An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 25,275
With Dependabot PRs: 1,941
Critical Severity: 3,556
High Severity: 8,791

`IterMut` violates Stacked Borrows by invalidating internal pointer
GHSA-rhfx-m35p-ff5j LOW about 16 hours ago
Affected versions of this crate contain a soundness issue in the `IterMut` iterator implementation. The `IterMut::next` and `IterMut::next_back` me...
cargo
No PRs yet
OpenMetadata's Server-Side Template Injection (SSTI) in FreeMarker email templates leads to RCE
GHSA-5f29-2333-h9c7 CRITICAL about 17 hours ago
# OpenMetadata RCE Vulnerability - Proof of Concept ## Executive Summary **CRITICAL Remote Code Execution vulnerability** confirmed in OpenMetada...
maven
No PRs yet
CoreShop Vulnerable to SQL Injection via Admin Reports
GHSA-ch7p-mpv4-4vg4 MODERATE about 17 hours ago
### Affected Version(s) - CoreShop 4.1.2 Demo (tested) [Demo | CoreShop](https://docs.coreshop.com/CoreShop/Getting_Started/Demo/index.html) - Ear...
packagist
No PRs yet
loggingredactor converts non-string types to string types in logs
GHSA-rvjx-cfjh-5mc9 CVE-2026-22041 LOW about 18 hours ago
### Impact Non-string types are converted into string types, leading to type errors in %d conversions. ### Patches The problem has been patched in...
pypi
No PRs yet
Preact has JSON VNode Injection issue
GHSA-36hm-qxxp-pg3m CVE-2026-22028 HIGH about 18 hours ago
## Impact **Vulnerability Type:** HTML Injection via JSON Type Confusion **Affected Versions:** Preact 10.26.5 through 10.28.1 **Severity:** Low...
npm
No PRs yet
n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks
GHSA-jf52-3f2h-h9j5 CVE-2026-21894 MODERATE about 18 hours ago
### Impact An authentication bypass in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook...
npm
No PRs yet
Miniflux Media Proxy SSRF via /proxy endpoint allows access to internal network resources
GHSA-xwh2-742g-w3wp CVE-2026-21885 MODERATE about 18 hours ago
### Summary Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF)...
go
No PRs yet
n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling
GHSA-v4pr-fm98-w9pg CVE-2026-21858 CRITICAL about 18 hours ago
### Impact A vulnerability in n8n allows an attacker to access files on the underlying server through execution of certain form-based workflows. A ...
npm
No PRs yet
Decompression-bomb safeguards bypassed when following HTTP redirects (streaming API)
GHSA-38jv-5279-wg99 CVE-2026-21441 HIGH about 18 hours ago
### Impact urllib3's [streaming API](https://urllib3.readthedocs.io/en/2.6.2/advanced-usage.html#streaming-and-i-o) is designed for the efficient ...
pypi
470
Dependabot PRs
pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"
GHSA-379q-355j-w6rj CVE-2025-69264 HIGH about 18 hours ago
# pnpm v10+ Git Dependency Script Execution Bypass ### Summary A security bypass vulnerability in pnpm v10+ allows git-hosted dependencies to exe...
npm
No PRs yet
pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies
GHSA-7vhp-vf5g-r2fw CVE-2025-69263 HIGH about 18 hours ago
### Summary HTTP tarball dependencies (and git-hosted tarballs) are stored in the lockfile without integrity hashes. This allows the remote server...
npm
No PRs yet
pnpm vulnerable to Command Injection via environment variable substitution
GHSA-2phv-j68v-wwqx CVE-2025-69262 HIGH about 18 hours ago
## Summary A command injection vulnerability exists in pnpm when using environment variable substitution in `.npmrc` configuration files with `tok...
npm
No PRs yet
RustFS gRPC GetMetrics deserialization panic enables remote DoS
GHSA-gw2x-q739-qhcr CVE-2025-69255 MODERATE about 18 hours ago
### Summary A malformed gRPC `GetMetrics` request causes `get_metrics` to `unwrap()` failed deserialization of `metric_type`/`opts`, panicking the ...
cargo
No PRs yet
RustFS Path Traversal Vulnerability
GHSA-pq29-69jg-9mxc CVE-2025-68705 HIGH about 19 hours ago
# RustFS Path Traversal Vulnerability ## Vulnerability Details - **CVE ID**: - **Severity**: Critical (CVSS estimated 9.9) - **Impact**: Arbitra...
cargo
No PRs yet
Quarkus REST has potential worker thread starvation when HTTP connection is closed while waiting to write
GHSA-5rfx-cp42-p624 CVE-2025-66560 MODERATE about 19 hours ago
A vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for pr...
maven
No PRs yet
Microsoft Playwright MCP Server vulnerable to DNS Rebinding Attack; Allows Attackers Access to All Server Tools
GHSA-6fg3-hvw7-2fwq CVE-2025-9611 HIGH 1 day ago
Microsoft Playwright MCP Server versions prior to 0.0.40 fail to validate the Origin header on incoming connections. This allows an attacker to pe...
npm
No PRs yet
OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware
GHSA-rwp9-5g7q-73q3 CVE-2026-0650 CRITICAL 1 day ago
OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of...
go
No PRs yet
carbone Code Injection vulnerability
GHSA-6rcw-ww3x-xqwm CVE-2024-14020 LOW 1 day ago
A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This impacts an unknown function of the file li...
npm
No PRs yet
Directus has open redirect in SAML
GHSA-3573-4c68-g8cc CVE-2026-22032 MODERATE 1 day ago
## Security Advisory: Open Redirect in Directus SAML Authentication ### Summary An open redirect vulnerability exists in the Directus SAML authen...
npm
No PRs yet
rsa crate has potential panic on a prime being equal to 1
GHSA-9c48-w39g-hm26 CVE-2026-21895 LOW 2 days ago
When creating an RSA private key from its components, the construction panics, instead of returning an error, when one of the primes is `1`. Disco...
cargo
No PRs yet
Parsl Monitoring Visualization Vulnerable to SQL Injection
GHSA-f2mf-q878-gh58 CVE-2026-21892 MODERATE 2 days ago
**Affected Product:** Parsl (Python Parallel Scripting Library) **Component:** parsl.monitoring.visualization **Vulnerability Type:** SQL Injecti...
pypi
No PRs yet
Bypassing Kyverno Policies via Double Policy Exceptions
GHSA-gg4x-fgg2-h9w9 CRITICAL 2 days ago
### Summary If a cluster has a `Kyverno` policy in enforce mode and there are two exceptions, this allows the policy to be bypassed, even if the fi...
go
No PRs yet
Bokeh server applications have Incomplete Origin Validation in WebSockets
GHSA-793v-589g-574v CVE-2026-21883 MODERATE 2 days ago
This vulnerability allows for **Cross-Site WebSocket Hijacking (CSWSH)** of a deployed Bokeh server instance. ### Scope This vulnerability is on...
pypi
No PRs yet
n8n Vulnerable to RCE via Arbitrary File Write
GHSA-v364-rw7m-3263 CVE-2026-21877 CRITICAL 2 days ago
### Impact n8n is affected by an authenticated Remote Code Execution (RCE) vulnerability. Under certain conditions, an authenticated user may be a...
npm
No PRs yet
Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability
GHSA-8v65-47jx-7mfr CVE-2026-21859 MODERATE 2 days ago
## Summary A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's `/proxy` endpoint that allows attackers to make requests to inte...
go
No PRs yet
MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download
GHSA-9rg3-9pvr-6p27 CVE-2026-21851 MODERATE 2 days ago
## Summary A **Path Traversal (Zip Slip)** vulnerability exists in MONAI's `_download_from_ngc_private()` function. The function uses `zipfile.Zip...
pypi
No PRs yet
Pterodactyl TOTPs can be reused during validity window
GHSA-rgmp-4873-r683 CVE-2025-69197 MODERATE 2 days ago
### Summary When a user signs into an account with 2FA enabled they are prompted to enter a token. When that token is used, it is not sufficiently ...
packagist
No PRs yet
Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced
GHSA-8c39-xppg-479c CVE-2025-68954 HIGH 2 days ago
### Summary Pterodactyl does not revoke _active_ SFTP connections when a user is removed from a server instance or has their permissions changed wi...
go packagist
No PRs yet
AIOHTTP Vulnerable to Cookie Parser Warning Storm
GHSA-fh55-r93g-j68g CVE-2025-69230 LOW 3 days ago
### Summary Reading multiple invalid cookies can lead to a logging storm. ### Impact If the ``cookies`` attribute is accessed in an application, t...
pypi
No PRs yet
AIOHTTP vulnerable to DoS through chunked messages
GHSA-g84x-mcqj-x9qq CVE-2025-69229 MODERATE 3 days ago
### Summary Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. ### Impact If an ap...
pypi
No PRs yet
AIOHTTP vulnerable to denial of service through large payloads
GHSA-6jhg-hg63-jvvf CVE-2025-69228 MODERATE 3 days ago
### Summary A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing. ### Impact If an app...
pypi
No PRs yet
AIOHTTP vulnerable to DoS when bypassing asserts
GHSA-jj3x-wxrx-4x23 CVE-2025-69227 MODERATE 3 days ago
### Summary When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body. ### Impact If ...
pypi
No PRs yet
AIOHTTP vulnerable to brute-force leak of internal static file path components
GHSA-54jq-c3m8-4m76 CVE-2025-69226 LOW 3 days ago
### Summary Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of abs...
pypi
No PRs yet
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
GHSA-mqqc-3gqh-h2x8 CVE-2025-69225 LOW 3 days ago
### Summary The parser allows non-ASCII decimals to be present in the Range header. ### Impact There is no known impact, but there is the possib...
pypi
No PRs yet
AIOHTTP's unicode processing of header values could cause parsing discrepancies
GHSA-69f9-5gxw-wvc2 CVE-2025-69224 LOW 3 days ago
### Summary The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. ### Impact If a pure Python ver...
pypi
No PRs yet
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
GHSA-6mq8-rvhq-8wgg CVE-2025-69223 HIGH 3 days ago
### Summary A zip bomb can be used to execute a DoS against the aiohttp server. ### Impact An attacker may be able to send a compressed request th...
pypi
No PRs yet
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function
GHSA-m9rg-mr6g-75gm CVE-2025-66648 HIGH 3 days ago
### Impact For sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the [public API](https://...
npm
No PRs yet
Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope
GHSA-829q-m3qg-ph8r CVE-2025-65110 HIGH 3 days ago
## Impact Applications meeting these two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" [expressionInterpreter...
npm
No PRs yet
Spinnaker vulnerable to SSRF due to improper restrictions on http from user input
GHSA-vrjc-q2fh-6x9h CVE-2025-61916 HIGH 3 days ago
### Impact The primary impact is allowing users to fetch data from a remote URL. This data can be then injected into Spinnaker pipelines via helm ...
maven
No PRs yet
Anthropic's MCP TypeScript SDK has a ReDoS vulnerability
GHSA-8r9q-7v3j-jr4g CVE-2026-0621 HIGH 3 days ago
### Impact A ReDoS vulnerability in the `UriTemplate` class allows attackers to cause denial of service. The `partToRegExp()` function generates a...
npm
No PRs yet
evershop allows unauthenticated attackers to exhaust application server's resources via "GET /images" API
GHSA-m2q5-xhqg-92r2 CVE-2025-67419 HIGH 3 days ago
A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources ...
npm
No PRs yet
evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API
GHSA-vp8w-wj4m-3r7j CVE-2025-67427 MODERATE 3 days ago
A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initia...
npm
No PRs yet
Harvest May Expose OS Default SSH Login Password Via SUSE Virtualization Interactive Installer
GHSA-6g8q-hp2j-gvwv CVE-2025-62877 CRITICAL 3 days ago
### Impact Projects using the SUSE Virtualization (Harvester) environment are vulnerable to this exploit if they are using the 1.5.x or 1.6.x inte...
go
No PRs yet
Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read
GHSA-824x-88xg-cwrv CVE-2026-21857 HIGH 3 days ago
### Summary Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file e...
packagist
No PRs yet
ERC7984ERC20Wrapper: once a wrapper is filled, subsequent wrap requests do not revert and result in loss of funds.
GHSA-hqf9-8xv5-x8xw MODERATE 3 days ago
### Impact The `ERC7984` contract tracks total supply using a confidential `euint64` value. If a call to the internal `_mint` function would result...
npm
No PRs yet
gix-date can create non-utf8 string with `TimeBuf::as_str`
GHSA-6mw6-mj76-grwc MODERATE 3 days ago
The function `gix_date::parse::TimeBuf::as_str` can create an illegal string containing non-utf8 characters. This violates the safety invariant of ...
cargo
No PRs yet
Sliver Vulnerable to Pre-Auth Memory Exhaustion via NoEncoder Bypass
GHSA-hjr9-wj7v-7hv8 MODERATE 3 days ago
### Summary A specially crafted nonce routes unauthenticated requests through the NoEncoder path, where `startSessionHandler()` reads the entire re...
go
No PRs yet
badkeys vulnerable to ASCII control character injection on console via malformed input
GHSA-wjpc-4f29-83h3 CVE-2026-21439 LOW 3 days ago
### Impact An attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleadin...
pypi
No PRs yet
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
GHSA-255j-qw47-wjh5 CVE-2025-68455 HIGH 3 days ago
Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.2...
packagist
No PRs yet
Unauthenticated Craft CMS users can trigger a database backup
GHSA-v64r-7wg9-23pr CVE-2025-68456 HIGH 3 days ago
Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information ...
packagist
No PRs yet