VYPR

PyPI package

nautobot

pkg:pypi/nautobot

Vulnerabilities (16)

  • CVE-2026-44798 · High · May 13, 2026
    affected: >= 3.0.0a2, < 3.1.2 · fixed: 3.1.2

    Impact: A user with access to add/change a GitRepository record could use the REST API to directly set the `current_head` field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to checkout a c

  • CVE-2026-44797 · High · May 13, 2026
    affected: >= 3.0.0a2, < 3.1.2 · fixed: 3.1.2

    Impact: Nautobot's `Webhook` data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be permitted, allowing for various behaviors similar to server-side request forgery (SS

  • CVE-2026-44796 · May 13, 2026
    affected: >= 3.0.0a2, < 3.1.2 · fixed: 3.1.2

    Impact: Nautobot UI object-bulk-rename endpoints (for example, `/dcim/interfaces/rename/`) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in the `find` field in combination with the `use_regex` flag. Patches: A general-p

  • CVE-2026-44794 · May 13, 2026
    affected: >= 3.0.0a2, < 3.1.2 · fixed: 3.1.2

    Impact: In the case of inter-object references via `GenericForeignKey` (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a `GenericForeignKe

  • CVE-2026-34203 · Low · Mar 31, 2026
    affected: < 2.4.30 · fixed: 2.4.30

    Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty lis

  • CVE-2025-49143 · Jun 10, 2025
    affected: < 1.6.32 · fixed: 1.6.32

    Nautobot is a Network Source of Truth and Network Automation Platform. Prior to v2.4.10 and v1.6.32 , files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users

  • CVE-2024-36112 · May 28, 2024
    affected: >= 1.3.0, < 1.6.23 · fixed: 1.6.23

    Nautobot is a Network Source of Truth and Network Automation Platform. A user with permissions to view Dynamic Group records (`extras.view_dynamicgroup` permission) can use the Dynamic Group detail UI view (`/extras/dynamic-groups//`) and/or the members REST API view (`/api

  • CVE-2024-34707 · May 13, 2024
    affected: < 1.6.22 · fixed: 1.6.22

    Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `/admin/constance/config/` endpoint. Normally these settings are used to pr

  • CVE-2024-32979 · May 1, 2024
    affected: >= 1.5.0, < 1.6.20 · fixed: 1.6.20

    Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously cra

  • CVE-2024-29199 · Mar 26, 2024
    affected: < 1.6.16 · fixed: 1.6.16

    Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobo

  • CVE-2024-23345 · Jan 22, 2024
    affected: >= 2.0.0, < 2.1.2 · fixed: 2.1.2

    Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any user-editable

  • CVE-2023-51649 · Dec 22, 2023
    affected: >= 1.5.14, < 1.6.8 · fixed: 1.6.8

    Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e.,

  • CVE-2023-50263 · Dec 12, 2023
    affected: >= 1.1.0, < 1.6.7 · fixed: 1.6.7

    Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 1.x and 2.0.x prior to 1.6.7 and 2.0.6, the URLs `/files/get/?name=...` and `/files/download/?name=..

  • CVE-2023-48705 · Nov 22, 2023
    affected: < 1.6.6 · fixed: 1.6.6

    Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.6 or 2.0.5 are potentially affected by a cross-site scripting vulnerability. Due to incorrect usage of Django's `mark_safe()` API when

  • CVE-2023-46128 · Oct 24, 2023
    affected: >= 2.0.0, < 2.0.3 · fixed: 2.0.3

    Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=` query parameter, can expose hashed user passwords as stor

  • CVE-2023-25657 · Feb 21, 2023
    affected: < 1.5.7 · fixed: 1.5.7

    Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions earlier than 1.5.7 are impacted by a remote code execution vulnerability. Nautobot did not properly sandbox Jinja2 template rendering. Nautobot 1.5.7 has enabled sandboxed env
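The webhook entry (CVE-2026-44797) describes a server-side request whose destination is chosen by the user who configures the `Webhook`. The check below is an added example of how such a target can be vetted before the request is made; it is the editor's illustration of the vulnerability class, not Nautobot's code and not the fix shipped in 3.1.2. `resolve` is a hypothetical lookup hook supplied by the caller (a real deployment would back it with `socket.getaddrinfo`), `SAMPLE_DNS` is a constructed record set so the script runs offline, and the public-looking addresses in it are placeholders.

```python
"""Vet a webhook target before an outbound request is made on a user's behalf.

Editor's example for this page; not Nautobot's code and not the 3.1.2 fix.
`resolve` is a hypothetical hook injected by the caller so the check runs
offline and so the caller can pin the returned addresses afterwards.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Union
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Ranges the stdlib `is_private` flag does not cover: shared address space (RFC 6598).
EXTRA_DENY = [ipaddress.ip_network("100.64.0.0/10")]


def is_forbidden_address(addr: str) -> bool:
    """True for loopback, private, link-local (169.254.169.254 included),
    multicast, reserved, unspecified and RFC 6598 addresses."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_DENY)


def vet_webhook_url(url: str, resolve: Callable[[str], Iterable[str]]) -> List[str]:
    """Return the addresses the request may be sent to, or raise ValueError.

    Every address a name resolves to is checked, so a record set that mixes a
    public and an internal address is refused outright. The caller should
    connect to the returned addresses instead of resolving the name again,
    and must re-run this check on every redirect target.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in webhook URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("webhook URL has no host")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # plain literal, no lookup
    except ValueError:
        # Not a plain literal: resolve it. Obfuscated literals (2130706433,
        # 0x7f.1, 0177.0.0.1) come back from a real resolver in canonical
        # form and are caught by the address check below.
        addresses = [str(ipaddress.ip_address(a)) for a in resolve(host)]
    if not addresses:
        raise ValueError(f"{host!r} did not resolve")
    bad = [a for a in addresses if is_forbidden_address(a)]
    if bad:
        raise ValueError(f"{host!r} points at non-routable address(es) {bad}")
    return addresses


# Constructed records for the demo; the hosts and addresses are placeholders.
SAMPLE_DNS: Dict[str, List[str]] = {
    "hooks.example.net": ["1.2.3.4"],
    "split.example.net": ["1.2.3.5", "10.20.30.40"],   # public + internal
    "rebind.example.net": ["::ffff:127.0.0.1"],         # mapped loopback
}


def sample_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS, backed by SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise ValueError(f"NXDOMAIN: {host}")
    return SAMPLE_DNS[host]


def demo() -> Dict[str, Union[List[str], str]]:
    """Run the check over constructed URLs; each maps to its addresses or the refusal."""
    urls = [
        "https://hooks.example.net/notify",
        "http://10.0.0.5:8080/",                      # internal literal
        "http://169.254.169.254/latest/meta-data/",   # cloud metadata service
        "http://[::ffff:10.0.0.5]/",                  # IPv4-mapped IPv6 literal
        "https://split.example.net/",                 # mixed public/internal records
        "https://rebind.example.net/",
        "ftp://hooks.example.net/",
        "https://admin:secret@hooks.example.net/",
    ]
    results: Dict[str, Union[List[str], str]] = {}
    for url in urls:
        try:
            results[url] = vet_webhook_url(url, sample_resolver)
        except ValueError as exc:
            results[url] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for url, outcome in demo().items():
        print(f"{url:45} {outcome}")
```

Checking the resolved addresses, rather than pattern-matching the hostname, is what catches decimal or octal literals and names that happen to resolve internally; connecting to the returned addresses and re-running the check on every redirect is what closes the DNS-rebinding and open-redirect gaps that a one-time hostname check leaves open.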
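The listing gives one affected range per entry, but several descriptions name a second fixed release on another branch (2.4.10, 3.0.10, 2.0.5, 2.0.6, 1.6.10), so the table alone understates exposure for 2.x and 3.x deployments. The script below, added here as an editor's example and not VYPR's or Nautobot's code, parses the ranges shown above with a minimal PEP 440 subset (standard library only, so pre-releases such as 3.0.0a2 compare correctly) and reports which listed CVEs apply to a given version. The ranges marked "from text" are the editor's reading of those descriptions; their lower bounds 2.0.0 and 3.0.0 are assumptions, since the truncated text does not say where each branch starts.

```python
"""Match a Nautobot version against the affected ranges in the listing above.

Editor's example for this page; not VYPR's or Nautobot's code. The version
grammar is the PEP 440 subset the listing uses: dotted release numbers plus
an optional a/b/rc pre-release. Post, dev and local segments are rejected
rather than compared wrongly.
"""
import re
from typing import Dict, List, Tuple

# First range per CVE is copied from the listing above. Ranges marked
# "from text" are the editor's reading of the other fixed version named in
# the description; the branch floor (2.0.0 / 3.0.0) is an assumption.
AFFECTED: Dict[str, List[str]] = {
    "CVE-2026-44798": [">= 3.0.0a2, < 3.1.2"],
    "CVE-2026-44797": [">= 3.0.0a2, < 3.1.2"],
    "CVE-2026-44796": [">= 3.0.0a2, < 3.1.2"],
    "CVE-2026-44794": [">= 3.0.0a2, < 3.1.2"],
    "CVE-2026-34203": ["< 2.4.30", ">= 3.0.0, < 3.0.10"],          # from text
    "CVE-2025-49143": ["< 1.6.32", ">= 2.0.0, < 2.4.10"],          # from text
    "CVE-2024-36112": [">= 1.3.0, < 1.6.23"],
    "CVE-2024-34707": ["< 1.6.22"],
    "CVE-2024-32979": [">= 1.5.0, < 1.6.20"],
    "CVE-2024-29199": ["< 1.6.16"],
    "CVE-2024-23345": [">= 2.0.0, < 2.1.2", "< 1.6.10"],           # from text
    "CVE-2023-51649": [">= 1.5.14, < 1.6.8"],
    "CVE-2023-50263": [">= 1.1.0, < 1.6.7", ">= 2.0.0, < 2.0.6"],  # from text
    "CVE-2023-48705": ["< 1.6.6", ">= 2.0.0, < 2.0.5"],            # from text
    "CVE-2023-46128": [">= 2.0.0, < 2.0.3"],
    "CVE-2023-25657": ["< 1.5.7"],
}

_VERSION = re.compile(r"^v?(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_CLAUSE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(\S+)$")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}

# (release digits with trailing zeros dropped, pre-release key); tuples
# compare lexicographically, and (0, rank, n) sorts before the final (1,).
VersionKey = Tuple[Tuple[int, ...], Tuple[int, ...]]


def parse_version(text: str) -> VersionKey:
    """Turn '3.0.0a2' / 'v1.6.9' / '3.1' into an orderable key (PEP 440 subset)."""
    m = _VERSION.match(text.strip().lower())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(part) for part in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:   # 3.1.0 == 3.1
        release.pop()
    pre = (0, _PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (1,)
    return tuple(release), pre


def in_range(version: str, spec: str) -> bool:
    """True when every comma-separated clause of `spec` holds for `version`."""
    key = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"bad clause {clause!r} in {spec!r}")
        if not _OPS[m.group(1)](key, parse_version(m.group(2))):
            return False
    return True


def vulnerable_cves(version: str, table: Dict[str, List[str]] = AFFECTED) -> List[str]:
    """CVE ids from `table` whose ranges include `version`, in listing order."""
    return [cve for cve, specs in table.items()
            if any(in_range(version, spec) for spec in specs)]


if __name__ == "__main__":
    import sys
    for v in sys.argv[1:] or ["1.6.9", "2.4.5", "3.0.0a2", "3.1.2"]:
        hits = vulnerable_cves(v)
        print(f"{v}: {len(hits)} listed CVE(s) {' '.join(hits)}")
```

A match is a prompt to read the full advisory, not the last word: the truncated descriptions on this page do not show the conditions (permissions, enabled features, deployment settings) under which each issue is actually reachable.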