Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,921
With Dependabot PRs: 1,820
Critical Severity: 3,520
High Severity: 8,659
mcp-server-kubernetes has potential security issue in exec_in_pod tool
GHSA-wvxp-jp4w-w8wg CVE-2025-66404 MODERATE 4 days ago
### Summary
A security issue exists in the `exec_in_pod` tool of the `mcp-server-kubernetes` MCP Server. The tool accepts user-provided commands in...
npm
No PRs yet
mdast-util-to-hast has unsanitized class attribute
GHSA-4fh9-h7wg-q85m CVE-2025-66400 MODERATE 5 days ago
### Impact
Multiple (unprefixed) classnames could be added in markdown source by using character references.
This could make rendered user supplie...
npm
1 Dependabot PR
Portkey.ai Gateway: Server-Side Request Forgery (SSRF) in Custom Host
GHSA-hhh5-2cvx-vmfp CVE-2025-66405 MODERATE 5 days ago
### Summary
The gateway determines the destination baseURL by prioritizing the value in the x-portkey-custom-host request header. The proxy route t...
npm
No PRs yet
fastify-reply-from affected by bypass of reply forwarding
GHSA-2q7r-29rg-6m5h CVE-2025-66415 MODERATE 5 days ago
### Summary
By crafting a malicious URL, an attacker could access routes that are not allowed, even though the `reply.from` is defined for specific...
npm
No PRs yet
Tryton sao allows XSS because it does not escape completion values
GHSA-6qj9-2g9m-29x9 CVE-2025-66421 MODERATE 7 days ago
Tryton sao (aka tryton-sao) before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0...
npm
No PRs yet
Tryton sao allows XSS via an HTML attachment
GHSA-xhgv-99mj-8m2x CVE-2025-66420 MODERATE 7 days ago
Tryton sao (aka tryton-sao) before 7.6.9 allows XSS via an HTML attachment. This is fixed in 7.6.9, 7.4.19, 7.0.38, and 6.0.67.
npm
No PRs yet
willitmerge has a Command Injection vulnerability
GHSA-j9wj-m24m-7jj6 CVE-2025-66219 MODERATE 10 days ago
willitmerge describes itself as a command line tool to check if pull requests are mergeable. There is a Command Injection vulnerability in version ...
npm
No PRs yet
node-forge is vulnerable to ASN.1 OID Integer Truncation
GHSA-65ch-62r8-g69g CVE-2025-66030 MODERATE 11 days ago
### Summary
**MITRE-Formatted CVE Description**
An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote,...
npm
1848 Dependabot PRs
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation
GHSA-675q-66gf-gqg8 CVE-2025-66028 MODERATE 11 days ago
### Summary
During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter ...
npm
No PRs yet
body-parser is vulnerable to denial of service when url encoding is used
GHSA-wqch-xfxh-vrr4 CVE-2025-13466 MODERATE 12 days ago
### Impact
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of param...
npm
405 Dependabot PRs
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`
GHSA-6465-jgvq-jhgp CVE-2025-65944 MODERATE 13 days ago
### Impact
In version 10.11.0, a change to how the SDK collects request data in Node.js applications caused certain incoming HTTP headers to be add...
npm
No PRs yet
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage
GHSA-3mm3-wfpv-q85g CVE-2025-63700 MODERATE 17 days ago
An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verifi...
npm
No PRs yet
zx Uses Incorrectly-Resolved Name or Reference
GHSA-w87r-vg9q-crqm CVE-2025-13437 MODERATE 17 days ago
When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error...
npm
No PRs yet
@perfood/couch-auth may expose session tokens, passwords
GHSA-62vx-hpcr-m9ch CVE-2025-60794 MODERATE 17 days ago
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts li...
npm
No PRs yet
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
GHSA-fvmw-cj7j-j39q CVE-2025-65019 MODERATE 18 days ago
**Summary**
A Cross-Site Scripting (XSS) vulnerability exists in Astro when using the **@astrojs/cloudflare** adapter with `output: 'server'`. Th...
npm
No PRs yet
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
GHSA-ggxq-hp9w-j794 CVE-2025-64765 MODERATE 18 days ago
A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validati...
npm
No PRs yet
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message
GHSA-7xvh-c266-cfr5 CVE-2025-64758 MODERATE 20 days ago
### Description
Since version 4.12.0, Dependency-Track users with the `SYSTEM_CONFIGURATION` permission can configure a "welcome message", which i...
npm
No PRs yet
Directus is Vulnerable to Stored Cross-site Scripting
GHSA-vv2v-pw69-8crf CVE-2025-64747 MODERATE 23 days ago
### Summary
A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject m...
npm
No PRs yet
Directus has Improper Permission Handling on Deleted Fields
GHSA-9x5g-62gj-wqf2 CVE-2025-64746 MODERATE 23 days ago
### Summary
Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later...
npm
No PRs yet
js-yaml has prototype pollution in merge (<<)
GHSA-mh29-5h37-fv8m CVE-2025-64718 MODERATE 23 days ago
### Impact
In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml doc...
npm
1 Dependabot PR
Directus Vulnerable to Information Leakage in Existing Collections
GHSA-cph6-524f-3hgr CVE-2025-64749 MODERATE 23 days ago
### Summary:
An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error...
npm
No PRs yet
Directus's conceal fields are searchable if read permissions enabled
GHSA-8jpw-gpr4-8cmh CVE-2025-64748 MODERATE 23 days ago
## Summary
A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values re...
npm
No PRs yet
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
GHSA-hr2q-hp5q-x767 CVE-2025-64525 MODERATE 23 days ago
## Summary
In impacted versions of Astro using [on-demand rendering](https://docs.astro.build/en/guides/on-demand-rendering/), request headers `x-...
npm
No PRs yet
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
GHSA-7cx5-254x-cgrq CVE-2025-64502 MODERATE 24 days ago
### Impact
The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning be...
npm
No PRs yet
Nuxt DevTools vulnerable to cross-site scripting (XSS)
GHSA-xmq3-q5pm-rp26 CVE-2025-52662 MODERATE about 1 month ago
A vulnerability in Nuxt DevTools has been fixed in version **2.6.4**. This issue may have allowed Nuxt auth token extraction via XSS under certain...
npm
No PRs yet
node-tar has a race condition leading to uninitialized memory exposure
GHSA-29xp-372q-xqph CVE-2025-64118 MODERATE about 1 month ago
### Summary
Using `.t` (aka `.list`) with `{ sync: true }` to read tar entry contents returns uninitialized memory contents if tar file was change...
npm
7 Dependabot PRs
NextAuthjs Email misdelivery Vulnerability
GHSA-5jpx-9hw9-2fx4 MODERATE about 1 month ago
### Summary
NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in `nodemail...
npm
No PRs yet
Hono vulnerable to Vary Header Injection leading to potential CORS Bypass
GHSA-q7jf-gf43-6x6p MODERATE about 1 month ago
### Summary
A flaw in the CORS middleware allowed request `Vary` headers to be reflected into the response, enabling attacker-controlled `Vary` v...
npm
6 Dependabot PRs
rollbar vulnerable to Prototype Pollution in merge()
GHSA-xcg2-9pp4-j82x CVE-2025-62517 MODERATE about 1 month ago
### Impact
Prototype pollution vulnerability in merge(). If application code calls `rollbar.configure()` with untrusted input, prototype pollution...
npm
No PRs yet
Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic
GHSA-g8mr-fgfg-5qpc CVE-2025-62595 MODERATE about 2 months ago
### Summary:
A bypass was discovered in the `Koa.js` framework affecting its back redirect functionality. In certain circumstances, an attacker ca...
npm
No PRs yet
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read
GHSA-vffh-c9pq-4crh MODERATE about 2 months ago
### Summary
In some Notification types (e.g., Webhook, Telegram), the `send()` function allows user-controlled renderTemplate input. This leads to...
npm
No PRs yet
vite allows server.fs.deny bypass via backslash on Windows
GHSA-93m4-6634-74q7 CVE-2025-62522 MODERATE about 2 months ago
### Summary
Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` wh...
npm
No PRs yet
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
GHSA-xvp7-8vm8-xfxx MODERATE about 2 months ago
### Summary
The GoCardless components in Actualbudget are logging responses to STDOUT in a parsed format using `console.log` and `console.debug` ...
npm
No PRs yet
Mammoth is vulnerable to Directory Traversal
GHSA-rmjr-87wv-gf87 CVE-2025-11849 MODERATE about 2 months ago
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the packa...
maven, npm, nuget, +1 more
No PRs yet
Strapi core vulnerable to sensitive data exposure via CORS misconfiguration
GHSA-9329-mxxw-qwf8 CVE-2025-53092 MODERATE about 2 months ago
### Summary
A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly refle...
npm
No PRs yet
Strapi Password Hashing is Missing Maximum Password Length Validation
GHSA-2cjv-6wg9-f4f3 CVE-2025-25298 MODERATE about 2 months ago
## Summary
Strapi's password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords ex...
npm
No PRs yet
Strapi is vulnerable to Insufficient Session Expiration
GHSA-4r8w-3jww-m2rp CVE-2025-3930 MODERATE about 2 months ago
Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker wh...
npm
No PRs yet
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
GHSA-9f2h-7v79-mxw3 CVE-2025-62374 MODERATE about 2 months ago
### Summary
Prototype pollution capabilities on various APIs.
### Details
Injection of malicious payload allows attacker to remotely execute arb...
npm
2 Dependabot PRs (50% merged)
CommandKit has incorrect command name exposure in context object for message command aliases
GHSA-fhwm-pc6r-4h2f CVE-2025-62378 MODERATE about 2 months ago
### Impact
A logic flaw exists in the message command handler of CommandKit that affects how the `commandName` property is exposed to both middlew...
npm
No PRs yet
QGIS QWC2 Cross-Site Scripting vulnerability
GHSA-gxp8-m5rq-3m38 CVE-2025-11183 MODERATE about 2 months ago
Cross-Site Scripting vulnerability in attribute table in QGIS QWC2 < 2025.08.14 allows an authorized attacker to plant arbitrary JavaScript code in...
npm
No PRs yet
Astro's `X-Forwarded-Host` is reflected without validation
GHSA-5ff5-9fcw-vg88 CVE-2025-61925 MODERATE about 2 months ago
### Summary
When running Astro in on-demand rendering mode using an adapter such as the node adapter it is possible to maliciously send an `X-Forwar...
npm
No PRs yet
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
GHSA-mm7p-fcc7-pg87 CVE-2025-13033 MODERATE 2 months ago
The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extra...
npm
No PRs yet
MCPHub has an Improper Authorization vulnerability via its handleSseConnection function
GHSA-v7c4-33vf-cqqq CVE-2025-11287 MODERATE 2 months ago
A vulnerability was identified in samanhappy MCPHub up to 0.9.10. This vulnerability affects the function handleSseConnection of the file src/servi...
npm
No PRs yet
Flowise Stored XSS vulnerability through logs in chatbot
GHSA-7r4h-vmj9-wg42 CVE-2025-29192 MODERATE 2 months ago
### Description
In the chat log, tags like input and form are allowed. This makes a potential vulnerability where an attacker could inject maliciou...
npm
No PRs yet
Flowise vulnerable to XSS
GHSA-4fr9-3x69-36wv MODERATE 2 months ago
### Summary
An XSS (cross-site scripting) vulnerability is caused by insufficient filtering of input by web applications. Attackers can leverage this...
npm
No PRs yet
validator.js has a URL validation bypass vulnerability in its isURL function
GHSA-9965-vmph-33xx CVE-2025-56200 MODERATE 2 months ago
A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses '://' as a delimiter to parse pro...
npm
968 Dependabot PRs
algoliasearch-helper is vulnerable to Prototype Pollution in _merge()
GHSA-529q-4j3p-7c5r CVE-2025-3193 MODERATE 2 months ago
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in mer...
npm
No PRs yet
express-xss-sanitizer has an unbounded recursion depth
GHSA-hvq2-wf92-j4f3 CVE-2025-59364 MODERATE 2 months ago
# Security Advisory: express-xss-sanitizer
## Overview
A vulnerability was discovered in express-xss-sanitizer that allowed unbounded recursion de...
npm
No PRs yet
lobe-chat has an Open Redirect
GHSA-xph5-278p-26qx CVE-2025-59426 MODERATE 2 months ago
### Description
Vulnerability Overview
The project's OIDC redirect handling logic constructs the host and protocol of the final red...
npm
No PRs yet
ts-fns has prototype pollution vulnerability
GHSA-g7wq-wggw-vmhg CVE-2025-57351 MODERATE 2 months ago
A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in t...
npm
No PRs yet