Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,921 Total Advisories
1,821 With Dependabot PRs
3,520 Critical Severity
8,659 High Severity
@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity
GHSA-prr3-c3m5-p7q2 CVE-2023-48631 MODERATE about 2 years ago
### Impact
@adobe/css-tools version 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of s...
npm
401 Dependabot PRs
14% Merged
google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability
GHSA-4233-7q5q-m7p6 CVE-2023-48711 LOW about 2 years ago
### Summary
A Server-Side Request Forgery (SSRF) Vulnerability is present in applications utilizing the `google-translate-api-browser` package and ...
npm
No PRs yet
Uptime Kuma Authenticated remote code execution via TailscalePing
GHSA-hfxh-rjv7-2369 MODERATE about 2 years ago
### Summary
The `runTailscalePing` method of the `TailscalePing` class injects the `hostname` parameter inside a shell command, leading to a comma...
npm
No PRs yet
sequelize-typescript Prototype Pollution vulnerability
GHSA-7pvx-4585-hqww CVE-2023-6293 HIGH about 2 years ago
Prototype Pollution in GitHub repository robinbuschmann/sequelize-typescript prior to 2.1.6.
npm
No PRs yet
Attribute Injection leading to XSS (Cross-Site Scripting)
GHSA-v4v2-8h88-65qj CVE-2023-49276 MODERATE about 2 years ago
### Summary
Google Analytics element Attribute Injection leading to XSS
### Details
Since the custom status interface can set an independent Googl...
npm
No PRs yet
openssl npm package vulnerable to command execution
GHSA-75w2-qv55-x7fv CVE-2023-49210 CRITICAL about 2 years ago
The openssl (aka node-openssl) NPM package through 2.0.0 was characterized as "a nonsense wrapper with no real purpose" by its author, and accepts ...
npm
No PRs yet
Possible user mocking that bypasses basic authentication
GHSA-v64w-49xw-qq89 CVE-2023-48309 MODERATE about 2 years ago
### Impact
`next-auth` applications prior to version **4.24.5** that rely on the default [Middleware authorization](https://next-auth.js.org/confi...
npm
No PRs yet
Bypass of field access control in strapi-plugin-protected-populate
GHSA-6h67-934r-82g7 CVE-2023-48218 MODERATE about 2 years ago
### Impact
Users are able to bypass the field level security. This means fields that they were not allowed to populate could be populated anyway e...
npm
No PRs yet
JWT Algorithm Confusion
GHSA-c2ff-88x2-x9pg CVE-2023-48223 MODERATE about 2 years ago
### Summary
The fast-jwt library does not properly prevent JWT algorithm confusion for all public key types.
### Details
The 'publicKeyPemMatcher'...
npm
2 Dependabot PRs
json-web-token library is vulnerable to a JWT algorithm confusion attack
GHSA-4xw9-cx39-r355 CVE-2023-48238 HIGH about 2 years ago
### Summary
The json-web-token library is vulnerable to a JWT algorithm confusion attack.
### Details
On line 86 of the 'index.js' file, the algor...
npm
No PRs yet
@vendure/core's insecure currencyCode handling allows wrong payment amounts
GHSA-wm63-7627-ch33 MODERATE about 2 years ago
### Impact
Currently, in many Vendure deployments it's possible to select any currencyCode (really any, doesn't need to be assigned to the channel...
npm
No PRs yet
sharp vulnerability in libwebp dependency CVE-2023-4863
GHSA-54xq-cgqr-rpm3 HIGH about 2 years ago
## Overview
sharp uses libwebp to decode WebP images and versions prior to the latest 0.32.6 are vulnerable to the high severity https://github.co...
npm
No PRs yet
TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes
GHSA-v626-r774-j7f8 CVE-2023-48219 MODERATE about 2 years ago
### Impact
A [mutation cross-site scripting](https://researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by...
npm
nuget
packagist
No PRs yet
DOMPurify Open Redirect vulnerability
GHSA-8hgg-xxm5-3873 CVE-2019-25155 MODERATE about 2 years ago
DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute.
npm
No PRs yet
Bootbox.js Cross Site Scripting vulnerability
GHSA-m4ch-4m5f-2gp6 CVE-2023-46998 MODERATE about 2 years ago
Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload...
npm
No PRs yet
Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint
GHSA-2rmr-xw8m-22q9 CVE-2023-46729 MODERATE about 2 years ago
### Impact
An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to t...
npm
1 Dependabot PRs
NASA Open MCT Cross Site Scripting vulnerability
GHSA-v8fc-qxvj-f3mg CVE-2023-45885 MODERATE about 2 years ago
Cross Site Scripting (XSS) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to run arbitrary code via the new component ...
npm
No PRs yet
NASA Open MCT Cross Site Request Forgery (CSRF) vulnerability
GHSA-4g88-4hgm-m99x CVE-2023-45884 MODERATE about 2 years ago
Cross Site Request Forgery (CSRF) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to view sensitive information via the...
npm
No PRs yet
chromedriver Command Injection vulnerability
GHSA-hm92-vgmw-qfmx CVE-2023-26156 MODERATE about 2 years ago
Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system b...
npm
No PRs yet
Axios Cross-Site Request Forgery Vulnerability
GHSA-wf5p-g6vw-rhxx CVE-2023-45857 MODERATE about 2 years ago
An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP he...
npm
2333 Dependabot PRs
13% Merged
Prototype Pollution (PP) vulnerability in setByPath
GHSA-9w5f-mw3p-pj47 CVE-2023-45827 HIGH about 2 years ago
### Summary
There is a Prototype Pollution (PP) vulnerability in dot-diver. It can lead to RCE.
### Details
```javascript
//https://github.com/cli...
```
npm
No PRs yet
Unauthorized Access to Private Fields in User Registration API
GHSA-gc7p-j5xm-xxh2 CVE-2023-39345 HIGH about 2 years ago
### System Details
| Name | Value |
|----------|------------------------|
| OS | Windows 11 |
| Version | 4...
npm
No PRs yet
cordova-plugin-fingerprint-aio DoS vulnerability
GHSA-7vfx-hfvm-rhr8 CVE-2021-43849 MODERATE about 2 years ago
## Summary:
Sending a specially crafted intent with an invalid/empty extras `de.niklasmerz.cordova.biometric.BiometricActivity` can cause the app ...
npm
No PRs yet
generator-jhipster allows a timing attack against validateToken due to a string comparison that stops at the first character
GHSA-4gpm-r23h-gprw CVE-2015-20110 HIGH about 2 years ago
JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character...
npm
No PRs yet
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack
GHSA-x9w5-v3q2-3rhw CVE-2023-46234 HIGH about 2 years ago
### Summary
An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any ...
npm
No PRs yet
crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
GHSA-xwcq-pm8m-c4vf CVE-2023-46233 CRITICAL about 2 years ago
### Impact
#### Summary
Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current...
npm
16 Dependabot PRs
6% Merged
crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
GHSA-mpj8-q39x-wq5h CVE-2023-46133 CRITICAL about 2 years ago
### Impact
#### Summary
Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current...
npm
2 Dependabot PRs
Inefficient Regular Expression Complexity in node-email-check
GHSA-9242-6p36-6256 CVE-2023-39619 HIGH about 2 years ago
ReDoS in NPMJS Node Email Check v.1.0.4 allows an attacker to cause a denial of service via a crafted string to the scpSyntax component.
npm
No PRs yet
Parse Server may crash when uploading file without extension
GHSA-792q-q67h-w579 CVE-2023-46119 HIGH about 2 years ago
### Impact
Parse Server crashes when uploading a file without extension.
### Patches
A permanent fix has been implemented to prevent the server ...
npm
No PRs yet
Next.js missing cache-control header may lead to CDN caching empty reply
GHSA-c59h-r6p8-q9wc CVE-2023-46298 LOW about 2 years ago
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial ...
npm
No PRs yet
Tauri's Updater Private Keys Possibly Leaked via Vite Environment Variables
GHSA-2rcp-jvr4-r259 CVE-2023-46115 HIGH about 2 years ago
### Impact
This advisory is not describing a vulnerability in the Tauri code base itself but a commonly used misconfiguration which could lead to ...
cargo
npm
No PRs yet
Directus crashes on invalid WebSocket message
GHSA-hmgw-9jrg-hf2m CVE-2023-45820 HIGH about 2 years ago
### Summary
It seems that any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. T...
npm
No PRs yet
TinyMCE XSS vulnerability in notificationManager.open API
GHSA-hgqx-r2hp-jr38 CVE-2023-45819 MODERATE about 2 years ago
### Impact
A [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE’s Notification Mana...
npm
nuget
packagist
No PRs yet
TinyMCE mXSS vulnerability in undo/redo, getContent API, resetContent API, and Autosave plugin
GHSA-v65r-p3vv-jjfv CVE-2023-45818 MODERATE about 2 years ago
### Impact
A [mutation cross-site scripting](https://researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by...
npm
nuget
packagist
No PRs yet
React Developer Tools extension Improper Authorization vulnerability
GHSA-rxrc-rgv4-jpvx CVE-2023-5654 MODERATE about 2 years ago
The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is ac...
npm
No PRs yet
Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution
GHSA-jg82-xh3w-rhxx CVE-2023-45811 HIGH about 2 years ago
### Impact
A `__proto__` pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code ...
npm
No PRs yet
Prototype Pollution in ali-security/mongoose
GHSA-rc4v-99cr-pjcm CRITICAL about 2 years ago
### Impact
This vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate().
For applications using Ex...
npm
No PRs yet
nocodb SQL Injection vulnerability
GHSA-3m5q-q39v-xf8f CVE-2023-43794 MODERATE about 2 years ago
## Summary
Nocodb contains SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database...
npm
No PRs yet
Undici's cookie header not cleared on cross-origin redirect in fetch
GHSA-wqq4-5wpv-mx2g CVE-2023-45143 LOW about 2 years ago
### Impact
Undici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [fo...
npm
35 Dependabot PRs
5% Merged
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
GHSA-67hx-6x53-jw92 CVE-2023-45133 CRITICAL about 2 years ago
### Impact
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when ...
npm
14 Dependabot PRs
7% Merged
node-qpdf vulnerable to command injection
GHSA-fpr8-4wvx-j9q3 CVE-2023-26155 HIGH about 2 years ago
All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt() fails to sanitize its par...
npm
No PRs yet
Allocation of Resources Without Limits or Throttling in vriteio/vrite
GHSA-5ghm-h2wq-g3mh CVE-2023-5573 MODERATE about 2 years ago
Allocation of Resources Without Limits or Throttling in GitHub repository vriteio/vrite prior to 0.3.0.
npm
No PRs yet
Improper Input Validation in vriteio/vrite
GHSA-44ff-9w4f-99w6 CVE-2023-5571 MODERATE about 2 years ago
Improper Input Validation in GitHub repository vriteio/vrite prior to 0.3.0.
npm
No PRs yet
Server-Side Request Forgery (SSRF) in vriteio/vrite
GHSA-w35p-wxwj-rcm9 CVE-2023-5572 CRITICAL about 2 years ago
Server-Side Request Forgery (SSRF) in GitHub repository vriteio/vrite prior to 0.3.0.
npm
No PRs yet
Cache variables with the operations when transforms exist on the root level even if variables change in the further requests with the same operation
GHSA-rr4x-crhf-8886 CVE-2025-27097 MODERATE about 2 years ago
When you have transforms on the root level or single source with transforms, and the client sends the same query with different variables, the init...
npm
No PRs yet
Uptime Kuma has Persistent User Sessions
GHSA-g9v2-wqcj-j99g CVE-2023-44400 HIGH about 2 years ago
# Summary
Attackers with access to a user's device can gain persistent account access.
This is caused by missing verification of Session Tokens af...
npm
No PRs yet
Code injection in fsevents
GHSA-8r6j-v8pm-fqw3 CVE-2023-45311 CRITICAL about 2 years ago
fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary...
npm
No PRs yet
Prototype Pollution in NASA Open MCT
GHSA-4xcx-cwrq-w792 CVE-2023-45282 HIGH about 2 years ago
NASA Open MCT (aka openmct) before commit 545a177 is subject to a prototype pollution which can occur via an import action.
npm
No PRs yet
Zod denial of service vulnerability during email validation
GHSA-mvrp-3cvx-c325 HIGH about 2 years ago
### Impact
API servers running `express-zod-api` having:
- version of `express-zod-api` below `10.0.0-beta1`,
- and using the following (or simil...
npm
No PRs yet
static-server Path Traversal vulnerability
GHSA-v834-rhv4-65m3 CVE-2023-26152 HIGH about 2 years ago
All versions of the package static-server are vulnerable to Directory Traversal due to improper input sanitization passed via the `validPath` funct...
npm
No PRs yet