Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

RSS Feed

24,785

Total Advisories

1,792

With Dependabot PRs

3,506

Critical Severity

8,617

High Severity

Clear All Filters
vLLM Denial of Service via the best_of parameter
GHSA-wc36-9694-f9rf CVE-2024-8939 MODERATE about 1 year ago
A vulnerability was found in the ilab model serve component, where improper handling of the best_of parameter in the vllm JSON web API can lead to ...
pypi
No PRs yet
vLLM denial of service vulnerability
GHSA-w2r7-9579-27hf CVE-2024-8768 HIGH about 1 year ago
A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service.
pypi
No PRs yet
Sentry improperly authorizes muting of alert rules
GHSA-v345-w9f2-mpm5 CVE-2024-45606 HIGH about 1 year ago
### Impact An authenticated user can mute alert rules from arbitrary organizations and projects given a known given rule ID. The user does not need...
pypi
No PRs yet
Sentry improperly authorizes deletion of user issue alert notifications
GHSA-54m3-95j9-v89j CVE-2024-45605 HIGH about 1 year ago
### Impact An authenticated user may delete user issue alert notifications for arbitrary users given a known alert ID. ### Patches A patch was is...
pypi
No PRs yet
LangChain pickle deserialization of untrusted data
GHSA-f2jm-rw3h-6phg CVE-2024-5998 HIGH about 1 year ago
A vulnerability in the `FAISS.deserialize_from_bytes` function of langchain-ai/langchain allows for pickle deserialization of untrusted data. This ...
pypi
No PRs yet
Aim Stored XSS through TEXT EXPLORER
GHSA-pmhg-f7wc-c97m CVE-2024-8863 MODERATE about 1 year ago
A vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the...
pypi
No PRs yet
Composio Path Traversal vulnerability
GHSA-66r2-xm28-74w9 CVE-2024-8865 MODERATE about 1 year ago
A vulnerability was found in composiohq composio up to 0.5.8 and classified as problematic. Affected by this issue is the function path of the file...
pypi
No PRs yet
D-Tale Command Execution Vulnerability
GHSA-fg5m-m723-7mv6 CVE-2024-8862 MODERATE about 1 year ago
D-Tale is the combination of a Flask back-end and a React front-end to bring you an easy way to view & analyze Pandas data structures. In dtale\vie...
pypi
No PRs yet
Composio Code Injection Vulnerability
GHSA-mrmh-3hqh-pfw7 CVE-2024-8864 MODERATE about 1 year ago
A vulnerability has been found in composiohq composio up to 0.5.6 and classified as critical. Affected by this vulnerability is the function Calcul...
pypi
No PRs yet
Ansible vulnerable to Insertion of Sensitive Information into Log File
GHSA-jpxc-vmjf-9fcj CVE-2024-8775 HIGH about 1 year ago
A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbo...
pypi
No PRs yet
LiteLLM Server-Side Request Forgery (SSRF) vulnerability
GHSA-g26j-5385-hhw3 CVE-2024-6587 HIGH about 1 year ago
A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_b...
pypi
No PRs yet
MindsDB Deserialization of Untrusted Data vulnerability
GHSA-7vhj-pfwv-hx3w CVE-2024-45852 HIGH about 1 year ago
Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run ar...
pypi
No PRs yet
Cleanlab Deserialization of Untrusted Data vulnerability
GHSA-8cm9-rrgc-4pcj CVE-2024-45857 HIGH about 1 year ago
Deserialization of untrusted data can occur in versions 2.4.0 or newer of the Cleanlab project, enabling a maliciously crafted datalab.pkl file to ...
pypi
No PRs yet
MindsDB Deserialization of Untrusted Data vulnerability
GHSA-7vhh-gfjc-x8rm CVE-2024-45854 HIGH about 1 year ago
Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ mode...
pypi
No PRs yet
MindsDB Cross-site Scripting vulnerability
GHSA-32fj-r8qw-r8w8 CVE-2024-45856 MODERATE about 1 year ago
A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever ...
pypi
No PRs yet
MindsDB Deserialization of Untrusted Data vulnerability
GHSA-fr9q-rgwq-g5r5 CVE-2024-45855 HIGH about 1 year ago
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ mode...
pypi
No PRs yet
MindsDB Deserialization of Untrusted Data vulnerability
GHSA-q9r8-89xr-4xv4 CVE-2024-45853 HIGH about 1 year ago
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ mode...
pypi
No PRs yet
MindsDB Eval Injection vulnerability
GHSA-wf9g-c67g-h4ch CVE-2024-45851 HIGH about 1 year ago
An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integr...
pypi
No PRs yet
Refuel Autolab Eval Injection vulnerability
GHSA-g2m8-f3x2-qprw CVE-2024-27320 HIGH about 1 year ago
An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification ...
pypi
No PRs yet
Refuel Autolab Eval Injection vulnerability
GHSA-4fgp-7vvm-m4jf CVE-2024-27321 HIGH about 1 year ago
An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel clas...
pypi
No PRs yet
MindsDB Eval Injection vulnerability
GHSA-crmg-rp64-5cm3 CVE-2024-45847 HIGH about 1 year ago
An arbitrary code execution vulnerability exists in versions 23.11.4.2 up to 24.7.4.1 of the MindsDB platform, when one of several integrations is ...
pypi
No PRs yet
MindsDB Eval Injection vulnerability
GHSA-v6g6-3cm3-vf6c CVE-2024-45850 HIGH about 1 year ago
An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integr...
pypi
No PRs yet
MindsDB Eval Injection vulnerability
GHSA-c85f-pcx6-2ghm CVE-2024-45849 HIGH about 1 year ago
An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integr...
pypi
No PRs yet
MindsDB Eval Injection vulnerability
GHSA-wcjw-3v6p-4v3r CVE-2024-45846 HIGH about 1 year ago
An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is ins...
pypi
No PRs yet
MindsDB Eval Injection vulnerability
GHSA-9gq6-6936-885w CVE-2024-45848 HIGH about 1 year ago
An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the ChromaDB integration is ins...
pypi
No PRs yet
Sensitive Information Exposure Through Insecure Logging For Secrets Like Metadata.DockerBuildArgs
GHSA-rjc6-vm4h-85cg MODERATE about 1 year ago
### Summary The AWS Serverless Application Model (SAM) CLI is an open source tool that allows customers to build, deploy and test their serverless ...
pypi
No PRs yet
AWS SageMaker Training Toolkit logs CodeArtifact Authorization token
GHSA-635v-pc42-fr74 MODERATE about 1 year ago
## Description For SageMaker Training Toolkit[1] versions 4.7.4; 4.7.3; 4.7.2; 4.7.1; 4.7.0, the authorization tokens for CodeArtifact (temporary t...
pypi
No PRs yet
AutoGPT bypass of the shell commands denylist settings
GHSA-g84q-54hf-36rg CVE-2024-6091 CRITICAL about 1 year ago
A vulnerability in significant-gravitas/autogpt version 0.5.1 allows an attacker to bypass the shell commands denylist settings. The issue arises w...
pypi
No PRs yet
D-Tale vulnerable to Remote Code Execution through the Query input on Chart Builder
GHSA-pw44-4h99-wqff CVE-2024-45595 MODERATE about 1 year ago
### Impact Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. ### Pa...
pypi
No PRs yet
pyload-ng vulnerable to RCE with js2py sandbox escape
GHSA-r9pp-r4xf-597r CVE-2024-39205 CRITICAL about 1 year ago
### Summary Any pyload-ng running under python3.11 or below are vulnerable under RCE. Attacker can send a request containing any shell command and ...
pypi
No PRs yet
Apache Airflow vulnerable to Improper Encoding or Escaping of Output
GHSA-c392-whpc-vfpr CVE-2024-45498 HIGH about 1 year ago
Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with...
pypi
No PRs yet
Apache Airflow vulnerable to Execution with Unnecessary Privileges
GHSA-92xg-gmrq-5c3w CVE-2024-45034 HIGH about 1 year ago
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by t...
pypi
No PRs yet
HTML injection in JupyterLite leading to DOM Clobbering
GHSA-gj55-2xf9-67rq MODERATE about 1 year ago
### Impact The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab pr...
pypi
No PRs yet
H2O.ai H2O vulnerable to deserialization attacks via a JDBC Connection URL
GHSA-hrmc-jmp7-mpm2 CVE-2024-45758 CRITICAL about 1 year ago
H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution...
maven pypi
No PRs yet
MindsDB Vulnerable to Bypass of SSRF Protection with DNS Rebinding
GHSA-4jcv-vp96-94xr CVE-2024-24759 HIGH about 1 year ago
### Summary DNS rebinding is a method of manipulating resolution of domain names to let the initial DNS query hits an address and the second hits ...
pypi
No PRs yet
Flask-AppBuilder's login form allows browser to cache sensitive fields
GHSA-fw5r-6m3x-rh7p CVE-2024-45314 MODERATE about 1 year ago
### Impact Auth DB login form default cache directives allows browser to locally store sensitive data. This can be an issue on environments using s...
pypi
No PRs yet
Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine
GHSA-c34r-238x-f7qx CVE-2024-45053 HIGH about 1 year ago
### Summary The Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-S...
pypi
No PRs yet
Timing-Based Username Enumeration Vulnerability in Fides Webserver Authentication
GHSA-2h46-8gf5-fmxv CVE-2024-45052 LOW about 1 year ago
A timing-based username enumeration vulnerability has been identified in Fides Webserver authentication. This vulnerability allows an unauthenticat...
pypi
No PRs yet
Indico has a Cross-Site-Scripting during account creation
GHSA-rrqf-w74j-24ff CVE-2024-45399 MODERATE about 1 year ago
### Impact There is a Cross-Site-Scripting vulnerability during account creation when redirecting after the account has been successfully created. ...
pypi
No PRs yet
pyca/cryptography has a vulnerable OpenSSL included in cryptography wheels
GHSA-h4gh-qq45-vh27 MODERATE about 1 year ago
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-43.0.0 are vulnerab...
pypi
No PRs yet
`spam` project on PyPI compromised, malicious releases made
GHSA-2r6g-7r83-jg72 HIGH about 1 year ago
The `spam` project on PyPI was taken over via user account compromise via a phishing attack and a new malicious release made which contained code w...
pypi
No PRs yet
opencv-python bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863
GHSA-qr4w-53vh-m672 HIGH about 1 year ago
opencv-python versions before v4.8.1.78 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. opencv-python v4.8.1.78 upgrades t...
pypi
No PRs yet
opencv-contrib-python bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863
GHSA-cxjf-x6jp-p7mc HIGH about 1 year ago
opencv-contrib-python versions before v4.8.1.78 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. opencv-contrib-python v4.8...
pypi
No PRs yet
opencv-python-headless bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863
GHSA-jh2j-j4j9-crg3 HIGH about 1 year ago
opencv-python-headless versions before v4.8.1.78 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. opencv-python-headless v4...
pypi
No PRs yet
opencv-contrib-python-headless bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863
GHSA-w2pj-9cgh-mq2c HIGH about 1 year ago
opencv-contrib-python-headless versions before v4.8.1.78 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. opencv-contrib-py...
pypi
No PRs yet
gratient 0.5 contains credential harvesting code
GHSA-xm4r-5rj9-2pg3 HIGH about 1 year ago
gratient is a user-facing library for generating color gradients of text. Version 0.5 contained obfuscated, malicious code targeting Windows platfo...
pypi
No PRs yet
`exotel` project on PyPI compromised, malicious release made
GHSA-x6xg-3fj2-4pq3 HIGH about 1 year ago
The exotel project on PyPI was taken over via user account compromise via a phishing attack and a new malicious release made which contained code w...
pypi
No PRs yet
Adyen APIs Library for Python timing attack vulnerability
GHSA-f3q4-ggfp-jv34 MODERATE about 1 year ago
Adyen has utility methods for validating notification HMAC signatures. The `is_valid_hmac` and `is_valid_hmac_notification` methods are vulnerable ...
pypi
No PRs yet
GeoServer style upload functionality vulnerable to XML External Entity (XXE) injection
GHSA-mcmc-c59m-pqq8 CVE-2023-26043 HIGH about 1 year ago
### Summary GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary Fil...
pypi
No PRs yet
LTI 1.3 Grade Pass Back Implementation has Missing Authorization Vulnerability
GHSA-7j9p-67mm-5g87 CVE-2023-23611 LOW about 1 year ago
### Problem TL;DR: Any LTI tool that is integrated with on the Open edX platform can post a grade back for any LTI XBlock so long as it knows or ca...
pypi
No PRs yet