Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions vulns/airflow/PYSEC-0000-airflow-GHSA-q3p4-gw7r-wqjc.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
id: PYSEC-0000-airflow-GHSA-q3p4-gw7r-wqjc
modified: '2026-07-02T14:13:09.589522Z'
published: '2026-07-02T14:13:09.589522Z'
aliases:
- CVE-2019-12417
- GHSA-q3p4-gw7r-wqjc
summary: Apache Airflow vulnerable to XSS and local file disclosure
details: A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process.
severity:
- type: CVSS_V3
score: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- type: CVSS_V4
score: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
affected:
- package:
ecosystem: PyPI
name: airflow
purl: pkg:pypi/airflow
ranges:
- type: ECOSYSTEM
events:
- introduced: '0'
- fixed: 1.10.6
references:
- type: ADVISORY
url: https://nvd.nist.gov/vuln/detail/CVE-2019-12417
- type: WEB
url: https://github.com/apache/airflow/commit/caf1f264b845153b9a61b00b1a57acb7c320e743
- type: ADVISORY
url: https://github.com/advisories/GHSA-q3p4-gw7r-wqjc
- type: PACKAGE
url: https://github.com/apache/airflow
- type: WEB
url: https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2019-216.yaml
- type: WEB
url: https://lists.apache.org/thread.html/f3aa5ff9c7cdb5424b6463c9013f6cf5db83d26c66ea77130cbbe1bc@%3Cusers.airflow.apache.org%3E
- type: PACKAGE
url: https://pypi.org/project/airflow
46 changes: 46 additions & 0 deletions vulns/ansible/PYSEC-0000-ansible-GHSA-fh5v-5f35-2rv2.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
id: PYSEC-0000-ansible-GHSA-fh5v-5f35-2rv2
modified: '2026-07-02T14:13:16.795525Z'
published: '2026-07-02T14:13:16.795525Z'
aliases:
- CVE-2021-20180
- GHSA-fh5v-5f35-2rv2
summary: Insertion of Sensitive Information into Log File in ansible
details: A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
severity:
- type: CVSS_V3
score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
affected:
- package:
ecosystem: PyPI
name: ansible
purl: pkg:pypi/ansible
ranges:
- type: ECOSYSTEM
events:
- introduced: 2.8.0a1
- fixed: 2.8.19
- introduced: 2.9.0b1
- fixed: 2.9.18
references:
- type: ADVISORY
url: https://nvd.nist.gov/vuln/detail/CVE-2021-20180
- type: WEB
url: https://github.com/ansible/ansible/pull/73242
- type: WEB
url: https://github.com/ansible/ansible/pull/73243
- type: WEB
url: https://bugzilla.redhat.com/show_bug.cgi?id=1915808
- type: PACKAGE
url: https://github.com/ansible/ansible
- type: WEB
url: https://github.com/ansible/ansible/blob/v2.8.19/changelogs/CHANGELOG-v2.8.rst
- type: WEB
url: https://github.com/ansible/ansible/blob/v2.9.18/changelogs/CHANGELOG-v2.9.rst
- type: WEB
url: https://github.com/ansible/ansible/tree/v2.7.18/lib/ansible/modules/source_control
- type: WEB
url: https://github.com/ansible/ansible/tree/v2.8.0a1/lib/ansible/modules/source_control
- type: PACKAGE
url: https://pypi.org/project/ansible
- type: ADVISORY
url: https://github.com/advisories/GHSA-fh5v-5f35-2rv2
48 changes: 48 additions & 0 deletions vulns/aodh/PYSEC-0000-aodh-GHSA-86cv-9gpx-6hwj.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
id: PYSEC-0000-aodh-GHSA-86cv-9gpx-6hwj
modified: '2026-07-02T14:13:24.418168Z'
published: '2026-07-02T14:13:24.418168Z'
aliases:
- CVE-2017-12440
- GHSA-86cv-9gpx-6hwj
summary: Openstack Aodh can be used to launder Keystone trusts
details: Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee.
severity:
- type: CVSS_V3
score: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
affected:
- package:
ecosystem: PyPI
name: aodh
purl: pkg:pypi/aodh
ranges:
- type: ECOSYSTEM
events:
- introduced: '0'
- fixed: 6.0.1
references:
- type: ADVISORY
url: https://nvd.nist.gov/vuln/detail/CVE-2017-12440
- type: WEB
url: https://github.com/openstack/aodh/commit/149d3ad2193b4d17df801f82a0a6be62dba564db
- type: WEB
url: https://github.com/openstack/aodh/commit/92182de328d1f088c5f5a68326d2b207b21e06ea
- type: WEB
url: https://access.redhat.com/errata/RHSA-2017:3227
- type: WEB
url: https://access.redhat.com/errata/RHSA-2018:0315
- type: WEB
url: https://bugs.launchpad.net/ossn/+bug/1649333
- type: WEB
url: https://review.openstack.org/#/c/493823
- type: WEB
url: https://review.openstack.org/#/c/493824
- type: WEB
url: https://review.openstack.org/#/c/493826
- type: WEB
url: http://www.debian.org/security/2017/dsa-3953
- type: WEB
url: http://www.securityfocus.com/bid/100455
- type: PACKAGE
url: https://pypi.org/project/aodh
- type: ADVISORY
url: https://github.com/advisories/GHSA-86cv-9gpx-6hwj
34 changes: 34 additions & 0 deletions vulns/calibreweb/PYSEC-0000-calibreweb-GHSA-wrp6-9w7f-3wxg.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
id: PYSEC-0000-calibreweb-GHSA-wrp6-9w7f-3wxg
modified: '2026-07-02T14:13:14.959672Z'
published: '2026-07-02T14:13:14.959672Z'
aliases:
- CVE-2021-4170
- GHSA-wrp6-9w7f-3wxg
summary: calibre-web is vulnerable to Cross-site Scripting
details: calibre-web is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
severity:
- type: CVSS_V3
score: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
affected:
- package:
ecosystem: PyPI
name: calibreweb
purl: pkg:pypi/calibreweb
ranges:
- type: ECOSYSTEM
events:
- introduced: '0'
- fixed: 0.6.15
references:
- type: ADVISORY
url: https://nvd.nist.gov/vuln/detail/CVE-2021-4170
- type: WEB
url: https://github.com/janeczku/calibre-web/commit/7ad419dc8c12180e842a82118f4866ac3d074bc5
- type: WEB
url: https://github.com/janeczku/calibre-web
- type: WEB
url: https://huntr.dev/bounties/ff395101-e392-401d-ab4f-579c63fbf6a0
- type: PACKAGE
url: https://pypi.org/project/calibreweb
- type: ADVISORY
url: https://github.com/advisories/GHSA-wrp6-9w7f-3wxg
34 changes: 34 additions & 0 deletions vulns/calibreweb/PYSEC-0000-calibreweb-GHSA-wxr6-29pv-ch68.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
id: PYSEC-0000-calibreweb-GHSA-wxr6-29pv-ch68
modified: '2026-07-02T14:13:14.881686Z'
published: '2026-07-02T14:13:14.881686Z'
aliases:
- CVE-2021-4164
- GHSA-wxr6-29pv-ch68
summary: calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)
details: calibre-web is vulnerable to Cross-Site Request Forgery (CSRF)
severity:
- type: CVSS_V3
score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
affected:
- package:
ecosystem: PyPI
name: calibreweb
purl: pkg:pypi/calibreweb
ranges:
- type: ECOSYSTEM
events:
- introduced: '0'
- fixed: 0.6.15
references:
- type: ADVISORY
url: https://nvd.nist.gov/vuln/detail/CVE-2021-4164
- type: WEB
url: https://github.com/janeczku/calibre-web/commit/785726deee13b4d56f6c3503dd57c1e3eb7d6f30
- type: PACKAGE
url: https://github.com/janeczku/calibre-web
- type: WEB
url: https://huntr.dev/bounties/2debace1-a0f3-45c1-95fa-9d0512680758
- type: PACKAGE
url: https://pypi.org/project/calibreweb
- type: ADVISORY
url: https://github.com/advisories/GHSA-wxr6-29pv-ch68
30 changes: 30 additions & 0 deletions vulns/cheetah/PYSEC-0000-cheetah-GHSA-vxf2-7rc3-pxmx.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
id: PYSEC-0000-cheetah-GHSA-vxf2-7rc3-pxmx
modified: '2026-07-02T14:13:19.492605Z'
published: '2026-07-02T14:13:19.492605Z'
aliases:
- CVE-2005-1632
- GHSA-vxf2-7rc3-pxmx
summary: Cheetah Path Search Order Hijacking
details: Cheetah 0.9.15 and 0.9.16 searches the `/tmp` directory for modules before using the paths in the `PYTHONPATH` variable, which allows local users to execute arbitrary code via a malicious module in `/tmp/`.
severity: []
affected:
- package:
ecosystem: PyPI
name: cheetah
purl: pkg:pypi/cheetah
ranges:
- type: ECOSYSTEM
events:
- introduced: 0.9.15
- last_affected: 0.9.16
references:
- type: ADVISORY
url: https://nvd.nist.gov/vuln/detail/CVE-2005-1632
- type: PACKAGE
url: https://github.com/cheetahtemplate/cheetah
- type: WEB
url: https://web.archive.org/web/20050430021153/http://sourceforge.net/mailarchive/forum.php?thread_id=7070332&forum_id=1542
- type: PACKAGE
url: https://pypi.org/project/cheetah
- type: ADVISORY
url: https://github.com/advisories/GHSA-vxf2-7rc3-pxmx
32 changes: 32 additions & 0 deletions vulns/cobbler/PYSEC-0000-cobbler-GHSA-4vc9-4xpq-77vm.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
id: PYSEC-0000-cobbler-GHSA-4vc9-4xpq-77vm
modified: '2026-07-02T14:13:24.191314Z'
published: '2026-07-02T14:13:24.191314Z'
aliases:
- CVE-2016-9605
- GHSA-4vc9-4xpq-77vm
summary: Cobbler Arbitrary File Read
details: A flaw was found in cobbler software component version 2.6.11-1. It suffers from an invalid parameter validation vulnerability, leading the arbitrary file reading. The flaw is triggered by navigating to a vulnerable URL via cobbler-web on a default installation.
severity:
- type: CVSS_V3
score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
affected:
- package:
ecosystem: PyPI
name: cobbler
purl: pkg:pypi/cobbler
ranges:
- type: ECOSYSTEM
events:
- introduced: '0'
- last_affected: 2.6.11-1
references:
- type: ADVISORY
url: https://nvd.nist.gov/vuln/detail/CVE-2016-9605
- type: WEB
url: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9605
- type: PACKAGE
url: https://github.com/cobbler/cobbler
- type: PACKAGE
url: https://pypi.org/project/cobbler
- type: ADVISORY
url: https://github.com/advisories/GHSA-4vc9-4xpq-77vm
42 changes: 42 additions & 0 deletions vulns/cobbler/PYSEC-0000-cobbler-GHSA-9fqr-pqc9-f7pj.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
id: PYSEC-0000-cobbler-GHSA-9fqr-pqc9-f7pj
modified: '2026-07-02T14:13:17.843067Z'
published: '2026-07-02T14:13:17.843067Z'
aliases:
- CVE-2011-4952
- GHSA-9fqr-pqc9-f7pj
summary: Cobbler Web Interface Lacks CSRF Protection
details: 'cobbler: Web interface lacks CSRF protection when using Django framework'
severity:
- type: CVSS_V3
score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
affected:
- package:
ecosystem: PyPI
name: cobbler
purl: pkg:pypi/cobbler
ranges:
- type: ECOSYSTEM
events:
- introduced: '0'
- fixed: 2.6.0
references:
- type: ADVISORY
url: https://nvd.nist.gov/vuln/detail/CVE-2011-4952
- type: WEB
url: https://github.com/cobbler/cobbler/commit/18eb1c06779b37d89dfb2962a08236dd1bab24a6
- type: WEB
url: https://github.com/cobbler/cobbler/commit/4bee30b4086a8d845bea5d39d6f2cba1f4a396aa
- type: WEB
url: https://access.redhat.com/security/cve/cve-2011-4952
- type: WEB
url: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4952
- type: PACKAGE
url: https://github.com/cobbler/cobbler
- type: WEB
url: https://security-tracker.debian.org/tracker/CVE-2011-4952
- type: WEB
url: http://www.openwall.com/lists/oss-security/2012/04/12/10
- type: PACKAGE
url: https://pypi.org/project/cobbler
- type: ADVISORY
url: https://github.com/advisories/GHSA-9fqr-pqc9-f7pj
44 changes: 44 additions & 0 deletions vulns/codechecker/PYSEC-0000-codechecker-GHSA-fxmx-pfm2-85m2.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
id: PYSEC-0000-codechecker-GHSA-fxmx-pfm2-85m2
modified: '2026-07-02T14:13:14.739420Z'
published: '2026-07-02T14:13:14.739420Z'
aliases:
- CVE-2021-44217
- GHSA-fxmx-pfm2-85m2
summary: Cross-site Scripting in Ericsson CodeChecker
details: In Ericsson CodeChecker prior to 6.18.2, a Stored Cross-site scripting (XSS) vulnerability in the comments component of the reports viewer allows remote attackers to inject arbitrary web script or HTML via the POST JSON data of the /CodeCheckerService API.
severity: []
affected:
- package:
ecosystem: PyPI
name: codechecker
purl: pkg:pypi/codechecker
ranges:
- type: ECOSYSTEM
events:
- introduced: '0'
- fixed: 6.18.2
references:
- type: ADVISORY
url: https://nvd.nist.gov/vuln/detail/CVE-2021-44217
- type: WEB
url: https://github.com/Ericsson/codechecker/pull/3549
- type: WEB
url: https://github.com/Ericsson/codechecker/commit/72ee51158e6d81150320223b85410c179b9ee2b1
- type: WEB
url: https://codechecker-demo.eastus.cloudapp.azure.com
- type: PACKAGE
url: https://github.com/Ericsson/codechecker
- type: WEB
url: https://github.com/Ericsson/codechecker/releases
- type: WEB
url: https://github.com/Ericsson/codechecker/releases/tag/v6.18.2
- type: WEB
url: https://github.com/Hyperkopite/CVE-2021-44217/blob/main/README.md
- type: WEB
url: https://github.com/pypa/advisory-database/tree/main/vulns/codechecker-api/PYSEC-2022-43181.yaml
- type: WEB
url: https://user-images.githubusercontent.com/9525971/142965091-e118b012-a7fc-4c2f-ad0c-80aeed6f7ec9.png
- type: PACKAGE
url: https://pypi.org/project/codechecker
- type: ADVISORY
url: https://github.com/advisories/GHSA-fxmx-pfm2-85m2
30 changes: 30 additions & 0 deletions vulns/contentful/PYSEC-0000-contentful-GHSA-g5j6-r3x9-gf2m.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
id: PYSEC-0000-contentful-GHSA-g5j6-r3x9-gf2m
modified: '2026-07-02T14:13:10.258627Z'
published: '2026-07-02T14:13:10.258627Z'
aliases:
- CVE-2020-13258
- GHSA-g5j6-r3x9-gf2m
summary: Cross-site scripting in Contentful
details: Contentful through 2020-05-21 for Python allows reflected XSS, as demonstrated by the api parameter to the-example-app.py.
severity:
- type: CVSS_V3
score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
affected:
- package:
ecosystem: PyPI
name: contentful
purl: pkg:pypi/contentful
ranges:
- type: ECOSYSTEM
events:
- introduced: '0'
- fixed: 1.12.4
references:
- type: ADVISORY
url: https://nvd.nist.gov/vuln/detail/CVE-2020-13258
- type: WEB
url: https://github.com/contentful/the-example-app.py/issues/44
- type: PACKAGE
url: https://pypi.org/project/contentful
- type: ADVISORY
url: https://github.com/advisories/GHSA-g5j6-r3x9-gf2m
Loading