Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,784 Total Advisories
1,790 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity
Apache Druid’s Kerberos authenticator uses a weak fallback secret
GHSA-w88f-4875-99c8 CVE-2025-59390 CRITICAL 1 day ago
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration ...
maven
No PRs yet
OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization
GHSA-g9gq-3pfx-2gw2 CVE-2025-66021 HIGH 2 days ago
### Summary
It is observed that OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows `noscript` and `style` tags with `allowT...
maven
No PRs yet
OpenSearch is vulnerable to DoS via complex query_string inputs
GHSA-mw3v-mmfw-3x2g CVE-2025-9624 HIGH 2 days ago
A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs.
This issue affects all ...
maven
No PRs yet
GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature
GHSA-fjf5-xgmq-5525 CVE-2025-58360 HIGH 2 days ago
## Description
An XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint ``/geoserv...
maven
No PRs yet
GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format
GHSA-w66h-j855-qr72 CVE-2025-21621 MODERATE 2 days ago
### Summary
A reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker...
maven
No PRs yet
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
GHSA-93vm-mqpw-8wh3 CVE-2025-13467 MODERATE 2 days ago
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deseriali...
maven
No PRs yet
Apache Syncope's AES encryption stores hard-coded passwords in internal database
GHSA-jqg8-m35q-jh7j CVE-2025-65998 HIGH 3 days ago
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default opt...
maven
No PRs yet
Resty has a Path Traversal vulnerability
GHSA-cv3m-hxpc-4hvm CVE-2025-13435 LOW 7 days ago
A security vulnerability has been detected in Dreampie Resty versions up to the 1.3.1.SNAPSHOT. This affects the function Request of the file /rest...
maven
No PRs yet
Apache Causeway vulnerable to deserialization in Java
GHSA-wq4c-57mh-5f7g CVE-2025-64408 CRITICAL 8 days ago
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These v...
maven
No PRs yet
XWiki view file macro: User can view content of office file without view rights on the attachment
GHSA-8c52-x9w7-vc95 CVE-2025-65089 MODERATE 9 days ago
### Summary
A user with no view rights on a page may see the content of an office attachment displayed with the view file macro.
### Details
If on...
maven
No PRs yet
Eclipse Jersey has a Race Condition
GHSA-7p63-w6x9-6gr7 CVE-2025-12383 CRITICAL 9 days ago
In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, ...
maven
No PRs yet
XWiki AdminTools application doesn't set permissions on the AdminTools space
GHSA-v7r8-8p5c-h4xw CVE-2025-54990 MODERATE 9 days ago
### Impact
Users without admin rights have access to `AdminTools.SpammedPages`.
### Details
View rights are not restricted only to admin users f...
maven
No PRs yet
lsFusion Platform has a Path Traversal vulnerability
GHSA-gwwr-j923-vq7r CVE-2025-13262 MODERATE 11 days ago
A vulnerability was determined in lsfusion platform up to 6.1. Affected by this vulnerability is the function UploadFileRequestHandler of the file ...
maven
No PRs yet
vlife-base has Path Traversal vulnerability
GHSA-cg6m-9276-qpjj CVE-2025-13266 MODERATE 11 days ago
A security vulnerability has been detected in wwwlike vlife up to 2.0.1. This issue affects the function create of the file vlife-base/src/main/jav...
maven
No PRs yet
lsFusion Server is vulnerable to Path Traversal through its unpackFile function
GHSA-8wf8-frjg-xv74 CVE-2025-13265 MODERATE 11 days ago
A weakness has been identified in lsfusion platform up to 6.1. This vulnerability affects the function unpackFile of the file server/src/main/java/...
maven
No PRs yet
lsFusion Platform has a Path Traversal vulnerability
GHSA-5jpg-2rj5-964c CVE-2025-13261 MODERATE 11 days ago
A vulnerability was found in lsfusion platform up to 6.1. Affected is the function DownloadFileRequestHandler of the file web-client/src/main/java/...
maven
No PRs yet
Amazon Web Services Advanced JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance
GHSA-7xw4-g7mm-r4hh HIGH 14 days ago
### Description of Vulnerability:
An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A...
maven
No PRs yet
Keycloak allows Binding to an Unrestricted IP Address
GHSA-7m9g-pmxf-m9m8 CVE-2025-11538 MODERATE 14 days ago
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug W...
maven
No PRs yet
OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed
GHSA-39hr-239p-fhqc CVE-2025-64099 HIGH 15 days ago
### Summary
If the "claims_parameter_supported" parameter is activated, it is possible through the "oidc-claims-extension.groovy" script, to inject...
maven
No PRs yet
CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection
GHSA-6fhj-vr9j-g45r CVE-2025-64518 HIGH 17 days ago
### Impact
The XML [`Validator`](https://docs.oracle.com/javase/8/docs/api/javax/xml/validation/Validator.html) used by cyclonedx-core-java was no...
maven
2 Dependabot PRs
WSO2 Carbon Mediation vulnerable to XML External Entity (XXE) attacks
GHSA-fvfq-q238-j7j3 CVE-2025-10713 MODERATE 22 days ago
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses...
maven
No PRs yet
Protobuf Maven Plugin protocDigest is ignored when using protoc from PATH
GHSA-j2pc-v64r-mv4f LOW 23 days ago
### Summary
The expected `protocDigest` is ignored when protoc is taken from the `PATH`.
### Details
The documentation for the `protocDigest` para...
maven
No PRs yet
Liferay Portal and DXP do not check permissions of images in a blog entry
GHSA-xf7m-v66q-76w8 CVE-2025-62275 MODERATE 27 days ago
Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 20...
maven
No PRs yet
Liferay Portal and DXP use an incorrect cache-control header
GHSA-6533-fhr2-f38h CVE-2025-62276 MODERATE 27 days ago
The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023...
maven
No PRs yet
Liferay Portal and DXP affected by multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page
GHSA-q285-wfpg-93hr CVE-2025-62267 MODERATE 27 days ago
Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, a...
maven
No PRs yet
Liferay Portal Vulnerable to Reflected XSS via the selectedLanguageId Parameter
GHSA-2j97-4jmq-c4xf CVE-2025-62264 MODERATE 27 days ago
Reflected cross-site scripting (XSS) vulnerability in Language Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 thr...
maven
No PRs yet
Liferay Portal is vulnerable to XSS in the Blogs widget
GHSA-56jv-4ww3-65mw CVE-2025-62265 MODERATE 28 days ago
Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay...
maven
No PRs yet
Liferay Portal is vulnerable to DNS rebinding attacks
GHSA-f5vh-4rj2-w8r8 CVE-2025-62266 MODERATE 28 days ago
By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through ...
maven
No PRs yet
Liferay Portal vulnerable to password enumeration
GHSA-8hw3-ghwv-crfh CVE-2025-62257 MODERATE 29 days ago
Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 202...
maven
No PRs yet
Jenkins Publish to Bitbucket Plugin vulnerable to CSRF and missing permissions check
GHSA-m244-6mff-p355 CVE-2025-64149 MODERATE 29 days ago
Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Re...
maven
No PRs yet
Jenkins Publish to Bitbucket Plugin is missing a permissions check
GHSA-v549-7pm5-f8qr CVE-2025-64148 MODERATE 29 days ago
Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in a method implementing form validation.
This allows atta...
maven
No PRs yet
Jenkins Curseforge Publisher Plugin does not mask API Keys displayed on the job configuration form
GHSA-hv42-crpx-q355 CVE-2025-64147 MODERATE 29 days ago
Jenkins Curseforge Publisher Plugin 1.0 and earlier stores API Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its ...
maven
No PRs yet
Jenkins Publish to Bitbucket Plugin is missing a permissions check
GHSA-wpr5-rc2j-99p2 CVE-2025-64150 MODERATE 29 days ago
Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Re...
maven
No PRs yet
Jenkins Nexus Task Runner Plugin is missing a permission check
GHSA-h83r-7f9f-mqjj CVE-2025-64142 MODERATE 29 days ago
Jenkins Nexus Task Runner Plugin 0.9.2 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Rea...
maven
No PRs yet
Jenkins Nexus Task Runner Plugin vulnerable to cross-site request forgery
GHSA-x2pv-fph3-phfx CVE-2025-64141 MODERATE 29 days ago
Jenkins Nexus Task Runner Plugin 0.9.2 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Rea...
maven
No PRs yet
Jenkins Themis Plugin is missing a permission check
GHSA-jwm4-955w-4hj3 CVE-2025-64137 MODERATE 29 days ago
Jenkins Themis Plugin 1.4.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permissio...
maven
No PRs yet
Jenkins JDepend Plugin vulnerable to XML external entity attacks
GHSA-jfg6-4gx3-3v7w CVE-2025-64134 HIGH 29 days ago
Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML...
maven
No PRs yet
Jenkins SAML Plugin does not implement a replay cache
GHSA-j7r7-7qmf-xq87 CVE-2025-64131 HIGH 29 days ago
Jenkins SAML Plugin 4.583.vc68232f7018a_ and earlier does not implement a replay cache.
This allows attackers able to obtain information about the...
maven
No PRs yet
Jenkins Azure CLI Plugin does not restrict the commands it executes
GHSA-rh72-238f-g26q CVE-2025-64140 HIGH 29 days ago
Jenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller.
This allows attackers with Item/C...
maven
No PRs yet
Jenkins OpenShift Pipeline Plugin stores authorization tokens unencrypted in job config.xml files
GHSA-4653-9q2r-684q CVE-2025-64143 MODERATE 29 days ago
Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job `config.xml` files on the Jenkins controller as...
maven
No PRs yet
Jenkins Themis Plugin vulnerable to cross-site request forgery
GHSA-93mh-mx9w-m69q CVE-2025-64136 MODERATE 29 days ago
Jenkins Themis Plugin 1.4.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permissio...
maven
No PRs yet
Jenkins Curseforge Publisher Plugin stores API Keys unencrypted in job config.xml files
GHSA-23vj-j6jc-w892 CVE-2025-64146 MODERATE 29 days ago
Jenkins Curseforge Publisher Plugin 1.0 and earlier stores API Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its ...
maven
No PRs yet
Jenkins MCP Server Plugin does not perform permission checks in multiple MCP tools
GHSA-mrpq-9jr3-rqq9 CVE-2025-64132 MODERATE 29 days ago
Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in several MCP tools.
This allows to do the following...
maven
No PRs yet
Jenkins ByteGuard Build Actions Plugin does not mask API tokens displayed on the job configuration form
GHSA-vmm2-53rc-43v3 CVE-2025-64145 MODERATE 29 days ago
Jenkins ByteGuard Build Actions Plugin 1.0 and earlier stores API tokens unencrypted in job `config.xml` files on the Jenkins controller as part of...
maven
No PRs yet
Jenkins Start Windocks Containers Plugin is missing a permission check
GHSA-mj6v-4wr4-gj57 CVE-2025-64139 MODERATE 29 days ago
Jenkins Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overa...
maven
No PRs yet
Jenkins Start Windocks Containers Plugin vulnerable to cross-site request forgery
GHSA-6mgr-3374-4p3c CVE-2025-64138 MODERATE 29 days ago
Jenkins Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overa...
maven
No PRs yet
Jenkins Extensible Choice Parameter Plugin vulnerable to cross-site request forgery
GHSA-3jw2-5hjg-hc2c CVE-2025-64133 MODERATE 29 days ago
Jenkins Extensible Choice Parameter Plugin 239.v5f5c278708cf and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-...
maven
No PRs yet
Jenkins ByteGuard Build Actions Plugin stores API tokens unencrypted in job config.xml files
GHSA-2vmr-8c82-x8xq CVE-2025-64144 MODERATE 29 days ago
Jenkins ByteGuard Build Actions Plugin 1.0 and earlier stores API tokens unencrypted in job `config.xml` files on the Jenkins controller as part of...
maven
No PRs yet
Jenkins Eggplant Runner Plugin protection mechanism disabled
GHSA-w5r3-gr8w-7fj5 CVE-2025-64135 MODERATE 29 days ago
Jenkins Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier sets the Java system property `jdk.http.auth.tunneling.disabledSchemes` to an e...
maven
No PRs yet
InventoryGui allows item duplication in GUIs which use GuiStorageElement
GHSA-7whh-79j3-7c55 CVE-2025-62784 MODERATE about 1 month ago
### Impact
Any plugin using a GUI with the GuiStorageElement and allows taking out items out of that element.
### Patches
InventoryGui 1.6.5 (incl...
maven
No PRs yet