Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,784
With Dependabot PRs: 1,790
Critical Severity: 3,506
High Severity: 8,617
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client
GHSA-58c5-g7wp-6w37 CVE-2025-66035 HIGH about 19 hours ago
The vulnerability is a **Credential Leak by App Logic** that leads to the **unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token*...
npm
No PRs yet
Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
GHSA-wmjr-v86c-m9jj LOW about 20 hours ago
## Summary
- Vulnerable component: `multi-session` plugin’s `/sign-out` after-hook (`packages/better-auth/src/plugins/multi-session/index.ts`)
- Is...
npm
No PRs yet
willitmerge has a Command Injection vulnerability
GHSA-j9wj-m24m-7jj6 MODERATE about 20 hours ago
willitmerge describes itself as a command line tool to check if pull requests are mergeable. There is a Command Injection vulnerability in version ...
npm
No PRs yet
node-forge has ASN.1 Unbounded Recursion
GHSA-554w-wpv2-vw27 CVE-2025-66031 HIGH about 20 hours ago
### Summary
An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to ...
npm
1080
Dependabot PRs
node-forge is vulnerable to ASN.1 OID Integer Truncation
GHSA-65ch-62r8-g69g CVE-2025-66030 MODERATE about 20 hours ago
### Summary
**MITRE-Formatted CVE Description**
An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote,...
npm
1080
Dependabot PRs
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
GHSA-5gfm-wpxj-wjgq CVE-2025-12816 HIGH about 20 hours ago
### Summary
CVE-2025-12816 has been reserved by CERT/CC
**Description**
An Interpretation Conflict (CWE-436) vulnerability in node-forge versions...
npm
1080
Dependabot PRs
Valibot has a ReDoS vulnerability in `EMOJI_REGEX`
GHSA-vqpr-j7v3-hqw9 CVE-2025-66020 HIGH about 22 hours ago
### Summary
The `EMOJI_REGEX` used in the `emoji` action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciou...
npm
No PRs yet
OneUptime Unauthorized User Creation via API
GHSA-m449-vh5f-574g CVE-2025-65966 HIGH about 22 hours ago
### Summary
A low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface.
### ...
npm
No PRs yet
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation
GHSA-675q-66gf-gqg8 CVE-2025-66028 MODERATE 2 days ago
### Summary
During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter ...
npm
No PRs yet
Better Auth Passkey Plugin allows passkey deletion through IDOR
GHSA-4vcf-q4xf-f48m HIGH 2 days ago
# Summary
Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using `...
npm
No PRs yet
body-parser is vulnerable to denial of service when url encoding is used
GHSA-wqch-xfxh-vrr4 CVE-2025-13466 MODERATE 2 days ago
### Impact
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of param...
npm
283
Dependabot PRs
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`
GHSA-6465-jgvq-jhgp CVE-2025-65944 MODERATE 3 days ago
### Impact
In version 10.11.0, a change to how the SDK collects request data in Node.js applications caused certain incoming HTTP headers to be add...
npm
No PRs yet
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage
GHSA-3mm3-wfpv-q85g CVE-2025-63700 MODERATE 7 days ago
An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verifi...
npm
No PRs yet
authkit-nextjs may let session cookies be cached in CDNs
GHSA-p8pf-44ff-93gf CVE-2025-64762 HIGH 7 days ago
In `authkit-nextjs` version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN cach...
npm
No PRs yet
@anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
GHSA-7mv8-j34q-vp7q CVE-2025-64755 HIGH 7 days ago
Due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host sys...
npm
No PRs yet
zx Uses Incorrectly-Resolved Name or Reference
GHSA-w87r-vg9q-crqm CVE-2025-13437 MODERATE 7 days ago
When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error...
npm
No PRs yet
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
GHSA-547r-qmjm-8hvw CVE-2025-65108 CRITICAL 7 days ago
### Summary
A Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code ...
npm
No PRs yet
@hpke/core reuses AEAD nonces
GHSA-73g8-5h73-26h4 CVE-2025-64767 CRITICAL 7 days ago
### Summary
The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls....
npm
2
Dependabot PRs
@perfood/couch-auth may expose session tokens, passwords
GHSA-62vx-hpcr-m9ch CVE-2025-60794 MODERATE 7 days ago
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts li...
npm
No PRs yet
Claude Code vulnerable to command execution prior to startup trust dialog
GHSA-5hhx-v7f6-x7gv CVE-2025-65099 HIGH 8 days ago
When running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins befor...
npm
No PRs yet
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
GHSA-fvmw-cj7j-j39q CVE-2025-65019 MODERATE 8 days ago
**Summary**
A Cross-Site Scripting (XSS) vulnerability exists in Astro when using the **@astrojs/cloudflare** adapter with `output: 'server'`. Th...
npm
No PRs yet
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
GHSA-ggxq-hp9w-j794 CVE-2025-64765 MODERATE 8 days ago
A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validati...
npm
No PRs yet
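The Astro entry above describes middleware that reads `url.pathname` for an authorization decision while the router matches a decoded and normalized form of the same path. The example below is added here and is not Astro's code: it shows a prefix check on the raw pathname beside a check on a canonicalized path, and how percent-encoded letters and dot segments affect each. The `/admin` prefix and the sample paths are constructed for the example; the right fix in a real app is to compare against the same normalized path the framework's router uses.

```javascript
// Added example, not Astro's code. Canonicalizes a request pathname before an authorization check.
function normalizePath(pathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch {
    return null;                       // malformed percent-escape: fail closed
  }
  if (decoded.includes('%')) return null; // escapes left after one decode (double encoding): fail closed
  const out = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;   // collapses // and /./
    if (seg === '..') { out.pop(); continue; } // resolves dot-dot against the segments seen so far
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Vulnerable: a plain prefix test on the raw pathname. '/%61dmin' and '/x/../admin' do not
// start with '/admin' even though the router will serve them as /admin.
function isProtectedNaive(pathname) {
  return pathname.startsWith('/admin');
}

// Hardened: canonicalize first, deny anything that cannot be canonicalized, and match on
// whole segments so '/administrator' is not mistaken for the admin area.
function isProtectedSafe(pathname) {
  const p = normalizePath(pathname);
  if (p === null) return true;
  return p === '/admin' || p.startsWith('/admin/');
}

// Side-by-side verdicts for a path, useful when reviewing a middleware rule.
function verdicts(pathname) {
  return { naive: isProtectedNaive(pathname), safe: isProtectedSafe(pathname) };
}
```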
Astro vulnerable to reflected XSS via the server islands feature
GHSA-wrwg-2hg8-v723 CVE-2025-64764 HIGH 8 days ago
## Summary
After some research it appears that it is possible to obtain a reflected XSS when the server islands feature is used in the targeted app...
npm
No PRs yet
Astro Development Server has Arbitrary Local File Read
GHSA-x3h8-62x9-952g CVE-2025-64757 LOW 8 days ago
### Summary
A vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through th...
npm
No PRs yet
Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)
GHSA-v5w9-prxf-w882 HIGH 10 days ago
### Summary
An unauthenticated attacker can exploit the unprotected registration endpoint (/register) to create a new user and bypass authenticatio...
npm
No PRs yet
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message
GHSA-7xvh-c266-cfr5 CVE-2025-64758 MODERATE 10 days ago
### Description
Since version 4.12.0, Dependency-Track users with the `SYSTEM_CONFIGURATION` permission can configure a "welcome message", which i...
npm
No PRs yet
glob CLI: Command injection via -c/--cmd executes matches with shell:true
GHSA-5j98-mcp5-4vw2 CVE-2025-64756 HIGH 10 days ago
### Summary
The glob CLI contains a command injection vulnerability in its `-c/--cmd` option that allows arbitrary command execution when processi...
npm
832
Dependabot PRs
Apollo Federation has Improper Enforcement of Access Control on Transitive Fields
GHSA-m8jr-fxqx-8xx6 HIGH 13 days ago
# Summary
A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through `@requires` and/...
npm
No PRs yet
Directus is Vulnerable to Stored Cross-site Scripting
GHSA-vv2v-pw69-8crf CVE-2025-64747 MODERATE 13 days ago
### Summary
A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject m...
npm
No PRs yet
Directus has Improper Permission Handling on Deleted Fields
GHSA-9x5g-62gj-wqf2 CVE-2025-64746 MODERATE 13 days ago
### Summary
Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later...
npm
No PRs yet
Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change
GHSA-fjh6-8679-9pch HIGH 13 days ago
### Summary
Bypass of Password Confirmation - Unverified Password Change (authenticated change without current password)
An authenticated user is ...
npm
No PRs yet
Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)
GHSA-x39m-3393-3qp4 HIGH 13 days ago
### Summary
Unverified Email Change - Email as part of Credential / Unverified Account Recovery Channel Change
The application allows changing the...
npm
No PRs yet
Flowise Fails to Invalidate Existing Sessions After Password Changes
GHSA-x7rp-qj2h-ghgw HIGH 13 days ago
### Summary
Failure to Invalidate Existing Sessions After Password Change (Persistent Session / Session Invalidity Failure).
### Details
After a u...
npm
No PRs yet
expr-eval vulnerable to Prototype Pollution
GHSA-8gw3-rxh4-v6jx CVE-2025-13204 HIGH 13 days ago
npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to the expression eval interface can use JavaScript prototype-based ...
npm
No PRs yet
@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields
GHSA-mx7m-j9xf-62hw CVE-2025-64530 HIGH 13 days ago
# Summary
A vulnerability in Apollo Federation's composition logic allowed some queries to Apollo Router to improperly bypass access controls on ty...
npm
No PRs yet
js-yaml has prototype pollution in merge (<<)
GHSA-mh29-5h37-fv8m CVE-2025-64718 MODERATE 13 days ago
### Impact
In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml doc...
npm
No PRs yet
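The js-yaml entry directly above (the `<<` merge key copying a mapping into the current one) and the expr-eval entry earlier on this page are both prototype pollution. The example below is added here and is not code from either project: it implements the kind of recursive merge a merge key performs, once without and once with a guard on prototype-reaching keys, plus a scanner that lists such keys in an already-parsed document. The attacker document is constructed (given as JSON so `JSON.parse` yields an own `__proto__` property, as a YAML parser would), and the demonstration cleans `Object.prototype` up after itself.

```javascript
// Added example, not js-yaml's or expr-eval's code.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable merge: for key '__proto__', target[key] resolves to Object.prototype, so the
// recursive call writes the attacker's properties onto every object in the process.
function deepMergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepMergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: skip keys that reach the prototype chain, and only descend into
// objects the target actually owns.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      deepMergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Scanner for untrusted parsed documents: returns dotted paths of every unsafe key.
function findUnsafeKeys(value, path = '', out = []) {
  if (!isPlainObject(value)) return out;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) out.push(here);
    findUnsafeKeys(value[key], here, out);
  }
  return out;
}

// Runs a merge over the constructed attacker document and reports whether a brand-new,
// unrelated object now carries the injected property. Cleans up so later code is unaffected.
function demonstrate(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed attacker document
  mergeFn({}, payload);
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked;
}
```

Parsing into objects created with `Object.create(null)` is the other common defence; it removes the prototype these keys would reach.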
Directus Vulnerable to Information Leakage in Existing Collections
GHSA-cph6-524f-3hgr CVE-2025-64749 MODERATE 14 days ago
### Summary:
An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error...
npm
No PRs yet
Directus's conceal fields are searchable if read permissions enabled
GHSA-8jpw-gpr4-8cmh CVE-2025-64748 MODERATE 14 days ago
## Summary
A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values re...
npm
No PRs yet
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
GHSA-hr2q-hp5q-x767 CVE-2025-64525 MODERATE 14 days ago
## Summary
In impacted versions of Astro using [on-demand rendering](https://docs.astro.build/en/guides/on-demand-rendering/), request headers `x-...
npm
No PRs yet
Astro development server error page is vulnerable to reflected Cross-site Scripting
GHSA-w2vj-39qv-7vh7 CVE-2025-64745 LOW 14 days ago
## Summary
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configur...
npm
No PRs yet
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable
GHSA-7f2v-3qq3-vvjf CVE-2025-59840 HIGH 14 days ago
## Impact
Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" [expressionInterpreter](https:...
npm
No PRs yet
AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance
GHSA-8wj8-cfxr-9374 HIGH 14 days ago
### Description of Vulnerability:
An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. ...
npm
No PRs yet
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
GHSA-7cx5-254x-cgrq CVE-2025-64502 MODERATE 15 days ago
### Impact
The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning be...
npm
No PRs yet
Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand
GHSA-g4mf-96x5-5m2c CVE-2025-12613 HIGH 17 days ago
Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containi...
npm
No PRs yet
EverShop is vulnerable to Unauthorized Order Information Access (IDOR)
GHSA-c73g-mx2w-cc93 CVE-2025-12919 LOW 18 days ago
A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolv...
npm
No PRs yet
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
GHSA-cm35-v4vp-5xvx CVE-2025-64496 HIGH 20 days ago
### Summary
Open WebUI v0.6.33 and below contains a code injection vulnerability in the Direct Connections feature that allows malicious external m...
npm
pypi
No PRs yet
Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE
GHSA-w7xj-8fx7-wfch CVE-2025-64495 HIGH 20 days ago
### Summary
The functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabl...
npm
pypi
No PRs yet
Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files
GHSA-rwvc-j5jr-mgvh CVE-2025-48985 LOW 21 days ago
A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass fil...
npm
No PRs yet
Nuxt DevTools vulnerable to cross-site scripting (XSS)
GHSA-xmq3-q5pm-rp26 CVE-2025-52662 MODERATE 21 days ago
A vulnerability in Nuxt DevTools has been fixed in version **2.6.4**. This issue may have allowed Nuxt auth token extraction via XSS under certain...
npm
No PRs yet
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
GHSA-x4qj-2f4q-r4rx CVE-2025-64430 HIGH 22 days ago
### Impact
A Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a `Parse.File` with `uri` par...
npm
No PRs yet