An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total advisories: 24,842
With Dependabot PRs: 1,806
Critical severity: 3,510
High severity: 8,633

Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify
GHSA-m4gq-x24j-jpmf HIGH about 1 year ago
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/D...
npm
No PRs yet
Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
GHSA-c5g6-6xf7-qxp3 CVE-2024-47819 MODERATE about 1 year ago
Impact: This can be leveraged to gain access to higher-privilege endpoints, e.g. if you get a user with admin privileges to run the code, you ca...
npm nuget
No PRs yet
secp256k1-node allows private key extraction over ECDH
GHSA-584q-6j8j-r5pm CVE-2024-48930 HIGH about 1 year ago
Summary: In `elliptic`-based version, `loadUncompressedPublicKey` has a check that the public key is on the curve: https://github.com/cryptocoi...
npm
No PRs yet
Denial of service in http-proxy-middleware
GHSA-c7qv-q95q-8v27 CVE-2024-21536 HIGH about 1 year ago
Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an Unhandl...
npm
No PRs yet
ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
GHSA-5j4c-8p2g-v4jx CVE-2024-9506 LOW about 1 year ago
The ReDoS can be exploited through the `parseHTML` function in the `html-parser.ts` file. This flaw allows attackers to slow down the application b...
npm
No PRs yet
Malicious homeservers can steal message keys when the matrix-react-sdk user invites another user to a room
GHSA-qcvh-p9jq-wp8v CVE-2024-47824 HIGH about 1 year ago
Impact: matrix-react-sdk before 3.102.0 allows a malicious homeserver to potentially steal message keys for a room when a user invites another ...
npm
No PRs yet
Matrix JavaScript SDK's key history sharing could share keys to malicious devices
GHSA-4jf8-g8wp-cx7c CVE-2024-47080 HIGH about 1 year ago
Impact: In matrix-js-sdk versions 9.11.0 through 34.7.0, the method `MatrixClient.sendSharedHistoryKeys` is vulnerable to interception by malici...
npm
No PRs yet
Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy
GHSA-r9mq-3c9r-fmjq CVE-2024-48914 CRITICAL about 1 year ago
Description / Path traversal: This vulnerability allows an attacker to craft a request which is able to traverse the server file system and ret...
npm
No PRs yet
Hono allows bypass of CSRF Middleware by a request without Content-Type header
GHSA-2234-fmw7-43wr CVE-2024-48913 MODERATE about 1 year ago
Summary: Bypass CSRF Middleware by a request without Content-Type header. Details: Although the csrf middleware verifies the Content-Type H...
npm
55 Dependabot PRs, 10% merged
Valid ECDSA signatures erroneously rejected in Elliptic
GHSA-fc9h-whq2-v747 CVE-2024-48948 LOW about 1 year ago
Elliptic prior to 6.6.0 for Node.js, in its ECDSA implementation, does not correctly verify valid signatures if the hash contains at least ...
npm
250 Dependabot PRs, 16% merged
Cross site scripting in markdown-to-jsx
GHSA-4wx3-54gh-9fr9 CVE-2024-21535 MODERATE about 1 year ago
Versions of the package markdown-to-jsx before 7.4.0 are vulnerable to Cross-site Scripting (XSS) via the src property due to improper input saniti...
npm
No PRs yet
DOM Clobbering Gadget found in astro's client-side router that leads to XSS
GHSA-m85w-3h95-hcf9 CVE-2024-47885 MODERATE about 1 year ago
Summary: A DOM Clobbering gadget has been discovered in Astro's client-side router. It can lead to cross-site scripting (XSS) in websites enable...
npm
No PRs yet
Denial of Service condition in Next.js image optimization
GHSA-g77x-44xx-532m CVE-2024-47831 MODERATE about 1 year ago
Impact: The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition whic...
npm
No PRs yet
angular-base64-upload vulnerable to unauthenticated remote code execution
GHSA-vgxq-6rcf-qwrw CVE-2024-42640 CRITICAL about 1 year ago
angular-base64-upload versions prior to v0.1.21 are vulnerable to unauthenticated remote code execution via the `angular-base64-upload/demo/server....
npm
No PRs yet
DOMpurify has a nesting-based mXSS
GHSA-gx9m-whjm-85jf CVE-2024-47875 HIGH about 1 year ago
DOMpurify was vulnerable to nesting-based mXSS fixed by [0ef5e537](https://github.com/cure53/DOMPurify/tree/0ef5e537a514f904b6aa1d7ad9e749e365d71...
npm
No PRs yet
Elliptic's verify function omits uniqueness validation
GHSA-434g-2637-qmqr CVE-2024-48949 LOW about 1 year ago
The Elliptic package 6.5.5 for Node.js, in its EDDSA implementation, does not perform the required check if the signature proof(s) is within the bounds ...
npm
255 Dependabot PRs, 16% merged
ggit is vulnerable to Arbitrary Argument Injection via the clone() API
GHSA-pr45-cg4x-ff4m CVE-2024-21533 MODERATE about 1 year ago
All versions of the package ggit are vulnerable to Arbitrary Argument Injection via the clone() API, which allows specifying the remote URL to clon...
npm
No PRs yet
SAP HANA Node.js client package vulnerable to Prototype Pollution
GHSA-6339-gv7w-g5f4 CVE-2024-45277 MODERATE about 1 year ago
The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 are impacted by a Prototype Pollution vulnerability allowing an attacker to add...
npm
No PRs yet
ggit is vulnerable to Command Injection via the fetchTags(branch) API
GHSA-62cx-5xj4-wfm4 CVE-2024-21532 MODERATE about 1 year ago
All versions of the package ggit are vulnerable to Command Injection via the fetchTags(branch) API, which allows user input to specify the branch t...
npm
No PRs yet
Saltcorn Server Stored Cross-Site Scripting (XSS) in event logs page
GHSA-pf56-h9qf-rxq4 MODERATE about 1 year ago
Summary: Event log data is not properly sanitized, leading to a stored Cross-Site Scripting (XSS) vulnerability. Details: file: https://gith...
npm
No PRs yet
Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability
GHSA-43f3-h63w-p6f6 CVE-2024-47818 HIGH about 1 year ago
Summary: A logged-in user with any role can delete arbitrary files on the filesystem by calling the `sync/clean_sync_dir` endpoint. The `dir_na...
npm
No PRs yet
cookie accepts cookie name, path, and domain with out-of-bounds characters
GHSA-pxg6-pf52-xh8x CVE-2024-47764 LOW about 1 year ago
Impact: The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize("user...
npm
13,096 Dependabot PRs, 13% merged
Parse Server's custom object ID allows to acquire role privileges
GHSA-8xq9-g7ch-35hg CVE-2024-47183 HIGH about 1 year ago
Impact: If the Parse Server option `allowCustomObjectId: true` is set, an attacker that is allowed to create a new user can set a custom object...
npm
1 Dependabot PR, 100% merged
@saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plugins using git source
GHSA-fm76-w8jw-xf8m HIGH about 1 year ago
Summary: When creating a new plugin using the `git` source, the user-controlled value `req.body.name` is used to build the plugin directory whe...
npm
No PRs yet
Express Open Redirect vulnerability
GHSA-jj78-5fmv-mv28 CVE-2024-9266 LOW about 1 year ago
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Express. This vulnerability affects the use of the Express Response object. Th...
npm
No PRs yet
@saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defstring` parameters when setting localizer strings
GHSA-78p3-fwcq-62c2 HIGH about 1 year ago
Summary: The endpoint `/site-structure/localizer/save-string/:lang/:defstring` accepts two parameter values: `lang` and `defstring`. These valu...
npm
No PRs yet
@saltcorn/server arbitrary file and directory listing when accessing build mobile app results
GHSA-cfqx-f43m-vfh7 MODERATE about 1 year ago
Summary: A user with admin permission can read arbitrary file and directory names on the filesystem by calling the `admin/build-mobile-app/resu...
npm
No PRs yet
@saltcorn/server arbitrary file zip read and download when downloading auto backups
GHSA-277h-px4m-62q8 MODERATE about 1 year ago
Summary: A user with admin permission can read and download arbitrary zip files when downloading auto backups. The file name used to identify t...
npm
No PRs yet
Sentry SDK Prototype Pollution gadget in JavaScript SDKs
GHSA-593m-55hh-j8gv MODERATE about 1 year ago
Impact: In case a Prototype Pollution vulnerability is present in a user's application or bundled libraries, the Sentry SDK could potentially se...
npm
No PRs yet
Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend
GHSA-qc4v-xq2m-65wc CVE-2024-47762 MODERATE about 1 year ago
Impact: Configuration supplied through `APP_CONFIG_*` environment variables, for example `APP_CONFIG_backend_listen_port=7007`, where unexpecte...
npm
No PRs yet
Slim Select has potential Cross-site Scripting issue
GHSA-qvqv-mcxr-x8qw CVE-2024-9440 MODERATE about 1 year ago
Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption(), the text variab...
npm
No PRs yet
OpenC3 stores passwords in clear text (`GHSL-2024-129`)
GHSA-4xqv-47rm-37mm CVE-2024-47529 MODERATE about 1 year ago
Summary: OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible ...
npm rubygems
No PRs yet
OpenC3 Cross-site Scripting in Login functionality (`GHSL-2024-128`)
GHSA-vfj8-5pj7-2f9g CVE-2024-43795 MODERATE about 1 year ago
Summary: The login functionality contains a reflected cross-site scripting (XSS) vulnerability. Note: This CVE only affects Open Source Edition...
npm rubygems
No PRs yet
git-shallow-clone Argument Injection vulnerability
GHSA-qwrq-vxvw-537r CVE-2024-21531 MODERATE about 1 year ago
All versions of the package git-shallow-clone are vulnerable to Argument injection due to missing sanitization or mitigation flags in the process v...
npm
No PRs yet
uPlot Prototype Pollution vulnerability
GHSA-34q8-jcq6-mc37 CVE-2024-21489 HIGH about 1 year ago
Versions of the package uplot before 1.6.31 are vulnerable to Prototype Pollution via the uplot.assign function due to missing check if the attribu...
npm
No PRs yet
basic-auth-connect's callback uses time unsafe string comparison
GHSA-7p89-p6hx-q4fw CVE-2024-47178 HIGH about 1 year ago
Impact: basic-auth-connect <1.1.0 uses a timing-unsafe equality comparison that can leak timing information. Patches: this issue has been f...
npm
36 Dependabot PRs, 2% merged
ReLaXed Cross-site Scripting vulnerability
GHSA-gj3p-j74v-3x57 CVE-2024-9283 LOW about 1 year ago
A vulnerability classified as problematic has been found in RelaxedJS ReLaXed up to 0.2.2. Affected is an unknown function of the component Pug to ...
npm
No PRs yet
Agnai vulnerable to Relative Path Traversal in Image Upload
GHSA-g54f-66mw-hv66 CVE-2024-47171 LOW about 1 year ago
Summary: A vulnerability has been discovered in Agnai that permits attackers to upload image files at an attacker-chosen location on the serve...
npm
No PRs yet
Agnai File Disclosure Vulnerability: JSON via Path Traversal
GHSA-h355-hm5h-cm8h CVE-2024-47170 LOW about 1 year ago
CWE-35: Path Traversal (https://cwe.mitre.org/data/definitions/35.html). CVSSv3.1: 4.3 - Medium, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N ...
npm
No PRs yet
Agnai vulnerable to Remote Code Execution via JS Upload using Directory Traversal
GHSA-mpch-89gm-hm83 CVE-2024-47169 CRITICAL about 1 year ago
Summary: A vulnerability has been discovered in Agnai that permits attackers to upload arbitrary files to attacker-chosen locations on the s...
npm
No PRs yet
Layui has DOM Clobbering gadgets that leads to Cross-site Scripting
GHSA-j827-6rgf-9629 CVE-2024-47075 MODERATE about 1 year ago
Summary: A DOM Clobbering vulnerability has been discovered in `layui` that can lead to Cross-site Scripting (XSS) on web pages where attacker-c...
npm
No PRs yet
Heap-based Buffer Overflow in sqlite-vec
GHSA-vrcx-gx3g-j3h8 CVE-2024-46488 HIGH about 1 year ago
sqlite-vec v0.1.1 was discovered to contain a heap buffer overflow via the npy_token_next function. This vulnerability allows attackers to cause a ...
cargo npm pypi +1 more
No PRs yet
Remote command execution in promptr
GHSA-hwxp-6qf7-q3rc CVE-2024-46489 HIGH about 1 year ago
A remote command execution (RCE) vulnerability in promptr v6.0.7 allows attackers to execute arbitrary commands via a crafted URL.
npm
No PRs yet
Cross-site scripting (XSS) in the clipboard package
GHSA-rgg8-g5x8-wr9v CVE-2024-45613 MODERATE about 1 year ago
Impact: During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 clipboard package. This vulne...
npm
2 Dependabot PRs
Denial of service in rocket chat message parser
GHSA-6375-pg5j-8wph CVE-2024-46935 MODERATE about 1 year ago
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to denial of service (DoS). Attackers who craft messages with sp...
npm
No PRs yet
Flowise and Flowise Chat Embed vulnerable to Stored Cross-site Scripting
GHSA-m5p9-xvxj-64c8 CVE-2024-9148 MODERATE about 1 year ago
Flowise < 2.1.1 suffers from a Stored Cross-Site vulnerability due to a lack of input sanitization in Flowise Chat Embed < 2.0.0.
npm
No PRs yet
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
GHSA-gcx4-mw62-g8wm CVE-2024-47068 HIGH about 1 year ago
Summary: We discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use `import.meta.url` or with plugins that emit and ...
npm
4 Dependabot PRs
lobe-chat implemented an insufficient fix for GHSA-mxhq-xw3g-rphc (CVE-2024-32964)
GHSA-3fc8-2r3f-8wrg CVE-2024-47066 MODERATE about 1 year ago
Summary: SSRF protection implemented in https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts does not consider redirect and...
npm
No PRs yet
Plate allows arbitrary DOM attributes in element.attributes and leaf.attributes
GHSA-73rg-f94j-xvhx CVE-2024-47061 HIGH about 1 year ago
Impact: One longstanding feature of Plate is the ability to add custom DOM attributes to any element or leaf using the `attributes` property. Th...
npm
No PRs yet
DOM Clobbering Gadget found in Rspack's AutoPublicPathRuntimeModule that leads to XSS
GHSA-84jw-g43v-8gjm MODERATE about 1 year ago
Hi, Rspack|Webpack developer team! Summary: We discovered a DOM Clobbering vulnerability in Webpack’s AutoPublicPathRuntimeModule. The DOM Clobb...
npm
No PRs yet