An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,785 Total Advisories
1,792 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity

vxe-table prototype pollution
GHSA-89fp-f5mx-748x CVE-2024-57080 HIGH 10 months ago
A prototype pollution in the lib.install function of vxe-table v4.8.10 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ...
npm
No PRs yet
module-from-string prototype pollution
GHSA-q5j8-9m9g-x2jh CVE-2024-57072 HIGH 10 months ago
A prototype pollution in the lib.requireFromString function of module-from-string v3.3.1 allows attackers to cause a Denial of Service (DoS) via su...
npm
No PRs yet
@tanstack/form-core prototype pollution
GHSA-ggv3-vmgw-xv2q CVE-2024-57068 HIGH 10 months ago
A prototype pollution in the lib.mutateMergeDeep function of @tanstack/form-core v0.35.0 allows attackers to cause a Denial of Service (DoS) via su...
npm
2 Dependabot PRs, 50% Merged
@ndhoule/defaults prototype pollution
GHSA-79h2-v6hh-wq23 CVE-2024-57066 HIGH 10 months ago
A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a craf...
npm
No PRs yet
Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)
GHSA-9x4v-xfq5-m8x5 CRITICAL 10 months ago
### Summary The better-auth `/api/auth/error` page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerabil...
npm
No PRs yet
Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening
GHSA-9crc-q9x8-hgqq CVE-2025-24964 CRITICAL 10 months ago
### Summary Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacki...
npm
981 Dependabot PRs, 13% Merged
Vitest browser mode serves arbitrary files
GHSA-8gvc-j273-4wm5 CVE-2025-24963 MODERATE 10 months ago
### Summary `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exp...
npm
487 Dependabot PRs, 12% Merged
ZX Allows Environment Variable Injection for dotenv API
GHSA-qwp8-x4ff-5h87 CVE-2025-24959 MODERATE 10 months ago
### Impact This vulnerability is an **Environment Variable Injection** issue in `dotenv.stringify`, affecting `google/zx` version **8.3.1**. An a...
npm
No PRs yet
files.photo.gallery command injection
GHSA-5wjw-qjhm-v43h CVE-2024-53615 MODERATE 10 months ago
A command injection vulnerability in the video thumbnail rendering component of files.photo.gallery v0.3.0 through 0.11.0 allows remote attackers t...
npm
No PRs yet
snowflake-sdk may incorrectly validate temporary credential cache file permissions
GHSA-xfhv-wqj6-rx99 CVE-2025-24791 MODERATE 10 months ago
### Issue Snowflake discovered and remediated a vulnerability in the Snowflake NodeJS Driver. File permissions checks of the temporary credential c...
npm
No PRs yet
Potential DoS when using ContextLines integration
GHSA-r5w7-f542-q2j4 LOW 10 months ago
### Impact The [ContextLines integration](https://docs.sentry.io/platforms/javascript/guides/node/configuration/integrations/contextlines/) uses re...
npm
No PRs yet
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
GHSA-4gf7-ff8x-hq99 CVE-2025-24361 MODERATE 10 months ago
### Summary Source code may be stolen during dev when using webpack / rspack builder and you open a malicious web site. ### Details Because the re...
npm
14 Dependabot PRs, 14% Merged
Opening a malicious website while running a Nuxt dev server could allow read-only access to code
GHSA-2452-6xj8-jh47 CVE-2025-24360 MODERATE 10 months ago
### Summary Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. ### Detail...
npm
17 Dependabot PRs, 14% Merged
NodeBB Cross-site scripting (XSS) vulnerability
GHSA-vqr3-vrrg-f3jh CVE-2024-57041 MODERATE 10 months ago
A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me' section o...
npm
No PRs yet
Cross Site Scripting vulnerability in store2
GHSA-w5hq-hm5m-4548 CVE-2024-57556 MODERATE 10 months ago
Cross Site Scripting vulnerability in nbubna store v.2.14.2 and before allows a remote attacker to execute arbitrary code via the store.deep.js com...
npm
No PRs yet
Directus has a DOM-Based cross-site scripting (XSS) via layout_options
GHSA-9qrm-48qf-r2rw LOW 10 months ago
### Impact Directus allows an authenticated attacker to save cross site scripting code to the database. This is possible because the application in...
npm
No PRs yet
Directus allows privilege escalation using Share feature
GHSA-pmf4-v838-29hg CVE-2025-24353 MODERATE 10 months ago
### Summary When sharing an item, user can specify an arbitrary role. It allows user to use a higher-privileged role to see fields that otherwise t...
npm
No PRs yet
Unlimited consumption of resources in @fastify/multipart
GHSA-27c6-mcxv-x3fh CVE-2025-24033 HIGH 10 months ago
### Impact The `saveRequestFiles` function does not delete the uploaded temporary files when user cancels the request. ### Patches Fixed in vers...
npm
No PRs yet
MathLive's Lack of Escaping of HTML allows for XSS
GHSA-qwj6-q94f-8425 CVE-2025-29049 MODERATE 10 months ago
### Summary Despite normal text rendering as LaTeX expressions, preventing XSS, the library also provides users with commands which may modify HTML...
npm
3 Dependabot PRs, 33% Merged
Use of Insufficiently Random Values in undici
GHSA-c76h-2ccp-4975 CVE-2025-22150 MODERATE 10 months ago
### Impact [Undici `fetch()` uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body...
npm
3138 Dependabot PRs, 14% Merged
XSS/HTML Injection Vulnerability in Umbraco Backoffice Components
GHSA-wv8v-rmw2-25wc CVE-2025-24012 MODERATE 10 months ago
### Impact Authenticated users are able to exploit an XSS vulnerability when viewing certain localized backoffice components. ### Patches Will be ...
npm nuget
2 Dependabot PRs
Infinite loop and Blind SSRF found inside the Webfinger mechanism in @fedify/fedify
GHSA-c59p-wq67-24wx CVE-2025-23221 MODERATE 10 months ago
### Summary This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Por...
npm
No PRs yet
Websites were able to send any requests to the development server and read the response in vite
GHSA-vg6x-rcgg-rjx6 CVE-2025-24010 MODERATE 10 months ago
### Summary Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of...
npm
8308 Dependabot PRs, 10% Merged
KaTeX \htmlData does not validate attribute names
GHSA-cg87-wmx4-v546 CVE-2025-23207 MODERATE 11 months ago
### Impact KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that r...
npm
496 Dependabot PRs, 10% Merged
AWS Cloud Development Kit (AWS CDK) IAM OIDC custom resource allows connection to unauthorized OIDC provider
GHSA-v4mq-x674-ff73 CVE-2025-23206 LOW 11 months ago
### Impact Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow, https://gi...
npm
No PRs yet
Eugeny Tabby Sends Password Despite Host Key Verification Failure
GHSA-8vq4-8hfp-29xh CVE-2024-48460 HIGH 11 months ago
An issue in Eugeny Tabby 1.0.213 allows a remote attacker to obtain sensitive information via the server and sends the SSH username and password ev...
npm
No PRs yet
parse-uri Regular expression Denial of Service (ReDoS)
GHSA-6fx8-h7jm-663j CVE-2024-36751 MODERATE 11 months ago
An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL. ## PoC ```js async functi...
npm
No PRs yet
Mongoose search injection vulnerability
GHSA-vg7j-7cwx-8wgw CVE-2025-23061 CRITICAL 11 months ago
Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the `$where` operator. This vulnerability arises from the abi...
npm
851 Dependabot PRs, 26% Merged
Lodestar snappy checksum issue
GHSA-m9c9-mc2h-9wjw LOW 11 months ago
### Impact Unintended permanent chain split affecting greater than or equal to 25% of the network, requiring hard fork (network partition requiring...
npm
No PRs yet
Lodestar snappy decompression issue
GHSA-53rv-hcvm-rpp9 LOW 11 months ago
### Impact Unintended permanent chain split affecting greater than or equal to 25% of the network, requiring hard fork (network partition requiring...
npm
No PRs yet
Next.js Allows a Denial of Service (DoS) with Server Actions
GHSA-7m27-7ghc-44w9 CVE-2024-56332 MODERATE 11 months ago
### Impact A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting...
npm
2 Dependabot PRs
Trix allows Cross-site Scripting via `javascript:` url in a link
GHSA-j386-3444-qgwg CVE-2025-21610 MODERATE 11 months ago
The Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field. ### Impact An attacker could trick...
npm
No PRs yet
path-sanitizer allows bypassing the existing filters to achieve path-traversal vulnerability
GHSA-94p5-r7cc-3rpr CVE-2024-56198 CRITICAL 11 months ago
### Summary This is a POC for a path-sanitizer [npm package](https://www.npmjs.com/package/path-sanitizer). The filters can be bypassed and can res...
npm
No PRs yet
Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint
GHSA-8jhw-6pjj-8723 CVE-2024-56734 HIGH 11 months ago
## Summary An **open redirect vulnerability** has been identified in the **verify email endpoint** of Better Auth, potentially allowing attackers t...
npm
No PRs yet
Marp Core allows XSS by improper neutralization of HTML sanitization
GHSA-x52f-h5g4-8qv5 CVE-2024-56510 MODERATE 11 months ago
Marp Core ([`@marp-team/marp-core`](https://www.npmjs.com/package/@marp-team/marp-core)) from v3.0.2 to v3.9.0 and v4.0.0, are vulnerable to cross-...
npm
6 Dependabot PRs
Systeminformation has command injection vulnerability in getWindowsIEEE8021x (SSID)
GHSA-cvv5-9h9w-qp2m CVE-2024-56334 HIGH 11 months ago
### Summary The SSID is not sanitized before it is passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` function. This means that mal...
npm
No PRs yet
uptime-kuma vulnerable to Local File Inclusion (LFI) via Improper URL Handling in `Real-Browser` monitor
GHSA-2qgm-m29m-cj2h CVE-2024-56331 MODERATE 11 months ago
### Summary An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on the server by exploiting the `file:///...
npm
No PRs yet
Astro's server source code is exposed to the public if sourcemaps are enabled
GHSA-49w6-73cw-chjr CVE-2024-56159 HIGH 12 months ago
### Summary A bug in the build process allows any unauthenticated user to read parts of the server source code. ### Details During build, along wi...
npm
No PRs yet
Prototype pollution in jsii.configureCategories
GHSA-m56h-5xx3-2jc2 LOW 12 months ago
## Summary `jsii` is a TypeScript to JavaScript compiler that also extracts an interface definition manifest to generate RPC stubs in various prog...
npm
No PRs yet
Astro CSRF Middleware Bypass (security.checkOrigin)
GHSA-c4pw-33h3-35xw CVE-2024-56140 MODERATE 12 months ago
### Summary A bug in Astro’s CSRF-protection middleware allows requests to bypass CSRF checks. ### Details When the `security.checkOrigin` confi...
npm
No PRs yet
Bun has an Application-level Prototype Pollution vulnerability in the runtime native API for Glo
GHSA-v9mx-4pqq-h232 CVE-2024-21548 MODERATE 12 months ago
Versions of the package bun before 1.1.30 are vulnerable to Prototype Pollution due to improper input sanitization. An attacker can exploit this vu...
npm
No PRs yet
Next.js authorization bypass vulnerability
GHSA-7gfc-8cq8-jh5f CVE-2024-51479 HIGH 12 months ago
### Impact If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypas...
npm
2 Dependabot PRs
pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
GHSA-vm32-9rqf-rh3r CVE-2024-53866 MODERATE 12 months ago
### Summary pnpm seems to mishandle overrides and global cache: 1. Overrides from one workspace leak into npm metadata saved in global cache 2. np...
npm
No PRs yet
Avenwu Whistle Cross-Site Request Forgery (CSRF)
GHSA-gg6x-448q-pqqm CVE-2024-55500 HIGH 12 months ago
Cross-Site Request Forgery (CSRF) in Avenwu Whistle v.2.9.90 and before allows attackers to perform malicious API calls, resulting in the execution...
npm
No PRs yet
Angular Expressions - Remote Code Execution when using locals
GHSA-5462-4vcx-jh7j CVE-2024-54152 CRITICAL 12 months ago
### Impact An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. Example of vulnerable c...
npm
1 Dependabot PR
Bit flip attack vulnerability in cookie-encrypter
GHSA-h63v-hw6g-x8hp CVE-2024-53441 HIGH 12 months ago
Due to a weakness in the encryption method used in cookie-encrypter, an attacker can use the world-visible IV to edit encrypted cookies without decryp...
npm
No PRs yet
Directus allows unauthenticated access to WebSocket events and operations
GHSA-849r-qrwj-8rv4 CVE-2024-54151 HIGH 12 months ago
### Summary When setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supporte...
npm
No PRs yet
Trix editor subject to XSS vulnerabilities on copy & paste
GHSA-6vx4-v2jw-qwqh CVE-2024-53847 MODERATE 12 months ago
The Trix editor, in versions prior to 2.1.9 and 1.3.3, is vulnerable to XSS + mutation XSS attacks when pasting malicious code. ### Impact An att...
npm
No PRs yet
Predictable results in nanoid generation when given non-integer values
GHSA-mwcw-c2x4-8c55 CVE-2024-55565 MODERATE 12 months ago
When nanoid is called with a fractional value, there were a number of undesirable effects: 1. in browser and non-secure, the code infinite loops o...
npm
No PRs yet
path-to-regexp contains a ReDoS
GHSA-rhx6-c78j-4q9w CVE-2024-52798 HIGH 12 months ago
### Impact The regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of `path-to-regexp`, originally re...
npm
24 Dependabot PRs, 4% Merged