Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,785 Total Advisories
1,792 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity
Apache Superset: Improper authorization validation on dashboards and charts import
GHSA-3v9r-885j-762g CVE-2024-26016 MODERATE almost 2 years ago
A low privilege authenticated user could import an existing dashboard or chart that they do not have access to and then modify its metadata, thereb...
pypi
No PRs yet
Apache Superset: Improper data authorization when creating a new dataset
GHSA-wr6g-9wcr-cmqj CVE-2024-24779 MODERATE almost 2 years ago
Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual d...
pypi
No PRs yet
Apache Superset: Improper Neutralization of custom SQL on embedded context
GHSA-m6jm-3v38-76j4 CVE-2024-24772 MODERATE almost 2 years ago
A guest user could exploit a chart data REST API and send arbitrary SQL statements that on error could leak information from the underlying analyti...
pypi
No PRs yet
Apache Superset: Improper validation of SQL statements allows for unauthorized access to data
GHSA-5474-f7g5-273q CVE-2024-24773 MODERATE almost 2 years ago
Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope.
This issue affects A...
pypi
No PRs yet
Apache Superset: Improper error handling on alerts
GHSA-h7r6-8qmm-hj5r CVE-2024-27315 MODERATE almost 2 years ago
An authenticated user with privileges to create Alerts on Alerts & Reports has the capability to generate a specially crafted SQL statement that tr...
pypi
No PRs yet
ZenML Server Remote Privilege Escalation Vulnerability
GHSA-vf7j-cmrj-pmmm CVE-2024-25723 HIGH almost 2 years ago
ZenML Server in the ZenML package before 0.46.7 for Python allows remote privilege escalation because the `/api/v1/users/{user_name_or_id}/activate...
pypi
No PRs yet
diffoscope Path Traversal vulnerability
GHSA-33w6-hvmq-gh4x CVE-2024-25711 MODERATE almost 2 years ago
diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be discl...
pypi
No PRs yet
Vyper's `extract32` can read dirty memory
GHSA-4hwq-4cpm-8vmx CVE-2024-24564 LOW almost 2 years ago
### Summary
When using the built-in `extract32(b, start)`, if the `start` index provided has for side effect to update `b`, the byte array to extr...
pypi
No PRs yet
Vyper's `_abi_decode` vulnerable to Memory Overflow
GHSA-9p8r-4xp4-gw5w CVE-2024-26149 LOW almost 2 years ago
## Summary
If an excessively large value is specified as the starting index for an array in `_abi_decode`, it can cause the read position to overf...
pypi
No PRs yet
PyPop C extensions possible vulnerability: missing arguments and redundant null pointers
GHSA-p4m5-32pr-2hqr LOW almost 2 years ago
### Impact
Code scanning revealed possible vulnerability in C extensions for PyPop: incorrect function calls (missing arguments or wrongly typed ar...
pypi
No PRs yet
orjson does not limit recursion for deeply nested JSON documents
GHSA-pwr2-4v36-6qpr CVE-2024-27454 HIGH almost 2 years ago
orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.
pypi
2 Dependabot PRs
LangChain Experimental vulnerable to arbitrary code execution
GHSA-v8vj-cv27-hjv8 CVE-2024-27444 CRITICAL almost 2 years ago
langchain_experimental (aka LangChain Experimental) before 0.0.52, part of LangChain before 0.1.8, allows an attacker to bypass the CVE-2023-44467 ...
pypi
No PRs yet
pretix mishandles file validation
GHSA-672r-97r7-vx2q CVE-2024-27447 MODERATE almost 2 years ago
pretix before 2024.1.1 mishandles file validation.
pypi
No PRs yet
langchain Server-Side Request Forgery vulnerability
GHSA-h9j7-5xvc-qhg5 CVE-2024-0243 LOW almost 2 years ago
With the following crawler configuration:
```python
from bs4 import BeautifulSoup as Soup
url = "https://example.com"
loader = RecursiveUrlLoader...
```
pypi
No PRs yet
Uninitialized Variable in fastecdsa
GHSA-ph86-g9r3-5qw4 CVE-2024-21502 HIGH almost 2 years ago
Versions of the package fastecdsa before 2.3.2 use an Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due t...
pypi
No PRs yet
Cross-site Scripting in MLFlow
GHSA-6749-m5cp-6cg7 CVE-2024-27132 CRITICAL almost 2 years ago
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe.
This issue leads to a client-side RCE when running an untrusted...
pypi
No PRs yet
MLFlow Cross-site Scripting vulnerability leads to client-side Remote Code Execution
GHSA-3v79-q7ph-j75h CVE-2024-27133 CRITICAL almost 2 years ago
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when r...
pypi
No PRs yet
Onnx Directory Traversal vulnerability
GHSA-whh8-fjgc-qp73 CVE-2024-27318 HIGH almost 2 years ago
Versions of the package onnx before and including 1.15.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can h...
pypi
2 Dependabot PRs
Onnx Out-of-bounds Read vulnerability
GHSA-h8wv-9h96-m4hr CVE-2024-27319 MODERATE almost 2 years ago
Versions of the package onnx before and including 1.15.0 are vulnerable to Out-of-bounds Read as the ONNX_ASSERT and ONNX_ASSERTM functions have an...
pypi
2 Dependabot PRs
Gradio apps vulnerable to timing attacks to guess password
GHSA-hmx6-r76c-85g9 CVE-2024-1729 MODERATE almost 2 years ago
### Impact
This security advisory concerns a timing attack that allows users of Gradio apps to potentially guess the password of password-p...
pypi
No PRs yet
Label Studio vulnerable to Cross-site Scripting if `<Choices>` or `<Labels>` are used in labeling config
GHSA-6xv9-957j-qfhg CVE-2024-26152 MODERATE almost 2 years ago
### Summary
On all Label Studio versions prior to 1.11.0, data imported via file upload feature is not properly sanitized prior to being rendered w...
pypi
No PRs yet
pypqc private key retrieval vulnerability
GHSA-rc4p-p3j9-6577 HIGH almost 2 years ago
### Impact
`kyber512`, `kyber768`, and `kyber1024` only: An attacker able to submit many decapsulation requests against a single private key, and t...
pypi
No PRs yet
Potentially untrusted input is rendered as HTML in final output
GHSA-578p-fxmm-6229 CVE-2024-26151 HIGH almost 2 years ago
### Impact
All users of mjml-python who insert untrusted data into mjml templates unless that data is checked in a very strict manner. User input ...
pypi
No PRs yet
cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override
GHSA-6vqw-3v5j-54x4 CVE-2024-26130 HIGH almost 2 years ago
If `pkcs12.serialize_key_and_certificates` is called with both:
1. A certificate whose public key did not match the provided private key
2. An `en...
pypi
55 Dependabot PRs, 14% merged
pymatgen vulnerable to arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string
GHSA-vgv8-5cpj-qj2f CVE-2024-23346 CRITICAL almost 2 years ago
### Summary
A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` li...
pypi
1 Dependabot PR
Potential buffer overflow in CBOR2 decoder
GHSA-375g-39jq-vq7m CVE-2024-26134 HIGH almost 2 years ago
### Summary
Ever since https://github.com/agronholm/cbor2/pull/204 (or specifically https://github.com/agronholm/cbor2/commit/387755eacf0be35591a47...
pypi
No PRs yet
Improper Certificate Validation in apache airflow mongo hook
GHSA-x5pm-h33q-cjrw CVE-2024-25141 CRITICAL almost 2 years ago
When SSL was enabled for the Mongo Hook, default settings included "allow_insecure", which caused certificates not to be validated. This was unexpec...
pypi
No PRs yet
Cross-site Scripting in Pyhtml2pdf
GHSA-p3rv-qj56-2fqx CVE-2024-1647 HIGH almost 2 years ago
Pyhtml2pdf version 0.0.6 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not ...
pypi
No PRs yet
tuf's Metadata API: Targets.get_delegated_role() is missing input validation
GHSA-77hh-43cm-v8j6 LOW almost 2 years ago
The security of both a TUF client and repository implementations depend on the concept of trusted Metadata objects verifying the signatures over ot...
pypi
1 Dependabot PR
Scrapy decompression bomb vulnerability
GHSA-7j7m-v7m3-jqm7 CVE-2024-3572 HIGH almost 2 years ago
### Impact
Scrapy limits allowed response sizes by default through the [`DOWNLOAD_MAXSIZE`](https://docs.scrapy.org/en/latest/topics/settings.html...
pypi
2 Dependabot PRs
Scrapy authorization header leakage on cross-domain redirect
GHSA-cw9j-q3vf-hrrv CVE-2024-3574 HIGH almost 2 years ago
### Impact
When you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Scrapy’...
pypi
2 Dependabot PRs
Scrapy vulnerable to ReDoS via XMLFeedSpider
GHSA-cc65-xxvf-f7r9 CVE-2024-1892 HIGH almost 2 years ago
### Impact
The following parts of the Scrapy API were found to be vulnerable to a [ReDoS attack](https://owasp.org/www-community/attacks/Regular_e...
pypi
2 Dependabot PRs
python-multipart vulnerable to Content-Type Header ReDoS
GHSA-2jv5-9r88-3w3p CVE-2024-24762 HIGH almost 2 years ago
### Summary
When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.
An att...
pypi
No PRs yet
commonground-api-common unexploitable privilege escalation in JWT authentication middleware
GHSA-c4cm-r9fh-jgj9 LOW almost 2 years ago
### Impact
This is a privilege escalation vulnerability. The impact is negligible and entirely theoretical.
A non-exploitable weakness was found ...
pypi
No PRs yet
NoneBot Potential Information Leak in User-Constructed Message Templates
GHSA-59j8-776v-xxxg CVE-2024-21624 MODERATE almost 2 years ago
### Impact
This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `Mes...
pypi
No PRs yet
Kinto Attachment's attachments can be replaced on read-only records
GHSA-hvp4-vrv2-8wrq CVE-2024-1314 HIGH almost 2 years ago
### Impact
The attachment file of an existing record can be replaced if the user has `"read"` permission on one of the parent (collection or bucke...
pypi
No PRs yet
DIRAC's TokenManager does not check permissions on cached tokens
GHSA-59qj-jcjv-662j CVE-2024-24825 CRITICAL almost 2 years ago
### Impact
Any user could get a token that has been requested by another user/agent.
### Patches
The vulnerability is fixed in version 8.0.37.
##...
pypi
No PRs yet
SQLAlchemyDA unauthenticated arbitrary SQL query execution
GHSA-r3jc-3qmm-w3pw CVE-2024-24811 CRITICAL almost 2 years ago
### Impact
The vulnerability allows unauthenticated execution of arbitrary SQL statements on the database the SQLAlchemyDA instance is connected to...
pypi
No PRs yet
Vyper negative array index bounds checks
GHSA-52xq-j7v9-v4v2 CVE-2024-24563 CRITICAL almost 2 years ago
### Summary
Arrays can be keyed by a signed integer, while they are defined for unsigned integers only. The typechecker doesn't throw when spotting...
pypi
No PRs yet
Django denial-of-service attack in the intcomma template filter
GHSA-xxj9-f6rv-m3x4 CVE-2024-24680 HIGH almost 2 years ago
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10, and Django 5.0 before 5.0.2. The intcomma template filter was subject to a ...
pypi
66 Dependabot PRs, 19% merged
Allegro AI ClearML path traversal vulnerability
GHSA-m95h-p4gg-wfw3 CVE-2024-24591 HIGH almost 2 years ago
A path traversal vulnerability in versions 1.4.0 to 1.14.1 of the client SDK of Allegro AI’s ClearML platform enables a maliciously uploaded datase...
pypi
No PRs yet
Allegro AI ClearML vulnerable to deserialization of untrusted data
GHSA-cpcw-9h9m-wqw9 CVE-2024-24590 HIGH almost 2 years ago
Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s ClearML platform, enabling a maliciously...
pypi
No PRs yet
Ansible-core information disclosure flaw
GHSA-h24r-m9qc-pvpg CVE-2024-0690 MODERATE almost 2 years ago
An information disclosure flaw was found in ansible-core due to a failure to respect the `ANSIBLE_NO_LOG` configuration in some scenarios. It was d...
pypi
2 Dependabot PRs
Allegro AI ClearML Stores Credentials in Plaintext in MongoDB Instance
GHSA-gvqv-h7hh-6fcc CVE-2024-24595 MODERATE almost 2 years ago
Allegro AI’s open-source version of ClearML stores passwords in plaintext within the MongoDB instance, resulting in a compromised server leaking al...
pypi
No PRs yet
Gradio Path Traversal vulnerability
GHSA-f3h9-8phc-6gvh CVE-2024-0964 HIGH almost 2 years ago
A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request.
pypi
No PRs yet
pyLoad open redirect vulnerability due to improper validation of the is_safe_url function
GHSA-g3cm-qg2v-2hj5 CVE-2024-24808 MODERATE almost 2 years ago
### Summary
Open redirect vulnerability due to incorrect validation of input values when redirecting users after login.
### Details
pyload is vali...
pypi
No PRs yet
Python Cryptography package vulnerable to Bleichenbacher timing oracle attack
GHSA-3ww4-gg4f-jr7f CVE-2023-50782 HIGH almost 2 years ago
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RS...
pypi
No PRs yet
m2crypto Bleichenbacher timing attack - incomplete fix for CVE-2020-25657
GHSA-944j-8ch6-rf6x CVE-2023-50781 MODERATE almost 2 years ago
A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which ...
pypi
No PRs yet
Vyper sha3 codegen bug
GHSA-6845-xw22-ffxv CVE-2024-24559 LOW almost 2 years ago
### Summary
There is an error in the stack management when compiling the `IR` for `sha3_64`. Concretely, the `height` variable is miscalculated.
Th...
pypi
No PRs yet
Vyper's external calls can overflow return data to return input buffer
GHSA-gp3w-2v2m-p686 CVE-2024-24560 LOW almost 2 years ago
## Summary
When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at by...
pypi
No PRs yet