Security Advisories
Browse security advisories and track which Dependabot PRs address them.

Total advisories: 24,785
With Dependabot PRs: 1,793
Critical severity: 3,506
High severity: 8,617

LangChain Server Side Request Forgery vulnerability
GHSA-655w-fm8m-m478 | CVE-2023-46229 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
LangChain before 0.0.317 allows SSRF via `document_loaders/recursive_url_loader.py` because crawling can proceed from an external server to an inte...
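The LangChain entry above describes the classic crawler SSRF: a page on an external host links to an internal address and the recursive loader follows it. The check below is an added example (not LangChain's code, nor a reproduction of its fix) of the gate a link-following loader needs before each fetch: only http(s), only the seed's origin (scheme, host, port), and every address the host resolves to must be public. The DNS table and the addresses in it are constructed so the block runs offline; the resolver is injectable so a real one can be swapped in. The same gate applies to the TorchServe and GeoNode SSRF entries further down, where the URL comes from an API call rather than a crawled page.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

# Constructed DNS table standing in for real resolution so the example runs offline.
# The public answers are stand-in addresses; the other names are the kind of
# targets an SSRF through a crawler reaches (intranet host, cloud metadata).
FAKE_DNS = {
    "docs.example.com": ["1.1.1.1"],
    "intranet.example.com": ["10.0.0.5"],
    "evil.example.net": ["8.8.8.8", "127.0.0.1"],   # one public and one loopback answer
    "metadata.internal": ["169.254.169.254"],
}


def fake_resolve(host):
    """Stand-in for DNS resolution: returns every A record for `host`."""
    return FAKE_DNS.get(host, [])


def is_public_ip(addr):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _origin(parts):
    """(scheme, host, port) with the default port filled in, for same-origin comparison."""
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    return parts.scheme, parts.hostname, parts.port or default_port


def may_crawl(seed_url, link, resolve=fake_resolve):
    """Decide whether a link discovered on `seed_url` may be fetched.

    Returns (allowed, reason). Relative links are resolved against the seed.
    """
    seed = urlparse(seed_url)
    target = urlparse(urljoin(seed_url, link))

    if target.scheme not in ("http", "https"):
        return False, f"scheme {target.scheme!r} not allowed"
    if not target.hostname:
        return False, "no host in link"
    # A recursive loader must never leave the origin it was started on.
    if _origin(target) != _origin(seed):
        return False, "link leaves the seed origin"

    # Literal IP hosts are checked directly; names are resolved and *every*
    # answer must be public, so a mixed public/loopback answer set is rejected.
    try:
        addrs = [str(ipaddress.ip_address(target.hostname))]
    except ValueError:
        addrs = resolve(target.hostname)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"{target.hostname} resolves to non-public address {addr}"
    return True, "ok"
```

Checking at decision time still leaves a DNS-rebinding window between this check and the actual connection; the robust form of this gate runs inside the HTTP client's connect step, against the address it is about to connect to.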

urllib3's request body not stripped after redirect from 303 status changes request method to GET
GHSA-g4mx-q9vg-27p4 | CVE-2023-45803 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: 670 (9% merged)
urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 "See Other" after the request had its meth...

vantage6 does not properly delete linked resources when deleting a collaboration
GHSA-rf54-7qrr-96j6 | CVE-2023-41881 | LOW | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
When a collaboration is deleted in vantage6, the linked resources (such as tasks from that collaboration) are not properly deleted. This is partly...

Authorization Header forwarded on redirect
GHSA-gwvm-45gx-3cf8 | CVE-2018-25091 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, ...

Apache Airflow vulnerable to sensitive information exposure
GHSA-32wr-qqw6-5mfp | CVE-2023-42663 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Apache Airflow, versions before 2.7.2, has a vulnerability that allows an authorized user with access to read specific DAGs _only_ to read informat...

Apache Airflow vulnerable to sensitive information exposure when users list warnings for all DAGs
GHSA-cgx2-rrmr-jx43 | CVE-2023-42780 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Apache Airflow, versions prior to 2.7.2, contains a security vulnerability that allows authenticated users of Airflow to list warnings for all DAGs...

Apache Airflow vulnerable to privilege escalation
GHSA-j3w8-2p2h-mrr9 | CVE-2023-42792 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, t...

Apache Airflow vulnerable to sensitive information exposure when expose-config is set to non-sensitive-only
GHSA-fpxx-xv4c-gxqp | CVE-2023-45348 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration info...

pyminizip affected by zlib's integer overflow/heap based buffer overflow vulnerability due to vulnerable dependency
GHSA-mq29-j5xf-cjwr | CVE-2023-45853 | CRITICAL | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, commen...

Defining resource name as integer may give unintended access in vantage6
GHSA-7x94-6g2m-3hp2 | CVE-2023-28635 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: Malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One examp...

Improper Access Control in vantage6
GHSA-gc57-xhh5-m94r | CVE-2023-41882 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should ha...

Pickle serialization vulnerable to Deserialization of Untrusted Data
GHSA-5m22-cfq9-86x6 | CVE-2023-23930 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
What: We are using pickle as the default serialization module, but that has known security issues (see e.g. https://medium.com/ochrona/python-pickle-...
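The pickle entry above is the general problem, not a vantage6-specific one: any `pickle.loads` on attacker-controlled bytes hands the attacker a call to an arbitrary importable callable. The block below is an added example (not vantage6's code) of the standard mitigation when pickle cannot be dropped outright: an `Unpickler` subclass whose `find_class` only returns classes from an explicit allowlist, so every unlisted global is refused before it is imported. The malicious payload is constructed here with `os.getpid` as a harmless stand-in for `os.system`; the legitimate payload, the allowlist contents and the message format are likewise assumptions for the example.

```python
import datetime
import io
import os
import pickle


class _Evil:
    # Constructed payload: a class whose reduce hook makes the unpickler call
    # os.getpid on load. A real attack uses os.system or subprocess.Popen; the
    # pickle opcodes involved are the same.
    def __reduce__(self):
        return (os.getpid, ())


MALICIOUS_PICKLE = pickle.dumps(_Evil())

# Constructed legitimate payload: plain containers plus one class we choose to trust.
LEGITIMATE_PICKLE = pickle.dumps(
    {"task": "aggregate", "tags": {"ci", "prod"}, "due": datetime.date(2023, 10, 17)}
)

# Explicit allowlist keyed the way pickle names globals: (module, qualified name).
# Built from the class objects so the key always matches what pickle emitted.
ALLOWED_GLOBALS = {
    (cls.__module__, cls.__qualname__): cls for cls in (set, datetime.date)
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not in ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            # Raising here stops the load before any import or call happens.
            raise pickle.UnpicklingError(
                f"refusing to load global {module}.{name}"
            ) from None


def safe_loads(data):
    """Drop-in for pickle.loads that only materialises allowlisted globals."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data):
    """Return ('ok', obj) or ('rejected', reason); never runs an unlisted callable."""
    try:
        return "ok", safe_loads(data)
    except pickle.UnpicklingError as exc:
        return "rejected", str(exc)
```

An allowlist makes the deserializer refuse unknown callables; it does not make an allowed class safe if that class has a dangerous `__setstate__` or `__reduce__`, so the list should hold only simple value types. Where the wire format is under your control, a schema-checked JSON or msgpack document removes the problem rather than fencing it.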

matrix-synapse vulnerable to denial of service due to malicious server ACL events
GHSA-5chr-wjw5-3gq4 | CVE-2023-45129 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: A malicious server ACL event can impact performance temporarily or permanently, leading to a persistent denial of service. Homeservers r...

OctoPrint vulnerable to Improper Neutralization of Special Elements Used in a Template Engine
GHSA-fwfg-vprh-97ph | CVE-2023-41047 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: OctoPrint versions up to and including 1.9.2 contain a vulnerability that allows malicious admins to configure a specially crafted [...

Microsoft Common Data Model SDK Denial of Service Vulnerability
GHSA-vm2m-7hpw-fpmq | CVE-2023-36566 | MODERATE | about 2 years ago | ecosystems: maven, nuget, pypi | Dependabot PRs: none yet
Microsoft Common Data Model SDK Denial of Service Vulnerability

langchain_experimental vulnerable to arbitrary code execution via PALChain in the python exec method
GHSA-gjjr-63x4-v8cq | CVE-2023-44467 | CRITICAL | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
langchain_experimental (aka LangChain Experimental) in LangChain before 0.0.306 allows an attacker to bypass the CVE-2023-36258 fix and execute arb...

Bundled libwebp in pywebp vulnerable
GHSA-f9pm-4g9p-6vm3 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: pywebp versions before v0.3.0 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-4863. The vulnerability was a heap buff...

NI MeasurementLink Python Services Improper Access Restriction vulnerability
GHSA-3f48-9j7q-q2gv | CVE-2023-4570 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: An improper access restriction in NI MeasurementLink Python services could allow an attacker on an adjacent network to reach services ex...

Bundled libwebp in imagecodecs vulnerable
GHSA-94vc-p8w7-5p49 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
imagecodecs versions before v2023.9.18 bundled libwebp binaries in wheels that are vulnerable to CVE-2023-5129 (previously CVE-2023-4863). imagecod...

Zope management interface vulnerable to stored cross site scripting via the title property
GHSA-m755-gxxg-r5qh | CVE-2023-44389 | LOW | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object ...

Ansible may expose private key
GHSA-ww3m-ffrm-qvqv | CVE-2023-4237 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the sta...

asyncua Improper Authentication vulnerability
GHSA-2894-qcqf-g23g | CVE-2023-26150 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without en...

asyncua vulnerable to denial of service via infinite loop
GHSA-gfvq-mxw3-mfq3 | CVE-2023-26151 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a ...

opentelemetry-instrumentation Denial of Service vulnerability due to unbounded cardinality metrics
GHSA-5rv5-6h4r-h22v | CVE-2023-43810 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Summary: Autoinstrumentation out of the box adds the label `http_method`, which has unbounded cardinality. It leads to the server's potential memory...
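The OpenTelemetry entry above is a cardinality attack: because `http_method` is copied from the request verbatim, a client sending made-up verbs creates a fresh time series per request and the metrics exporter's memory grows with it. The block below is an added example (not the opentelemetry-instrumentation code or its fix) that simulates the label set with a plain counter and contrasts the raw label with the bounding rule the OpenTelemetry HTTP semantic conventions prescribe: any method outside the known set is recorded as `_OTHER`. The request sample is constructed.

```python
from collections import Counter

# Methods the OpenTelemetry HTTP semantic conventions treat as known; anything
# else must be reported as "_OTHER" so the label space stays fixed.
KNOWN_METHODS = frozenset(
    {"CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "TRACE"}
)


def normalise_method(raw, known=KNOWN_METHODS):
    """Bound the http_method label to the known set plus one overflow bucket."""
    method = raw.strip().upper()
    return method if method in known else "_OTHER"


def label_series(methods, normalise):
    """Simulate the metric backend: one time series per distinct label value."""
    series = Counter()
    for raw in methods:
        series[("http_method", normalise(raw))] += 1
    return series


# Constructed traffic: a little real traffic, then a scanner sending 1,000
# distinct junk verbs (each one is a new series if the label is unbounded).
REQUEST_METHODS = ["GET", "POST", "get", "GET"] + [f"JUNK{i}" for i in range(1000)]


def series_counts(methods=REQUEST_METHODS):
    """Return (series with raw label, series with bounded label)."""
    raw = label_series(methods, lambda m: m)
    bounded = label_series(methods, normalise_method)
    return len(raw), len(bounded)
```

With the raw label the scanner creates 1,003 series from 1,004 requests; with the bounded label there are three (`GET`, `POST`, `_OTHER`). In the real SDK the equivalent control is a metric View that restricts or drops the attribute, applied alongside upgrading to a fixed instrumentation release.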

`Cookie` HTTP header isn't stripped on cross-origin redirects
GHSA-v845-jxx5-vc9f | CVE-2023-43804 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: 659 (8% merged)
urllib3 doesn't treat the `Cookie` HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the use...
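Three urllib3 entries on this page (the 303 body, the `Authorization` header in 2018, and the `Cookie` header above) are one policy question: what survives a redirect. The block below is an added example, not urllib3's code, of the redirect rules the three advisories converge on: on a 303 the method becomes GET and the body and its framing headers are dropped; on any redirect whose target origin (scheme, host, port) differs, `Authorization` and `Cookie` are removed; everything else is forwarded. The request and the redirect targets are constructed. It does not cover proxy credentials or other redirect codes' method handling, which the page does not discuss.

```python
from urllib.parse import urljoin, urlparse

# Headers that must not cross an origin boundary on a redirect.
STRIP_ON_CROSS_ORIGIN = frozenset({"authorization", "cookie"})
# Headers that describe a body; meaningless once the body is dropped.
BODY_HEADERS = frozenset({"content-length", "content-type", "transfer-encoding"})


def origin(url):
    """(scheme, host, port) with the default port filled in; the unit of comparison."""
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    return scheme, (parts.hostname or "").lower(), parts.port or default_port


def follow_redirect(request, status, location):
    """Build the next request for a redirect response.

    request: {"method", "url", "headers", "body"}; returns the same shape.
    """
    if status not in (301, 302, 303, 307, 308):
        raise ValueError(f"{status} is not a redirect status")

    new_url = urljoin(request["url"], location)
    method, body = request["method"].upper(), request["body"]
    headers = dict(request["headers"])

    # 303 See Other: the follow-up is a GET, so the body (and the headers that
    # frame it) must go with the old method instead of riding along.
    if status == 303 and method not in ("GET", "HEAD"):
        method, body = "GET", None
        headers = {k: v for k, v in headers.items() if k.lower() not in BODY_HEADERS}

    # Credentials are scoped to the origin they were sent to.
    if origin(new_url) != origin(request["url"]):
        headers = {k: v for k, v in headers.items()
                   if k.lower() not in STRIP_ON_CROSS_ORIGIN}

    return {"method": method, "url": new_url, "headers": headers, "body": body}


# Constructed request: a login POST carrying a bearer token, a session cookie and a body.
LOGIN_REQUEST = {
    "method": "POST",
    "url": "https://api.example.com/login",
    "headers": {
        "Authorization": "Bearer constructed-token",
        "Cookie": "session=constructed",
        "Content-Type": "application/json",
        "Content-Length": "14",
    },
    "body": b'{"user":"bob"}',
}
```

Note what the rules deliberately leave alone: a 301/302/307/308 to another origin still carries the original body, so a POST with secrets in its payload is still disclosed if the server redirects it off-site. The header rules protect credentials the client attached; the caller remains responsible for where it is willing to send the body at all, and in urllib3 the `remove_headers_on_redirect` argument of `Retry` is the knob for the header set.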

pretix potential IP address spoofing vulnerability
GHSA-j9gq-w73w-9h6c | CVE-2023-44463 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-F...
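The pretix entry above is the usual `X-Forwarded-For` failure: the header is client-supplied, so taking its first entry as the client address lets anyone pick the IP that rate limits, audit logs and IP allowlists see. The block below is an added example (not pretix's code) that puts the spoofable reading beside the correct one: walk the chain from the right, skip every hop that belongs to a configured trusted proxy, and take the first hop that does not. The trusted proxy ranges and the sample headers are constructed.

```python
import ipaddress

# Constructed: the reverse proxies in front of the application. Only these may
# have appended to X-Forwarded-For; anything left of them is untrusted input.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def naive_client_ip(remote_addr, xff_header):
    """The spoofable reading: believe the leftmost entry whenever the header is present."""
    if xff_header:
        return xff_header.split(",")[0].strip()
    return remote_addr


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Client address derived from the peer and the X-Forwarded-For chain.

    Only hops that a trusted proxy appended are believed. Walking from the
    right, the first hop that is not a trusted proxy is the client. A malformed
    hop, or a chain consisting only of proxies, falls back to the socket peer
    or the leftmost hop respectively.
    """
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    hops.append(remote_addr)  # the socket peer is the only hop we saw ourselves
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # garbage in the chain: trust nothing it says
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(ipaddress.ip_address(hops[0]))
```

The configuration side matters as much as the parsing: if the proxy list is empty the function reduces to `remote_addr`, which is the safe default when the application is reached directly. Trusting the header with no proxy in front (the pretix misparse) is the only combination that yields attacker-chosen addresses.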

TorchServe Server-Side Request Forgery vulnerability
GHSA-8fxr-qfr9-p34w | CVE-2023-43654 | CRITICAL | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: Remote Server-Side Request Forgery (SSRF). Issue: TorchServe default configuration lacks proper input validation, enabling thi...

TorchServe Pre-Auth Remote Code Execution
GHSA-4mqg-h5jf-j9m7 | CRITICAL | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: Use of an open source library potentially exposed to RCE. Issue: Use of a version of the SnakeYAML v1.31 open source library w...

Rdiffweb Allocation of Resources Without Limits or Throttling vulnerability
GHSA-c4rv-2j6x-pq7x | CVE-2023-5289 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.8.4.

pretix allows Pillow to parse EPS files
GHSA-9jvx-p6mq-fw4v | CVE-2023-44464 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
pretix before 2023.7.2 allows Pillow to parse EPS files.

pydash Command Injection vulnerability
GHSA-8mjr-6c96-39w8 | CVE-2023-26145 | CRITICAL | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
This affects versions of the package pydash before 6.0.0. A number of pydash methods such as pydash.objects.invoke() and pydash.collections.invoke_...

Vyper's `_abi_decode` input not validated in complex expressions
GHSA-cx2q-hfxr-rj97 | CVE-2023-42460 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: `_abi_decode()` does not validate input when it is nested in an expression. The following example gets correctly validated (bounds check...

matrix-synapse vulnerable to improper validation of receipts allows forged read receipts
GHSA-7565-cq32-vx2x | CVE-2023-42453 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view ...

matrix-synapse vulnerable to temporary storage of plaintext passwords during password changes
GHSA-4f74-84v3-j9q5 | CVE-2023-41335 | LOW | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server ...

Searchor CLI's Search vulnerable to Arbitrary Code using Eval
GHSA-66m2-493m-crh2 | CVE-2023-43364 | CRITICAL | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
An issue in Arjun Sharda's Searchor before version v.2.4.2 allows an attacker to execute arbitrary code via a crafted script to the eval() functi...

yt-dlp on Windows vulnerable to `--exec` command injection when using `%q`
GHSA-42h4-v29r-42qg | CVE-2023-40581 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: yt-dlp (https://github.com/yt-dlp/yt-dlp) allows the user to provide shell commands to be executed at various stages in its download ...

Gevent allows remote attacker to escalate privileges
GHSA-x7m3-jprg-wc5g | CVE-2023-41419 | CRITICAL | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
An issue in Gevent before version 23.9.0 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component.

OpenStack Barbican information disclosure vulnerability
GHSA-6rx9-c2rh-3qv4 | CVE-2023-1636 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configu...

OpenStack Barbican credential leak flaw
GHSA-6qqp-4vm3-359v | CVE-2023-1633 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining ac...

OpenStack Heat information leak vulnerability
GHSA-5836-grcc-8j89 | CVE-2023-1625 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to re...

pgAdmin failed to properly control the server code
GHSA-ghp8-52vx-77j4 | CVE-2023-5002 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
A flaw was found in pgAdmin. This issue occurs when the pgAdmin server HTTP API validates the path a user selects to external PostgreSQL utilities ...

plone.restapi vulnerable to Stored Cross Site Scripting with SVG image in user portrait
GHSA-hc5c-r8m5-2gfh | LOW | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: There is a stored cross site scripting vulnerability for SVG images uploaded in user portraits. Note that a page that uses an image tag...

plone.namedfile vulnerable to Stored Cross Site Scripting with SVG images
GHSA-jj7c-jrv4-c65x | CVE-2023-41048 | LOW | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: There is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 (https://github.com/plone/Products.Plo...

Vulnerable OpenSSL included in cryptography wheels
GHSA-v8gr-m533-ghj9 | LOW | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 2.5-41.0.3 are vulnerable ...

plone.rest vulnerable to Denial of Service when ++api++ is used many times
GHSA-h6rp-mprm-xgcq | CVE-2023-42457 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: When the `++api++` traverser is accidentally used multiple times in a URL, handling it takes increasingly longer, making the server less...

Zope vulnerable to Stored Cross Site Scripting with SVG images
GHSA-wm8q-9975-xh5v | CVE-2023-42458 | LOW | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: There is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulner...

Vyper vulnerable to memory corruption in certain builtins utilizing `msize`
GHSA-c647-pxm2-c52w | CVE-2023-42443 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: In certain conditions, the memory used by the builtins `raw_call`, `create_from_blueprint` and `create_copy_of` can be corrupted.
- For...

GeoNode vulnerable to SSRF Bypass to return internal host data
GHSA-pxg5-h34r-7q8p | CVE-2023-42439 | HIGH | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
An SSRF vulnerability exists, bypassing existing controls on the software. This can allow a user to request internal services for a full read SSRF, ...

ReportLab vulnerable to remote code execution via paraparser
GHSA-pj98-2xf6-cff5 | CVE-2019-19450 | CRITICAL | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unich...
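The ReportLab entry above and the Searchor entry earlier on this page are the same bug: a value that should be a number or a fixed choice is handed to `eval()`. The block below is an added example (neither project's code, and not a reproduction of either fix) showing the vulnerable pattern beside the replacement for ReportLab's case, a `<unichar code="...">` attribute that is only ever meant to hold a code point: accept exactly one integer literal by regex, convert it with `int(..., 0)`, and range-check the result. The exact literal forms accepted (decimal, hex, octal, binary) are an assumption made for the example; the test inputs are constructed and the unsafe function is shown for contrast only.

```python
import re

# Exactly one integer literal and nothing else: decimal, 0x.., 0o.., 0b..
# No operators, names, calls or whitespace inside, so there is nothing to evaluate.
_CODE_LITERAL = re.compile(
    r"^\s*(0[xX][0-9a-fA-F]+|0[oO][0-7]+|0[bB][01]+|0|[1-9][0-9]*)\s*$"
)


def unichar_code_unsafe(value):
    """The pattern both advisories describe: attacker text reaches eval().

    Shown only for contrast. Never call this on untrusted input: a value such as
    __import__('os').system('id') runs as code instead of yielding a number.
    """
    return eval(value)  # noqa: S307  (deliberately unsafe)


def unichar_code(value):
    """Parse a code-point attribute strictly; raise ValueError on anything else."""
    match = _CODE_LITERAL.match(value)
    if match is None:
        raise ValueError(f"not an integer literal: {value!r}")
    code_point = int(match.group(1), 0)  # base 0 honours the 0x/0o/0b prefix
    if not 0 <= code_point <= 0x10FFFF:
        raise ValueError(f"code point out of range: {code_point:#x}")
    return code_point


def render_unichar(value):
    """What the tag handler should do: return the character, or None when rejected."""
    try:
        return chr(unichar_code(value))
    except ValueError:
        return None
```

The general rule is the one both fixes amount to: when a field has a known grammar, write the parser for that grammar. `ast.literal_eval` is a middle ground for values that really are Python literals, but it still accepts deeply nested containers an attacker can use to exhaust the parser, so it is not a substitute for a field-specific check like the one above.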

Vyper has incorrect re-entrancy lock when key is empty string
GHSA-3hg2-r75x-g69m | CVE-2023-42441 | MODERATE | about 2 years ago | ecosystem: pypi | Dependabot PRs: none yet
Impact: Locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime. The advisory's Vyper example (truncated here): `@nonreentrant("") #...`