An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 23,521
With Dependabot PRs: 1,693
Critical Severity: 3,384
High Severity: 8,238

OpenFGA Authorization Bypass
GHSA-mgh9-4mwp-fg55 CVE-2025-55213 MODERATE 3 months ago
### Overview OpenFGA v1.9.3 to v1.9.4 ( openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v.1.9.4) are vulnerable to improper pol...
go
No PRs yet
Capsule tenant owners with "patch namespace" permission can hijack system namespaces label
GHSA-fcpm-6mxq-m5vv CVE-2025-55205 CRITICAL 3 months ago
### Summary A namespace label injection vulnerability in Capsule v0.10.3 allows authenticated tenant users to inject arbitrary labels into system n...
go
No PRs yet
HashiCorp go-getter Vulnerable to Symlink Attacks
GHSA-wjrx-6529-hcj3 CVE-2025-8959 HIGH 3 months ago
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designa...
go
240
Dependabot PRs
15%
Merged
Information Disclosure in Amazon ECS Container Agent
GHSA-wm7x-ww72-r77q CVE-2025-9039 MODERATE 3 months ago
**Summary** [Amazon Elastic Container Service (Amazon ECS)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html) is a fully ma...
go
No PRs yet
Helm May Panic Due To Incorrect YAML Content
GHSA-f9f8-9pmf-xv68 CVE-2025-55198 MODERATE 3 months ago
A Helm contributor discovered an improper validation of type error when parsing Chart.yaml and index.yaml files that can lead to a panic. ### Impa...
go
361
Dependabot PRs
18%
Merged
Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion
GHSA-9h84-qmv7-982p CVE-2025-55199 MODERATE 3 months ago
A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and h...
go
361
Dependabot PRs
18%
Merged
External Secrets Operator's Missing Namespace Restriction Allows Unauthorized Secret Access
GHSA-fcxq-v2r3-cc8h CVE-2025-55196 HIGH 3 months ago
## Summary A vulnerability was discovered in the External Secrets Operator where the `List()` calls for Kubernetes Secret and SecretStore resources...
go
No PRs yet
OliveTin OS Command Injection vulnerability
GHSA-p3qf-84rg-jxfc CVE-2025-50946 HIGH 3 months ago
OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go.
go
No PRs yet
Komari vulnerable to 2FA Authentication Bypass
GHSA-jhmr-57cj-q6g9 HIGH 3 months ago
### Summary Logic error in 2FA verification condition allows bypass of two-factor authentication ### Details https://github.com/komari-monitor/k...
go
No PRs yet
Komari vulnerable to Cross-site WebSocket Hijacking
GHSA-q355-h244-969h HIGH 3 months ago
### Summary WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users ...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-qjrx-j8wm-xf83 CVE-2025-8285 MODERATE 3 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check the access of the user to the channel which allows attackers to create channel subscrip...
go
No PRs yet
Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions
GHSA-gjpm-6w34-ppvf CVE-2025-54463 MODERATE 3 months ago
Mattermost Confluence Plugin versions < 1.5.0 fails to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits t...
go
No PRs yet
Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions
GHSA-vc77-c2hx-h5x2 CVE-2025-52931 HIGH 3 months ago
Mattermost Confluence Plugin versions < 1.5.0 fails to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits t...
go
No PRs yet
Mattermost Confluence Plugin has Improper Validation of Specified Type of Input
GHSA-3cg3-3mmr-w8hj CVE-2025-54525 HIGH 3 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-j66h-xhpr-7q5g CVE-2025-54458 MODERATE 3 months ago
Mattermost Confluence Plugin versions < 1.5.0 fails to check user access of the Confluence space, allowing attackers to create a subscription to a ...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-v6c8-g53h-mc2h CVE-2025-53910 MODERATE 3 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, allowing attackers to create a channel subscription without...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-42m6-5vm7-fjv2 CVE-2025-53857 LOW 3 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, allowing attackers to get channel subscription details with...
go
No PRs yet
Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions
GHSA-w92j-c6gr-hj8r CVE-2025-53514 MODERATE 3 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits t...
go
No PRs yet
Mattermost Confluence Plugin is Missing Authentication for Critical Function
GHSA-qpjq-c5hr-7925 CVE-2025-54478 HIGH 3 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to enforce user authentication of the Mattermost instance, allowing unauthenticated attackers to...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-rfg4-2m63-fw2q CVE-2025-49221 LOW 3 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to enforce authentication of the user to the Mattermost instance, which allows unauthenticated a...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-cmpr-8prq-w5p5 CVE-2025-48731 MODERATE 3 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to Confluence spaces, which allows attackers to edit subscriptions for Conf...
go
No PRs yet
Mattermost Confluence Plugin is Missing Authentication for Critical Function
GHSA-6ff3-jgxh-vffj CVE-2025-44004 HIGH 3 months ago
Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to creat...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-vpcr-fqpc-386h CVE-2025-44001 MODERATE 3 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, which allows attackers to get channel subscription details ...
go
No PRs yet
OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
GHSA-2q8q-8fgw-9p6p CVE-2025-55001 MODERATE 3 months ago
### Impact OpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using t...
go
1
Dependabot PRs
100%
Merged
OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse
GHSA-rxp7-9q75-vj3p CVE-2025-55003 MODERATE 3 months ago
### Impact OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normali...
go
1
Dependabot PRs
100%
Merged
OpenBao TOTP Secrets Engine Code Reuse
GHSA-f7c3-mhj2-9pvg CVE-2025-55000 MODERATE 3 months ago
### Impact OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normaliz...
go
1
Dependabot PRs
100%
Merged
OpenBao has a Timing Side-Channel in the Userpass Auth Method
GHSA-hh28-h22f-8357 CVE-2025-54999 LOW 3 months ago
### Impact When using OpenBao's `userpass` auth method, user enumeration was possible due to timing difference between non-existent users and user...
go
1
Dependabot PRs
100%
Merged
OpenBao Userpass and LDAP User Lockout Bypass
GHSA-j3xv-7fxp-gfhx CVE-2025-54998 MODERATE 3 months ago
### Impact Attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different...
go
1
Dependabot PRs
100%
Merged
Privileged OpenBao Operator May Execute Code on the Underlying Host
GHSA-xp75-r577-cvhp CVE-2025-54997 CRITICAL 3 months ago
### Impact Under certain threat models, OpenBao operators with privileged API access may not be system administrators and thus normally lack the a...
go
1
Dependabot PRs
100%
Merged
OpenBao Root Namespace Operator May Elevate Token Privileges
GHSA-vf84-mxrq-crqc CVE-2025-54996 HIGH 3 months ago
### Impact Accounts with access to the highly-privileged identity entity system in the root namespace may increase their scope directly to the `ro...
go
1
Dependabot PRs
100%
Merged
operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd
GHSA-856v-8qm2-9wjv CVE-2025-7195 MODERATE 3 months ago
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK...
go
No PRs yet
Ollama allows deletion of arbitrary files
GHSA-93jv-pvg8-hf3v CVE-2025-44779 MODERATE 3 months ago
An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull.
go
No PRs yet
github.com/go-acme/lego/v4/acme/api does not enforce HTTPS
GHSA-q82r-2j7m-9rv4 CVE-2025-54799 LOW 3 months ago
## Summary It was discovered that the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce H...
go
1
Dependabot PRs
100%
Merged
HashiCorp Vault ldap auth method may not have correctly enforced MFA
GHSA-7rx2-769v-hrwf CVE-2025-6013 MODERATE 3 months ago
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had mul...
go
1
Dependabot PRs
100%
Merged
Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder
GHSA-qx2q-88mx-vhg7 CVE-2025-54801 HIGH 3 months ago
### Description When using Fiber's `Ctx.BodyParser` to parse form data containing a large numeric key that represents a slice index (e.g., `test.1...
go
No PRs yet
RatPanel can perform remote command execution without authorization
GHSA-fm3m-jrgm-5ppg CVE-2025-53534 HIGH 3 months ago
### Summary * When an attacker obtains the backend login path of RatPanel (including but not limited to weak default paths, brute-force cracking, ...
go
No PRs yet
Grafana Infinity Datasource Plugin SSRF Vulnerability
GHSA-3c93-92r7-j934 CVE-2025-8341 MODERATE 3 months ago
Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing...
go
No PRs yet
Hashicorp Vault has Incorrect Validation for Non-CA Certificates
GHSA-6c5r-4wfc-3mcx CVE-2025-6037 MODERATE 3 months ago
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certi...
go
12
Dependabot PRs
Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users
GHSA-mwgr-84fv-3jh9 CVE-2025-6011 LOW 3 months ago
A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-ex...
go
13
Dependabot PRs
7%
Merged
Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse
GHSA-qv3p-fmv3-9hww CVE-2025-6014 MODERATE 3 months ago
Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed ...
go
13
Dependabot PRs
7%
Merged
Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration
GHSA-mr4h-qf9j-f665 CVE-2025-6000 CRITICAL 3 months ago
A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a ...
go
13
Dependabot PRs
7%
Merged
Hashicorp Vault has Lockout Feature Authentication Bypass
GHSA-qgj7-fmq2-6cc4 CVE-2025-6004 MODERATE 3 months ago
Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Communit...
go
13
Dependabot PRs
7%
Merged
Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability
GHSA-v6r4-35f9-9rpw CVE-2025-6015 MODERATE 3 months ago
Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1....
go
13
Dependabot PRs
7%
Merged
Hashicorp Vault has Privilege Escalation Vulnerability
GHSA-6h4p-m86h-hhgh CVE-2025-5999 HIGH 3 months ago
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privi...
go
8
Dependabot PRs
25%
Merged
1Panel agent certificate verification bypass leading to arbitrary command execution
GHSA-8j63-96wh-wh3j CVE-2025-54424 HIGH 3 months ago
### Project Address: Project Address [1Panel](https://github.com/1Panel-dev/1Panel) ### Official website: https://www.1panel.cn/ ### Time: 2025 07 ...
go
No PRs yet
Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution
GHSA-q6gg-9f92-r9wg CVE-2025-54386 HIGH 3 months ago
### Summary A path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP a...
go
No PRs yet
OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion
GHSA-7rh7-c77v-6434 CVE-2025-54576 CRITICAL 3 months ago
### Impact This vulnerability affects oauth2-proxy deployments using the `skip_auth_routes` configuration option with regex patterns. The vulnerabi...
go
3
Dependabot PRs
OAuth2-Proxy's `--gitlab-group` GitLab Group Authorization config flag stopped working in v7.0.0
GHSA-652x-m2gr-hppm CVE-2021-21411 MODERATE 3 months ago
The `--gitlab-group` flag for group-based authorization in the GitLab provider stopped working in the v7.0.0 release. Regardless of the flag setti...
go
No PRs yet
Moby firewalld reload removes bridge network isolation
GHSA-4vq8-7jfc-9cvp CVE-2025-54410 LOW 3 months ago
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various o...
go
No PRs yet
Moby firewalld reload makes published container ports accessible from remote hosts
GHSA-x4rx-4gw3-53p4 CVE-2025-54388 MODERATE 3 months ago
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various o...
go
707
Dependabot PRs
24%
Merged