Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total advisories: 24,898
With Dependabot PRs: 1,815
Critical severity: 3,517
High severity: 8,651
Apache Tika has XXE vulnerability
GHSA-f58c-gq56-vjjf CVE-2025-66516 CRITICAL about 14 hours ago
Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an...
maven
No PRs yet
Central Dogma's Login Function Has an Open Redirect Vulnerability
GHSA-4hr2-xf7w-jf76 CVE-2025-11222 MODERATE about 16 hours ago
Impact: Successful exploitation of this vulnerability could allow an attacker to craft a malicious link that, when clicked by a victim, redirect...
maven
No PRs yet
Rhino has high CPU usage and potential DoS when passing specific numbers to `toFixed()` function
GHSA-3w8q-xq97-5j7x CVE-2025-66453 LOW 1 day ago
When an application passed an attacker controlled floating point number into the `toFixed()` function, it might lead to high CPU consumption and a pot...
maven
No PRs yet
BlazeMeter Jenkins Plugin is Missing Authorization for Available Resources
GHSA-fxp5-37mh-vff5 CVE-2025-13472 MODERATE 2 days ago
A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like c...
maven
No PRs yet
Keycloak unable to restrict access to the admin console
GHSA-vjr8-56p3-fmqq CVE-2025-10939 LOW 3 days ago
A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The...
maven
No PRs yet
Keycloak has debug default bind address
GHSA-j4vq-q93m-4683 CVE-2025-11538 MODERATE 3 days ago
A vulnerability exists in Keycloak's server distribution where enabling debug mode (`--debug`) insecurely defaults to binding the Java Debug Wire P...
maven
No PRs yet
XWiki Jetty Package (XJetty) allows accessing any application file through URL
GHSA-53gx-j3p6-2rw9 CVE-2025-55749 HIGH 4 days ago
Impact: In an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webap...
maven
No PRs yet
Apache Struts is Vulnerable to DoS via File Leak
GHSA-xx7v-hqxh-cjr9 CVE-2025-64775 HIGH 4 days ago
Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion.
This issue affects Apache Stru...
maven
No PRs yet
NutzBoot vulnerable to information disclosure
GHSA-qp56-qj59-hjf8 CVE-2025-13804 LOW 4 days ago
A security flaw has been discovered in nutzam NutzBoot up to 2.6.0-SNAPSHOT. The impacted element is an unknown function of the file nutzboot-demo/...
maven
No PRs yet
NutzBoot vulnerable to deserialization
GHSA-fgmj-6h3v-4q56 CVE-2025-13805 LOW 4 days ago
A weakness has been identified in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This affects the function getInputStream of the file nutzcloud/nutzcloud-li...
maven
No PRs yet
NutzBoot Incorrect Privilege Assignment vulnerability
GHSA-53v5-9752-qq92 CVE-2025-13806 MODERATE 4 days ago
A security vulnerability has been detected in nutzam NutzBoot up to 2.6.0-SNAPSHOT. This impacts an unknown function of the file nutzboot-demo/nutz...
maven
No PRs yet
LZ4 Java Compression has Out-of-bounds memory operations which can cause DoS
GHSA-vqf4-7m7x-wgfc CVE-2025-12183 HIGH 7 days ago
Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory vi...
maven
No PRs yet
Mustangproject allows exfiltrating files via XXE attacks
GHSA-x832-fpvj-r5ph CVE-2025-66372 LOW 7 days ago
Mustang before 2.16.3 allows exfiltrating files via XXE attacks.
maven
No PRs yet
ThingsBoard allows an authenticated user to upload malicious SVG images
GHSA-5p82-2q3r-wj3m CVE-2025-3261 MODERATE 8 days ago
ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cr...
maven
No PRs yet
Hive Metastore Server is vulnerable to SQL Injection
GHSA-932v-x9x2-vq29 CVE-2025-62728 HIGH 9 days ago
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability...
maven
No PRs yet
Apache Druid’s Kerberos authenticator uses a weak fallback secret
GHSA-w88f-4875-99c8 CVE-2025-59390 CRITICAL 9 days ago
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration ...
maven
No PRs yet
OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization
GHSA-g9gq-3pfx-2gw2 CVE-2025-66021 HIGH 9 days ago
Summary: It is observed that OWASP Java HTML Sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows `noscript` and `style` tags with `allowT...
maven
No PRs yet
OpenSearch is vulnerable to DoS via complex query_string inputs
GHSA-mw3v-mmfw-3x2g CVE-2025-9624 HIGH 9 days ago
A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs.
This issue affects all ...
maven
No PRs yet
GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature
GHSA-fjf5-xgmq-5525 CVE-2025-58360 HIGH 10 days ago
Description: An XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint ``/geoserv...
maven
No PRs yet
GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format
GHSA-w66h-j855-qr72 CVE-2025-21621 MODERATE 10 days ago
Summary: A reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker...
maven
No PRs yet
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
GHSA-93vm-mqpw-8wh3 CVE-2025-13467 MODERATE 10 days ago
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deseriali...
maven
No PRs yet
Apache Syncope's AES encryption stores hard-coded passwords in internal database
GHSA-jqg8-m35q-jh7j CVE-2025-65998 HIGH 11 days ago
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default opt...
maven
No PRs yet
Resty has a Path Traversal vulnerability
GHSA-cv3m-hxpc-4hvm CVE-2025-13435 LOW 15 days ago
A security vulnerability has been detected in Dreampie Resty versions up to the 1.3.1.SNAPSHOT. This affects the function Request of the file /rest...
maven
No PRs yet
Apache Causeway vulnerable to deserialization in Java
GHSA-wq4c-57mh-5f7g CVE-2025-64408 CRITICAL 16 days ago
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These v...
maven
No PRs yet
XWiki view file macro: User can view content of office file without view rights on the attachment
GHSA-8c52-x9w7-vc95 CVE-2025-65089 MODERATE 17 days ago
Summary: A user with no view rights on a page may see the content of an office attachment displayed with the view file macro.
Details: If on...
maven
No PRs yet
Eclipse Jersey has a Race Condition
GHSA-7p63-w6x9-6gr7 CVE-2025-12383 CRITICAL 17 days ago
In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, ...
maven
2 Dependabot PRs
XWiki AdminTools application doesn't set permissions on the AdminTools space
GHSA-v7r8-8p5c-h4xw CVE-2025-54990 MODERATE 17 days ago
Impact: Users without admin rights have access to `AdminTools.SpammedPages`.
Details: View rights are not restricted only to admin users f...
maven
No PRs yet
lsFusion Server is vulnerable to Path Traversal through its unpackFile function
GHSA-8wf8-frjg-xv74 CVE-2025-13265 MODERATE 18 days ago
A weakness has been identified in lsfusion platform up to 6.1. This vulnerability affects the function unpackFile of the file server/src/main/java/...
maven
No PRs yet
vlife-base has Path Traversal vulnerability
GHSA-cg6m-9276-qpjj CVE-2025-13266 MODERATE 18 days ago
A security vulnerability has been detected in wwwlike vlife up to 2.0.1. This issue affects the function create of the file vlife-base/src/main/jav...
maven
No PRs yet
lsFusion Platform has a Path Traversal vulnerability
GHSA-gwwr-j923-vq7r CVE-2025-13262 MODERATE 18 days ago
A vulnerability was determined in lsfusion platform up to 6.1. Affected by this vulnerability is the function UploadFileRequestHandler of the file ...
maven
No PRs yet
lsFusion Platform has a Path Traversal vulnerability
GHSA-5jpg-2rj5-964c CVE-2025-13261 MODERATE 18 days ago
A vulnerability was found in lsfusion platform up to 6.1. Affected is the function DownloadFileRequestHandler of the file web-client/src/main/java/...
maven
No PRs yet
Amazon Web Services Advanced JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance
GHSA-7xw4-g7mm-r4hh HIGH 21 days ago
Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A...
maven
No PRs yet
OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed
GHSA-39hr-239p-fhqc CVE-2025-64099 HIGH 22 days ago
Summary: If the "claims_parameter_supported" parameter is activated, it is possible through the "oidc-claims-extension.groovy" script, to inject...
maven
No PRs yet
CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection
GHSA-6fhj-vr9j-g45r CVE-2025-64518 HIGH 24 days ago
Impact: The XML [`Validator`](https://docs.oracle.com/javase/8/docs/api/javax/xml/validation/Validator.html) used by cyclonedx-core-java was no...
maven
2 Dependabot PRs
WSO2 Carbon Mediation vulnerable to XML External Entity (XXE) attacks
GHSA-fvfq-q238-j7j3 CVE-2025-10713 MODERATE 30 days ago
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses...
maven
No PRs yet
Protobuf Maven Plugin protocDigest is ignored when using protoc from PATH
GHSA-j2pc-v64r-mv4f LOW about 1 month ago
Summary: The expected `protocDigest` is ignored when protoc is taken from the `PATH`.
Details: The documentation for the `protocDigest` para...
maven
No PRs yet
Liferay Portal and DXP do not check permissions of images in a blog entry
GHSA-xf7m-v66q-76w8 CVE-2025-62275 MODERATE about 1 month ago
Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 20...
maven
No PRs yet
Liferay Portal and DXP use an incorrect cache-control header
GHSA-6533-fhr2-f38h CVE-2025-62276 MODERATE about 1 month ago
The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023...
maven
No PRs yet
Liferay Portal and DXP affected by multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page
GHSA-q285-wfpg-93hr CVE-2025-62267 MODERATE about 1 month ago
Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, a...
maven
No PRs yet
Liferay Portal Vulnerable to Reflected XSS via the selectedLanguageId Parameter
GHSA-2j97-4jmq-c4xf CVE-2025-62264 MODERATE about 1 month ago
Reflected cross-site scripting (XSS) vulnerability in Language Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 thr...
maven
No PRs yet
Liferay Portal is vulnerable to XSS in the Blogs widget
GHSA-56jv-4ww3-65mw CVE-2025-62265 MODERATE about 1 month ago
Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay...
maven
No PRs yet
Liferay Portal is vulnerable to DNS rebinding attacks
GHSA-f5vh-4rj2-w8r8 CVE-2025-62266 MODERATE about 1 month ago
By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through ...
maven
No PRs yet
Liferay Portal vulnerable to password enumeration
GHSA-8hw3-ghwv-crfh CVE-2025-62257 MODERATE about 1 month ago
Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 202...
maven
No PRs yet
Jenkins Publish to Bitbucket Plugin vulnerable to CSRF and missing permissions check
GHSA-m244-6mff-p355 CVE-2025-64149 MODERATE about 1 month ago
Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Re...
maven
No PRs yet
Jenkins Publish to Bitbucket Plugin is missing a permissions check
GHSA-v549-7pm5-f8qr CVE-2025-64148 MODERATE about 1 month ago
Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in a method implementing form validation.
This allows atta...
maven
No PRs yet
Jenkins Curseforge Publisher Plugin does not mask API Keys displayed on the job configuration form
GHSA-hv42-crpx-q355 CVE-2025-64147 MODERATE about 1 month ago
Jenkins Curseforge Publisher Plugin 1.0 and earlier stores API Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its ...
maven
No PRs yet
Jenkins Publish to Bitbucket Plugin is missing a permissions check
GHSA-wpr5-rc2j-99p2 CVE-2025-64150 MODERATE about 1 month ago
Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Re...
maven
No PRs yet
Jenkins OpenShift Pipeline Plugin stores authorization tokens unencrypted in job config.xml files
GHSA-4653-9q2r-684q CVE-2025-64143 MODERATE about 1 month ago
Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job `config.xml` files on the Jenkins controller as...
maven
No PRs yet
Jenkins ByteGuard Build Actions Plugin does not mask API tokens displayed on the job configuration form
GHSA-vmm2-53rc-43v3 CVE-2025-64145 MODERATE about 1 month ago
Jenkins ByteGuard Build Actions Plugin 1.0 and earlier stores API tokens unencrypted in job `config.xml` files on the Jenkins controller as part of...
maven
No PRs yet
Jenkins MCP Server Plugin does not perform permission checks in multiple MCP tools
GHSA-mrpq-9jr3-rqq9 CVE-2025-64132 MODERATE about 1 month ago
Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in several MCP tools.
This allows to do the following...
maven
No PRs yet