Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,784
With Dependabot PRs: 1,790
Critical Severity: 3,506
High Severity: 8,617
expr-eval does not restrict functions passed to the evaluate function
GHSA-jc85-fpwf-qm7x CVE-2025-12735 HIGH 22 days ago
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variab...
npm
No PRs yet
@react-native-community/cli has arbitrary OS command injection
GHSA-399j-vxmf-hjvr CVE-2025-11953 CRITICAL 24 days ago
The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that...
npm
No PRs yet
node-tar has a race condition leading to uninitialized memory exposure
GHSA-29xp-372q-xqph CVE-2025-64118 MODERATE 28 days ago
### Summary
Using `.t` (aka `.list`) with `{ sync: true }` to read tar entry contents returns uninitialized memory contents if tar file was change...
npm
3 Dependabot PRs
n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook
GHSA-xgp7-7qjq-vg47 CVE-2025-62726 HIGH 28 days ago
### Impact
A remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a m...
npm
No PRs yet
TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update
GHSA-q2pj-6v73-8rgj CVE-2025-60542 HIGH 29 days ago
### Summary
SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring ...
npm
No PRs yet
NextAuthjs Email misdelivery Vulnerability
GHSA-5jpx-9hw9-2fx4 MODERATE 29 days ago
### Summary
NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in `nodemail...
npm
No PRs yet
Astro's bypass of image proxy domain validation leads to SSRF and potential XSS
GHSA-qcpr-679q-rhm2 CVE-2025-59837 HIGH 30 days ago
### Summary
This is a patch bypass of CVE-2025-58179 in commit [9ecf359](https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047e...
npm
No PRs yet
Hono vulnerable to Vary Header Injection leading to potential CORS Bypass
GHSA-q7jf-gf43-6x6p MODERATE about 1 month ago
### Summary
A flaw in the CORS middleware allowed request `Vary` headers to be reflected into the response, enabling attacker-controlled `Vary` v...
npm
3 Dependabot PRs
rollbar vulnerable to Prototype Pollution in merge()
GHSA-xcg2-9pp4-j82x CVE-2025-62517 MODERATE about 1 month ago
### Impact
Prototype pollution vulnerability in merge(). If application code calls `rollbar.configure()` with untrusted input, prototype pollution...
npm
No PRs yet
Kottster app reinitialization can be re-triggered allowing command injection in development mode
GHSA-j3w7-9qc3-g96p CVE-2025-62713 HIGH about 1 month ago
### Impact
**Development mode only**. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development...
npm
No PRs yet
Hono Improper Authorization vulnerability
GHSA-m732-5p4w-x69g CVE-2025-62610 HIGH about 1 month ago
### Improper Authorization in Hono (JWT Audience Validation)
Hono’s JWT authentication middleware did not validate the `aud` (Audience) claim by d...
npm
No PRs yet
Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic
GHSA-g8mr-fgfg-5qpc CVE-2025-62595 MODERATE about 1 month ago
### Summary:
A bypass was discovered in the `Koa.js` framework affecting its back redirect functionality. In certain circumstances, an attacker ca...
npm
No PRs yet
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read
GHSA-vffh-c9pq-4crh MODERATE about 1 month ago
### Summary
In some Notification types (e.g., Webhook, Telegram), the `send()` function allows user-controlled renderTemplate input. This leads to...
npm
No PRs yet
vite allows server.fs.deny bypass via backslash on Windows
GHSA-93m4-6634-74q7 CVE-2025-62522 MODERATE about 1 month ago
### Summary
Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` wh...
npm
No PRs yet
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
GHSA-xvp7-8vm8-xfxx MODERATE about 1 month ago
### Summary
The GoCardless components in Actualbudget are logging responses to STDOUT in a parsed format using `console.log` and `console.debug` ...
npm
No PRs yet
rollbar vulnerable to prototype pollution
GHSA-r8c2-2qwq-94p6 CVE-2025-57325 LOW about 1 month ago
### Impact
Prototype pollution potential with the utility function `rollbar/src/utility`.`set()`. No impact when using the published public interf...
npm
No PRs yet
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module
GHSA-fgx4-p8xf-qhp9 CVE-2025-62505 LOW about 1 month ago
### Vulnerability Description
---
Vulnerability Overview
- When the client sends an arbitrary URL array and impl: ["naive"] to the tRPC endpoint...
npm
No PRs yet
Mammoth is vulnerable to Directory Traversal
GHSA-rmjr-87wv-gf87 CVE-2025-11849 MODERATE about 1 month ago
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the packa...
maven
npm
nuget
+1 more
No PRs yet
Angular SSR has a Server-Side Request Forgery (SSRF) flaw
GHSA-q63q-pgmf-mxhr CVE-2025-62427 HIGH about 1 month ago
### Impact
The vulnerability is a **Server-Side Request Forgery (SSRF)** flaw within the URL resolution mechanism of Angular's Server-Side Renderin...
npm
No PRs yet
Strapi core vulnerable to sensitive data exposure via CORS misconfiguration
GHSA-9329-mxxw-qwf8 CVE-2025-53092 MODERATE about 1 month ago
### Summary
A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly refle...
npm
No PRs yet
Strapi Password Hashing is Missing Maximum Password Length Validation
GHSA-2cjv-6wg9-f4f3 CVE-2025-25298 MODERATE about 1 month ago
## Summary
Strapi's password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords ex...
npm
No PRs yet
Strapi Allows Unauthorized Access to Private Fields via parms.lookup
GHSA-495j-h493-42q2 CVE-2024-56143 HIGH about 1 month ago
### Summary
It's possible to access any private fields by filtering through the lookup parameters
### Details
Using the new lookup operator provi...
npm
No PRs yet
Strapi is vulnerable to Insufficient Session Expiration
GHSA-4r8w-3jww-m2rp CVE-2025-3930 MODERATE about 1 month ago
Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker wh...
npm
No PRs yet
happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
GHSA-qpm2-6cq5-7pq5 CVE-2025-62410 CRITICAL about 1 month ago
### Summary
The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice,...
npm
No PRs yet
`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js`
GHSA-hwmc-4c8j-xxj7 CVE-2025-62381 HIGH about 1 month ago
### Summary
`sveltekit-superforms` v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the `parseFormData` function of ...
npm
No PRs yet
Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails
GHSA-q4w9-x3rv-4c8j CVE-2025-62380 LOW about 1 month ago
### Summary
An HTML injection vulnerability in plaintext emails generated by Mailgen has been discovered. Projects are affected if the `Mailgen.ge...
npm
No PRs yet
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
GHSA-9f2h-7v79-mxw3 CVE-2025-62374 MODERATE about 1 month ago
### Summary
Prototype pollution capabilities on various APIs.
### Details
Injection of malicious payload allows attacker to remotely execute arb...
npm
2 Dependabot PRs (50% Merged)
Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages
GHSA-r4hh-pcgx-j5r2 CVE-2025-34267 HIGH about 1 month ago
Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and nod...
npm
No PRs yet
Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails
GHSA-xw6r-chmh-vpmj CVE-2025-62366 LOW about 1 month ago
### Summary
An HTML injection vulnerability in plaintext emails generated by Mailgen has been discovered. Your project is affected if you use the ...
npm
No PRs yet
Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate
GHSA-7mvr-c777-76hp CVE-2025-59288 HIGH about 1 month ago
### Summary
Use of `curl` with the `-k` (or `--insecure`) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-th...
npm
No PRs yet
CommandKit has incorrect command name exposure in context object for message command aliases
GHSA-fhwm-pc6r-4h2f CVE-2025-62378 MODERATE about 1 month ago
### Impact
A logic flaw exists in the message command handler of CommandKit that affects how the `commandName` property is exposed to both middlew...
npm
No PRs yet
QGIS QWC2 Cross-Site Scripting vulnerability
GHSA-gxp8-m5rq-3m38 CVE-2025-11183 MODERATE about 2 months ago
Cross-Site Scripting vulnerability in attribute table in QGIS QWC2 < 2025.08.14 allows an authorized attacker to plant arbitrary JavaScript code in...
npm
No PRs yet
Happy DOM: VM Context Escape can lead to Remote Code Execution
GHSA-37j7-fg3j-429f CVE-2025-61927 CRITICAL about 2 months ago
# Escape of VM Context gives access to process level functionality
## Summary
Happy DOM v19 and lower contains a security vulnerability that puts ...
npm
221 Dependabot PRs (12% Merged)
Astro's `X-Forwarded-Host` is reflected without validation
GHSA-5ff5-9fcw-vg88 CVE-2025-61925 MODERATE about 2 months ago
### Summary
When running Astro in on-demand rendering mode using an adapter such as the node adapter it is possible to maliciously send an `X-Forwar...
npm
No PRs yet
Flowise is vulnerable to arbitrary file exposure through its ReadFileTool
GHSA-j44m-5v8f-gc9c HIGH about 2 months ago
### Summary
The ReadFileTool in Flowise does not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read...
npm
No PRs yet
Better Auth: Unauthenticated API key creation through api-key plugin
GHSA-99h5-pjcv-gr6v CVE-2025-61928 CRITICAL about 2 months ago
### Summary
Unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api...
npm
No PRs yet
n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host
GHSA-365g-vjw2-grx8 HIGH about 2 months ago
### Impact
The `Execute Command` node in n8n allows execution of arbitrary commands on the host system where n8n runs. While this functionality is...
npm
No PRs yet
Flowise is vulnerable to arbitrary file write through its WriteFileTool
GHSA-jv9m-vf54-chjj CVE-2025-61913 CRITICAL about 2 months ago
### Summary
The WriteFileTool in Flowise does not restrict the file path for reading, allowing authenticated attackers to exploit this vulnerabili...
npm
No PRs yet
FlowiseAI/Flowise has File Upload vulnerability
GHSA-35g6-rrw3-v6xc CVE-2025-61687 HIGH about 2 months ago
### Summary
A file upload vulnerability in FlowiseAI allows authenticated users to upload arbitrary files without proper validation. This enables a...
npm
No PRs yet
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
GHSA-mm7p-fcc7-pg87 CVE-2025-13033 MODERATE about 2 months ago
The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extra...
npm
No PRs yet
pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding
GHSA-rj3r-r7hh-jxfq CVE-2025-11362 HIGH about 2 months ago
Versions of the package pdfmake from 0.3.0-beta.1 to before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling vi...
npm
No PRs yet
SillyTavern Web Interface Vulnerable to DNS Rebinding
GHSA-7cxj-w27x-x78q CVE-2025-59159 CRITICAL about 2 months ago
### Summary
The web UI for SillyTavern is susceptible to DNS rebinding, allowing attackers to perform actions like install malicious extensions, re...
npm
No PRs yet
Flowise vulnerable to RCE via Dynamic function constructor injection
GHSA-hmgh-466j-fx4c CVE-2025-55346 CRITICAL about 2 months ago
### Summary
User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing a malicious actor to run JS code in...
npm
No PRs yet
MCPHub has an Improper Authorization vulnerability via its handleSseConnection function
GHSA-v7c4-33vf-cqqq CVE-2025-11287 MODERATE about 2 months ago
A vulnerability was identified in samanhappy MCPHub up to 0.9.10. This vulnerability affects the function handleSseConnection of the file src/servi...
npm
No PRs yet
MCPHub's ServerController is vulnerable to Command Injection
GHSA-5q2p-3jg8-2m98 CVE-2025-11285 LOW about 2 months ago
A vulnerability was found in samanhappy MCPHub up to 0.9.10. Affected by this issue is some unknown functionality of the file src/controllers/serve...
npm
No PRs yet
Flowise Stored XSS vulnerability through logs in chatbot
GHSA-7r4h-vmj9-wg42 CVE-2025-29192 MODERATE about 2 months ago
### Description
In the chat log, tags like input and form are allowed. This makes a potential vulnerability where an attacker could inject maliciou...
npm
No PRs yet
Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
GHSA-964p-j4gg-mhwc CVE-2025-50538 CRITICAL about 2 months ago
### Summary
A stored Cross-Site Scripting (XSS) vulnerability in FlowiseAI allows a user to inject arbitrary JavaScript code via message input. Whe...
npm
No PRs yet
Flowise vulnerable to XSS
GHSA-4fr9-3x69-36wv MODERATE about 2 months ago
### Summary
An XSS (cross-site scripting) vulnerability is caused by insufficient filtering of input by web applications. Attackers can leverage this...
npm
No PRs yet
Claude Code permission deny bypass through symlink
GHSA-66m2-gx93-v996 CVE-2025-59829 LOW about 2 months ago
Claude Code failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude...
npm
No PRs yet
Claude Code can execute commands prior to the startup trust dialog
GHSA-4fgq-fpq9-mr3g CVE-2025-59536 HIGH about 2 months ago
Due to a bug in the startup trust dialog implementation, Claude Code could be tricked to execute code contained in a project before the user accept...
npm
No PRs yet