{"vulnerability": "cve-2024-4787", "sightings": [{"uuid": "f5a092c4-bd24-4851-92bf-ed29b2670646", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47873", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113505054477519291", "content": "", "creation_timestamp": "2024-11-18T17:08:04.331299Z"}, {"uuid": "3625ae7b-1d74-4153-89a3-2e01c12a520d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47873", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113505700408685113", "content": "", "creation_timestamp": "2024-11-18T19:52:20.606809Z"}, {"uuid": "4da577f0-b2ae-4a6c-bf1a-988b61570831", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47873", "type": "seen", "source": "MISP/1c5c38d6-3401-41ac-be0e-4cf361fa6f51", "content": "", "creation_timestamp": "2025-09-25T00:36:28.000000Z"}, {"uuid": "5f1675fe-8538-4f14-9f20-ca03de65e1ff", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47875", "type": "seen", "source": "https://bsky.app/profile/beikokucyber.bsky.social/post/3ly226ri5cl2t", "content": "", "creation_timestamp": "2025-09-04T21:02:28.442448Z"}, {"uuid": "b8898f63-11a7-4796-be4b-c0f9cb0ee93c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47875", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-03", "content": "", "creation_timestamp": "2026-02-12T11:00:00.000000Z"}, {"uuid": "29d4bb5a-34fd-4dde-9b88-4f70fee7aca6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": 
"9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47875", "type": "published-proof-of-concept", "source": "Telegram/WY-9Xxj10-yIxNz5etQKEpBxWDUt-r9BmVVxJ6woOOCN4dI", "content": "", "creation_timestamp": "2025-09-02T19:00:08.000000Z"}, {"uuid": "4063a53d-10ad-41d9-a756-f37005ef7973", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47875", "type": "published-proof-of-concept", "source": "Telegram/ZajECAXxVemPspodPVVRmSZ4HkKXIVfRoYTrMcXgDznCg3c", "content": "", "creation_timestamp": "2025-09-02T21:00:05.000000Z"}, {"uuid": "4f90413d-df7a-44e4-a88b-eb9871907655", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47873", "type": "seen", "source": "https://t.me/cvedetector/11378", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-48917 - Apache PhpSpreadsheet XXE Encoder Bypass\", \n  \"Content\": \"CVE ID : CVE-2024-48917 \nPublished : Nov. 18, 2024, 8:15 p.m. | 16\u00a0minutes ago \nDescription : PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported `CVE-2024-47873`, the regexes from the `findCharSet` method, which is used for determining the current encoding can be bypassed by using a payload in the encoding UTF-7, and adding at end of the file a comment with the value `encoding=\"UTF-8\"` with `\"`, which is matched by the first regex, so that `encoding='UTF-7'` with single quotes `'` in the XML header is not matched by the second regex. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue. 
\nSeverity: 7.5 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"18 Nov 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-11-18T21:34:11.000000Z"}, {"uuid": "76ecd381-a6e2-427c-a312-7f5d5e21a02a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47873", "type": "seen", "source": "https://t.me/cvedetector/11368", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47873 - PhpSpreadsheet XXE Payload Bypass Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-47873 \nPublished : Nov. 18, 2024, 5:15 p.m. | 42\u00a0minutes ago \nDescription : PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` method and the findCharSet method can be bypassed by using UCS-4 and encoding guessing. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue. 
\nSeverity: 7.5 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"18 Nov 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-11-18T19:03:53.000000Z"}, {"uuid": "3407f455-ba77-4d6c-be36-85475fab215e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47879", "type": "seen", "source": "https://t.me/cvedetector/8864", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47879 - OpenRefine CSRF rststem Execution Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-47879 \nPublished : Oct. 24, 2024, 9:15 p.m. | 36\u00a0minutes ago \nDescription : OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue. 
\nSeverity: 7.6 | HIGH \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"24 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-25T00:21:44.000000Z"}, {"uuid": "f5c99eeb-8cb0-47bf-b2be-053655b7d930", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47878", "type": "seen", "source": "https://t.me/cvedetector/8860", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47878 - OpenRefine Unvalidated Script Injection Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-47878 \nPublished : Oct. 24, 2024, 9:15 p.m. | 36\u00a0minutes ago \nDescription : OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `\",\n  \"Detection Date\": \"24 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-25T00:21:38.000000Z"}, {"uuid": "a3c0065e-5e5b-4f71-bb6d-02d6e42fc3f8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47877", "type": "seen", "source": "https://t.me/cvedetector/7712", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47877 - Extract Library Symlink Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-47877 \nPublished : Oct. 11, 2024, 5:15 p.m. | 16\u00a0minutes ago \nDescription : Extract is a Go library to extract archives in zip, tar.gz or tar.bz2 formats. A maliciously crafted archive may allow an attacker to create a symlink outside the extraction target directory. This vulnerability is fixed in 4.0.0. 
If you're using the Extractor.FS interface, then upgrading to /v4 will require to implement the new methods that have been added. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"11 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-11T19:33:22.000000Z"}, {"uuid": "4c10c373-788b-4e31-8aa3-50333c0c2abf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47875", "type": "seen", "source": "https://t.me/cvedetector/7686", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47875 - DOMPurify Cross-Site Scripting\", \n  \"Content\": \"CVE ID : CVE-2024-47875 \nPublished : Oct. 11, 2024, 3:15 p.m. | 31\u00a0minutes ago \nDescription : DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3. \nSeverity: 10.0 | CRITICAL \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"11 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-11T17:51:49.000000Z"}, {"uuid": "80cc50cf-df84-43e0-957d-67871cf91375", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47872", "type": "seen", "source": "https://t.me/cvedetector/7654", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47872 - Gradio Cross-Site Scripting (XSS) Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-47872 \nPublished : Oct. 10, 2024, 11:15 p.m. | 34\u00a0minutes ago \nDescription : Gradio is an open-source Python package designed for quick prototyping. 
This vulnerability involves **Cross-Site Scripting (XSS)** on any Gradio server that allows file uploads. Authenticated users can upload files such as HTML, JavaScript, or SVG files containing malicious scripts. When other users download or view these files, the scripts will execute in their browser, allowing attackers to perform unauthorized actions or steal sensitive information from their sessions. This impacts any Gradio server that allows file uploads, particularly those using components that process or display user-uploaded files. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can restrict the types of files that can be uploaded to the Gradio server by limiting uploads to non-executable file types such as images or text. Additionally, developers can implement server-side validation to sanitize uploaded files, ensuring that HTML, JavaScript, and SVG files are properly handled or rejected before being stored or displayed to users. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"11 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-11T01:58:10.000000Z"}, {"uuid": "27f949ee-20b9-4e65-a5b3-3bdc9e345eee", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47871", "type": "seen", "source": "https://t.me/cvedetector/7653", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47871 - Gradio FRP Insecure Communication RCE\", \n  \"Content\": \"CVE ID : CVE-2024-47871 \nPublished : Oct. 10, 2024, 11:15 p.m. | 34\u00a0minutes ago \nDescription : Gradio is an open-source Python package designed for quick prototyping. 
This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio's `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"11 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-11T01:58:10.000000Z"}, {"uuid": "f0aa7ed9-5403-4ba1-a4bc-47cb3ce38940", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47870", "type": "seen", "source": "https://t.me/cvedetector/7648", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47870 - Gradio URL Hijacking Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-47870 \nPublished : Oct. 10, 2024, 11:15 p.m. | 34\u00a0minutes ago \nDescription : Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **race condition** in the `update_root_in_config` function, allowing an attacker to modify the `root` URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server. 
This could lead to the interception of sensitive data such as authentication credentials or uploaded files. This impacts all users who connect to a Gradio server, especially those exposed to the internet, where malicious actors could exploit this race condition. Users are advised to upgrade to `gradio>=5` to address this issue. There are no known workarounds for this issue. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"11 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-11T01:58:03.000000Z"}, {"uuid": "62475ba9-8272-489f-a7c3-76192bebab9e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47874", "type": "seen", "source": "https://t.me/cvedetector/7931", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47874 - Starlette Multipart Form Field Denial of Service Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-47874 \nPublished : Oct. 15, 2024, 4:15 p.m. | 19\u00a0minutes ago \nDescription : Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload arbitrary large form fields and cause Starlette to both slow down significantly due to excessive memory allocations and copy operations, and also consume more and more memory until the server starts swapping and grinds to a halt, or the OS terminates the server process with an OOM error. Uploading multiple such requests in parallel may be enough to render a service practically unusable, even if reasonable request size limits are enforced by a reverse proxy in front of Starlette. 
This Denial of service (DoS) vulnerability affects all applications built with Starlette (or FastAPI) accepting form requests. Version 0.40.0 fixes this issue. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"15 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-15T18:36:50.000000Z"}, {"uuid": "1f2bfc9f-ce81-4440-88eb-8e5c7329728f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47876", "type": "seen", "source": "https://t.me/cvedetector/7932", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-47876 - Sakai Roleview Kernel User Authentication Bypass\", \n  \"Content\": \"CVE ID : CVE-2024-47876 \nPublished : Oct. 15, 2024, 4:15 p.m. | 19\u00a0minutes ago \nDescription : Sakai is a Collaboration and Learning Environment. Starting in version 23.0 and prior to version 23.2, kernel users created with type roleview can log in as a normal user. This can result in illegal access being granted to the system. Version 23.3 fixes this vulnerability. 
\nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"15 Oct 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-10-15T18:36:54.000000Z"}, {"uuid": "67b8b06f-6bc8-40e0-b848-12207a3dee77", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47873", "type": "seen", "source": "Telegram/XbzNykNWGXm_6ZX2UF7ghboXRUl3-qKeYhpGWT2smNTQTNvH", "content": "", "creation_timestamp": "2025-03-08T04:35:51.000000Z"}, {"uuid": "c34bbc59-6d3a-4886-876a-b1cc3f57875c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2024-47873", "type": "published-proof-of-concept", "source": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-jw4x-v69f-hh5w", "content": "", "creation_timestamp": "2024-11-16T00:07:05.000000Z"}, {"uuid": "5e7ddb16-5b45-4e1d-b9e5-1cfd87fad6d4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2024-47878", "type": "published-proof-of-concept", "source": "https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-pw3x-c5vp-mfc3", "content": "", "creation_timestamp": "2024-10-24T06:01:01.000000Z"}, {"uuid": "39caf9e7-42be-49e9-bd8d-9d7a782f9306", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2024-47874", "type": "published-proof-of-concept", "source": "https://github.com/Kludex/starlette/security/advisories/GHSA-f96h-pmfr-66vw", "content": "", "creation_timestamp": "2024-10-15T06:56:14.000000Z"}, {"uuid": "6a5b491d-b2a3-4314-85b3-1a18ae0a38f4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", 
"author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-47874", "type": "seen", "source": "https://gist.github.com/lesnargitonga/ded68f9d3d270cc386fe7c2227970ebc", "content": "# Security audit summary \u2014 branch: 
security/major-upgrades-finalize\n\nRun date: 2026-05-28\n\nOverview:\n\n- Bandit: 50 low-severity findings reported (no medium/high). See `logs/security/bandit.json` for details.\n- pip-audit: Found 5 known vulnerabilities across 3 packages. Notable packages:\n  - `orjson` \u2014 CVE-2025-67221 (upgrade to >= 3.11.6)\n  - `pytest` \u2014 CVE-2025-71176 (upgrade to >= 9.0.3)\n  - `starlette` \u2014 several advisories (see `logs/security/pip_audit.json`) with recommended fix versions.\n- safety: invocation failed due to CLI flag mismatch; see `logs/security/safety.json` for raw output.\n\nRecommendations / next steps:\n\n1. Prioritize fixing dependency CVEs: bump `orjson` and `starlette` (and evaluate `pytest` upgrade impact in CI).\n2. Triage Bandit low-severity findings and address obvious issues (input validation, use of assert, etc.).\n3. Fix `scripts/security_audit.sh` safety invocation (remove `--full-report` or use supported flags) so `safety` can produce JSON output.\n4. Add automated dependency upgrade PRs (dependabot or scripted pin bump) and run CI test matrix.\n\nRaw scan outputs attached as a private gist and in `logs/security/` in JSON format.\n", "creation_timestamp": "2026-05-28T19:29:34.000000Z"}]}
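The audit summary in the last sighting recommends bumping `orjson` and `starlette` to the advisories' fix versions, and the pip-audit JSON above shows why that needs a little care: `starlette` 0.38.6 carries two advisories with different fix versions (0.40.0 and 1.0.1), and an advisory can list one fix per release line. The script below is an added example, not part of the sighting record and not pip-audit's own code. It reads a report in the `--format json` layout visible on this page (`dependencies` -> `name`, `version`, `vulns[].id`, `vulns[].fix_versions`) and computes, per package, the single version to upgrade to so that every listed advisory is covered. The embedded report is constructed for illustration: the `starlette` and `orjson` entries mirror the page, while `examplelib` and `nofixlib` are hypothetical packages added to exercise the multi-release-line and no-fix cases. Version comparison is a deliberately dependency-free numeric comparison, not full PEP 440 (use `packaging.version.Version` in production).

```python
"""Triage a pip-audit JSON report: which packages to bump, and to what version."""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample in the pip-audit --format json layout shown on this page.
# starlette/orjson mirror the page's report; examplelib and nofixlib are hypothetical.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "requests", "version": "2.34.2", "vulns": []},
        {"name": "starlette", "version": "0.38.6", "vulns": [
            {"id": "PYSEC-2026-161", "fix_versions": ["1.0.1"],
             "aliases": ["GHSA-86qp-5c8j-p5mr"], "description": "Host header path injection"},
            {"id": "CVE-2024-47874", "fix_versions": ["0.40.0"],
             "aliases": ["GHSA-f96h-pmfr-66vw"], "description": "unbounded form field buffering"},
        ]},
        {"name": "orjson", "version": "3.11.0", "vulns": [
            {"id": "CVE-2025-67221", "fix_versions": ["3.11.6"], "aliases": [], "description": ""},
        ]},
        # Hypothetical: one fix per release line, installed version sits on the 2.x line.
        {"name": "examplelib", "version": "2.2.0", "vulns": [
            {"id": "HYPO-0001", "fix_versions": ["1.9.4", "2.3.2", "3.4.0"], "aliases": [], "description": ""},
        ]},
        # Hypothetical: advisory published before any fixed release exists.
        {"name": "nofixlib", "version": "0.9.0", "vulns": [
            {"id": "HYPO-0002", "fix_versions": [], "aliases": [], "description": ""},
        ]},
    ],
    "fixes": [],
})


def parse_version(text: str) -> Tuple[int, ...]:
    """Comparison key for a numeric release ("0.40.0" -> (0, 40)).

    Trailing zeros are dropped so "1.0" == "1.0.0". Pre/post-release suffixes
    are ignored ("1.0.0rc1" compares as 1.0.0); this is not full PEP 440.
    """
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        return (0,)
    parts = [int(p) for p in match.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def upgrade_target(installed: str, fix_versions: List[str]) -> str:
    """Smallest fixed release at or above the installed version, else the newest fix.

    Advisories that patch several release lines list one version per line;
    picking the smallest fix >= installed keeps the bump within the current
    line when that line has a fix. Returns "" when no fix is published.
    """
    if not fix_versions:
        return ""
    current = parse_version(installed)
    for fix in sorted(fix_versions, key=parse_version):
        if parse_version(fix) >= current:
            return fix
    return max(fix_versions, key=parse_version)


def triage(report_json: str) -> Dict[str, dict]:
    """Map each vulnerable package to the one version that covers all its advisories."""
    report = json.loads(report_json)
    result: Dict[str, dict] = {}
    for dep in report.get("dependencies", []):
        vulns = dep.get("vulns") or []
        if not vulns:
            continue  # clean package, nothing to do
        targets = [upgrade_target(dep["version"], v.get("fix_versions") or []) for v in vulns]
        fixed = [t for t in targets if t]
        result[dep["name"]] = {
            "installed": dep["version"],
            # The highest per-advisory target satisfies every advisory at once.
            "upgrade_to": max(fixed, key=parse_version) if fixed else None,
            "unfixed": [v["id"] for v, t in zip(vulns, targets) if not t],
            "advisories": [v["id"] for v in vulns],
        }
    return result


def summary_lines(triaged: Dict[str, dict]) -> List[str]:
    """Render the triage in the same shape as the page's audit summary."""
    total = sum(len(p["advisories"]) for p in triaged.values())
    lines = [f"pip-audit: Found {total} known vulnerabilities across {len(triaged)} packages."]
    for name in sorted(triaged):
        pkg = triaged[name]
        ids = ", ".join(pkg["advisories"])
        if pkg["upgrade_to"]:
            lines.append(f"  - {name} {pkg['installed']}: upgrade to >= {pkg['upgrade_to']} ({ids})")
        else:
            lines.append(f"  - {name} {pkg['installed']}: no fixed release yet ({ids})")
    return lines


if __name__ == "__main__":
    print("\n".join(summary_lines(triage(SAMPLE_REPORT))))
```

Run it against a real report with `pip-audit --format json -o logs/security/pip_audit.json` and `json.load` the file in place of `SAMPLE_REPORT`; the `unfixed` list is the set of advisories that an upgrade alone cannot close and that need a compensating control or a tracked exception.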
