| Action | Severity | Advisory | Title | Affected versions | Patched version | From |
|---|---|---|---|---|---|---|
| Block | Critical | GHSA-frmv-pr5f-9mcr | Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects | >= 5.2a1 < 5.2.8; >= 5.0a1 < 5.1.14; < 4.2.26 | 5.2.8 | pyproject.toml → pypi/django@5.2.4 |
| Block | Critical | GHSA-frmv-pr5f-9mcr | Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects | >= 5.2a1 < 5.2.8; >= 5.0a1 < 5.1.14; < 4.2.26 | 5.2.8 | integration_tests/django5/pyproject.toml → pypi/django@5.2.7 |
| Block | Critical | GHSA-2ww3-72rp-wpp4 | Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK | < 1.39.3 | 1.39.3 | examples/example-ai-semantic-kernel/pyproject.toml → pypi/semantic-kernel@1.36.0 |
| Block | Critical | GHSA-xjw9-4gw8-4rqx | Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution | < 1.39.4 | 1.39.4 | examples/example-ai-semantic-kernel/pyproject.toml → pypi/semantic-kernel@1.36.0 |
| Warn | High | GHSA-6w2r-r2m5-xq5w | Django is subject to SQL injection through its column aliases | < 4.2.24; >= 5.0a1 < 5.1.12; >= 5.2a1 < 5.2.6 | 5.2.6 | pyproject.toml → pypi/django@5.2.4 |
| Warn | High | GHSA-gvg8-93h5-g6qq | Django has an SQL Injection issue | >= 6.0a1 < 6.0.2; >= 5.2a1 < 5.2.11; >= 4.2a1 < 4.2.28 | 5.2.11 | pyproject.toml → pypi/django@5.2.4 |
| Warn | High | GHSA-mwm9-4648-f68q | Django has an SQL Injection issue | >= 6.0a1 < 6.0.2; >= 5.2a1 < 5.2.11; >= 4.2a1 < 4.2.28 | 5.2.11 | pyproject.toml → pypi/django@5.2.4 |
| Warn | High | GHSA-mvfq-ggxm-9mc5 | Django vulnerable to ASGI header spoofing via underscore/hyphen conflation | >= 6.0 < 6.0.4; >= 5.2 < 5.2.13; >= 4.2 < 4.2.30 | 5.2.13 | pyproject.toml → pypi/django@5.2.4 |
| Warn | High | GHSA-8p8v-wh79-9r56 | Django vulnerable to Uncontrolled Resource Consumption | >= 6.0 < 6.0.3; >= 5.2 < 5.2.12; >= 4.2 < 4.2.29 | 5.2.12 | pyproject.toml → pypi/django@5.2.4 |
| Warn | High | GHSA-933h-hp56-hf7m | Django: SGI requests with a missing or understated Content-Length header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit | >= 6.0 < 6.0.4; >= 5.2 < 5.2.13; >= 4.2 < 4.2.30 | 5.2.13 | pyproject.toml → pypi/django@5.2.4 |
| Warn | High | GHSA-hpr9-3m2g-3j9p | Django vulnerable to SQL injection in column aliases | >= 4.2 < 4.2.25; >= 5.1 < 5.1.13; >= 5.2 < 5.2.7 | 5.2.7 | pyproject.toml → pypi/django@5.2.4 |
| Warn | High | GHSA-qw25-v68c-qjf3 | Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows | >= 5.2a1 < 5.2.8; >= 5.0a1 < 5.1.14; < 4.2.26 | 5.2.8 | pyproject.toml → pypi/django@5.2.4 |
| Warn | High | GHSA-gvg8-93h5-g6qq | Django has an SQL Injection issue | >= 6.0a1 < 6.0.2; >= 5.2a1 < 5.2.11; >= 4.2a1 < 4.2.28 | 5.2.11 | integration_tests/django5/pyproject.toml → pypi/django@5.2.7 |
| Warn | High | GHSA-mwm9-4648-f68q | Django has an SQL Injection issue | >= 6.0a1 < 6.0.2; >= 5.2a1 < 5.2.11; >= 4.2a1 < 4.2.28 | 5.2.11 | integration_tests/django5/pyproject.toml → pypi/django@5.2.7 |
| Warn | High | GHSA-8p8v-wh79-9r56 | Django vulnerable to Uncontrolled Resource Consumption | >= 6.0 < 6.0.3; >= 5.2 < 5.2.12; >= 4.2 < 4.2.29 | 5.2.12 | integration_tests/django5/pyproject.toml → pypi/django@5.2.7 |
| Warn | High | GHSA-mvfq-ggxm-9mc5 | Django vulnerable to ASGI header spoofing via underscore/hyphen conflation | >= 6.0 < 6.0.4; >= 5.2 < 5.2.13; >= 4.2 < 4.2.30 | 5.2.13 | integration_tests/django5/pyproject.toml → pypi/django@5.2.7 |
| Warn | High | GHSA-933h-hp56-hf7m | Django: SGI requests with a missing or understated Content-Length header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit | >= 6.0 < 6.0.4; >= 5.2 < 5.2.13; >= 4.2 < 4.2.30 | 5.2.13 | integration_tests/django5/pyproject.toml → pypi/django@5.2.7 |
| Warn | High | GHSA-qw25-v68c-qjf3 | Django has a denial-of-service vulnerability in HttpResponseRedirect and HttpResponsePermanentRedirect on Windows | >= 5.2a1 < 5.2.8; >= 5.0a1 < 5.1.14; < 4.2.26 | 5.2.8 | integration_tests/django5/pyproject.toml → pypi/django@5.2.7 |
| Warn | High | GHSA-pjwx-r37v-7724 | LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad load() allowlists | >= 1.0.0 < 1.3.3; < 0.3.85 | 1.3.3 | pyproject.toml → pypi/langchain-core@1.2.22 |
| Warn | High | GHSA-pjwx-r37v-7724 | LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad load() allowlists | >= 1.0.0 < 1.3.3; < 0.3.85 | 1.3.3 | examples/example-ai-langchain/uv.lock → pypi/langchain-core@1.2.23 |
| Warn | High | GHSA-wxxx-gvqv-xp7p | LiteLLM has a sandbox escape in custom-code guardrail | >= 1.81.8 < 1.83.10 | 1.83.10 | examples/example-ai-crewai/pyproject.toml → pypi/litellm@1.83.7 |
| Warn | High | GHSA-vfmq-68hx-4jfw | lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files | < 6.1.0 | 6.1.0 | pyproject.toml → pypi/lxml@6.0.0 |
| Warn | High | GHSA-8rrh-rw8j-w5fx | Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack | >= 0.40.0 < 0.46.2 | 0.46.2 | pyproject.toml → pypi/wheel@0.45.1 |

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/django@5.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.