Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617
Scrapy leaks the authorization header on same-domain but cross-origin redirects
GHSA-4qqq-9vqf-3h3f CVE-2024-1968 MODERATE over 1 year ago
### Impact
Since version 2.11.1, Scrapy drops the `Authorization` header when a request is redirected to a different domain. However, it keeps the...
pypi
28 Dependabot PRs, 14% merged
OctoPrint has an Authentication Bypass via X-Forwarded-For Header when autologinLocal is enabled
GHSA-2vjq-hg5w-5gm7 CVE-2024-32977 HIGH over 1 year ago
### Impact
OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass t...
pypi
No PRs yet
Apache Airflow: XSS vulnerability in Task Instance Log/Log Details
GHSA-52gm-qmg3-r4qp CVE-2024-32077 MODERATE over 1 year ago
Apache Airflow version 2.9.0 has a vulnerability that allows an authenticated attacker to inject malicious data into the task instance logs.
Users...
pypi
No PRs yet
Nautobot's BANNER_* configuration can be used to inject arbitrary HTML content into Nautobot pages
GHSA-r2hr-4v48-fjv3 CVE-2024-34707 HIGH over 1 year ago
### Impact
A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `...
pypi
No PRs yet
llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata
GHSA-56xg-wfcc-g829 CVE-2024-34359 CRITICAL over 1 year ago
## Description
`llama-cpp-python` depends on class `Llama` in `llama.py` to load `.gguf` llama.cpp or Latency Machine Learning Models. The `__init...
pypi
72 Dependabot PRs, 23% merged
Malicious Long Unicode filenames may cause a Multiple Application-level Denial of Service
GHSA-w4h6-9wrp-v5jq CVE-2024-32874 CRITICAL over 1 year ago
**Important: Exploiting this vulnerability requires the attacker to have access to your Frigate instance, which means they could also just delete a...
pypi
No PRs yet
Apache Superset Incorrect Authorization vulnerability
GHSA-299q-3p96-5898 CVE-2024-28148 MODERATE over 1 year ago
An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request....
pypi
No PRs yet
Arbitrary HTML present after sanitization because of unicode normalization
GHSA-wvhx-q427-fgh3 CVE-2024-34078 HIGH over 1 year ago
### Impact
If using `keep_typographic_whitespace=False` (which is the default), the sanitizer normalizes unicode to the NFKC form at the end. Some...
pypi
No PRs yet
Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain
GHSA-2g68-c3qc-8985 CVE-2024-34069 HIGH over 1 year ago
The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This require...
pypi
699 Dependabot PRs, 19% merged
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
GHSA-h75v-3vvj-5mfj CVE-2024-34064 MODERATE over 1 year ago
The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`...
pypi
1478 Dependabot PRs, 16% merged
Litestar and Starlite vulnerable to Path Traversal
GHSA-83pv-qr33-2vcf CVE-2024-32982 HIGH over 1 year ago
# Summary
**Local File Inclusion via Path Traversal in LiteStar Static File Serving**
A Local File Inclusion (LFI) vulnerability has been discover...
pypi
No PRs yet
WordOps has TOCTOU race condition
GHSA-23qq-p4gq-gc2g CVE-2024-34528 MODERATE over 1 year ago
WordOps through 3.20.0 has a `wo/cli/plugins/stack_pref.py` TOCTOU race condition because the `conf_path` `os.open` does not use a mode parameter d...
pypi
No PRs yet
Nebari prints temporary Keycloak root password
GHSA-vjc4-3vgx-pq9h CVE-2024-34529 MODERATE over 1 year ago
Nebari through 2024.4.1 prints the temporary Keycloak root password.
pypi
No PRs yet
Gradio's Component Server does not properly consider `_is_server_fn` for functions
GHSA-34rf-p3r3-58x2 CVE-2024-34511 MODERATE over 1 year ago
Component Server in Gradio before 4.13 does not properly consider `_is_server_fn` for functions.
pypi
No PRs yet
Gradio allows credential leakage on Windows
GHSA-rvfh-h6c7-fc3c CVE-2024-34510 HIGH over 1 year ago
Gradio before 4.20 allows credential leakage on Windows.
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-c7w6-33j3-j3mx CVE-2024-34484 MODERATE over 1 year ago
`OFPBucket` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `action.len=0`.
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-ffp9-pfq9-g2ww CVE-2024-34488 HIGH over 1 year ago
`OFPMultipartReply` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `b.length=0`.
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-7hmm-wg23-2w7m CVE-2024-34483 HIGH over 1 year ago
`OFPGroupDescStats` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `OFPBucket.len=0`.
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-m9vm-8mv9-v5v3 CVE-2024-34487 MODERATE over 1 year ago
`OFPFlowStats` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `inst.length=0`.
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-59p2-v62x-gxj8 CVE-2024-34489 HIGH over 1 year ago
`OFPHello` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `length=0`.
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-fgpw-cx3v-wj95 CVE-2024-34486 HIGH over 1 year ago
`OFPPacketQueue` in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via `OFPQueueProp.len=0`.
pypi
No PRs yet
sagemaker-python-sdk Command Injection vulnerability
GHSA-7pc3-pr3q-58vg CVE-2024-34073 HIGH over 1 year ago
### Impact
The capture_dependencies function in `sagemaker.serve.save_retrive.version_1_0_0.save.utils` module before version 2.214.3 allows for p...
pypi
No PRs yet
sagemaker-python-sdk vulnerable to Deserialization of Untrusted Data
GHSA-wjvx-jhpj-r54r CVE-2024-34072 HIGH over 1 year ago
### Impact
sagemaker.base_deserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is ...
pypi
No PRs yet
tqdm CLI arguments injection attack
GHSA-g7vv-2v7x-gj9p CVE-2024-34062 LOW over 1 year ago
### Impact
Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrar...
pypi
476 Dependabot PRs, 17% merged
LIEF obtain sensitive information via the name parameter
GHSA-377p-g8gr-5wpg CVE-2024-31636 LOW over 1 year ago
An issue in LIEF v.0.14.1 allows a local attacker to obtain sensitive information via the name parameter of the machd_reader.c component.
pypi
No PRs yet
changedetection.io Cross-site Scripting vulnerability
GHSA-pwgc-w4x9-gw67 CVE-2024-34061 MODERATE over 1 year ago
### Summary
Input in the `notification_urls` parameter is not processed, resulting in JavaScript execution in the application
### Details
changedetectio...
pypi
No PRs yet
aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests
GHSA-5m98-qgg9-wh84 CVE-2024-30251 HIGH over 1 year ago
### Summary
An attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will ente...
pypi
No PRs yet
pgAdmin Cross-site Scripting vulnerability in /settings/store API response json payload
GHSA-xv64-8p4r-94gq CVE-2024-4216 HIGH over 1 year ago
pgAdmin <= 8.5 is affected by XSS vulnerability in /settings/store API response json payload. This vulnerability allows attackers to execute malici...
pypi
No PRs yet
pgAdmin is affected by a multi-factor authentication bypass vulnerability
GHSA-2mvc-557g-5638 CVE-2024-4215 MODERATE over 1 year ago
pgAdmin <= 8.5 is affected by a multi-factor authentication bypass vulnerability. This vulnerability allows an attacker with knowledge of a legitim...
pypi
No PRs yet
CraftBeerPi 4 allows arbitrary code execution
GHSA-4f92-w438-f484 CVE-2024-3955 CRITICAL over 1 year ago
URL GET parameter "logtime" utilized within the "downloadlog" function from "cbpi/http_endpoints/http_system.py" is subsequently passed to the "os....
pypi
No PRs yet
Wagtail has permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet`
GHSA-w2v8-php4-p8hc CVE-2024-32882 LOW over 1 year ago
### Impact
If a model has been made available for editing through the [`wagtail.contrib.settings`](https://docs.wagtail.org/en/stable/reference/con...
pypi
No PRs yet
nautobot has reflected Cross-site Scripting potential in all object list views
GHSA-jxgr-gcj5-cqqg CVE-2024-32979 HIGH over 1 year ago
### Impact
It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL coul...
pypi
No PRs yet
PyPXE Buffer Overflow vulnerability
GHSA-82wx-rxf8-fxch CVE-2023-46960 HIGH over 1 year ago
Buffer Overflow vulnerability in PyPXE v.1.8.4 allows a remote attacker to cause a denial of service via the handle function in the tftp module.
pypi
No PRs yet
dcnnt-py is vulnerable to command injection via Notification Handler
GHSA-8p42-7597-p2f6 CVE-2023-1000 MODERATE over 1 year ago
A vulnerability was found in cyanomiko dcnnt-py up to 0.9.0. It has been classified as critical. Affected is the function main of the file dcnnt/pl...
pypi
No PRs yet
python-jose denial of service via compressed JWE content
GHSA-cjwg-qfpm-7377 CVE-2024-33664 MODERATE over 1 year ago
python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (J...
pypi
237 Dependabot PRs, 13% merged
python-jose algorithm confusion with OpenSSH ECDSA keys
GHSA-6c5p-j8vq-pqhj CVE-2024-33663 CRITICAL over 1 year ago
python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.
pypi
237 Dependabot PRs, 13% merged
vyper's range(start, start + N) reverts for negative numbers
GHSA-ppx5-q359-pvwj CVE-2024-32481 MODERATE over 1 year ago
### Summary
When looping over a `range` of the form `range(start, start + N)`, if `start` is negative, the execution will always revert.
### Det...
pypi
No PRs yet
vyper performs incorrect topic logging in raw_log
GHSA-xchq-w5r3-4wg3 CVE-2024-32645 MODERATE over 1 year ago
### Summary
Incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics.
A contract sear...
pypi
No PRs yet
vyper performs double eval of the slice start/length args in certain cases
GHSA-r56x-j438-vw5m CVE-2024-32646 MODERATE over 1 year ago
### Summary
Using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `<add...
pypi
No PRs yet
vyper performs double eval of raw_args in create_from_blueprint
GHSA-3whq-64q2-qfj6 CVE-2024-32647 MODERATE over 1 year ago
### Summary
Using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has si...
pypi
No PRs yet
vyper default functions don't respect nonreentrancy keys
GHSA-m2v9-w374-5hj9 CVE-2024-32648 MODERATE over 1 year ago
### Summary
Prior to v0.3.0, `__default__()` functions did not respect the `@nonreentrancy` decorator and the lock was not emitted. This is a known...
pypi
No PRs yet
vyper performs multiple eval of `sqrt()` argument built in
GHSA-5jrj-52x8-m64h CVE-2024-32649 MODERATE over 1 year ago
### Summary
Using the `sqrt` builtin can result in multiple evaluation of side effects when the argument has side-effects. The bug is more dif...
pypi
No PRs yet
pyLoad allows upload to arbitrary folder, leading to RCE
GHSA-3f7w-p8vr-4v5f CVE-2024-32880 CRITICAL over 1 year ago
### Summary
An authenticated user can change the download folder and upload a crafted template to the specified folder, leading to remote code executio...
pypi
No PRs yet
social-auth-app-django affected by Improper Handling of Case Sensitivity
GHSA-2gr8-3wc7-xhj3 CVE-2024-32879 MODERATE over 1 year ago
### Impact
Due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and ...
pypi
11 Dependabot PRs, 9% merged
Synapse V2 state resolution weakness allows Denial of Service (DoS)
GHSA-3h7q-rfh9-xm4v CVE-2024-31208 MODERATE over 1 year ago
### Impact
A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events...
pypi
No PRs yet
cg vulnerable to an Open Redirect Vulnerability on Referer Header
GHSA-w228-rfpx-fhm4 MODERATE over 1 year ago
### Summary
A vulnerability has been discovered in the handling of the referrer header in the application, which could allow an attacker to conduc...
pypi
No PRs yet
dbt uses a SQLparse version with a high vulnerability
GHSA-p72q-h37j-3hq7 HIGH over 1 year ago
### Summary
Using a version of `sqlparse` that has a security vulnerability and no way to update in current version of dbt core. Snyk recommends u...
pypi
No PRs yet
OpenStack Storlets arbitrary code execution vulnerability
GHSA-rfm2-f94j-qhjp CVE-2024-28717 HIGH over 1 year ago
An issue in OpenStack Storlets yoga-eom allows a remote attacker to execute arbitrary code via the gateway.py component.
pypi
No PRs yet
Improper Certificate Validation vulnerability in Apache Airflow FTP Provider
GHSA-3gg8-mc87-cq3h CVE-2024-29733 LOW over 1 year ago
Improper Certificate Validation vulnerability in Apache Airflow FTP Provider.
The FTP hook lacks complete certificate validation in FTP_TLS connec...
pypi
No PRs yet
flask-cors vulnerable to log injection when the log level is set to debug
GHSA-84pr-m4jr-85g5 CVE-2024-1681 MODERATE over 1 year ago
corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file...
pypi
701 Dependabot PRs, 9% merged