An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,785 total advisories
1,792 with Dependabot PRs
3,506 critical severity
8,617 high severity

HTTPie allows attackers to eavesdrop on communications between the host and server via a man-in-the-middle attack
GHSA-8r96-8889-qg2x CVE-2023-48052 HIGH about 2 years ago
Missing SSL certificate validation in HTTPie v3.2.2 allows attackers to eavesdrop on communications between the host and server via a man-in-the-mi...
pypi
No PRs yet
Ray OS Command Injection vulnerability
GHSA-h3xg-wv58-5p43 CVE-2023-6019 CRITICAL about 2 years ago
A command injection exists in Ray's cpu_profile URL parameter allowing attackers to execute os commands on the system running the ray dashboard rem...
pypi
No PRs yet
Missing SSL certificate validation in localstack
GHSA-8633-g3ph-97rp CVE-2023-48054 HIGH about 2 years ago
Missing SSL certificate validation in localstack allows attackers to eavesdrop on communications between the host and server via a man-in-the-middl...
pypi
No PRs yet
Ethyca Fides Cryptographically Weak Generation of One-Time Codes for Identity Verification
GHSA-82vr-5769-6358 CVE-2023-48224 HIGH about 2 years ago
Impact: The Fides Privacy Center allows data subject users to submit privacy and consent requests to data controller users of the Fides web app...
pypi
No PRs yet
yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection
GHSA-3ch3-jhc6-5r8x CVE-2023-46121 MODERATE about 2 years ago
Impact: The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the ...
pypi
1 Dependabot PR
Ansible galaxy-importer Path Traversal vulnerability
GHSA-55g2-vm3q-7w52 CVE-2023-5189 MODERATE about 2 years ago
A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galax...
pypi
No PRs yet
vantage6-server node accepts non-whitelisted algorithms from malicious server
GHSA-vc3v-ppc7-v486 CVE-2023-47631 HIGH about 2 years ago
Impact: A node does not check if an image is allowed to run if a `parent_id` is set. A malicious party that breaches the server may modify it to...
pypi
No PRs yet
AIOHTTP has problems in HTTP parser (the python one, not llhttp)
GHSA-gfw2-4jvh-wgfg CVE-2023-47627 MODERATE about 2 years ago
Summary: The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used whe...
pypi
18 Dependabot PRs
Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks
GHSA-xx9p-xxvh-7g8j CVE-2023-47641 LOW about 2 years ago
Impact: Aiohttp has a security vulnerability regarding the inconsistent interpretation of the http protocol. As we know that HTTP/1.1 is persis...
pypi
No PRs yet
Label Studio Object Relational Mapper Leak Vulnerability in Filtering Task
GHSA-6hjj-gq77-j4qw CVE-2023-47117 HIGH about 2 years ago
Introduction: This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source...
pypi
No PRs yet
Remarshal expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack
GHSA-gw7g-qr8w-3448 CVE-2023-47163 HIGH about 2 years ago
Remarshal prior to v0.17.1 expands YAML alias nodes unlimitedly, hence Remarshal is vulnerable to Billion Laughs Attack. Processing untrusted YAML ...
pypi
No PRs yet
piccolo SQL Injection via named transaction savepoints
GHSA-xq59-7jf3-rjc6 CVE-2023-47128 CRITICAL about 2 years ago
Summary: The handling of named transaction savepoints in all database implementations is vulnerable to [SQL Injection](https://owasp.org/www-com...
pypi
No PRs yet
Apache Airflow allows authenticated and DAG-view authorized users to modify some DAG run detail values when submitting notes
GHSA-hm9r-7f84-25c9 CVE-2023-47037 MODERATE about 2 years ago
Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG ru...
pypi
No PRs yet
Apache Airflow vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
GHSA-r7x6-xfcm-3mxv CVE-2023-42781 HIGH about 2 years ago
Apache Airflow, versions before 2.7.3, has a vulnerability that allows an authorized user who has access to read specific DAGs only, to read inform...
pypi
No PRs yet
AsyncSSH Rogue Session Attack
GHSA-c35q-ffpf-5qpm CVE-2023-46446 HIGH about 2 years ago
Summary: An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/remo...
pypi
2 Dependabot PRs
esptool allows attackers to view sensitive information via weak cryptographic algorithm
GHSA-3f38-96qm-r3fw CVE-2023-46894 HIGH about 2 years ago
An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm.
pypi
No PRs yet
AsyncSSH Rogue Extension Negotiation
GHSA-cfc2-wr2v-gxm5 CVE-2023-46445 MODERATE about 2 years ago
Summary: An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle att...
pypi
2 Dependabot PRs
Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens
GHSA-f475-x83m-rx5m CVE-2023-43791 CRITICAL about 2 years ago
Introduction: This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source...
pypi
No PRs yet
PyArrow: Arbitrary code execution when loading a malicious data file
GHSA-5wvp-7f3h-6wmm CVE-2023-47248 CRITICAL about 2 years ago
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application i...
pypi
No PRs yet
Ethyca Fides HTML Injection Vulnerability in HTML-Formatted DSR Packages
GHSA-3vpf-mcj7-5h38 CVE-2023-47114 MODERATE about 2 years ago
Impact: The Fides web application allows data subject users to request access to their personal data. If the request is approved by the data co...
pypi
No PRs yet
Django Denial-of-service in django.utils.text.Truncator
GHSA-h8gc-pgj2-vjm3 CVE-2023-43665 HIGH about 2 years ago
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with h...
pypi
12 Dependabot PRs, 25% merged
Pillow Denial of Service vulnerability
GHSA-8ghj-p4vj-mr35 CVE-2023-44271 HIGH about 2 years ago
An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentiall...
pypi
No PRs yet
Django Denial of service vulnerability in django.utils.encoding.uri_to_iri
GHSA-7h4p-27mh-hmrw CVE-2023-41164 MODERATE about 2 years ago
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of s...
pypi
12 Dependabot PRs, 25% merged
transmute-core unsafe YAML deserialization vulnerability
GHSA-w9cp-3x79-2p8p CVE-2023-47204 CRITICAL about 2 years ago
Unsafe YAML deserialization in yaml.Loader in transmute-core before 1.13.5 allows attackers to execute arbitrary Python code.
pypi
No PRs yet
Django potential denial of service vulnerability in UsernameField on Windows
GHSA-qmf9-6jqf-j8fq CVE-2023-46695 HIGH about 2 years ago
An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a conse...
pypi
58 Dependabot PRs, 15% merged
Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF
GHSA-wjcc-cq79-p63f CVE-2023-46250 MODERATE about 2 years ago
Impact: An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process a...
pypi
No PRs yet
Synapse vulnerable to leak of remote user device information
GHSA-mp92-3jfm-3575 CVE-2023-43796 MODERATE about 2 years ago
Impact: Cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeser...
pypi
No PRs yet
Apache Airflow Celery provider Insertion of Sensitive Information into Log File vulnerability
GHSA-666g-rfc5-c9jv CVE-2023-46215 HIGH about 2 years ago
Insertion of Sensitive Information into Log File vulnerability in Apache Airflow Celery provider, Apache Airflow. Sensitive information logged as ...
pypi
No PRs yet
Home Assistant vulnerable to account takeover via auth_callback login
GHSA-qhhj-7hrc-gqj5 CVE-2023-41893 MODERATE about 2 years ago
Part of the Cure53 security audit of Home Assistant (https://www.home-assistant.io/blog/2023/10/19/security-audits-of-home-assistant/). The aud...
pypi
No PRs yet
twisted.web has disordered HTTP pipeline response
GHSA-xc8x-vp79-p3wm CVE-2023-46137 MODERATE about 2 years ago
Twisted is an event-based framework for internet applications. Prior to version 23.10.0rc1, when sending multiple HTTP requests in one TCP packet, ...
pypi
No PRs yet
Command Injection in pip when used with Mercurial
GHSA-mq26-g339-26xf CVE-2023-5752 MODERATE about 2 years ago
When installing a package from a Mercurial VCS URL, e.g. `pip install hg+...`, with pip prior to v23.3, the specified Mercurial revision could be u...
pypi
No PRs yet
Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
GHSA-hrfv-mqp8-q5rw CVE-2023-46136 MODERATE about 2 years ago
Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline ...
pypi
No PRs yet
dtale vulnerable to Remote Code Execution through the Custom Filter Input
GHSA-jq6c-r9xf-qxjm CVE-2023-46134 MODERATE about 2 years ago
Impact: Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Pa...
pypi
No PRs yet
Nautobot vulnerable to exposure of hashed user passwords via REST API
GHSA-r2hw-74xv-4gqp CVE-2023-46128 HIGH about 2 years ago
Impact: In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=<N>` query parameter, can expose hashed user passwords a...
pypi
No PRs yet
Fides JavaScript Injection Vulnerability in Privacy Center URL
GHSA-fgjj-5jmr-gh83 CVE-2023-46126 LOW about 2 years ago
Impact: The Fides web application allows users to edit consent and privacy notices such as cookie banners. These privacy notices can then be ser...
pypi
No PRs yet
Fides Information Disclosure Vulnerability in Config API Endpoint
GHSA-rjxg-rpg3-9r89 CVE-2023-46125 MODERATE about 2 years ago
Impact: The Fides webserver API allows users to retrieve its configuration using the `GET api/v1/config` endpoint. The configuration data is fil...
pypi
No PRs yet
Fides Server-Side Request Forgery Vulnerability in Custom Integration Upload
GHSA-jq3w-9mgf-43m4 CVE-2023-46124 HIGH about 2 years ago
Impact: The Fides web application allows a custom integration to be uploaded as a ZIP file containing configuration and dataset definitions in ...
pypi
No PRs yet
Apache Airflow vulnerable to Exposure of Sensitive Information
GHSA-9qqg-mh7c-chfq CVE-2023-46288 MODERATE about 2 years ago
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.4.0 to 2.7.0. ...
pypi
No PRs yet
Django Grappelli Open Redirect vulnerability
GHSA-9x43-5qcq-h79q CVE-2021-46898 MODERATE about 2 years ago
views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith("/") but this doe...
pypi
No PRs yet
Wagtail CRX CodeRed Extensions vulnerable to Path Traversal
GHSA-h454-rq3m-89rc CVE-2021-46897 MODERATE about 2 years ago
views.py in Wagtail CRX CodeRed Extensions (formerly CodeRed CMS or coderedcms) before 0.22.3 allows upward protected/..%2f..%2f path traversal whe...
pypi
No PRs yet
Langchain SQL Injection vulnerability
GHSA-8h5w-f6q9-wg35 CVE-2023-32785 CRITICAL about 2 years ago
In Langchain before 0.0.247, prompt injection allows execution of arbitrary code against the SQL service provided by the chain.
pypi
No PRs yet
Langchain Server-Side Request Forgery vulnerability
GHSA-6h8p-4hx9-w66c CVE-2023-32786 HIGH about 2 years ago
In Langchain before 0.0.329, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing...
pypi
2 Dependabot PRs
PDM Trojan Lockfile
GHSA-j44v-mmf2-xvm9 CVE-2023-45805 HIGH about 2 years ago
Summary: It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source project to appear to dep...
pypi
No PRs yet
modoboa Cross-Site Request Forgery vulnerability
GHSA-57cr-rq3f-ppmx CVE-2023-5690 MODERATE about 2 years ago
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.
pypi
No PRs yet
modoboa Cross-site Scripting vulnerability
GHSA-pqgm-9g82-wcm7 CVE-2023-5688 CRITICAL about 2 years ago
Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
pypi
No PRs yet
modoboa Cross-site Scripting vulnerability
GHSA-9wj3-cfq8-wpvj CVE-2023-5689 HIGH about 2 years ago
Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
pypi
No PRs yet
mycli has Inadequate Encryption Strength
GHSA-v9vj-9pxv-mr2w CVE-2023-44690 MODERATE about 2 years ago
Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via `/mycli/config.py`.
pypi
No PRs yet
Viewing wget extractor output while logged in as an admin allows archived JS to execute in the admin's context
GHSA-cr45-98w9-gwqx CVE-2023-45815 HIGH about 2 years ago
Impact: Any users who are using the `wget` or `dom` extractors and view the content they output. The impact is potentially severe if you are ...
pypi
No PRs yet
Wagtail vulnerable to disclosure of user names via admin bulk action views
GHSA-fc75-58r8-rm3h CVE-2023-45809 LOW about 2 years ago
Impact: A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk...
pypi
1 Dependabot PR
TorBot vulnerable to Inefficient Regular Expression Complexity in validate_link
GHSA-72qw-p7hh-m3ff CVE-2023-45813 MODERATE about 2 years ago
Summary: The torbot.modules.validators.validate_link function uses the python-validators URL validation regex. This particular regular expressi...
pypi
No PRs yet