Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,842
Total Advisories
1,805
With Dependabot PRs
3,510
Critical Severity
8,633
High Severity
Open WebUI Uncontrolled Resource Consumption vulnerability
GHSA-chf7-q7m5-fq92 CVE-2024-12537 HIGH 9 months ago
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/util...
npm
pypi
No PRs yet
Nuxt allows DOS via cache poisoning with payload rendering response
GHSA-jvhm-gjrh-3h93 CVE-2025-27415 HIGH 9 months ago
### Summary
By sending a crafted HTTP request to a server behind a CDN, it is possible in some circumstances to poison the CDN cache and highly i...
npm
No PRs yet
Fast-JWT Improperly Validates iss Claims
GHSA-gm45-q3v2-6cf8 CVE-2025-30144 MODERATE 9 months ago
### Summary
The `fast-jwt` library does not properly validate the `iss` claim based on the RFC https://datatracker.ietf.org/doc/html/rfc7519#page-9...
npm
23
Dependabot PRs
13%
Merged
jsPDF Bypass Regular Expression Denial of Service (ReDoS)
GHSA-w532-jxjh-hjhj CVE-2025-29907 HIGH 9 months ago
### Impact
User control of the first argument of the `addImage` method results in CPU utilization and denial of service.
If given the possibility ...
npm
500
Dependabot PRs
13%
Merged
Mattermost Desktop App allows the bypass of Transparency, Consent, and Control (TCC) via code injection
GHSA-xmvv-w44w-j8wx CVE-2025-1398 LOW 9 months ago
Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass T...
npm
No PRs yet
JS Html Sanitizer allows XSS when used with contentEditable
GHSA-vhv4-fh94-jm5x CVE-2025-29771 MODERATE 9 months ago
### Impact
XSS vulnerability when the sanitizer is used with a `contentEditable` element to set the element's `innerHTML` to a sanitized string prod...
npm
No PRs yet
Flowise allows arbitrary file write to RCE
GHSA-8vvx-qvq9-5948 CRITICAL 9 months ago
### Summary
An attacker could write files with arbitrary content to the filesystem via the `/api/v1/document-store/loader/process` API.
An attacker...
npm
No PRs yet
nest allows a remote attacker to execute arbitrary code via the Content-Type header
GHSA-cj7v-w2c7-cp7c CVE-2024-29409 MODERATE 9 months ago
File Upload vulnerability in nestjs nest prior to v.11.0.16 allows a remote attacker to execute arbitrary code via the Content-Type header.
npm
No PRs yet
In Azle, calling `setTimer` causes infinite loop of timers
GHSA-xc76-5pf9-mx8m CVE-2025-29776 HIGH 9 months ago
### Impact
Calling `setTimer` in Azle versions `0.27.0`, `0.28.0`, and `0.29.0` causes an immediate infinite loop of timers to be executed on the ...
npm
No PRs yet
xml-crypto Vulnerable to XML Signature Verification Bypass via DigestValue Comment
GHSA-x3m8-899r-f7c3 CVE-2025-29775 CRITICAL 9 months ago
# Impact
An attacker may be able to exploit this vulnerability to bypass authentication or authorization mechanisms in systems that rely on xml-cry...
npm
38
Dependabot PRs
10%
Merged
xml-crypto Vulnerable to XML Signature Verification Bypass via Multiple SignedInfo References
GHSA-9p8x-f768-wp2g CVE-2025-29774 CRITICAL 9 months ago
# Impact
An attacker may be able to exploit this vulnerability to bypass authentication or authorization mechanisms in systems that rely on xml-cry...
npm
38
Dependabot PRs
10%
Merged
Flowise Pre-auth Arbitrary File Upload
GHSA-h42x-xx2q-6v6g CRITICAL 9 months ago
## Summary
An unauthorized attacker can leverage the whitelisted route `/api/v1/attachments` to upload arbitrary files when the `storageType` is se...
npm
No PRs yet
Prototype Pollution Vulnerability in parse-git-config
GHSA-8g77-54rh-46hx CVE-2025-25975 HIGH 9 months ago
An issue in parse-git-config v.3.0.0 allows an attacker to obtain sensitive information via the expandKeys function.
npm
No PRs yet
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
GHSA-968p-4wvh-cqc8 CVE-2025-27789 MODERATE 9 months ago
### Impact
When using Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Referen...
npm
1257
Dependabot PRs
23%
Merged
Mockoon has a Path Traversal and LFI in the static file serving endpoint
GHSA-w7f9-wqc4-3wxr CVE-2025-59049 HIGH 9 months ago
### Summary
A mock API configuration for static file serving following the same approach presented in the [documentation page](https://mockoon.com/...
npm
No PRs yet
canvg Prototype Pollution vulnerability
GHSA-v2mw-5mch-w8c5 CVE-2025-25977 HIGH 9 months ago
An issue in canvg prior to v.4.0.3 and v3.0.11 can lead to prototype pollution via the Constructor of the class StyleElement.
npm
No PRs yet
Vue I18n Allows Prototype Pollution in `handleFlatJson`
GHSA-p2ph-7g93-hw3m CVE-2025-27597 HIGH 9 months ago
**Vulnerability type:**
Prototype Pollution
**Vulnerability Location(s):**
```js
# v9.1
node_modules/@intlify/message-resolver/index.js
# v9.2 or...
```
npm
419
Dependabot PRs
6%
Merged
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
GHSA-jr5f-v2jv-69x6 CVE-2025-27152 HIGH 9 months ago
### Summary
A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). ...
npm
965
Dependabot PRs
14%
Merged
NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page
GHSA-wf6c-hrhf-86cw CVE-2025-27506 MODERATE 9 months ago
### Summary
The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting.
### Details
Throughout the...
npm
No PRs yet
FlowiseAI Flowise arbitrary file upload vulnerability
GHSA-69jq-qr7w-j7qh CVE-2025-26319 HIGH 9 months ago
FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.
npm
No PRs yet
Manifest Uses a One-Way Hash without a Salt
GHSA-h8h6-7752-g28c CVE-2025-27408 MODERATE 9 months ago
### Summary
Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of ...
npm
No PRs yet
seajs Cross-site Scripting vulnerability
GHSA-pfr4-4397-3hg8 CVE-2024-51091 LOW 9 months ago
Cross Site Scripting vulnerability in seajs v.2.2.3 allows a remote attacker to execute arbitrary code via the seajs package
npm
No PRs yet
tsup DOM Clobbering vulnerability
GHSA-3mv9-4h5g-vhg3 CVE-2024-53384 LOW 9 months ago
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.cu...
npm
No PRs yet
mavo DOM Clobbering vulnerability
GHSA-3mf5-r4hg-hfx9 CVE-2024-53388 MODERATE 9 months ago
A DOM Clobbering vulnerability in mavo v0.3.2 allows attackers to execute arbitrary code via supplying a crafted HTML element.
npm
No PRs yet
PrismJS DOM Clobbering vulnerability
GHSA-x7hr-w5r2-h6wg CVE-2024-53382 MODERATE 9 months ago
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain J...
npm
No PRs yet
Stage.js DOM Clobbering vulnerability
GHSA-fp3m-g5rc-4c28 CVE-2024-53386 MODERATE 9 months ago
Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript),...
npm
No PRs yet
mongosh vulnerable to local privilege escalation
GHSA-f5w3-73h4-jpcm CVE-2025-1756 HIGH 9 months ago
mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with...
npm
No PRs yet
MongoDB Shell may be susceptible to control character Injection via shell output
GHSA-r95j-4jvf-mrrw CVE-2025-1693 LOW 9 months ago
The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject co...
npm
No PRs yet
MongoDB Shell may be susceptible to control character injection via pasting
GHSA-973h-3x6p-qg37 CVE-2025-1692 MODERATE 9 months ago
The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user’s clipboard could manipulate them to...
npm
No PRs yet
MongoDB Shell may be susceptible to Control Character Injection via autocomplete
GHSA-43g5-2wr2-q7vj CVE-2025-1691 HIGH 9 months ago
The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the...
npm
No PRs yet
Matrix IRC Bridge allows IRC command injection to own puppeted user
GHSA-5mvm-89c9-9gm5 CVE-2025-27146 LOW 9 months ago
### Impact
The matrix-appservice-irc bridge up to version 3.0.3 contains a vulnerability which can lead to arbitrary IRC command execution as the p...
npm
No PRs yet
DOM Expressions has a Cross-Site Scripting (XSS) vulnerability due to improper use of string.replace
GHSA-hw62-58pr-7wc5 CVE-2025-27108 HIGH 9 months ago
> [!NOTE]
> This advisory was originally emailed to community@solidjs.com by @nsysean.
To sum it up, the use of javascript's `.replace()` opens ...
npm
No PRs yet
Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)
GHSA-3qxh-p7jc-5xh6 CVE-2025-27109 HIGH 9 months ago
Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside J...
npm
No PRs yet
Better Auth allows bypassing the trustedOrigins Protection which leads to ATO
GHSA-vp58-j275-797x CRITICAL 9 months ago
### Summary
A bypass was found for **wildcard** or **absolute URLs** trustedOrigins configurations and opens the victims website to a **Open Redire...
npm
No PRs yet
Better Auth has an Open Redirect via Scheme-Less Callback Parameter
GHSA-hjpm-7mrm-26w8 CVE-2025-27143 MODERATE 9 months ago
### Summary
The application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification end...
npm
No PRs yet
tarteaucitron Cross-site Scripting (XSS)
GHSA-8wp9-x25p-8794 CVE-2025-1467 LOW 9 months ago
Versions of the package tarteaucitronjs before 1.17.0 are vulnerable to Cross-site Scripting (XSS) via the getElemWidth() and getElemHeight(). This...
npm
No PRs yet
Cross-site scripting (XSS) in the CKEditor 5 real-time collaboration package
GHSA-j3mm-wmfm-mwvh CVE-2025-25299 MODERATE 9 months ago
### Impact
During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 real-time collaboration packa...
npm
No PRs yet
DocsGPT Allows Remote Code Execution
GHSA-9gff-5v8w-x922 CVE-2025-0868 CRITICAL 9 months ago
A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Due to improper parsing of JSON data using eval() an ...
npm
No PRs yet
Directus allows updates to non-allowed fields due to overlapping policies
GHSA-99vm-5v2h-h6r6 CVE-2025-27089 MODERATE 10 months ago
### Summary
If there are two overlapping policies for the `update` action that allow access to different fields, instead of correctly checking acce...
npm
No PRs yet
JSONPath Plus allows Remote Code Execution
GHSA-hw8r-x6gr-5gjp CVE-2025-1302 HIGH 10 months ago
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker c...
npm
No PRs yet
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
GHSA-rmvr-2pp2-xj38 CVE-2025-25290 MODERATE 10 months ago
### Summary
The regular expression `/<([^>]+)>; rel="deprecation"/` used to match the `link` header in HTTP responses is vulnerable to a ReDoS (Reg...
npm
1
Dependabot PRs
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
GHSA-xx4v-prfh-6cgc CVE-2025-25289 MODERATE 10 months ago
### Summary
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorizat...
npm
1
Dependabot PRs
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
GHSA-h5c3-5r3r-rr8q CVE-2025-25288 MODERATE 10 months ago
### Summary
For the npm package `@octokit/plugin-paginate-rest`, when calling `octokit.paginate.iterator()`, a specially crafted `octokit` instance...
npm
3
Dependabot PRs
33%
Merged
@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
GHSA-x4c5-c7rf-jjgv CVE-2025-25285 MODERATE 10 months ago
### Summary
By crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-...
npm
No PRs yet
Vega allows Cross-site Scripting via the vlSelectionTuples function
GHSA-mp7w-mhcv-673j CVE-2025-25304 MODERATE 10 months ago
### Summary
The `vlSelectionTuples` function can be used to call JavaScript functions, leading to XSS.
### Details
[`vlSelectionTuples`](https://g...
npm
No PRs yet
DOMPurify allows Cross-site Scripting (XSS)
GHSA-vhxf-7vqr-mrjg CVE-2025-26791 MODERATE 10 months ago
DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation c...
npm
464
Dependabot PRs
14%
Merged
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
GHSA-vjh7-7g9h-fjfh CRITICAL 10 months ago
### Summary
Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come fr...
npm
8
Dependabot PRs
parse-duration has a Regex Denial of Service that results in event loop delay and out of memory
GHSA-hcrg-fc28-fcg5 CVE-2025-25283 HIGH 10 months ago
### Summary
This report finds 2 availability issues due to the regex used in the `parse-duration` npm package:
1. An event loop delay due to the C...
npm
No PRs yet
Inefficient Regular Expression Complexity in koa
GHSA-593f-38f6-jp5m CVE-2025-25200 CRITICAL 10 months ago
### Summary
Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denia...
npm
538
Dependabot PRs
11%
Merged
Authentication bypass in @sap/approuter
GHSA-cpfx-964w-4jvp CVE-2025-24876 HIGH 10 months ago
The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code, an attacke...
npm
No PRs yet