An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,898 Total Advisories
1,815 With Dependabot PRs
3,517 Critical Severity
8,651 High Severity

Trix allows Cross-site Scripting via `javascript:` url in a link
GHSA-j386-3444-qgwg CVE-2025-21610 MODERATE 11 months ago
The Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field. ### Impact An attacker could trick...
npm
No PRs yet
path-sanitizer allows bypassing the existing filters to achieve path-traversal vulnerability
GHSA-94p5-r7cc-3rpr CVE-2024-56198 CRITICAL 11 months ago
### Summary This is a POC for a path-sanitizer [npm package](https://www.npmjs.com/package/path-sanitizer). The filters can be bypassed and can res...
npm
No PRs yet
Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint
GHSA-8jhw-6pjj-8723 CVE-2024-56734 HIGH 11 months ago
## Summary An **open redirect vulnerability** has been identified in the **verify email endpoint** of Better Auth, potentially allowing attackers t...
npm
No PRs yet
Marp Core allows XSS by improper neutralization of HTML sanitization
GHSA-x52f-h5g4-8qv5 CVE-2024-56510 MODERATE 11 months ago
Marp Core ([`@marp-team/marp-core`](https://www.npmjs.com/package/@marp-team/marp-core)) from v3.0.2 to v3.9.0 and v4.0.0, are vulnerable to cross-...
npm
6
Dependabot PRs
Systeminformation has command injection vulnerability in getWindowsIEEE8021x (SSID)
GHSA-cvv5-9h9w-qp2m CVE-2024-56334 HIGH 12 months ago
### Summary The SSID is not sanitized before it is passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that mal...
npm
No PRs yet
uptime-kuma vulnerable to Local File Inclusion (LFI) via Improper URL Handling in `Real-Browser` monitor
GHSA-2qgm-m29m-cj2h CVE-2024-56331 MODERATE 12 months ago
### Summary An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on the server by exploiting the `file:///...
npm
No PRs yet
Astro's server source code is exposed to the public if sourcemaps are enabled
GHSA-49w6-73cw-chjr CVE-2024-56159 HIGH 12 months ago
### Summary A bug in the build process allows any unauthenticated user to read parts of the server source code. ### Details During build, along wi...
npm
No PRs yet
Prototype pollution in jsii.configureCategories
GHSA-m56h-5xx3-2jc2 LOW 12 months ago
## Summary `jsii` is a TypeScript to JavaScript compiler that also extracts an interface definition manifest to generate RPC stubs in various prog...
npm
No PRs yet
Astro CSRF Middleware Bypass (security.checkOrigin)
GHSA-c4pw-33h3-35xw CVE-2024-56140 MODERATE 12 months ago
### Summary A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. ### Details When the `security.checkOrigin` confi...
npm
No PRs yet
Bun has an Application-level Prototype Pollution vulnerability in the runtime native API for Glo
GHSA-v9mx-4pqq-h232 CVE-2024-21548 MODERATE 12 months ago
Versions of the package bun before 1.1.30 are vulnerable to Prototype Pollution due to improper input sanitization. An attacker can exploit this vu...
npm
No PRs yet
Next.js authorization bypass vulnerability
GHSA-7gfc-8cq8-jh5f CVE-2024-51479 HIGH 12 months ago
### Impact If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypas...
npm
2
Dependabot PRs
pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
GHSA-vm32-9rqf-rh3r CVE-2024-53866 MODERATE 12 months ago
### Summary pnpm seems to mishandle overrides and global cache: 1. Overrides from one workspace leak into npm metadata saved in global cache 2. np...
npm
No PRs yet
Avenwu Whistle Cross-Site Request Forgery (CSRF)
GHSA-gg6x-448q-pqqm CVE-2024-55500 HIGH 12 months ago
Cross-Site Request Forgery (CSRF) in Avenwu Whistle v.2.9.90 and before allows attackers to perform malicious API calls, resulting in the execution...
npm
No PRs yet
Angular Expressions - Remote Code Execution when using locals
GHSA-5462-4vcx-jh7j CVE-2024-54152 CRITICAL 12 months ago
### Impact An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. Example of vulnerable c...
npm
1
Dependabot PRs
Bit flip attack vulnerability in cookie-encrypter
GHSA-h63v-hw6g-x8hp CVE-2024-53441 HIGH 12 months ago
Due to a weakness in the encryption method used in cookie-encrypter, an attacker can use the world-visible IV to edit encrypted cookies without decryp...
npm
No PRs yet
Directus allows unauthenticated access to WebSocket events and operations
GHSA-849r-qrwj-8rv4 CVE-2024-54151 HIGH 12 months ago
### Summary When setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supporte...
npm
No PRs yet
Trix editor subject to XSS vulnerabilities on copy & paste
GHSA-6vx4-v2jw-qwqh CVE-2024-53847 MODERATE 12 months ago
The Trix editor, in versions prior to 2.1.9 and 1.3.3, is vulnerable to XSS + mutation XSS attacks when pasting malicious code. ### Impact An att...
npm
No PRs yet
Predictable results in nanoid generation when given non-integer values
GHSA-mwcw-c2x4-8c55 CVE-2024-55565 MODERATE 12 months ago
When nanoid is called with a fractional value, there were a number of undesirable effects: 1. in browser and non-secure, the code infinite loops o...
npm
No PRs yet
path-to-regexp contains a ReDoS
GHSA-rhx6-c78j-4q9w CVE-2024-52798 HIGH 12 months ago
### Impact The regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of `path-to-regexp`, originally re...
npm
24
Dependabot PRs
4%
Merged
Directus has an HTML Injection in Comment
GHSA-r6wx-627v-gh2f CVE-2024-54128 MODERATE 12 months ago
### Summary The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filte...
npm
No PRs yet
Firepad allows insecure document access
GHSA-4fh7-m2wx-6wfm CVE-2024-51210 LOW about 1 year ago
Firepad through 1.5.11 allows remote attackers, who have knowledge of a pad ID, to retrieve both the current text of a document and all content tha...
npm
No PRs yet
Modified package published to npm, containing malware that exfiltrates private key material
GHSA-jcxm-7wvp-g6p5 CVE-2024-54134 HIGH about 1 year ago
Earlier today, a publish-access account was compromised for `@solana/web3.js`, a JavaScript library that is commonly used by Solana dapps. This all...
npm
No PRs yet
Backstage Scaffolder plugin vulnerable to Server-Side Request Forgery
GHSA-qmc2-jpr5-7rg9 CVE-2024-53983 MODERATE about 1 year ago
### Impact A vulnerability is identified in Backstage Scaffolder template functionality where Server-Side Template Injection (SSTI) can be exploit...
npm
No PRs yet
Mongoose search injection vulnerability
GHSA-m7xq-9374-9rvx CVE-2024-53900 HIGH about 1 year ago
Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the abili...
npm
No PRs yet
hull.js Code Injection Vulnerability
GHSA-q849-wxrc-vqrp CRITICAL about 1 year ago
Versions of the library from 0.2.2 to 1.0.9 are vulnerable to arbitrary code execution due to unsafe usage of `new Function(...)` in the module...
npm
No PRs yet
@intlify/shared Prototype Pollution vulnerability
GHSA-hjwq-mjwj-4x6c CVE-2024-52810 MODERATE about 1 year ago
**Vulnerability type: Prototype Pollution** **Affected Package:** Product: @intlify/shared Version: 10.0.4 **Vulnerability Location(s):** `nod...
npm
241
Dependabot PRs
5%
Merged
vue-i18n has cross-site scripting vulnerability with prototype pollution
GHSA-9r9m-ffp6-9x4v CVE-2024-52809 MODERATE about 1 year ago
### Vulnerability type XSS ### Description vue-i18n can be passed locale messages to `createI18n` or `useI18n`. We can then translate them using `...
npm
225
Dependabot PRs
5%
Merged
@dapperduckling/keycloak-connector-server has Reflected XSS Vulnerability in Authentication Flow URL Handling
GHSA-w5rq-g9r6-vrcg CVE-2024-53843 MODERATE about 1 year ago
**Impact** A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the authentication flow of the application. This issue arises due...
npm
No PRs yet
@lobehub/chat Server Side Request Forgery vulnerability
GHSA-2xcc-vm3f-m8rw CVE-2024-32965 HIGH about 1 year ago
### Summary lobe-chat before 1.19.13 has an unauthorized SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without log...
npm
No PRs yet
@sveltejs/kit vulnerable to XSS on dev mode 404 page
GHSA-rjjv-87mx-6x3h CVE-2024-53261 LOW about 1 year ago
### Summary "Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may res...
npm
1
Dependabot PRs
@sveltejs/kit has unescaped error message included on error page
GHSA-mh2x-fcqh-fmqv CVE-2024-53262 LOW about 1 year ago
### Summary The static error.html template for errors contains placeholders that are replaced without escaping the content first. ### Details Fr...
npm
1
Dependabot PRs
smol-toml has a Denial of Service via malicious TOML document using deeply nested inline tables
GHSA-pqhp-25j4-6hq9 MODERATE about 1 year ago
### Summary An attacker can send a maliciously crafted TOML to cause the parser to crash because of a stack overflow caused by a deeply nested inli...
npm
26
Dependabot PRs
9%
Merged
Flowise OverrideConfig security vulnerability
GHSA-5cph-wvm9-45gj HIGH about 1 year ago
### Impact Flowise allows developers to inject configuration into the Chainflow during execution through the `overrideConfig` option. This is suppo...
npm
No PRs yet
Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server
GHSA-3wf4-68gx-mph8 CVE-2024-11023 MODERATE about 1 year ago
Firebase JavaScript SDK utilizes a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session ...
npm
No PRs yet
Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit
GHSA-7q7g-4xm8-89cq CVE-2024-21539 LOW about 1 year ago
Crafting a very large, well-crafted string can increase CPU usage and crash the program. ## POC ```js const { ConfigCommentParser } = requ...
npm
No PRs yet
Remote Code Execution on click of <a> Link in markdown preview
GHSA-hff8-hjwv-j9q7 CVE-2024-49362 HIGH about 1 year ago
### Summary There is a vulnerability in `Joplin-desktop` that leads to remote code execution (RCE) when a user clicks on an `<a>` link within untr...
npm
No PRs yet
dom-iterator code execution vulnerability
GHSA-jrvm-mcxc-mf6m CVE-2024-21541 MODERATE about 1 year ago
Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complet...
npm
20
Dependabot PRs
11%
Merged
matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal
GHSA-xvg8-m4x3-w6xr CVE-2024-50336 MODERATE about 1 year ago
### Summary matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger cli...
npm
No PRs yet
Regular Expression Denial of Service (ReDoS) in cross-spawn
GHSA-3xgq-45jj-v275 CVE-2024-21538 HIGH about 1 year ago
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization....
npm
78
Dependabot PRs
15%
Merged
Froala WYSIWYG editor allows cross-site scripting (XSS)
GHSA-549p-5c7f-c5p4 CVE-2024-51434 MODERATE about 1 year ago
Inconsistent <plaintext> tag parsing allows for XSS in Froala WYSIWYG editor 4.3.0 and earlier.
npm packagist
2
Dependabot PRs
happy-dom allows for server side code to be executed by a <script> tag
GHSA-96g7-g7g9-jxw8 CVE-2024-51757 CRITICAL about 1 year ago
### Impact Consumers of the NPM package `happy-dom` ### Patches The security vulnerability has been patched in v15.10.2 ### Workarounds No easy w...
npm
No PRs yet
@workos-inc/authkit-remix refresh tokens are logged when the debug flag is enabled
GHSA-v2qh-f584-6hj8 CVE-2024-51753 LOW about 1 year ago
### Impact Refresh tokens are logged to the console when the `debug` flag, which is disabled by default, is enabled. ### Patches Patched in [https://github....
npm
No PRs yet
@workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled
GHSA-5wmg-9cvh-qw25 CVE-2024-51752 LOW about 1 year ago
### Impact Refresh tokens are logged to the console when the `debug` flag, which is disabled by default, is enabled. ### Patches Patched in [https://github....
npm
No PRs yet
Path traversal in oak allows transfer of hidden files within the served root directory
GHSA-qm92-93fv-vh7m CVE-2024-49770 HIGH about 1 year ago
### Summary By default `oak` does not allow transferring of hidden files with `Context.send` API. However, this can be bypassed by encoding `/` as...
npm
No PRs yet
Glossarizer Cross-site Scripting vulnerability
GHSA-hhhv-ggjx-q9j2 CVE-2024-42515 MODERATE about 1 year ago
Glossarizer through 1.5.2 improperly tries to convert text into HTML. Even though the application itself escapes special characters (e.g., <>), the...
npm
No PRs yet
DOMPurify vulnerable to tampering by prototype pollution
GHSA-p3vf-v8qc-cwcr CVE-2024-48910 CRITICAL about 1 year ago
DOMPurify was vulnerable to prototype pollution. Fixed by https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc
npm
No PRs yet
lilconfig Code Injection vulnerability
GHSA-fq9m-v26v-2m4f CVE-2024-21537 HIGH about 1 year ago
Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the d...
npm
No PRs yet
Express resource injection
GHSA-cm5g-3pgc-8rg4 CVE-2024-10491 MODERATE about 1 year ago
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsan...
npm
No PRs yet
Langchain Path Traversal vulnerability
GHSA-hc5w-c9f8-9cc4 CVE-2024-7774 MODERATE about 1 year ago
A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to...
npm
No PRs yet
@langchain/community SQL Injection vulnerability
GHSA-6m59-8fmv-m5f9 CVE-2024-7042 LOW about 1 year ago
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injec...
npm
No PRs yet