An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total advisories: 24,784 | With Dependabot PRs: 1,790 | Critical severity: 3,506 | High severity: 8,617

Each entry below lists the advisory title, then its GHSA id, CVE id (where assigned), severity, age, package ecosystem and Dependabot PR status, followed by the advisory's truncated description.
OMERO.web uses jquery-form library, which may be vulnerable to XSS attack
GHSA-j4gv-6x9v-v23g | LOW | 3 days ago | pypi | No PRs yet
Impact: OMERO.web uses the jquery-form library throughout to handle form submission and response processing. Due to some unpatched potential vul...
changedetection.io: Stored XSS in Watch update via API
GHSA-4c3j-3h7v-22q9 | CVE-2025-62780 | LOW | 15 days ago | pypi | No PRs yet
Summary: A Stored Cross Site Scripting is present in the changedetection.io Watch update API due to insufficient security checks. Details: ...
Open redirect endpoint in Datasette
GHSA-w832-gg5g-x44m | CVE-2025-64481 | LOW | 21 days ago | pypi | No PRs yet
Impact: Deployed instances of Datasette prior to `0.65.2` and `1.0a21` include an open redirect vulnerability. Hits to the path `//example.com...

Weblate leaks the IP of project member inviting user to be reviewer in Audit log
GHSA-gr35-vpx2-qxhc | CVE-2025-64326 | LOW | 22 days ago | pypi | No PRs yet
Summary: Weblate leaks the IP address of the project member inviting the user to the project in the audit log. Details: The audit log includ...

Byaidu PDFMathTranslate vulnerable to open redirect
GHSA-pfrv-63w8-q7rq | CVE-2025-50736 | LOW | 28 days ago | pypi | No PRs yet
An open redirect vulnerability exists in Byaidu PDFMathTranslate v1.9.9 that allows attackers to craft URLs that cause the application to redirect ...

uv has differential in tar extraction with PAX headers
GHSA-w476-p2h3-79g9 | LOW | about 1 month ago | pypi | No PRs yet
Impact: In versions 0.9.4 and earlier of uv, tar archives containing PAX headers with file size overrides were not handled properly. As a resul...

reflex-dev/reflex has an Open Redirect vulnerability
GHSA-rfh5-c9h5-q8jm | CVE-2025-62379 | LOW | about 1 month ago | pypi | No PRs yet
Mitigation: Make sure `GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN` is not set in a production environment. So the following is correct: ``` asse...

DataChain Vulnerable to Deserialization of Untrusted Data from Environment Variables
GHSA-6px8-mr29-cj4r | CVE-2025-61677 | LOW | about 2 months ago | pypi | No PRs yet
The DataChain library reads serialized objects from environment variables (such as `DATACHAIN__METASTORE` and `DATACHAIN__WAREHOUSE`) in the `loade...

Django vulnerable to partial directory traversal via archives
GHSA-q95w-c7qg-hrff | CVE-2025-59682 | LOW | about 2 months ago | pypi | 21 Dependabot PRs
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by ...

JupyterLab LaTeX typesetter links did not enforce `noopener` attribute
GHSA-vvfj-2jqx-52jm | CVE-2025-59842 | LOW | 2 months ago | pypi | No PRs yet
Links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the `noopener` attri...

ml-logger deserialization vulnerability
GHSA-57hm-8rjv-498w | CVE-2025-10950 | LOW | 2 months ago | pypi | No PRs yet
A vulnerability was determined in geyang ml-logger 0.10.36 and prior. Affected is the function log_handler of the file ml_logger/server.py of the c...

Fides has a Lack of Brute-Force Protections on Authentication Endpoints
GHSA-7q62-r88r-j5gw | CVE-2025-57815 | LOW | 3 months ago | pypi | No PRs yet
Summary: The Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation contr...

Fides' Admin UI User Password Change Does Not Invalidate Current Session
GHSA-rpw8-82v9-3q87 | CVE-2025-57766 | LOW | 3 months ago | pypi | No PRs yet
Summary: Admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where at...

Weblate has a long session expiry when verifying second factor
GHSA-377j-wj38-4728 | CVE-2025-58352 | LOW | 3 months ago | pypi | No PRs yet
Impact: The verification of the second factor had too long a session expiry. The long session expiry could be used to circumvent rate limiting o...

MobSF Path Traversal in GET /download/<filename> using absolute filenames
GHSA-ccc3-fvfx-mw3v | CVE-2025-58161 | LOW | 3 months ago | pypi | No PRs yet
Summary: The GET /download/<filename> route uses string path verification via os.path.commonprefix, which allows an authenticated user to downlo...

Exiv2 has quadratic performance in ICC profile parsing in JpegBase::readMetadata
GHSA-m54q-mm9w-fp6g | CVE-2025-55304 | LOW | 3 months ago | pypi | No PRs yet
Impact: A denial-of-service was found in Exiv2 version v0.28.5: a quadratic algorithm in the ICC profile parsing code in `jpegBase::readMetadata...

Exiv2 Segmentation Faults in Exiv2::EpsImage::writeMetadata() via crafted EPS file
GHSA-496f-x7cq-cq39 | CVE-2025-54080 | LOW | 3 months ago | pypi | No PRs yet
Impact: An out-of-bounds read was found in Exiv2 versions v0.28.5 and earlier. Exiv2 is a command-line utility and C++ library for reading, writ...

Litestar has potential log injection in exception logging
GHSA-674p-xv2x-rf3g | LOW | 4 months ago | pypi | No PRs yet
Summary: Litestar does not escape URL paths when logging exceptions. This makes the logger vulnerable to CRLF injection if the logging level is configu...

MaterialX Null Pointer Dereference in MaterialXCore Shader Generation due to Unchecked implGraphOutput
GHSA-7qw8-3vmf-gj32 | CVE-2025-53011 | LOW | 4 months ago | pypi | No PRs yet
Summary: When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with m...

MaterialX Null Pointer Dereference in getShaderNodes due to Unchecked nodeGraph->getOutput return
GHSA-3jhf-gxhr-q4cx | CVE-2025-53010 | LOW | 4 months ago | pypi | No PRs yet
Summary: When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with m...

MS SWIFT Remote Code Execution via unsafe PyYAML deserialization
GHSA-fm6c-f59h-7mmg | CVE-2025-50460 | LOW | 4 months ago | pypi | No PRs yet
Description: A Remote Code Execution (RCE) vulnerability exists in the [modelscope/ms-swift](https://github.com/modelscope/ms-swift) project due...

WebSSH Cross-site Scripting vulnerability
GHSA-9cg4-9hv5-3376 | CVE-2025-7885 | LOW | 4 months ago | pypi | No PRs yet
A vulnerability, which was classified as problematic, has been found in Huashengdun WebSSH up to 1.6.2. Affected by this issue is some unknown func...

AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections
GHSA-9548-qrrj-x5pj | CVE-2025-53643 | LOW | 5 months ago | pypi | 32 Dependabot PRs, 3% merged
Summary: The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. Impac...

Transformers's Improper Input Validation vulnerability can be exploited through username injection
GHSA-phhr-52qp-3mj4 | CVE-2025-3777 | LOW | 5 months ago | pypi | No PRs yet
Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulner...

Langchain-Chatchat vulnerable to path traversal
GHSA-f823-phmg-x5fr | CVE-2025-6855 | LOW | 5 months ago | pypi | No PRs yet
A vulnerability, which was classified as critical, has been found in chatchat-space Langchain-Chatchat up to 0.3.1. This issue affects some unknown...

Langchain-Chatchat vulnerable to path traversal
GHSA-8v8h-4pjx-rg73 | CVE-2025-6854 | LOW | 5 months ago | pypi | No PRs yet
A vulnerability classified as problematic was found in chatchat-space Langchain-Chatchat up to 0.3.1. This vulnerability affects unknown code of th...

Langchain-Chatchat has a Path Traversal vulnerability
GHSA-qmgv-j263-qr33 | CVE-2025-6853 | LOW | 5 months ago | pypi | No PRs yet
A vulnerability classified as critical has been found in chatchat-space Langchain-Chatchat up to 0.3.1. This affects the function upload_temp_docs ...

pyspur Incomplete Filtering of Special Elements allowed by SingleLLMCallNode function
GHSA-8gff-cf92-72pv | CVE-2025-6518 | LOW | 5 months ago | pypi | No PRs yet
A vulnerability was found in PySpur-Dev pyspur up to 0.1.18. It has been classified as critical. Affected is the function SingleLLMCallNode of the ...

Upsonic has vulnerability in Pickle Handler component that can lead to deserialization
GHSA-rpfv-46xj-5984 | CVE-2025-6279 | LOW | 5 months ago | pypi | No PRs yet
A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the...

Upsonic is vulnerable to Path Traversal attack through its os.path.join function
GHSA-8jf4-fcjr-68c2 | CVE-2025-6278 | LOW | 5 months ago | pypi | No PRs yet
A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown...

Weblate exposes personal IP address via e-mail
GHSA-4qqf-9m5c-w2c5 | CVE-2025-49134 | LOW | 5 months ago | pypi | No PRs yet
Impact: The audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP...

Vantage6 Server JWT secret not cryptographically secure
GHSA-m3mq-f375-5vgh | CVE-2025-43866 | LOW | 6 months ago | pypi | No PRs yet
Impact: The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not ...

vantage6 lacks brute-force protection on change password functionality
GHSA-j6g5-p62x-58hw | CVE-2025-43863 | LOW | 6 months ago | pypi | No PRs yet
Impact: If an attacker gets access to an authenticated session, they can try to brute-force the user password by using the change password function...

Aim Vulnerable to Sandbox Escape Leading to Remote Code Execution
GHSA-gp5h-f9c5-8355 | CVE-2025-5321 | LOW | 6 months ago | pypi | No PRs yet
A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the...

Gradio CORS Origin Validation Bypass Vulnerability
GHSA-wmjh-cpqj-4v6x | CVE-2025-5320 | LOW | 6 months ago | pypi | No PRs yet
A vulnerability classified as problematic has been found in gradio-app gradio up to 5.29.1. This affects the function is_valid_origin of the compon...

Potential Timing Side-Channel Vulnerability in vLLM’s Chunk-Based Prefix Caching
GHSA-4qjh-9fv9-r85r | CVE-2025-46570 | LOW | 6 months ago | pypi | No PRs yet
This issue arises from the prefix caching mechanism, which may expose the system to a timing side-channel attack. Description: When a new prompt...

Vyper's `slice()` may elide side-effects when output length is 0
GHSA-3vcg-j39x-cwfm | CVE-2025-47774 | LOW | 7 months ago | pypi | No PRs yet
Impact: The `slice()` builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (`msg.data` or `<addres...

Vyper's `concat()` builtin may elide side-effects for zero-length arguments
GHSA-qhr6-mgqr-mchm | CVE-2025-47285 | LOW | 7 months ago | pypi | No PRs yet
Impact: `concat()` may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the implementation w...

Flask uses fallback key instead of current signing key
GHSA-4grg-w6v8-c28g | CVE-2025-47278 | LOW | 7 months ago | pypi | 2433 Dependabot PRs, 27% merged
In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current si...

OpenStack Ironic fails to restrict paths used for file:// image URLs
GHSA-q3m2-crgq-5p3q | CVE-2025-44021 | LOW | 7 months ago | pypi | No PRs yet
OpenStack Ironic before 29.0.1 can write unintended files to a target node disk during image handling (if a deployment was performed via the API). ...

AWorld OS Command Injection vulnerability
GHSA-jmjf-mfhm-j3gf | CVE-2025-4032 | LOW | 7 months ago | pypi | No PRs yet
A vulnerability was found in inclusionAI AWorld up to 8c257626e648d98d793dd9a1a950c2af4dd84c4e. It has been rated as critical. This issue affects t...

markdownify allows large headline prefixes such as <h9999999>, which causes memory consumption
GHSA-7mpr-5m44-h73r | CVE-2025-46656 | LOW | 7 months ago | pypi | No PRs yet
python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. This causes ...

VCS credentials included in URL parameters are potentially logged and saved into browser history as plaintext
GHSA-m67m-3p5g-cw9j | CVE-2025-32021 | LOW | 8 months ago | pypi | No PRs yet
Summary: When creating a new component from an existing component that has a source code repository URL specified in settings, this URL is incl...

PyTorch susceptible to local Denial of Service
GHSA-3749-ghw9-m3mg | CVE-2025-2953 | LOW | 8 months ago | pypi | No PRs yet
A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch.mkldnn_ma...

Django TomSelect incomplete escaping of dangerous characters in widget attributes
GHSA-785h-76cm-cpmf | LOW | 8 months ago | pypi | No PRs yet
Summary: User supplied values passed through to certain attributes in form widgets are not fully escaped for potentially dangerous tokens, and i...

MLflow has Weak Password Requirements
GHSA-4rj2-9gcx-5qhx | CVE-2025-1474 | LOW | 8 months ago | pypi | No PRs yet
In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security ...

Flask-AppBuilder Observable Response Discrepancy
GHSA-p8q5-cvwx-wvwp | CVE-2025-24023 | LOW | 9 months ago | pypi | No PRs yet
Impact: User enumeration in database authentication in Flask-AppBuilder <= 4.5.3 and werkzeug >= 3.0.0. Allows a non-authenticated user to e...

copyparty renders unsanitized filenames as HTML when user uploads empty files
GHSA-m2jw-cj8v-937r | CVE-2025-27145 | LOW | 9 months ago | pypi | No PRs yet
Summary: A [DOM-Based XSS](https://capec.mitre.org/data/definitions/588.html) was discovered in [copyparty](https://github.com/9001/copyparty), ...

Vyper has a double eval in For List Iter
GHSA-h33q-mhmp-8p67 | CVE-2025-27104 | LOW | 9 months ago | pypi | No PRs yet
Multiple evaluation of a single expression is possible in the iterator target of a for loop. While the iterator expression cannot produce multiple ...

AugAssign evaluation order causing OOB write within the object in Vyper
GHSA-4w26-8p97-f4jp | CVE-2025-27105 | LOW | 9 months ago | pypi | No PRs yet
Vyper handles AugAssign statements by first caching the target location to avoid double evaluation. However, in the case when the target is an access t...