Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,921 Total Advisories · 1,821 With Dependabot PRs · 3,520 Critical Severity · 8,659 High Severity
Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection
GHSA-fwxx-wv44-7qfg CVE-2025-41253 HIGH about 2 months ago
The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system propertie...
maven
No PRs yet
Spring Framework STOMP over WebSocket applications may allow attackers to send unauthorized messages
GHSA-7fch-4f2f-jcgm CVE-2025-41254 MODERATE about 2 months ago
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.
### Affected Sprin...
maven
No PRs yet
GeoIP processor disables SSL certificate validation when downloading databases
GHSA-3xgr-h5hq-7299 MODERATE about 2 months ago
### Impact
The GeoIP processor in Data Prepper was configured to trust all SSL certificates and disable hostname verification when downloading Geo...
maven
No PRs yet
OpenSearch Data Prepper uses deprecated SSL protocol identifier
GHSA-28gg-8qqj-fhh5 MODERATE about 2 months ago
### Impact
The GeoIP processor and Kafka source and buffer were using the deprecated "SSL" protocol identifier when creating SSL contexts, potenti...
maven
No PRs yet
OpenSearch Data Prepper plugins trust all SSL certificates by default
GHSA-43ff-rr26-8hx4 CVE-2025-62371 HIGH about 2 months ago
### Impact
The OpenSearch sink and source plugins in Data Prepper are configured to trust all SSL certificates by default when no certificate path...
maven
No PRs yet
Netty has SMTP Command Injection Vulnerability that Allows Email Forgery
GHSA-jq43-27x9-3v86 CVE-2025-59419 HIGH about 2 months ago
### Summary
An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP codec allows a remote attacker who can control SMTP command pa...
maven
No PRs yet
Apache Spark has Inadequate Encryption Strength
GHSA-6p6v-m64v-jx8q CVE-2025-55039 MODERATE about 2 months ago
This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0.
Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure defau...
maven
No PRs yet
JDBC Driver for SQL Server has improper input validation issue
GHSA-m494-w24q-6f7w CVE-2025-59250 HIGH about 2 months ago
Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.
maven
No PRs yet
Apache Geode web-api is vulnerable to Cross-site Scripting
GHSA-w595-4975-gm3h CVE-2024-44088 MODERATE about 2 months ago
Malicious script injection ('Cross-site Scripting') vulnerability in Apache Geode web-api (REST). This vulnerability allows an attacker that tricks...
maven
No PRs yet
Liferay has Incorrect Permission Assignment for Critical Resource
GHSA-j4f7-gj7q-xg9m CVE-2025-62251 MODERATE about 2 months ago
Liferay Portal 7.3.0 through 7.4.3.119, and Liferay DXP 2023.Q3.1 through 2023.Q3.8, 2023.Q4.0 through 2023.Q4.5, 7.4 GA through update 92 and 7.3 ...
maven
No PRs yet
Liferay Mentions Web is Vulnerable to Cross-site Scripting
GHSA-mj68-2xr5-28xh CVE-2025-62246 MODERATE about 2 months ago
Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay D...
maven
No PRs yet
Liferay Commerce Order Content Web is Vulnerable to Authorization Bypass Through User-Controlled Key
GHSA-fhcw-px4q-pmvv CVE-2025-62241 MODERATE about 2 months ago
Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticate...
maven
No PRs yet
Liferay is Vulnerable to Authorization Bypass Through User-Controlled Key
GHSA-pfwq-mr9g-gq6m CVE-2025-62252 MODERATE about 2 months ago
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 20...
maven
No PRs yet
Liferay Account Admin Web vulnerable to Authorization Bypass Through User-Controlled Key
GHSA-3cm9-jrf5-h2cx CVE-2025-62242 MODERATE about 2 months ago
Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0...
maven
No PRs yet
Liferay Publications is vulnerable to Incorrect Authorization
GHSA-894w-w643-qvxv CVE-2025-62243 MODERATE about 2 months ago
Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through ...
maven
No PRs yet
Liferay Publications vulnerable to Authorization Bypass Through User-Controlled Key
GHSA-2hfj-jv6q-762v CVE-2025-62244 MODERATE about 2 months ago
Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through ...
maven
No PRs yet
Liferay Portal is vulnerable to CSRF through publication comments
GHSA-9676-rh83-cr86 CVE-2025-62245 MODERATE about 2 months ago
Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 t...
maven
No PRs yet
PowerJob OpenAPIController is missing authorization
GHSA-9wq6-87hw-6mhc CVE-2025-11581 MODERATE about 2 months ago
A security vulnerability has been detected in PowerJob up to 5.1.2. This vulnerability affects unknown code of the file /openApi/runJob of the comp...
maven
No PRs yet
Liferay Portal Commerce is vulnerable to XSS through account "name" field
GHSA-m4g9-5mg6-gfr3 CVE-2025-62237 MODERATE about 2 months ago
Stored cross-site scripting (XSS) vulnerability in Commerce’s view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4....
maven
No PRs yet
Liferay Portal is vulnerable to XSS through its workflow process builder
GHSA-xcvw-hh99-qm73 CVE-2025-62239 MODERATE about 2 months ago
Cross-site scripting (XSS) vulnerability in workflow process builder in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 throug...
maven
No PRs yet
Liferay Portal's Membership page is vulnerable to XSS through “name” text field
GHSA-xw6m-3m5q-mxpm CVE-2025-62238 MODERATE about 2 months ago
Stored cross-site scripting (XSS) vulnerability on the Membership page in Account Settings in Liferay Portal 7.4.3.21 through 7.4.3.111, and Lifera...
maven
No PRs yet
Elasticsearch: Insertion of Sensitive Information into Log File via reindex API
GHSA-56r7-h6mw-rcfv CVE-2025-37727 MODERATE about 2 months ago
Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requ...
maven
No PRs yet
Apache StreamPark contains an Incorrect Execution-Assigned Permissions vulnerability
GHSA-6wwv-6mm3-pp76 CVE-2025-30001 HIGH about 2 months ago
Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users a...
maven
No PRs yet
Liferay Portal is vulnerable to XSS through its Calendar Events parameters
GHSA-5264-m964-7pg9 CVE-2025-62240 MODERATE about 2 months ago
Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 th...
maven
No PRs yet
Apache Flink CDC is vulnerable to SQL Injection through maliciously crafted identifiers
GHSA-wqm3-w3p6-xjgm CVE-2025-62228 MODERATE about 2 months ago
Apache Flink CDC versions 3.0.0 to before 3.5.0 are vulnerable to SQL injection via maliciously crafted identifiers, e.g. a crafted database name or c...
maven
No PRs yet
Keycloak Potential Variable Reference in Model Storage Services
GHSA-8hxp-qmph-w5gq CVE-2025-9162 MODERATE 2 months ago
A flaw was found in org.keycloak/keycloak-model-storage-service. The `KeycloakRealmImport` custom resource substitutes placeholders within imported...
maven
No PRs yet
Opencast's Paella Player 7 is vulnerable to Cross-Site Scripting
GHSA-m2vg-rmq6-p62r CVE-2025-61788 MODERATE 2 months ago
Prior to Opencast 17.8 and 18.2 the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodi...
maven
No PRs yet
Liferay Portal Notifications Widget has multiple XSS vulnerabilities through various text fields
GHSA-q8fj-76q7-4p7h CVE-2025-43771 MODERATE 2 months ago
Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023...
maven
No PRs yet
Liferay Portal is vulnerable to Stored XSS through Forms text type field
GHSA-378f-8q54-3fqx CVE-2025-43830 MODERATE 2 months ago
Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 20...
maven
No PRs yet
Liferay Portal Commerce Shop is vulnerable to Stored XSS through SVG file
GHSA-893r-jr58-3hxr CVE-2025-43829 MODERATE 2 months ago
Stored Cross-Site Scripting (XSS) vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP ...
maven
No PRs yet
Liferay Portal is vulnerable to XSS through its Commerce Product's Name text field
GHSA-fjrp-77f3-43xj CVE-2025-43821 MODERATE 2 months ago
Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP...
maven
No PRs yet
Liferay Portal has multiple Stored XSS vulnerabilities on its View Order page
GHSA-4mqx-4p8g-995w CVE-2025-43822 MODERATE 2 months ago
Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.15 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4....
maven
No PRs yet
Liferay Portal is vulnerable to XSS through its Commerce Search Result widget
GHSA-xx7h-2wf7-hc7p CVE-2025-43823 MODERATE 2 months ago
Cross-site scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 be...
maven
No PRs yet
Liferay Profile Widget does not prevent vCard extension spoofing
GHSA-pfxj-gvqg-mj44 CVE-2025-43824 MODERATE 2 months ago
The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3....
maven
No PRs yet
XWiki Platform is vulnerable to HQL injection via wiki and space search REST API
GHSA-gprp-h92g-gc2h CVE-2025-52472 CRITICAL 2 months ago
### Impact
The REST search URL is vulnerable to HQL injection via the `orderField` parameter. The specified value is added twice in the query, tho...
maven
No PRs yet
XWiki OIDC Authenticator: Users with "view" access can create tokens for any users they can view
GHSA-f2hf-pfrj-vrm7 CVE-2025-49594 CRITICAL 2 months ago
### Impact
Anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authent...
maven
No PRs yet
Liferay Portal exposes sensitive user data through its Freemarker template
GHSA-rggc-gf6w-9q73 CVE-2025-43825 MODERATE 2 months ago
A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 thro...
maven
No PRs yet
Apache Kylin Authentication Bypass Vulnerability
GHSA-mr9j-4j48-xcm2 CVE-2025-61733 HIGH 2 months ago
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin.
This issue affects Apache Kylin: from 4.0.0 through 5.0.2....
maven
No PRs yet
Apache Kylin Files or Directories Accessible to External Parties
GHSA-p86w-w5rh-m3hx CVE-2025-61734 HIGH 2 months ago
Files or Directories Accessible to External Parties vulnerability in Apache Kylin.
You are fine as long as Kylin's system and project admin ac...
maven
No PRs yet
Apache Kylin Server-Side Request Forgery (SSRF) Vulnerability
GHSA-f6m8-qm7j-fh65 CVE-2025-61735 HIGH 2 months ago
Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin.
This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long ...
maven
No PRs yet
QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
GHSA-25qh-j22f-pwp8 CVE-2025-11226 MODERATE 2 months ago
QOS.CH logback-core versions up to 1.5.18 contain an ACE vulnerability in conditional configuration file processing in Java applications. This vuln...
maven
42 Dependabot PRs · 4% Merged
Liferay Portal Vulnerable to XSS in Web Content translation
GHSA-qh92-cr5f-3595 CVE-2025-43826 MODERATE 2 months ago
Stored cross-site scripting (XSS) vulnerabilities in Web Content translation in Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versi...
maven
No PRs yet
Liferay Portal Vulnerable to IDOR via audit events
GHSA-pw86-qvx9-34r7 CVE-2025-43827 MODERATE 2 months ago
Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, ...
maven
No PRs yet
Liferay Portal vulnerable to cross-site scripting in the related asset selector
GHSA-2856-xf2f-6vrf CVE-2025-43811 MODERATE 2 months ago
Multiple stored cross-site scripting (XSS) vulnerabilities in the related asset selector in Liferay Portal 7.4.3.50 through 7.4.3.111, and Liferay DX...
maven
No PRs yet
Liferay Portal vulnerable to reflected cross-site scripting on the page configuration page
GHSA-wmjx-xv9v-r89q CVE-2025-43815 MODERATE 2 months ago
Reflected cross-site scripting (XSS) vulnerability on the page configuration page in Liferay Portal 7.4.3.102 through 7.4.3.110, and Liferay DXP 20...
maven
No PRs yet
Liferay Portal vulnerable to path traversal and denial-of-service in the ComboServlet
GHSA-2hm7-r8f3-423h CVE-2025-43813 MODERATE 2 months ago
Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal 7.4.0 through 7.4.3.107, and older unsupported ve...
maven
No PRs yet
Liferay Portal vulnerable to cross-site scripting in the Calendar widget
GHSA-pf86-4w35-cj89 CVE-2025-43820 MODERATE 2 months ago
Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to an event in Liferay Portal 7.4.3.35 through 7.4.3....
maven
No PRs yet
Liferay Portal vulnerable to reflected cross-site scripting via the `redirect` parameter
GHSA-m4hg-46pw-6mmv CVE-2025-43817 MODERATE 2 months ago
Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023....
maven
No PRs yet
Liferay Portal vulnerable to cross-site scripting in the Calendar widget
GHSA-gj92-p9mh-83j8 CVE-2025-43818 MODERATE 2 months ago
Cross-site scripting (XSS) vulnerability in the Calendar widget in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 202...
maven
No PRs yet
Liferay Portal vulnerable to cross-site scripting in the web content template
GHSA-jv8x-mm3v-75r7 CVE-2025-43812 MODERATE 2 months ago
Cross-site scripting (XSS) vulnerability in web content template in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 202...
maven
No PRs yet