An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

nanopb vulnerable to invalid free() call with oneofs and PB_ENABLE_MALLOC
GHSA-7mv5-5mxh-qg88 CVE-2021-21401 HIGH about 1 year ago
### Impact Decoding a specifically formed message can cause invalid `free()` or `realloc()` calls if the message type contains an `oneof` field, an...
pypi
No PRs yet
freewvs vulnerable to denial of service through large files
GHSA-9cfv-9463-8gqv CVE-2020-15100 LOW about 1 year ago
### Impact A user could create a large file that freewvs will try to read, which will terminate a scan process. ### Patches This has been patched ...
pypi
No PRs yet
freewvs's nested directory structure can interrupt scan
GHSA-7pmh-vrww-25xx CVE-2020-15101 LOW about 1 year ago
### Impact A directory structure of more than 1000 nested directories can interrupt a freewvs scan due to Python's recursion limit and os.walk(). T...
pypi
No PRs yet
Hyperledger Indy's update process of a DID does not check who signs the request
GHSA-wh2w-39f4-rpv2 CVE-2020-11093 HIGH about 1 year ago
# Name Updating a DID with a nym transaction will be written to the ledger if neither ROLE nor VERKEY are being changed, regardless of sender. # De...
pypi
No PRs yet
HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering
GHSA-9q39-rmj3-p4r2 CVE-2024-43805 HIGH over 1 year ago
### Impact The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab pr...
pypi
No PRs yet
Taipy has a Session Cookie without Secure and HTTPOnly flags
GHSA-r3jq-4r5c-j9hp CVE-2024-47833 MODERATE over 1 year ago
### Summary Session cookie is without Secure and HTTPOnly flags. ### Details Please take a look at this part of code (PoC screenshot) or check cod...
pypi
No PRs yet
Taipy 3.1.1 affected by CVEs on flask-core and pymongo
GHSA-pp84-v3mw-gg4w HIGH over 1 year ago
### Summary Indirect CVEs affect Taipy 3.1.1 ### Details Taipy 3.1.1 is affected by two existing CVEs: CVE-2024-1681 affects flask-core <4.0.1 and...
pypi
No PRs yet
FastAPI Admin Cross-site Scripting vulnerability in the Config-Create function
GHSA-grqx-r2q2-j425 CVE-2024-42818 MODERATE over 1 year ago
A cross-site scripting (XSS) vulnerability in the Config-Create function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scri...
pypi
No PRs yet
FastAPI Admin cross-site scripting (XSS) vulnerability in the Create Product function
GHSA-22xm-w7r2-834q CVE-2024-42816 MODERATE over 1 year ago
A cross-site scripting (XSS) vulnerability in the Create Product function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scr...
pypi
No PRs yet
Mage AI Path Traversal vulnerability
GHSA-4mrc-w7jh-hx4j CVE-2024-45190 MODERATE over 1 year ago
Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "Pipeline Interactio...
pypi
No PRs yet
Mage AI incorrectly gives privileges to users with deleted accounts
GHSA-jg95-r9xh-xw9c CVE-2024-45187 MODERATE over 1 year ago
Guest users in the Mage AI framework that remain logged in after their accounts are deleted are mistakenly given high privileges and specifically ...
pypi
No PRs yet
Mage AI Path Traversal vulnerability
GHSA-v9wr-8wrm-h6p7 CVE-2024-45188 MODERATE over 1 year ago
Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "File Content" request
pypi
No PRs yet
Mage AI Path Traversal vulnerability
GHSA-cgxv-795x-3vqr CVE-2024-45189 MODERATE over 1 year ago
Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "Git Content" request
pypi
No PRs yet
pretix Stored Cross-site Scripting vulnerability
GHSA-45rp-q25w-4426 CVE-2024-8113 HIGH over 1 year ago
Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on s...
pypi
No PRs yet
LlamaIndex includes an exec call for `import {cls_name}`
GHSA-fxc2-8m62-m85x CVE-2024-45201 CRITICAL over 1 year ago
An issue was discovered in llama_index before 0.10.38. `download/integration.py` includes an exec call for `import {cls_name}`.
pypi
No PRs yet
Mage AI allows remote unauthenticated attackers to leak the terminal server command history of arbitrary users
GHSA-cgrq-wvfj-v28j CVE-2024-8072 MODERATE over 1 year ago
Mage AI allows remote unauthenticated attackers to leak the terminal server command history of arbitrary users.
pypi
No PRs yet
Apache Airflow Cross-site Scripting Vulnerability
GHSA-w7cp-g8v7-r54m CVE-2024-41937 MODERATE over 1 year ago
Apache Airflow, versions before 2.10.0, have a vulnerability that allows the developer of a malicious provider to execute a cross-site scripting at...
pypi
No PRs yet
Potential access to sensitive URLs via CKAN extensions (SSRF)
GHSA-g9ph-j5vj-f8wm CVE-2024-43371 MODERATE over 1 year ago
### Impact There are a number of CKAN plugins, including [XLoader](https://github.com/ckan/ckanext-xloader), [DataPusher](https://github.com/ckan/...
pypi
No PRs yet
CKAN has Cross-site Scripting vector in the Datatables view plugin
GHSA-r3jc-vhf4-6v32 CVE-2024-41675 MODERATE over 1 year ago
The [Datatables view plugin](https://docs.ckan.org/en/2.10/maintaining/data-viewer.html#datatables-view) did not properly escape record data coming...
pypi
No PRs yet
CKAN may leak Solr credentials via error message in package_search action
GHSA-2rqw-cfhc-35fh CVE-2024-41674 MODERATE over 1 year ago
If there were connection issues with the Solr server, the internal Solr URL (potentially including credentials) could be leaked to `package_search`...
pypi
No PRs yet
Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature)
GHSA-cf72-vg59-4j4h CVE-2024-43396 MODERATE over 1 year ago
### Summary The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS. ### Details Th...
pypi
No PRs yet
Mobile Security Framework (MobSF) has a Zip Slip Vulnerability in .a Static Library Files
GHSA-4hh3-vj32-gr6j CVE-2024-43399 HIGH over 1 year ago
### Summary Upon reviewing the MobSF source code, I identified a flaw in the Static Libraries analysis section. Specifically, during the extraction...
pypi
No PRs yet
Flask-CORS allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default
GHSA-hxwh-jpp2-84pm CVE-2024-6221 HIGH over 1 year ago
A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default,...
pypi
797 Dependabot PRs (12% merged)
WebOb's location header normalization during redirect leads to open redirect
GHSA-mg3v-6m49-jhp3 CVE-2024-42353 MODERATE over 1 year ago
### Impact When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be re...
pypi
9 Dependabot PRs (33% merged)
Path traversal in Streamlit on Windows
GHSA-rxff-vr5r-8cj5 CVE-2024-42474 MODERATE over 1 year ago
### 1. Impacted Products Streamlit Open Source versions before 1.37.0. ### 2. Introduction Snowflake Streamlit open source addressed a security vu...
pypi
No PRs yet
In aiohttp, compressed files as symlinks are not protected from path traversal
GHSA-jwhx-xcg6-8xhj CVE-2024-42367 MODERATE over 1 year ago
### Summary Static routes which contain files with compressed variants (`.gz` or `.br` extension) were vulnerable to path traversal outside the roo...
pypi
No PRs yet
JupyterHub has a privilege escalation vulnerability with the `admin:users` scope
GHSA-9x4q-3gxw-849f CVE-2024-41942 HIGH over 1 year ago
### Summary If a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. ### Deta...
pypi
No PRs yet
Open WebUI Stored Cross-Site Scripting Vulnerability
GHSA-5jp3-wp5v-5363 CVE-2024-6706 MODERATE over 1 year ago
Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page.
pypi
No PRs yet
Pulp incorrectly assigns RBAC permissions in tasks that create objects
GHSA-9m5j-4xx9-44j9 CVE-2024-7143 HIGH over 1 year ago
A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses ...
pypi
No PRs yet
Django vulnerable to denial-of-service attack
GHSA-r836-hh6v-rg5g CVE-2024-41991 MODERATE over 1 year ago
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget ...
pypi
113 Dependabot PRs (16% merged)
Django vulnerable to a denial-of-service attack
GHSA-795c-9xpc-xw6g CVE-2024-41990 MODERATE over 1 year ago
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potentia...
pypi
113 Dependabot PRs (16% merged)
Django SQL injection vulnerability
GHSA-pv4p-cwwg-4rph CVE-2024-42005 CRITICAL over 1 year ago
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. QuerySet.values() and values_list() methods on models with a JSONField ar...
pypi
92 Dependabot PRs (15% merged)
Django memory consumption vulnerability
GHSA-jh75-99hh-qvx9 CVE-2024-41989 MODERATE over 1 year ago
An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The floatformat template filter is subject to significant memory consumpt...
pypi
113 Dependabot PRs (16% merged)
Apache Airflow Providers FAB Insufficient Session Expiration vulnerability
GHSA-62qf-qm3g-fvcw CVE-2024-42447 LOW over 1 year ago
Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used w...
pypi
No PRs yet
openstack-heat may disclose sensitive information
GHSA-2fqr-cx7q-3ph8 CVE-2024-7319 MODERATE over 1 year ago
An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may possibly be disclosed through the OpenStack stack abando...
pypi
No PRs yet
PheonixAppAPI has visible Encoding Maps
GHSA-258h-f687-4226 CVE-2024-41951 MODERATE over 1 year ago
### Impact This is a kind of moderate issue. The impact is not big for normal users but can be for users who want to secure their code/files/etc. ...
pypi
No PRs yet
MobSF vulnerable to Open Redirect in Login Redirect
GHSA-8m9j-2f32-2vx4 CVE-2024-41955 MODERATE over 1 year ago
### Impact _What kind of vulnerability is it? Who is impacted?_ An open redirect vulnerability exists in the MobSF authentication view. PoC 1. Go to ...
pypi
No PRs yet
Insecure Jinja2 templates rendered in Haystack Components can lead to RCE
GHSA-hx9v-6r9f-w677 CVE-2024-41950 HIGH over 1 year ago
### Impact Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Componen...
pypi
No PRs yet
Weave server API vulnerable to arbitrary file leak
GHSA-r49h-6qxq-624f CVE-2024-7340 HIGH over 1 year ago
The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to travers...
pypi
No PRs yet
TensorFlow has segfault in array_ops.upper_bound
GHSA-gjh7-xx4r-x345 CVE-2023-33976 HIGH over 1 year ago
### Impact `array_ops.upper_bound` causes a segfault when not given a rank 2 tensor. ### Patches We have patched the issue in GitHub commit [91588...
pypi
No PRs yet
Aim Stored Cross-site Scripting Vulnerability
GHSA-p9f2-jg9w-cx69 CVE-2024-6578 MODERATE over 1 year ago
A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization ...
pypi
No PRs yet
Twisted vulnerable to HTML injection in HTTP redirect body
GHSA-cf56-g6w6-pqq2 CVE-2024-41810 MODERATE over 1 year ago
### Summary The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability. If application code allows an attacker to control...
pypi
6 Dependabot PRs (33% merged)
twisted.web has disordered HTTP pipeline response
GHSA-c8m8-j448-xjx7 CVE-2024-41671 MODERATE over 1 year ago
### Summary The HTTP 1.0 and 1.1 server provided by twisted.web could process pipelined HTTP requests out-of-order, possibly resulting in informat...
pypi
7 Dependabot PRs (42% merged)
OpenStack Nova vulnerable to unauthorized access to potentially sensitive data
GHSA-rm86-h44c-2r2m CVE-2024-40767 MODERATE over 1 year ago
In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image wit...
pypi
No PRs yet
Sentry vulnerable to stored Cross-Site Scripting (XSS)
GHSA-fm88-hc3v-3www CVE-2024-41656 HIGH over 1 year ago
### Impact An unsanitized payload sent by an Integration platform integration allows the storage of arbitrary HTML tags on the Sentry side. This pa...
pypi
No PRs yet
ops leaking secrets if `subprocess.CalledProcessError` happens with a `secret-*` CLI command
GHSA-hcmv-jmqh-fjgm CVE-2024-41129 MODERATE over 1 year ago
### Summary The issue here is that we pass the secret content as one of the args via CLI. This issue may affect any of our charms that are using: ...
pypi
4 Dependabot PRs
Ankitects Anki LaTeX Blocklist Bypass vulnerability
GHSA-q47p-v5rw-v574 CVE-2024-32152 LOW over 1 year ago
A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. A specially crafted malicious flashcard can lead to an ...
pypi
No PRs yet
Anki Latex Incomplete Blocklist Vulnerability
GHSA-x3r6-ccvq-cf5v CVE-2024-29073 MODERATE over 1 year ago
A vulnerability in the handling of LaTeX exists in Ankitects Anki 24.04. When LaTeX is sanitized to prevent unsafe commands, the verbatim package,...
pypi
No PRs yet
Ankitects Anki arbitrary script execution vulnerability
GHSA-9gq7-p5w9-w899 CVE-2024-26020 HIGH over 1 year ago
An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. A specially crafted flashcard can lead to a ar...
pypi
No PRs yet
Guardrails AI vulnerable to Improper Restriction of XML External Entity Reference
GHSA-f8hx-f4xw-c646 CVE-2024-6961 HIGH over 1 year ago
RAIL documents are an XML-based format invented by Guardrails AI to enforce formatting checks on LLM outputs. Guardrails users that consume RAIL do...
pypi
No PRs yet