Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,785 Total Advisories
1,792 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity
Werkzeug possible resource exhaustion when parsing file data in forms
GHSA-q34m-jh98-gwm2 CVE-2024-49767 MODERATE about 1 year ago
Applications using Werkzeug to parse `multipart/form-data` requests are vulnerable to resource exhaustion. A specially crafted form body can bypass...
pypi
857 Dependabot PRs, 20% Merged
Werkzeug safe_join not safe on Windows
GHSA-f9vj-2wh5-fj8j CVE-2024-49766 MODERATE about 1 year ago
On Python < 3.11 on Windows, `os.path.isabs()` does not catch UNC paths like `//server/share`. Werkzeug's `safe_join()` relies on this check, and s...
pypi
847 Dependabot PRs, 20% Merged
The Snowflake Connector for Python stores sensitive data in logs
GHSA-5vvg-pvhp-hv2m CVE-2024-49750 MODERATE about 1 year ago
### Issue
Snowflake recently learned about and remediated a set of vulnerabilities in the Snowflake Connector for Python. Under specific conditions...
pypi
No PRs yet
curl_cffi bundles a version of libcurl affected by High Severity vulnerability
GHSA-3vpc-4p9p-47hc HIGH about 1 year ago
### Summary
curl_cffi is potentially affected by a High Severity vulnerability (CVE-2023-38545) in libcurl<8.4.0
### Details
HIGH severity vulnerabi...
pypi
No PRs yet
Flair allows arbitrary code execution
GHSA-9rw2-jf8x-cgwm CVE-2024-10073 MODERATE about 1 year ago
A vulnerability, which was classified as critical, was found in flairNLP flair 0.14.0. Affected is the function ClusteringModel of the file flair\m...
pypi
6 Dependabot PRs, 50% Merged
Exiv2 has a denial of service due to unbounded recursion in QuickTimeVideo::multipleEntriesDecoder
GHSA-crmj-qh74-2r36 CVE-2024-25112 MODERATE about 1 year ago
### Impact
A denial-of-service was found in Exiv2 version v0.28.1: an unbounded recursion can cause Exiv2 to crash by exhausting the stack. The vul...
pypi
No PRs yet
Exiv2 has an out-of-bounds read in QuickTimeVideo::NikonTagsDecoder
GHSA-g9xm-7538-mq8w CVE-2024-24826 MODERATE about 1 year ago
### Impact
An out-of-bounds read was found in Exiv2 version v0.28.1. The vulnerable function, `QuickTimeVideo::NikonTagsDecoder`, was new in v0.28....
pypi
No PRs yet
MySQL Connector/Python connector takeover vulnerability
GHSA-hgjp-83m4-h4fj CVE-2024-21272 HIGH about 1 year ago
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/Python). Supported versions that are affected are 9.0.0 and pr...
pypi
No PRs yet
Starlette Denial of service (DoS) via multipart/form-data
GHSA-f96h-pmfr-66vw CVE-2024-47874 HIGH about 1 year ago
### Summary
Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size li...
pypi
136 Dependabot PRs, 23% Merged
changedetection.io has a Server Side Template Injection using Jinja2 which allows Remote Command Execution
GHSA-4r7v-whpg-8rx3 CVE-2024-32651 CRITICAL about 1 year ago
### Summary
A Server Side Template Injection in changedetection.io caused by usage of unsafe functions of Jinja2 allows Remote Command Execution on...
pypi
No PRs yet
OpenCanary Executes Commands From Potentially Writable Config File
GHSA-pf5v-pqfv-x8jj CVE-2024-48911 MODERATE about 1 year ago
### Impact
OpenCanary directly executed commands taken from its config file. Where the config file is stored in an unprivileged user directory but...
pypi
No PRs yet
Lord of Large Language Models (LoLLMs) path traversal vulnerability in the api open_personality_folder endpoint
GHSA-6h64-g7cj-hj56 CVE-2024-6985 MODERATE about 1 year ago
A path traversal vulnerability exists in the api open_personality_folder endpoint of parisneo/lollms. This vulnerability allows an attacker to read...
pypi
No PRs yet
Lord of Large Language Models (LoLLMs) Server path traversal vulnerability in lollms_file_system.py
GHSA-7pgr-32fx-c6x9 CVE-2024-6971 LOW about 1 year ago
A path traversal vulnerability exists in the ParisNeo/lollms repository, specifically in the `lollms_file_system.py` file. The functions `add_rag_d...
pypi
No PRs yet
Gradio's dropdown component pre-process step does not limit the values to those in the dropdown list
GHSA-26jh-r8g2-6fpr LOW about 1 year ago
### Impact
**What kind of vulnerability is it? Who is impacted?**
This vulnerability is a **data validation issue** in the Gradio `Dropdown` compo...
pypi
No PRs yet
Gradio has an XSS on every Gradio server via upload of HTML files, JS files, or SVG files
GHSA-gvv6-33j7-884g CVE-2024-47872 MODERATE about 1 year ago
### Impact
**What kind of vulnerability is it? Who is impacted?**
This vulnerability involves **Cross-Site Scripting (XSS)** on any Gradio serve...
pypi
No PRs yet
Gradio uses insecure communication between the FRP client and server
GHSA-279j-x4gx-hfrh CVE-2024-47871 HIGH about 1 year ago
### Impact
**What kind of vulnerability is it? Who is impacted?**
This vulnerability involves **insecure communication** between the FRP (Fast R...
pypi
No PRs yet
Gradio has a race condition in update_root_in_config may redirect user traffic
GHSA-xh2x-3mrm-fwqm CVE-2024-47870 HIGH about 1 year ago
### Impact
**What kind of vulnerability is it? Who is impacted?**
This vulnerability involves a **race condition** in the `update_root_in_config...
pypi
No PRs yet
Gradio performs a non-constant-time comparison when comparing hashes
GHSA-j757-pf57-f8r4 CVE-2024-47869 MODERATE about 1 year ago
### Impact
**What kind of vulnerability is it? Who is impacted?**
This vulnerability involves a **timing attack** in the way Gradio compares has...
pypi
No PRs yet
Gradio has several components whose post-process steps allow arbitrary file leaks
GHSA-4q3c-cj7g-jcwf CVE-2024-47868 MODERATE about 1 year ago
### Impact
**What kind of vulnerability is it? Who is impacted?**
This is a **data validation vulnerability** affecting several Gradio components,...
pypi
No PRs yet
Gradio lacks integrity checking on the downloaded FRP client
GHSA-8c87-gvhj-xm8m CVE-2024-47867 HIGH about 1 year ago
### Impact
This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce m...
pypi
No PRs yet
In Gradio, the `enable_monitoring` flag set to `False` does not disable monitoring
GHSA-hm3c-93pg-4cxw CVE-2024-47168 LOW about 1 year ago
### Impact
What kind of vulnerability is it? Who is impacted?
This vulnerability involves data exposure due to the enable_monitoring flag not prop...
pypi
No PRs yet
Gradio vulnerable to SSRF in the path parameter of /queue/join
GHSA-576c-3j53-r9jj CVE-2024-47167 MODERATE about 1 year ago
### Impact
**What kind of vulnerability is it? Who is impacted?**
This vulnerability relates to **Server-Side Request Forgery (SSRF)** in the `/...
pypi
No PRs yet
Gradio has a one-level read path traversal in `/custom_component`
GHSA-37qc-qgx6-9xjv CVE-2024-47166 MODERATE about 1 year ago
### Impact
**What kind of vulnerability is it? Who is impacted?**
This vulnerability involves a **one-level read path traversal** in the `/custo...
pypi
No PRs yet
Gradio's CORS origin validation accepts the null origin
GHSA-89v2-pqfv-c5r9 CVE-2024-47165 MODERATE about 1 year ago
### Impact
**What kind of vulnerability is it? Who is impacted?**
This vulnerability relates to **CORS origin validation accepting a null origin**...
pypi
No PRs yet
Gradio's `is_in_or_equal` function may be bypassed
GHSA-77xq-6g77-h274 CVE-2024-47164 MODERATE about 1 year ago
### Impact
**What kind of vulnerability is it? Who is impacted?**
This vulnerability relates to the **bypass of directory traversal checks** withi...
pypi
No PRs yet
Gradio's CORS origin validation is not performed when the request has a cookie
GHSA-3c67-5hwx-f6wx CVE-2024-47084 HIGH about 1 year ago
### Impact
**What kind of vulnerability is it? Who is impacted?**
This vulnerability is related to **CORS origin validation**, where the Gradio se...
pypi
No PRs yet
open-webui allows enumeration of file names and traversal of directories by observing the error messages
GHSA-mq92-jr35-ffpc CVE-2024-7038 LOW about 1 year ago
An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature unde...
pypi
No PRs yet
open-webui allows writing and deleting arbitrary files
GHSA-54f4-v6v9-9q82 CVE-2024-7037 MODERATE about 1 year ago
In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized ...
pypi
No PRs yet
open-webui Insecure Direct Object Reference (IDOR) vulnerability
GHSA-xcvc-5hgv-phqg CVE-2024-7041 MODERATE about 1 year ago
An Insecure Direct Object Reference (IDOR) vulnerability exists in open-webui/open-webui version v0.3.8. The vulnerability occurs in the API endpoi...
pypi
No PRs yet
DeepSpeed Remote Code Execution Vulnerability
GHSA-8cp5-3rf8-8gfh CVE-2024-43497 HIGH about 1 year ago
DeepSpeed Remote Code Execution Vulnerability
pypi
No PRs yet
xhtml2pdf Denial of Service via crafted string
GHSA-jj5c-hhrg-vv5h CVE-2024-25885 MODERATE about 1 year ago
An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13 allows attackers to cause a Regular expression Denial of Service (ReDOS) via sup...
pypi
No PRs yet
Django vulnerable to denial-of-service attack via the urlize() and urlizetrunc() template filters
GHSA-5hgc-2vfp-mqvc CVE-2024-45230 MODERATE about 1 year ago
An issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9, and 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters are su...
pypi
98 Dependabot PRs, 17% Merged
Django allows enumeration of user e-mail addresses
GHSA-rrqc-c2jx-6jgv CVE-2024-45231 MODERATE about 1 year ago
An issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The django.contrib.auth.forms.PasswordResetForm class, when used in a view implement...
pypi
121 Dependabot PRs, 17% Merged
OpenStack Ironic fails to verify checksums of supplied image_source URLs
GHSA-8h22-6qwx-q4w9 CVE-2024-47211 MODERATE about 1 year ago
In OpenStack Ironic before 21.4.4, 22.x and 23.x before 23.0.3, 23.x and 24.x before 24.1.3, and 25.x and 26.x before 26.1.0, there is a lack of ch...
pypi
No PRs yet
Inventree Server-Side Request Forgery vulnerability exposes server port/internal IP
GHSA-vx3h-qwqw-r2wq MODERATE about 1 year ago
### Impact
The "download image from remote URL" feature can be abused by a malicious actor to potentially extract information about server side re...
pypi
No PRs yet
RestrictedPython information leakage via `AttributeError.obj` and the `string` module
GHSA-5rfv-66g4-jr8h CVE-2024-47532 HIGH about 1 year ago
### Impact
A user can gain access to protected (and potentially sensitive) information indirectly via `AttributeError.obj` and the `string` module.
...
pypi
1 Dependabot PR
Inefficient Regular Expression Complexity in langflow
GHSA-355v-2rjx-fpx7 CVE-2024-9277 MODERATE about 1 year ago
A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the fil...
pypi
No PRs yet
Gradio allows users to access arbitrary files
GHSA-m842-4qm8-7gpq CRITICAL about 1 year ago
### Impact
This vulnerability allows users of Gradio applications that have a public link (such as on Hugging Face Spaces) to access files on the m...
pypi
No PRs yet
Heap-based Buffer Overflow in sqlite-vec
GHSA-vrcx-gx3g-j3h8 CVE-2024-46488 HIGH about 1 year ago
sqlite-vec v0.1.1 was discovered to contain a heap buffer overflow via the npy_token_next function. This vulnerability allows attackers to cause a ...
cargo, npm, pypi, +1 more
No PRs yet
Cross-Site Request Forgery (CSRF) in strawberry-graphql
GHSA-79gp-q4wv-33fr CVE-2024-47082 MODERATE about 1 year ago
### Impact
Multipart file upload support as defined in the [GraphQL multipart request specification](https://github.com/jaydenseric/graphql-multip...
pypi
No PRs yet
OAuth2 client ID and secret exposed through the web browser
GHSA-jm9x-rx9x-wpqj CVE-2024-9014 HIGH about 1 year ago
pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially ...
pypi
No PRs yet
Prevent XSS from Confidant API call
GHSA-rxq8-q85f-m866 CVE-2024-45793 MODERATE about 1 year ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
Potential XSS from API calls below:
GET <app>/v1/credentials
GET <app>/v1/credentia...
pypi
No PRs yet
Reverb use after free vulnerability
GHSA-w69q-w4h4-2fx8 CVE-2024-8375 MODERATE about 1 year ago
There exists a use after free vulnerability in Reverb. Reverb supports the VARIANT datatype, which is supposed to represent an arbitrary object in ...
pypi
No PRs yet
LangChain Experimental Eval Injection vulnerability
GHSA-p2qj-r53j-h3xj CVE-2024-46946 CRITICAL about 1 year ago
langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sym...
pypi
No PRs yet
Mesop has a local file Inclusion via static file serving functionality
GHSA-pmv9-3xqp-8w42 CVE-2024-45601 HIGH about 1 year ago
A vulnerability has been discovered and fixed in Mesop that could potentially allow unauthorized access to files on the server hosting the Mesop ap...
pypi
No PRs yet
Guardrails has an arbitrary code execution vulnerability
GHSA-w392-75q8-vr67 CVE-2024-45858 HIGH about 1 year ago
An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it val...
pypi
No PRs yet
sqlitedict insecure deserialization vulnerability
GHSA-g4r7-86gm-pgqc CVE-2024-35515 HIGH about 1 year ago
Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code.
pypi
No PRs yet
Heap-based Buffer Overflow in MicroPython
GHSA-74qm-4v7r-jw2f CVE-2024-8946 MODERATE about 1 year ago
A vulnerability was found in MicroPython 1.23.0. It has been classified as critical. Affected is the function mp_vfs_umount of the file extmod/vfs....
pypi
No PRs yet
Use After Free in MicroPython
GHSA-pwwp-3q7j-9mx8 CVE-2024-8947 MODERATE about 1 year ago
A vulnerability was found in MicroPython 1.22.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of th...
pypi
No PRs yet
heap-buffer-overflow in MicroPython
GHSA-vh3x-525m-jp4r CVE-2024-8948 MODERATE about 1 year ago
A vulnerability was found in MicroPython 1.23.0. It has been rated as critical. Affected by this issue is the function mpz_as_bytes of the file py/...
pypi
No PRs yet