An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 25,050
With Dependabot PRs: 1,846
Critical Severity: 3,534
High Severity: 8,712

ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay
GHSA-6gvq-jcmp-8959 CVE-2025-68113 MODERATE about 1 hour ago
### Impact A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC ...
go hex maven +4 more
No PRs yet
LikeC4 has RCE through vulnerable React and Next.js versions
GHSA-vr6p-vq2p-6j74 CRITICAL about 4 hours ago
LikeC4 uses React and Next.js, which contain known RCE vulnerabilities, as seen in CVE-2025-55182. [2025-12-15] Edit: the last fixes published by ...
npm
No PRs yet
Misskey has a login rate limit bypass via spoofed X-Forwarded-For header
GHSA-wwrj-3hvj-prpm CVE-2025-66482 MODERATE about 5 hours ago
### Summary When using an untrusted reverse proxy or not using a reverse proxy at all, attackers can bypass IP rate limiting by adding a forged X-F...
npm
No PRs yet
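The bypass class named in the Misskey advisory above, as an added illustration that is not Misskey's code: a limiter keyed on the first X-Forwarded-For value can be reset by a direct client on every request, whereas one that only honours the header when the TCP peer is a proxy we operate (assumed here to be 10.0.0.5, which appends the true source address) keys on the real client. The attacker address, proxy address and attempt counts are constructed.

```javascript
// Added illustration of the X-Forwarded-For rate-limit bypass class; not Misskey's code.
// Assumption: our own reverse proxy sits at 10.0.0.5 and appends the real client to X-Forwarded-For.
const TRUSTED_PROXIES = new Set(['10.0.0.5']);

// Vulnerable resolver: believes the first X-Forwarded-For entry no matter who sent it.
function naiveClientIp(peerAddr, xff) {
  if (xff) return xff.split(',')[0].trim();
  return peerAddr;
}

// Hardened resolver: only consult the header when the TCP peer is a proxy we run,
// then walk the chain from the right and stop at the first hop we do not operate.
function clientIp(peerAddr, xff) {
  if (!TRUSTED_PROXIES.has(peerAddr)) return peerAddr;
  const hops = xff ? xff.split(',').map((h) => h.trim()).filter(Boolean) : [];
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(hops[i])) return hops[i];
  }
  return peerAddr;
}

// Fixed-window limiter keyed on whatever the resolver returns; true = request allowed.
function makeLimiter(resolveIp, maxAttempts) {
  const counts = new Map();
  return (peerAddr, headers) => {
    const key = resolveIp(peerAddr, headers['x-forwarded-for']);
    const n = (counts.get(key) || 0) + 1;
    counts.set(key, n);
    return n <= maxAttempts;
  };
}

// Constructed scenario: a client at 203.0.113.7 connects directly (no proxy in front)
// and forges a different X-Forwarded-For on each login attempt. Returns attempts allowed.
function forgedLoginAttempts(resolveIp, attempts) {
  const allow = makeLimiter(resolveIp, 3);
  let allowed = 0;
  for (let i = 0; i < attempts; i++) {
    if (allow('203.0.113.7', { 'x-forwarded-for': `192.0.2.${i}` })) allowed++;
  }
  return allowed;
}

// Constructed scenario: the same attacker behind our proxy, which appended the true source
// after the forged value the attacker supplied. Returns the key the limiter would use.
function viaProxyKey(resolveIp) {
  return resolveIp('10.0.0.5', '192.0.2.99, 203.0.113.7');
}
```

With no trusted proxy in front, the hardened resolver ignores the header entirely; behind the proxy it takes the rightmost hop that is not ours, which is the one the proxy itself wrote.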
misskey.js's export data contains private post data
GHSA-496g-mmpw-j9x3 CVE-2025-66402 HIGH about 5 hours ago
### Summary After adding private posts (followers, direct) that you do not have permission to view to your favorites or clips, you can export them...
npm
No PRs yet
Vuetify has a Prototype Pollution vulnerability
GHSA-3jp5-5f8r-q2wg CVE-2025-8083 HIGH 3 days ago
The Preset configuration feature of Vuetify is vulnerable to Prototype Pollution due to the internal 'mergeDeep' utility function used to merge opt...
npm
No PRs yet
Vuetify has a Cross-site Scripting (XSS) vulnerability in the VDatePicker component
GHSA-9w3x-85mw-4fwm CVE-2025-8082 MODERATE 3 days ago
Improper neutralization of the title date in the 'VDatePicker' component in Vuetify, allows unsanitized HTML to be inserted into the page. This can...
npm
No PRs yet
Lightning Flow Scanner Vulnerable to Code Injection via Unsafe Use of `new Function()` in APIVersion Rule
GHSA-55jh-84jv-8mx8 CVE-2025-67750 HIGH 3 days ago
### Impact The APIVersion rule uses `new Function()` to evaluate expression strings. A malicious crafted flow metadata file can cause arbitrary Jav...
npm
No PRs yet
Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up
GHSA-5j59-xgg2-r9c4 HIGH 3 days ago
It was found that the fix addressing [CVE-2025-55184](https://github.com/advisories/GHSA-2m3v-v2m8-q956) in React Server Components was incomplete ...
npm
No PRs yet
Vite Plugin React has a Source Code Exposure Vulnerability in React Server Components
GHSA-c6m7-q6pr-c64r MODERATE 3 days ago
### Impact `@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained a vulnerability in versions prior to 19.2.3. See details in Re...
npm
No PRs yet
Vite Plugin React has a Denial of Service Vulnerability in React Server Components
GHSA-cpqf-f22c-r95x HIGH 3 days ago
### Impact `@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained a vulnerability in versions prior to 19.2.3. See details in Re...
npm
No PRs yet
Denial of Service Vulnerability in React Server Components
GHSA-7gmr-mq3h-m5h9 CVE-2025-67779 HIGH 3 days ago
## Impact It was found that the fix to address [CVE-2025-55184](https://github.com/facebook/react/security/advisories/GHSA-2m3v-v2m8-q956) in Reac...
npm
6 Dependabot PRs
Next Server Actions Source Code Exposure
GHSA-w37m-7fhw-fmv9 MODERATE 4 days ago
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the ...
npm
No PRs yet
Next Vulnerable to Denial of Service with Server Components
GHSA-mwv6-3258-q52c HIGH 4 days ago
A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the ...
npm
No PRs yet
Denial of Service Vulnerability in React Server Components
GHSA-2m3v-v2m8-q956 CVE-2025-55184 HIGH 4 days ago
## Impact There is a denial of service vulnerability in React Server Components. React recommends updating immediately. The vulnerability exists...
npm
9 Dependabot PRs
Source Code Exposure Vulnerability in React Server Components
GHSA-925w-6v3x-g4j4 CVE-2025-55183 MODERATE 4 days ago
## Impact There is a source code exposure vulnerability in React Server Components. React recommends updating immediately. The vulnerability exi...
npm
11 Dependabot PRs
Servify-express rate limit issue
GHSA-qgc4-8p88-4w7m CVE-2025-67731 HIGH 4 days ago
### Impact The Express server uses `express.json()` without a size limit, which can allow attackers to send extremely large request bodies. This ma...
npm
No PRs yet
Improper Validation of Query Parameters in Auth0 Next.js SDK
GHSA-mr6f-h57v-rpj5 CVE-2025-67716 LOW 5 days ago
### Description An input-validation flaw in the returnTo parameter in the Auth0 Next.js SDK could allow attackers to inject unintended OAuth query ...
npm
No PRs yet
Improper Request Caching Lookup in the Auth0 Next.js SDK
GHSA-wcgj-f865-c7j7 CVE-2025-67490 MODERATE 5 days ago
### Description When using affected versions of the Next.js SDK, simultaneous requests on the same client may result in improper lookups in the Tok...
npm
No PRs yet
Formio improperly authorized permission elevation through specially crafted request path
GHSA-m654-769v-qjv7 CVE-2025-67718 HIGH 5 days ago
Security Advisory: Unauthorized permission elevation through specially crafted request path. **Summary:** A flaw in path handling could allow an ...
npm
No PRs yet
Fetch MCP Server has a Server-Side Request Forgery (SSRF) vulnerability
GHSA-8fxj-2g9q-8fjw CVE-2025-65513 MODERATE 6 days ago
fetch-mcp v1.0.2 and before is vulnerable to Server-Side Request Forgery (SSRF) vulnerability, which allows attackers to bypass private IP validati...
npm
No PRs yet
@tiptap/extension-link vulnerable to Cross-site Scripting (XSS)
GHSA-vhrc-hgrq-x75r CVE-2025-14284 LOW 6 days ago
Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in ...
npm
No PRs yet
Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments
GHSA-mv7p-34fv-4874 CVE-2025-13877 MODERATE 6 days ago
### Impact CVE-2025-13877 is an **authentication bypass vulnerability caused by insecure default JWT key usage** in NocoBase Docker deployments. ...
npm
No PRs yet
Elysia affected by arbitrary code injection through cookie config
GHSA-8vch-m3f4-q8jf CVE-2025-66457 HIGH 6 days ago
Arbitrary code execution from cookie config. If dynamic cookies are enabled (ie there exists a schema for cookies), the cookie config is injected i...
npm
No PRs yet
Elysia vulnerable to prototype pollution with multiple standalone schema validation
GHSA-hxj9-33pp-j2cc CVE-2025-66456 CRITICAL 6 days ago
Prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with the same key. Due to the ordering of...
npm
No PRs yet
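Both the Vuetify advisory (Preset configuration merged with an internal mergeDeep) and the Elysia advisory (mergeDeep over two schema validation results sharing a key) above describe the same class: a recursive merge that walks attacker-influenced keys. The following is an added illustration of that class and of the fix, not code from either project; the payload and the defaults object are constructed.

```javascript
// Added illustration of recursive-merge prototype pollution; not Vuetify's or Elysia's code.
// Shows why a "__proto__" key reaches Object.prototype and how the merge is hardened.

// Vulnerable shape: recurse into any object-valued key, including "__proto__".
function unsafeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      // target["__proto__"] resolves to Object.prototype, so the recursion writes there.
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMergeDeep(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: skip the three keys that reach the prototype chain and only recurse into
// own, plain-object properties of the target (never an inherited one).
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMergeDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) continue;
    const val = source[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (!own || typeof own !== 'object' || Array.isArray(own)) target[key] = {};
      safeMergeDeep(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed payload: JSON.parse creates an own property literally named "__proto__",
// which Object.keys() returns, so the merge visits it.
const CONSTRUCTED_PAYLOAD = '{"theme":{"dark":true},"__proto__":{"isAdmin":true}}';

// Merge constructed defaults with the payload, then probe an unrelated object for the
// planted key. Returns what the merge produced and whether pollution happened.
function mergeAndProbe(merge) {
  const defaults = { theme: { dark: false, density: 'default' } };
  const merged = merge(defaults, JSON.parse(CONSTRUCTED_PAYLOAD));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so later code is unaffected
  return { dark: merged.theme.dark, density: merged.theme.density, polluted };
}
```

The key-name denylist is the cheap part; the own-property check matters as well, because recursing into an inherited value is exactly how the walk lands on Object.prototype.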
@vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server
GHSA-j76j-5p5g-9wfr CVE-2025-67489 CRITICAL 7 days ago
## Summary Arbitrary Remote Code Execution on development server via unsafe dynamic imports in `@vitejs/plugin-rsc` server function APIs (`loadSer...
npm
No PRs yet
Altcha Proof-of-Work obfuscation mode cryptanalytic break
GHSA-mpmc-qchh-r9q8 CVE-2025-65849 MODERATE 7 days ago
A cryptanalytic break in Altcha Proof-of-Work obfuscation mode version 0.8.0 and later allows for remote visitors to recover the Proof-of-Work nonc...
npm
No PRs yet
n8n vulnerable to Remote Code Execution via Git Node Custom Pre-Commit Hook
GHSA-wpqc-h9wp-chmq CVE-2025-65964 CRITICAL 7 days ago
### Impact The n8n Git node allows workflows to set arbitrary Git configuration values through the _Add Config_ operation. When an attacker-contro...
npm
No PRs yet
Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765
GHSA-whqg-ppgf-wp8c CVE-2025-66202 MODERATE 7 days ago
Authentication Bypass via Double URL Encoding in Astro (bypass for CVE-2025-64765 / GHSA-ggxq-hp9w-j794). ### Summary A **double URL encod...
npm
No PRs yet
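The double-encoding class in the Astro advisory above, as an added illustration that is not Astro's code: a guard that decodes the request path once and prefix-matches it can be walked past with a twice-encoded path that a later router decodes again. The protected prefix, the guard functions and the sample paths are assumed for the illustration.

```javascript
// Added illustration of the double-encoding bypass class; not Astro's code.
// Assumed setup: a guard protects everything under /admin by matching the request path.
const PROTECTED_PREFIX = '/admin';

function decodeOnce(path) {
  try { return decodeURIComponent(path); } catch { return path; }
}

// Vulnerable: decodes once. "/%2561dmin" becomes "/%61dmin", which does not match, yet a
// router that decodes again would see "/admin".
function needsAuthNaive(path) {
  return decodeOnce(path).startsWith(PROTECTED_PREFIX);
}

// Canonicalise: decode until the string is stable (bounded), then resolve "." and ".."
// segments and duplicate slashes, so the guard checks the same form the router acts on.
function canonicalPath(path) {
  let prev = path;
  let cur = decodeOnce(path);
  for (let i = 0; cur !== prev && i < 5; i++) {
    prev = cur;
    cur = decodeOnce(cur);
  }
  const segments = [];
  for (const seg of cur.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') segments.pop();
    else segments.push(seg);
  }
  return '/' + segments.join('/');
}

// Hardened: compare the canonical path and respect the segment boundary, so
// "/administrator" is not swept in by a bare prefix match either.
function needsAuthHardened(path) {
  const c = canonicalPath(path);
  return c === PROTECTED_PREFIX || c.startsWith(PROTECTED_PREFIX + '/');
}
```

An equally valid policy is to reject any path that still contains a percent sign after one decode; either way the guard and the router must agree on the representation they compare.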
Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF'
GHSA-8wvc-869r-xfqf CVE-2025-65959 HIGH 11 days ago
## Summary A **Stored XSS vulnerability** has been discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown...
npm
No PRs yet
Anthropic Sandbox Runtime Incorrectly Implemented Network Sandboxing
GHSA-9gqj-5w7c-vx47 CVE-2025-66479 LOW 11 days ago
Due to a bug in sandboxing logic, `sandbox-runtime` did not properly enforce a network sandbox if the sandbox policy did not configure any allowed ...
npm
No PRs yet
auth0/node-jws Improperly Verifies HMAC Signature
GHSA-869p-cjfg-cm3x CVE-2025-65945 HIGH 11 days ago
### Overview An improper signature verification vulnerability exists when using auth0/node-jws with the HS256 algorithm under specific conditions. ...
npm
818 Dependabot PRs
mcp-server-kubernetes has potential security issue in exec_in_pod tool
GHSA-wvxp-jp4w-w8wg CVE-2025-66404 MODERATE 12 days ago
### Summary A security issue exists in the `exec_in_pod` tool of the `mcp-server-kubernetes` MCP Server. The tool accepts user-provided commands in...
npm
No PRs yet
React Server Components are Vulnerable to RCE
GHSA-fmh4-wr37-44fp CRITICAL 12 days ago
### Summary `@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained an unauthenticated remote code execution vulnerability in ver...
npm
No PRs yet
React Server Components are Vulnerable to RCE
GHSA-fv66-9v8q-g76r CVE-2025-55182 CRITICAL 12 days ago
### Impact There is an unauthenticated remote code execution vulnerability in React Server Components. We recommend upgrading immediately. The v...
npm
72 Dependabot PRs
Next.js is vulnerable to RCE in React flight protocol
GHSA-9qr9-h5gf-34mp CRITICAL 12 days ago
A vulnerability affects certain React packages for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected pac...
npm
2097 Dependabot PRs
Claude Code Command Validation Bypass Allows Arbitrary Code Execution
GHSA-xq4m-mc3c-vvg3 CVE-2025-66032 HIGH 12 days ago
Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and tri...
npm
No PRs yet
Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default
GHSA-w48q-cv73-mx4w CVE-2025-66414 HIGH 13 days ago
The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP ...
npm
2 Dependabot PRs
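The DNS rebinding protection the MCP TypeScript SDK advisory above says is off by default is, in practice, validation of the Host header (and Origin, for browser-initiated requests) against the names the local server expects. The following is an added illustration of that check, not the SDK's code; the allowed host list and the sample request headers are assumed.

```javascript
// Added illustration of Host-header validation, the usual DNS-rebinding defence for a
// local HTTP service; not the MCP TypeScript SDK's code. Assumed: the server is meant
// to be reached only as localhost / 127.0.0.1 / [::1], on any port.
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Split "host[:port]", handling bracketed IPv6; returns null for anything malformed.
function parseHostHeader(value) {
  if (typeof value !== 'string') return null;
  const m = /^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(\d{1,5}))?$/i.exec(value.trim());
  if (!m) return null;
  return { host: m[1].toLowerCase(), port: m[2] ? Number(m[2]) : null };
}

function hostAllowed(value) {
  const parsed = parseHostHeader(value);
  return parsed !== null && ALLOWED_HOSTS.has(parsed.host);
}

// Request gate. A browser caught by rebinding connects to 127.0.0.1 but still sends the
// attacker's hostname in Host and the attacker's page origin in Origin, so both are checked.
function gateRequest(headers) {
  if (!hostAllowed(headers.host)) return { status: 421, reason: 'unexpected Host' };
  if (headers.origin !== undefined) {
    let originHost;
    try {
      originHost = new URL(headers.origin).hostname; // WHATWG URL keeps IPv6 brackets
    } catch {
      return { status: 403, reason: 'bad Origin' };
    }
    if (!ALLOWED_HOSTS.has(originHost)) return { status: 403, reason: 'cross-site Origin' };
  }
  return { status: 200, reason: 'ok' };
}
```

Returning 421 for a wrong Host mirrors what a well-configured front end does; the important property is that the decision is made before any tool call is dispatched.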
mdast-util-to-hast has unsanitized class attribute
GHSA-4fh9-h7wg-q85m CVE-2025-66400 MODERATE 14 days ago
### Impact Multiple (unprefixed) classnames could be added in markdown source by using character references. This could make rendered user supplie...
npm
2 Dependabot PRs
Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes
GHSA-v4hv-rgfq-gp49 CVE-2025-66412 HIGH 14 days ago
A **Stored Cross-Site Scripting ([XSS](https://angular.dev/best-practices/security#preventing-cross-site-scripting-xss))** vulnerability has been i...
npm
No PRs yet
Portkey.ai Gateway: Server-Side Request Forgery (SSRF) in Custom Host
GHSA-hhh5-2cvx-vmfp CVE-2025-66405 MODERATE 14 days ago
### Summary The gateway determines the destination baseURL by prioritizing the value in the x-portkey-custom-host request header. The proxy route t...
npm
No PRs yet
fastify-reply-from affected by bypass of reply forwarding
GHSA-2q7r-29rg-6m5h CVE-2025-66415 MODERATE 14 days ago
### Summary By crafting a malicious URL, an attacker could access routes that are not allowed, even though the `reply.from` is defined for specific...
npm
No PRs yet
MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL
GHSA-27m7-ffhq-jqrm CVE-2025-66401 CRITICAL 14 days ago
### Summary The `MCPScanner` class contains a critical Command Injection vulnerability in the `cloneRepo` method. The application passes the user-...
npm
No PRs yet
Better Auth affected by external request basePath modification DoS
GHSA-569q-mpph-wgww LOW 14 days ago
# Summary Affected versions of Better Auth allow an external request to configure `baseURL` when it isn’t defined through any other means. This ca...
npm
No PRs yet
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls
GHSA-rcmh-qjqh-p98v LOW 14 days ago
### Summary A DoS can occur that immediately halts the system due to the use of an unsafe function. Details: According to **RFC 5322**, nested ...
npm
No PRs yet
Tryton sao allows XSS because it does not escape completion values
GHSA-6qj9-2g9m-29x9 CVE-2025-66421 MODERATE 16 days ago
Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0...
npm
No PRs yet
Tryton sao allows XSS via an HTML attachment
GHSA-xhgv-99mj-8m2x CVE-2025-66420 MODERATE 16 days ago
Tryton sao (aka tryton-sao) before 7.6.9 allows XSS via an HTML attachment. This is fixed in 7.6.9, 7.4.19, 7.0.38, and 6.0.67.
npm
No PRs yet
Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements
GHSA-vghf-hv5q-vc2g CVE-2025-12758 HIGH 19 days ago
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLeng...
npm
No PRs yet
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client
GHSA-58c5-g7wp-6w37 CVE-2025-66035 HIGH 19 days ago
The vulnerability is a **Credential Leak by App Logic** that leads to the **unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token*...
npm
No PRs yet
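The leak class in the Angular advisory above, as an added illustration that is not Angular's code: a client that decides "same origin" by string tests on the URL attaches the XSRF token to a protocol-relative URL such as //evil.example/..., which the browser resolves to a different host. The app origin, the two header-building policies and the request list are assumed for the illustration.

```javascript
// Added illustration of the protocol-relative URL leak class; not Angular's code.
// Assumed: the app is served from https://app.example and copies the XSRF cookie value
// into an X-XSRF-TOKEN header on requests it believes are same-origin.
const APP_ORIGIN = 'https://app.example';

// Vulnerable: a string test that treats any leading "/" as relative. "//evil.example/x"
// passes, and so does "https://app.example.evil/x" because of the bare prefix match.
function xsrfHeadersNaive(url, token) {
  const sameOrigin = url.startsWith('/') || url.startsWith(APP_ORIGIN);
  return sameOrigin ? { 'X-XSRF-TOKEN': token } : {};
}

// Hardened: resolve the URL against the app origin exactly as the browser will, and
// compare origins rather than string prefixes. Only http(s) targets can get the token.
function resolvedOrigin(url) {
  try {
    const u = new URL(url, APP_ORIGIN);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch {
    return null;
  }
}

function xsrfHeadersSafe(url, token) {
  return resolvedOrigin(url) === APP_ORIGIN ? { 'X-XSRF-TOKEN': token } : {};
}

// Constructed request list covering the relative, protocol-relative, prefix-trick and
// absolute same-origin cases.
const CONSTRUCTED_URLS = [
  '/api/profile',               // genuinely relative
  '//evil.example/collect',     // protocol-relative, resolves to https://evil.example
  'https://app.example.evil/c', // prefix-match trick
  'https://app.example/api/me', // absolute, same origin
];

// URLs for which the given policy attaches the token although the browser would send
// the request to another origin.
function leakingUrls(policy, token) {
  return CONSTRUCTED_URLS.filter(
    (u) => policy(u, token)['X-XSRF-TOKEN'] === token && resolvedOrigin(u) !== APP_ORIGIN,
  );
}
```

The same origin comparison is what the browser itself uses for the request, so the token can only ever travel to the host that set the cookie.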
Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
GHSA-wmjr-v86c-m9jj LOW 19 days ago
### Summary A vulnerability was identified in the multi-session plugin for Better Auth, specifically in the /sign-out after-hook. The hook trusts ...
npm
No PRs yet
willitmerge has a Command Injection vulnerability
GHSA-j9wj-m24m-7jj6 CVE-2025-66219 MODERATE 19 days ago
willitmerge describes itself as a command line tool to check if pull requests are mergeable. There is a Command Injection vulnerability in version ...
npm
No PRs yet