Lucene search
K
NetworktocodeNautobot

17 matches found

CVE
CVE
added 2024/01/22 11:14 p.m.203 views

CVE-2024-23345

Nautobot (Network Source of Truth and Network Automation Platform) versions prior to 1.6.10 and 2.1.2 are vulnerable to cross-site scripting (XSS) in any user-editable field that supports Markdown rendering due to inadequate input sanitization. The issue affects Markdown-enabled fields across the...

7.1CVSS5.1AI score0.00433EPSS
CVE
CVE
added 2025/06/10 3:40 p.m.132 views

CVE-2025-49142

CVE-2025-49142 affects Nautobot prior to 2.4.10 and prior to 1.6.32. The issue arises from misconfigurations in the Jinja2 templating used in computed fields, custom links, etc., allowing a malicious user to expose secret values or to invoke Python APIs to modify data when templated content is re...

7.1CVSS6.4AI score0.00303EPSS
CVE
CVE
added 2023/10/24 2:17 p.m.106 views

CVE-2023-46128

CVE-2023-46128 affects Nautobot (network automation platform built on Django) prior to version 2.0.3. In Nautobot 2.0.x, certain REST API endpoints, when used with the query parameter ?depth=, can cause authenticated users to retrieve hashed (not plaintext) passwords stored in the database. This ...

6.5CVSS6.2AI score0.00529EPSS
CVE
CVE
added 2024/05/28 10:26 p.m.97 views

CVE-2024-36112

CVE-2024-36112 affects Nautobot: in 1.3.0–1.6.22 and 2.0.0–2.2.4, listing members of Dynamic Groups via the UI or API does not enforce member-object permissions, enabling a user with extras.view_dynamicgroup to see all Group members regardless of dcim.view_device. Fixed in Nautobot 1.6.23 and 2.2...

6.5CVSS6.2AI score0.00398EPSS
CVE
CVE
added 2024/05/01 10:49 a.m.74 views

CVE-2024-32979

Nautobot (a Django-based network automation platform) is affected by a Reflected Cross-Site Scripting (XSS) vulnerability due to improper handling and escaping of user-supplied query parameters. All filterable object-list views are susceptible to injecting malicious scripts via crafted URLs, pote...

7.5CVSS7.2AI score0.00491EPSS
CVE
CVE
added 2023/11/22 3:15 p.m.70 views

CVE-2023-48705

Nautobot CVE-2023-48705 affects all Nautobot versions before 1.6.6 and before 2.0.5. Root cause: incorrect usage of Django’s mark_safe() when rendering certain user-authored content (e.g., custom links, job buttons, computed fields). Impact: attackers with permission to create or edit such conten...

7.1CVSS5.8AI score0.00543EPSS
CVE
CVE
added 2024/05/13 7:22 p.m.61 views

CVE-2024-34707

CVE-2024-34707 affects Nautobot where an admin user can modify BANNER_TOP, BANNER_BOTTOM, and BANNER_LOGIN via the /admin/constance/config/ endpoint, enabling insertion of arbitrary HTML and potentially stored XSS across Nautobot pages. Multiple connected sources confirm this risk and describe th...

7.5CVSS6.2AI score0.00606EPSS
CVE
CVE
added 2024/03/26 3:8 a.m.57 views

CVE-2024-29199

CVE-2024-29199 affects Nautobot, where multiple URL endpoints were accessible to unauthenticated users due to default EXEMPT_VIEW_PERMISSIONS behavior. The root cause is improper access control exposing data unless permissions are explicitly granted. The vulnerability is mitigated by fixes in Nau...

5.3CVSS4AI score0.00628EPSS
CVE
CVE
added 2023/02/21 8:51 p.m.56 views

CVE-2023-25657

Summary: CVE-2023-25657 affects Nautobot before 1.5.7, where the Jinja2 template engine was not sandboxed, potentially enabling remote code execution. In Nautobot 1.5.7 and later, sandboxed environments are enabled for Jinja2 rendering for objects such as extras.ComputedField, extras.CustomLink, ...

9.8CVSS9.1AI score0.01526EPSS
CVE
CVE
added 2023/12/22 4:48 p.m.56 views

CVE-2023-51649

CVE-2023-51649 affects Nautobot, a Django-based network automation platform. The issue: when submitting a Job via a Job Button, only the model-level extras.run_job permission is enforced; object-level permissions (permission to run a specific Job) are not checked by the relevant URL/view. Result:...

4.3CVSS4.1AI score0.00448EPSS
CVE
CVE
added 2025/06/10 3:43 p.m.55 views

CVE-2025-49143

Summary: CVE-2025-49143 affects Nautobot before v2.4.10 and v1.6.32. The issue is improper access control on files stored in Nautobot’s MEDIA_ROOT, including DeviceType images and other attachments, which could be retrieved by anonymous users via guessed URLs. Affected versions: Nautobot 2.x vers...

6.3CVSS6.7AI score0.00383EPSS
CVE
CVE
added 2023/12/12 10:17 p.m.50 views

CVE-2023-50263

CVE-2023-50263 (Nautobot) describes an information disclosure vulnerability where unauthenticated access to file storage URLs /files/get/?name=… and /files/download/?name=… is possible in Nautobot 1.x and 2.0.x before 1.6.7 and 2.0.6. The issue stems from the default Django-db-file-storage implem...

5.3CVSS5.1AI score0.00748EPSS
Web
CVE
CVE
added 2026/05/28 4:57 p.m.24 views

CVE-2026-44798

CVE-2026-44798 affects Nautobot before versions 2.4.33 and 3.1.2, where a user with access to add/change a GitRepository could misuse the REST API to directly set the repository’s current_head field, which was not intended to be user-editable. This could cause local clones to checkout a non-lates...

7.1CVSS5.8AI score0.00277EPSS
CVE
CVE
added 2026/05/28 5:0 p.m.20 views

CVE-2026-44796

Nautobot contains a DoS vulnerability in UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) where maliciously crafted regular expressions in the find field, when used with the use_regex flag, can cause an application-wide denial of service. The issue affects pre-fix versions ...

6.5CVSS5.8AI score0.00312EPSS
CVE
CVE
added 2026/05/28 5:1 p.m.19 views

CVE-2026-44794

Summary of CVE-2026-44794 Nautobot’s REST API, prior to versions 2.4.33 and 3.1.2, failed to enforce user permissions when validating inter-object references made via GenericForeignKey during create/update of objects containing such references. This could allow a user to reference an object they ...

5.4CVSS5.8AI score0.00177EPSS
CVE
CVE
added 2026/05/28 4:59 p.m.19 views

CVE-2026-44797

Nautobot fixes CVE-2026-44797: the Webhook data model could be configured by users with sufficient access to issue requests to internal hosts/IPs, enabling SSRF-like behavior. Affected versions prior to 2.4.33 and 3.1.2 are impacted; remediation is to upgrade Nautobot to 2.4.33 or 3.1.2 or newer....

8.5CVSS5.8AI score0.00235EPSS
CVE
CVE
added 2026/03/31 7:27 p.m.10 views

CVE-2026-34203

CVE-2026-34203 affects Nautobot where, before versions 2.4.30 and 3.0.10, creating or editing users via the REST API did not apply Django’s password validators (AUTH_PASSWORD_VALIDATORS). This could allow weak passwords if Nautobot’s nautobot_config.py did not configure validators. The issue has ...

4.3CVSS5.8AI score0.00245EPSS