scrapy / scrapy
Project repository
Scrapy, a fast high-level web crawling & scraping framework for Python.
First interaction within 13 days
Review within 61 days
Fix within 125 days
Arbitrary Code Execution via Untrusted Pickle Deserialization in Scrapy SpiderSt...
Nov 6th 2025
anotherik
•
pending
Brotli decompression bomb DoS
Oct 31st 2025
cycloctane
•
High
•
CVE-2025-6176
Shell command injection in scrapy command
Aug 21st 2024
raj3shp
•
informative
High
User Defined Regex Without any proper validation
Apr 29th 2024
michealkeines
•
informative
Medium
Unhandled Exception in `Sitemap`
Apr 29th 2024
michealkeines
•
informative
Medium
Authorization header leakage on same-domain but cross-origin redirect
May 20th 2024
szarny
•
High
•
$300
•
CVE-2024-1968
allowed_domains check bypass with http redirect
Nov 28th 2023
surayp
•
not applicable
local file read using redirect
Nov 23rd 2023
ranjit-git
•
spam
Denial of Service when parsing downloaded XML content in XMLFeedSpider
Feb 28th 2024
nicecatch2000
•
High
•
$750
•
CVE-2024-1892
Branch protection not enabled for the master branch
Nov 22nd 2023
dmandefy
•
spam
Parsing XML content using insecure function
Apr 16th 2024
dmandefy
•
High
•
$750
•
CVE-2024-3572
local file read using redirect
Nov 1st 2023
ranjit-git
•
not applicable
Authorization header leaked to third party site and it allow to hijack victim ac...
Apr 16th 2024
ranjit-git
•
High
•
$900
•
CVE-2024-3574
Does not properly filter dangerous file types.
Nov 10th 2023
andy53
•
not applicable
OS Command Injection at Edit Spider
Nov 10th 2023
dwisiswant0
•
not applicable
Insecure temporary file creation
May 20th 2022
melbinkm
•
not applicable
Exposure of Sensitive Information to an Unauthorized Actor
Mar 1st 2022
ranjit-git
•
High
•
$565
•
CVE-2022-0577
Critical: $0
High: $0
Medium: $0
Low: $0