An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,785 Total Advisories

1,792 With Dependabot PRs

3,506 Critical Severity

8,617 High Severity

TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
GHSA-9hcv-j9pv-qmph CVE-2024-38356 MODERATE over 1 year ago
### Impact A [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE’s content extractio...
npm nuget packagist
No PRs yet
TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements
GHSA-w9jx-4g6g-rp7x CVE-2024-38357 MODERATE over 1 year ago
### Impact A [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE’s content parsing c...
npm nuget packagist
No PRs yet
socket.io has an unhandled 'error' event
GHSA-25hc-qcg6-38wj CVE-2024-38355 MODERATE over 1 year ago
### Impact A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. ``` ...
npm
No PRs yet
Lobe Chat API Key Leak
GHSA-p36r-qxgx-jq2v CVE-2024-37895 MODERATE over 1 year ago
### Summary If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base U...
npm
No PRs yet
ws affected by a DoS when handling a request with many HTTP headers
GHSA-3h5v-q93c-6h6q CVE-2024-37890 HIGH over 1 year ago
### Impact A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server. ### Proof o...
npm
424 Dependabot PRs, 21% Merged
@akbr/update Prototype Pollution
GHSA-mj4p-gmhr-92g3 CVE-2024-36578 MODERATE over 1 year ago
akbr update 1.0.0 is vulnerable to Prototype Pollution via update/index.js.
npm
No PRs yet
obx Prototype Pollution
GHSA-jj58-488v-4rgf CVE-2024-36573 CRITICAL over 1 year ago
almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/ob...
npm
No PRs yet
flatten-json Prototype Pollution
GHSA-j8px-pjmp-325f CVE-2024-36574 MODERATE over 1 year ago
A Prototype Pollution issue in flatten-json 1.0.1 allows an attacker to execute arbitrary code via module.exports.unflattenJSON (flatten-json/index...
npm
No PRs yet
Object Resolver Prototype Pollution
GHSA-qj86-v6m7-4qv2 CVE-2024-36577 HIGH over 1 year ago
apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via Module.setNestedProperty.
npm
No PRs yet
Badger Database Prototype Pollution
GHSA-69r2-2fg7-7hf9 CVE-2024-36581 HIGH over 1 year ago
A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via dist/badger-database.esm.
npm
No PRs yet
object-deep-assign Prototype Pollution
GHSA-4xg3-7w7q-856q CVE-2024-36582 MODERATE over 1 year ago
alexbinary object-deep-assign 1.0.11 is vulnerable to Prototype Pollution via the extend() method of Module.deepAssign (/src/index.js)
npm
No PRs yet
@cdr0/sg Prototype Pollution
GHSA-fg52-5jjj-28h7 CVE-2024-36580 MODERATE over 1 year ago
A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.
npm
No PRs yet
Mattermost Desktop App allows for bypassing TCC restrictions on macOS
GHSA-xgqm-wp7w-mgg2 CVE-2024-36287 LOW over 1 year ago
Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags which allows for bypassing TCC restrictions on macOS.
npm
No PRs yet
Mattermost Desktop App Remote Code Execution
GHSA-hvxg-77mg-vrvp CVE-2024-37182 MODERATE over 1 year ago
Mattermost Desktop App versions <=5.7.0 fail to correctly prompt for permission when opening external URLs which allows a remote attacker to force ...
npm
No PRs yet
@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass
GHSA-wrvh-rcmr-9qfc CVE-2024-34065 HIGH over 1 year ago
### Summary By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in Strapi framework is its possi...
npm
4 Dependabot PRs
@strapi/plugin-upload has a Denial-of-Service via Improper Exception Handling
GHSA-pm9q-xj9p-96pm CVE-2024-31217 MODERATE over 1 year ago
### Summary A Denial-of-Service was found in the media upload process causing the server to crash without restarting, affecting either development ...
npm
No PRs yet
@strapi/plugin-content-manager leaks data via relations via the Admin Panel
GHSA-6j89-frxc-q26m CVE-2024-29181 LOW over 1 year ago
### Summary 1. If a super admin creates a collection where an item in the collection has an association to another collection, a user with the Auth...
npm
No PRs yet
SummerNote Cross Site Scripting Vulnerability
GHSA-cc55-mvqc-g9mg CVE-2024-37629 MODERATE over 1 year ago
SummerNote 0.8.18 is vulnerable to Cross Site Scripting (XSS) via the Code View Function.
npm
No PRs yet
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
GHSA-m5vv-6r4h-3vj9 CVE-2024-35255 MODERATE over 1 year ago
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.
maven npm nuget +1 more
14 Dependabot PRs, 21% Merged
@grpc/grpc-js can allocate memory for incoming messages well above configured limits
GHSA-7v5v-9h63-cj86 CVE-2024-37168 MODERATE over 1 year ago
### Impact There are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channe...
npm
184 Dependabot PRs, 9% Merged
ghtml Cross-Site Scripting (XSS) vulnerability
GHSA-vvhj-v88f-5gxr CVE-2024-37166 HIGH over 1 year ago
## Summary It is possible to introduce user-controlled JavaScript code and trigger a Cross-Site Scripting (XSS) vulnerability in some cases. ## A...
npm
No PRs yet
Generation of Error Message Containing Sensitive Information in zsa
GHSA-wjmj-h3xc-hxp8 CVE-2024-37162 MODERATE over 1 year ago
### Impact All users are impacted. The zsa application transfers the parse error stack from the server to the client in production build mode. This...
npm
No PRs yet
Arbitrary file read via Playwright's screenshot feature exploiting file wrapper
GHSA-665w-mwrr-77q3 CVE-2024-37169 MODERATE over 1 year ago
### Impact All users of url-to-png. Please see https://github.com/jasonraimondi/url-to-png/issues/47 ### Patches [v2.0.3](https://github.com/jas...
npm
No PRs yet
Jan path traversal vulnerability
GHSA-878h-rqcq-mv3x CVE-2024-37273 CRITICAL over 1 year ago
An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via upload...
npm
No PRs yet
Jan path traversal vulnerability
GHSA-qfjh-mvq6-c5p8 CVE-2024-36858 CRITICAL over 1 year ago
An arbitrary file upload vulnerability in the /v1/app/writeFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploadi...
npm
No PRs yet
Jan path traversal vulnerability
GHSA-5jqc-qj57-4hrc CVE-2024-36857 HIGH over 1 year ago
Jan v0.4.12 was discovered to contain an arbitrary file read vulnerability via the /v1/app/readFileSync interface.
npm
No PRs yet
Directus is soft-locked by providing a string value to random string util
GHSA-632p-p495-25m5 CVE-2024-36128 HIGH over 1 year ago
### Describe the Bug Providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capabili...
npm
No PRs yet
javascript-deobfuscator crafted payload can lead to code execution
GHSA-9p6p-8v9r-8c9m CVE-2024-36120 HIGH over 1 year ago
javascript-deobfuscator removes common JavaScript obfuscation techniques. Crafted payloads targeting expression simplification can lead to code exe...
npm
No PRs yet
ip SSRF improper categorization in isPublic
GHSA-2p57-rm9w-gvfp CVE-2024-29415 HIGH over 1 year ago
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::f...
npm
20 Dependabot PRs, 5% Merged
wangEditor was discovered to contain a cross-site scripting (XSS) vulnerability via the image upload function
GHSA-9hfw-cvf4-5x25 CVE-2022-25037 MODERATE over 1 year ago
There is a cross-site scripting (XSS) issue in wangEditor via the image upload function in version 4.7.11. This issue has been fixed in version 4.7...
npm
No PRs yet
mysql2 vulnerable to Prototype Pollution
GHSA-pmh2-wpjm-fj45 CVE-2024-21512 HIGH over 1 year ago
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tabl...
npm
No PRs yet
vxe-table Cross-site Scripting vulnerability
GHSA-2qjp-fg8c-g878 CVE-2023-1001 LOW over 1 year ago
A vulnerability, which was classified as problematic, has been found in xuliangzhan vxe-table up to 3.7.9. This issue affects the function export o...
npm
No PRs yet
Pug allows JavaScript code execution if an application accepts untrusted input
GHSA-3965-hpx2-q597 CVE-2024-36361 MODERATE over 1 year ago
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the `compileClient`, `compileFi...
npm
No PRs yet
Ghost allows CSV Injection during member CSV export
GHSA-xgwh-cgv9-783v CVE-2024-34448 HIGH over 1 year ago
Ghost before 5.82.0 allows CSV Injection during a member CSV export.
npm
No PRs yet
@fastify/session reuses destroyed session cookie
GHSA-pj27-2xvp-4qxg CVE-2024-35220 HIGH over 1 year ago
### Impact When restoring the cookie from the session store, the `expires` field is overridden if the `maxAge` field was set. This means a cookie i...
npm
No PRs yet
json-schema-ref-parser Prototype Pollution issue
GHSA-5f97-h2c2-826q CVE-2024-29651 HIGH over 1 year ago
A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via th...
npm
No PRs yet
MiguelCastillo @bit/loader Prototype Pollution issue
GHSA-8vr4-h4rr-8ph6 CVE-2024-24293 HIGH over 1 year ago
A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in in...
npm
No PRs yet
Blackprint @blackprint/engine Prototype Pollution issue
GHSA-g3q2-vcjq-rgrc CVE-2024-24294 CRITICAL over 1 year ago
A Prototype Pollution issue in Blackprint @blackprint/engine 0.8.12 through 0.9.1 allows an attacker to execute arbitrary code via the `_utils.setD...
npm
No PRs yet
njwt Prototype Pollution vulnerability
GHSA-3hvj-2783-34x2 CVE-2024-34273 HIGH over 1 year ago
njwt up to v0.4.0 was discovered to contain a prototype pollution in the `Parser.prototype.parse` method.
npm
No PRs yet
Oceanic allows unsanitized user input to lead to path traversal in URLs
GHSA-5h5v-hw44-f6gg CVE-2024-34712 MODERATE over 1 year ago
### Impact Input to functions such as `Client.rest.channels.removeBan` is not url-encoded, resulting in specially crafted input such as `../../../c...
npm
No PRs yet
Konga is vulnerable to Cross Site Scripting (XSS) attacks
GHSA-93pf-mrc8-4g3h CVE-2024-34243 MODERATE over 1 year ago
Konga v0.14.9 is vulnerable to Cross Site Scripting (XSS) via the username parameter.
npm
No PRs yet
Regular Expression Denial of Service (ReDoS) in micromatch
GHSA-952p-6rrq-rcjv CVE-2024-4067 MODERATE over 1 year ago
The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `mic...
npm
2652 Dependabot PRs, 19% Merged
Uncontrolled resource consumption in braces
GHSA-grv7-fg5c-xmjg CVE-2024-4068 HIGH over 1 year ago
The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a mali...
npm
2704 Dependabot PRs, 19% Merged
Directus Lacks Session Tokens Invalidation
GHSA-g65h-35f3-x2w3 CVE-2024-34709 MODERATE over 1 year ago
### Summary Currently session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_ses...
npm
No PRs yet
NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue
GHSA-h6r4-xvw6-jc5h CVE-2023-49781 HIGH over 1 year ago
### Summary A stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. ### Details The nc-gui/comp...
npm
No PRs yet
Directus allows redacted data extraction on the API through "alias"
GHSA-p8v3-m643-4xqx CVE-2024-34708 MODERATE over 1 year ago
## Summary A user with permission to view any collection using redacted hashed fields can get access the raw stored version using the `alias` funct...
npm
No PRs yet
NocoDB SQL Injection vulnerability
GHSA-8fxg-mr34-jqr8 CVE-2023-50718 MODERATE over 1 year ago
### Summary --- An authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped table_name. ### Deta...
npm
No PRs yet
NocoDB Allows Preview of Files with Dangerous Content
GHSA-qg73-g3cf-vhhh CVE-2023-50717 MODERATE over 1 year ago
### Summary --- Attacker can upload a html file with malicious content. If user tries to open that file in browser malicious scripts can be execute...
npm
No PRs yet
@valtimo/components exposes access token to form.io
GHSA-xcp4-62vj-cq3r CVE-2024-34706 CRITICAL over 1 year ago
### Impact When opening a form in Valtimo, the access token (JWT) of the user is exposed to `api.form.io` via the `x-jwt-token` header. An atta...
npm
No PRs yet
lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability
GHSA-mxhq-xw3g-rphc CVE-2024-32964 CRITICAL over 1 year ago
### Summary The latest version of lobe-chat(by now v0.141.2) has an unauthorized ssrf vulnerability. An attacker can construct malicious requests t...
npm
No PRs yet