An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total advisories: 24,842
With Dependabot PRs: 1,801
Critical severity: 3,510
High severity: 8,633


Information exposure in Next.js dev server due to lack of origin verification
GHSA-3h52-269p-cp9r CVE-2025-48068 LOW 6 months ago
Summary: A low-severity vulnerability in **Next.js** has been fixed in **version 15.2.2**. This issue may have allowed limited source code expos...
npm | No PRs yet

auth-js Vulnerable to Insecure Path Routing from Malformed User Input
GHSA-8r88-6cj9-9fh5 CVE-2025-48370 LOW 6 months ago
Impact: The library functions `getUserById`, `deleteUser`, `updateUserById`, `listFactors` and `deleteFactor` did not require the user supplied ...
npm | 7 Dependabot PRs | 14% merged

Strapi allows Server-Side Request Forgery in Webhook function
GHSA-v8wj-f5c7-pvxf CVE-2024-52588 MODERATE 6 months ago
Description: In Strapi latest version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webhook con...
npm | No PRs yet

radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
GHSA-2xv9-ghh9-xc69 CVE-2025-48054 MODERATE 6 months ago
Impact: This is a prototype pollution vulnerability. It impacts users of the `set` function within the Radashi library. If an attacker can cont...
npm | No PRs yet

Marked allows Regular Expression Denial of Service (ReDoS) attacks
GHSA-p9wx-2529-fp83 CVE-2018-25110 MODERATE 6 months ago
Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several r...
npm | No PRs yet

samlify SAML Signature Wrapping attack
GHSA-r683-v43c-6xqv CVE-2025-47949 CRITICAL 7 months ago
A Signature Wrapping attack has been found in samlify <v2.10.0, allowing an attacker to forge a SAML Response to authenticate as any user. An atta...
npm | 11 Dependabot PRs | 18% merged

Multer vulnerable to Denial of Service from maliciously crafted requests
GHSA-4pg4-qvpc-4q3h CVE-2025-47944 HIGH 7 months ago
Impact: A vulnerability in Multer versions >=1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-pa...
npm | 3800 Dependabot PRs | 21% merged

Multer vulnerable to Denial of Service via memory leaks from unclosed streams
GHSA-44fp-w29j-9vj5 CVE-2025-47935 HIGH 7 months ago
Impact: Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request strea...
npm | 4218 Dependabot PRs | 21% merged

OpenPGP.js's message signature verification can be spoofed
GHSA-8qff-qr5q-5pr8 CVE-2025-47934 HIGH 7 months ago
Impact: A maliciously modified message can be passed to either `openpgp.verify` or `openpgp.decrypt`, causing these functions to return a valid ...
npm | 131 Dependabot PRs | 22% merged

Cocotais Bot has builtin .echo command injection
GHSA-mj2c-8hxf-ffvq CVE-2025-47948 MODERATE 7 months ago
Summary: A command echoing feature in the framework allows users to indirectly trigger privileged behavior by injecting special platform tags....
npm | No PRs yet

lockfile-lint-api Vulnerable to Incorrect Behavior Order
GHSA-7cfr-5cjf-32p4 CVE-2025-4759 MODERATE 7 months ago
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of t...
npm | No PRs yet

Meteor Affected By Inefficient Regular Expression Complexity
GHSA-j3v9-6gc7-vf5f CVE-2025-4727 MODERATE 7 months ago
A vulnerability was found in Meteor up to 3.2.1 and classified as problematic. This issue affects the function Object.assign of the file packages/d...
npm | 164 Dependabot PRs | 21% merged

Bootstrap Vulnerable to Cross-Site Scripting in its Popover and Tooltip Components
GHSA-q58r-hwc8-rm9j CVE-2025-1647 MODERATE 7 months ago
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting ...
npm | No PRs yet

undici Denial of Service attack via bad certificate data
GHSA-cxrh-j4jr-qwg3 CVE-2025-47279 LOW 7 months ago
Impact: Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certifi...
npm | 146 Dependabot PRs | 21% merged

Next.js Race Condition to Cache Poisoning
GHSA-qpjv-v59x-3qc4 CVE-2025-32421 LOW 7 months ago
Summary: We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue...
npm | No PRs yet

Bootstrap Multiselect Vulnerable to CSRF and Reflective XSS via Arbitrary POST Data
GHSA-gv5r-9gxr-v74w CVE-2025-47204 MODERATE 7 months ago
An issue was discovered in post.php in bootstrap-multiselect (aka Bootstrap Multiselect) 1.1.2. A PHP script in the source code echoes arbitrary PO...
npm | No PRs yet

@lumieducation/h5p-server Fails to Sanitize Plain Text Strings
GHSA-m7gm-v253-56hh CVE-2025-47828 MODERATE 7 months ago
Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings.
npm | No PRs yet

code-server's session cookie can be extracted by having user visit specially crafted proxy URL
GHSA-p483-wpfp-42cj CVE-2025-47269 HIGH 7 months ago
Summary: A maliciously crafted URL using the `proxy` subpath can result in the attacker gaining access to the session token. Details: Fail...
npm | No PRs yet

Trix vulnerable to Cross-site Scripting on copy & paste
GHSA-mcrw-746g-9q8h CVE-2025-46812 LOW 7 months ago
Impact: The Trix editor, in versions prior to 2.1.15, is vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user ...
npm | 119 Dependabot PRs | 34% merged

Passport-wsfed-saml2 allows SAML Authentication Bypass via Attribute Smuggling
GHSA-8gqj-226h-gm8r CVE-2025-46573 HIGH 7 months ago
Overview: This vulnerability allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This...
npm | No PRs yet

Passport-wsfed-saml2 allows SAML Authentication Bypass via Signature Wrapping
GHSA-wjmp-wphq-jvqf CVE-2025-46572 CRITICAL 7 months ago
Overview: This vulnerability allows an attacker to impersonate any user during SAML authentication by crafting a SAMLResponse. This can be done ...
npm | No PRs yet

@misskey-dev/summaly allows IP Filter Bypass via Redirect
GHSA-jqx4-9gpq-rppm MODERATE 7 months ago
Summary: Due to a validation error in `got.scpaping`, it is possible to use an HTTP redirect to avoid IP filtering. Details: In `got.scpapin...
npm | 7 Dependabot PRs

Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields
GHSA-hg9m-67mm-7pg3 CVE-2025-46720 LOW 7 months ago
Summary: `{field}.isFilterable` access control can be bypassed in `update` and `delete` mutations by adding additional unique filters. These fil...
npm | No PRs yet

@misskey-dev/summaly Redirect Filter Bypass
GHSA-7899-w6c4-vqc4 CVE-2025-46553 LOW 7 months ago
Summary: A logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, isn...
npm | 7 Dependabot PRs

Information Disclosure via Flags override link
GHSA-892p-pqrr-hxqr CVE-2025-46332 MODERATE 7 months ago
Summary: An information disclosure vulnerability affecting Flags SDK has been addressed. It impacted `flags` ≤3.2.0 and `@vercel/flags` ≤3.1.1 a...
npm | No PRs yet

@cloudflare/workers-oauth-provider PKCE bypass via downgrade attack
GHSA-qgp8-v765-qxx9 CVE-2025-4144 MODERATE 7 months ago
Summary: PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of [MCP framework](https://github.com/cloudflar...
npm | No PRs yet

@cloudflare/workers-oauth-provider missing validation of redirect_uri on authorize endpoint
GHSA-4pc9-x2fx-p7vj CVE-2025-4143 MODERATE 7 months ago
Summary: The OAuth implementation failed to check that redirect_uri was among the allowed set for the client_id. Impact: Under certain circu...
npm | No PRs yet

Vite's server.fs.deny bypassed with /. for files under project root
GHSA-859w-5945-r5v3 CVE-2025-46565 MODERATE 7 months ago
Summary: The contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching patt...
npm | 2 Dependabot PRs

Homograph attack allows Unicode lookalike characters to bypass validation.
GHSA-xq7p-g2vc-g82p CVE-2025-27611 HIGH 7 months ago
Impact: Attackers can deceive users into sending funds to an unintended address. Patches: https://github.com/cryptocoinjs/base-x/pull/86
npm | No PRs yet

Auth0 NextJS SDK v4 Missing Session Invalidation
GHSA-pjr6-jx7r-j4r6 CVE-2025-46344 MODERATE 7 months ago
Overview: Auth0 NextJS `v4.0.1` to `v4.5.0` does not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the J...
npm | No PRs yet

AngularJS improperly sanitizes SVG elements
GHSA-j58c-ww9w-pwp5 CVE-2025-0716 LOW 7 months ago
Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS allows attackers to bypass comm...
npm | No PRs yet

@account-kit/smart-contracts Allowlist Module Bypass Vulnerability
GHSA-wfm2-rq5g-f8v5 MODERATE 7 months ago
Summary: Allowlist module contains a bypass vulnerability. Details: The logic for using an allowlist on a Modular Account V2 contained a bug ...
npm | No PRs yet

n8n Vulnerable to Stored XSS through Attachments View Endpoint
GHSA-c8hm-hr8h-5xjw CVE-2025-46343 MODERATE 7 months ago
Impact: n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there was no restriction on the MI...
npm | No PRs yet

NodeJS Driver for Snowflake has race condition when checking access to Easy Logging configuration file
GHSA-wmjq-jrm2-9wfr CVE-2025-46328 LOW 7 months ago
Issue: Snowflake discovered and remediated a vulnerability in the NodeJS Driver for Snowflake (“Driver”). When using the Easy Logging feature on L...
npm | 23 Dependabot PRs

Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content
GHSA-75v8-2h7p-7m2m CVE-2025-46653 LOW 7 months ago
Formidable (aka node-formidable) 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable c...
npm | 11 Dependabot PRs

GraphQL Armor Cost-Limit Plugin Bypass via Introspection Query Obfuscation
GHSA-733v-p3h5-qpq7 MODERATE 7 months ago
Summary: A query cost restriction using the `cost-limit` can be bypassed if `ignoreIntrospection` is enabled (which is the default configuration...
npm | 1 Dependabot PR

React Router allows pre-render data spoofing on React-Router framework mode
GHSA-cpj6-fhp6-mr6j CVE-2025-43865 HIGH 7 months ago
Summary: After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to compl...
npm | No PRs yet

React Router allows a DoS via cache poisoning by forcing SPA mode
GHSA-f46r-rw29-r322 CVE-2025-43864 HIGH 7 months ago
Summary: After some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. I...
npm | No PRs yet

tRPC 11 WebSocket DoS Vulnerability
GHSA-pj3v-9cm8-gvj8 CVE-2025-43855 HIGH 7 months ago
Summary: An unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthent...
npm | No PRs yet

PostHog Plugin Server SQL Injection Vulnerability
GHSA-v64v-fq96-c5wv CVE-2025-1520 HIGH 7 months ago
PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execu...
npm | No PRs yet

pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting
GHSA-8cc4-rfj6-fhg4 CVE-2024-47829 MODERATE 7 months ago
The path shortening function is used in pnpm: `export function depPathToFilename (depPath: string, maxLengthWithoutHash: number): string { let...`
npm | No PRs yet

Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2
GHSA-33qr-m49q-rxfx CVE-2025-32965 CRITICAL 7 months ago
Impact: Versions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys. If...
npm | No PRs yet

QMarkdown Cross-Site Scripting (XSS) vulnerability
GHSA-wm65-ph3w-587c CVE-2025-43954 MODERATE 8 months ago
QMarkdown (aka quasar-ui-qmarkdown) before 2.0.5 allows XSS via headers even when no-html is set.
npm | No PRs yet

ses's global contour bindings leak into Compartment lexical scope
GHSA-h9w6-f932-gq62 CVE-2025-32792 HIGH 8 months ago
Impact: Web pages and web extensions using `ses` and the `Compartment` API to evaluate third-party code in an isolated execution environment th...
npm | No PRs yet

Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
GHSA-mg2h-6x62-wpwc CVE-2025-32442 HIGH 8 months ago
Impact: In applications that specify different validation strategies for different content types, it's possible to bypass the validation by pro...
npm | 351 Dependabot PRs | 14% merged

Permission policy information leakage in Backstage permission system
GHSA-f8j4-p5cr-p777 CVE-2025-32791 MODERATE 8 months ago
Impact: A vulnerability in the Backstage permission plugin backend allows callers to extract some information about the conditional decisions r...
npm | No PRs yet

aws-cdk-lib's aspect order change causes different Permissions Boundary assigned to Role
GHSA-qc59-cxj2-c2w4 LOW 8 months ago
Summary: The [AWS Cloud Development Kit (AWS CDK)](https://aws.amazon.com/cdk/) is an open-source software development framework for defining c...
npm | No PRs yet

jquery-validation vulnerable to Cross-site Scripting
GHSA-rrj2-ph5q-jxw2 CVE-2025-3573 MODERATE 8 months ago
Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take in...
npm | No PRs yet

http-proxy-middleware can call writeBody twice because "else if" is not used
GHSA-4www-5p9h-95mh CVE-2025-32996 MODERATE 8 months ago
In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.
npm | No PRs yet

http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed
GHSA-9gqv-wp59-fq42 CVE-2025-32997 MODERATE 8 months ago
In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.
npm | No PRs yet