An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

PaddlePaddle allows arbitrary file read via paddle.vision.ops.read_file
GHSA-jwrc-3v3f-5cq5 CVE-2024-1603 HIGH over 1 year ago
paddlepaddle/paddle 2.6.0 allows arbitrary file read via paddle.vision.ops.read_file.
pypi
No PRs yet
SSRF Vulnerability on assetlinks_check(act_name, well_knowns)
GHSA-wfgj-wrgh-h3r3 CVE-2024-29190 HIGH over 1 year ago
### Summary While examining the "App Link assetlinks.json file could not be found" vulnerability detected by MobSF, we, as the Trendyol Application...
pypi
No PRs yet
ESPHome vulnerable to Authentication bypass via Cross site request forgery
GHSA-5925-88xh-6h99 CVE-2024-29019 HIGH over 1 year ago
### Summary API endpoints in dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forg...
pypi
No PRs yet
GoogleOAuthenticator.hosted_domain incorrectly verifies membership of a Google organization/workspace
GHSA-55m3-44xf-hg4h CVE-2024-29033 HIGH over 1 year ago
## Summary and impact [`GoogleOAuthenticator.hosted_domain`] is used to restrict what Google accounts can be authorized to access a JupyterHub. Th...
pypi
No PRs yet
`qiskit_ibm_runtime.RuntimeDecoder` can execute arbitrary code
GHSA-x4x5-jv3x-9c7m CVE-2024-29032 MODERATE over 1 year ago
### Summary deserializing json data using `qiskit_ibm_runtime.RuntimeDecoder` can be made to execute arbitrary code given a correctly formatted in...
pypi
1 Dependabot PR
Dynamic Variable Evaluation in qiskit-ibm-runtime
GHSA-cq96-9974-v8hm LOW over 1 year ago
### Summary An `eval()` method exists `Options._get_program_inputs`. This is bad in any case, but especially bad because `Options` are also used s...
pypi
No PRs yet
Jupyter Server Proxy's Websocket Proxying does not require authentication
GHSA-w3vc-fx9p-wp4v CVE-2024-28179 CRITICAL over 1 year ago
## Summary `jupyter-server-proxy` is used to expose ports local to a Jupyter server listening to web traffic to the Jupyter server's _authenticate...
pypi
3 Dependabot PRs, 33% merged
Black vulnerable to Regular Expression Denial of Service (ReDoS)
GHSA-fj7x-q9j7-g6q6 CVE-2024-21503 MODERATE over 1 year ago
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded...
pypi
771 Dependabot PRs, 16% merged
Denial of service via regular expression
GHSA-wj85-w4f4-xh8h CVE-2024-28865 HIGH over 1 year ago
### Impact All historical installations of django-wiki are vulnerable to maliciously crafted article content, that can cause severe use of server ...
pypi
No PRs yet
XSS via the "Snapshot Test" feature in Classic Webcam plugin settings
GHSA-x7mf-wrh9-r76c CVE-2024-28237 MODERATE over 1 year ago
### Impact OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to configure or talk a victim with...
pypi
No PRs yet
RCE in TranformGraph().to_dot_graph function
GHSA-h2x6-5jx5-46hf CVE-2023-41334 HIGH over 1 year ago
### Summary RCE due to improper input validation in TranformGraph().to_dot_graph function ### Details Due to improper input validation a maliciou...
pypi
No PRs yet
Information leakage in YAQL
GHSA-mvf6-hwxh-7v76 CVE-2024-29156 MODERATE over 1 year ago
YAQL before 3.0.0 is used in Murano, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leadi...
pypi
No PRs yet
Improper Privilege Management in djangorestframework-simplejwt
GHSA-5vcc-86wm-547q CVE-2024-22513 LOW over 1 year ago
djangorestframework-simplejwt before version 5.5.1 is vulnerable to information disclosure. A user can access web application resources even after ...
pypi
No PRs yet
Regular expression denial-of-service in Django
GHSA-vm8q-m57g-pff3 CVE-2024-27351 MODERATE over 1 year ago
In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the trunc...
pypi
30 Dependabot PRs, 23% merged
fgr Vulnerable to Insecure Default Variable Initialization
GHSA-879p-8gw4-mcpw LOW over 1 year ago
### Impact Any users who would not desire a traceback to be included in their logs whenever an error is raised in their code will be affected. If...
pypi
No PRs yet
vantage6 vulnerable to a username timing attack on recover password/MFA token
GHSA-5h3x-6gwf-73jm CVE-2024-24770 MODERATE over 1 year ago
### Impact Much like https://github.com/vantage6/vantage6/security/advisories/GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in ...
pypi
No PRs yet
vantage6's CORS settings overly permissive
GHSA-4946-85pr-fvxh CVE-2024-23823 MODERATE over 1 year ago
### Impact The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server. T...
pypi
No PRs yet
Whoogle Search Cross-site Scripting vulnerability
GHSA-phg6-44m7-hx3h CVE-2024-22417 MODERATE over 1 year ago
Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `element` method in `app/routes.py` does not validate the user-...
pypi
No PRs yet
Whoogle Search Path Traversal vulnerability
GHSA-q97g-c29h-x2p7 CVE-2024-22203 CRITICAL over 1 year ago
Whoogle Search is a self-hosted metasearch engine. In versions prior to 0.8.4, the `element` method in `app/routes.py` does not validate the user-c...
pypi
No PRs yet
Whoogle Search Path Traversal vulnerability
GHSA-hh2q-qv66-jcqg CVE-2024-22204 MODERATE over 1 year ago
Whoogle Search is a self-hosted metasearch engine. Versions 0.8.3 and prior have a limited file write vulnerability when the configuration options ...
pypi
No PRs yet
Whoogle Search Server-Side Request Forgery vulnerability
GHSA-3q6g-qmpx-rqw4 CVE-2024-22205 CRITICAL over 1 year ago
Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `window` endpoint does not sanitize user-supplied input from th...
pypi
No PRs yet
Apache Airflow: Ignored Airflow Permission
GHSA-h574-6646-vfxx CVE-2024-28746 MODERATE over 1 year ago
Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources su...
pypi
No PRs yet
aiosmtpd vulnerable to SMTP smuggling
GHSA-pr2m-px7j-xg65 CVE-2024-27305 MODERATE over 1 year ago
### Summary aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differen...
pypi
No PRs yet
Potential log injection in reset user endpoint in CKAN
GHSA-8g38-3m6v-232j CVE-2024-27097 MODERATE over 1 year ago
A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker ...
pypi
No PRs yet
Remote Code Execution Vulnerability in Microsoft Django Backend for SQL Server
GHSA-vmqv-47j8-gwv8 CVE-2024-26164 HIGH over 1 year ago
Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability
pypi
No PRs yet
WeasyPrint allows the attachment of arbitrary files and URLs to a PDF
GHSA-35jj-wx47-4w8r CVE-2024-28184 HIGH over 1 year ago
### Impact Since version 61.0, there's a vulnerability which allows attaching content of arbitrary files and URLs to a generated PDF document, even...
pypi
No PRs yet
LibOSDP RMAC revert to the beginning of the session
GHSA-xhjw-7vh5-qxqm CVE-2024-52288 MODERATE over 1 year ago
Issues: SCS_14 is allowed on an encrypted connection (osdp_phy.c); no validation that RMAC_I is only accepted in response to osdp_SCRYPT (osdp_cp.c) ...
pypi
No PRs yet
LibOSDP vulnerable to a null pointer deref in osdp_reply_name
GHSA-7945-5mcv-f2pp CVE-2024-52296 MODERATE over 1 year ago
### Issue: At ospd_common.c, in the osdp_reply_name function, any reply id between REPLY_ACK and REPLY_XRD is valid, but the names array does not declare...
pypi
No PRs yet
Django MarkdownX Cross-Site Scripting (XSS) vulnerability
GHSA-fvx8-79hx-x82f CVE-2024-2319 MODERATE over 1 year ago
Cross-Site Scripting (XSS) vulnerability in the Django MarkdownX project, affecting version 4.0.2. An attacker could store a specially crafted Java...
pypi
No PRs yet
pgAdmin 4 vulnerable to Unsafe Deserialization and Remote Code Execution by an Authenticated user
GHSA-rj98-crf4-g69w CVE-2024-2044 CRITICAL over 1 year ago
pgAdmin prior to version 8.4 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the...
pypi
No PRs yet
PaddlePaddle Path Traversal vulnerability
GHSA-2rp8-hff9-c5wr CVE-2024-0818 CRITICAL over 1 year ago
Arbitrary File Overwrite Via Path Traversal in paddlepaddle/paddle before 2.6
pypi
No PRs yet
PaddlePaddle vulnerable to remote code execution
GHSA-mrmm-qmrj-xgp6 CVE-2024-0917 CRITICAL over 1 year ago
remote code execution in paddlepaddle/paddle 2.6.0
pypi
No PRs yet
PaddlePaddle command injection in paddle.utils.download._wget_download
GHSA-qqv2-35q8-p2g2 CVE-2024-0815 HIGH over 1 year ago
Command injection in paddle.utils.download._wget_download (bypass filter) in paddlepaddle/paddle 2.6.0
pypi
No PRs yet
PaddlePaddle command injection vulnerability
GHSA-fh54-3vhg-mpc2 CVE-2024-0817 HIGH over 1 year ago
Command injection in IrGraph.draw in paddlepaddle/paddle 2.6.0
pypi
No PRs yet
JWCrypto vulnerable to JWT bomb Attack in `deserialize` function
GHSA-j857-7rvv-vj97 CVE-2024-28102 MODERATE over 1 year ago
## Affected version Vendor: https://github.com/latchset/jwcrypto Version: 1.5.5 ## Description An attacker can cause a DoS attack by passing in a ...
pypi
No PRs yet
RPyC's missing security check results in code execution when using numpy.array on the server-side.
GHSA-h5cg-53g7-gqjw CVE-2024-27758 HIGH over 1 year ago
An issue in Open Source: RPyC v.4.00 thru v.5.3.1 allows a remote attacker to execute arbitrary code via a crafted script to the `__array__` attrib...
pypi
No PRs yet
esphome vulnerable to stored Cross-site Scripting in edit configuration file API
GHSA-9p43-hj5j-96h5 CVE-2024-27287 MODERATE over 1 year ago
### Summary Edit configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) s...
pypi
No PRs yet
Plone information disclosure vulnerability
GHSA-xg5p-8wg5-rhxm CVE-2024-22889 MODERATE over 1 year ago
Due to incorrect access control in Plone version v6.0.9, remote attackers can view and list all files hosted on the website via sending a crafted r...
pypi
No PRs yet
eth-abi is vulnerable to recursive DoS
GHSA-3qwc-47jf-5rf7 MODERATE over 1 year ago
This is related to recent ZST stuff (https://github.com/ethereum/eth-abi/security/advisories/GHSA-rqr8-pxh7-cq3g), but it's a different one. Basica...
pypi
No PRs yet
LangChain directory traversal vulnerability
GHSA-h59x-p739-982c CVE-2024-28088 LOW over 1 year ago
LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain cal...
pypi
1 Dependabot PR
ESPHome vulnerable to remote code execution via arbitrary file write
GHSA-8p25-3q46-8q2p CVE-2024-27081 HIGH over 1 year ago
### Summary Security misconfiguration in edit configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation...
pypi
No PRs yet
Apache Airflow: Incorrect Default Permissions in audit logs for Ops and Viewers users
GHSA-6xwf-xvf3-v459 CVE-2024-26280 MODERATE almost 2 years ago
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated Ops and Viewers users to view all information on audit logs, i...
pypi
No PRs yet
Docassemble HTML and javascript injection
GHSA-pcfx-g2j2-f6f6 CVE-2024-27290 MODERATE over 1 year ago
### Impact A user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTM...
pypi
No PRs yet
Docassemble open redirect
GHSA-7wxf-r2qv-9xwr CVE-2024-27291 MODERATE over 1 year ago
### Impact It is possible to create a URL that acts as an open redirect. ### Patches The vulnerability has been patched in version 1.4.97 of the m...
pypi
No PRs yet
Docassemble unauthorized access through URL manipulation
GHSA-jq57-3w7p-vwvv CVE-2024-27292 HIGH over 1 year ago
### Impact The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects version...
pypi
No PRs yet
Apache Airflow: DAG Code and Import Error Permissions Ignored
GHSA-6v6w-h8m6-7mv2 CVE-2024-27906 MODERATE almost 2 years ago
Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not h...
pypi
No PRs yet
Mezzanine allows attackers to bypass access control mechanisms
GHSA-qp56-82vp-xqgv CVE-2024-25169 MODERATE almost 2 years ago
An issue in Mezzanine v6.0.0 allows attackers to bypass access control mechanisms in the admin panel via a crafted request.
pypi
No PRs yet
Mezzanine allows attackers to bypass access controls via manipulating the Host header
GHSA-22cc-w7xm-rfhx CVE-2024-25170 MODERATE almost 2 years ago
An issue in Mezzanine v6.0.0 allows attackers to bypass access controls via manipulating the Host header.
pypi
No PRs yet
Flask-AppBuilder vulnerable to incorrect authentication when using auth type OpenID
GHSA-j2pw-vp55-fqqj CVE-2024-25128 CRITICAL almost 2 years ago
### Impact When Flask-AppBuilder is set to AUTH_TYPE AUTH_OID, allows an attacker to forge an HTTP request, that could deceive the backend into usi...
pypi
No PRs yet
Flask-AppBuilder's OAuth login page subject to Cross Site Scripting (XSS)
GHSA-fqxj-46wg-9v84 CVE-2024-27083 MODERATE almost 2 years ago
### Impact A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user to follow a speci...
pypi
No PRs yet