Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617
LoLLMS vulnerable to Expected Behavior Violation
GHSA-8mrm-r7h3-c3hj CVE-2024-6281 HIGH over 1 year ago
A path traversal vulnerability exists in the `apply_settings` function of parisneo/lollms versions prior to 9.5.1. The `sanitize_path` function doe...
pypi
No PRs yet
Calibre-Web Cross Site Scripting (XSS)
GHSA-j22r-3rf3-cv25 CVE-2024-39123 MODERATE over 1 year ago
In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization p...
pypi
No PRs yet
[PUNCIA] [CWE-319] Cleartext Transmission of Sensitive Information via HTTP urls in `API_URLS`
GHSA-rwcj-7jjp-4w38 CVE-2024-41124 LOW over 1 year ago
### Impact
`API_URLS` is utilizing HTTP instead of HTTPS for communication that can lead to issues like Eavesdropping, Data Tampering, Unauthorized...
pypi
No PRs yet
TorchServe gRPC Port Exposure
GHSA-hhpg-v63p-wp7w CVE-2024-35199 HIGH over 1 year ago
### Impact
The two gRPC ports, 7070 and 7071, are not bound to localhost by default, so when TorchServe is launched, these two ...
pypi
No PRs yet
TorchServe vulnerable to bypass of allowed_urls configuration
GHSA-wxcx-gg9c-fwp2 CVE-2024-35198 CRITICAL over 1 year ago
### Impact
TorchServe's check on the allowed_urls configuration can be bypassed if the URL contains characters such as ".." but it does not prevent th...
pypi
No PRs yet
Sentry's Python SDK unintentionally exposes environment variables to subprocesses
GHSA-g92j-qhmh-64v2 CVE-2024-40647 LOW over 1 year ago
### Impact
The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the `env={...
pypi
137 Dependabot PRs (8% merged)
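The Sentry entry above describes a subprocess that still sees the parent's environment even though the caller passed an explicit `env=` mapping. The check below is an added example, not Sentry's code or its fix: it sets a constructed secret in the parent, spawns a Python child with a deliberately minimal mapping, and reports whether the secret crossed over. `SECRET_NAME`, `ONLY_THIS` and the values are assumptions for the demonstration.

```python
import json
import os
import subprocess
import sys

# Constructed name/value standing in for a real secret held by the parent.
SECRET_NAME = "DEMO_DB_PASSWORD"


def minimal_env():
    """The restricted environment we intend the child to receive."""
    env = {"ONLY_THIS": "1"}
    if os.name == "nt":
        # Windows children cannot start without SystemRoot; it carries no secret.
        env["SystemRoot"] = os.environ.get("SystemRoot", r"C:\Windows")
    return env


def child_environment(env):
    """Launch a Python child with exactly `env` and return the mapping it saw."""
    proc = subprocess.run(
        [sys.executable, "-c",
         "import json, os, sys; sys.stdout.write(json.dumps(dict(os.environ)))"],
        env=env, capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


def secret_leaks_to_subprocess():
    """True if a variable set only in this process shows up in a child that
    was started with an explicit env mapping that does not contain it."""
    os.environ[SECRET_NAME] = "hunter2"  # constructed value
    try:
        seen = child_environment(minimal_env())
    finally:
        os.environ.pop(SECRET_NAME, None)
    return SECRET_NAME in seen


if __name__ == "__main__":
    print("leak" if secret_leaks_to_subprocess() else "isolated")
```

Run it inside a process where the SDK, or any other library that monkeypatches `subprocess.Popen`, has already been initialised; a `leak` result means the patched call is merging the parent environment back in. It only exercises the `env=` path: a library that copies secrets into `os.environ` before the call is a different problem and would not be caught here.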
Roundup Cross-site Scripting Vulnerability
GHSA-w8vc-cwv9-wx67 CVE-2024-39124 MODERATE over 1 year ago
In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS.
pypi
No PRs yet
Roundup Cross-site Scripting Vulnerability
GHSA-x37x-qf4v-f54f CVE-2024-39126 MODERATE over 1 year ago
Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents.
pypi
No PRs yet
Roundup Cross-site Scripting Vulnerability
GHSA-xjgw-ghrx-wfff CVE-2024-39125 MODERATE over 1 year ago
Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header.
pypi
No PRs yet
BlastRADIUS also affects eduMFA
GHSA-vhmj-5q9r-mm9g MODERATE over 1 year ago
### Summary
BlastRADIUS (see blastradius.fail for details) also affects eduMFA prior to version 2.2.0, because the Message-Authenticator attributes we...
pypi
No PRs yet
dbt has an implicit override for built-in materializations from installed packages
GHSA-p3f3-5ccg-83xq CVE-2024-40637 LOW over 1 year ago
### Impact
When a user installs a [package](https://docs.getdbt.com/docs/build/packages) in d...
pypi
No PRs yet
Apache Airflow has DAG Author Code Execution possibility in airflow-scheduler
GHSA-g5hv-r743-v8pm CVE-2024-39877 HIGH over 1 year ago
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way tha...
pypi
No PRs yet
Apache Airflow Potential Cross-site Scripting Vulnerability
GHSA-j482-47xf-p25c CVE-2024-39863 MODERATE over 1 year ago
Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provid...
pypi
No PRs yet
Fiona affected by CVE-2023-45853 related to MiniZip madler-zlib
GHSA-q5fm-55c2-v6j9 CRITICAL over 1 year ago
### Summary
Vulnerability scan of fiona shows [CVE-2023-45853](https://nvd.nist.gov/vuln/detail/CVE-2023-45853). The vulnerability is in GDAL, a de...
pypi
No PRs yet
Fiona affected by CVE-2020-14152 related to madler-zlib
GHSA-g4m4-9q4c-mfw6 HIGH over 1 year ago
### Summary
Vulnerability scan of fiona shows [CVE-2020-14152](https://nvd.nist.gov/vuln/detail/CVE-2020-14152). The vulnerability is in libjpeg, a...
pypi
No PRs yet
Apache Superset vulnerable to improper SQL authorization
GHSA-2q6j-vpvr-6pvj CVE-2024-39887 MODERATE over 1 year ago
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, cer...
pypi
No PRs yet
OpaMiddleware does not filter HTTP OPTIONS requests
GHSA-5f5c-8rvc-j8wf CVE-2024-40627 MODERATE over 1 year ago
### Summary
HTTP `OPTIONS` requests are always allowed by `OpaMiddleware`, even when they lack authentication, and are passed through directly to ...
pypi
No PRs yet
langchain-experimental vulnerable to Arbitrary Code Execution
GHSA-cgcg-p68q-3w7v CVE-2024-21513 CRITICAL over 1 year ago
Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from...
pypi
No PRs yet
setuptools vulnerable to Command Injection via package URL
GHSA-cx63-2mw6-8hw5 CVE-2024-6345 HIGH over 1 year ago
A vulnerability in the `package_index` module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions....
pypi
No PRs yet
Malware package cipherbcrypt
GHSA-5grr-72f9-678v HIGH over 1 year ago
Malicious package. Exfiltrated secrets to a target server.
pypi
No PRs yet
Local File Inclusion in Solara
GHSA-9794-pc4r-438w CVE-2024-39903 HIGH over 1 year ago
A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version <1.35.1, which was fixed in version 1.35.1. This vulnerabi...
pypi
No PRs yet
Red-DiscordBot vulnerable to Incorrect Authorization in commands API
GHSA-5jq8-q6rj-9gq4 CVE-2024-39905 MODERATE over 1 year ago
### Impact
Due to a bug in Red's Core API, 3rd-party cogs using the [`@commands.can_manage_channel()`](https://docs.discord.red/en/stable/framewor...
pypi
No PRs yet
Wagtail regular expression denial-of-service via search query parsing
GHSA-jmp3-39vp-fwg8 CVE-2024-39317 HIGH over 1 year ago
### Impact
A bug in Wagtail's [`parse_query_string`](https://docs.wagtail.org/en/stable/topics/search/searching.html#wagtailsearch-query-string-pa...
pypi
4 Dependabot PRs
Django vulnerable to Denial of Service
GHSA-qg2p-9jwr-mmqf CVE-2024-38875 HIGH over 1 year ago
An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service atta...
pypi
20 Dependabot PRs (11% merged)
Django Path Traversal vulnerability
GHSA-9jmf-237g-qf46 CVE-2024-39330 HIGH over 1 year ago
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. Derived classes of the `django.core.files.storage.Storage` base class, wh...
pypi
62 Dependabot PRs (14% merged)
Django vulnerable to Denial of Service
GHSA-f6f8-9mx6-9mx2 CVE-2024-39614 HIGH over 1 year ago
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. `get_supported_language_variant()` was subject to a potential denial-of-s...
pypi
7 Dependabot PRs (14% merged)
Django vulnerable to user enumeration attack
GHSA-x7q2-wr7g-xqmf CVE-2024-39329 MODERATE over 1 year ago
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. The `django.contrib.auth.backends.ModelBackend.authenticate()` method all...
pypi
20 Dependabot PRs (11% merged)
zipp Denial of Service vulnerability
GHSA-jfmj-5v4g-7637 CVE-2024-5569 MODERATE over 1 year ago
A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered w...
pypi
No PRs yet
Aim denial of service vulnerability
GHSA-36h2-g4c8-9xcm CVE-2024-6227 HIGH over 1 year ago
A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to cause an infinite loop by configuring the remote tracking server to point at i...
pypi
No PRs yet
Khoj Open Redirect Vulnerability in Login Page
GHSA-564j-v29w-rqr6 MODERATE over 1 year ago
### Summary
An attacker can use the `next` parameter on the login page to redirect a victim to a malicious page, while masking this using a legit-l...
pypi
No PRs yet
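Two of the entries above fail on URL validation in the same way: the TorchServe allowed_urls check is bypassed by ".." inside the path, and the Khoj login page trusts a `next` parameter that can point off-site. The block below is an added example, not code from either project. It shows a download allowlist that decides on the decoded and normalised path rather than the raw string, and a redirect check that accepts only same-site relative paths. The allowlist format, hostnames and paths are constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed allowlist: (scheme, host, path prefix). Not TorchServe's format.
ALLOWED_SOURCES = [
    ("https", "models.example.com", "/public/"),
]


def _normalize_path(path):
    """Decode once (so %2e%2e is seen as '..') and collapse './' and '../'."""
    decoded = unquote(path or "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    normalized = posixpath.normpath(decoded)
    # normpath drops a trailing '/', keep it so prefix matching stays exact
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def url_allowed(url, allowed=ALLOWED_SOURCES):
    """Allow a fetch only if scheme, host and the *normalised* path all match."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    if "\\" in parts.path or "\x00" in parts.path:
        return False
    host = parts.hostname.lower()          # hostname ignores userinfo tricks
    path = _normalize_path(parts.path)
    for scheme, allowed_host, prefix in allowed:
        if parts.scheme == scheme and host == allowed_host and path.startswith(prefix):
            return True
    return False


def safe_next_url(candidate, default="/"):
    """Return `candidate` only if it is a same-site relative path, else `default`."""
    if not candidate:
        return default
    # Backslashes and control characters are treated as separators by some browsers.
    if any(c in candidate for c in "\\\r\n\t\x00"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:       # absolute URL or protocol-relative //host
        return default
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate
```

The allowlist decodes exactly once, which matches a client that decodes the path before fetching; if the receiving server decodes a second time, `%252e%252e` would get through, so either reject any remaining `%` after one decode or fetch with the normalised path rather than the original string. Note that a prefix match without normalisation is what the advisory describes as bypassable: `/public/../private/` starts with `/public/` as text but not as a path.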
yt-dlp has dependency on potentially malicious third-party code in Douyu extractors
GHSA-3v33-3wmw-3785 LOW over 1 year ago
### Impact
yt-dlp's DouyuTV and DouyuShow extractors used a `cdn.bootcdn.net` URL as a fallback for fetching a component of the crypto-js JavaScrip...
pypi
27 Dependabot PRs (7% merged)
Vanna vulnerable to SQL Injection
GHSA-mwxm-35f8-6vg2 CVE-2024-5753 HIGH over 1 year ago
vanna-ai/vanna version v0.3.4 is vulnerable to SQL injection in some file-critical functions such as `pg_read_file()`. This vulnerability allows un...
pypi
No PRs yet
Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL
GHSA-53q7-4874-24qg CVE-2024-31223 MODERATE over 1 year ago
`SERVER_SIDE_FIDES_API_URL` is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webs...
pypi
No PRs yet
Certifi removes GLOBALTRUST root certificate
GHSA-248v-346w-9cwc CVE-2024-39689 LOW over 1 year ago
Certifi 2024.07.04 removes root certificates from "GLOBALTRUST" from the root store. These are in the process of being removed from Mozilla's trust...
pypi
No PRs yet
OpenStack Cinder, Glance, and Nova vulnerable to arbitrary file access
GHSA-r4v4-w9pv-6fph CVE-2024-32498 HIGH over 1 year ago
An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custo...
pypi
No PRs yet
Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js
GHSA-cvw4-c69g-7v7m CVE-2024-38537 LOW over 1 year ago
### Note
On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not re...
pypi
No PRs yet
yt-dlp File system modification and RCE through improper file-extension sanitization
GHSA-79w7-vh3h-8g4j CVE-2024-38519 HIGH over 1 year ago
### Summary
`yt-dlp` does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folde...
pypi
1 Dependabot PR
Weblate vulnerable to improper sanitization of project backups
GHSA-jfgp-674x-6q4p CVE-2024-39303 LOW over 1 year ago
### Impact
Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on th...
pypi
No PRs yet
Reflected Cross-Site Scripting (XSS) in zenml
GHSA-3434-hc3m-8mmm CVE-2024-5062 MODERATE over 1 year ago
A reflected Cross-Site Scripting (XSS) vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neut...
pypi
No PRs yet
NLTK unsafe deserialization vulnerability
GHSA-cgvx-9447-vcch CVE-2024-39705 HIGH over 1 year ago
NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functional...
pypi
275 Dependabot PRs (17% merged)
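The NLTK entry above is the pickle case: a data package that carries pickled Python code runs it on load. The block below is an added example, not NLTK's code or its fix. It shows why `pickle.loads` on downloaded data is remote code execution, and the standard mitigation when pickle cannot be avoided: a subclass of `pickle.Unpickler` whose `find_class` only resolves an explicit allowlist. The payload is constructed and uses `os.getcwd` as a harmless stand-in for `os.system`; `SAFE_GLOBALS` is an assumed allowlist.

```python
import io
import os
import pickle


class Malicious:
    """Constructed stand-in for attacker-controlled pickle data. Unpickling
    calls the callable named by __reduce__; os.getcwd keeps the demo harmless
    where a real payload would name os.system or similar."""
    def __reduce__(self):
        return (os.getcwd, ())


# Globals the restricted loader may resolve, by module. Anything not listed,
# including everything in os/posix/subprocess/builtins, is refused.
SAFE_GLOBALS = {
    "collections": {"OrderedDict", "defaultdict"},
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if name in SAFE_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data):
    # The pattern the advisory describes: any global named in the stream is
    # imported and, via REDUCE, called with attacker-chosen arguments.
    return pickle.loads(data)


def malicious_payload():
    return pickle.dumps(Malicious())


def demo():
    payload = malicious_payload()
    executed = unsafe_loads(payload) == os.getcwd()   # the loader ran os.getcwd()
    try:
        restricted_loads(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    # Plain containers and primitives need no globals, so they still load.
    benign = restricted_loads(pickle.dumps({"tokens": ["a", "b"], "counts": (1, 2)}))
    return executed, blocked, benign
```

The allowlist approach is only as good as what you put on it: a class with a permissive `__setstate__` or a callable that shells out is just as dangerous as `os.system` once allowed. For data fetched over the network the better design is a format that cannot name code at all (JSON, a schema-validated binary format), with pickle reserved for trusted, integrity-checked artifacts.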
lollms vulnerable to path traversal due to unauthenticated root folder settings change
GHSA-9chm-m6x2-6fvc CVE-2024-6085 HIGH over 1 year ago
A path traversal vulnerability exists in the XTTS server included in the lollms package, version v9.6. This vulnerability arises from the ability t...
pypi
No PRs yet
pytorch-lightning vulnerable to Arbitrary File Write via /v1/runs API endpoint
GHSA-mr7h-w2qc-ffc2 CVE-2024-5980 CRITICAL over 1 year ago
A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting ta...
pypi
9 Dependabot PRs (22% merged)
vanna vulnerable to remote code execution caused by prompt injection
GHSA-rrqq-fv6m-692m CVE-2024-5826 CRITICAL over 1 year ago
In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is...
pypi
No PRs yet
lollms path traversal vulnerability allows overriding of config.yaml file, leading to RCE
GHSA-m45c-v46h-c788 CVE-2024-5824 HIGH over 1 year ago
A path traversal vulnerability in the `/set_personality_config` endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the `conf...
pypi
No PRs yet
h2o vulnerable to unexpected POST request shutting down server
GHSA-58m3-rcvp-f9ww CVE-2024-5979 HIGH over 1 year ago
In h2oai/h2o-3 version 3.46.0, the `run_tool` command in the `rapids` component allows the `main` function of any class under the `water.tools` nam...
pypi
No PRs yet
litellm vulnerable to improper access control in team management
GHSA-qqcv-vg9f-5rr3 CVE-2024-5710 MODERATE over 1 year ago
berriai/litellm version 1.34.34 is vulnerable to improper access control in its team management functionality. This vulnerability allows attackers ...
pypi
No PRs yet
lollms vulnerable to dot-dot-slash path traversal in XTTS server
GHSA-w9qf-83jg-2x6c CVE-2024-6139 HIGH over 1 year ago
A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker to writ...
pypi
No PRs yet
litellm vulnerable to remote code execution based on using eval unsafely
GHSA-gppg-gqw8-wh9g CVE-2024-5751 CRITICAL over 1 year ago
BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_...
pypi
No PRs yet
Directory creation by malicious user in saltstack
GHSA-q27c-j6j9-53w3 CVE-2024-22231 MODERATE over 1 year ago
Syndic cache directory creation is vulnerable to a directory traversal attack in salt project which can lead a malicious attacker to create an arbi...
pypi
No PRs yet
Path traversal in saltstack
GHSA-2qw3-2wv6-p64x CVE-2024-22232 HIGH over 1 year ago
A specially crafted url can be created which leads to a directory traversal in the salt file server.
A malicious user can read an arbitrary file fr...
pypi
No PRs yet
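Path traversal recurs throughout this page: the lollms `sanitize_path`, XTTS server and `/set_personality_config` entries, the Django `Storage` subclass entry, the pytorch-lightning `/v1/runs` tar extraction, the Weblate backup restore, and the two Salt entries (syndic cache directory creation and the file server). The block below is an added example, not code from any of those projects. It shows the one check they all need, a join that compares canonical paths instead of inspecting the string for "..", and applies the same check to archive extraction, which is where the pytorch-lightning entry went wrong. Directory and member names are constructed.

```python
import io
import os
import tarfile
import tempfile


def safe_join(base, untrusted):
    """Resolve `untrusted` under `base` and refuse anything that ends up outside.
    realpath collapses '..' and follows existing symlinks, so the comparison is
    made on canonical paths rather than on the raw string."""
    if "\x00" in untrusted:
        raise ValueError("null byte in path")
    base_real = os.path.realpath(base)
    # os.path.join discards base when `untrusted` is absolute; realpath then
    # yields a path outside base_real and the check below rejects it.
    target = os.path.realpath(os.path.join(base_real, untrusted))
    if target != base_real and not target.startswith(base_real + os.sep):
        raise ValueError(f"path escapes base directory: {untrusted!r}")
    return target


def escapes_base(base, untrusted):
    try:
        safe_join(base, untrusted)
        return False
    except ValueError:
        return True


def safe_extract_tar(tar_bytes, dest):
    """Extract only regular files and directories whose canonical target lies
    under dest. Links, devices and escaping names abort before anything is
    written. Returns the member names extracted."""
    dest_real = os.path.realpath(dest)
    names = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        members = tf.getmembers()
        for m in members:                 # validate every member first ...
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"unsupported member type: {m.name!r}")
            safe_join(dest_real, m.name)
        for m in members:                 # ... then write
            target = safe_join(dest_real, m.name)
            if m.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tf.extractfile(m) as src, open(target, "wb") as dst:
                dst.write(src.read())
            names.append(m.name)
    return names


def make_tar(entries):
    """Build an in-memory tar from {name: bytes}. Constructed test input;
    TarInfo names are stored verbatim, so a leading '../' survives."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo():
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "dest")
        os.makedirs(dest)
        good = make_tar({"model/weights.bin": b"\x00\x01", "model/config.json": b"{}"})
        extracted = sorted(safe_extract_tar(good, dest))
        bad = make_tar({"../escape.txt": b"owned"})
        try:
            safe_extract_tar(bad, dest)
            blocked = False
        except ValueError:
            blocked = True
        escaped = os.path.exists(os.path.join(root, "escape.txt"))
    return extracted, blocked, escaped
```

Validating all members before writing any matters: an archive whose first entries are benign and whose last one escapes would otherwise leave a half-extracted tree behind. On Python 3.12 and later (and the 3.8 to 3.11 point releases that backported it) `tarfile.extractall(path, filter="data")` performs equivalent checks; the explicit version above is for older interpreters and for code that needs the same rule on ordinary file paths.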