An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,785 Total Advisories
1,795 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity

Gradio arbitrary file upload vulnerability
GHSA-v4q9-qgqf-7jwp CVE-2023-41626 MODERATE about 2 years ago
Gradio v3.27.0 was discovered to contain an arbitrary file upload vulnerability via the `/upload` interface.
pypi
No PRs yet
Apache HDFS Provider error message suggested
GHSA-5hj9-m76g-xrc8 CVE-2023-41267 HIGH about 2 years ago
In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation note pointed users to install an incorrect pip package. As this packa...
pypi
No PRs yet
Denial of Service Vulnerability in gRPC TCP Server (Posix-compatible platforms)
GHSA-p25m-jpj4-qcrr CVE-2023-4785 HIGH about 2 years ago
Lack of error handling in the TCP server in Google's gRPC starting version 1.23 on posix-compatible platforms (ex. Linux) allows an attacker to cau...
pypi rubygems
No PRs yet
Apache Airflow information exposure vulnerability
GHSA-mjqh-v5f2-g2mw CVE-2023-40712 HIGH about 2 years ago
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI...
pypi
No PRs yet
Apache Airflow Incorrect Authorization vulnerability
GHSA-wpg8-mf6h-gm92 CVE-2023-40611 MODERATE about 2 years ago
Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG ru...
pypi
No PRs yet
Piccolo's current `BaseUser.login` implementation is vulnerable to time based user enumeration
GHSA-h7cm-mrvq-wcfr CVE-2023-41885 MODERATE about 2 years ago
### Summary _Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability ...
pypi
No PRs yet
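The Piccolo advisory above is a timing side channel: a login routine that returns early when the username does not exist skips the password hashing work, so an unknown user answers measurably faster than a known one. The following illustration is added here and is not Piccolo's code; the credential store, usernames and iteration count are constructed for the example. It shows the early-return pattern next to a version that performs the same key derivation on both paths, and a small timer that exposes the difference.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample credential store (not Piccolo's): username -> (salt, PBKDF2 digest).
ITERATIONS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# A dummy record derived from a random password, so the "unknown user" path
# performs the same key-derivation work as the "known user" path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = _hash(secrets.token_hex(32), _DUMMY_SALT)


def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users: no hashing, so the response is much faster."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(_hash(password, salt), digest)


def login_hardened(username: str, password: str) -> bool:
    """Always derives a key, then decides; unknown and known users cost the same."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    matches = hmac.compare_digest(_hash(password, salt), digest)
    return matches and username in USERS


def timing_ratio(login, rounds: int = 7) -> float:
    """Best-of-N wall-clock time for a known user divided by that for an unknown user.
    A ratio far above 1 means usernames can be enumerated from response time alone."""
    def best(username: str) -> float:
        fastest = float("inf")
        for _ in range(rounds):
            start = time.perf_counter()
            login(username, "wrong password")
            fastest = min(fastest, time.perf_counter() - start)
        return fastest
    return best("alice") / best("nobody")


if __name__ == "__main__":
    print("vulnerable known/unknown time ratio:", round(timing_ratio(login_vulnerable), 1))
    print("hardened known/unknown time ratio:  ", round(timing_ratio(login_hardened), 1))
```

The hardened version still returns False for an unknown user; the `username in USERS` check after the hash is what makes that decision, not an early return. Network jitter hides small differences in production, but a skipped key derivation is tens of milliseconds, which is easily measured over a few requests.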
Domain restrictions bypass via DNS Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes
GHSA-pmxq-pj47-j8j4 CVE-2023-41329 LOW about 2 years ago
### Impact The proxy mode of WireMock, can be protected by the network restrictions configuration, as documented in [Preventing proxying to and re...
maven pypi
47 Dependabot PRs (20% merged)
Remote Code Execution in Custom Integration Upload
GHSA-p6p2-qq95-vq5h CVE-2023-41319 HIGH about 2 years ago
### Impact The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML files, but Fides can be...
pypi
No PRs yet
Information disclosure in AccessControl
GHSA-8xv7-89vj-q48c CVE-2023-41050 MODERATE about 2 years ago
### Impact Python's "format" functionality allows someone controlling the format string to "read" objects accessible (recursively) via attribute ac...
pypi
No PRs yet
Apache Superset has incorrect authorization check
GHSA-95ch-p3gw-23qg CVE-2023-32672 MODERATE about 2 years ago
An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user t...
pypi
No PRs yet
Apache Superset Deserialization of Untrusted Data vulnerability
GHSA-fj4x-m62j-wvwg CVE-2023-37941 MODERATE about 2 years ago
If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead t...
pypi
No PRs yet
Apache Superset Improper Input Validation vulnerability
GHSA-fm4q-j8g4-c9j4 CVE-2023-39265 MODERATE about 2 years ago
Apache Superset would allow for SQLite database connections to be incorrectly registered when an attacker uses alternative driver names like sqlite...
pypi
No PRs yet
Apache Superset may expose internal traces on REST API endpoints
GHSA-cpvx-2365-466c CVE-2023-39264 MODERATE about 2 years ago
By default, stack traces for errors were enabled, which resulted in the exposure of internal traces on REST API endpoints to users. This vulnerabil...
pypi
No PRs yet
Apache Superset Server Side Request Forgery vulnerability
GHSA-4fg9-5w46-xmrj CVE-2023-36388 MODERATE about 2 years ago
Improper REST API permission in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma users to test network connections, poss...
pypi
No PRs yet
Apache Superset has improper default REST API permission for Gamma users
GHSA-9832-mgg4-3gr6 CVE-2023-36387 MODERATE about 2 years ago
An improper default REST API permission for Gamma users in Apache Superset up to and including 2.1.0 allows for an authenticated Gamma user to test...
pypi
No PRs yet
Apache Superset vulnerable to improper data authorization
GHSA-v594-2c97-hx38 CVE-2023-27523 MODERATE about 2 years ago
Improper data authorization check on Jinja templated queries in Apache Superset up to and including 2.1.0 allows for an authenticated user to issue...
pypi
No PRs yet
Apache Superset users may incorrectly create resources using the import charts feature
GHSA-9qc3-p9jq-2x27 CVE-2023-27526 MODERATE about 2 years ago
A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0. 
pypi
No PRs yet
Keylime registrar and (untrusted) Agent can be bypassed by an attacker
GHSA-f4r5-q63f-gcww CVE-2023-38201 HIGH about 2 years ago
### Impact A security issue was found in the Keylime `registrar` code which allows an attacker to effectively bypass the challenge-response protoc...
pypi
No PRs yet
Salt can cause Git Providers to get wrong data
GHSA-qvh6-3j7x-3hq7 CVE-2023-20898 MODERATE about 2 years ago
Git Providers can read from the wrong environment because they get the same cache directory base name in Salt masters prior to 3005.2 or 3006.2. An...
pypi
No PRs yet
Salt vulnerable to denial of service
GHSA-vpjg-wmf8-29h9 CVE-2023-20897 MODERATE about 2 years ago
Salt masters prior to 3005.2 or 3006.2 contain a DOS in minion return. After receiving several bad packets on the request server equal to the numbe...
pypi
No PRs yet
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in hyper-bump-it
GHSA-xc27-f9q3-4448 CVE-2023-41057 LOW about 2 years ago
### Summary `hyper-bump-it` reads a file glob pattern from the configuration file. That is combined with the project root directory to construct a ...
pypi
No PRs yet
incorrect order of evaluation of side effects for some builtins
GHSA-4hg4-9mf5-wxxq CVE-2023-41052 MODERATE about 2 years ago
### Impact The order of evaluation of the arguments of the builtin functions `uint256_addmod`, `uint256_mulmod`, `ecadd` and `ecmul` does not follo...
pypi
No PRs yet
Vyper: reversed order of side effects for some operations
GHSA-g2xh-c426-v8mf CVE-2023-40015 MODERATE about 2 years ago
### Impact For the following (probably non-exhaustive) list of expressions, the compiler evaluates the arguments from right to left instead of lef...
pypi
No PRs yet
Langchain vulnerable to arbitrary code execution via the evaluate function in the numexpr library
GHSA-f73w-4m7g-ch9x CVE-2023-39631 CRITICAL about 2 years ago
An issue in LangChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library. P...
pypi
No PRs yet
Sandbox escape via various forms of "format".
GHSA-xjw2-6jm9-rf67 CVE-2023-41039 HIGH over 2 years ago
### Impact Python's "format" functionality allows someone controlling the format string to "read" all objects accessible through recursive attribut...
pypi
1 Dependabot PR
GitPython blind local file inclusion
GHSA-cwvm-v4w8-q58c CVE-2023-41040 MODERATE over 2 years ago
### Summary In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being re...
pypi
33 Dependabot PRs (6% merged)
Archive spoofing vulnerability in borgbackup
GHSA-8fjr-hghr-4m99 CVE-2023-36811 MODERATE over 2 years ago
### Impact A flaw in the cryptographic authentication scheme in borgbackup allowed an attacker to fake archives and potentially indirectly cause ba...
pypi
No PRs yet
Open Redirect Vulnerability in jupyter-server
GHSA-r726-vmfq-j9j3 CVE-2023-39968 MODERATE over 2 years ago
### Impact Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-...
pypi
13 Dependabot PRs
cross-site inclusion (XSSI) of files in jupyter-server
GHSA-64x5-55rw-9974 CVE-2023-40170 MODERATE over 2 years ago
### Impact Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening ...
pypi
13 Dependabot PRs
GitPython untrusted search path on Windows systems leading to arbitrary code execution
GHSA-wfm5-v35h-vwf4 CVE-2023-40590 HIGH over 2 years ago
### Summary When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment (see big warning ...
pypi
3 Dependabot PRs (66% merged)
Heap-based buffer overflow in ZBar
GHSA-mhp6-jvpx-2p4m CVE-2023-40889 CRITICAL over 2 years ago
A heap-based buffer overflow exists in the qr_reader_match_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information dis...
pypi
No PRs yet
Airflow Sqoop Provider RCE Vulnerability
GHSA-g3m9-pr5m-4cvp CVE-2023-27604 HIGH over 2 years ago
Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker to pass parameters with the connections, ...
pypi
No PRs yet
Apache Airflow vulnerable to arbitrary code execution via Spark server
GHSA-8q28-pw9g-w82c CVE-2023-40195 HIGH over 2 years ago
Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airf...
pypi
No PRs yet
Pyramid static view path traversal up one directory
GHSA-j8g2-6fc7-q8f8 CVE-2023-40587 MODERATE over 2 years ago
### Impact This impacts users of Python 3.11 that are using a Pyramid static view with a full filesystem path and have a `index.html` file that is...
pypi
No PRs yet
Apache Airflow Session Fixation vulnerability
GHSA-pm87-24wq-r8w9 CVE-2023-40273 HIGH over 2 years ago
The session fixation vulnerability allowed the authenticated user to continue accessing Airflow webserver even after the password of the user has b...
pypi
No PRs yet
Apache Airflow denial of service vulnerability
GHSA-x2mh-8fmc-rqgh CVE-2023-37379 HIGH over 2 years ago
Apache Airflow, in versions prior to 2.7.0, contains a security vulnerability that can be exploited by an authenticated user possessing Connection ...
pypi
No PRs yet
Apache Airflow missing Certificate Validation
GHSA-5f35-pq34-c87q CVE-2023-39441 MODERATE over 2 years ago
Apache Airflow SMTP Provider before 1.3.0, Apache Airflow IMAP Provider before 3.3.0, and Apache Airflow before 2.7.0 are affected by the Validatio...
pypi
No PRs yet
json2xml Uncaught Exception vulnerability
GHSA-8rj5-2857-877j CVE-2022-25024 HIGH over 2 years ago
The json2xml package for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of se...
pypi
No PRs yet
langchain vulnerable to arbitrary code execution
GHSA-7gfq-f96f-g85j CVE-2023-36281 CRITICAL over 2 years ago
An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file passed to the `load_prompt` parameter. This...
pypi
No PRs yet
Horizon Web Dashboard Open Redirect vulnerability
GHSA-5pv6-rprw-82wv CVE-2022-45582 MODERATE over 2 years ago
Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 through 20.1.4 via the success_url parameter.
pypi
No PRs yet
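The jupyter-server advisory (GHSA-r726-vmfq-j9j3) and the Horizon advisory above both come down to a post-login redirect target taken from the request without checking that it stays on the application's own host. The check below is added here and belongs to neither project; `APP_HOST` and the sample targets are constructed for the example. It covers the usual bypass shapes: scheme-relative `//host` targets, backslashes that browsers read as slashes, `user@host` authority tricks and non-HTTP schemes.

```python
from urllib.parse import urlsplit

# Assumed host of the application (illustration only; the advisories name no host).
APP_HOST = "jupyter.example.org"


def redirect_is_local(target: str, host: str = APP_HOST) -> bool:
    """True only for a same-site redirect target.

    Rejects empty values, other schemes (javascript:, data:), scheme-relative //host
    URLs, backslash variants that browsers normalise to slashes, userinfo tricks
    (host@evil) and absolute URLs whose authority is not exactly `host`.
    """
    if not target:
        return False
    normalized = target.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme or parts.netloc:
        # Absolute URL: only http(s) back to our own authority is acceptable.
        return parts.scheme in ("http", "https") and parts.netloc.lower() == host.lower()
    # Relative URL: must be an absolute path, and '//' would be scheme-relative.
    return normalized.startswith("/") and not normalized.startswith("//")


def safe_next(target: str, default: str = "/") -> str:
    """Value for the Location header: the requested target if local, else the default."""
    return target if redirect_is_local(target) else default


if __name__ == "__main__":
    for candidate in ("/tree", "//evil.example/", "/\\evil.example/",
                      "https://jupyter.example.org@evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {safe_next(candidate)}")
```

The authority comparison is deliberately exact: a target such as `https://jupyter.example.org:443/lab` is rejected even though it would resolve to the same server, which is the conservative side to err on for a redirect parameter. If the application legitimately serves several hosts, compare against an allow-list rather than loosening the check.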
Datasette 1.0 alpha series leaks names of databases and tables to unauthenticated users
GHSA-7ch3-7pp7-7cpq CVE-2023-40570 MODERATE over 2 years ago
### Impact This bug affects Datasette instances running a Datasette 1.0 alpha - 1.0a0, 1.0a1, 1.0a2 or 1.0a3 - in an online accessible location bu...
pypi
No PRs yet
pandasai vulnerable to prompt injection
GHSA-w832-v3c6-m6rg CVE-2023-39660 HIGH over 2 years ago
An issue in Gabriele Venturi pandasai v.0.8.0 and before allows a remote attacker to execute arbitrary code via a crafted request to the prompt fu...
pypi
No PRs yet
Apache Airflow Spark Provider Improper Input Validation vulnerability
GHSA-r2f6-6928-fh8f CVE-2023-40272 HIGH over 2 years ago
Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when e...
pypi
No PRs yet
Scancode.io Reflected Cross-Site Scripting (XSS) in license endpoint
GHSA-6xcx-gx7r-rccj CVE-2023-40024 MODERATE over 2 years ago
### Summary In the `/license/` endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site ...
pypi
No PRs yet
LangChain vulnerable to arbitrary code execution
GHSA-prgp-w7vf-ch62 CVE-2023-39659 CRITICAL over 2 years ago
An issue in langchain langchain-ai before version 0.0.325 allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstR...
pypi
No PRs yet
LangChain vulnerable to arbitrary code execution
GHSA-fj32-q626-pjjc CVE-2023-38860 CRITICAL over 2 years ago
An issue in LangChain prior to v.0.0.247 allows a remote attacker to execute arbitrary code via the prompt parameter.
pypi
No PRs yet
llama-index vulnerable to arbitrary code execution
GHSA-2xxc-73fv-36f7 CVE-2023-39662 CRITICAL over 2 years ago
An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the `exec` parameter in PandasQueryEngine function.
pypi
No PRs yet
PandasAI vulnerable to arbitrary code execution
GHSA-8fp9-43pw-56vw CVE-2023-39661 CRITICAL over 2 years ago
An issue in pandas-ai v.0.8.1 and before allows a remote attacker to execute arbitrary code via the `_is_jailbreak` function.
pypi
No PRs yet
LangChain vulnerable to arbitrary code execution
GHSA-92j5-3459-qgp4 CVE-2023-38896 CRITICAL over 2 years ago
An issue in Harrison Chase langchain before version 0.0.236 allows a remote attacker to execute arbitrary code via the `from_math_prompt` and `from...
pypi
No PRs yet
Tornado vulnerable to HTTP request smuggling via improper parsing of `Content-Length` fields and chunk lengths
GHSA-qppv-j76h-2rpx MODERATE over 2 years ago
## Summary Tornado interprets `-`, `+`, and `_` in chunk length and `Content-Length` values, which are not allowed by the HTTP RFCs. This can resul...
pypi
No PRs yet
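The Tornado advisory above is a good example of how `int()` alone is not an HTTP number parser: Python's `int` accepts a leading sign, underscore separators, surrounding whitespace and non-ASCII decimal digits, and `int(x, 16)` additionally accepts a `0x` prefix. If a front-end proxy rejects such values and the back end accepts them (or vice versa), the two disagree about where a request body ends, which is the request-smuggling condition. The code below is added here and is not Tornado's; it places the lenient behaviour beside a parser that enforces the RFC 9112 grammar (`Content-Length = 1*DIGIT`, `chunk-size = 1*HEXDIG`), with constructed sample values.

```python
import re

# RFC 9112 grammar: ASCII digits only, no sign, no separators, no surrounding whitespace.
_CONTENT_LENGTH = re.compile(r"[0-9]+")
_CHUNK_SIZE = re.compile(r"[0-9A-Fa-f]+")


def lenient_content_length(value: str) -> int:
    """What a parser that simply calls int() accepts."""
    return int(value)


def lenient_chunk_size(line: str) -> int:
    """int(..., 16) on the part before any chunk extension."""
    return int(line.split(";", 1)[0], 16)


def strict_content_length(value: str) -> int:
    if not _CONTENT_LENGTH.fullmatch(value):
        raise ValueError(f"invalid Content-Length: {value!r}")
    return int(value)


def strict_chunk_size(line: str) -> int:
    """chunk-size [ chunk-ext ]: only the hex size before ';' is validated here;
    extensions are ignored rather than parsed."""
    size = line.split(";", 1)[0]
    if not _CHUNK_SIZE.fullmatch(size):
        raise ValueError(f"invalid chunk-size: {size!r}")
    return int(size, 16)


def strict_rejects(parser, value: str) -> bool:
    try:
        parser(value)
    except ValueError:
        return True
    return False


def desync_candidates(values):
    """Values a lenient int()-based parser accepts but a strict one rejects.
    Any of these lets two hops in a proxy chain disagree about the body length."""
    return [v for v in values
            if not strict_rejects(lenient_content_length, v)
            and strict_rejects(strict_content_length, v)]


if __name__ == "__main__":
    # Constructed sample header values; "\u0661\u0660" is Arabic-Indic "10", which int() accepts.
    samples = ["10", "1_0", "+10", " 10", "-0", "\u0661\u0660", "abc"]
    print("desync candidates:", desync_candidates(samples))
    print("chunk line '0x10' lenient:", lenient_chunk_size("0x10"),
          "strict rejects:", strict_rejects(strict_chunk_size, "0x10"))
```

Header field values normally have optional whitespace trimmed before parsing, so the `" 10"` case is about what reaches the number parser, not about whether OWS is permitted around a field value. The underscore and sign cases are the ones the advisory names; the `0x` prefix and non-ASCII digits are the same class of problem and are worth covering in a regression test.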