An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total advisories: 24,785
With Dependabot PRs: 1,792
Critical severity: 3,506
High severity: 8,617

Sentry vulnerable to leaking superuser cleartext password in logs
GHSA-6cjm-4pxw-7xp9 CVE-2024-32474 HIGH over 1 year ago
### Impact When authenticating as a superuser to a self-hosted Sentry instance with a username and password, the password is leaked as cleartext in...
pypi
No PRs yet
aiohttp Cross-site Scripting vulnerability on index pages for static file handling
GHSA-7gpw-8wmc-pm8g CVE-2024-27306 MODERATE over 1 year ago
### Summary An XSS vulnerability exists on index pages for static file handling. ### Details When using `web.static(..., show_index=True)`, the r...
pypi
No PRs yet
Apache Airflow: Sensitive configuration for providers displayed when "non-sensitive-only" config used
GHSA-2522-mrjc-m688 CVE-2024-31869 MODERATE over 1 year ago
Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the "config...
pypi
No PRs yet
Pytorch use-after-free vulnerability
GHSA-pg7h-5qx3-wjr3 CVE-2024-31583 HIGH over 1 year ago
Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.
pypi
No PRs yet
PyTorch heap buffer overflow vulnerability
GHSA-5pcm-hx3q-hm94 CVE-2024-31580 HIGH over 1 year ago
PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. This vulnerabi...
pypi
No PRs yet
Keras code injection vulnerability
GHSA-x4wf-678h-2pmq CVE-2024-3660 CRITICAL over 1 year ago
An arbitrary code injection vulnerability in TensorFlow's Keras framework (<2.13) allows attackers to execute arbitrary code with the same permissio...
pypi
No PRs yet
langchain vulnerable to path traversal
GHSA-rgp8-pm28-3759 CVE-2024-3571 MODERATE over 1 year ago
langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its...
pypi
No PRs yet
mlflow vulnerable to Path Traversal
GHSA-hq88-wg7q-gp4g CVE-2024-3573 CRITICAL over 1 year ago
mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary f...
pypi
No PRs yet
llama-index-core Command Injection vulnerability
GHSA-r6gp-rff2-p3hf CVE-2024-3271 CRITICAL over 1 year ago
A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval function. Attackers can bypass ...
pypi
No PRs yet
Cross-site Scripting (XSS) in mindsdb/mindsdb
GHSA-93c5-rj2p-w52x CVE-2024-3575 MODERATE over 1 year ago
When a user uploads a csv file that contains a JavaScript payload, a Cross-site Scripting (XSS) is triggered when the file is viewed. This is true ...
pypi
No PRs yet
zenml Session Fixation vulnerability
GHSA-g3r5-72hf-p7p2 CVE-2024-2260 MODERATE over 1 year ago
A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon l...
pypi
No PRs yet
Directory traversal in zenml
GHSA-6h3f-43vq-53hj CVE-2024-2083 CRITICAL over 1 year ago
A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit ...
pypi
No PRs yet
gradio vulnerable to Path Traversal
GHSA-g9cj-cfpp-4g2x CVE-2024-1561 HIGH over 1 year ago
An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component...
pypi
No PRs yet
mlflow vulnerable to Path Traversal
GHSA-j62r-wxqq-f3gf CVE-2024-1558 HIGH over 1 year ago
A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to...
pypi
No PRs yet
mlflow vulnerable to Path Traversal
GHSA-f42m-mvfv-cgw5 CVE-2024-1593 HIGH over 1 year ago
A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal seque...
pypi
No PRs yet
mlflow vulnerable to Path Traversal
GHSA-m49c-5c52-6696 CVE-2024-1594 HIGH over 1 year ago
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when c...
pypi
No PRs yet
Insecure deserialization in BentoML
GHSA-hvj5-mvw9-93j3 CVE-2024-2912 CRITICAL over 1 year ago
An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST...
pypi
No PRs yet
mlflow vulnerable to Path Traversal
GHSA-5mvj-wmgj-7q8c CVE-2024-1560 HIGH over 1 year ago
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the artifact deletion functionality. Attackers can bypas...
pypi
No PRs yet
mlflow Path Traversal vulnerability
GHSA-f82r-jj5r-6g97 CVE-2024-1483 HIGH over 1 year ago
A path traversal vulnerability exists in mlflow/mlflow version 2.9.2, allowing attackers to access arbitrary files on the server. By crafting a ser...
pypi
No PRs yet
Request smuggling leading to endpoint restriction bypass in Gunicorn
GHSA-w3h3-4rj7-4ph4 CVE-2024-1135 HIGH over 1 year ago
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with c...
pypi
1476 Dependabot PRs, 22% merged
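The Gunicorn entry above is about request framing: a server that accepts a Transfer-Encoding header it does not actually honour lets a front-end proxy and the application disagree on where one request ends and the next begins. The following is an added example, not Gunicorn's code or the advisory's proof of concept: a strict framing check in the spirit of RFC 9112 section 6.3, run over constructed raw requests. The rejection policy (only a single terminal `chunked` coding is accepted, and Transfer-Encoding may never be combined with Content-Length) is this example's choice; it is the safe default for an application server sitting behind a reverse proxy.

```python
import re
from typing import List, Tuple

HeaderList = List[Tuple[str, str]]


class SmugglingRisk(ValueError):
    """The request's message framing is ambiguous or malformed."""


def parse_head(raw: bytes) -> HeaderList:
    """Split a raw HTTP/1.1 request head into (lower-cased name, value) pairs.

    Duplicates are kept on purpose: a second Content-Length is exactly what
    this check must see. Whitespace before the colon is rejected, because a
    front end may treat 'Transfer-Encoding : chunked' as a junk header while
    the back end honours it (or the other way round).
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: HeaderList = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        if ":" not in line:
            raise SmugglingRisk(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        if not name or name != name.rstrip():
            raise SmugglingRisk(f"whitespace before colon in header name: {name!r}")
        headers.append((name.lower(), value.strip()))
    return headers


def validate_framing(headers: HeaderList) -> str:
    """Return which body framing applies: 'chunked', 'content-length' or 'none'.

    Raises SmugglingRisk for the cases that proxies and servers resolve
    differently: any transfer coding other than a single final 'chunked',
    Transfer-Encoding combined with Content-Length, and repeated or
    non-numeric Content-Length values.
    """
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te:
        if cl:
            raise SmugglingRisk("Transfer-Encoding and Content-Length both present")
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:
            raise SmugglingRisk(f"unsupported or repeated transfer codings: {codings}")
        return "chunked"
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            raise SmugglingRisk(f"conflicting or non-numeric Content-Length: {cl}")
        return "content-length"
    return "none"


def check_request(raw: bytes) -> str:
    """Classify a raw request: the framing name, or 'rejected: <reason>'."""
    try:
        return validate_framing(parse_head(raw))
    except SmugglingRisk as exc:
        return f"rejected: {exc}"


# Constructed sample requests for this example (not captured traffic).
SAMPLES = {
    "plain": b"POST /upload HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello",
    "chunked": b"POST /upload HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "te_cl": (b"POST /upload HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n"),
    "bogus_te": b"POST /upload HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n",
    "te_space": b"POST /upload HTTP/1.1\r\nHost: app\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "dup_cl": b"POST /upload HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\nhello",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9s} -> {check_request(raw)}")
```

The `te_cl` sample is the classic shape: the proxy forwards by Content-Length (4 bytes) while a server honouring `chunked` reads past it and treats the trailing `GET /admin` as a second request on the same connection. Rejecting the ambiguity outright, rather than picking a winner, is what keeps both sides in agreement.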
gradio Server-Side Request Forgery vulnerability
GHSA-qh6x-j82h-vpf9 CVE-2024-1183 MODERATE over 1 year ago
An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports ...
pypi
No PRs yet
sqlparse parsing heavily nested list leads to Denial of Service
GHSA-2m57-hf25-phgg CVE-2024-4340 HIGH over 1 year ago
### Summary Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError. ### Details + PoC Running the fo...
pypi
191 Dependabot PRs, 24% merged
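The sqlparse entry above describes a parser that recurses once per nesting level, so deeply nested input turns into a RecursionError rather than a parse error. An added example, not sqlparse's code: a quoting-aware nesting-depth check run before the text reaches any recursive parser, so hostile input fails fast with a clear error. It counts only parentheses outside string literals, quoted identifiers and comments, so a literal such as `'(((('` can neither inflate nor mask the count. `MAX_DEPTH` is this example's choice; sqlparse itself is not imported.

```python
MAX_DEPTH = 100  # assumption: far above any real query, far below Python's recursion limit


class NestingTooDeep(ValueError):
    """Raised when parenthesis nesting exceeds the configured limit."""


def paren_depth(sql: str) -> int:
    """Maximum parenthesis nesting depth of `sql`.

    Parentheses inside single-quoted strings, double-quoted identifiers,
    -- line comments and /* block comments */ are ignored. A doubled quote
    inside a literal ('it''s') is treated as an escaped quote, not a close.
    """
    depth = max_depth = 0
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            j = i + 1
            while j < n:
                if sql[j] == ch:
                    if j + 1 < n and sql[j + 1] == ch:  # doubled quote: escape
                        j += 2
                        continue
                    break  # closing quote
                j += 1
            i = j + 1  # an unterminated literal simply consumes the rest
            continue
        if sql.startswith("--", i):
            nl = sql.find("\n", i)
            i = n if nl == -1 else nl + 1
            continue
        if sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        if ch == "(":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == ")":
            depth = max(depth - 1, 0)  # unbalanced input is left for the parser to reject
        i += 1
    return max_depth


def check_nesting(sql: str, limit: int = MAX_DEPTH) -> str:
    """Return `sql` unchanged if its nesting is within `limit`, else raise.

    Intended to sit in front of sqlparse.parse() or sqlparse.format() on
    untrusted input (e.g. a query editor or log viewer).
    """
    d = paren_depth(sql)
    if d > limit:
        raise NestingTooDeep(f"parenthesis nesting depth {d} exceeds limit {limit}")
    return sql


if __name__ == "__main__":
    print(paren_depth("SELECT ((1)) FROM t WHERE x = '((((' -- (((("))
    try:
        check_nesting("(" * 5000 + "1" + ")" * 5000)
    except NestingTooDeep as exc:
        print("rejected:", exc)
```

This is a pre-filter, not a replacement for upgrading: the parser still has to cope with whatever nesting the limit admits, so choose the limit with the process recursion limit in mind and keep the fixed sqlparse release in the lockfile.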
Pydantic regular expression denial of service
GHSA-mr82-8j83-vxmv CVE-2024-3772 MODERATE over 1 year ago
Regular expression denial of service in Pydantic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.
pypi
No PRs yet
NiceGUI allows potential access to local file system
GHSA-mwc7-64wg-pgvj CVE-2024-32005 HIGH over 1 year ago
NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceGUI leaflet component when requesting resource fi...
pypi
No PRs yet
OpenStack magnum vulnerable to time-of-check to time-of-use (TOCTOU) attack
GHSA-jx7x-9r98-h5xr CVE-2024-28718 MODERATE over 1 year ago
An issue in OpenStack magnum yoga-eom version allows a remote attacker to execute arbitrary code via the cert_manager.py component.
pypi
No PRs yet
Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode
GHSA-jjg7-2v4v-x38h CVE-2024-3651 MODERATE over 1 year ago
### Impact A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service. ...
pypi
1179 Dependabot PRs, 16% merged
Potential DoS via the Tudoor mechanism in eventlet and dnspython
GHSA-3rq5-2g8h-59hc CVE-2023-29483 MODERATE over 1 year ago
eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an inva...
pypi
259 Dependabot PRs, 11% merged
Aim Cross-Site Request Forgery vulnerability allows user to delete runs and perform other operations
GHSA-99w2-67h8-5948 CVE-2024-2196 HIGH over 1 year ago
aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and st...
pypi
No PRs yet
Gradio Local File Inclusion vulnerability
GHSA-3f95-mxq2-2f63 CVE-2024-1728 HIGH over 1 year ago
gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton compo...
pypi
No PRs yet
LiteLLM has Server-Side Template Injection vulnerability in /completions endpoint
GHSA-46cm-pfwv-cgf8 CVE-2024-2952 CRITICAL over 1 year ago
BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) via the `/completions` endpoint. The vulnerability arises from the `hf_chat_...
pypi
No PRs yet
Transformers Deserialization of Untrusted Data vulnerability
GHSA-37q5-v5qm-c9v8 CVE-2024-3568 LOW over 1 year ago
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_chec...
pypi
No PRs yet
Aim Web API vulnerable to Remote Code Execution
GHSA-mxvw-cj37-8g2h CVE-2024-2195 CRITICAL over 1 year ago
A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` en...
pypi
No PRs yet
llama-index-core Prompt Injection vulnerability leading to Arbitrary Code Execution
GHSA-wvpx-g427-q9wc CVE-2024-3098 CRITICAL over 1 year ago
A vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eval` function, allowing for p...
pypi
No PRs yet
yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)
GHSA-hjq6-52gw-2g7p CVE-2024-22423 HIGH over 1 year ago
### Summary The [patch that addressed CVE-2023-40581](https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e) attempted t...
pypi
1 Dependabot PR
DIRAC: Unauthorized users can read proxy contents during generation
GHSA-v6f3-gh5h-mqwx CVE-2024-29905 HIGH over 1 year ago
### Impact During the proxy generation process (e.g., when using `dirac-proxy-init`) it is possible for unauthorized users on the same machine to ...
pypi
No PRs yet
Ryu Infinite Loop vulnerability
GHSA-p28x-hj68-7vfp CVE-2024-28732 HIGH over 1 year ago
An issue was discovered in OFPMatch in parser.py in Faucet SDN Ryu version 4.34 that allows remote attackers to cause a denial of service (DoS) (infini...
pypi
No PRs yet
pgAdmin Remote Code Execution (RCE) vulnerability
GHSA-27jx-ffw8-xrqv CVE-2024-3116 HIGH over 1 year ago
pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE) vulnerability through the validate binary path API. This vulnerability allows attacker...
pypi
No PRs yet
Mobile Security Framework (MobSF) vulnerable to SSRF in firebase database check
GHSA-wpff-wm84-x5cx CVE-2024-31215 MODERATE over 1 year ago
### Impact _What kind of vulnerability is it? Who is impacted?_ SSRF vulnerability in firebase database check logic. The attacker can cause the ser...
pypi
No PRs yet
Voilà Local file inclusion
GHSA-2q59-h24c-w6fg CVE-2024-30265 HIGH over 1 year ago
### Impact Any deployment of voilà dashboard allows local file inclusion, that is to say any file on a filesystem that is readable by the user that...
pypi
No PRs yet
Pillow buffer overflow vulnerability
GHSA-44wm-f244-xhp3 CVE-2024-28219 HIGH over 1 year ago
In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.
pypi
906 Dependabot PRs, 20% merged
Piccolo Admin's raw SVG loading may lead to complete data compromise from admin page
GHSA-pmww-v6c9-7p83 CVE-2024-30248 HIGH over 1 year ago
### Summary Piccolo's admin panel provides the ability to upload media files and view them within the admin panel. If SVG is an allowed file type ...
pypi
No PRs yet
aliyundrive-webdav vulnerable to Command Injection
GHSA-73v2-rxqp-7q4f CVE-2024-29640 HIGH over 1 year ago
An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in ...
cargo pypi
No PRs yet
Saleor: Customers' addresses leak when using Warehouse as a `Pickup: Local stock only` delivery method
GHSA-mrj3-f2h4-7w45 CVE-2024-29888 MODERATE over 1 year ago
### Summary Using `Pickup: Local stock only` as click-and-collect points could cause a leak of customer addresses ### Details When using `Pickup...
pypi
No PRs yet
Cross site scripting (XSS) in JupyterHub via Self-XSS leveraged by Cookie Tossing
GHSA-7r3h-4ph8-w38g CVE-2024-28233 HIGH over 1 year ago
### Impact Affected configurations: - Single-origin JupyterHub deployments - JupyterHub deployments with user-controlled applications running on ...
pypi
No PRs yet
Lektor does not sanitize database path traversal
GHSA-wv28-7fpw-fj49 CVE-2024-28335 CRITICAL over 1 year ago
Lektor before 3.3.11 does not sanitize DB path traversal. Thus, shell commands might be executed via a file that is added to the templates director...
pypi
No PRs yet
gradio Server-Side Request Forgery vulnerability
GHSA-r364-m2j9-mf4h CVE-2024-2206 HIGH over 1 year ago
An SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the `/proxy` route. Attackers can exp...
pypi
No PRs yet
Apache Airflow Improper Preservation of Permissions vulnerability
GHSA-cff3-5qrp-hqx7 CVE-2024-29735 MODERATE over 1 year ago
Improper Preservation of Permissions vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.8.2 through 2.8.3. Airflow's local ...
pypi
No PRs yet
LangChain's XMLOutputParser vulnerable to XML Entity Expansion
GHSA-q84m-rmw3-4382 CVE-2024-1455 MODERATE over 1 year ago
The XMLOutputParser in LangChain uses the etree module from the XML parser in the standard python library which has some XML vulnerabilities; see: ...
pypi
No PRs yet
Unauthenticated views may expose information to anonymous users
GHSA-m732-wvh2-7cq4 CVE-2024-29199 LOW over 1 year ago
### Impact A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users, including the following...
pypi
1 Dependabot PR
ansys-geometry-core OS Command Injection vulnerability
GHSA-38jr-29fh-w9vm CVE-2024-29189 HIGH over 1 year ago
subprocess call with shell=True identified, security issue. #### Code On file [src/ansys/geometry/core/connection/product_instance.py](https://gi...
pypi
No PRs yet
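Most entries on this page have no Dependabot PR yet, which means the version check has to be done by hand. The following is an added example, not this index's code: it transcribes the affected ranges stated in several of the advisory summaries above into OSV-style ranges (`introduced` inclusive, `fixed` exclusive, `last_affected` inclusive) and matches them against the exact pins in a requirements file. The PyPI package names, the sample lockfile and the simplified version ordering (numeric release segment only, no pre-release handling) are this example's assumptions; use `packaging.version` for full PEP 440 ordering in production.

```python
import re
from typing import Dict, List, Tuple

# Transcribed from the advisory summaries on this page; package names are assumed.
ADVISORIES = [
    {"id": "CVE-2024-28219", "package": "pillow",
     "ranges": [{"fixed": "10.3.0"}]},
    {"id": "CVE-2024-3772", "package": "pydantic",
     "ranges": [{"fixed": "1.10.13"}, {"introduced": "2.0.0", "fixed": "2.4.0"}]},
    {"id": "CVE-2023-29483", "package": "eventlet",
     "ranges": [{"fixed": "0.35.2"}]},
    {"id": "CVE-2023-29483", "package": "dnspython",
     "ranges": [{"fixed": "2.6.0"}]},
    {"id": "CVE-2024-28335", "package": "lektor",
     "ranges": [{"fixed": "3.3.11"}]},
    {"id": "CVE-2024-31869", "package": "apache-airflow",
     "ranges": [{"introduced": "2.7.0", "last_affected": "2.8.4"}]},
    {"id": "CVE-2024-29735", "package": "apache-airflow",
     "ranges": [{"introduced": "2.8.2", "last_affected": "2.8.3"}]},
    {"id": "CVE-2024-31583", "package": "torch",
     "ranges": [{"fixed": "2.2.0"}]},
    {"id": "CVE-2024-3660", "package": "keras",
     "ranges": [{"fixed": "2.13"}]},
]


def release_tuple(version: str) -> Tuple[int, ...]:
    """Numeric release segment only: '2.8.4' -> (2, 8, 4). Simplification: tags
    such as rc1 or .post1 are ignored."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def vcmp(a: str, b: str) -> int:
    """-1, 0 or 1; '2.8' and '2.8.0' compare equal."""
    ta, tb = release_tuple(a), release_tuple(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def in_range(version: str, rng: dict) -> bool:
    """OSV semantics: introduced <= version < fixed, or <= last_affected."""
    if vcmp(version, rng.get("introduced", "0")) < 0:
        return False
    if "fixed" in rng:
        return vcmp(version, rng["fixed"]) < 0
    if "last_affected" in rng:
        return vcmp(version, rng["last_affected"]) <= 0
    return True  # open-ended: no fix known


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Pillow' and 'pillow' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(requirements: str) -> Dict[str, str]:
    """Collect exact '==' pins; comments and non-exact specifiers are skipped."""
    pins: Dict[str, str] = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)", line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def find_affected(pins: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(package, pinned version, advisory id) for every pin inside an affected range."""
    hits = []
    for adv in ADVISORIES:
        pkg = adv["package"]
        if pkg in pins and any(in_range(pins[pkg], r) for r in adv["ranges"]):
            hits.append((pkg, pins[pkg], adv["id"]))
    return hits


# Constructed sample lockfile for this example.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project
Pillow==10.2.0
pydantic==2.4.0
apache-airflow==2.8.3
dnspython==2.6.1
torch==2.1.2
"""

if __name__ == "__main__":
    for pkg, ver, adv_id in find_affected(parse_pins(SAMPLE_REQUIREMENTS)):
        print(f"{pkg}=={ver} is affected by {adv_id}")
```

Two details matter in practice: a `last_affected` bound says nothing about whether a fix exists, so such entries deserve a follow-up rather than a version bump; and two ranges for one package (pydantic's 1.x and 2.x lines here) must be checked independently, since a version above the first fix can still be below the second.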