Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,921
With Dependabot PRs: 1,821
Critical Severity: 3,520
High Severity: 8,659
Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF'
GHSA-8wvc-869r-xfqf CVE-2025-65959 HIGH 3 days ago
## Summary
A **Stored XSS vulnerability** has been discovered in Open-WebUI's Notes PDF download functionality.
An attacker can import a Markdown...
npm
No PRs yet
Anthropic Sandbox Runtime Incorrectly Implemented Network Sandboxing
GHSA-9gqj-5w7c-vx47 CVE-2025-66479 LOW 3 days ago
Due to a bug in sandboxing logic, `sandbox-runtime` did not properly enforce a network sandbox if the sandbox policy did not configure any allowed ...
npm
No PRs yet
auth0/node-jws Improperly Verifies HMAC Signature
GHSA-869p-cjfg-cm3x CVE-2025-65945 HIGH 3 days ago
### Overview
An improper signature verification vulnerability exists when using auth0/node-jws with the HS256 algorithm under specific conditions.
...
npm
662 Dependabot PRs
mcp-server-kubernetes has potential security issue in exec_in_pod tool
GHSA-wvxp-jp4w-w8wg CVE-2025-66404 MODERATE 4 days ago
### Summary
A security issue exists in the `exec_in_pod` tool of the `mcp-server-kubernetes` MCP Server. The tool accepts user-provided commands in...
npm
No PRs yet
React Server Components are Vulnerable to RCE
GHSA-fmh4-wr37-44fp CRITICAL 4 days ago
### Summary
`@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained an unauthenticated remote code execution vulnerability in ver...
npm
No PRs yet
React Server Components are Vulnerable to RCE
GHSA-fv66-9v8q-g76r CVE-2025-55182 CRITICAL 4 days ago
### Impact
There is an unauthenticated remote code execution vulnerability in React Server Components.
We recommend upgrading immediately.
The v...
npm
7 Dependabot PRs
Next.js is vulnerable to RCE in React flight protocol
GHSA-9qr9-h5gf-34mp CVE-2025-66478 CRITICAL 4 days ago
A vulnerability affects certain React packages<sup>1</sup> for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected pac...
npm
1873 Dependabot PRs
Claude Code Command Validation Bypass Allows Arbitrary Code Execution
GHSA-xq4m-mc3c-vvg3 CVE-2025-66032 HIGH 4 days ago
Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and tri...
npm
No PRs yet
Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default
GHSA-w48q-cv73-mx4w CVE-2025-66414 HIGH 5 days ago
The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP ...
npm
No PRs yet
mdast-util-to-hast has unsanitized class attribute
GHSA-4fh9-h7wg-q85m CVE-2025-66400 MODERATE 6 days ago
### Impact
Multiple (unprefixed) classnames could be added in markdown source by using character references.
This could make rendered user supplie...
npm
1 Dependabot PR
Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes
GHSA-v4hv-rgfq-gp49 CVE-2025-66412 HIGH 6 days ago
A **Stored Cross-Site Scripting ([XSS](https://angular.dev/best-practices/security#preventing-cross-site-scripting-xss))** vulnerability has been i...
npm
No PRs yet
Portkey.ai Gateway: Server-Side Request Forgery (SSRF) in Custom Host
GHSA-hhh5-2cvx-vmfp CVE-2025-66405 MODERATE 6 days ago
### Summary
The gateway determines the destination baseURL by prioritizing the value in the x-portkey-custom-host request header. The proxy route t...
npm
No PRs yet
fastify-reply-from affected by bypass of reply forwarding
GHSA-2q7r-29rg-6m5h CVE-2025-66415 MODERATE 6 days ago
### Summary
By crafting a malicious URL, an attacker could access routes that are not allowed, even though the `reply.from` is defined for specific...
npm
No PRs yet
MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL
GHSA-27m7-ffhq-jqrm CVE-2025-66401 CRITICAL 6 days ago
### Summary
The `MCPScanner` class contains a critical Command Injection vulnerability in the `cloneRepo` method. The application passes the user-...
npm
No PRs yet
Better Auth affected by external request basePath modification DoS
GHSA-569q-mpph-wgww LOW 6 days ago
# Summary
Affected versions of Better Auth allow an external request to configure `baseURL` when it isn’t defined through any other means. This ca...
npm
No PRs yet
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls
GHSA-rcmh-qjqh-p98v LOW 6 days ago
### Summary
A DoS can occur that immediately halts the system due to the use of an unsafe function.
### Details
According to **RFC 5322**, nested ...
npm
No PRs yet
Tryton sao allows XSS because it does not escape completion values
GHSA-6qj9-2g9m-29x9 CVE-2025-66421 MODERATE 8 days ago
Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0...
npm
No PRs yet
Tryton sao allows XSS via an HTML attachment
GHSA-xhgv-99mj-8m2x CVE-2025-66420 MODERATE 8 days ago
Tryton sao (aka tryton-sao) before 7.6.9 allows XSS via an HTML attachment. This is fixed in 7.6.9, 7.4.19, 7.0.38, and 6.0.67.
npm
No PRs yet
Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements
GHSA-vghf-hv5q-vc2g CVE-2025-12758 HIGH 11 days ago
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLeng...
npm
No PRs yet
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client
GHSA-58c5-g7wp-6w37 CVE-2025-66035 HIGH 11 days ago
The vulnerability is a **Credential Leak by App Logic** that leads to the **unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token*...
npm
No PRs yet
Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
GHSA-wmjr-v86c-m9jj LOW 11 days ago
## Summary
- Vulnerable component: `multi-session` plugin’s `/sign-out` after-hook (`packages/better-auth/src/plugins/multi-session/index.ts`)
- Is...
npm
No PRs yet
willitmerge has a Command Injection vulnerability
GHSA-j9wj-m24m-7jj6 CVE-2025-66219 MODERATE 11 days ago
willitmerge describes itself as a command line tool to check if pull requests are mergeable. There is a Command Injection vulnerability in version ...
npm
No PRs yet
node-forge has ASN.1 Unbounded Recursion
GHSA-554w-wpv2-vw27 CVE-2025-66031 HIGH 11 days ago
### Summary
An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to ...
npm
1868 Dependabot PRs
node-forge is vulnerable to ASN.1 OID Integer Truncation
GHSA-65ch-62r8-g69g CVE-2025-66030 MODERATE 11 days ago
### Summary
**MITRE-Formatted CVE Description**
An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote,...
npm
1867 Dependabot PRs
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
GHSA-5gfm-wpxj-wjgq CVE-2025-12816 HIGH 11 days ago
### Summary
CVE-2025-12816 has been reserved by CERT/CC
**Description**
An Interpretation Conflict (CWE-436) vulnerability in node-forge versions...
npm
1868 Dependabot PRs
Valibot has a ReDoS vulnerability in `EMOJI_REGEX`
GHSA-vqpr-j7v3-hqw9 CVE-2025-66020 HIGH 11 days ago
### Summary
The `EMOJI_REGEX` used in the `emoji` action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciou...
npm
3 Dependabot PRs
OneUptime Unauthorized User Creation via API
GHSA-m449-vh5f-574g CVE-2025-65966 HIGH 11 days ago
### Summary
A low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface.
### ...
npm
No PRs yet
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation
GHSA-675q-66gf-gqg8 CVE-2025-66028 MODERATE 12 days ago
### Summary
During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter ...
npm
No PRs yet
Better Auth Passkey Plugin allows passkey deletion through IDOR
GHSA-4vcf-q4xf-f48m HIGH 12 days ago
# Summary
Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using `...
npm
No PRs yet
body-parser is vulnerable to denial of service when url encoding is used
GHSA-wqch-xfxh-vrr4 CVE-2025-13466 MODERATE 12 days ago
### Impact
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of param...
npm
407 Dependabot PRs
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`
GHSA-6465-jgvq-jhgp CVE-2025-65944 MODERATE 13 days ago
### Impact
In version 10.11.0, a change to how the SDK collects request data in Node.js applications caused certain incoming HTTP headers to be add...
npm
No PRs yet
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage
GHSA-3mm3-wfpv-q85g CVE-2025-63700 MODERATE 17 days ago
An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verifi...
npm
No PRs yet
authkit-nextjs may let session cookies be cached in CDNs
GHSA-p8pf-44ff-93gf CVE-2025-64762 HIGH 17 days ago
In `authkit-nextjs` version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN cach...
npm
No PRs yet
@anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
GHSA-7mv8-j34q-vp7q CVE-2025-64755 HIGH 17 days ago
Due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host sys...
npm
No PRs yet
zx Uses Incorrectly-Resolved Name or Reference
GHSA-w87r-vg9q-crqm CVE-2025-13437 MODERATE 17 days ago
When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error...
npm
No PRs yet
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
GHSA-547r-qmjm-8hvw CVE-2025-65108 CRITICAL 17 days ago
### Summary
A Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code ...
npm
No PRs yet
@hpke/core reuses AEAD nonces
GHSA-73g8-5h73-26h4 CVE-2025-64767 CRITICAL 17 days ago
### Summary
The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls....
npm
4 Dependabot PRs
@perfood/couch-auth may expose session tokens, passwords
GHSA-62vx-hpcr-m9ch CVE-2025-60794 MODERATE 17 days ago
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts li...
npm
No PRs yet
Claude Code vulnerable to command execution prior to startup trust dialog
GHSA-5hhx-v7f6-x7gv CVE-2025-65099 HIGH 18 days ago
When running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins befor...
npm
No PRs yet
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
GHSA-fvmw-cj7j-j39q CVE-2025-65019 MODERATE 18 days ago
**Summary**
A Cross-Site Scripting (XSS) vulnerability exists in Astro when using the **@astrojs/cloudflare** adapter with `output: 'server'`. Th...
npm
No PRs yet
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
GHSA-ggxq-hp9w-j794 CVE-2025-64765 MODERATE 18 days ago
A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validati...
npm
No PRs yet
Astro vulnerable to reflected XSS via the server islands feature
GHSA-wrwg-2hg8-v723 CVE-2025-64764 HIGH 18 days ago
## Summary
After some research it appears that it is possible to obtain a reflected XSS when the server islands feature is used in the targeted app...
npm
No PRs yet
Astro Development Server has Arbitrary Local File Read
GHSA-x3h8-62x9-952g CVE-2025-64757 LOW 18 days ago
### Summary
A vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through th...
npm
No PRs yet
Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)
GHSA-v5w9-prxf-w882 HIGH 20 days ago
### Summary
An unauthenticated attacker can exploit the unprotected registration endpoint (/register) to create a new user and bypass authenticatio...
npm
No PRs yet
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message
GHSA-7xvh-c266-cfr5 CVE-2025-64758 MODERATE 20 days ago
### Description
Since version 4.12.0, Dependency-Track users with the `SYSTEM_CONFIGURATION` permission can configure a "welcome message", which i...
npm
No PRs yet
glob CLI: Command injection via -c/--cmd executes matches with shell:true
GHSA-5j98-mcp5-4vw2 CVE-2025-64756 HIGH 20 days ago
### Summary
The glob CLI contains a command injection vulnerability in its `-c/--cmd` option that allows arbitrary command execution when processi...
npm
1008 Dependabot PRs
Apollo Federation has Improper Enforcement of Access Control on Transitive Fields
GHSA-m8jr-fxqx-8xx6 HIGH 23 days ago
# Summary
A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through `@requires` and/...
npm
No PRs yet
Directus is Vulnerable to Stored Cross-site Scripting
GHSA-vv2v-pw69-8crf CVE-2025-64747 MODERATE 23 days ago
### Summary
A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject m...
npm
No PRs yet
Directus has Improper Permission Handling on Deleted Fields
GHSA-9x5g-62gj-wqf2 CVE-2025-64746 MODERATE 23 days ago
### Summary
Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later...
npm
No PRs yet
Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change
GHSA-fjh6-8679-9pch HIGH 23 days ago
### Summary
Bypass of Password Confirmation - Unverified Password Change (authenticated change without current password)
An authenticated user is ...
npm
No PRs yet