An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,842 Total Advisories
1,804 With Dependabot PRs
3,510 Critical Severity
8,633 High Severity

MCP Server Kubernetes vulnerable to command injection in several tools
GHSA-gjv4-ghm7-q58q CVE-2025-53355 HIGH 5 months ago
### Summary A command injection vulnerability exists in the `mcp-server-kubernetes` MCP Server. The vulnerability is caused by the unsanitized use...
npm
No PRs yet
Cloudflare Vite plugin exposes secrets over the built-in dev server
GHSA-4pfg-2mw5-f8jx CVE-2025-59427 MODERATE 5 months ago
### Summary Note: [originally posted on H1](https://hackerone.com/reports/3117837) but closed. Cross-posting over to here in abundance of caution ...
npm
No PRs yet
Node.js Sandbox MCP Server vulnerability can lead to Sandbox Escape via Command Injection
GHSA-5w57-2ccq-8w95 CVE-2025-53372 HIGH 5 months ago
### Summary A command injection vulnerability exists in the `node-code-sandbox-mcp` MCP Server. The vulnerability is caused by the unsanitized use...
npm
No PRs yet
Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes
GHSA-36rg-gfq2-3h56 CVE-2025-53535 LOW 5 months ago
### Summary An open redirect has been found in the `originCheck` middleware function, which affects the following routes: `/verify-email`, `/reset...
npm
No PRs yet
Next.JS vulnerability can lead to DoS via cache poisoning
GHSA-67rr-84xm-4c7r CVE-2025-49826 HIGH 5 months ago
### Summary A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug lea...
npm
No PRs yet
Next.js has a Cache poisoning vulnerability due to omission of the Vary header
GHSA-r2fc-ccr8-96c4 CVE-2025-49005 LOW 5 months ago
### Summary A cache poisoning issue in **Next.js App Router >=15.3.0 and < 15.3.3** may have allowed RSC payloads to be cached and served in place...
npm
No PRs yet
n8n is vulnerable to Improper Authorization through its `/stop` endpoint
GHSA-gq57-v332-7666 CVE-2025-52554 MODERATE 5 months ago
## Summary An authorization vulnerability was discovered in the `/rest/executions/:id/stop` endpoint of n8n. An authenticated user can stop workfl...
npm
No PRs yet
tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript
GHSA-q43x-79jr-cq98 CVE-2025-48939 MODERATE 5 months ago
A vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual `<scrip...
npm
No PRs yet
n8n Vulnerable to Denial of Service via Malformed Binary Data Requests
GHSA-pr9r-gxgp-9rm8 CVE-2025-49595 MODERATE 5 months ago
## Summary Denial of Service vulnerability in `/rest/binary-data` endpoint when processing empty filesystem URIs (`filesystem://` or `filesystem-v2...
npm
No PRs yet
@modelcontextprotocol/server-filesystem vulnerability allows for path validation bypass via colliding path prefix
GHSA-hc55-p739-j48w CVE-2025-53110 HIGH 5 months ago
Versions of Filesystem prior to 0.6.3 & 2025.7.1 could allow access to unintended files in cases where the prefix matches an allowed directory. Use...
npm
No PRs yet
@modelcontextprotocol/server-filesystem allows for path validation bypass via prefix matching and symlink handling
GHSA-q66q-fx2p-7w4m CVE-2025-53109 HIGH 5 months ago
Versions of Filesystem prior to 0.6.3 & 2025.7.1 could allow access to unintended files via symlinks within allowed directories. Users are advised ...
npm
No PRs yet
@cyanheads/git-mcp-server vulnerable to command injection in several tools
GHSA-3q26-f695-pp76 CVE-2025-53107 HIGH 5 months ago
### Summary A command injection vulnerability exists in the `git-mcp-server` MCP Server. The vulnerability is caused by the unsanitized use of inp...
npm
No PRs yet
Electron vulnerable to Heap Buffer Overflow in NativeImage
GHSA-6r2x-8pq8-9489 CVE-2024-46993 MODERATE 5 months ago
### Impact The `nativeImage.createFromPath()` and `nativeImage.createFromBuffer()` functions call a function downstream that is vulnerable to a hea...
npm
No PRs yet
string-math's string-math.js vulnerability can cause Regex Denial of Service (ReDoS)
GHSA-994j-5c83-r424 CVE-2025-45143 LOW 5 months ago
string-math v1.2.2 was discovered to contain a Regex Denial of Service (ReDoS) which is exploited via a crafted input.
npm
No PRs yet
electron ASAR Integrity bypass by just modifying the content
GHSA-xw5q-g62x-2qjc CVE-2024-46992 HIGH 5 months ago
electron's ASAR Integrity can be bypassed by modifying the content. ### Impact This only impacts apps that have the `embeddedAsarIntegrityValidation...
npm
No PRs yet
tiny-secp256k1 allows for verify() bypass when running in bundled environment
GHSA-5vhg-9xg4-cv9m CVE-2024-49365 HIGH 5 months ago
### Summary A malicious JSON-stringifyable message can be made passing on `verify()`, when global Buffer is [`buffer` package](https://www.npmjs.c...
npm
No PRs yet
tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment
GHSA-7mc2-6phr-23xc CVE-2024-49364 HIGH 5 months ago
### Summary Private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is [`buffer` package](https://www.np...
npm
No PRs yet
Taylor has race condition in /get-patch that allows purchase token replay
GHSA-vh5j-5fhq-9xwg LOW 5 months ago
Hi team, I was looking at the recent fix and you limited the exploitability of race conditions but unfortunately it is still possible to exploit t...
npm
No PRs yet
n8n allows open redirects via the /signin endpoint
GHSA-5vj6-wjr7-5v9f CVE-2025-49592 MODERATE 5 months ago
### Impact This is an Open Redirect (CWE-601) vulnerability in the login flow of n8n. Authenticated users can be redirected to untrusted, attacker...
npm
No PRs yet
iOS Simulator MCP Command Injection allowed via exec API
GHSA-6f6r-m9pv-67jw CVE-2025-52573 MODERATE 5 months ago
# Command Injection in MCP Server The MCP Server at https://github.com/joshuayoes/ios-simulator-mcp/ is written in a way that is vulnerable to com...
npm
No PRs yet
Snyk CLI Insertion of Sensitive Information into Log File allowed in DEBUG or DEBUG/TRACE mode
GHSA-6hwc-9h8r-3vmf CVE-2025-6624 LOW 5 months ago
Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through local Snyk CLI debug logs. ...
go npm
No PRs yet
pbkdf2 silently disregards Uint8Array input, returning static keys
GHSA-v62p-rq8g-8h59 CVE-2025-6547 CRITICAL 5 months ago
### Summary On historic but declared as supported Node.js versions (0.12-2.x), pbkdf2 silently disregards Uint8Array input. This only affects Node...
npm
2 Dependabot PRs (50% merged)
pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
GHSA-h7cp-r72f-jxh6 CVE-2025-6545 CRITICAL 5 months ago
### Summary This affects both: 1. Unsupported algos (e.g. `sha3-256` / `sha3-512` / `sha512-256`) 2. Supported but non-normalized algos (e.g. `S...
npm
2 Dependabot PRs (50% merged)
Claude Code Improper Authorization via websocket connections from arbitrary origins
GHSA-9f65-56v6-gxw7 CVE-2025-52882 HIGH 5 months ago
Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) ...
npm
No PRs yet
Taylored webhook validation vulnerabilities
GHSA-8g98-m4j9-qww5 CRITICAL 6 months ago
### Critical Security Advisory for Taylored npm package v7.0.7 - tag 7.0.5 #### Summary A series of moderate to high-severity security vulnerabil...
npm
No PRs yet
OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer
GHSA-2hw3-h8qx-hqqp CVE-2025-50183 MODERATE 6 months ago
XSS via `.py` file containing script tag interpreted as HTML ## Summary A vulnerability exists in the file preview/browsing feature of the applic...
npm
No PRs yet
OpenNext for Cloudflare (opennextjs-cloudflare) has a SSRF vulnerability via /_next/image endpoint
GHSA-rvpw-p7vw-wj3m CVE-2025-6087 HIGH 6 months ago
A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplem...
npm
No PRs yet
MCP Inspector proxy server lacks authentication between the Inspector client and proxy
GHSA-7f8r-222p-6f5g CVE-2025-49596 CRITICAL 6 months ago
Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy...
npm
No PRs yet
pg-promise SQL Injection vulnerability
GHSA-ff9h-848c-4xfj CVE-2025-29744 MODERATE 6 months ago
pg-promise before 11.5.5 is vulnerable to SQL Injection due to improper handling of negative numbers.
npm
No PRs yet
@nx/azure-cache Vulnerable to Build Cache Poisoning via Untrusted Pull Requests
GHSA-rrr2-jcr8-7q3x CVE-2025-36852 CRITICAL 6 months ago
A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache (such as those usi...
npm
No PRs yet
Erxes Path Traversal vulnerability
GHSA-2977-5php-6789 CVE-2024-57189 MODERATE 6 months ago
In Erxes <1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCr...
npm
No PRs yet
Erxes Path Traversal vulnerability
GHSA-rq9r-qvwg-829q CVE-2024-57186 HIGH 6 months ago
In Erxes <1.6.2, an unauthenticated attacker can read arbitrary files from the system using a Path Traversal vulnerability in the /read-file endpoi...
npm
No PRs yet
Erxes Incorrect Access Control vulnerability
GHSA-7rhv-xm4q-wh42 CVE-2024-57190 HIGH 6 months ago
Erxes <1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any u...
npm
No PRs yet
@vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability
GHSA-79vf-hf9f-j9q8 CVE-2025-5897 MODERATE 6 months ago
A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file...
npm
No PRs yet
taro-css-to-react-native Regular Expression Denial of Service vulnerability
GHSA-f5xg-cfpj-2mw6 CVE-2025-5896 MODERATE 6 months ago
A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro...
npm
No PRs yet
pm2 Regular Expression Denial of Service vulnerability
GHSA-x5gf-qvw8-r2rm CVE-2025-5891 LOW 6 months ago
A vulnerability classified as problematic was found in Unitech pm2 up to 6.0.8. This vulnerability affects unknown code of the file /lib/tools/Conf...
npm
No PRs yet
brace-expansion Regular Expression Denial of Service vulnerability
GHSA-v6h2-p8h4-qcjw CVE-2025-5889 LOW 6 months ago
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue ...
npm
19 Dependabot PRs (52% merged)
HaxCMS-PHP Command Injection Vulnerability
GHSA-g4cf-pp4x-hqgw CVE-2025-49141 HIGH 6 months ago
### Summary The 'gitImportSite' functionality obtains a URL string from a POST request and insufficiently validates user input. The 'set_remote' fu...
npm
No PRs yet
@haxtheweb/haxcms-nodejs Iframe Phishing vulnerability
GHSA-v3ph-2q5q-cg88 CVE-2025-49139 MODERATE 6 months ago
### Summary In the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a t...
npm
No PRs yet
react-native-keys insecurely stores encryption cipher and Base64 chunks
GHSA-fj44-h6xw-896g CVE-2025-45001 HIGH 6 months ago
react-native-keys 0.7.11 is vulnerable to sensitive information disclosure (remote) as encryption cipher and Base64 chunks are stored as plaintext ...
npm
No PRs yet
Multer vulnerable to Denial of Service via unhandled exception
GHSA-g5hg-p3ph-g8qg CVE-2025-48997 HIGH 6 months ago
### Impact A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload f...
npm
3696 Dependabot PRs (21% merged)
Unauthenticated Disclosure of PSU HAX CMS Site Listings via haxPsuUsage API Endpoint
GHSA-fvx2-x7ff-fc56 CVE-2025-48996 MODERATE 6 months ago
### Summary An **unauthenticated information disclosure vulnerability** exists in the PSU deployment of HAX CMS via the `haxPsuUsage` API endpoint....
npm
No PRs yet
NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies
GHSA-f3fg-mf2q-fj3f CVE-2025-48947 HIGH 6 months ago
**Overview** In Auth0 Next.js SDK versions 4.0.1 to 4.6.0, __session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Con...
npm
27 Dependabot PRs (19% merged)
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
GHSA-9jgg-88mc-972h CVE-2025-30360 MODERATE 6 months ago
### Summary Source code may be stolen when you access a malicious web site with non-Chromium based browser. ### Details The `Origin` header is che...
npm
No PRs yet
webpack-dev-server users' source code may be stolen when they access a malicious web site
GHSA-4v9v-hfq4-rm2v CVE-2025-30359 MODERATE 6 months ago
### Summary Source code may be stolen when you access a malicious web site. ### Details Because the request for classic script by a script tag is ...
npm
No PRs yet
AngularJS Incomplete Filtering of Special Elements vulnerability
GHSA-4p4w-6hg8-63wx CVE-2025-2336 MODERATE 6 months ago
Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS's 'ngSanitize' module allows at...
npm
No PRs yet
billboard.js allows prototype pollution via the function generate
GHSA-65p9-j6pg-72hj CVE-2025-49223 CRITICAL 6 months ago
billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitr...
npm
No PRs yet
tar-fs can extract outside the specified dir with a specific tarball
GHSA-8cj5-5rvv-wf4v CVE-2025-48387 HIGH 6 months ago
### Impact v3.0.8, v2.1.2, v1.16.4 and below ### Patches Has been patched in 3.0.9, 2.1.3, and 1.16.5 ### Workarounds You can use the ignore opt...
npm
No PRs yet
Markdownify MCP Server allows Server-Side Request Forgery (SSRF) via the Markdownify.get() function
GHSA-frq9-3hp2-xvxg CVE-2025-5276 MODERATE 6 months ago
All versions of the package mcp-markdownify-server are vulnerable to Server-Side Request Forgery (SSRF) via the Markdownify.get() function. An atta...
npm
No PRs yet
Markdownify MCP Server allows attackers to read arbitrary files
GHSA-22v8-p7h2-rj7p CVE-2025-5273 MODERATE 6 months ago
All versions of the package mcp-markdownify-server are vulnerable to Files or Directories Accessible to External Parties via the get-markdown-file ...
npm
No PRs yet