Security Advisories
Browse security advisories and track which Dependabot PRs address them.
26,264
Total Advisories
2,108
With Dependabot PRs
3,675
Critical Severity
9,170
High Severity
OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs
GHSA-cxpw-2g23-2vgw CVE-2026-27576 MODERATE 2 days ago
## Vulnerability
The ACP bridge accepted very large prompt text blocks and could assemble oversized prompt payloads before forwarding them to `cha...
npm
No PRs yet
Google Cloud Vertex AI has a vulnerability involving predictable bucket naming
GHSA-wh2j-26j7-9728 CVE-2026-2473 HIGH 2 days ago
Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud ...
pypi
No PRs yet
Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS)
GHSA-qv8j-hgpc-vrq8 CVE-2026-2472 HIGH 2 days ago
Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions fro...
pypi
No PRs yet
Ray dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)
GHSA-q5fh-2hc8-f6rq CVE-2026-27482 MODERATE 3 days ago
### Summary
Ray’s dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated b...
pypi
No PRs yet
AVideo has Stored Cross-Site Scripting via Markdown Comment Injection
GHSA-rcqw-6466-3mv7 CVE-2026-27568 MODERATE 3 days ago
## Vulnerability Type
Stored Cross-Site Scripting (XSS) — CWE-79.
## Affected Product/Versions
AVideo 18.0.
## Root Cause Summary
AVideo allows M...
packagist
No PRs yet
Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused
GHSA-49pc-8936-wvfp CVE-2026-27492 MODERATE 3 days ago
### Impact
Email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused ...
npm
No PRs yet
Traefik affected by TLS ClientAuth Bypass on HTTP/3
GHSA-gv8r-9rw9-9697 CRITICAL 3 days ago
### Summary
There is a potential vulnerability in Traefik managing HTTP/3 connections.
More details in the [CVE-2025-68121](https://nvd.nist.gov/...
go
No PRs yet
OpenClaw hardened cron webhook delivery against SSRF
GHSA-w45g-5746-x9fp CVE-2026-27488 MODERATE 3 days ago
## Affected Packages / Versions
- `openclaw` npm package versions `<= 2026.2.17`.
## Vulnerability
Cron webhook delivery in `src/gateway/server-c...
npm
No PRs yet
OpenClaw: Reject symlinks in local skill packaging script
GHSA-r6h2-5gqq-v5v6 CVE-2026-27485 MODERATE 3 days ago
## Vulnerability
`skills/skill-creator/scripts/package_skill.py` (a local helper script used when authors package skills) previously followed syml...
npm
No PRs yet
OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows
GHSA-wh94-p5m6-mr7j CVE-2026-27484 LOW 3 days ago
## Overview
Discord moderation action handling (`timeout`, `kick`, `ban`) used sender identity from request parameters in tool-driven flows, inste...
npm
No PRs yet
Sync-in Server has a stored cross-site scripting (XSS) vulnerability
GHSA-9jmq-xgjm-p8c2 CVE-2025-67438 MODERATE 3 days ago
A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript i...
npm
No PRs yet
Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames
GHSA-qhp6-635j-x7r2 CVE-2026-27480 MODERATE 3 days ago
## Summary
A timing-based username enumeration vulnerability in Basic Authentication, due to an early response on invalid usernames, could allow attack...
cargo
No PRs yet
Fickling has a detection bypass via stdlib network-protocol constructors
GHSA-83pf-v6qq-pwmr LOW 3 days ago
# Our assessment
`imtplib`, `imaplib`, `ftplib`, `poplib`, `telnetlib`, and `nntplib` are added to the list of unsafe imports (https://github.com/...
pypi
No PRs yet
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
GHSA-m7jm-9gc2-mpf2 CVE-2026-25896 CRITICAL 3 days ago
# Entity encoding bypass via regex injection in DOCTYPE entity names
## Summary
A dot (`.`) in a DOCTYPE entity name is treated as a regex wildca...
npm
No PRs yet
TFTP Path Traversal
EEF-CVE-2026-21620 GHSA-hmrc-prh3-rpvp CVE-2026-21620 LOW 3 days ago
Relative Path Traversal, Improper Isolation or Compartmentalization vulnerability in erlang otp erlang/otp (tftp_file modules), erlang otp inets (t...
No PRs yet
bn.js affected by an infinite loop
GHSA-378v-28hj-76wf CVE-2026-2739 MODERATE 3 days ago
This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmo...
npm
No PRs yet
Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped
GHSA-wfqv-66vq-46rm CVE-2026-24122 LOW 3 days ago
## Summary
When verifying artifact signatures using a certificate, Cosign first verifies the certificate chain using the leaf certificate's "not b...
go
2
Dependabot PRs
Centrifugo v6.6.0 dependency vulnerabilities
GHSA-j9wf-6r2x-hqmx MODERATE 3 days ago
### Summary ...
go
No PRs yet
OpenClaw safeBins file-existence oracle information disclosure
GHSA-6c9j-x93c-rw6j MODERATE 3 days ago
An information disclosure vulnerability in OpenClaw's `tools.exec.safeBins` approval flow allowed a file-existence oracle.
When safe-bin validatio...
npm
No PRs yet
OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags
GHSA-4685-c5cp-vp95 LOW 3 days ago
## Summary
`tools.exec.safeBins` could be bypassed for filesystem access when `sort` output flags (`-o` / `--output`) or recursive `grep` flags wer...
npm
No PRs yet
Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize()
GHSA-v7m3-fpcr-h7m2 CVE-2026-27206 HIGH 3 days ago
### Description
The `zumba/json-serializer` library allows deserialization of PHP objects from JSON using a special `@type` field.
Prior to versi...
packagist
No PRs yet
Dagu affected by unauthenticated RCE via inline DAG spec in default configuration
GHSA-6qr9-g2xw-cw92 CRITICAL 3 days ago
### Summary
Dagu's default configuration ships with authentication disabled. The `POST /api/v2/dag-runs` endpoint accepts an inline YAML spec and e...
go
No PRs yet
OpenClaw has a path traversal in apply_patch that could write/delete files outside the workspace
GHSA-r5fq-947m-xm57 HIGH 4 days ago
## Summary
In affected versions, when `apply_patch` was enabled and the agent ran without filesystem sandbox containment, crafted paths could caus...
npm
No PRs yet
Flask session does not add `Vary: Cookie` header when accessed in some ways
GHSA-68rp-wp8r-4726 CVE-2026-27205 LOW 4 days ago
When the `session` object is accessed, Flask should set the `Vary: Cookie` header. This instructs caches not to cache the response, as it may conta...
pypi
146
Dependabot PRs
Pannellum has an XSS vulnerability in hot spot attributes
GHSA-8423-w5wx-h2r6 CVE-2026-27210 MODERATE 4 days ago
### Impact
The hot spot `attributes` configuration property allowed any attribute to be set, including HTML event handler attributes, allowing for ...
npm
No PRs yet
Werkzeug safe_join() allows Windows special device names
GHSA-29vq-49wr-vm6x CVE-2026-27199 MODERATE 4 days ago
Werkzeug's `safe_join` function allows Windows device names as filenames when preceded by other path segments.
This was previously reported as ...
pypi
69
Dependabot PRs
Feathers exposes internal headers via unencrypted session cookie
GHSA-9m9c-vpv5-9g85 CVE-2026-27193 HIGH 4 days ago
All HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients.
...
npm
No PRs yet
Feathers has an origin validation bypass via prefix matching
GHSA-mp4x-c34x-wv3x CVE-2026-27192 HIGH 4 days ago
The origin validation uses `startsWith()` for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefi...
npm
No PRs yet
Feathers has an open redirect in OAuth callback that enables account takeover
GHSA-ppf9-4ffw-hh4p CVE-2026-27191 HIGH 4 days ago
### Description
The `redirect` query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via UR...
npm
No PRs yet
Deno has a Command Injection via Incomplete shell metacharacter blocklist in node:child_process
GHSA-hmh4-3xvx-q5hr CVE-2026-27190 HIGH 4 days ago
## Summary
A command injection vulnerability exists in Deno's `node:child_process` implementation.
## Reproduction
```javascript
import { spawnSy...
cargo
No PRs yet
Formwork Improperly Managed Privileges in User creation
GHSA-34p4-7w83-35g2 CVE-2026-27198 HIGH 4 days ago
### Summary
The application fails to properly enforce role-based authorization during account creation. Although the system validates that the spe...
packagist
No PRs yet
Statamic affected by privilege escalation via stored cross-site scripting
GHSA-8r7r-f4gm-wcpq CVE-2026-27196 HIGH 4 days ago
## Impact
Stored XSS vulnerability in `html` fieldtypes allows authenticated users with field management permissions to inject malicious JavaScript...
packagist
No PRs yet
CPU exhaustion in SvelteKit remote form deserialization (experimental only)
GHSA-88qp-p4qg-rqm6 MODERATE 4 days ago
Versions of `@sveltejs/kit` prior to 2.52.2 with remote functions enabled are vulnerable to CPU exhaustion. Malformed form data can cause the serve...
npm
No PRs yet
Memory exhaustion in SvelteKit remote form deserialization (experimental only)
GHSA-vrhm-gvg7-fpcf MODERATE 4 days ago
Versions of `@sveltejs/kit` prior to 2.52.2 with remote functions enabled can be vulnerable to memory exhaustion. Malformed form data can cause the...
npm
No PRs yet
devalue affected by CPU and memory amplification from sparse arrays
GHSA-33hq-fvwr-56pm LOW 4 days ago
Under certain circumstances, serializing sparse arrays using `uneval` or `stringify` could cause CPU and/or memory exhaustion. When this occurs on ...
npm
No PRs yet
devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed
GHSA-8qm3-746x-r74r LOW 4 days ago
Under certain circumstances, `uneval`ing untrusted data can produce output code that will create objects with polluted prototypes when later `eval`...
npm
No PRs yet
D-Tale affected by Remote Code Execution through the /save-column-filter endpoint
GHSA-c87c-78rc-vmv2 CVE-2026-27194 HIGH 4 days ago
### Impact
Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server.
### Pa...
pypi
No PRs yet
Svelte SSR attribute spreading includes inherited properties from prototype chain
GHSA-crpf-4hrx-3jrp CVE-2026-27125 MODERATE 4 days ago
In server-side rendering, attribute spreading on elements (e.g. `<div {...attrs}>`) enumerates inherited properties from the object's prototype cha...
npm
No PRs yet
Prototype pollution in swiper
GHSA-hmx5-qpq5-p643 CVE-2026-27212 CRITICAL 4 days ago
### Summary
A prototype pollution vulnerability exists in the npm package swiper (>=6.5.1, < 12.1.2). Despite a previous fix that attempted to ...
npm
No PRs yet
eBay API MCP Server Affected by Environment Variable Injection
GHSA-97rm-xj73-33jh CVE-2026-27203 HIGH 4 days ago
The `ebay_set_user_tokens` tool allows updating the `.env` file with new tokens. The `updateEnvFile` function in `src/auth/oauth.ts` blindly append...
npm
No PRs yet
PyO3 has type confusion when accessing data from subclasses of subclasses of native types with `abi3` feature
GHSA-47qc-857f-7w7f HIGH 4 days ago
PyO3 0.28.1 added support for `#[pyclass(extends=PyList)] struct NativeSub` (and other native types) when targeting Python 3.12 and up with the `ab...
cargo
No PRs yet
Hono added timing comparison hardening in basicAuth and bearerAuth
GHSA-gq3j-xvxp-8hrf LOW 4 days ago
## Summary
The `basicAuth` and `bearerAuth` middlewares previously used a comparison that was not fully timing-safe.
The `timingSafeEqual` functi...
npm
No PRs yet
OpenClaw replaced a deprecated sandbox hash algorithm
GHSA-fh3f-q9qw-93j9 MODERATE 4 days ago
## Affected Packages / Versions
- npm package: `openclaw`
- Affected versions: `<= 2026.2.14`
- Fixed version (pre-set): `2026.2.15`
## Descriptio...
npm
No PRs yet
OpenClaw has a Web Fetch DoS via unbounded response parsing
GHSA-p536-vvpp-9mc8 MODERATE 4 days ago
### Summary
The `web_fetch` tool could be used to crash the OpenClaw Gateway process (OOM / resource exhaustion) by fetching and attempting to pars...
npm
No PRs yet
Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster
GHSA-4hfh-fch3-5q7p CVE-2026-27120 MODERATE 4 days ago
### Summary
`htmlEscaped` in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing es...
swift
No PRs yet
Cilium may not enforce host firewall policies when Native Routing, WireGuard and Node Encryption are enabled
GHSA-5r23-prx4-mqg3 CVE-2026-26963 MODERATE 4 days ago
### Impact
[Host Policies](https://docs.cilium.io/en/stable/security/policy/language/#host-policies) will incorrectly permit traffic from Pods on ...
go
No PRs yet
Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution
GHSA-xjw9-4gw8-4rqx CVE-2026-26030 CRITICAL 4 days ago
### Impact:
An RCE vulnerability has been identified in Microsoft Semantic Kernel Python SDK, specifically within the `InMemoryVectorStore` filter ...
pypi
No PRs yet
jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)
GHSA-p5xg-68wr-hm3m CVE-2026-25940 HIGH 4 days ago
### Impact
User control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions....
npm
110
Dependabot PRs
jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method
GHSA-9vjf-qc39-jprp CVE-2026-25755 HIGH 4 days ago
### Impact
User control of the argument of the `addJS` method allows an attacker to inject arbitrary PDF objects into the generated document. By c...
npm
110
Dependabot PRs
carbon-apimgt does not properly restrict uploaded files
GHSA-p6jf-79j3-33f3 CVE-2025-13590 CRITICAL 4 days ago
A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the deployment via a system REST...
maven
No PRs yet