Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total advisories: 24,785 · With Dependabot PRs: 1,792 · Critical severity: 3,506 · High severity: 8,617
xml-crypto Vulnerable to XML Signature Verification Bypass via Multiple SignedInfo References
GHSA-9p8x-f768-wp2g CVE-2025-29774 CRITICAL 9 months ago
# Impact
An attacker may be able to exploit this vulnerability to bypass authentication or authorization mechanisms in systems that rely on xml-cry...
npm · 38 Dependabot PRs · 10% merged
Flowise Pre-auth Arbitrary File Upload
GHSA-h42x-xx2q-6v6g CRITICAL 9 months ago
## Summary
An unauthorized attacker can leverage the whitelisted route `/api/v1/attachments` to upload arbitrary files when the `storageType` is se...
npm · No PRs yet
Prototype Pollution Vulnerability in parse-git-config
GHSA-8g77-54rh-46hx CVE-2025-25975 HIGH 9 months ago
An issue in parse-git-config v.3.0.0 allows an attacker to obtain sensitive information via the expandKeys function.
npm · No PRs yet
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
GHSA-968p-4wvh-cqc8 CVE-2025-27789 MODERATE 9 months ago
### Impact
When using Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Referen...
npm · 1255 Dependabot PRs · 23% merged
Mockoon has a Path Traversal and LFI in the static file serving endpoint
GHSA-w7f9-wqc4-3wxr CVE-2025-59049 HIGH 9 months ago
### Summary
A mock API configuration for static file serving following the same approach presented in the [documentation page](https://mockoon.com/...
npm · No PRs yet
canvg Prototype Pollution vulnerability
GHSA-v2mw-5mch-w8c5 CVE-2025-25977 HIGH 9 months ago
An issue in canvg prior to v.4.0.3 and v3.0.11 can lead to prototype pollution via the Constructor of the class StyleElement.
npm · No PRs yet
Vue I18n Allows Prototype Pollution in `handleFlatJson`
GHSA-p2ph-7g93-hw3m CVE-2025-27597 HIGH 9 months ago
**Vulnerability type:**
Prototype Pollution
**Vulnerability Location(s):**
```js
# v9.1
node_modules/@intlify/message-resolver/index.js
# v9.2 or...
```
npm · 418 Dependabot PRs · 6% merged
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
GHSA-jr5f-v2jv-69x6 CVE-2025-27152 HIGH 9 months ago
### Summary
A previously reported issue in axios demonstrated that using protocol-relative URLs could lead to SSRF (Server-Side Request Forgery). ...
npm · 965 Dependabot PRs · 14% merged
NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page
GHSA-wf6c-hrhf-86cw CVE-2025-27506 MODERATE 9 months ago
### Summary
The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting.
### Details
Throughout the...
npm · No PRs yet
FlowiseAI Flowise arbitrary file upload vulnerability
GHSA-69jq-qr7w-j7qh CVE-2025-26319 HIGH 9 months ago
FlowiseAI Flowise v2.2.6 was discovered to contain an arbitrary file upload vulnerability in /api/v1/attachments.
npm · No PRs yet
Manifest Uses a One-Way Hash without a Salt
GHSA-h8h6-7752-g28c CVE-2025-27408 MODERATE 9 months ago
### Summary
Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of ...
npm · No PRs yet
seajs Cross-site Scripting vulnerability
GHSA-pfr4-4397-3hg8 CVE-2024-51091 LOW 9 months ago
Cross Site Scripting vulnerability in seajs v.2.2.3 allows a remote attacker to execute arbitrary code via the seajs package
npm · No PRs yet
tsup DOM Clobbering vulnerability
GHSA-3mv9-4h5g-vhg3 CVE-2024-53384 LOW 9 months ago
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.cu...
npm · No PRs yet
mavo DOM Clobbering vulnerability
GHSA-3mf5-r4hg-hfx9 CVE-2024-53388 MODERATE 9 months ago
A DOM Clobbering vulnerability in mavo v0.3.2 allows attackers to execute arbitrary code via supplying a crafted HTML element.
npm · No PRs yet
PrismJS DOM Clobbering vulnerability
GHSA-x7hr-w5r2-h6wg CVE-2024-53382 MODERATE 9 months ago
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain J...
npm · No PRs yet
Stage.js DOM Clobbering vulnerability
GHSA-fp3m-g5rc-4c28 CVE-2024-53386 MODERATE 9 months ago
Stage.js through 0.8.10 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript),...
npm · No PRs yet
mongosh vulnerable to local privilege escalation
GHSA-f5w3-73h4-jpcm CVE-2025-1756 HIGH 9 months ago
mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with...
npm · No PRs yet
MongoDB Shell may be susceptible to control character injection via pasting
GHSA-973h-3x6p-qg37 CVE-2025-1692 MODERATE 9 months ago
The MongoDB Shell may be susceptible to control character injection where an attacker with control of the user’s clipboard could manipulate them to...
npm · No PRs yet
MongoDB Shell may be susceptible to Control Character Injection via autocomplete
GHSA-43g5-2wr2-q7vj CVE-2025-1691 HIGH 9 months ago
The MongoDB Shell may be susceptible to control character injection where an attacker with control of the mongosh autocomplete feature, can use the...
npm · No PRs yet
MongoDB Shell may be susceptible to control character Injection via shell output
GHSA-r95j-4jvf-mrrw CVE-2025-1693 LOW 9 months ago
The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject co...
npm · No PRs yet
Matrix IRC Bridge allows IRC command injection to own puppeted user
GHSA-5mvm-89c9-9gm5 CVE-2025-27146 LOW 9 months ago
### Impact
The matrix-appservice-irc bridge up to version 3.0.3 contains a vulnerability which can lead to arbitrary IRC command execution as the p...
npm · No PRs yet
DOM Expressions has a Cross-Site Scripting (XSS) vulnerability due to improper use of string.replace
GHSA-hw62-58pr-7wc5 CVE-2025-27108 HIGH 9 months ago
> [!NOTE]
> This advisory was originally emailed to community@solidjs.com by @nsysean.
To sum it up, the use of javascript's `.replace()` opens ...
npm · No PRs yet
Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)
GHSA-3qxh-p7jc-5xh6 CVE-2025-27109 HIGH 9 months ago
Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside J...
npm · No PRs yet
Better Auth allows bypassing the trustedOrigins Protection which leads to ATO
GHSA-vp58-j275-797x CRITICAL 9 months ago
### Summary
A bypass was found for **wildcard** or **absolute URLs** trustedOrigins configurations and opens the victims website to a **Open Redire...
npm · No PRs yet
Better Auth has an Open Redirect via Scheme-Less Callback Parameter
GHSA-hjpm-7mrm-26w8 CVE-2025-27143 MODERATE 9 months ago
### Summary
The application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification end...
npm · No PRs yet
tarteaucitron Cross-site Scripting (XSS)
GHSA-8wp9-x25p-8794 CVE-2025-1467 LOW 9 months ago
Versions of the package tarteaucitronjs before 1.17.0 are vulnerable to Cross-site Scripting (XSS) via the getElemWidth() and getElemHeight(). This...
npm · No PRs yet
Cross-site scripting (XSS) in the CKEditor 5 real-time collaboration package
GHSA-j3mm-wmfm-mwvh CVE-2025-25299 MODERATE 9 months ago
### Impact
During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 real-time collaboration packa...
npm · No PRs yet
DocsGPT Allows Remote Code Execution
GHSA-9gff-5v8w-x922 CVE-2025-0868 CRITICAL 9 months ago
A vulnerability, that could result in Remote Code Execution (RCE), has been found in DocsGPT. Due to improper parsing of JSON data using eval() an ...
npm · No PRs yet
Directus allows updates to non-allowed fields due to overlapping policies
GHSA-99vm-5v2h-h6r6 CVE-2025-27089 MODERATE 9 months ago
### Summary
If there are two overlapping policies for the `update` action that allow access to different fields, instead of correctly checking acce...
npm · No PRs yet
JSONPath Plus allows Remote Code Execution
GHSA-hw8r-x6gr-5gjp CVE-2025-1302 HIGH 10 months ago
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker c...
npm · No PRs yet
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
GHSA-rmvr-2pp2-xj38 CVE-2025-25290 MODERATE 10 months ago
### Summary
The regular expression `/<([^>]+)>; rel="deprecation"/` used to match the `link` header in HTTP responses is vulnerable to a ReDoS (Reg...
npm · 1 Dependabot PR
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
GHSA-xx4v-prfh-6cgc CVE-2025-25289 MODERATE 10 months ago
### Summary
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorizat...
npm · 1 Dependabot PR
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
GHSA-h5c3-5r3r-rr8q CVE-2025-25288 MODERATE 10 months ago
### Summary
For the npm package `@octokit/plugin-paginate-rest`, when calling `octokit.paginate.iterator()`, a specially crafted `octokit` instance...
npm · 3 Dependabot PRs · 33% merged
@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
GHSA-x4c5-c7rf-jjgv CVE-2025-25285 MODERATE 10 months ago
### Summary
By crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-...
npm · No PRs yet
Vega allows Cross-site Scripting via the vlSelectionTuples function
GHSA-mp7w-mhcv-673j CVE-2025-25304 MODERATE 10 months ago
### Summary
The `vlSelectionTuples` function can be used to call JavaScript functions, leading to XSS.
### Details
[`vlSelectionTuples`](https://g...
npm · No PRs yet
DOMPurify allows Cross-site Scripting (XSS)
GHSA-vhxf-7vqr-mrjg CVE-2025-26791 MODERATE 10 months ago
DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation c...
npm · 463 Dependabot PRs · 14% merged
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)
GHSA-vjh7-7g9h-fjfh CRITICAL 10 months ago
### Summary
Private key can be extracted from ECDSA signature upon signing a malformed input (e.g. a string or a number), which could e.g. come fr...
npm · 8 Dependabot PRs
parse-duration has a Regex Denial of Service that results in event loop delay and out of memory
GHSA-hcrg-fc28-fcg5 CVE-2025-25283 HIGH 10 months ago
### Summary
This report finds 2 availability issues due to the regex used in the `parse-duration` npm package:
1. An event loop delay due to the C...
npm · No PRs yet
Inefficient Regular Expression Complexity in koa
GHSA-593f-38f6-jp5m CVE-2025-25200 CRITICAL 10 months ago
### Summary
Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denia...
npm · 538 Dependabot PRs · 11% merged
Authentication bypass in @sap/approuter
GHSA-cpfx-964w-4jvp CVE-2025-24876 HIGH 10 months ago
The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code, an attacke...
npm · No PRs yet
Cross-site Scripting (XSS) in serialize-javascript
GHSA-76p7-773f-r4q5 CVE-2024-11831 MODERATE 10 months ago
A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain i...
npm · No PRs yet
Unknown vulnerability in Coinbase Wallet SDK
GHSA-8rgj-285w-qcq4 HIGH 10 months ago
### Impact
There is a security vulnerability in outdated versions of Coinbase Wallet SDK. This does not directly affect users' keys, smart contract...
npm · 1 Dependabot PR · 100% merged
esbuild enables any website to send any requests to the development server and read the response
GHSA-67mh-4wv8-2f99 MODERATE 10 months ago
### Summary
esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.
### Det...
npm · 1654 Dependabot PRs · 19% merged
Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc
GHSA-j82m-pc2v-2484 CVE-2025-24981 CRITICAL 10 months ago
### Summary
An unsafe parsing logic of the URL from markdown can lead to arbitrary JavaScript code due to a bypass to the existing guards around th...
npm · No PRs yet
eazy-logger prototype pollution
GHSA-r7jx-5m6m-cpg9 CVE-2024-57075 HIGH 10 months ago
A prototype pollution in the lib.Logger function of eazy-logger v4.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ...
npm · 430 Dependabot PRs · 25% merged
@zag-js/core prototype pollution
GHSA-fg4m-w35q-vfg2 CVE-2024-57079 HIGH 10 months ago
A prototype pollution in the lib.deepMerge function of @zag-js/core v0.50.0 allows attackers to cause a Denial of Service (DoS) via supplying a cra...
npm · No PRs yet
@rpldy/uploader prototype pollution
GHSA-pc47-g7gv-4gpw CVE-2024-57082 HIGH 10 months ago
A prototype pollution in the lib.createUploader function of @rpldy/uploader v1.8.1 allows attackers to cause a Denial of Service (DoS) via supplyin...
npm · No PRs yet
@stryker-mutator/util vulnerable to Prototype Pollution
GHSA-9j5q-479x-43g2 CVE-2024-57085 HIGH 10 months ago
A prototype pollution in the function deepMerge of @stryker-mutator/util v8.6.0 allows attackers to cause a Denial of Service (DoS) via supplying a...
npm · No PRs yet
utils-extend Prototype Pollution
GHSA-7qgg-vw88-cc99 CVE-2024-57077 CRITICAL 10 months ago
The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a ...
npm · No PRs yet
node-opcua-alarm-condition prototype pollution vulnerability
GHSA-gvwq-6fmx-28xm CVE-2024-57086 HIGH 10 months ago
A prototype pollution in the function fieldsToJson of node-opcua-alarm-condition v2.134.0 allows attackers to cause a Denial of Service (DoS) via s...
npm · No PRs yet