Security Advisories
Browse security advisories and track which Dependabot PRs address them.
* Total advisories: 24,921
* With Dependabot PRs: 1,821
* Critical severity: 3,520
* High severity: 8,659
Directus Blind SSRF On File Import
GHSA-8p72-rcq4-h6pw CVE-2024-39699 MODERATE over 1 year ago
### Summary
There was already a reported SSRF vulnerability via file import. [https://github.com/directus/directus/security/advisories/GHSA-j3rg-3r...
npm
No PRs yet
Server Side Request Forgery (SSRF) attack in Fedify
GHSA-p9cg-vqcc-grcx CVE-2024-39687 MODERATE over 1 year ago
### Summary
At present, when Fedify needs to retrieve an object or activity from a remote activitypub server, it makes a HTTP request to the `@id...
npm
No PRs yet
Malicious Matrix homeserver can leak truncated message content of messages it shouldn't have access to
GHSA-w9mh-5x8j-9754 CVE-2024-39691 MODERATE over 1 year ago
### Impact
The fix for GHSA-wm4w-7h2q-3pf7 / [CVE-2024-32000](https://www.cve.org/CVERecord?id=CVE-2024-32000) included in matrix-appservice-irc 2...
npm
No PRs yet
rejetto HFS vulnerable to OS Command Execution by remote authenticated users
GHSA-5f4x-hwv2-w9w2 CVE-2024-39943 HIGH over 1 year ago
rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they ha...
npm
No PRs yet
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
GHSA-c2hr-cqg6-8j6r CVE-2024-39309 CRITICAL over 1 year ago
### Impact
This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.
### Patches
The algorithm to ...
npm
No PRs yet
ejson shell parser in MongoDB Compass may be bypassed
GHSA-jxr4-4prv-mh83 CVE-2024-6376 HIGH over 1 year ago
MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compas...
npm
No PRs yet
@cat5th/key-serializer Prototype Pollution vulnerability
GHSA-whpx-g542-7c7v CVE-2024-39018 MODERATE over 1 year ago
harvey-woo cat5th/key-serializer v0.2.5 was discovered to contain a prototype pollution via the function "query". This vulnerability allows attacke...
npm
No PRs yet
robinweser fast-loops vulnerable to prototype pollution
GHSA-3q56-9cc2-46j4 CVE-2024-39008 HIGH over 1 year ago
robinweser fast-loops v1.1.3 was discovered to contain a prototype pollution via the function `objectMergeDeep`. This vulnerability allows attacker...
npm
No PRs yet
ag-grid packages vulnerable to Prototype Pollution
GHSA-328p-362g-r48j CVE-2024-39001 MODERATE over 1 year ago
ag-grid-enterprise v31.3.2 was discovered to contain a prototype pollution via the component _ModuleSupport.jsonApply. This vulnerability allows at...
npm
No PRs yet
jrburke requirejs vulnerable to prototype pollution
GHSA-x3m3-4wpv-5vgc CVE-2024-38999 HIGH over 1 year ago
jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function `s.contexts._.configure`. This vulnerability allows attac...
npm
No PRs yet
adolph_dudu ratio-swiper was discovered to contain a prototype pollution via the function extendDefaults
GHSA-88vr-hjqx-57qh CVE-2024-38997 MODERATE over 1 year ago
adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype pollution via the function extendDefaults. This vulnerability allows attacker...
npm
No PRs yet
Prototype pollution in ag-grid-community via the _.mergeDeep function
GHSA-876p-c77m-x2hc CVE-2024-38996 HIGH over 1 year ago
ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discovered to contain a prototype pollution via the _.mergeDeep function. This vulner...
npm
No PRs yet
@amoy/common v was discovered to contain a prototype pollution via the function extend
GHSA-w58v-r3cp-qr93 CVE-2024-38994 HIGH over 1 year ago
amoyjs amoy common v1.0.10 was discovered to contain a prototype pollution via the function extend. This vulnerability allows attackers to execute ...
npm
No PRs yet
akbr patch-into was discovered to contain a prototype pollution via the function patchInto
GHSA-gh4x-qv3p-m9pm CVE-2024-38991 HIGH over 1 year ago
akbr patch-into version 1.0.1 was discovered to contain a prototype pollution via the function patchInto. This vulnerability allows attackers to ex...
npm
No PRs yet
frappejs was discovered to contain a prototype pollution via the function registerView
GHSA-gc7m-596h-x57r CVE-2024-38992 HIGH over 1 year ago
airvertco frappejs v0.0.11 was discovered to contain a prototype pollution via the function registerView. This vulnerability allows attackers to ex...
npm
No PRs yet
@aofl/cli-lib Prototype Pollution vulnerability
GHSA-vg6v-jcg3-5mp7 CVE-2024-38987 MODERATE over 1 year ago
aofl cli-lib v3.14.0 was discovered to contain a prototype pollution via the component defaultsDeep. This vulnerability allows attackers to execute...
npm
No PRs yet
@fastly/js-compute has a use-after-free in some host call implementations
GHSA-mp3g-vpm9-9vqv CVE-2024-38375 MODERATE over 1 year ago
### Impact
The implementations of the following functions were determined to include a use-after-free bug:
* `FetchEvent.client.tlsCipherOpensslNam...
npm
No PRs yet
Cross-site Scripting in ZenUML
GHSA-q6xv-jm4v-349h CVE-2024-38527 MODERATE over 1 year ago
### Summary
Markdown-based comments in the ZenUML diagram syntax are susceptible to Cross-site Scripting (XSS).
### Details
The comment feature ...
npm
No PRs yet
Strapi Server-Side Request Forgery (SSRF)
GHSA-p9ff-j98v-p435 CVE-2024-37818 HIGH over 1 year ago
Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image. This vulnerability allows a...
npm
No PRs yet
TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
GHSA-9hcv-j9pv-qmph CVE-2024-38356 MODERATE over 1 year ago
### Impact
A [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE’s content extractio...
npm, nuget, packagist
No PRs yet
TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements
GHSA-w9jx-4g6g-rp7x CVE-2024-38357 MODERATE over 1 year ago
### Impact
A [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE’s content parsing c...
npm, nuget, packagist
No PRs yet
socket.io has an unhandled 'error' event
GHSA-25hc-qcg6-38wj CVE-2024-38355 MODERATE over 1 year ago
### Impact
A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.
```
...
npm
No PRs yet
Lobe Chat API Key Leak
GHSA-p36r-qxgx-jq2v CVE-2024-37895 MODERATE over 1 year ago
### Summary
If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base U...
npm
No PRs yet
ws affected by a DoS when handling a request with many HTTP headers
GHSA-3h5v-q93c-6h6q CVE-2024-37890 HIGH over 1 year ago
### Impact
A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server.
### Proof o...
npm
427 Dependabot PRs, 21% merged
@akbr/update Prototype Pollution
GHSA-mj4p-gmhr-92g3 CVE-2024-36578 MODERATE over 1 year ago
akbr update 1.0.0 is vulnerable to Prototype Pollution via update/index.js.
npm
No PRs yet
obx Prototype Pollution
GHSA-jj58-488v-4rgf CVE-2024-36573 CRITICAL over 1 year ago
almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/ob...
npm
No PRs yet
flatten-json Prototype Pollution
GHSA-j8px-pjmp-325f CVE-2024-36574 MODERATE over 1 year ago
A Prototype Pollution issue in flatten-json 1.0.1 allows an attacker to execute arbitrary code via module.exports.unflattenJSON (flatten-json/index...
npm
No PRs yet
Object Resolver Prototype Pollution
GHSA-qj86-v6m7-4qv2 CVE-2024-36577 HIGH over 1 year ago
apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via Module.setNestedProperty.
npm
No PRs yet
Badger Database Prototype Pollution
GHSA-69r2-2fg7-7hf9 CVE-2024-36581 HIGH over 1 year ago
A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via dist/badger-database.esm.
npm
No PRs yet
object-deep-assign Prototype Pollution
GHSA-4xg3-7w7q-856q CVE-2024-36582 MODERATE over 1 year ago
alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign (/src/index.js)
npm
No PRs yet
@cdr0/sg Prototype Pollution
GHSA-fg52-5jjj-28h7 CVE-2024-36580 MODERATE over 1 year ago
A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.
npm
No PRs yet
Mattermost Desktop App Remote Code Execution
GHSA-hvxg-77mg-vrvp CVE-2024-37182 MODERATE over 1 year ago
Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force ...
npm
No PRs yet
Mattermost Desktop App allows for bypassing TCC restrictions on macOS
GHSA-xgqm-wp7w-mgg2 CVE-2024-36287 LOW over 1 year ago
Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags which allows for bypassing TCC restrictions on macOS.
npm
No PRs yet
@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass
GHSA-wrvh-rcmr-9qfc CVE-2024-34065 HIGH over 1 year ago
### Summary
By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in Strapi framework it is possi...
npm
4 Dependabot PRs
@strapi/plugin-upload has a Denial-of-Service via Improper Exception Handling
GHSA-pm9q-xj9p-96pm CVE-2024-31217 MODERATE over 1 year ago
### Summary
A Denial-of-Service was found in the media upload process causing the server to crash without restarting, affecting either development ...
npm
No PRs yet
@strapi/plugin-content-manager leaks data via relations via the Admin Panel
GHSA-6j89-frxc-q26m CVE-2024-29181 LOW over 1 year ago
### Summary
1. If a super admin creates a collection where an item in the collection has an association to another collection, a user with the Auth...
npm
No PRs yet
SummerNote Cross Site Scripting Vulnerability
GHSA-cc55-mvqc-g9mg CVE-2024-37629 MODERATE over 1 year ago
SummerNote 0.8.18 is vulnerable to Cross Site Scripting (XSS) via the Code View Function.
npm
No PRs yet
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
GHSA-m5vv-6r4h-3vj9 CVE-2024-35255 MODERATE over 1 year ago
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.
maven, npm, nuget, +1 more
14 Dependabot PRs, 21% merged
@grpc/grpc-js can allocate memory for incoming messages well above configured limits
GHSA-7v5v-9h63-cj86 CVE-2024-37168 MODERATE over 1 year ago
### Impact
There are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channe...
npm
186 Dependabot PRs, 9% merged
ghtml Cross-Site Scripting (XSS) vulnerability
GHSA-vvhj-v88f-5gxr CVE-2024-37166 HIGH over 1 year ago
## Summary
It is possible to introduce user-controlled JavaScript code and trigger a Cross-Site Scripting (XSS) vulnerability in some cases.
## A...
npm
No PRs yet
Generation of Error Message Containing Sensitive Information in zsa
GHSA-wjmj-h3xc-hxp8 CVE-2024-37162 MODERATE over 1 year ago
### Impact
All users are impacted. The zsa application transfers the parse error stack from the server to the client in production build mode. This...
npm
No PRs yet
Arbitrary file read via Playwright's screenshot feature exploiting file wrapper
GHSA-665w-mwrr-77q3 CVE-2024-37169 MODERATE over 1 year ago
### Impact
All users of url-to-png. Please see https://github.com/jasonraimondi/url-to-png/issues/47
### Patches
[v2.0.3](https://github.com/jas...
npm
No PRs yet
Jan path traversal vulnerability
GHSA-878h-rqcq-mv3x CVE-2024-37273 CRITICAL over 1 year ago
An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via upload...
npm
No PRs yet
Jan path traversal vulnerability
GHSA-qfjh-mvq6-c5p8 CVE-2024-36858 CRITICAL over 1 year ago
An arbitrary file upload vulnerability in the /v1/app/writeFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploadi...
npm
No PRs yet
Jan path traversal vulnerability
GHSA-5jqc-qj57-4hrc CVE-2024-36857 HIGH over 1 year ago
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
npm
No PRs yet
Directus is soft-locked by providing a string value to random string util
GHSA-632p-p495-25m5 CVE-2024-36128 HIGH over 1 year ago
### Describe the Bug
Providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capabili...
npm
No PRs yet
javascript-deobfuscator crafted payload can lead to code execution
GHSA-9p6p-8v9r-8c9m CVE-2024-36120 HIGH over 1 year ago
javascript-deobfuscator removes common JavaScript obfuscation techniques. Crafted payloads targeting expression simplification can lead to code exe...
npm
No PRs yet
ip SSRF improper categorization in isPublic
GHSA-2p57-rm9w-gvfp CVE-2024-29415 HIGH over 1 year ago
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::f...
npm
20 Dependabot PRs, 5% merged
wangEditor was discovered to contain a cross-site scripting (XSS) vulnerability via the image upload function
GHSA-9hfw-cvf4-5x25 CVE-2022-25037 MODERATE over 1 year ago
There is a cross-site scripting (XSS) issue in wangEditor via the image upload function in version 4.7.11. This issue has been fixed in version 4.7...
npm
No PRs yet
mysql2 vulnerable to Prototype Pollution
GHSA-pmh2-wpjm-fj45 CVE-2024-21512 HIGH over 1 year ago
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tabl...
npm
No PRs yet