Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,921 Total Advisories
1,821 With Dependabot PRs
3,520 Critical Severity
8,659 High Severity
Sending a GET or HEAD request with a body crashes SvelteKit
GHSA-g5m6-hxpp-fc49 CVE-2024-23641 HIGH almost 2 years ago
### Summary
In SvelteKit 2 sending a GET request with a body eg `{}` to a SvelteKit app in preview or with `adapter-node` throws `Request with GET/...
npm
No PRs yet
Prototype pollution not blocked by object-path related utilities in hoolock
GHSA-4c2g-hx49-7h25 CVE-2024-23339 MODERATE almost 2 years ago
### Impact
Utility functions related to object paths (`get`, `set` and `update`) did not block attempts to access or alter object prototypes.
### ...
npm
No PRs yet
@hono/node-server cannot handle "double dots" in URL
GHSA-rjq5-w47x-x359 CVE-2024-23340 MODERATE almost 2 years ago
### Impact
Since v1.3.0, we use our own Request object. This is great, but the `url` behavior is unexpected.
In the standard API, if the URL cont...
npm
No PRs yet
Cross-site Scripting in Ghost
GHSA-fh38-9fgr-454w CVE-2024-23725 MODERATE almost 2 years ago
Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries.
npm
No PRs yet
SPV Merkle proof malleability allows the maintainer to prove invalid transactions
GHSA-wg2x-rv86-mmpx HIGH almost 2 years ago
## Summary
By publishing specially crafted transactions on the Bitcoin blockchain, the SPV maintainer can produce seemingly valid SPV proofs for fr...
npm
No PRs yet
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
GHSA-c24v-8rfc-w8vw CVE-2024-23331 HIGH almost 2 years ago
### Summary
[Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` can be bypassed on case-insensi...
npm
No PRs yet
Marvin Attack of RSA and RSAOAEP decryption in jsrsasign
GHSA-rh63-9qcf-83gf CVE-2024-21484 HIGH almost 2 years ago
### Impact
RSA PKCS#1.5 or RSAOAEP ciphertexts may be decrypted by this Marvin attack vulnerability.
### Patches
update to jsrsasign 11.0.0.
### ...
npm
1 Dependabot PR (100% merged)
Default swagger-ui configuration exposes all files in the module
GHSA-62jr-84gf-wmg4 CVE-2024-22207 MODERATE almost 2 years ago
### Impact
The default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed...
npm
No PRs yet
EverShop vulnerable to improper authorization in GraphQL endpoints
GHSA-ggpm-9qfx-mhwg CVE-2023-46942 HIGH almost 2 years ago
Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.9, allows remote attackers to obtain sensitive information via i...
npm
No PRs yet
EverShop at risk to unauthorized access via weak HMAC secret
GHSA-32r3-57hp-cgfw CVE-2023-46943 CRITICAL almost 2 years ago
An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.9. The HMAC secret used for generating tokens is hardcoded as "...
npm
No PRs yet
@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)
GHSA-q6w5-jg5q-47vg CVE-2024-22206 CRITICAL almost 2 years ago
### Impact
Unauthorized access or privilege escalation due to a logic flaw in `auth()` in the App Router or `getAuth()` in the Pages Router.
### A...
npm
No PRs yet
react-native-mmkv Insertion of Sensitive Information into Log File vulnerability
GHSA-4jh3-6jhv-2mgp CVE-2024-21668 MODERATE almost 2 years ago
## Summary
Before version [v2.11.0](https://github.com/mrousavy/react-native-mmkv/releases/tag/v2.11.0), the react-native-mmkv logged the optional ...
npm
No PRs yet
Appwrite CLI makes Use of Hard-coded Credentials
GHSA-g777-crp9-m27g CVE-2023-50974 MODERATE almost 2 years ago
In Appwrite CLI before 3.0.0, when using the login command, the credentials of the Appwrite user are stored in a ~/.appwrite/prefs.json file with 0...
npm
No PRs yet
@fastify/reply-from JSON Content-Type parsing confusion
GHSA-v2v2-hph8-q5xp CVE-2023-51701 MODERATE almost 2 years ago
### Impact
The main repo of fastify use [fast-content-type-parse](https://github.com/fastify/fast-content-type-parse) to parse request Content-Typ...
npm
1 Dependabot PR
@backstage/backend-app-api leaks GitLab access tokens
GHSA-86rg-pf4c-5grg CVE-2023-6944 HIGH almost 2 years ago
A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encode...
npm
No PRs yet
Arbitrary remote code execution within `wrangler dev` Workers sandbox
GHSA-f8mp-x433-5wpf CVE-2023-7080 CRITICAL almost 2 years ago
### Impact
The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. `wrangler dev` would previously...
npm
No PRs yet
Arbitrary remote file read in Wrangler dev server
GHSA-cfph-4qqh-w828 CVE-2023-7079 MODERATE almost 2 years ago
### Impact
Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer ...
npm
No PRs yet
CouchAuth host header injection vulnerability leaks the password reset token
GHSA-fqh6-6h6c-366m CVE-2023-39655 HIGH almost 2 years ago
A host header injection vulnerability exists in the NPM package @perfood/couch-auth versions <= 0.20.0. By sending a specially crafted host header ...
npm
No PRs yet
plotly.js prototype pollution vulnerability
GHSA-wjc4-73q6-gv3m CVE-2023-46308 CRITICAL almost 2 years ago
In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty.
npm
packagist
No PRs yet
Follow Redirects improperly handles URLs in the url.parse() function
GHSA-jchw-25xp-jwwc CVE-2023-26159 MODERATE almost 2 years ago
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url....
npm
7 Dependabot PRs (25% merged)
Layui cross-site scripting (XSS) vulnerability
GHSA-rcvr-8whx-3m5p CVE-2023-50550 MODERATE almost 2 years ago
layui up to v2.74 was discovered to contain a cross-site scripting (XSS) vulnerability via the data-content parameter.
npm
No PRs yet
Miniflare vulnerable to Server-Side Request Forgery (SSRF)
GHSA-fwvg-2739-22v7 CVE-2023-7078 HIGH almost 2 years ago
### Impact
Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the ...
npm
No PRs yet
msgpackr's conversion of property names to strings can trigger infinite recursion
GHSA-7hpj-7hhx-2fgx CVE-2023-52079 HIGH almost 2 years ago
### Impact
When decoding user supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a ...
npm
No PRs yet
blinksocks has weak encryption algorithms
GHSA-pqj5-37xf-x5gc CVE-2023-50481 MODERATE almost 2 years ago
An issue was discovered in blinksocks version 3.3.8, allows remote attackers to obtain sensitive information via weak encryption algorithms in the ...
npm
No PRs yet
bsock uses weak hashing algorithms
GHSA-jj93-39pf-7mcf CVE-2023-50475 CRITICAL almost 2 years ago
An issue was discovered in the bsock component of bcoin-org bcoin that allows remote attackers to obtain sensitive information via weak hashing alg...
npm
No PRs yet
Pedroetb TTS-API OS Command Injection
GHSA-jx6q-fq9h-6g7q CVE-2019-25158 CRITICAL almost 2 years ago
A vulnerability has been found in pedroetb tts-api up to 2.1.4 and classified as critical. This vulnerability affects the function onSpeechDone of ...
npm
No PRs yet
Sentry's Astro SDK vulnerable to ReDoS
GHSA-x3v3-8xg8-8v72 CVE-2023-50249 HIGH almost 2 years ago
### Impact
A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain cond...
npm
No PRs yet
Unauthenticated Denial of Service in the octokit/webhooks library
GHSA-pwfr-8pq7-x9qv CVE-2023-50728 HIGH almost 2 years ago
### Impact
Versions [v9.26.0](https://github.com/octokit/webhooks.js/releases/tag/v9.26.0), [v10.9.x](https://github.com/octokit/webhooks.js/releas...
npm
No PRs yet
Cross-site Scripting in @spscommerce/ds-react
GHSA-cfxh-frx4-9gjg CRITICAL almost 2 years ago
### Impact
XSS, anyone using the SPS Select with options prop populated from user input is impacted. If these options are stored, then it could hav...
npm
No PRs yet
Named path parameters can be overridden in TrieRouter
GHSA-f6gv-hh8j-q8vq CVE-2023-50710 MODERATE almost 2 years ago
### Impact
The clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk...
npm
No PRs yet
Cube API denial of service attack
GHSA-9759-3276-g2pm CVE-2023-50709 MODERATE almost 2 years ago
### Impact
It is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint.
### Patches
Th...
npm
No PRs yet
Escalation of privileges in @sap/xssec
GHSA-p2vx-qj66-88q3 CVE-2023-49583 CRITICAL almost 2 years ago
SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges....
npm
No PRs yet
Password Change Vulnerability
GHSA-88j4-pcx8-q4q3 CVE-2023-49804 MODERATE almost 2 years ago
## Overview:
A moderate security vulnerability has been identified in Uptime Kuma platform that poses a significant threat to the confidentiality ...
npm
No PRs yet
SSRF & Credentials Leak
GHSA-3wfp-253j-5jxv CVE-2023-49799 HIGH almost 2 years ago
### Summary
`nuxt-api-party` allows developers to proxy requests to an API without exposing credentials to the client. [A previous vulnerability](h...
npm
No PRs yet
OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4
GHSA-699g-q6qh-q4v8 CVE-2023-49798 MODERATE almost 2 years ago
### Context
Merge conflict resolution issue when porting the v5.0.1 `Multicall` update to the v4.9 branch caused a duplicated line.
### Impact
Ve...
npm
No PRs yet
Overly permissive origin policy
GHSA-qxrj-hx23-xp82 CVE-2023-49803 HIGH almost 2 years ago
Currently, the middleware operates in a way that if an allowed origin is not provided, it will return an `Access-Control-Allow-Origin` header with ...
npm
24 Dependabot PRs (16% merged)
DOS by abusing `fetchOptions.retry`.
GHSA-q6hx-3m4p-749h CVE-2023-49800 HIGH almost 2 years ago
### Summary
`nuxt-api-party` allows developers to proxy requests to an API without exposing credentials to the client. [`ofetch`](https://github.co...
npm
No PRs yet
Directory Traversal in evershop
GHSA-4wrm-qmq2-5fjx CVE-2023-46493 MODERATE almost 2 years ago
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a craft...
npm
No PRs yet
Cross-site Scripting in evershop
GHSA-gjj8-m83c-qv9h CVE-2023-46499 MODERATE almost 2 years ago
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a craf...
npm
No PRs yet
Code execution in evershop
GHSA-5mmr-9qx3-3pf9 CVE-2023-46498 CRITICAL almost 2 years ago
An issue in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information and execute arbitrary code via the /...
npm
No PRs yet
Directory Traversal in evershop
GHSA-7443-5962-wp4r CVE-2023-46497 MODERATE almost 2 years ago
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a craft...
npm
No PRs yet
Cross-site Scripting in evershop
GHSA-2xcj-557c-hf8r CVE-2023-46495 MODERATE almost 2 years ago
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a craf...
npm
No PRs yet
Directory Traversal in evershop
GHSA-rwf3-w4jq-f4cm CVE-2023-46496 HIGH almost 2 years ago
Directory Traversal vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a craft...
npm
No PRs yet
Cross Site Scripting in evershop
GHSA-m6vm-ff9v-jp3r CVE-2023-46494 MODERATE almost 2 years ago
Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.5 allows a remote attacker to obtain sensitive information via a craf...
npm
No PRs yet
mockjs vulnerable to Prototype Pollution via the Util.extend function
GHSA-mh8j-9jvh-gjf6 CVE-2023-26158 HIGH almost 2 years ago
All versions of the package mockjs are vulnerable to Prototype Pollution via the Util.extend function due to missing check if the attribute resolve...
npm
No PRs yet
Directory Traversal in Gladys Assistant
GHSA-c79f-pqgf-fhp3 CVE-2023-47440 MODERATE about 2 years ago
Gladys Assistant v4.27.0 and prior is vulnerable to Directory Traversal. The patch of CVE-2023-43256 was found to be incomplete, allowing authentic...
npm
No PRs yet
pubnub Insufficient Entropy vulnerability
GHSA-5844-q3fc-56rh CVE-2023-26154 MODERATE about 2 years ago
Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versi...
cargo
go
maven
+6 more
No PRs yet
Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
GHSA-92r3-m2mg-pj97 CVE-2023-49293 MODERATE about 2 years ago
### Summary
When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, ...
npm
No PRs yet
Logging of the firestore key within nodejs-firestore
GHSA-4g6q-77j7-vvjc CVE-2023-6460 MODERATE about 2 years ago
A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings wo...
npm
No PRs yet
ASAR Integrity bypass via filetype confusion in electron
GHSA-7m48-wc93-9g85 CVE-2023-44402 MODERATE about 2 years ago
### Impact
This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs...
npm
No PRs yet