Data

Tools

Indexes

Applications

Experiments

Dependabot

An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

RSS Feed

24,921

Total Advisories

1,821

With Dependabot PRs

3,520

Critical Severity

8,659

High Severity

Clear All Filters
SageMaker Workflow component allows possibility of MD5 hash collisions
GHSA-32g6-mg92-ghm2 CVE-2025-0508 MODERATE 9 months ago
A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. ...
pypi
No PRs yet
LocalAI Cross-Site Scripting (XSS) vulnerability in its search functionality
GHSA-w6hh-w36c-vxmw CVE-2024-9900 MODERATE 9 months ago
mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. The vulnerability arises due to imp...
go
No PRs yet
composio Server-Side Request Forgery (SSRF) vulnerability
GHSA-qvg9-vp87-h3hr CVE-2024-8952 MODERATE 9 months ago
A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.2, specifically in the /api/actions/execute/WEBTOOL_S...
pypi
No PRs yet
composio allows Server-Side Request Forgery (SSRF) in BROWSERTOOL
GHSA-38mg-wm59-g64x CVE-2024-8955 MODERATE 9 months ago
A Server-Side Request Forgery (SSRF) vulnerability exists in composiohq/composio version v0.4.4. This vulnerability allows an attacker to read the ...
pypi
No PRs yet
AgentScope stored cross-site scripting (XSS) vulnerability
GHSA-6mf6-7j75-2m6f CVE-2024-8556 MODERATE 9 months ago
A stored cross-site scripting (XSS) vulnerability exists in modelscope/agentscope, as of the latest commit 21161fe on the main branch. The vulnerab...
pypi
No PRs yet
Aim Improper Access Control
GHSA-r229-5wgf-f28g CVE-2024-8238 MODERATE 9 months ago
In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. This ve...
pypi
No PRs yet
Gradio Vulnerable to Open Redirect
GHSA-7v2w-h4gh-w5cv CVE-2024-8021 MODERATE 9 months ago
An open redirect vulnerability exists in the latest version of gradio-app/gradio. The vulnerability allows an attacker to redirect users to a malic...
pypi
No PRs yet
Open WebUI Vulnerable to Cross-Site Request Forgery (CSRF)
GHSA-p5vx-9hj8-cf4h CVE-2024-7035 MODERATE 9 months ago
In version v0.3.8 of open-webui/open-webui, sensitive actions such as deleting and resetting are performed using the GET method. This vulnerability...
pypi
No PRs yet
Open WebUI Allows Viewing of Admin Details
GHSA-gv26-qw3h-8qvp CVE-2024-7046 MODERATE 9 months ago
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows an attacker to view admin details. The application does not verify ...
pypi
No PRs yet
Open WebUI Has Improper Access Control Leading to Arbitrary Prompt Read
GHSA-c7fq-p62p-wvpc CVE-2024-7045 MODERATE 9 months ago
In version v0.3.8 of open-webui/open-webui, improper access control vulnerabilities allow an attacker to view any prompts. The application does not...
pypi
No PRs yet
Open WebUI Allows Arbitrary File Write via the `/models/upload` Endpoint
GHSA-crh6-pj8c-xrhc CVE-2024-7034 MODERATE 9 months ago
In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handling of user-supplied filename...
pypi
No PRs yet
Open WebUI Vulnerable to Cross-Site Scripting (XSS) via Chat File Upload
GHSA-j274-m559-cj4j CVE-2024-7044 MODERATE 9 months ago
A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui version 0.3.8. An attacker ...
pypi
No PRs yet
Flask-CORS improper regex path matching vulnerability
GHSA-7rxf-gvfg-47g4 CVE-2024-6839 MODERATE 9 months ago
corydolphin/flask-cors version 5.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more...
pypi
1405
Dependabot PRs
20%
Merged
Flask-CORS allows for inconsistent CORS matching
GHSA-8vgw-p6qm-5gr7 CVE-2024-6844 MODERATE 9 months ago
A vulnerability in corydolphin/flask-cors version 5.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths...
pypi
1407
Dependabot PRs
20%
Merged
H2O Vulnerable to Execution of Arbitrary Files
GHSA-m37h-8r48-2cxj CVE-2024-6863 MODERATE 9 months ago
In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target server with a key...
maven pypi
No PRs yet
Open WebUI Allows Arbitrary File Write via the `download_model` Endpoint
GHSA-3p9q-7w63-3f8q CVE-2024-7033 MODERATE 9 months ago
In version 0.3.8 of open-webui/open-webui, an arbitrary file write vulnerability exists in the download_model endpoint. When deployed on Windows, t...
pypi
No PRs yet
Flask-CORS vulnerable to Improper Handling of Case Sensitivity
GHSA-43qf-4rqw-9q2g CVE-2024-6866 MODERATE 9 months ago
corydolphin/flask-cors version 5.0.1 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match`...
pypi
1405
Dependabot PRs
20%
Merged
MLflow Uncontrolled Resource Consumption vulnerability
GHSA-q3gw-8236-5jw4 CVE-2024-6838 MODERATE 9 months ago
In mlflow/mlflow version v2.13.2, a vulnerability exists that allows the creation or renaming of an experiment with a large number of integers in i...
pypi
No PRs yet
TorchServe script references S3 bucket without ensuring ownership or confirming accessibility
GHSA-xx7c-j7h3-vjcq CVE-2024-6577 MODERATE 9 months ago
In the latest version of pytorch/serve, the script 'upload_results_to_s3.sh' references the S3 bucket 'benchmarkai-metrics-prod' without ensuring i...
pypi
No PRs yet
LlamaIndex Uncontrolled Resource Consumption vulnerability
GHSA-jvpf-xf32-2w4q CVE-2024-12910 MODERATE 9 months ago
A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial...
pypi
No PRs yet
Aim Relative Path Traversal vulnerability
GHSA-p6x3-v6g3-7557 CVE-2024-6483 MODERATE 9 months ago
A vulnerability in the `runs/delete-batch` endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path tra...
pypi
No PRs yet
Aim vulnerable to Synchronous Access of Remote Resource without Timeout
GHSA-v5pj-jrpv-h6g2 CVE-2024-12777 MODERATE 9 months ago
A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is...
pypi
No PRs yet
Transformers Regular Expression Denial of Service (ReDoS) vulnerability
GHSA-6rvg-6v2m-4j46 CVE-2024-12720 MODERATE 9 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file token...
pypi
No PRs yet
BentoML Open Redirect vulnerability
GHSA-564p-rx2q-4c8v MODERATE 9 months ago
An open redirect vulnerability in bentoml/bentoml v1.3.9 allows a remote unauthenticated attacker to redirect users to arbitrary websites via a spe...
pypi
No PRs yet
Gradio Path Traversal vulnerability
GHSA-prpg-p95c-32fv CVE-2024-12217 MODERATE 9 months ago
A vulnerability in the gradio-app/gradio repository, version git 67e4044, allows for path traversal on Windows OS. The implementation of the blocke...
pypi
No PRs yet
langchain-core allows unauthorized users to read arbitrary files from the host file system
GHSA-5chr-fjjv-38qv CVE-2024-10940 MODERATE 9 months ago
A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,<0.2.43, and >=0.3.0,<0.3.15 allows unauthorized users to read arbitrary files...
pypi
No PRs yet
FastChat open redirect vulnerability
GHSA-77cj-rv5x-v6r2 CVE-2024-10908 MODERATE 9 months ago
An open redirect vulnerability in lm-sys/fastchat Release v0.2.36 allows a remote unauthenticated attacker to redirect users to arbitrary websites ...
pypi
No PRs yet
Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS)
GHSA-hrc4-p2h3-pjqw CVE-2025-2536 MODERATE 9 months ago
Cross-site scripting (XSS) vulnerability on Liferay Portal 7.4.3.82 through 7.4.3.128, and Liferay DXP 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 202...
maven
No PRs yet
OpenShift Console Has a Path Traversal Vulnerability
GHSA-69x5-hjg4-m267 CVE-2024-7631 MODERATE 9 months ago
A flaw was found in the OpenShift Console, an endpoint for plugins to serve resources in multiple languages: /locales/resources.json. This endpoint...
go
No PRs yet
OpenShift Hive Has an Uncontrolled Resource Consumption Vulnerability
GHSA-c392-wrgw-jjfw CVE-2024-25132 MODERATE 9 months ago
A flaw was found in the Hive hibernation controller component of OpenShift Dedicated. The ClusterDeployment.hive.openshift.io/v1 resource can be cr...
go
No PRs yet
Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout
GHSA-hxg4-65p5-9w37 CVE-2025-30152 MODERATE 9 months ago
A discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a ...
packagist
No PRs yet
vLLM denial of service via outlines unbounded cache on disk
GHSA-mgrm-fgjv-mhv8 CVE-2025-29770 MODERATE 9 months ago
### Impact The [outlines](https://dottxt-ai.github.io/outlines/latest/) library is one of the backends used by vLLM to support structured output (a...
pypi
No PRs yet
Fast-JWT Improperly Validates iss Claims
GHSA-gm45-q3v2-6cf8 CVE-2025-30144 MODERATE 9 months ago
### Summary The `fast-jwt` library does not properly validate the `iss` claim based on the RFC https://datatracker.ietf.org/doc/html/rfc7519#page-9...
npm
23
Dependabot PRs
13%
Merged
Mattermost Fails to Properly Perform Viewer Role Authorization
GHSA-fqrq-xmxj-v47x CVE-2025-1472 MODERATE 9 months ago
Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role which allows an attacker with the Viewer role config...
go
No PRs yet
Apache Airflow MySQL Provider is Vulnerable to SQL Injection
GHSA-hhm6-jjf4-6pm3 CVE-2025-27018 MODERATE 9 months ago
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When user tri...
pypi
No PRs yet
Clickstorm SEO Allows Cross-Site Scripting (XSS)
GHSA-vmgw-24w6-9v82 CVE-2025-30081 MODERATE 9 months ago
A cross-site scripting (XSS) vulnerability has been discovered in the Clickstorm SEO extension. This vulnerabily is exploitable by a logged in back...
packagist
No PRs yet
Additional TCA Allows Cross-Site Scripting (XSS)
GHSA-rrh3-cgmx-w62f CVE-2025-30083 MODERATE 9 months ago
A cross-site scripting (XSS) vulnerability has been discovered in the Additional TCA extension. This vulnerabily is exploitable by a logged in back...
packagist
No PRs yet
Contao Vulnerable to Cross-Site Scripting (XSS) through SVG uploads
GHSA-vqqr-fgmh-f626 CVE-2025-29790 MODERATE 9 months ago
### Impact Users can upload SVG files with malicious code, which is then executed in the back end and/or front end. ### Patches Update to Contao...
packagist
No PRs yet
TastyIgniter Has an Incorrect Access Control Vulnerability
GHSA-w5h7-mw56-4v7x CVE-2024-44314 MODERATE 9 months ago
TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the Orders Management System, allowing unauthorized users to update order ...
packagist
No PRs yet
CosmWasm Allows Bypass of Capability Restrictions in Blockchains
GHSA-cg8r-jwg7-r2x4 CVE-2025-25500 MODERATE 9 months ago
An issue in CosmWasm prior to v2.2.0 allows attackers to bypass capability restrictions in blockchains by exploiting a lack of runtime capability v...
cargo
No PRs yet
buildx allows a possible credential leakage to telemetry endpoint
GHSA-m4gq-fm9h-8q75 CVE-2025-0495 MODERATE 9 months ago
### Impact Some cache backends allow configuring their credentials by setting secrets directly as attribute values in `cache-to/cache-from` configu...
go
15
Dependabot PRs
Sylius PayPal Plugin Payment Amount Manipulation Vulnerability
GHSA-pqq3-q84h-pj6x CVE-2025-29788 MODERATE 9 months ago
A vulnerability allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their shopping car...
packagist
No PRs yet
Bare Metal Operator (BMO) can expose any secret from other namespaces via BMCEventSubscription CRD
GHSA-c98h-7hp9-v9hq CVE-2025-29781 MODERATE 9 months ago
### Impact The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. Baremetal Operator enables users t...
go
3
Dependabot PRs
containerd has an integer overflow in User ID handling
GHSA-265r-hfxg-fhmg CVE-2024-40635 MODERATE 9 months ago
### Impact A bug was found in containerd where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can...
go
321
Dependabot PRs
7%
Merged
gurk (aka gurk-rs) mishandles ANSI escape sequences
GHSA-89xp-c3mq-qj84 CVE-2025-30089 MODERATE 9 months ago
gurk (aka gurk-rs) through 0.6.3 mishandles ANSI escape sequences.
cargo
No PRs yet
Wire has Uncontrolled Recursion on Nested Groups
GHSA-pwf9-q62p-v7wc CVE-2024-58103 MODERATE 9 months ago
Square Wire before 5.2.0 does not enforce a recursion limit on nested groups in ByteArrayProtoReader32.kt and ProtoReader.kt.
maven
No PRs yet
onos-lib-go allows an index out-of-range panic
GHSA-jrqj-6vq2-7r63 CVE-2025-30077 MODERATE 9 months ago
Open Networking Foundation SD-RAN ONOS onos-lib-go 0.10.28 allows an index out-of-range panic in asn1/aper GetBitString via a zero value of numBits.
go
No PRs yet
Post-Quantum Secure Feldman's Verifiable Secret Sharing has Inadequate Fault Injection Countermeasures in `secure_redundant_execution`
GHSA-r8gc-qc2c-c7vh CVE-2025-29779 MODERATE 9 months ago
**Description:** The `secure_redundant_execution` function in feldman_vss.py attempts to mitigate fault injection attacks by executing a function ...
pypi
No PRs yet
Post-Quantum Secure Feldman's Verifiable Secret Sharing has Timing Side-Channels in Matrix Operations
GHSA-q65w-fg65-79f4 CVE-2025-29780 MODERATE 9 months ago
**Description:** The `feldman_vss` library contains timing side-channel vulnerabilities in its matrix operations, specifically within the `_find_s...
pypi
No PRs yet
JS Html Sanitizer allows XSS when used with contentEditable
GHSA-vhv4-fh94-jm5x CVE-2025-29771 MODERATE 9 months ago
### Impact XSS vulnerability when the sanitizer is used with a `contentEditable` element to set the elements `innerHTML` to a sanitized string prod...
npm
No PRs yet