, 100% merged
Deserialization of Untrusted Data in Hugging Face Transformers
GHSA-hxxf-235m-72v3 CVE-2024-11394 HIGH about 1 year ago
Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attack...
pypi
No PRs yet
Deserialization of Untrusted Data in Hugging Face Transformers
GHSA-qxrp-vhvm-j765 CVE-2024-11392 HIGH about 1 year ago
Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attac...
pypi
No PRs yet
Deserialization of Untrusted Data in Hugging Face Transformers
GHSA-wrfc-pvp9-mr9g CVE-2024-11393 HIGH about 1 year ago
Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote ...
pypi
No PRs yet
Sentry improper error handling leaks Application Integration Client Secret
GHSA-v5h2-q2w4-gpcx CVE-2024-53253 MODERATE about 1 year ago
### Impact
During routine testing, we identified a scenario where a specific error message generated by our platform could include a plaintext Clie...
pypi
No PRs yet
Tornado has an HTTP cookie parsing DoS vulnerability
GHSA-8w49-h785-mj3c CVE-2024-52804 HIGH about 1 year ago
The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consump...
pypi
No PRs yet
GeoNode Server Side Request forgery
GHSA-rmxg-6qqf-x8mr CVE-2023-40017 HIGH about 1 year ago
### Summary
A server side request forgery vuln was found within geonode when testing on a bug bounty program. Server side request forgery allows a ...
pypi
No PRs yet
LLama Factory Remote OS Command Injection Vulnerability
GHSA-hj3w-wrh4-44vp CVE-2024-52803 HIGH about 1 year ago
## Summary
A critical remote OS command injection vulnerability has been identified in the Llama Factory training process. This vulnerability aris...
pypi
No PRs yet
Litestar allows unbounded resource consumption (DoS vulnerability)
GHSA-gjcc-jvgw-wvwj CVE-2024-52581 HIGH about 1 year ago
### Summary
Litestar offers multiple methods to return a parsed representation of the request body, as well as extractors that rely on those parser...
pypi
No PRs yet
Django Filer Unrestricted Upload of File with Dangerous Type
GHSA-j4v3-wwwx-5gqv CVE-2024-11404 MODERATE about 1 year ago
Unrestricted Upload of File with Dangerous Type, Improper Input Validation, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basi...
pypi
No PRs yet
django CMS Attributes Field Cross-site Scripting
GHSA-vxcv-4xvf-pc22 CVE-2024-11406 MODERATE about 1 year ago
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django CMS Attr...
pypi
No PRs yet
HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through
GHSA-5jfw-gq64-q45f CVE-2024-52595 HIGH about 1 year ago
### Impact
The HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `<svg>`, `<math>` and `<noscript>`. Th...
pypi
No PRs yet
aiohttp allows request smuggling due to incorrect parsing of chunk extensions
GHSA-8495-4g3g-x7pr CVE-2024-52304 MODERATE about 1 year ago
### Summary
The Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain con...
pypi
No PRs yet
aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method
GHSA-27mf-ghqm-j3j8 CVE-2024-52303 MODERATE about 1 year ago
### Summary
A memory leak can occur when a request produces a `MatchInfoError`. This was caused by adding an entry to a cache on each request, due...
pypi
No PRs yet
cobbler allows anyone to connect to cobbler XML-RPC server with known password and make changes
GHSA-m26c-fcgh-cp6h CVE-2024-47533 CRITICAL about 1 year ago
### Summary
utils.get_shared_secret() always returns -1 - allows anyone to connect to cobbler XML-RPC as user '' password -1 and make any changes....
pypi
No PRs yet
django CMS Cross-Site Scripting (XSS)
GHSA-gv5h-5655-h4mv CVE-2024-11319 MODERATE about 1 year ago
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django-cms allo...
pypi
No PRs yet
OpenStack improperly deletes access rules
GHSA-2ppf-2m6f-6v6f CVE-2023-6110 MODERATE about 1 year ago
A flaw was found in OpenStack. When a user tries to delete a non-existing access rule in its scope, it deletes other existing access rules which a...
pypi
No PRs yet
Cross-site Scripting (XSS) - DOM in janeczku/calibre-web
GHSA-r735-9gc6-2hvq CVE-2021-3988 MODERATE about 1 year ago
A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. The vulnerability occurs when ...
pypi
No PRs yet
Generation of Error Message Containing Sensitive Information in janeczku/calibre-web
GHSA-m982-h4f8-g4hf CVE-2021-3986 MODERATE about 1 year ago
A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. This issue occurs ...
pypi
No PRs yet
Improper Access Control in janeczku/calibre-web
GHSA-fj5v-w2jp-wqvj CVE-2021-3987 MODERATE about 1 year ago
An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to crea...
pypi
No PRs yet
Apache Airflow: Sensitive configuration values are not masked in the logs by default
GHSA-46c3-5xc5-wwhv CVE-2024-45784 HIGH about 1 year ago
Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability ...
pypi
No PRs yet
ReDoS in giskard's transformation.py (GHSL-2024-324)
GHSA-pjwm-cr36-mwv3 CVE-2024-52524 MODERATE about 1 year ago
# ReDoS in Giskard text perturbation detector
A Remote Code Execution (ReDoS) vulnerability was discovered in Giskard component by the [GitHub Sec...
pypi
No PRs yet
Missing rate limit on password resets in zenml
GHSA-j3vq-pmp5-r5xj CVE-2024-4311 MODERATE about 1 year ago
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker ca...
pypi
No PRs yet
Salt preflight script could be attacker controlled
GHSA-4277-m35q-7c9w CVE-2023-34049 MODERATE about 1 year ago
The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run their scrip...
pypi
No PRs yet
TorchGeo Remote Code Execution Vulnerability
GHSA-g5vp-j278-8pjh CVE-2024-49048 HIGH about 1 year ago
TorchGeo Remote Code Execution Vulnerability
pypi
No PRs yet
LightGBM Remote Code Execution Vulnerability
GHSA-2586-f3p4-hq84 CVE-2024-43598 HIGH about 1 year ago
LightGBM Remote Code Execution Vulnerability
pypi
No PRs yet
Ansible-Core vulnerable to content protections bypass
GHSA-99w6-3xph-cx78 CVE-2024-11079 LOW about 1 year ago
A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference a...
pypi
26 Dependabot PRs, 30% merged
wasm3 uncontrolled memory allocation vulnerability
GHSA-fmq6-4w57-2w3v CVE-2024-27529 MODERATE about 1 year ago
wasm3 at commit 139076a contains a memory leak in the Read_utf8 function.
cargo
pypi
swift
No PRs yet
Apache Airflow vulnerable to Insertion of Sensitive Information Into Sent Data
GHSA-j857-2pwm-jjmm CVE-2024-50378 LOW about 1 year ago
Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs whi...
pypi
No PRs yet
changedetection.io path traversal using file URI scheme without supplying hostname
GHSA-6jrf-rcjf-245r CVE-2024-51998 HIGH about 1 year ago
### Summary
The validation for the file URI scheme falls short, and results in an attacker being able to read any file on the system. This issue o...
pypi
No PRs yet
Gradio vulnerable to arbitrary file read with File and UploadButton components
GHSA-rhm9-gp5p-5248 CVE-2024-51751 MODERATE about 1 year ago
### Summary
If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the app...
pypi
No PRs yet
codechecker authentication method confusion vulnerability allows logging in as the built-in root user from an external service
GHSA-fpm5-2wcj-vfr7 CVE-2024-10082 CRITICAL about 1 year ago
### Summary
Authentication method confusion allows logging in as the built-in root user from an external service. The built-in root user is generat...
pypi
No PRs yet
codechecker vulnerable to authentication bypass when using specifically crafted URLs
GHSA-f3f8-vx3w-hp5q CVE-2024-10081 CRITICAL about 1 year ago
### Summary
Authentication bypass occurs when the API URL ends with Authentication, Configuration or ServerInfo. This bypass allows superuser acces...
pypi
No PRs yet
ansible-core Incorrect Authorization vulnerability
GHSA-32p4-gm2c-wmch CVE-2024-9902 MODERATE about 1 year ago
A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file o...
pypi
No PRs yet
OctoPrint has API key access in settings without reauthentication
GHSA-cc6x-8cc7-9953 CVE-2024-51493 MODERATE about 1 year ago
### Impact
OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over...
pypi
No PRs yet
OctoPrint Vulnerable to Reflected XSS in Jinja2 Templates
GHSA-xvxq-g8hw-fx4g CVE-2024-49377 MODERATE about 1 year ago
### Impact
OctoPrint versions up until and including 1.10.2 are vulnerable to reflected XSS vulnerabilities through its Jinja2 template system, as...
pypi
No PRs yet
gradio Server Side Request Forgery vulnerability
GHSA-3gf9-wv65-gwh9 CVE-2024-48052 MODERATE about 1 year ago
In gradio <=4.42.0, the gr.DownloadButton function has a hidden server-side request forgery (SSRF) vulnerability. The reason is that within the sav...
pypi
No PRs yet
AgentScope uses `eval`
GHSA-6p55-qr3j-mpgq CVE-2024-48050 HIGH about 1 year ago
In agentscope <=v0.0.4, the file `agentscope\web\workstation\workflow_utils.py` has the function `is_callable_expression`. Within this function, th...
pypi
No PRs yet
Langflow vulnerable to remote code execution
GHSA-5p5r-57fx-pmfr CVE-2024-48061 MODERATE about 1 year ago
langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local...
pypi
No PRs yet
Access control vulnerable to user data deletion by anonymous users
GHSA-g5vw-3h65-2q3v CVE-2024-51734 MODERATE about 1 year ago
### Impact
Anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access....
pypi
No PRs yet
changedetection.io Path Traversal
GHSA-cwgg-57xj-g77r CVE-2024-51483 MODERATE about 1 year ago
### Summary
When a WebDriver is used to fetch files source:file:///etc/passwd can be used to retrieve local system files, where the more traditiona...
pypi
No PRs yet
langflow has vulnerability in PythonCodeTool component
GHSA-56m6-4mhw-h3g5 CVE-2024-42835 HIGH about 1 year ago
langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.
pypi
No PRs yet
Lollms vulnerable to Cross-site Scripting
GHSA-cm59-8rmv-f2cj CVE-2024-6581 MODERATE about 1 year ago
A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to inco...
pypi
No PRs yet
Langchain SQL Injection vulnerability
GHSA-45pg-36p6-83v9 CVE-2024-8309 LOW about 1 year ago
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vul...
pypi
70 Dependabot PRs, 13% merged
Waitress has request processing race condition in HTTP pipelining with invalid first request
GHSA-9298-4cf8-g4wj CVE-2024-49768 CRITICAL about 1 year ago
### Impact
A remote client may send a request that is exactly `recv_bytes` (defaults to 8192) long, followed by a secondary request using HTTP pip...
pypi
54 Dependabot PRs, 31% merged
Waitress vulnerable to DoS leading to high CPU usage/resource exhaustion
GHSA-3f84-rpwh-47g6 CVE-2024-49769 HIGH about 1 year ago
### Impact
When a remote client closes the connection before waitress has had the opportunity to call `getpeername()` waitress won't correctly cle...
pypi
54 Dependabot PRs, 31% merged
MPXJ has a Potential Path Traversal Vulnerability
GHSA-j945-c44v-97g6 CVE-2024-49771 MODERATE about 1 year ago
### Impact
The patch for the historical vulnerability CVE-2020-35460 in MPXJ is incomplete as there is still a possibility that a malicious path co...
maven
nuget
pypi
+1 more
No PRs yet
pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API
GHSA-w7hq-f2pj-c53g CVE-2024-47821 HIGH about 1 year ago
### Summary
The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloa...
pypi
No PRs yet