Nautobot
by Nautobot
CVEs (17)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-44797 | Nautobot / Nautobot | High | 0.48 | 8.5 | 0.00 | — | May 28, 2026 | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot's Webhook data model and associated feature set could be configured by users with sufficient access to perform requests to various hosts and IP addresses that should not be… |
| CVE-2026-44798 | Nautobot / Nautobot | High | 0.39 | 7.1 | 0.00 | — | May 28, 2026 | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable.… |
| CVE-2026-44796 | Nautobot / Nautobot | Medium | 0.35 | 6.5 | 0.00 | — | May 28, 2026 | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, Nautobot UI object-bulk-rename endpoints (for example, /dcim/interfaces/rename/) were vulnerable to application-wide denial of service via maliciously crafted regular expressions in… |
| CVE-2026-44794 | Nautobot / Nautobot | Medium | 0.28 | 5.4 | 0.00 | — | May 28, 2026 | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or… |
| CVE-2026-34203 | Nautobot / Nautobot | Low | 0.11 | 2.7 | 0.00 | — | Mar 31, 2026 | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTH_PASSWORD_VALIDATORS setting (which defaults to an empty… |
| CVE-2025-49143 | Nautobot / Nautobot | — | 0.00 | — | 0.00 | — | Jun 10, 2025 | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to v2.4.10 and v1.6.32, files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users… |
| CVE-2025-49142 | Nautobot / Nautobot | — | 0.00 | — | 0.00 | — | Jun 10, 2025 | Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links,… |
| CVE-2024-36112 | Nautobot / Nautobot | — | 0.00 | — | 0.00 | — | May 28, 2024 | Nautobot is a Network Source of Truth and Network Automation Platform. A user with permissions to view Dynamic Group records (`extras.view_dynamicgroup` permission) can use the Dynamic Group detail UI view (`/extras/dynamic-groups//`) and/or the members REST API view… |
| CVE-2024-34707 | Nautobot / Nautobot | — | 0.00 | — | 0.01 | — | May 13, 2024 | Nautobot is a Network Source of Truth and Network Automation Platform. A Nautobot user with admin privileges can modify the `BANNER_TOP`, `BANNER_BOTTOM`, and `BANNER_LOGIN` configuration settings via the `/admin/constance/config/` endpoint. Normally these settings are used to… |
| CVE-2024-32979 | Nautobot / Nautobot | — | 0.00 | — | 0.00 | — | May 1, 2024 | Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously… |
| CVE-2024-29199 | Nautobot / Nautobot | — | 0.00 | — | 0.01 | — | Mar 26, 2024 | Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the… |
| CVE-2024-23345 | Nautobot / Nautobot | — | 0.00 | — | 0.00 | — | Jan 22, 2024 | Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted by a cross-site scripting vulnerability. Due to inadequate input sanitization, any… |
| CVE-2023-51649 | Nautobot / Nautobot | — | 0.00 | — | 0.00 | — | Dec 22, 2023 | Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked… |
| CVE-2023-50263 | Nautobot / Nautobot | — | 0.00 | — | 0.01 | — | Dec 12, 2023 | Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 1.x and 2.0.x prior to 1.6.7 and 2.0.6, the URLs `/files/get/?name=...` and… |
| CVE-2023-48705 | Nautobot / Nautobot | — | 0.00 | — | 0.01 | — | Nov 22, 2023 | Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.6 or 2.0.5 are potentially affected by a cross-site scripting vulnerability. Due to incorrect usage of Django's `mark_safe()` API when… |
| CVE-2023-46128 | Nautobot / Nautobot | — | 0.00 | — | 0.01 | — | Oct 24, 2023 | Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. In Nautobot 2.0.x, certain REST API endpoints, in combination with the `?depth=` query parameter, can expose hashed user passwords as… |
| CVE-2023-25657 | Nautobot / Nautobot | — | 0.00 | — | 0.02 | — | Feb 21, 2023 | Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions earlier than 1.5.7 are impacted by a remote code execution vulnerability. Nautobot did not properly sandbox Jinja2 template rendering. In Nautobot 1.5.7 has enabled sandboxed… |