Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617
Dash apps vulnerable to Cross-site Scripting
GHSA-547x-748v-vp6p CVE-2024-21485 MODERATE almost 2 years ago
Versions of the package dash-core-components before 2.13.0; versions of the package dash-core-components before 2.0.0; versions of the package dash...
npm
pypi
No PRs yet
Vyper's bounds check on built-in `slice()` function can be overflowed
GHSA-9x7f-gwxq-6f2c CVE-2024-24561 CRITICAL almost 2 years ago
## Summary
[The bounds check for slices](https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions...
pypi
No PRs yet
glance-store logs s3 access keys
GHSA-wgpq-p2hm-56v9 CVE-2024-1141 MODERATE almost 2 years ago
A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log lev...
pypi
No PRs yet
OctoPrint Unverified Password Change via Access Control Settings
GHSA-5626-pw9c-hmjr CVE-2024-23637 MODERATE almost 2 years ago
### Impact
OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other ad...
pypi
No PRs yet
Label Studio SSRF on Import Bypassing `SSRF_PROTECTION_ENABLED` Protections
GHSA-p59w-9gqw-wj8r CVE-2023-47116 MODERATE almost 2 years ago
# Introduction
This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source...
pypi
No PRs yet
vantage6 may create unencrypted tasks in encrypted collaboration
GHSA-rjmv-52mp-gjrr CVE-2024-22193 LOW almost 2 years ago
### Impact
There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accident...
pypi
No PRs yet
vantage6 vulnerable to username timing attack
GHSA-45gq-q4xh-cp53 CVE-2024-21671 LOW almost 2 years ago
### Impact
It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks
### Worka...
pypi
No PRs yet
vantage6 has insecure SSH configuration for node and server containers
GHSA-2wgc-48g2-cj5w CVE-2024-21653 MODERATE almost 2 years ago
### Impact
Nodes and servers get an SSH config by default that permits root login with password authentication. In a proper deployment, the SSH serv...
pypi
No PRs yet
vantage6 remote code execution vulnerability
GHSA-w9h2-px87-74vx CVE-2024-21649 HIGH almost 2 years ago
### Impact
Authenticated users could inject code into algorithm environment variables
### Workarounds
No
pypi
No PRs yet
Vyper's raw_call `value=` kwargs not disabled for static and delegate calls
GHSA-x2c2-q32w-4w6m CVE-2024-24567 MODERATE almost 2 years ago
### Summary
Vyper compiler allows passing a value in builtin `raw_call` even if the call is a `delegatecall` or a `staticcall`. But in the context ...
pypi
No PRs yet
aiohttp is vulnerable to directory traversal
GHSA-5h86-8mv2-jq9f CVE-2024-23334 HIGH almost 2 years ago
### Summary
Improperly configuring static resource resolution in aiohttp when used as a web server can result in the unauthorized reading of arbitr...
pypi
No PRs yet
aiohttp's HTTP parser (the python one, not llhttp) still overly lenient about separators
GHSA-8qpw-xqxj-h4r2 CVE-2024-23829 MODERATE almost 2 years ago
### Summary
Security-sensitive parts of the *Python HTTP parser* retained minor differences in allowable character sets, that must trigger error ha...
pypi
No PRs yet
ai-flow Deserialization of Untrusted Data vulnerability
GHSA-7mgg-3rq2-hff4 CVE-2024-0960 MODERATE almost 2 years ago
A vulnerability was found in flink-extended ai-flow 0.3.1. It has been declared as critical. Affected by this vulnerability is the function cloudpi...
pypi
No PRs yet
Deserialization of untrusted data in synthcity
GHSA-4957-7vhp-7v59 CVE-2024-0937 CRITICAL almost 2 years ago
A vulnerability, which was classified as critical, has been found in van_der_Schaar LAB synthcity 0.2.9. Affected by this issue is the function loa...
pypi
No PRs yet
Null pointer dereference in PKCS12 parsing
GHSA-9v9h-cgj8-h64p CVE-2024-0727 MODERATE almost 2 years ago
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack
Impact sum...
pypi
1 Dependabot PR
Apache Airflow: pickle deserialization vulnerability in XComs
GHSA-c3c6-f2ww-xfr2 CVE-2023-50943 HIGH almost 2 years ago
Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of...
pypi
No PRs yet
Apache Airflow: Bypass permission verification to read code of other dags
GHSA-vm5m-qmrx-fw8w CVE-2023-50944 HIGH almost 2 years ago
Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don'...
pypi
No PRs yet
Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service
GHSA-mg2x-mggj-6955 CVE-2023-51702 MODERATE almost 2 years ago
Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes ...
pypi
No PRs yet
Cross-site Scripting Vulnerability on Data Import
GHSA-fq23-g58m-799r CVE-2024-23633 MODERATE almost 2 years ago
# Introduction
This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source...
pypi
No PRs yet
Cross-site Scripting Vulnerability on Avatar Upload
GHSA-q68h-xwq5-mm7x CVE-2023-47115 HIGH almost 2 years ago
# Introduction
This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source...
pypi
No PRs yet
Cross-site Scripting in Apache superset
GHSA-rwhh-6x83-84v6 CVE-2023-49657 CRITICAL almost 2 years ago
A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions ...
pypi
No PRs yet
XSS potential in rendered Markdown fields (comments, description, notes, etc.)
GHSA-v4xv-795h-rv4h CVE-2024-23345 HIGH almost 2 years ago
### Impact
All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted.
Due to inadequate input sanitization, any user-e...
pypi
1 Dependabot PR
changedetection.io API endpoint is not secured with API token
GHSA-hcvp-2cc7-jrwr CVE-2024-23329 LOW almost 2 years ago
### Summary
API endpoint `/api/v1/watch/<uuid>/history` can be accessed by any unauthorized user.
### Details
WatchHistory resource does not hav...
pypi
No PRs yet
Minerva timing attack on P-256 in python-ecdsa
GHSA-wj6h-64fc-37mp CVE-2024-23342 HIGH almost 2 years ago
python-ecdsa has been found to be subject to a Minerva timing attack on the P-256 curve. Using the `ecdsa.SigningKey.sign_digest()` API function an...
pypi
No PRs yet
html injection vulnerability in the `tuitse_html` function.
GHSA-m4m5-j36m-8x72 CVE-2024-23341 MODERATE almost 2 years ago
### Impact
When using `tuitse_html` without quoting the input, there is an HTML injection vulnerability. It should use the django version `django.u...
pypi
No PRs yet
Code execution in pandasai
GHSA-5g73-69p4-7gvx CVE-2024-23752 CRITICAL almost 2 years ago
GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Pytho...
pypi
No PRs yet
SQL injection in llama-index
GHSA-2jxw-4hm4-6w87 CVE-2024-23751 CRITICAL almost 2 years ago
LlamaIndex (aka llama_index) through 0.9.35 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine...
pypi
No PRs yet
Code execution in metagpt
GHSA-g7ph-8423-pf4j CVE-2024-23750 HIGH almost 2 years ago
MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell metacharacters to subprocess.P...
pypi
No PRs yet
Unsafe yaml deserialization in llama-hub
GHSA-297x-2qf3-jrj3 CVE-2024-23730 CRITICAL almost 2 years ago
The OpenAPI and ChatGPT plugin loaders in LlamaHub (aka llama-hub) before 0.0.67 allow attackers to execute arbitrary code because safe_load is not...
pypi
No PRs yet
ReDoS in Embedchain
GHSA-r67w-f99w-mgxj CVE-2024-23732 MODERATE almost 2 years ago
The JSON loader in Embedchain before 0.1.57 allows a ReDoS (regular expression denial of service) via a long string to json.py.
pypi
No PRs yet
Code execution in Embedchain
GHSA-rhhj-5436-95vf CVE-2024-23731 CRITICAL almost 2 years ago
The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument.
pypi
No PRs yet
Code Injection in paddlepaddle
GHSA-chj7-w3f6-cvfj CVE-2024-0521 CRITICAL almost 2 years ago
The vulnerability arises from the way the url parameter is incorporated into the command string without proper validation or sanitization. If the u...
pypi
No PRs yet
Arbitrary Code Execution in Pillow
GHSA-3f63-hfp8-52jq CVE-2023-50447 CRITICAL almost 2 years ago
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-228...
pypi
No PRs yet
JupyterLab vulnerable to potential authentication and CSRF tokens leak
GHSA-44cc-43rp-5947 CVE-2024-22421 HIGH almost 2 years ago
### Impact
Users of JupyterLab who click on a malicious link may get their `Authorization` and `XSRFToken` tokens exposed to a third party when run...
pypi
52 Dependabot PRs, 10% merged
JupyterLab vulnerable to SXSS in Markdown Preview
GHSA-4m77-cmpx-vjc4 CVE-2024-22420 MODERATE almost 2 years ago
### Impact
The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab pr...
pypi
1 Dependabot PR
concat built-in can corrupt memory in vyper
GHSA-2q8v-3gqq-4f8p CVE-2024-22419 HIGH almost 2 years ago
### Summary
`concat` built-in can write over the bounds of the memory buffer that was allocated for it and thus overwrite existing valid data. The...
pypi
No PRs yet
Cross-Site Request Forgery on any API call in pyLoad may lead to admin privilege escalation
GHSA-pgpj-v85q-h5fm CVE-2024-22416 CRITICAL almost 2 years ago
### Summary
The `pyload` API allows any API call to be made using GET requests. Since the session cookie is not set to `SameSite: strict`, this ope...
pypi
No PRs yet
Unsecured endpoints in the jupyter-lsp server extension
GHSA-4qhp-652w-c22x CVE-2024-22415 HIGH almost 2 years ago
### Impact
Installations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and ...
pypi
2 Dependabot PRs, 50% merged
Cross-Frame Scripting vulnerability has been found on Plone CMS
GHSA-5xfx-55x4-j223 CVE-2024-0669 HIGH almost 2 years ago
A Cross-Frame Scripting vulnerability has been found on Plone CMS affecting version below 6.0.5. An attacker could store a malicious URL to be open...
pypi
No PRs yet
readthedocs-sphinx-search vulnerable to cross-site scripting when including search results from malicious projects
GHSA-xgfm-fjx6-62mj MODERATE almost 2 years ago
### Impact
This vulnerability could have allowed an attacker to include arbitrary HTML content in search results by having a user search a malicio...
pypi
12 Dependabot PRs, 25% merged
Privilege escalation for users that can access mock configuration
GHSA-7j98-74jh-cjxh CVE-2023-6395 MODERATE almost 2 years ago
The Mock software contains a vulnerability wherein an attacker could potentially exploit privilege escalation, enabling the execution of arbitrary ...
pypi
No PRs yet
Path traversal in flaskcode
GHSA-v3rg-qm46-xrg9 CVE-2023-52289 HIGH almost 2 years ago
An issue was discovered in the flaskcode package through 0.0.8 for Python. An unauthenticated directory traversal, exploitable with a POST request ...
pypi
No PRs yet
Path traversal in flaskcode
GHSA-6h4q-63c5-qfqf CVE-2023-52288 HIGH almost 2 years ago
An issue was discovered in the flaskcode package through 0.0.8 for Python. An unauthenticated directory traversal, exploitable with a GET request t...
pypi
No PRs yet
Minor fix to previous patch for CVE-2022-35918
GHSA-8qw9-gf7w-42x5 LOW almost 2 years ago
### Impact
The initial vulnerability identified in Streamlit apps using custom components, allowing for directory traversal attacks, was addressed...
pypi
No PRs yet
Gentoo Portage missing PGP validation of executed code
GHSA-pw5x-x5jw-ccmh CVE-2016-20021 HIGH almost 2 years ago
In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does...
pypi
No PRs yet
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
GHSA-h5c8-rqwp-cp95 CVE-2024-22195 MODERATE almost 2 years ago
The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be...
pypi
1199 Dependabot PRs, 16% merged
cdo-local-uuid vulnerable to insertion of artifact derived from developer's Present Working Directory into demonstration code
GHSA-rgrf-6mf5-m882 CVE-2024-22194 LOW almost 2 years ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
An information leakage vulnerability is present in [`cdo-local-uuid`](https://pypi...
pypi
No PRs yet
Untrusted search path under some conditions on Windows allows arbitrary code execution
GHSA-2mqj-m65w-jghx CVE-2024-22190 HIGH almost 2 years ago
### Summary
This issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a sh...
pypi
101 Dependabot PRs, 14% merged
Hyperledger Aries Cloud Agent Python result of presentation verification not checked for LDP-VC
GHSA-97x9-59rv-q5pm CVE-2024-21669 CRITICAL almost 2 years ago
### Impact
When verifying W3C Format Verifiable Credentials using JSON-LD with Linked Data Proofs (LDP-VCs), the result of verifying the presentat...
pypi
No PRs yet
fonttools XML External Entity Injection (XXE) Vulnerability
GHSA-6673-4983-2vx5 CVE-2023-45139 HIGH almost 2 years ago
### Summary
As of `fonttools>=4.28.2` the subsetting module has a XML External Entity Injection (XXE) vulnerability which allows an attacker to re...
pypi
No PRs yet