15 matches found

EUVD
added 2025/10/22 3:40 p.m., 5 views

EUVD-2025-35304

Nautobot Single Source of Truth (SSoT) is an app for Nautobot. Prior to version 3.10.0, an unauthenticated attacker could access this page to view the ServiceNow public instance name, e.g. companyname.service-now.com. This is considered low-value information. This does not expose the Secret, the...

CVSS 5.3 | AI score 6.5 | EPSS 0.00268
Exploits 0 | References 5
Cvelist
added 2025/10/21 12:00 a.m., 10 views

CVE-2025-60511

Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openaichat/api/completion.php. An authenticated student can impersonate another user's block, e.g., administrator...

EPSS 0.00232
Exploits 0 | References 4
CVE
added 2024/05/01 10:49 a.m., 71 views

CVE-2024-32979

Nautobot (a Django-based network automation platform) is affected by a Reflected Cross-Site Scripting (XSS) vulnerability due to improper handling and escaping of user-supplied query parameters. All filterable object-list views are susceptible to injecting malicious scripts via crafted URLs, pote...

CVSS 7.5 | AI score 7.2 | EPSS 0.00491
Exploits 0 | References 4 | Affected Software 1
CVE
added 2024/03/26 3:08 a.m., 55 views

CVE-2024-29199

CVE-2024-29199 affects Nautobot, where multiple URL endpoints were accessible to unauthenticated users due to default EXEMPT_VIEW_PERMISSIONS behavior. The root cause is improper access control exposing data unless permissions are explicitly granted. The vulnerability is mitigated by fixes in Nau...

CVSS 5.3 | AI score 4 | EPSS 0.00628
Exploits 0 | References 7 | Affected Software 1
Prion
added 2024/01/23 12:15 a.m., 22 views

Cross site scripting

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable fields that suppo...

CVSS 4.9 | AI score 5.9 | EPSS 0.00433
Exploits 0 | References 5 | Affected Software 1
CVE
added 2024/01/22 11:14 p.m., 202 views

CVE-2024-23345

Nautobot (Network Source of Truth and Network Automation Platform) versions prior to 1.6.10 and 2.1.2 are vulnerable to cross-site scripting (XSS) in any user-editable field that supports Markdown rendering due to inadequate input sanitization. The issue affects Markdown-enabled fields across the...

CVSS 7.1 | AI score 5.1 | EPSS 0.00433
Exploits 0 | References 5 | Affected Software 1
Akamai Blog
added 2024/01/10 10:20 a.m., 2 views

Make Git Your Single Source of Truth for Application and Infrastructure Delivery

...

AI score 7
Exploits 0
NVD
added 2023/12/22 5:15 p.m., 19 views

CVE-2023-51649

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level extras.run_job permission is checked, i.e., does the user have...

CVSS 4.3 | EPSS 0.00448
Exploits 0 | References 4
CVE
added 2023/12/22 4:48 p.m., 53 views

CVE-2023-51649

CVE-2023-51649 affects Nautobot, a Django-based network automation platform. The issue: when submitting a Job via a Job Button, only the model-level extras.run_job permission is enforced; object-level permissions (permission to run a specific Job) are not checked by the relevant URL/view. Result:...

CVSS 4.3 | AI score 4.1 | EPSS 0.00448
Exploits 0 | References 4 | Affected Software 1
NVD
added 2023/12/12 11:15 p.m., 25 views

CVE-2023-50263

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 1.x and 2.0.x prior to 1.6.7 and 2.0.6, the URLs /files/get/?name=... and /files/download/?name=... are used to provid...

CVSS 5.3 | EPSS 0.00748
Exploits 0 | References 6
Prion
added 2023/11/22 4:15 p.m., 14 views

Cross site scripting

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.6 or 2.0.5 are potentially affected by a cross-site scripting vulnerability. Due to incorrect usage of Django's mark_safe API when rendering certain type...

CVSS 4.9 | AI score 6.2 | EPSS 0.00543
Exploits 0 | References 7 | Affected Software 1
CVE
added 2023/11/22 3:15 p.m., 67 views

CVE-2023-48705

Nautobot CVE-2023-48705 affects all Nautobot versions before 1.6.6 and before 2.0.5. Root cause: incorrect usage of Django's mark_safe() when rendering certain user-authored content (e.g., custom links, job buttons, computed fields). Impact: attackers with permission to create or edit such conten...

CVSS 7.1 | AI score 5.8 | EPSS 0.00543
Exploits 0 | References 7 | Affected Software 1
CVE
added 2023/02/21 8:51 p.m., 53 views

CVE-2023-25657

Summary: CVE-2023-25657 affects Nautobot before 1.5.7, where the Jinja2 template engine was not sandboxed, potentially enabling remote code execution. In Nautobot 1.5.7 and later, sandboxed environments are enabled for Jinja2 rendering for objects such as extras.ComputedField, extras.CustomLink, ...

CVSS 9.8 | AI score 9.1 | EPSS 0.01526
Exploits 0 | References 3 | Affected Software 1
OSV
added 2023/02/21 8:51 p.m., 19 views

CVE-2023-25657 Remote code execution in Jinja2 template rendering in Nautobot

Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions earlier than 1.5.7 are impacted by a remote code execution vulnerability. Nautobot did not properly sandbox Jinja2 template rendering. Nautobot 1.5.7 has enabled sandboxed environments for the...

CVSS 7.5 | AI score 9.5 | EPSS 0.01526
Exploits 0 | References 5
Carbon Black Blog
added 2018/12/12 3:55 p.m., 72 views

Top 5 Threat Hunting Myths: "Threat Hunting Isn't Worth My Time"

The cybersecurity landscape is in a constant state of change and, as many organizations have learned, it's no longer a matter of if you'll face a cyberattack, but when. In today's world, attackers intentionally look normal to evade automated defenses. With the rise of ransomware, fileless and...

AI score 6.9
Exploits 0