Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,785 Total Advisories | 1,792 With Dependabot PRs | 3,506 Critical Severity | 8,617 High Severity
Observable Timing Discrepancy in pypqc
GHSA-hvh4-5qr6-3v7r HIGH over 1 year ago
### Impact
`kyber512`, `kyber768`, and `kyber1024` on Mac OS (or when compiled with clang) only: An attacker able to submit many decapsulation re...
pypi
No PRs yet
PyMongo Out-of-bounds Read in the bson module
GHSA-m87m-mmvp-v9qm CVE-2024-5629 MODERATE over 1 year ago
Versions of the package pymongo before 4.6.3 are vulnerable to Out-of-bounds Read in the bson module. Using the crafted payload the attacker could ...
pypi
No PRs yet
Arbitrary JavaScript execution due to using outdated libraries
GHSA-4m3g-6r7g-jv4f LOW over 1 year ago
### Summary
gradio-pdf projects with dependencies on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript executio...
pypi
No PRs yet
Skops unsafe deserialization
GHSA-q49c-6v6g-wgq3 CVE-2024-37065 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbit...
pypi
No PRs yet
ydata unsafe deserialization
GHSA-cg49-hrj4-3rpr CVE-2024-37064 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously craft...
pypi
No PRs yet
MLFlow improper input validation
GHSA-pqcv-qw2r-r859 CVE-2024-37061 HIGH over 1 year ago
Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to exe...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-cv6c-7963-wxcg CVE-2024-37060 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Reci...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-cwgg-w6mp-w9hg CVE-2024-37058 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Lang...
pypi
No PRs yet
ydata unsafe deserialization
GHSA-fpvj-m2h6-6wc5 CVE-2024-37062 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafte...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-j8mg-pqc5-x9gj CVE-2024-37057 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded T...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-wf7f-8fxf-xfxc CVE-2024-37059 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTo...
pypi
No PRs yet
ydata cross-site scripting
GHSA-2r57-2mrh-ggjv CVE-2024-37063 HIGH over 1 year ago
A cross-site scripting (XSS) vulnerability in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library allows for payloads to be run ...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-43c4-9qgj-x742 CVE-2024-37053 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scik...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-76cg-cfhx-373f CVE-2024-37052 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling a maliciously uploaded scik...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-7p8j-qv6x-f4g4 CVE-2024-37056 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded Lig...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-x38x-g6gr-jqff CVE-2024-37055 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmd...
pypi
No PRs yet
MLFlow unsafe deserialization
GHSA-ghv6-9r9j-wh4j CVE-2024-37054 HIGH over 1 year ago
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFu...
pypi
No PRs yet
qdrant input validation failure
GHSA-7m75-x27w-r52r CVE-2024-3829 CRITICAL over 1 year ago
qdrant/qdrant version 1.9.0-dev is vulnerable to arbitrary file read and write during the snapshot recovery process. Attackers can exploit this vul...
pypi
No PRs yet
path traversal vulnerability was identified in the parisneo/lollms-webui
GHSA-9p73-x86v-jw57 CVE-2024-4330 MODERATE over 1 year ago
A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulnerability arises du...
pypi
No PRs yet
code injection vulnerability exists in the huggingface/text-generation-inference repository
GHSA-qq99-p57r-g3v7 CVE-2024-3924 MODERATE over 1 year ago
A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file...
pypi
No PRs yet
Improper Handling of Insufficient Permissions in `wagtail.contrib.settings`
GHSA-xxfm-vmcf-g33f CVE-2024-35228 MODERATE over 1 year ago
### Impact
Due to an improperly applied permission check in the `wagtail.contrib.settings` module, a user with access to the Wagtail admin and know...
pypi
1 Dependabot PR
Slack integration leaks sensitive information in logs
GHSA-c2g2-gx4j-rj3j CVE-2024-35196 LOW over 1 year ago
### Impact
Sentry's Slack integration incorrectly records the incoming request body in logs. This request data can contain sensitive information, i...
pypi
No PRs yet
Sensitive Data Disclosure Vulnerability in Connection Configuration Endpoints
GHSA-rcvg-jj3g-rj7c CVE-2024-35189 MODERATE over 1 year ago
The Fides webserver has a number of endpoints that retrieve `ConnectionConfiguration` records and their associated `secrets` which _can_ contain se...
pypi
No PRs yet
Vanna prompt injection code execution
GHSA-7735-w2jp-gvg6 CVE-2024-5565 CRITICAL over 1 year ago
The Vanna library uses a prompt function to present the user with visualized results; it is possible to alter the prompt using prompt injection and...
pypi
No PRs yet
Nautobot dynamic-group-members doesn't enforce permission restrictions on member objects
GHSA-qmjf-wc2h-6x3q CVE-2024-36112 MODERATE over 1 year ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
A user with permissions to view Dynamic Group records (`extras.view_dynamicgroup` ...
pypi
1 Dependabot PR
Fides Webserver Logs Hosted Database Password Partial Exposure Vulnerability
GHSA-8cm5-jfj2-26q7 CVE-2024-34715 LOW over 1 year ago
The Fides webserver requires a connection to a hosted PostgreSQL database for persistent storage of application data. If the password used by the w...
pypi
No PRs yet
ansibleguy-webui Cross-site Scripting vulnerability
GHSA-927p-xrc2-x2gj CVE-2024-36110 HIGH over 1 year ago
### Impact
Multiple forms in version <0.0.21 allowed injection of HTML elements.
These are returned to the user after executing job actions and thu...
pypi
No PRs yet
rockhopper Buffer Overflow vulnerability
GHSA-4r4c-66gf-g9g5 CVE-2022-4969 MODERATE over 1 year ago
A vulnerability, which was classified as critical, has been found in bwoodsend rockhopper up to 0.1.2. Affected by this issue is the function `coun...
pypi
No PRs yet
dbt allows Binding to an Unrestricted IP Address via socketsocket
GHSA-pmrx-695r-4349 CVE-2024-36105 MODERATE over 1 year ago
### Summary
Binding to `INADDR_ANY (0.0.0.0)` or `IN6ADDR_ANY (::)` exposes an application on all network interfaces, increasing the risk of unaut...
pypi
No PRs yet
Mocodo vulnerable to SQL injection in `/web/generate.php`
GHSA-j6cv-98jx-mrwr CVE-2024-35374 CRITICAL over 1 year ago
Mocodo Mocodo Online 4.2.6 and below does not properly sanitize the `sql_case` input field in `/web/generate.php`, allowing remote attackers to exe...
pypi
No PRs yet
jupyter-scheduler's endpoint is missing authentication
GHSA-v9g2-g7j4-4jxc CVE-2024-28188 MODERATE over 1 year ago
### Impact
`jupyter_scheduler` is missing an authentication check in Jupyter Server on an API endpoint (`GET /scheduler/runtime_environments`) whi...
pypi
No PRs yet
vantage6 collaboration admins can extend their influence by expanding the collaboration
GHSA-99r4-cjp4-3hmx CVE-2024-32969 LOW over 1 year ago
### Impact
Collaboration administrators can add extra organizations to their collaboration. When doing that, they extend their influence: for insta...
pypi
No PRs yet
NASA AIT-Core vulnerable to remote code execution
GHSA-jqff-8g2v-642h CVE-2024-35059 CRITICAL over 1 year ago
An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary commands.
pypi
No PRs yet
NASA AIT-Core uses unencrypted channels to exchange data over the network
GHSA-qv6x-53jj-vw59 CVE-2024-35061 HIGH over 1 year ago
NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exchange data over the network, allowing attackers to execute a man-in-the-middl...
pypi
No PRs yet
NASA AIT-Core vulnerable to remote code execution
GHSA-4gxj-5mmr-7pxq CVE-2024-35058 CRITICAL over 1 year ago
An issue in the API wait function of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via supplying a crafted string.
pypi
No PRs yet
NASA AIT-Core vulnerable to remote code execution
GHSA-jf28-v5f6-cvpr CVE-2024-35057 CRITICAL over 1 year ago
An issue in NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via a crafted packet.
pypi
No PRs yet
NASA AIT-Core vulnerable to SQL Injection
GHSA-gpgj-xrgw-8mx2 CVE-2024-35056 CRITICAL over 1 year ago
NASA AIT-Core v2.5.2 was discovered to contain multiple SQL injection vulnerabilities via the `query_packets` and `insert` functions.
pypi
No PRs yet
PyMySQL SQL Injection vulnerability
GHSA-v9hf-5j83-6xpp CVE-2024-36039 CRITICAL over 1 year ago
PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON input because keys are not escaped by `escape_dict`.
pypi
116 Dependabot PRs, 17% merged
Gradio applications running locally vulnerable to 3rd party websites accessing routes and uploading files
GHSA-48cq-79qq-6f7x CVE-2024-1727 MODERATE over 1 year ago
### Impact
This CVE covers the ability of 3rd party websites to access routes and upload files to users running Gradio applications locally. For e...
pypi
No PRs yet
OMERO.web must check that the JSONP callback is a valid function
GHSA-vr85-5pwx-c6gq CVE-2024-35180 MODERATE over 1 year ago
### Background
There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that hav...
pypi
No PRs yet
Requests `Session` object does not verify requests after making first request with verify=False
GHSA-9wx4-h78v-vm56 CVE-2024-35195 MODERATE over 1 year ago
When making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent re...
pypi
7170 Dependabot PRs, 20% merged
aiosmtpd STARTTLS unencrypted commands injection
GHSA-wgjv-9j3q-jhg8 CVE-2024-34083 MODERATE over 1 year ago
### Summary
Servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted con...
pypi
No PRs yet
litellm passes untrusted data to `eval` function without sanitization
GHSA-7ggm-4rjg-594w CVE-2024-4264 HIGH over 1 year ago
A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the ...
pypi
No PRs yet
ConsoleMe has an Arbitrary File Read Vulnerability via Limited Git command
GHSA-3783-62vc-jr7x CVE-2024-5023 CRITICAL over 1 year ago
## ID: NFLX-2024-002
### Impact
Authenticated users can achieve limited RCE in ConsoleMe, restricted to flag inputs on a single CLI command. Due t...
pypi
No PRs yet
RunGptLLM class in LlamaIndex has a command injection
GHSA-pw38-xv9x-h8ch CVE-2024-4181 HIGH over 1 year ago
A command injection vulnerability exists in the RunGptLLM class of the llama_index library, version 0.9.47, used by the RunGpt framework from JinaA...
pypi
7 Dependabot PRs, 28% merged
MLflow has a Local File Read/Path Traversal bypass
GHSA-rfqq-wq6w-72jm CVE-2024-3848 HIGH over 1 year ago
A path traversal vulnerability exists in mlflow/mlflow version 2.11.0, identified as a bypass for the previously addressed CVE-2023-6909. The vulne...
pypi
No PRs yet
LoLLMS Command Injection vulnerability
GHSA-pwc9-q4hj-pg8g CVE-2024-4078 HIGH over 1 year ago
A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient ...
pypi
No PRs yet
MLflow allows low privilege users to delete any artifact
GHSA-p4jx-q62p-x5jr CVE-2024-4263 MODERATE over 1 year ago
A broken access control vulnerability exists in mlflow/mlflow versions before 2.10.1, where low privilege users with only EDIT permissions on an ex...
pypi
No PRs yet
Scrapy allows redirect following in protocols other than HTTP
GHSA-23j4-mw76-5v7h MODERATE over 1 year ago
### Impact
Scrapy was following redirects regardless of the URL protocol, so redirects were working for `data://`, `file://`, `ftp://`, `s3://`, a...
pypi
28 Dependabot PRs, 14% merged
Scrapy's redirects ignoring scheme-specific proxy settings
GHSA-jm3v-qxmh-hxwv MODERATE over 1 year ago
### Impact
When using system proxy settings, which are scheme-specific (i.e. specific to `http://` or `https://` URLs), Scrapy was not accounting ...
pypi
28 Dependabot PRs, 14% merged