An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 25,257
With Dependabot PRs: 1,939
Critical Severity: 3,553
High Severity: 8,784

Directus has open redirect in SAML
GHSA-3573-4c68-g8cc MODERATE about 13 hours ago
## Security Advisory: Open Redirect in Directus SAML Authentication ### Summary An open redirect vulnerability exists in the Directus SAML authen...
npm
No PRs yet
rsa crate has potential panic on a prime being equal to 1
GHSA-9c48-w39g-hm26 LOW about 14 hours ago
When creating a RSA private key from its components, the construction panics, instead of returning an error, when one of the primes is `1`. Disco...
cargo
No PRs yet
Parsl Monitoring Visualization Vulnerable to SQL Injection
GHSA-f2mf-q878-gh58 MODERATE about 15 hours ago
**Affected Product:** Parsl (Python Parallel Scripting Library) **Component:** parsl.monitoring.visualization **Vulnerability Type:** SQL Injecti...
pypi
No PRs yet
Bypassing Kyverno Policies via Double Policy Exceptions
GHSA-gg4x-fgg2-h9w9 CRITICAL about 15 hours ago
### Summary If a cluster has a `Kyverno` policy in enforce mode and there are two exceptions, this allows the policy to be bypassed, even if the fi...
go
No PRs yet
Bokeh server applications have Incomplete Origin Validation in WebSockets
GHSA-793v-589g-574v CVE-2026-21883 MODERATE about 15 hours ago
This vulnerability allows for **Cross-Site WebSocket Hijacking (CSWSH)** of a deployed Bokeh server instance. ### Scope This vulnerability is on...
pypi
No PRs yet
n8n Vulnerable to RCE via Arbitrary File Write
GHSA-v364-rw7m-3263 CVE-2026-21877 CRITICAL about 15 hours ago
### Impact n8n is affected by an authenticated Remote Code Execution (RCE) vulnerability. Under certain conditions, an authenticated user may be a...
npm
No PRs yet
Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability
GHSA-8v65-47jx-7mfr CVE-2026-21859 MODERATE about 15 hours ago
## Summary A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's `/proxy` endpoint that allows attackers to make requests to inte...
go
No PRs yet
MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download
GHSA-9rg3-9pvr-6p27 CVE-2026-21851 MODERATE about 15 hours ago
## Summary A **Path Traversal (Zip Slip)** vulnerability exists in MONAI's `_download_from_ngc_private()` function. The function uses `zipfile.Zip...
pypi
No PRs yet
Pterodactyl TOTPs can be reused during validity window
GHSA-rgmp-4873-r683 CVE-2025-69197 MODERATE about 15 hours ago
### Summary When a user signs into an account with 2FA enabled they are prompted to enter a token. When that token is used, it is not sufficiently ...
packagist
No PRs yet
Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced
GHSA-8c39-xppg-479c CVE-2025-68954 HIGH about 15 hours ago
### Summary Pterodactyl does not revoke _active_ SFTP connections when a user is removed from a server instance or has their permissions changed wi...
go packagist
No PRs yet
AIOHTTP Vulnerable to Cookie Parser Warning Storm
GHSA-fh55-r93g-j68g CVE-2025-69230 LOW 1 day ago
### Summary Reading multiple invalid cookies can lead to a logging storm. ### Impact If the ``cookies`` attribute is accessed in an application, t...
pypi
No PRs yet
AIOHTTP vulnerable to DoS through chunked messages
GHSA-g84x-mcqj-x9qq CVE-2025-69229 MODERATE 1 day ago
### Summary Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. ### Impact If an ap...
pypi
No PRs yet
AIOHTTP vulnerable to denial of service through large payloads
GHSA-6jhg-hg63-jvvf CVE-2025-69228 MODERATE 1 day ago
### Summary A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing. ### Impact If an app...
pypi
No PRs yet
AIOHTTP vulnerable to DoS when bypassing asserts
GHSA-jj3x-wxrx-4x23 CVE-2025-69227 MODERATE 1 day ago
### Summary When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body. ### Impact If ...
pypi
No PRs yet
AIOHTTP vulnerable to brute-force leak of internal static file path components
GHSA-54jq-c3m8-4m76 CVE-2025-69226 LOW 1 day ago
### Summary Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of abs...
pypi
No PRs yet
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
GHSA-mqqc-3gqh-h2x8 CVE-2025-69225 LOW 1 day ago
### Summary The parser allows non-ASCII decimals to be present in the Range header. ### Impact There is no known impact, but there is the possib...
pypi
No PRs yet
AIOHTTP's unicode processing of header values could cause parsing discrepancies
GHSA-69f9-5gxw-wvc2 CVE-2025-69224 LOW 1 day ago
### Summary The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. ### Impact If a pure Python ver...
pypi
No PRs yet
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
GHSA-6mq8-rvhq-8wgg CVE-2025-69223 HIGH 1 day ago
### Summary A zip bomb can be used to execute a DoS against the aiohttp server. ### Impact An attacker may be able to send a compressed request th...
pypi
No PRs yet
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function
GHSA-m9rg-mr6g-75gm CVE-2025-66648 HIGH 1 day ago
### Impact For sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the [public API](https://...
npm
No PRs yet
Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope
GHSA-829q-m3qg-ph8r CVE-2025-65110 HIGH 1 day ago
## Impact Applications meeting these two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" [expressionInterpreter...
npm
No PRs yet
Spinnaker vulnerable to SSRF due to improper restrictions on http from user input
GHSA-vrjc-q2fh-6x9h CVE-2025-61916 HIGH 1 day ago
### Impact The primary impact is allowing users to fetch data from a remote URL. This data can be then injected into Spinnaker pipelines via helm ...
maven
No PRs yet
evershop allows unauthenticated attackers to exhaust application server's resources via "GET /images" API
GHSA-m2q5-xhqg-92r2 CVE-2025-67419 HIGH 1 day ago
A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources ...
npm
No PRs yet
Anthropic's MCP TypeScript SDK has a ReDoS vulnerability
GHSA-8r9q-7v3j-jr4g CVE-2026-0621 HIGH 1 day ago
Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriT...
npm
No PRs yet
evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API
GHSA-vp8w-wj4m-3r7j CVE-2025-67427 MODERATE 1 day ago
A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initia...
npm
No PRs yet
Harvest May Expose OS Default SSH Login Password Via SUSE Virtualization Interactive Installer
GHSA-6g8q-hp2j-gvwv CVE-2025-62877 CRITICAL 1 day ago
### Impact Projects using the SUSE Virtualization (Harvester) environment are vulnerable to this exploit if they are using the 1.5.x or 1.6.x inte...
go
No PRs yet
Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read
GHSA-824x-88xg-cwrv CVE-2026-21857 HIGH 1 day ago
### Summary Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file e...
packagist
No PRs yet
ERC7984ERC20Wrapper: once a wrapper is filled, subsequent wrap requests do not revert and result in loss of funds.
GHSA-hqf9-8xv5-x8xw MODERATE 1 day ago
### Impact The `ERC7984` contract tracks total supply using a confidential `euint64` value. If a call to the internal `_mint` function would result...
npm
No PRs yet
gix-date can create non-utf8 string with `TimeBuf::as_str`
GHSA-6mw6-mj76-grwc MODERATE 1 day ago
The function `gix_date::parse::TimeBuf::as_str` can create an illegal string containing non-utf8 characters. This violates the safety invariant of ...
cargo
No PRs yet
Sliver Vulnerable to Pre-Auth Memory Exhaustion via NoEncoder Bypass
GHSA-hjr9-wj7v-7hv8 MODERATE 1 day ago
### Summary A specially crafted nonce routes unauthenticated requests through the NoEncoder path, where `startSessionHandler()` reads the entire re...
go
No PRs yet
badkeys vulnerable to ASCII control character injection on console via malformed input
GHSA-wjpc-4f29-83h3 CVE-2026-21439 LOW 1 day ago
### Impact An attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleadin...
pypi
No PRs yet
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
GHSA-255j-qw47-wjh5 CVE-2025-68455 HIGH 1 day ago
Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.2...
packagist
No PRs yet
Unauthenticated Craft CMS users can trigger a database backup
GHSA-v64r-7wg9-23pr CVE-2025-68456 HIGH 1 day ago
Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information ...
packagist
No PRs yet
Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
GHSA-742x-x762-7383 CVE-2025-68454 MODERATE 1 day ago
For this to work, users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/...
packagist
No PRs yet
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
GHSA-x27p-wfqw-hfcc CVE-2025-68437 MODERATE 1 day ago
The Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the...
packagist
No PRs yet
Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
GHSA-53vf-c43h-j2x9 CVE-2025-68436 MODERATE 1 day ago
Authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests...
packagist
No PRs yet
jsPDF has Local File Inclusion/Path Traversal vulnerability
GHSA-f8cm-6447-x5h2 CVE-2025-68428 CRITICAL 1 day ago
### Impact User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the...
npm
91 Dependabot PRs
Apache SIS has Improper Restriction of XML External Entity Reference vulnerability
GHSA-jqmr-2pg9-vfx7 CVE-2025-68280 MODERATE 1 day ago
Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when pa...
maven
No PRs yet
flagd: Multiple Go Runtime CVEs Impact Security and Availability
GHSA-4c5f-9mj4-m247 HIGH 1 day ago
### Summary In 2025, several vulnerabilities in the Go Standard Library were disclosed, impacting Go-based applications like flagd (the evaluation ...
go
No PRs yet
MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation
GHSA-cw39-r4h6-8j3x CVE-2026-21452 HIGH 1 day ago
### Summary Affected Components: ``` org.msgpack.core.MessageUnpacker.readPayload() org.msgpack.core.MessageUnpacker.unpackValue() org.msgpack.valu...
maven
1 Dependabot PR
Apache Kyuubi Server vulnerable to Path Traversal
GHSA-f8r6-6222-9pvc CVE-2025-66518 HIGH 2 days ago
Any client who can access Apache Kyuubi Server via Kyuubi frontend protocols can bypass the server-side config kyuubi.session.local.dir.allow.list a...
maven
No PRs yet
Vaadin vulnerable to Cross-site Scripting
GHSA-7wwv-79xw-rvvg CVE-2025-15022 MODERATE 2 days ago
Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is deri...
maven
No PRs yet
listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
GHSA-jmr4-p576-v565 CVE-2026-21483 MODERATE 4 days ago
## Security Advisory: Stored XSS Leading to Admin Account Takeover **Affected Versions:** ≤ 5.1.0 **Vulnerability Type:** CWE-79: Stored Cross-S...
go
No PRs yet
Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users
GHSA-mqhg-v22x-pqj8 CVE-2026-21449 HIGH 4 days ago
### Summary SSTI is possible via first name and last name parameters provided by lowest-privileged users. ### Details 1. Go to `http://127.0.0.1:80...
packagist
No PRs yet
Bagisto has IDOR in Customer Order Reorder Functionality
GHSA-x5rw-qvvp-5cgm CVE-2026-21447 HIGH 4 days ago
### Summary An Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add item...
packagist
No PRs yet
Bagisto has Normal & Blind SSTI from low-privilege user when ordering product
GHSA-5j4h-4f72-qpm6 CVE-2026-21448 HIGH 4 days ago
### Summary SSTI: when a normal customer orders any product, the add-address step can inject a value that runs in the admin view. ### Details `As normal user` 1. Go...
packagist
No PRs yet
Bagisto SSTI vulnerability in type parameter can lead to RCE
GHSA-9hvg-qw5q-wqwp CVE-2026-21450 HIGH 4 days ago
### Summary SSTI is possible in Bagisto via the type parameter and can lead to RCE and other exploitation. ### Details 1. Go to `http://127.0.0.1:8000/ad...
packagist
No PRs yet
Bagisto has HTML Filter Bypass that Enables Stored XSS
GHSA-2mwc-h2mg-v6p8 CVE-2026-21451 MODERATE 4 days ago
### Summary A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto 2.3.8 within the CMS page editor. Although the platform normally at...
packagist
No PRs yet
Bagisto Missing Authentication on Installer API Endpoints
GHSA-6h7w-v2xr-mqvw CVE-2026-21446 HIGH 4 days ago
### Vulnerable Code **File:** `packages/Ibkul/Installer/src/Routes/Ib.php` ``` <?php use Illuminate\Session\Middleware\StartSession; use Il...
packagist
No PRs yet
Langflow Missing Authentication on Critical API Endpoints
GHSA-c5cp-vx83-jhqx CVE-2026-21445 HIGH 4 days ago
### Summary Multiple critical API endpoints in Langflow are missing authentication controls, allowing any unauthenticated user to access sensitive ...
pypi
No PRs yet
AdonisJS Path Traversal in Multipart File Handling
GHSA-gvq6-hvvp-h34h CVE-2026-21440 CRITICAL 5 days ago
### Summary **Description** A Path Traversal (CWE-22) vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbit...
npm
2 Dependabot PRs