Severity / score / CVE (where assigned) / advisory title; affected version ranges on the following line.

HIGH 8.5  CVE-2026-44797  Nautobot: Webhook definitions could be used for server-side request forgery (SSRF)
  Affected: >= 3.0.0a2, < 3.1.2
HIGH 7.7  CVE-2023-46128  Nautobot vulnerable to exposure of hashed user passwords via REST API
  Affected: from 0, < 1ce8e5c658a075c29554d517cd453675e5d40d71 | >= 2.0.0, < 2.0.3
HIGH 7.7  CVE-2023-46128  Nautobot vulnerable to exposure of hashed user passwords via REST API
  Affected: >= 2.0.0, < 2.0.3
HIGH 7.5  Nautobot's BANNER_* configuration can be used to inject arbitrary HTML content into Nautobot pages
  Affected: from 0, < 1.6.22
HIGH 7.5  nautobot has reflected Cross-site Scripting potential in all object list views
  Affected: >= 1.5.0, < 1.6.20
HIGH 7.5  Nautobot vulnerable to remote code execution via Jinja2 template rendering
  Affected: from 0, < d47f157e83b0c353bb2b697f911882c71cf90ca0 | from 0, < 1.5.7
HIGH 7.5  Nautobot vulnerable to remote code execution via Jinja2 template rendering
  Affected: from 0, < 1.5.7
HIGH 7.1  Nautobot: GitRepository.current_head field should not be writable through REST API
  Affected: >= 3.0.0a2, < 3.1.2
HIGH 7.1  Nautobot vulnerable to secrets exposure and data manipulation through Jinja2 templating
  Affected: from 0, < 1.6.32, >= 2.0.0, < 2.4.10
HIGH 7.1  Nautobot vulnerable to secrets exposure and data manipulation through Jinja2 templating
  Affected: from 0, < 1.6.32
HIGH 7.1  XSS potential in rendered Markdown fields (comments, description, notes, etc.)
  Affected: >= 2.0.0, < 2.1.2
HIGH 7.1  XSS potential in rendered Markdown fields (comments, description, notes, etc.)
  Affected: from 0, < 17effcbe84a72150c82b138565c311bbee357e80, < 64312a4297b5ca49b6cdedf477e41e8e4fd61cce | >= 2.0.0, < 2.1.2, from 0, < 1.6.10
HIGH 7.1  Cross-site Scripting potential in custom links, job buttons, and computed fields
  Affected: from 0, < 1.6.6
HIGH 7.1  Cross-site Scripting potential in custom links, job buttons, and computed fields
  Affected: from 0, < 362850f5a94689a4c75e3188bf6de826c3b012b2, < 54abe23331b6c3d0d82bf1b028c679b1d200920d | >= 2.0.0, < 2.0.5, from 0, < 1.6.6
MEDIUM 6.5  Nautobot: Object bulk rename UI actions vulnerable to denial of service by crafted regular expression (ReDoS)
  Affected: >= 3.0.0a2, < 3.1.2
MEDIUM 6.3  Nautobot dynamic-group-members doesn't enforce permission restrictions on member objects
  Affected: >= 1.3.0, < 1.6.23
MEDIUM 6.3  Nautobot dynamic-group-members doesn't enforce permission restrictions on member objects
  Affected: >= 2.0.0, < 2.3.0b1
MEDIUM 5.4  Nautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference
  Affected: >= 3.0.0a2, < 3.1.2
LOW 3.7  Unauthenticated views may expose information to anonymous users
  Affected: from 0, < 1.6.16
LOW 3.7  Unauthenticated db-file-storage views
  Affected: >= 1.1.0, < 1.6.7
LOW 3.7  Unauthenticated db-file-storage views
  Affected: from 0, < 458280c359a4833a20da294eaf4b8d55edc91cee, < 7c4cf3137f45f1541f09f2f6a7f8850cd3a2eaee | >= 2.0.0, < 2.0.6, >= 1.1.0, < 1.6.7
LOW 3.5  Nautobot missing object-level permissions enforcement when running Job Buttons
  Affected: >= 2.0.0, < 2.1.0, >= 1.5.14, < 1.6.8
LOW 3.5  Nautobot missing object-level permissions enforcement when running Job Buttons
  Affected: >= 1.5.14, < 1.6.8
LOW 2.7  Nautobot: Management of users via REST API does not apply configured password validators
  Affected: from 0, < 2.4.30
— (no severity/score)  Nautobot may allow uploaded media files to be accessible without authentication
  Affected: from 0, < 1.6.32