Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,785
Total Advisories
1,792
With Dependabot PRs
3,506
Critical Severity
8,617
High Severity
Directus has an HTML Injection in Comment
GHSA-r6wx-627v-gh2f CVE-2024-54128 MODERATE 12 months ago
### Summary
The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filte...
npm
No PRs yet
Firepad allows insecure document access
GHSA-4fh7-m2wx-6wfm CVE-2024-51210 LOW 12 months ago
Firepad through 1.5.11 allows remote attackers, who have knowledge of a pad ID, to retrieve both the current text of a document and all content tha...
npm
No PRs yet
Modified package published to npm, containing malware that exfiltrates private key material
GHSA-jcxm-7wvp-g6p5 CVE-2024-54134 HIGH 12 months ago
Earlier today, a publish-access account was compromised for `@solana/web3.js`, a JavaScript library that is commonly used by Solana dapps. This all...
npm
No PRs yet
Backstage Scaffolder plugin vulnerable to Server-Side Request Forgery
GHSA-qmc2-jpr5-7rg9 CVE-2024-53983 MODERATE 12 months ago
### Impact
A vulnerability is identified in Backstage Scaffolder template functionality where Server-Side Template Injection (SSTI) can be exploit...
npm
No PRs yet
Mongoose search injection vulnerability
GHSA-m7xq-9374-9rvx CVE-2024-53900 HIGH 12 months ago
Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the abili...
npm
No PRs yet
hull.js Code Injection Vulnerability
GHSA-q849-wxrc-vqrp CRITICAL 12 months ago
Versions of the library from 0.2.2 to 1.0.9 are vulnerable to arbitrary code execution due to unsafe usage of `new Function(...)` in the module...
npm
No PRs yet
@intlify/shared Prototype Pollution vulnerability
GHSA-hjwq-mjwj-4x6c CVE-2024-52810 MODERATE 12 months ago
**Vulnerability type: Prototype Pollution**
**Affected Package:**
Product: @intlify/shared
Version: 10.0.4
**Vulnerability Location(s):**
`nod...
npm
240
Dependabot PRs
5%
Merged
vue-i18n has cross-site scripting vulnerability with prototype pollution
GHSA-9r9m-ffp6-9x4v CVE-2024-52809 MODERATE 12 months ago
### Vulnerability type
XSS
### Description
vue-i18n can be passed locale messages to `createI18n` or `useI18n`.
We can then translate them using `...
npm
224
Dependabot PRs
5%
Merged
@dapperduckling/keycloak-connector-server has Reflected XSS Vulnerability in Authentication Flow URL Handling
GHSA-w5rq-g9r6-vrcg CVE-2024-53843 MODERATE about 1 year ago
**Impact**
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the authentication flow of the application. This issue arises due...
npm
No PRs yet
@lobehub/chat Server Side Request Forgery vulnerability
GHSA-2xcc-vm3f-m8rw CVE-2024-32965 HIGH about 1 year ago
### Summary
lobe-chat before 1.19.13 has an unauthorized SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without log...
npm
No PRs yet
@sveltejs/kit vulnerable to XSS on dev mode 404 page
GHSA-rjjv-87mx-6x3h CVE-2024-53261 LOW about 1 year ago
### Summary
"Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may res...
npm
1
Dependabot PRs
@sveltejs/kit has unescaped error message included on error page
GHSA-mh2x-fcqh-fmqv CVE-2024-53262 LOW about 1 year ago
### Summary
The static error.html template for errors contains placeholders that are replaced without escaping the content first.
### Details
Fr...
npm
1
Dependabot PRs
smol-toml has a Denial of Service via malicious TOML document using deeply nested inline tables
GHSA-pqhp-25j4-6hq9 MODERATE about 1 year ago
### Summary
An attacker can send a maliciously crafted TOML to cause the parser to crash because of a stack overflow caused by a deeply nested inli...
npm
26
Dependabot PRs
9%
Merged
Flowise OverrideConfig security vulnerability
GHSA-5cph-wvm9-45gj HIGH about 1 year ago
### Impact
Flowise allows developers to inject configuration into the Chainflow during execution through the `overrideConfig` option. This is suppo...
npm
No PRs yet
Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server
GHSA-3wf4-68gx-mph8 CVE-2024-11023 MODERATE about 1 year ago
Firebase JavaScript SDK utilizes a "FIREBASE_DEFAULTS" cookie to store configuration data, including an "_authTokenSyncURL" field used for session ...
npm
No PRs yet
Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit
GHSA-7q7g-4xm8-89cq CVE-2024-21539 LOW about 1 year ago
A very large, carefully crafted string can increase CPU usage and crash the program.
## POC
```js
const { ConfigCommentParser } = requ...
npm
No PRs yet
Remote Code Execution on click of <a> Link in markdown preview
GHSA-hff8-hjwv-j9q7 CVE-2024-49362 HIGH about 1 year ago
### Summary
There is a vulnerability in `Joplin-desktop` that leads to remote code execution (RCE) when a user clicks on an `<a>` link within untr...
npm
No PRs yet
dom-iterator code execution vulnerability
GHSA-jrvm-mcxc-mf6m CVE-2024-21541 MODERATE about 1 year ago
Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complet...
npm
20
Dependabot PRs
11%
Merged
matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal
GHSA-xvg8-m4x3-w6xr CVE-2024-50336 MODERATE about 1 year ago
### Summary
matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger cli...
npm
No PRs yet
Regular Expression Denial of Service (ReDoS) in cross-spawn
GHSA-3xgq-45jj-v275 CVE-2024-21538 HIGH about 1 year ago
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization....
npm
78
Dependabot PRs
15%
Merged
Froala WYSIWYG editor allows cross-site scripting (XSS)
GHSA-549p-5c7f-c5p4 CVE-2024-51434 MODERATE about 1 year ago
Inconsistent <plaintext> tag parsing allows for XSS in Froala WYSIWYG editor 4.3.0 and earlier.
npm
packagist
2
Dependabot PRs
happy-dom allows for server side code to be executed by a <script> tag
GHSA-96g7-g7g9-jxw8 CVE-2024-51757 CRITICAL about 1 year ago
### Impact
Consumers of the NPM package `happy-dom`
### Patches
The security vulnerability has been patched in v15.10.2
### Workarounds
No easy w...
npm
No PRs yet
@workos-inc/authkit-remix refresh tokens are logged when the debug flag is enabled
GHSA-v2qh-f584-6hj8 CVE-2024-51753 LOW about 1 year ago
### Impact
Refresh tokens are logged to the console when the disabled-by-default `debug` flag is enabled.
### Patches
Patched in [https://github....
npm
No PRs yet
@workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled
GHSA-5wmg-9cvh-qw25 CVE-2024-51752 LOW about 1 year ago
### Impact
Refresh tokens are logged to the console when the disabled-by-default `debug` flag is enabled.
### Patches
Patched in [https://github....
npm
No PRs yet
Path traversal in oak allows transfer of hidden files within the served root directory
GHSA-qm92-93fv-vh7m CVE-2024-49770 HIGH about 1 year ago
### Summary
By default `oak` does not allow transferring hidden files with the `Context.send` API. However, this can be bypassed by encoding `/` as...
npm
No PRs yet
Glossarizer Cross-site Scripting vulnerability
GHSA-hhhv-ggjx-q9j2 CVE-2024-42515 MODERATE about 1 year ago
Glossarizer through 1.5.2 improperly tries to convert text into HTML. Even though the application itself escapes special characters (e.g., <>), the...
npm
No PRs yet
DOMPurify vulnerable to tampering by prototype pollution
GHSA-p3vf-v8qc-cwcr CVE-2024-48910 CRITICAL about 1 year ago
dompurify was vulnerable to prototype pollution
Fixed by https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc
npm
No PRs yet
lilconfig Code Injection vulnerability
GHSA-fq9m-v26v-2m4f CVE-2024-21537 HIGH about 1 year ago
Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the d...
npm
No PRs yet
Express resource injection
GHSA-cm5g-3pgc-8rg4 CVE-2024-10491 MODERATE about 1 year ago
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsan...
npm
No PRs yet
Langchain Path Traversal vulnerability
GHSA-hc5w-c9f8-9cc4 CVE-2024-7774 MODERATE about 1 year ago
A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to...
npm
No PRs yet
@langchain/community SQL Injection vulnerability
GHSA-6m59-8fmv-m5f9 CVE-2024-7042 LOW about 1 year ago
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injec...
npm
No PRs yet
CycloneDX cdxgen may execute code contained within build-related files
GHSA-hxf3-vgpm-fv9p CVE-2024-50611 MODERATE about 1 year ago
CycloneDX cdxgen prior to 11.1.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradl...
npm
1
Dependabot PRs
useragent Regular Expression Denial of Service vulnerability
GHSA-mgfv-m47x-4wqp CVE-2020-26311 MODERATE about 1 year ago
Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to...
npm
No PRs yet
CommonRegexJS Regular Expression Denial of Service vulnerability
GHSA-pmvv-57rg-5g86 CVE-2020-26305 MODERATE about 1 year ago
CommonRegexJS is a CommonRegex port for JavaScript. All available versions contain one or more regular expressions that are vulnerable to Regular E...
npm
No PRs yet
Knwl.js Regular Expression Denial of Service vulnerability
GHSA-68qg-g787-3rp5 CVE-2020-26306 MODERATE about 1 year ago
Knwl.js is a JavaScript library that parses through text for dates, times, phone numbers, emails, places, and more. Versions 1.0.2 and prior contai...
npm
No PRs yet
nope-validator Regular Expression Denial of Service vulnerability
GHSA-3phv-83cj-p8p7 CVE-2020-26309 MODERATE about 1 year ago
Nope is a JavaScript validator. Versions 0.11.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial ...
npm
No PRs yet
insane vulnerable to Regular Expression Denial of Service
GHSA-w455-mfq9-hf74 CVE-2020-26303 MODERATE about 1 year ago
insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expr...
npm
No PRs yet
Foundation Regular Expression Denial of Service vulnerability
GHSA-p8pc-3f7w-jr5q CVE-2020-26304 MODERATE about 1 year ago
Foundation is a front-end framework. Versions 6.3.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Den...
npm
No PRs yet
validate.js Regular Expression Denial of Service vulnerability
GHSA-rv73-9c8w-jp4c CVE-2020-26308 MODERATE about 1 year ago
Validate.js provides a declarative way of validating JavaScript objects. Versions 0.13.1 and prior contain one or more regular expressions that are...
npm
No PRs yet
OS Command Injection in Snyk gradle plugin
GHSA-qqqw-gm93-qf6m CVE-2024-48964 HIGH about 1 year ago
The Snyk gradle plugin is vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test i...
npm
No PRs yet
OS Command Injection in Snyk php plugin
GHSA-69f9-h8f9-7vjf CVE-2024-48963 HIGH about 1 year ago
The Snyk php plugin is vulnerable to Code Injection when scanning an untrusted PHP project. The vulnerability can be triggered if Snyk test is run ...
npm
No PRs yet
Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify
GHSA-m4gq-x24j-jpmf HIGH about 1 year ago
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/D...
npm
No PRs yet
Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
GHSA-c5g6-6xf7-qxp3 CVE-2024-47819 MODERATE about 1 year ago
### Impact
This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you ca...
npm
nuget
No PRs yet
secp256k1-node allows private key extraction over ECDH
GHSA-584q-6j8j-r5pm CVE-2024-48930 HIGH about 1 year ago
### Summary
In `elliptic`-based version, `loadUncompressedPublicKey` has a check that the public key is on the curve: https://github.com/cryptocoi...
npm
No PRs yet
Denial of service in http-proxy-middleware
GHSA-c7qv-q95q-8v27 CVE-2024-21536 HIGH about 1 year ago
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an Unhandl...
npm
No PRs yet
ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
GHSA-5j4c-8p2g-v4jx CVE-2024-9506 LOW about 1 year ago
The ReDoS can be exploited through the `parseHTML` function in the `html-parser.ts` file. This flaw allows attackers to slow down the application b...
npm
No PRs yet
Malicious homeservers can steal message keys when the matrix-react-sdk user invites another user to a room
GHSA-qcvh-p9jq-wp8v CVE-2024-47824 HIGH about 1 year ago
### Impact
matrix-react-sdk before 3.102.0 allows a malicious homeserver to potentially steal message keys for a room when a user invites another ...
npm
No PRs yet
Matrix JavaScript SDK's key history sharing could share keys to malicious devices
GHSA-4jf8-g8wp-cx7c CVE-2024-47080 HIGH about 1 year ago
### Impact
In matrix-js-sdk versions 9.11.0 through 34.7.0, the method `MatrixClient.sendSharedHistoryKeys` is vulnerable to interception by malici...
npm
No PRs yet
Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy
GHSA-r9mq-3c9r-fmjq CVE-2024-48914 CRITICAL about 1 year ago
# Description
## Path traversal
This vulnerability allows an attacker to craft a request which is able to traverse the server file system and ret...
npm
No PRs yet
Hono allows bypass of CSRF Middleware by a request without Content-Type header.
GHSA-2234-fmw7-43wr CVE-2024-48913 MODERATE about 1 year ago
### Summary
Bypass CSRF Middleware by a request without Content-Type header.
### Details
Although the csrf middleware verifies the Content-Type H...
npm
55
Dependabot PRs
10%
Merged