Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/apache-airflow@2.10.1
Typepypi
Namespace
Nameapache-airflow
Version2.10.1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.2.0
Latest_non_vulnerable_version3.2.0
Affected_by_vulnerabilities
0
url VCID-2xr2-w3hk-auck
vulnerability_id VCID-2xr2-w3hk-auck
summary 
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.

Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
references
0
reference_url https://github.com/apache/airflow/pull/61641
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://github.com/apache/airflow/pull/61641
1
reference_url https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url https://lists.apache.org/thread/6whgpkqbh12rvpfmvcg8b0vwlv4hq3po
2
reference_url http://www.openwall.com/lists/oss-security/2026/04/17/9
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
url http://www.openwall.com/lists/oss-security/2026/04/17/9
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases CVE-2026-25917, PYSEC-2026-13
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2xr2-w3hk-auck
1
url VCID-91n6-evww-zybp
vulnerability_id VCID-91n6-evww-zybp
summary In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/expose_stack_traces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
references
0
reference_url https://github.com/apache/airflow/pull/63028
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/63028
1
reference_url https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/tp6kz1hnfb3zsrrtg19myo8x5x80w8r9
2
reference_url http://www.openwall.com/lists/oss-security/2026/04/17/5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2026/04/17/5
fixed_packages
0
url pkg:pypi/apache-airflow@3.2.0
purl pkg:pypi/apache-airflow@3.2.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.2.0
aliases CVE-2026-30912, PYSEC-2026-18
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-91n6-evww-zybp
2
url VCID-dh4r-77xc-cbas
vulnerability_id VCID-dh4r-77xc-cbas
summary 
Improper Input Validation vulnerability in the Apache Airflow Sqoop Provider.

This issue affects Apache Airflow Sqoop Provider versions before 3.1.1.
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/29500
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://github.com/apache/airflow/pull/29500
2
reference_url https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://lists.apache.org/thread/79qn8g5xbq036f8crb115obvr22l52q4
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-25693
reference_id CVE-2023-25693
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-25693
4
reference_url https://github.com/advisories/GHSA-j69x-v4wc-3fpf
reference_id GHSA-j69x-v4wc-3fpf
reference_type
scores
url https://github.com/advisories/GHSA-j69x-v4wc-3fpf
fixed_packages
0
url pkg:pypi/apache-airflow@3.1.1
purl pkg:pypi/apache-airflow@3.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2b14-1bp2-gua6
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-5hxx-r2d2-9ybk
3
vulnerability VCID-91n6-evww-zybp
4
vulnerability VCID-9j1n-cypf-p7g5
5
vulnerability VCID-etmw-7eq5-mqa2
6
vulnerability VCID-ezmu-8g1y-e3hz
7
vulnerability VCID-geg4-1kgh-akde
8
vulnerability VCID-hkwf-65vr-dkfz
9
vulnerability VCID-knrd-atwy-gubn
10
vulnerability VCID-snqz-3f8t-syhd
11
vulnerability VCID-t3ap-dzfp-1bd6
12
vulnerability VCID-tbb9-myv7-a7h4
13
vulnerability VCID-w56f-fmkf-dkfv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.1
aliases CVE-2023-25693, GHSA-j69x-v4wc-3fpf, PYSEC-2023-314
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dh4r-77xc-cbas
3
url VCID-t3ap-dzfp-1bd6
vulnerability_id VCID-t3ap-dzfp-1bd6
summary 
In Apache Airflow versions before 3.1.6, and 2.11.1 the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed.

Users are recommended to upgrade to 3.1.6 or later for Airflow 3, and 2.11.1 or later for Airflow 2 which fixes this issue
references
0
reference_url https://github.com/apache/airflow
reference_id
reference_type
scores
url https://github.com/apache/airflow
1
reference_url https://github.com/apache/airflow/pull/59688
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://github.com/apache/airflow/pull/59688
2
reference_url https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://lists.apache.org/thread/x6kply4nqd4vc4wgxtm6g9r2tt63s8c5
3
reference_url http://www.openwall.com/lists/oss-security/2026/01/15/6
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url http://www.openwall.com/lists/oss-security/2026/01/15/6
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-68675
reference_id CVE-2025-68675
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-68675
5
reference_url https://github.com/advisories/GHSA-7c2f-r6gc-h92h
reference_id GHSA-7c2f-r6gc-h92h
reference_type
scores
url https://github.com/advisories/GHSA-7c2f-r6gc-h92h
fixed_packages
0
url pkg:pypi/apache-airflow@2.11.1
purl pkg:pypi/apache-airflow@2.11.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-91n6-evww-zybp
2
vulnerability VCID-dh4r-77xc-cbas
3
vulnerability VCID-t3ap-dzfp-1bd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.11.1
1
url pkg:pypi/apache-airflow@3.1.6
purl pkg:pypi/apache-airflow@3.1.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2b14-1bp2-gua6
1
vulnerability VCID-2xr2-w3hk-auck
2
vulnerability VCID-5hxx-r2d2-9ybk
3
vulnerability VCID-91n6-evww-zybp
4
vulnerability VCID-9j1n-cypf-p7g5
5
vulnerability VCID-etmw-7eq5-mqa2
6
vulnerability VCID-geg4-1kgh-akde
7
vulnerability VCID-hkwf-65vr-dkfz
8
vulnerability VCID-knrd-atwy-gubn
9
vulnerability VCID-tbb9-myv7-a7h4
10
vulnerability VCID-w56f-fmkf-dkfv
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@3.1.6
aliases CVE-2025-68675, GHSA-7c2f-r6gc-h92h, PYSEC-2026-10
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t3ap-dzfp-1bd6
4
url VCID-u5wv-47m4-8yd6
vulnerability_id VCID-u5wv-47m4-8yd6
summary Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.
references
0
reference_url https://github.com/apache/airflow/pull/43040
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/43040
1
reference_url https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
reference_id
reference_type
scores
url https://lists.apache.org/thread/k2jm55jztlbmk4zrlh10syvq3n57hl4h
2
reference_url http://www.openwall.com/lists/oss-security/2024/11/15/1
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2024/11/15/1
fixed_packages
0
url pkg:pypi/apache-airflow@2.10.3
purl pkg:pypi/apache-airflow@2.10.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-91n6-evww-zybp
2
vulnerability VCID-dh4r-77xc-cbas
3
vulnerability VCID-t3ap-dzfp-1bd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.3
aliases CVE-2024-45784, PYSEC-2024-182
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u5wv-47m4-8yd6
Fixing_vulnerabilities
0
url VCID-56eq-awhd-d3fr
vulnerability_id VCID-56eq-awhd-d3fr
summary 
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. 
Users are advised to upgrade to version 2.10.1 or later, which has fixed the vulnerability.
references
0
reference_url https://github.com/apache/airflow/pull/41672
reference_id
reference_type
scores
url https://github.com/apache/airflow/pull/41672
1
reference_url https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx
reference_id
reference_type
scores
url https://lists.apache.org/thread/b4fcw33vh60yfg9990n5vmc7sy2dcgjx
2
reference_url http://www.openwall.com/lists/oss-security/2024/09/06/3
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2024/09/06/3
fixed_packages
0
url pkg:pypi/apache-airflow@2.10.1
purl pkg:pypi/apache-airflow@2.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2xr2-w3hk-auck
1
vulnerability VCID-91n6-evww-zybp
2
vulnerability VCID-dh4r-77xc-cbas
3
vulnerability VCID-t3ap-dzfp-1bd6
4
vulnerability VCID-u5wv-47m4-8yd6
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.1
aliases CVE-2024-45034, PYSEC-2024-212
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-56eq-awhd-d3fr
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/apache-airflow@2.10.1