Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,921 Total Advisories
1,821 With Dependabot PRs
3,520 Critical Severity
8,659 High Severity
Hidden fields can be leaked on readable collections in Payload
GHSA-35jj-vqcf-f2jf CVE-2023-30843 HIGH over 2 years ago
### Details
If a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer tho...
npm
No PRs yet
@builder.io/qwik-city Cross-Site Request Forgery vulnerability
GHSA-c54w-7j5f-xg98 CVE-2023-2307 MODERATE over 2 years ago
Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.
npm
No PRs yet
HTML injection in search results via plaintext message highlighting
GHSA-xv83-x443-7rmw CVE-2023-30609 HIGH over 2 years ago
### Impact
Plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user ...
npm
No PRs yet
Remote code execution in broccoli-compass
GHSA-wq8f-xmq3-5vq9 CVE-2023-27848 CRITICAL over 2 years ago
broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.
npm
No PRs yet
Remote code execution in dawnsparks-node-tesseract
GHSA-88qf-5f3v-pm6m CVE-2023-29566 CRITICAL over 2 years ago
dawnsparks-node-tesseract before 0.4.1 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.
npm
No PRs yet
Uncaught Exception in yaml
GHSA-f9xv-q969-pqx4 CVE-2023-2251 HIGH over 2 years ago
Uncaught Exception in GitHub repository eemeli/yaml starting at version 2.0.0-5 and prior to 2.2.2.
npm
86 Dependabot PRs, 12% merged
Prototype Pollution in sheetJS
GHSA-4r6h-8v6p-xvw6 CVE-2023-30533 HIGH over 2 years ago
All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read ...
npm
No PRs yet
Expo SDK has an OAuth vulnerability
GHSA-wr5g-q49g-548w CVE-2023-28131 CRITICAL over 2 years ago
A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured t...
npm
No PRs yet
Session fixation in fastify-passport
GHSA-4m3m-ppvx-xgw9 CVE-2023-29019 HIGH over 2 years ago
Applications using `@fastify/passport` for user authentication, in combination with `@fastify/session` as the underlying session management mechani...
npm
No PRs yet
CSRF token fixation in fastify-passport
GHSA-2ccf-ffrj-m4qw CVE-2023-29020 MODERATE over 2 years ago
The [CSRF](https://owasp.org/www-community/attacks/csrf) protection enforced by the `@fastify/csrf-protection` library, when combined with `@fastif...
npm
No PRs yet
Nunjucks autoescape bypass leads to cross site scripting
GHSA-x77j-w7wf-fjmw CVE-2023-2142 MODERATE over 2 years ago
### Impact
In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionali...
npm
72 Dependabot PRs, 15% merged
Bypass of CSRF protection in the presence of predictable userInfo
GHSA-qrgf-9gpc-vrxw CVE-2023-27495 MODERATE over 2 years ago
## Description
The [CSRF](https://owasp.org/www-community/attacks/csrf) protection enforced by the `@fastify/csrf-protection` library in combinatio...
npm
No PRs yet
Path traversal vulnerability in gatsby-plugin-sharp
GHSA-h2pm-378c-pcxx CVE-2023-30548 MODERATE over 2 years ago
### Impact
The gatsby-plugin-sharp plugin prior to versions 5.8.1 and 4.25.1 contains a path traversal vulnerability exposed when running the Gats...
npm
No PRs yet
vm2 Sandbox Escape vulnerability
GHSA-ch3r-j5x3-6q2m CVE-2023-30547 CRITICAL over 2 years ago
There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception ...
npm
No PRs yet
GovernorCompatibilityBravo may trim proposal calldata
GHSA-93hq-5wgc-jc82 CVE-2023-30542 HIGH over 2 years ago
### Impact
The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array...
npm
No PRs yet
eslint-detailed-reporter vulnerable to cross-site scripting
GHSA-4xr4-89m5-46c7 CVE-2022-4942 LOW over 2 years ago
A vulnerability was found in mportuga eslint-detailed-reporter up to 0.9.0 and classified as problematic. Affected by this issue is the function re...
npm
No PRs yet
Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin
GHSA-2h87-4q2w-v4hf CVE-2023-22621 CRITICAL over 2 years ago
### Summary
Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the...
npm
No PRs yet
Strapi leaking sensitive user information by filtering on private fields
GHSA-jjqf-j4w7-92w8 CVE-2023-22894 HIGH over 2 years ago
### Summary
Strapi through 4.7.1 allows unauthenticated attackers to discover sensitive user details for Strapi administrators and API users.
npm
No PRs yet
Strapi does not verify the access or ID tokens issued during the OAuth flow
GHSA-583x-23h9-f5w7 CVE-2023-22893 MODERATE over 2 years ago
Strapi 3.2.1 until 4.6.0 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authe...
npm
No PRs yet
`chainId` may be outdated if user changes chains as part of connection in @web3-react
GHSA-8pf3-6fgr-3g3g CVE-2023-30543 MODERATE over 2 years ago
### Impact
`chainId` may be outdated if the user changes chains as part of the connection flow. This means that the value of `chainId` returned by ...
npm
No PRs yet
Authentication Bypass in @strapi/plugin-users-permissions
GHSA-xv3q-jrmm-4fxv HIGH over 2 years ago
### Summary
Strapi through 4.5.6 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used ...
npm
No PRs yet
@nuxtlabs/github-module made Use of Hard-coded Credentials
GHSA-fp2w-g92g-fgq4 CVE-2023-2138 CRITICAL over 2 years ago
https://nuxt.com had a hardcoded GitHub token in the source code of the page. This token had access to multiple repositories under `nuxt`, `nuxtlab...
npm
No PRs yet
OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated
GHSA-mx2q-35m2-x2rh CVE-2023-30541 MODERATE over 2 years ago
### Impact
A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifical...
npm
No PRs yet
matrix-js-sdk vulnerable to invisible eavesdropping in group calls
GHSA-6g67-q39g-r79q CVE-2023-29529 MODERATE over 2 years ago
### Impact
An attacker present in a room where an [MSC3401](https://github.com/matrix-org/matrix-spec-proposals/pull/3401) group call is taking pl...
npm
No PRs yet
vm2 Sandbox Escape vulnerability
GHSA-xj72-wvfv-8985 CVE-2023-29199 CRITICAL over 2 years ago
There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypa...
npm
No PRs yet
safe-eval vulnerable to Sandbox Bypass due to improper input sanitization
GHSA-79xf-67r4-q2jj CVE-2023-26122 CRITICAL over 2 years ago
All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from protot...
npm
No PRs yet
safe-eval vulnerable to Prototype Pollution via the safeEval function
GHSA-hcg3-56jf-x4vh CVE-2023-26121 CRITICAL over 2 years ago
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its paramete...
npm
No PRs yet
vm2 vulnerable to sandbox escape
GHSA-7jxr-cg7f-gpgv CVE-2023-29017 CRITICAL over 2 years ago
vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors.
- vm2 version: ~3.9.14
- Node ve...
npm
No PRs yet
SvelteKit framework has Insufficient CSRF protection for CORS requests
GHSA-gv7g-x59x-wf8f CVE-2023-29008 HIGH over 2 years ago
### Summary
The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containin...
npm
5 Dependabot PRs, 25% merged
xml2js is vulnerable to prototype pollution
GHSA-776f-qx25-q3cc CVE-2023-0842 MODERATE over 2 years ago
xml2js versions before 0.5.0 allow an external attacker to edit or add new properties to an object. This is possible because the application does ...
npm
2 Dependabot PRs
markdown-pdf vulnerable to local file read via server side cross-site scripting (XSS)
GHSA-qghr-877h-f9jh CVE-2023-0835 HIGH over 2 years ago
markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not...
npm
No PRs yet
SvelteKit vulnerable to Cross-Site Request Forgery
GHSA-5p75-vc5g-8rv2 CVE-2023-29003 HIGH over 2 years ago
### Summary
The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containin...
npm
4 Dependabot PRs, 25% merged
Pandao Editor.md vulnerable to cross-site scripting (XSS) in iframe src parameter
GHSA-w974-rq9x-mh3v CVE-2020-19697 MODERATE over 2 years ago
Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script in the...
npm
No PRs yet
Directus API vulnerable to denial of service
GHSA-3gvp-54v2-2jrp CVE-2020-19850 MODERATE over 2 years ago
An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a large number of HTTP requests.
npm
No PRs yet
Pandao Editor.md vulnerable to cross-site scripting (XSS) in editor parameter
GHSA-5p84-mmh9-pxgr CVE-2020-19698 MODERATE over 2 years ago
Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the...
npm
No PRs yet
Prototype pollution in matrix-js-sdk (part 2)
GHSA-mwq8-fjpf-c2gr CVE-2023-28427 HIGH over 2 years ago
### Impact
In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the `Ob...
npm
No PRs yet
angular vulnerable to regular expression denial of service via the angular.copy() utility
GHSA-2vrf-hf26-jrp5 CVE-2023-26116 MODERATE over 2 years ago
All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to t...
npm
No PRs yet
angular vulnerable to regular expression denial of service via the $resource service
GHSA-2qqx-w9hr-q5gx CVE-2023-26117 MODERATE over 2 years ago
All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an...
npm
No PRs yet
angular vulnerable to regular expression denial of service via the <input type="url"> element
GHSA-qwqh-hm9m-p5hr CVE-2023-26118 MODERATE over 2 years ago
All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the us...
npm
No PRs yet
Prototype pollution in matrix-react-sdk
GHSA-6g43-88cp-w5gv CVE-2023-28103 HIGH over 2 years ago
### Impact
In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the `Obj...
npm
No PRs yet
matrix-react-sdk Prototype pollution vulnerability
GHSA-2x9c-qwgf-94xr CVE-2022-36060 HIGH over 2 years ago
### Impact
Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as...
npm
No PRs yet
matrix-js-sdk Prototype Pollution vulnerability
GHSA-rfv9-x7hh-xc32 CVE-2022-36059 HIGH over 2 years ago
### Impact
Events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentiall...
npm
No PRs yet
angular-server-side-configuration information disclosure vulnerability in monorepo with node.js backend
GHSA-gwvm-vrp4-4pp5 CVE-2023-28444 CRITICAL over 2 years ago
### Impact
angular-server-side-configuration detects used environment variables in TypeScript (.ts) files during build time of an Angular CLI proje...
npm
No PRs yet
directus vulnerable to Insertion of Sensitive Information into Log File
GHSA-8vg2-wf3q-mwv7 CVE-2023-28443 MODERATE over 2 years ago
### Summary
CWE-532: Insertion of Sensitive Information into Log File discovered in v9.23.1. The `directus_refresh_token` is not redacted properly...
npm
No PRs yet
code-server vulnerable to Missing Origin Validation in WebSockets
GHSA-frjg-g767-7363 CVE-2023-26114 CRITICAL over 2 years ago
Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerabili...
npm
No PRs yet
Collection.js vulnerable to Prototype Pollution
GHSA-47pj-q2vm-46xc CVE-2023-26113 HIGH over 2 years ago
Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the `extend` function in `Collection.js/dist/node/iter...
npm
No PRs yet
Server-Side Request Forgery in Request
GHSA-p8p7-x288-28g6 CVE-2023-28155 MODERATE over 2 years ago
The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attack...
npm
5 Dependabot PRs, 20% merged
Arbitrary local file read vulnerability during template rendering
GHSA-2rq5-699j-x7p6 CVE-2023-25345 HIGH over 2 years ago
Directory traversal vulnerability in swig-templates through 2.0.4 and swig through 1.4.2 allows attackers to read arbitrary files via the include or ext...
npm
No PRs yet
Missing proper state, nonce and PKCE checks for OAuth authentication
GHSA-7r7x-4c4q-c4qf CVE-2023-27490 HIGH over 2 years ago
### Impact
`next-auth` applications using OAuth provider versions before `v4.20.1` are affected.
A bad actor who can spy on the victim's network o...
npm
No PRs yet
sqlite vulnerable to code execution due to Object coercion
GHSA-jqv5-7xpx-qj74 CVE-2022-43441 HIGH over 2 years ago
### Impact
Due to the underlying implementation of `.ToString()`, it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service...
npm
No PRs yet