Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,921 Total Advisories
1,820 With Dependabot PRs
3,520 Critical Severity
8,659 High Severity
Vite middleware may serve files starting with the same name with the public directory
GHSA-g4jq-h2w9-997c CVE-2025-58751 LOW 3 months ago
### Summary
Files whose names start with the public directory's name (a sibling path sharing the prefix, not a file inside it) were served, bypassing the `server.fs` settings.
### Impact
Only apps that ...
npm
No PRs yet
Vite's `server.fs` settings were not applied to HTML files
GHSA-jqfw-vq24-v9c3 CVE-2025-58752 LOW 3 months ago
### Summary
Any HTML files on the machine were served regardless of the `server.fs` settings.
### Impact
Only apps that match the following condi...
npm
No PRs yet
Cattown is Vulnerable to Uncontrolled Resource Consumption through Inefficient Regular Expression Complexity
GHSA-455v-w7r9-3vv9 CVE-2025-58451 HIGH 3 months ago
### Overview
A security review of Cattown identified multiple weaknesses that could potentially impact its stability and security.
### Affecte...
npm
No PRs yet
Element Plus Link component (el-link) implements insufficient input validation for the href attribute
GHSA-5m5x-9j46-h678 CVE-2025-57665 MODERATE 3 months ago
Element Plus Link component (el-link) prior to 2.11.0 implements insufficient input validation for the href attribute, creating a security abstract...
npm
No PRs yet
DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware
GHSA-w62p-hx95-gf2c CVE-2025-59037 HIGH 3 months ago
The DuckDB distribution for Node.js on [npm](https://www.npmjs.com/) was compromised with malware (along with [several other pac...
npm
No PRs yet
MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server
GHSA-g9hg-qhmf-q45m CVE-2025-58444 HIGH 3 months ago
An XSS flaw exists in the MCP Inspector local development tool when it renders a redirect URL returned by a remote MCP server. If the Inspector con...
npm
No PRs yet
@akoskm/create-mcp-server-stdio is vulnerable to MCP Server Command Injection through `exec` API
GHSA-3ch2-jxxc-v4xf CVE-2025-54994 CRITICAL 3 months ago
# Command Injection in MCP Server
The MCP Server at https://github.com/akoskm/create-mcp-server-stdio is written in a way that is vulnerable to co...
npm
No PRs yet
CodeceptJS's incomprehensive sanitation can lead to Command Injection
GHSA-34w8-mcwr-vg29 CVE-2025-57285 CRITICAL 3 months ago
CodeceptJS versions 3.5.0 through 3.7.5-beta.18 contain a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync ...
npm
No PRs yet
N8N's Chat Trigger component is vulnerable to XSS
GHSA-v2x8-97xq-8xrr CVE-2025-56265 HIGH 3 months ago
An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1.95.3, v1.100.1, and v1.101.1 allows attackers to execute arbitrary c...
npm
No PRs yet
SimStudioAI: A function in route.ts is vulnerable to Code Injection
GHSA-g4c9-f287-64xg CVE-2025-10097 MODERATE 3 months ago
A vulnerability was identified in SimStudioAI sim. This impacts an unknown function of the file apps/sim/app/api/function/execute/route.ts. The man...
npm
No PRs yet
sanitize-html is vulnerable to XSS through incomprehensive sanitization
GHSA-qhxp-v273-g94h CVE-2019-25225 MODERATE 3 months ago
`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanit...
npm
No PRs yet
Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter
GHSA-qpr4-c339-7vq8 CVE-2025-58179 HIGH 3 months ago
### Summary
When using Astro's Cloudflare adapter (`@astrojs/cloudflare`) configured with `output: 'server'` while using the default `imageService...
npm
No PRs yet
Hono's flaw in URL path parsing could cause path confusion
GHSA-9hp6-4448-45g2 CVE-2025-58362 HIGH 3 months ago
### Summary
A flaw in the `getPath` utility function could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location bloc...
npm
3 Dependabot PRs
Electron has ASAR Integrity Bypass via resource modification
GHSA-vmqv-hx8q-j7mg CVE-2025-55305 MODERATE 3 months ago
### Impact
This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs...
npm
No PRs yet
Claude Code Vulnerable to Arbitrary Code Execution Due to Insufficient Startup Warning
GHSA-ph6w-f82w-28w6 HIGH 3 months ago
When Claude Code was started in a new directory, it displayed a warning asking, "Do you trust the files in this folder?". This warning did not prop...
npm
No PRs yet
CKEditor 5 cross-site scripting (XSS) vulnerability in the clipboard package
GHSA-x9gp-vjh6-3wv6 CVE-2025-58064 LOW 3 months ago
### Impact
A Cross-Site Scripting (XSS) vulnerability has been discovered in the CKEditor 5 clipboard package. This vulnerability could be triggere...
npm
No PRs yet
mcp-markdownify-server vulnerable to command injection in pptx-to-markdown tool
GHSA-45qj-4xq3-3c45 CVE-2025-58358 HIGH 3 months ago
### Summary
A command injection vulnerability exists in the `mcp-markdownify-server` MCP Server. The vulnerability is caused by the unsanitized us...
npm
No PRs yet
Next.js Affected by Cache Key Confusion for Image Optimization API Routes
GHSA-g5qg-72qw-gw5v CVE-2025-57752 MODERATE 3 months ago
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request he...
npm
No PRs yet
Next.js Content Injection Vulnerability for Image Optimization
GHSA-xv57-4mr9-wg8v CVE-2025-55173 MODERATE 3 months ago
A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external im...
npm
No PRs yet
Next.js Improper Middleware Redirect Handling Leads to SSRF
GHSA-4342-x723-ch2f CVE-2025-57822 MODERATE 3 months ago
A vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly pas...
npm
No PRs yet
AiondaDotCom mcp-ssh command injection vulnerability in SSH operations
GHSA-694p-3fxc-m92h CVE-2025-9654 MODERATE 3 months ago
A security flaw has been discovered in AiondaDotCom mcp-ssh up to 1.0.3. Affected by this issue is some unknown functionality of the file server-si...
npm
No PRs yet
Payload does not invalidate JWTs after log out
GHSA-5v66-m237-hwf7 CVE-2025-4643 MODERATE 3 months ago
Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted...
npm
No PRs yet
Payload's SQLite adapter Session Fixation vulnerability
GHSA-26rv-h2hf-3fw4 CVE-2025-4644 MODERATE 3 months ago
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could cr...
npm
No PRs yet
Volto affected by possible DoS by invoking specific URL by anonymous user
GHSA-xjhf-7833-3pm5 CVE-2025-58047 HIGH 3 months ago
### Impact
When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.
### Patches
The prob...
npm
No PRs yet
NodeBB SQL Injection vulnerability
GHSA-rfh2-8vxq-jqr8 CVE-2025-50979 HIGH 3 months ago
NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter is not p...
npm
No PRs yet
Malicious versions of Nx were published
GHSA-cxm3-wv7p-598c CVE-2025-10894 CRITICAL 3 months ago
## Summary
Malicious versions of the [`nx` package](https://www.npmjs.com/package/nx), as well as some supporting plugin packages, were published ...
npm
No PRs yet
devalue prototype pollution vulnerability
GHSA-vj54-72f3-p5jv CVE-2025-57820 HIGH 3 months ago
## 1. `devalue.parse` allows `__proto__` to be set
A string passed to `devalue.parse` could represent an object with a `__proto__` property, which...
npm
33 Dependabot PRs, 24% merged
GraphQL Armor Max-Depth Plugin Bypass via fragment caching
GHSA-224p-v68g-5g8f MODERATE 3 months ago
### Summary
A query depth restriction using the max-depth can be bypassed if `ignoreIntrospection` is enabled (which is the default configuration) ...
npm
No PRs yet
GraphQL Armor Max-Depth Plugin Bypass via Introspection Query Obfuscation
GHSA-hmfr-rx46-4jx2 MODERATE 3 months ago
### Summary
A query depth restriction using the `max-depth` property can be bypassed if `ignoreIntrospection` is enabled (which is the default conf...
npm
No PRs yet
jsPDF Denial of Service (DoS)
GHSA-8mvj-3j78-4qmw CVE-2025-57810 HIGH 3 months ago
### Impact
User control of the first argument of the addImage method results in CPU utilization and denial of service.
If given the possibility to...
npm
39 Dependabot PRs
request-filtering-agent SSRF Bypass via HTTPS Requests to 127.0.0.1
GHSA-pw25-c82r-75mm CVE-2025-57814 MODERATE 3 months ago
request-filtering-agent versions 1.x.x and earlier contain a vulnerability where HTTPS requests to 127.0.0.1 bypass IP address filtering, while HTT...
npm
No PRs yet
Liferay Portal Reflected XSS in CKeditor 4.21.0 endpoint
GHSA-3h7r-4xxj-3mfm CVE-2025-43761 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.4, 20...
maven, npm
No PRs yet
@musistudio/claude-code-router has improper CORS configuration
GHSA-8hmm-4crw-vm2c CVE-2025-57755 HIGH 4 months ago
### Impact
Due to improper Cross-Origin Resource Sharing (CORS) configuration, there is a risk that user API Keys or equivalent credentials may be ...
npm
No PRs yet
vite-plugin-static-copy files not included in `src` are possible to access with a crafted request
GHSA-pp7p-q8fx-2968 CVE-2025-57753 MODERATE 4 months ago
### Summary
Files not included in `src` were possible to access with a crafted request.
### Impact
Only apps explicitly exposing the Vite dev ser...
npm
6 Dependabot PRs
sha.js is missing type checks leading to hash rewind and passing on crafted data
GHSA-95m3-7q98-8xr5 CVE-2025-9288 CRITICAL 4 months ago
### Summary
This is the same as [GHSA-cpq7-6gpm-g9rc](https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc) but just ...
npm
5 Dependabot PRs
cipher-base is missing type checks, leading to hash rewind and passing on crafted data
GHSA-cpq7-6gpm-g9rc CVE-2025-9287 CRITICAL 4 months ago
### Summary
This affects e.g. `create-hash` (and `crypto-browserify`), so I'll describe the issue against that package
Also affects `create-hmac` ...
npm
No PRs yet
wong2 mcp-cli Command Injection Vulnerability
GHSA-p6rm-483j-37jf CVE-2025-9262 LOW 4 months ago
A flaw has been found in wong2 mcp-cli 1.13.0. Affected is the function redirectToAuthorization of the file /src/oauth/provider.js of the component...
npm
No PRs yet
x402 SDK vulnerable in outdated versions in resource servers for builders
GHSA-3j63-5h8p-gf7c HIGH 4 months ago
### Impact
There is a security vulnerability in outdated versions of the x402 SDK. This does not directly affect users' keys, smart contracts, or f...
npm
No PRs yet
n8n symlink traversal vulnerability in "Read/Write File" node allows access to restricted files
GHSA-ggjm-f3g4-rwmm CVE-2025-57749 MODERATE 4 months ago
### Impact
A symlink traversal vulnerability was discovered in the `Read/Write File` node in n8n. While the node attempts to restrict access to sen...
npm
No PRs yet
Directus allows unauthenticated file upload and file modification due to lacking input sanitization
GHSA-mv33-9f6j-pfmc CVE-2025-55746 CRITICAL 4 months ago
## Summary
A vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary conte...
npm
No PRs yet
elysia-cors Origin Validation Error
GHSA-f9qj-4c5x-cpcw CVE-2025-50864 MODERATE 4 months ago
An Origin Validation Error in the elysia-cors library through 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The ...
npm
No PRs yet
screenshot-desktop vulnerable to command Injection via `format` option
GHSA-gjx4-2c7g-fm94 CVE-2025-55294 CRITICAL 4 months ago
## Impact
This vulnerability is a **command injection** issue.
When user-controlled input is passed into the `format` option of the screenshot fu...
npm
No PRs yet
Mermaid improperly sanitizes sequence diagram labels leading to XSS
GHSA-7rqq-prvp-x9jh CVE-2025-54881 MODERATE 4 months ago
### Summary
In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to `innerHTML` during calcula...
npm
No PRs yet
Mermaid does not properly sanitize architecture diagram iconText leading to XSS
GHSA-8gwm-58g9-j8pw CVE-2025-54880 MODERATE 4 months ago
### Summary
In the default configuration of mermaid 11.9.0, user supplied input for architecture diagram icons is passed to the d3 `html()` method,...
npm
3 Dependabot PRs
Astro allows unauthorized third-party images in _image endpoint
GHSA-xf8x-j4p2-f749 CVE-2025-55303 MODERATE 4 months ago
### Summary
In affected versions of `astro`, the image optimization endpoint in projects deployed with on-demand rendering allows images from unau...
npm
No PRs yet
Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source
GHSA-hfmv-hhh3-43f2 CVE-2025-52478 HIGH 4 months ago
### Impact
A stored **Cross-Site Scripting (XSS)** vulnerability was identified in [n8n](https://github.com/n8n-io/n8n), specifically in the **For...
npm
No PRs yet
Claude Code's Permissive Default Allowlist Enables Unauthorized File Read and Network Exfiltration in Claude Code
GHSA-x5gv-jw7f-j6xj CVE-2025-55284 HIGH 4 months ago
Due to an overly broad allowlist of safe commands, it was possible to bypass the Claude Code confirmation prompts to read a file and then send file...
npm
No PRs yet
ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/users.js
GHSA-q4rg-7cjj-5r86 CVE-2025-9095 MODERATE 4 months ago
A cross-site scripting (XSS) issue exists in ExpressGateway up to 1.16.10 in the REST endpoint implemented in lib/rest/routes/users.js. User-contro...
npm
No PRs yet
ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/apps.js
GHSA-xfp8-x3j6-h67v CVE-2025-9096 MODERATE 4 months ago
A cross-site scripting (XSS) issue exists in ExpressGateway ≤ 1.16.10 in lib/rest/routes/apps.js. User-controlled data returned by the REST endpoin...
npm
No PRs yet
Template Secret leakage in logs in Scaffolder when using `fetch:template`
GHSA-3x3q-ghcp-whf7 CVE-2025-55285 LOW 4 months ago
A logging flaw in Backstage Scaffolder’s `fetch:template` action up to `@backstage/plugin-scaffolder-backend` **2.1.0** may write template secrets ...
npm
No PRs yet