Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total advisories: 24,785
With Dependabot PRs: 1,792
Critical severity: 3,506
High severity: 8,617
Cross-site Scripting in djangorestframework
GHSA-gw84-84pc-xp82 CVE-2024-21520 LOW over 1 year ago
Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter d...
pypi
No PRs yet
pdoc embeds link to malicious CDN if math mode is enabled
GHSA-5vgj-ggm4-fg62 CVE-2024-38526 HIGH over 1 year ago
### Impact
Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io.
The polyfill.io CDN has been sold and now serve...
pypi
7 Dependabot PRs, 14% merged
CodeChecker has a Path traversal in `CodeChecker server` in the endpoint of `CodeChecker store`
GHSA-h26w-r4m5-8rrf CVE-2023-49793 MODERATE over 1 year ago
## Summary
ZIP files uploaded to the server-side endpoint handling a `CodeChecker store` are not properly sanitized. An attacker can exercise a pa...
pypi
No PRs yet
Improper line feed handling in zenml
GHSA-7gjr-hcc3-xfr4 CVE-2024-4460 MODERATE over 1 year ago
A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (`\n`) characters in componen...
pypi
No PRs yet
Remote Code Execution in create_conda_env function in lollms
GHSA-79h8-gxhq-q3jg CVE-2024-3121 MODERATE over 1 year ago
A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository. The vulnerability arises from the ...
pypi
No PRs yet
Remote Code Execution via path traversal bypass in lollms
GHSA-mvrm-fh8q-6wr2 CVE-2024-5443 CRITICAL over 1 year ago
CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the `ExtensionBuilder().build_extension()` function. T...
pypi
No PRs yet
Open redirect in gradio
GHSA-g6c9-f4xm-9j4x CVE-2024-4940 MODERATE over 1 year ago
An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect user...
pypi
No PRs yet
js2py allows remote code execution
GHSA-h95x-26f3-88hr CVE-2024-28397 HIGH over 1 year ago
An issue in the component `js2py.disable_pyimport()` of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
pypi
No PRs yet
Apache Superset server arbitrary file read
GHSA-hcr7-cqwc-q5gq CVE-2024-34693 MODERATE over 1 year ago
Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile e...
pypi
No PRs yet
urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
GHSA-34jh-p97f-mpxf CVE-2024-37891 MODERATE over 1 year ago
When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected.
Howeve...
pypi
1065 Dependabot PRs, 11% merged
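The rule behind the urllib3 advisory above, as an added example that is not urllib3's own code: a credential header set for one origin must not be replayed when a redirect lands on a different origin. The header set, the origin comparison and the sample headers are this example's own assumptions; Proxy-Authorization is the header from the advisory, and Authorization and Cookie are added because the same reasoning applies.

```python
"""Added example: decide which headers may follow an HTTP redirect.

Not urllib3's code. A credential header meant for origin A must not be
sent to origin B just because A answered with a redirect to B.
"""
from urllib.parse import urlsplit

# Headers treated as credentials. Proxy-Authorization is the one in the
# advisory; Authorization and Cookie are included on the same reasoning.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})


def origin_of(url: str) -> tuple:
    """Return (scheme, host, port) with the default port filled in, so that
    https://a.example/ and https://a.example:443/ compare as the same origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, host, port


def headers_for_redirect(original_url: str, target_url: str, headers: dict) -> dict:
    """Headers to send on the request that follows a redirect.

    Same origin: keep every header. Different origin (scheme, host or port
    changed): drop the credential headers. Header names are compared
    case-insensitively, as HTTP requires.
    """
    if origin_of(original_url) == origin_of(target_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    # Constructed request headers; the Basic credential is a placeholder.
    sent = {"Proxy-Authorization": "Basic cHJveHk6c2VjcmV0", "Accept": "application/json"}
    print(headers_for_redirect("https://api.example.com/v1", "https://api.example.com:443/v2", sent))
    print(headers_for_redirect("https://api.example.com/v1", "https://cdn.example.net/v2", sent))
```

Note that an `http` to `https` redirect on the same host is cross-origin under this rule (the port differs), which is the conservative choice: the credential was configured for one scheme and port, not for the host name alone.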
LNbits improperly handles potential network and payment failures when using Eclair backend
GHSA-3j4h-h3fp-vwww CVE-2024-34694 HIGH over 1 year ago
### Summary
Paying invoices in Eclair that do not get settled within the internal timeout (about 30s) leads to a payment being considered failed, e...
pypi
No PRs yet
langchain_experimental Code Execution via Python REPL access
GHSA-wmvm-9vqv-5qpp CVE-2024-38459 HIGH over 1 year ago
langchain_experimental (aka LangChain Experimental) before 0.0.61 for LangChain provides Python REPL access without an opt-in step. NOTE: this issu...
pypi
No PRs yet
Apache Airflow does not return the "Cache-Control" header for dynamic content
GHSA-9xpj-62mm-24h2 CVE-2024-25142 LOW over 1 year ago
Use of Web Browser Cache Containing Sensitive Information vulnerability in Apache Airflow.
Airflow did not return "Cache-Control" header for dyna...
pypi
No PRs yet
Invenio-Communities has a Cross-Site Scripting (XSS) vulnerability in React components
GHSA-hjx6-f647-mvf9 MODERATE over 1 year ago
# Impact
We have identified a Cross-Site Scripting (XSS) vulnerability within certain React components related to community members in the Invenio...
pypi
No PRs yet
Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0
GHSA-gprj-3p75-f996 CVE-2024-37300 HIGH over 1 year ago
### Impact
JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only. The...
pypi
No PRs yet
Apache Submarine Server Core Incorrect Authorization vulnerability
GHSA-6q97-8v3g-rpxw CVE-2024-36265 CRITICAL over 1 year ago
Incorrect Authorization vulnerability in Apache Submarine Server Core.
This issue affects Apache Submarine Server Core: from 0.8.0.
As this proje...
maven, pypi
No PRs yet
parisneo/lollms Local File Inclusion (LFI) attack
GHSA-vqwr-q6cc-c242 CVE-2024-4315 CRITICAL over 1 year ago
parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The `sanitize_path_from_endp...
pypi
No PRs yet
Jupyter Server Proxy has a reflected XSS issue in host parameter
GHSA-fvcq-4x64-hqxr CVE-2024-35225 CRITICAL over 1 year ago
### Impact
There is a reflected cross-site scripting (XSS) issue in `jupyter-server-proxy`[1]. The `/proxy` endpoint accepts a `host` path segment...
pypi
3 Dependabot PRs, 33% merged
document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection
GHSA-v5gf-r78h-55q6 CVE-2024-37301 CRITICAL over 1 year ago
### Impact
A remote code execution (RCE) via server-side template injection (SSTI) allows for user supplied code to be executed in the server's co...
pypi
No PRs yet
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
GHSA-m5vv-6r4h-3vj9 CVE-2024-35255 MODERATE over 1 year ago
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.
maven, npm, nuget, +1 more
14 Dependabot PRs, 21% merged
Langflow remote code execution vulnerability
GHSA-qg33-x2c5-6p44 CVE-2024-37014 HIGH over 1 year ago
Langflow allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.
pypi
No PRs yet
Authlib has algorithm confusion with asymmetric public keys
GHSA-5357-c2jx-v7qh CVE-2024-37568 HIGH over 1 year ago
lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verif...
pypi
No PRs yet
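The algorithm confusion described in the Authlib advisory, as an added example that is not Authlib's code. The vulnerable pattern is a verifier that lets the token's own `alg` header choose the algorithm: handed an RSA public key, it will happily HMAC-verify an HS256 token with the key bytes as the secret, and those bytes are public. The placeholder PEM, the function names and the pinned-algorithm decoder are this example's assumptions; only the standard library is used, and RSA verification is stubbed because the confusion is caught before it would run.

```python
"""Added example (not Authlib's code): JWT algorithm confusion and the fix."""
import base64
import hashlib
import hmac
import json

# Constructed placeholder for a server's RSA public key PEM. Its exact bytes do
# not matter: the attack works because anyone can obtain the same bytes.
PUBLIC_KEY_PEM = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedplaceholder\n"
    b"-----END PUBLIC KEY-----\n"
)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def forge_hs256(claims: dict, secret: bytes) -> str:
    """Attacker side: an HS256 token signed with the public key bytes as secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def _verify_hs256(signing_input: bytes, signature: bytes, key: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def _verify_rs256(signing_input: bytes, signature: bytes, key: bytes) -> bool:
    # Real code would call a crypto library here; never reached in this example.
    raise NotImplementedError("RSA verification is out of scope for this example")


_VERIFIERS = {"HS256": _verify_hs256, "RS256": _verify_rs256}


def decode_trusting_header(token: str, key: bytes) -> dict:
    """Vulnerable pattern: the untrusted header picks the verifier."""
    h, p, s = token.split(".")
    alg = json.loads(_b64url_decode(h))["alg"]
    if not _VERIFIERS[alg](f"{h}.{p}".encode(), _b64url_decode(s), key):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def decode_pinned(token: str, key: bytes, algorithms: tuple) -> dict:
    """Hardened: the caller pins the algorithm set, and a PEM-encoded key is
    never accepted as an HMAC secret whatever the header says."""
    h, p, s = token.split(".")
    alg = json.loads(_b64url_decode(h)).get("alg")
    if alg not in algorithms:
        raise ValueError(f"algorithm {alg!r} not in the allowed set {algorithms}")
    if alg.startswith("HS") and key.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("refusing to use a PEM key as an HMAC secret")
    if not _VERIFIERS[alg](f"{h}.{p}".encode(), _b64url_decode(s), key):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def accepts(decoder, *args, **kwargs) -> bool:
    """True if the decoder returns claims, False if it rejects the token."""
    try:
        decoder(*args, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    forged = forge_hs256({"sub": "admin"}, PUBLIC_KEY_PEM)
    print("trusting header:", decode_trusting_header(forged, PUBLIC_KEY_PEM))
    print("pinned accepts forged token:", accepts(decode_pinned, forged, PUBLIC_KEY_PEM, ("RS256",)))
```

The two defences in `decode_pinned` are independent: pinning the algorithm set stops the header from steering the verifier at all, and the PEM check catches the case where a caller does allow HS256 but passes a key that was never meant to be an HMAC secret.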
zenml-io/zenml does not expire the session after password reset
GHSA-99hm-86h7-gr3g CVE-2024-4680 LOW over 1 year ago
A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expir...
pypi
No PRs yet
ebookmeta XML External Entity vulnerability
GHSA-hx54-pf28-7xch CVE-2024-37388 HIGH over 1 year ago
An XML External Entity (XXE) vulnerability in the `ebookmeta.get_metadata` function via lxml dependency allows attackers to access sensitive inform...
pypi
No PRs yet
ebookmeta XML External Entity vulnerability
GHSA-whf4-fpj8-pgg8 CVE-2024-36827 HIGH over 1 year ago
An XML External Entity (XXE) vulnerability in the `ebookmeta.get_metadata` function of ebookmeta before v1.2.8 allows attackers to access sensitive...
pypi
No PRs yet
Tornado has a CRLF injection in CurlAsyncHTTPClient headers
GHSA-w235-7p84-xx57 MODERATE over 1 year ago
### Summary
Tornado’s `curl_httpclient.CurlAsyncHTTPClient` class is vulnerable to CRLF (carriage return/line feed) injection in the request header...
pypi
No PRs yet
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in tornado
GHSA-753j-mpmx-qq6g MODERATE over 1 year ago
### Summary
When Tornado receives a request with two `Transfer-Encoding: chunked` headers, it ignores them both. This enables request smuggling whe...
pypi
No PRs yet
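The two header checks behind the Tornado CRLF injection advisory, the Tornado request smuggling advisory above and the zenml line-feed advisory earlier on this page, as an added example that is none of those projects' code. On the sending side, a header value carrying CR or LF lets the caller inject extra headers; on the receiving side, a request with two `Transfer-Encoding` headers must be rejected rather than treated as having no body framing. The regexes, function names and sample requests are this example's own assumptions, written to the RFC 9110/9112 rules.

```python
"""Added example (not Tornado's or zenml's code): header hygiene on both sides."""
import re

_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 9110 field-name token
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")           # control chars; tab stays allowed


def validate_header(name: str, value: str) -> None:
    """Reject names that are not tokens and values carrying CR, LF or other
    control characters. A bare LF splits a header for many parsers, so
    checking for the CRLF pair alone is not enough."""
    if not _TOKEN.match(name):
        raise ValueError(f"invalid header name {name!r}")
    if _CTL.search(value):
        raise ValueError(f"control character in value of {name!r}")


def header_ok(name: str, value: str) -> bool:
    try:
        validate_header(name, value)
        return True
    except ValueError:
        return False


def serialize_request(method: str, path: str, headers: dict) -> bytes:
    """Build a request head, validating every header before any is written."""
    for name, value in headers.items():
        validate_header(name, value)
    lines = [f"{method} {path} HTTP/1.1"] + [f"{n}: {v}" for n, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_request_head(raw: bytes) -> dict:
    """Parse a request head and decide the body framing, refusing ambiguity."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not _TOKEN.match(name):   # also rejects "Name :" obs-fold tricks
            raise ValueError(f"malformed header line {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    te = headers.get("transfer-encoding", [])
    cl = headers.get("content-length", [])
    if len(te) > 1:
        raise ValueError("multiple Transfer-Encoding headers")
    if te and cl:
        raise ValueError("Transfer-Encoding and Content-Length both present")
    if te:
        codings = [c.strip().lower() for c in te[0].split(",")]
        if codings[-1] != "chunked":
            raise ValueError("Transfer-Encoding whose final coding is not chunked")
        framing = "chunked"
    elif cl:
        if len(set(cl)) > 1 or not cl[0].isdigit():
            raise ValueError("conflicting or invalid Content-Length")
        framing = "content-length"
    else:
        framing = "none"
    return {"request_line": lines[0], "headers": headers, "framing": framing, "body": body}


def classify(raw: bytes) -> str:
    """Framing decision for a raw request, or 'rejected' when the parser refuses it."""
    try:
        return parse_request_head(raw)["framing"]
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed requests: the second one is the double-TE shape from the advisory.
    print(classify(b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\n\r\n"))
    print(classify(b"POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\n"
                   b"Transfer-Encoding: chunked\r\n\r\n"))
    print(header_ok("X-Trace", "abc\r\nX-Injected: 1"))
```

Rejecting with an error rather than silently ignoring the duplicate headers matters: a front-end proxy that honours one of the two headers and a back-end that ignores both will disagree on where the request ends, which is exactly the desynchronisation smuggling needs.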
LoLLMS Path Traversal vulnerability
GHSA-3x47-w4rx-6pm7 CVE-2024-3429 HIGH over 1 year ago
A path traversal vulnerability exists in the parisneo/lollms application, specifically within the `sanitize_path_from_endpoint` and `sanitize_path`...
pypi
No PRs yet
Authentication bypass in dtale
GHSA-v9q6-fm48-rx74 CVE-2024-3408 HIGH over 1 year ago
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vuln...
pypi
No PRs yet
SQL injection in litellm
GHSA-h6m6-jj8v-94jj CVE-2024-5225 MODERATE over 1 year ago
An SQL Injection vulnerability exists in the berriai/litellm repository, specifically within the `/global/spend/logs` endpoint. The vulnerability a...
pypi
No PRs yet
LoLLMS Path Traversal vulnerability
GHSA-p8h7-c8gw-6x8c CVE-2024-4881 HIGH over 1 year ago
A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions, but fixed in ve...
pypi
No PRs yet
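The sanitisation the two LoLLMS path traversal advisories above and the CodeChecker `CodeChecker store` ZIP advisory earlier on this page describe as missing, as an added example that is none of those projects' code. `safe_join` is the check a `sanitize_path`-style function has to make (resolve first, then prove containment), and `safe_extract` applies it to every member name of an uploaded archive before anything is written, so one `../` entry rejects the whole archive instead of escaping the destination part-way through extraction. The function names, the fixture builder and the sample archives are this example's own assumptions.

```python
"""Added example (not CodeChecker's or lollms's code): containment checks for
user-supplied paths and for the member names of an uploaded ZIP."""
import io
import tempfile
import zipfile
from pathlib import Path


class PathTraversal(ValueError):
    """Raised when a user-supplied path would resolve outside its base."""


def safe_join(base, user_path: str) -> Path:
    """Resolve `user_path` under `base` and prove the result stays inside.

    resolve() collapses `..`, normalises separators and follows symlinks, so a
    symlink inside `base` that points outside is rejected too. An absolute
    `user_path` replaces `base` in the join and is therefore rejected as well.
    """
    if "\x00" in user_path:
        raise PathTraversal("NUL byte in path")
    base = Path(base).resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise PathTraversal(f"{user_path!r} escapes {base}")
    return target


def safe_extract(zip_bytes: bytes, dest) -> list:
    """Extract an in-memory ZIP into `dest`, validating every name first."""
    dest = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        # One bad member raises here, before a single byte reaches disk.
        targets = [safe_join(dest, m.filename) for m in members]
        written = []
        for member, target in zip(members, targets):
            if member.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(member))
            written.append(target.relative_to(dest).as_posix())
    return written


def build_zip(entries: dict) -> bytes:
    """Constructed fixture: a ZIP whose member names are stored verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Run the checks against constructed inputs and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "uploads"
        base.mkdir()
        results["plain"] = safe_join(base, "report/a.txt").relative_to(base.resolve()).as_posix()
        for bad in ("../../etc/passwd", "/etc/passwd", "a/../../b", "x\x00y"):
            try:
                safe_join(base, bad)
                results[bad] = "accepted"
            except PathTraversal:
                results[bad] = "rejected"
        results["good_zip"] = safe_extract(build_zip({"ok.txt": b"1", "sub/inner.txt": b"2"}), base)
        try:
            safe_extract(build_zip({"ok.txt": b"1", "../escape.txt": b"3"}), base / "second")
            results["bad_zip"] = "accepted"
        except PathTraversal:
            results["bad_zip"] = "rejected"
        results["escaped_file_exists"] = (base / "escape.txt").exists()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(repr(key), "->", value)
```

The order inside `safe_join` is the whole point: string checks for `..` are bypassable (URL encoding, `....//`, symlinks), so the path is resolved to its real location first and the containment test is done on the result.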
scikit-learn sensitive data leakage vulnerability
GHSA-jw8x-6495-233v CVE-2024-5206 MODERATE over 1 year ago
A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, ...
pypi
No PRs yet
Arbitrary system path lookup in h2o
GHSA-x234-r5fg-x52m CVE-2024-5550 MODERATE over 1 year ago
In h2oai/h2o-3 version 3.40.0.4, an exposure of sensitive information vulnerability exists due to an arbitrary system path lookup feature. This vul...
pypi
No PRs yet
onnx allows Arbitrary File Overwrite in download_model_with_test_data
GHSA-6rq9-53c3-f7vj CVE-2024-5187 HIGH over 1 year ago
A vulnerability in the `download_model_with_test_data` function of the onnx/onnx framework, versions before 1.16.2, allows for arbitrary file overwr...
pypi
No PRs yet
Arbitrary file deletion in litellm
GHSA-3xr8-qfvj-9p9j CVE-2024-4888 HIGH over 1 year ago
BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the `/audio/transcriptions` ...
pypi
No PRs yet
SQL injection in litellm
GHSA-8j42-pcfm-3467 CVE-2024-4890 MODERATE over 1 year ago
A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability ar...
pypi
5 Dependabot PRs, 20% merged
Undefined Behavior in mlflow
GHSA-8f8q-q2j7-7j2m CVE-2024-3099 MODERATE over 1 year ago
A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw...
pypi
No PRs yet
Cross site scripting in zenml
GHSA-vwgf-7f9h-h499 CVE-2024-2171 LOW over 1 year ago
A stored Cross-Site Scripting (XSS) vulnerability was identified in the zenml-io/zenml repository, specifically within the 'logo_url' field. By inj...
pypi
No PRs yet
Race condition in zenml
GHSA-c546-8jmq-hprj CVE-2024-2032 LOW over 1 year ago
A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with t...
pypi
No PRs yet
Improper authorization in zenml
GHSA-9x88-4jg8-4vf7 CVE-2024-2035 MODERATE over 1 year ago
An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vu...
pypi
No PRs yet
Local File Inclusion in mlflow
GHSA-j46q-5pxx-8vmw CVE-2024-2928 HIGH over 1 year ago
A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This ...
pypi
No PRs yet
Server-Side Request Forgery in langchain-community.retrievers.web_research.WebResearchRetriever
GHSA-q25c-c977-4cmh CVE-2024-3095 MODERATE over 1 year ago
A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component in langchain-community (langchain-community.retri...
pypi
35 Dependabot PRs, 9% merged
Denial of service in langchain-community
GHSA-3hjh-jh2h-vrg6 CVE-2024-2965 MODERATE over 1 year ago
Denial of service in `SitemapLoader` Document Loader in the `langchain-community` package, affecting versions below 0.2.5. The `parse_sitemap` meth...
pypi
3 Dependabot PRs, 33% merged
Improper authentication in zenml
GHSA-j527-v579-m98h CVE-2024-2213 LOW over 1 year ago
An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access t...
pypi
No PRs yet
Clickjacking in zenml
GHSA-mq73-g4qr-fgcq CVE-2024-2383 MODERATE over 1 year ago
A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Fra...
pypi
No PRs yet
Remote code execution in mlflow
GHSA-5q6c-ffvg-xcm9 CVE-2024-0520 CRITICAL over 1 year ago
A vulnerability in mlflow/mlflow version 8.2.1 allows for remote code execution due to improper neutralization of special elements used in an OS co...
pypi
No PRs yet
Jupyter server on Windows discloses Windows user password hash
GHSA-hrw6-wg82-cm62 CVE-2024-35178 HIGH over 1 year ago
### Summary
Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user ru...
pypi
No PRs yet
Local file inclusion in gradio
GHSA-6v6g-j5fq-hpvw CVE-2024-4941 HIGH over 1 year ago
A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio and was discovered in version 4.25. The vulnerability arises...
pypi
No PRs yet
Remote code execution in pytorch lightning
GHSA-cgwc-qvrx-rf7f CVE-2024-5452 CRITICAL over 1 year ago
A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserial...
pypi
No PRs yet
Server-Side Request Forgery in gradio
GHSA-973g-55hp-3frw CVE-2024-4325 HIGH over 1 year ago
A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio and was discovered in version 4.21.0, specifically within the `/...
pypi
No PRs yet