An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

Mattermost Desktop App fails to safeguard screen capture functionality
GHSA-5777-rcjj-9p22 CVE-2024-39772 MODERATE about 1 year ago
Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality sc...
npm
No PRs yet
Mattermost Desktop App fails to sufficiently configure Electron Fuses
GHSA-xgq9-7gw6-jr5r CVE-2024-45835 LOW about 1 year ago
Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure Electron Fuses which allows an attacker to gather Chromium cookies or abuse ...
npm
No PRs yet
Mattermost Desktop App Uncontrolled Search Path Vulnerability
GHSA-wj4j-qc2m-fgh7 CVE-2024-39613 MODERATE about 1 year ago
Mattermost Desktop App versions <=5.8.0 fail to specify an absolute path when searching the cmd.exe file, which allows a local attacker who is able...
npm
No PRs yet
whatsapp-api-js fails to validate message's signature
GHSA-mwhf-vhr5-7j23 CVE-2024-45607 MODERATE about 1 year ago
Impact: Incorrect access control; anyone using the post or verifyRequestSignature methods to handle messages is impacted. Patches: Patched i...
npm
No PRs yet
dset Prototype Pollution vulnerability
GHSA-f6v4-cf5j-vf3w CVE-2024-21529 HIGH about 1 year ago
Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vu...
npm
No PRs yet
Session is cached for OpenID and OAuth2 if `redirect` is not used
GHSA-cff8-x7jv-4fm8 CVE-2024-45596 HIGH about 1 year ago
Summary: An unauthenticated user can access credentials of the last authenticated user via OpenID or OAuth2 where the authentication URL did not includ...
npm
No PRs yet
send vulnerable to template injection that can lead to XSS
GHSA-m6fv-jmcg-4jfg CVE-2024-43799 LOW about 1 year ago
Impact: Passing untrusted user input, even after sanitizing it, to `SendStream.redirect()` may execute untrusted code. Patches: This issu...
npm
No PRs yet
serve-static vulnerable to template injection that can lead to XSS
GHSA-cm22-4g7w-348p CVE-2024-43800 LOW about 1 year ago
Impact: Passing untrusted user input, even after sanitizing it, to `redirect()` may execute untrusted code. Patches: This issue is patche...
npm
No PRs yet
express vulnerable to XSS via response.redirect()
GHSA-qw6h-vgh9-j6wx CVE-2024-43796 LOW about 1 year ago
Impact: In express <4.20.0, passing untrusted user input, even after sanitizing it, to `response.redirect()` may execute untrusted code. ### ...
npm
No PRs yet
body-parser vulnerable to denial of service when url encoding is enabled
GHSA-qwcr-r2fm-qrc7 CVE-2024-45590 HIGH about 1 year ago
Impact: body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payloa...
npm
46 Dependabot PRs, 10% merged
node-gettext vulnerable to Prototype Pollution
GHSA-g974-hxvm-x689 CVE-2024-21528 HIGH about 1 year ago
All versions of the package node-gettext are vulnerable to Prototype Pollution via the addTranslations() function in gettext.js due to improper use...
npm
No PRs yet
path-to-regexp outputs backtracking regular expressions
GHSA-9wv6-86v2-598j CVE-2024-45296 HIGH about 1 year ago
Impact: A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a pe...
npm
3180 Dependabot PRs, 24% merged
AngularJS allows attackers to bypass common image source restrictions
GHSA-m9gf-397r-hwpg CVE-2024-8372 LOW about 1 year ago
Improper sanitization of the value of the `[srcset]` attribute in AngularJS allows attackers to bypass common image source restrictions, which can ...
npm
No PRs yet
AngularJS allows attackers to bypass common image source restrictions
GHSA-mqm9-c95h-x2p6 CVE-2024-8373 LOW about 1 year ago
Improper sanitization of the value of the `[srcset]` attribute in `<source>` HTML elements in AngularJS allows attackers to bypass common image sou...
npm
No PRs yet
@actions/artifact has an Arbitrary File Write via artifact extraction
GHSA-6q32-hq47-5qq3 CVE-2024-42471 HIGH about 1 year ago
Impact: Versions of `actions/artifact` before 2.1.7 are vulnerable to arbitrary file write when using `downloadArtifactInternal`, `downloadArti...
npm
No PRs yet
@blakeembrey/template vulnerable to code injection when attacker controls template input
GHSA-q765-wm9j-66qj CVE-2024-45390 MODERATE about 1 year ago
Impact: It is possible to inject and run code within the template if the attacker has access to write the template name. ```js const { templat...
npm
No PRs yet
Tina search token leak via lock file in TinaCMS
GHSA-4qrm-9h4r-v2fx CVE-2024-45391 HIGH about 1 year ago
Impact: Tina search token leaked via lock file (tina-lock.json) in TinaCMS. Sites building with @tinacms/cli < 1.6.2 that use a search token are...
npm
No PRs yet
DOM clobbering could escalate to Cross-site Scripting (XSS)
GHSA-gprj-6m2f-j9hx CVE-2024-45389 MODERATE about 1 year ago
Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script you load. This information is gather...
cargo npm
18 Dependabot PRs, 5% merged
ReDoS in urlregex
GHSA-rw72-v6c7-hf9r CVE-2020-36830 MODERATE about 1 year ago
A vulnerability was found in nescalante urlregex up to 0.5.0 and classified as problematic. This issue affects some unknown processing of the file ...
npm
No PRs yet
Svelte has a potential mXSS vulnerability due to improper HTML escaping
GHSA-8266-84wp-wv5c CVE-2024-45047 MODERATE over 1 year ago
Summary: A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19. Details: Svelte improperly escapes HTML on server-si...
npm
No PRs yet
Directus has an insecure object reference via PATH presets
GHSA-3fff-gqw3-vj86 CVE-2024-6534 MODERATE over 1 year ago
Impact: Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. T...
npm
No PRs yet
AWS CDK RestApi not generating authorizationScope correctly in resultant CFN template
GHSA-qj85-69xf-2vxq CVE-2024-45037 MODERATE over 1 year ago
Summary: The AWS Cloud Development Kit (CDK) is an open-source framework for defining cloud infrastructure using code. Customers use it to creat...
npm
No PRs yet
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
GHSA-4vvj-4cpr-p986 CVE-2024-43788 MODERATE over 1 year ago
Summary: We discovered a DOM Clobbering vulnerability in Webpack's `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can l...
npm
1064 Dependabot PRs, 20% merged
Apollo Query Planner and Apollo Gateway may infinitely loop on sufficiently complex queries
GHSA-fmj9-77q8-g6c4 CVE-2024-43414 HIGH over 1 year ago
Impact: Instances of @apollo/query-planner >=2.0.0 and <2.8.5 are impacted by a denial-of-service vulnerability. @apollo/gateway versions >=2.0....
cargo npm
1 Dependabot PR, 100% merged
Flowise Unauthenticated Denial of Service (DoS) vulnerability
GHSA-48x4-mx8f-gr4h CVE-2024-8182 HIGH over 1 year ago
An Unauthenticated Denial of Service (DoS) vulnerability exists in Flowise version 1.8.2 leading to a complete crash of the instance running a vuln...
npm
No PRs yet
Flowise Authentication Bypass vulnerability
GHSA-2q4w-x8h2-2fvh CVE-2024-8181 HIGH over 1 year ago
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints...
npm
No PRs yet
unzip-stream allows Arbitrary File Write via artifact extraction
GHSA-6jrj-vc65-c983 HIGH over 1 year ago
Impact: When using the `Extract()` method of unzip-stream, malicious zip files were able to write to paths they shouldn't be allowed to. ### P...
npm
No PRs yet
Hono CSRF middleware can be bypassed using crafted Content-Type header
GHSA-rpfr-3m35-5vx5 CVE-2024-43787 LOW over 1 year ago
Summary: Hono CSRF middleware can be bypassed using a crafted Content-Type header. Details: MIME types are case insensitive, but `isRequeste...
npm
11 Dependabot PRs, 18% merged
squirrelly Code Injection vulnerability
GHSA-w5pw-gmcw-rfc8 CVE-2024-40453 HIGH over 1 year ago
squirrellyjs squirrelly v9.0.0 was discovered to contain a code injection vulnerability via the component `options.varName`. The issue was fixed in...
npm
No PRs yet
CKEditor4 low-risk cross-site scripting (XSS) vulnerability linked to potential domain takeover
GHSA-6v96-m24v-f58j CVE-2024-43411 MODERATE over 1 year ago
Affected Packages: The issue impacts only editor instances with enabled [version notifications](https://ckeditor.com/docs/ckeditor4/latest/api/...
npm
7 Dependabot PRs
Code Snippet GeSHi plugin in CKEditor 4 has reflected cross-site scripting (XSS) vulnerability
GHSA-7r32-vfj5-c2jv CVE-2024-43407 MODERATE over 1 year ago
Affected packages: The vulnerability has been discovered in the [Code Snippet GeSHi](https://ckeditor.com/cke4/addon/codesnippetgeshi) plugin. All i...
npm
8 Dependabot PRs
Ghost's improper authentication allows access to member information and actions
GHSA-78x2-cwp9-5j42 CVE-2024-43409 MODERATE over 1 year ago
Impact: Improper authentication on some endpoints used for member actions would allow an attacker to perform member-only actions, and read memb...
npm
No PRs yet
matrix-js-sdk will freeze when a user sets a room with itself as its predecessor
GHSA-vhr5-g3pm-49fm CVE-2024-42369 MODERATE over 1 year ago
Impact: A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's `getRoomUpgradeHi...
npm
No PRs yet
gettext.js has a Cross-site Scripting injection
GHSA-vwhg-jwr4-vxgg CVE-2024-43370 HIGH over 1 year ago
Impact: Possible vulnerability to XSS injection if .po dictionary definition files are corrupted. Patches: Update gettext.js to 2.0.3. ### Wor...
npm
No PRs yet
Trix has a cross-site Scripting vulnerability on copy & paste
GHSA-qm2q-9f3q-2vcv CVE-2024-43368 MODERATE over 1 year ago
The Trix editor, versions prior to 2.1.4, is vulnerable to XSS when pasting malicious code. This vulnerability is a bypass of the fix put in place ...
npm
No PRs yet
webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle
GHSA-ccqh-278p-xq6w CVE-2024-43373 MODERATE over 1 year ago
Summary: An arbitrary file write vulnerability exists in the webcrack module when processing specifically crafted malicious code on Windows syst...
npm
No PRs yet
Prototype pollution in izatop bunt
GHSA-p734-xg27-8cfq CVE-2024-38989 CRITICAL over 1 year ago
izatop bunt v0.29.19 was discovered to contain a prototype pollution via the component /esm/qs.js. This vulnerability allows attackers to execute a...
npm
No PRs yet
Server-Side Request Forgery in axios
GHSA-8hc4-vh64-cxmj CVE-2024-39338 HIGH over 1 year ago
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
npm
522 Dependabot PRs, 9% merged
Qwik has a potential mXSS vulnerability due to improper HTML escaping
GHSA-2rwj-7xq8-4gx4 CVE-2024-41677 MODERATE over 1 year ago
Summary: A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0. Details: Qwik improperly escapes HTML on server-side rend...
npm
No PRs yet
Matrix SDK for React's URL preview setting for a room is controllable by the homeserver
GHSA-f83w-wqhc-cfp4 CVE-2024-42347 MODERATE over 1 year ago
Impact: A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, ...
npm
1 Dependabot PR
Flowise Cross-site Scripting in /api/v1/public-chatflows/id
GHSA-fccx-2pwj-hrq7 CVE-2024-36423 MODERATE over 1 year ago
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site script...
npm
No PRs yet
Flowise Cross-site Scripting in /api/v1/credentials/id
GHSA-wxm4-9f8p-gggv CVE-2024-37146 MODERATE over 1 year ago
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site script...
npm
No PRs yet
Flowise Cross-site Scripting in /api/v1/chatflows-streaming/id
GHSA-858c-qxvx-rg9v CVE-2024-37145 MODERATE over 1 year ago
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site script...
npm
No PRs yet
Flowise Cross-site Scripting in api/v1/chatflows/id
GHSA-2jch-qc96-9f5g CVE-2024-36422 MODERATE over 1 year ago
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site script...
npm
No PRs yet
Flowise CORS Misconfiguration in packages/server/src/index.ts
GHSA-66f2-xxgm-f6xp CVE-2024-36421 HIGH over 1 year ago
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a CORS misconfiguration sets ...
npm
No PRs yet
Flowise Path Injection at /api/v1/openai-assistants-file
GHSA-h997-3fxj-p5j8 CVE-2024-36420 HIGH over 1 year ago
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistant...
npm
No PRs yet
NextChat has full-read SSRF and XSS vulnerability in /api/cors endpoint
GHSA-qf3q-9f3h-cjp9 CVE-2023-49785 CRITICAL over 1 year ago
NextChat, also known as ChatGPT-Next-Web, is a cross-platform chat user interface for use with ChatGPT. Versions 2.11.2 and prior are vulnerable to...
npm
No PRs yet
Scrypted Cross-site Scripting vulnerability
GHSA-xmhh-xrcc-mx36 CVE-2023-47620 MODERATE over 1 year ago
Scrypted is a home video integration and automation platform. In versions 0.55.0 and prior, a reflected cross-site scripting vulnerability exists i...
npm
No PRs yet
Scrypted Cross-site Scripting vulnerability
GHSA-ww7p-8gfg-v82r CVE-2023-47623 MODERATE over 1 year ago
Scrypted is a home video integration and automation platform. In versions 0.55.0 and prior (corresponding to `@scrypted/core` 0.1.142 and prior), a...
npm
No PRs yet
Editor.js vulnerable to Code Injection
GHSA-6mvj-2569-3mcm CVE-2022-23474 MODERATE over 1 year ago
Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input. The processHT...
npm
No PRs yet