An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785

With Dependabot PRs: 1,792

Critical Severity: 3,506

High Severity: 8,617
thelounge may publicly disclose all usernames/idents via port 113
GHSA-g49q-jw42-6x85 LOW over 1 year ago
Per RFC 1413, the unique identifying tuple includes not only the ports but also both addresses. Without the addresses, the information becomes...
npm
No PRs yet
Next.js Server-Side Request Forgery in Server Actions
GHSA-fr5h-rqp8-mj6g CVE-2024-34351 HIGH over 1 year ago
### Impact A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the...
npm
No PRs yet
Next.js Vulnerable to HTTP Request Smuggling
GHSA-77r5-gw3j-2mpf CVE-2024-34350 HIGH over 1 year ago
### Impact Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate request...
npm
No PRs yet
@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability
GHSA-38gf-rh2w-gmj7 CVE-2024-34345 HIGH over 1 year ago
### Impact XML External entity injections could be possible, when running the provided XML Validator on arbitrary input. #### POC ```js const { ...
npm
No PRs yet
Trix Editor Arbitrary Code Execution Vulnerability
GHSA-qjqp-xr96-cj99 CVE-2024-34341 MODERATE over 1 year ago
The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other document...
npm
8
Dependabot PRs
react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js
GHSA-87hq-q4gp-9wr4 CVE-2024-34342 HIGH over 1 year ago
### Summary If PDF.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value),...
npm
32
Dependabot PRs
13%
Merged
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
GHSA-wgrm-67xf-hhpq CVE-2024-4367 HIGH over 1 year ago
### Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), u...
npm
52
Dependabot PRs
14%
Merged
kurwov vulnerable to Denial of Service due to improper data sanitization
GHSA-hfrv-h3q8-9jpr CVE-2024-34075 MODERATE over 1 year ago
### Summary An unsafe sanitization of dataset contents on the `MarkovData#getNext` method used in `Markov#generate` and `Markov#choose` allows a ma...
npm
No PRs yet
Vditor allows Cross-site Scripting via an attribute of an `A` element
GHSA-m5jf-8crm-r65m CVE-2024-34449 MODERATE over 1 year ago
Vditor 3.10.3 allows XSS via an attribute of an `A` element. NOTE: the vendor indicates that a user is supposed to mitigate this via `sanitize=true`.
npm
No PRs yet
libxmljs2 type confusion vulnerability when parsing specially crafted XML
GHSA-mjr4-7xg5-pfvh CVE-2024-34393 CRITICAL over 1 year ago
libxmljs2 is vulnerable to type confusion when parsing a specially crafted XML while invoking a function on the result of attrs() that was called o...
npm
No PRs yet
libxmljs2 vulnerable to type confusion when parsing specially crafted XML
GHSA-78h3-pg4x-j8cv CVE-2024-34394 CRITICAL over 1 year ago
libxmljs2 is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the `namespaces()` function (which in...
npm
No PRs yet
libxmljs vulnerable to type confusion when parsing specially crafted XML
GHSA-6433-x5p4-8jc7 CVE-2024-34391 CRITICAL over 1 year ago
libxmljs is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of `attrs()` ...
npm
No PRs yet
libxmljs vulnerable to type confusion when parsing specially crafted XML
GHSA-mg49-jqgw-gcj6 CVE-2024-34392 CRITICAL over 1 year ago
libxmljs is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the `namespaces()` function (which inv...
npm
No PRs yet
Firebase vulnerable to CSRF attack
GHSA-rcm2-22f3-pqv3 CVE-2024-4128 LOW over 1 year ago
This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to expo...
npm
No PRs yet
s3-url-parser vulnerable to Denial of Service via regexes component
GHSA-r4q9-xx5g-j24p CVE-2024-25355 HIGH over 1 year ago
s3-url-parser 1.0.3 is vulnerable to denial of service via the regexes component.
npm
No PRs yet
xml-crypto vulnerable to XML signature verification bypass due to improper verification of signature/signature spoofing
GHSA-2xp3-57p7-qf4v CVE-2024-32962 CRITICAL over 1 year ago
### Summary Default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of ht...
npm
No PRs yet
Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation
GHSA-7grx-f945-mj96 CVE-2023-36821 HIGH over 1 year ago
### Summary Installation of a maliciously crafted plugin allows for remote code execution by an authenticated attacker. ### Details Uptime Kuma al...
npm
No PRs yet
Uptime Kuma's authenticated path traversal via plugin repository name may lead to unavailability or data loss
GHSA-vr8x-74pm-6vj7 CVE-2023-36822 MODERATE over 1 year ago
### Summary A path traversal vulnerability via the plugin repository name allows an authenticated attacker to delete files on the server leading to...
npm
No PRs yet
Flowise vulnerable to code injection via api/v1
GHSA-6wp6-22x5-rr3w CVE-2024-31621 HIGH over 1 year ago
An issue in FlowiseAI Inc Flowise prior to v1.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component.
npm
No PRs yet
ejs lacks certain pollution protection
GHSA-ghr5-ch3p-vcr6 CVE-2024-33883 MODERATE over 1 year ago
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
npm
No PRs yet
Passbolt Browser Extension leaks password information
GHSA-xfq4-78j7-v594 CVE-2024-33669 MODERATE over 1 year ago
An issue was discovered in Passbolt Browser Extension before 4.6.2. It can send multiple requests to HaveIBeenPwned while a password is being typed...
npm
No PRs yet
Conform contains a Prototype Pollution Vulnerability in `parseWith...` function
GHSA-624g-8qjg-8qxf CVE-2024-32866 HIGH over 1 year ago
### Summary Conform allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature, an at...
npm
1
Dependabot PRs
Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases
GHSA-rqgv-292v-5qgr MODERATE over 1 year ago
### Summary Attackers with commit access to the default branch of a repo using Renovate could manipulate helmv3 registryAliases to execute arbitra...
npm
No PRs yet
Hono vulnerable to Restricted Directory Traversal in serveStatic with deno
GHSA-3mpf-rcc7-5347 CVE-2024-32869 MODERATE over 1 year ago
### Summary When using serveStatic with deno, it is possible to directory traverse where main.ts is located. My environment is configured as per ...
npm
5
Dependabot PRs
MySQL2 for Node Arbitrary Code Injection
GHSA-4rch-2fh8-94vw CVE-2024-21511 CRITICAL over 1 year ago
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in th...
npm
No PRs yet
@hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
GHSA-qmmm-73r2-f8xr CVE-2024-34347 HIGH over 1 year ago
### Observations The Hoppscotch desktop app takes multiple precautions to be secure against arbitrary JavaScript and system command execution. It ...
npm
No PRs yet
@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed
GHSA-hgxw-5xg3-69jx CVE-2024-32652 HIGH over 1 year ago
### Impact The application hangs when receiving a Host header with a value that `@hono/node-server` can't handle well. Invalid values are those th...
npm
No PRs yet
Enabling Authentication does not close all logged in socket connections immediately
GHSA-23q2-5gf8-gjpp LOW over 1 year ago
### Summary This is basically [GHSA-88j4-pcx8-q4q](https://github.com/louislam/uptime-kuma/security/advisories/GHSA-88j4-pcx8-q4q3) but instead of ...
npm
No PRs yet
@andrei-tatar/nora-firebase-common Prototype Pollution vulnerability
GHSA-jjff-q3q4-5hh8 CVE-2024-30564 HIGH over 1 year ago
An issue in andrei-tatar nora-firebase-common between v.1.0.41 and v.1.12.2 allows a remote attacker to execute arbitrary code via a crafted script ...
npm
No PRs yet
Prototype pollution in emit function
GHSA-82jv-9wjw-pqh6 LOW over 1 year ago
### Summary A prototype pollution in derby can crash the application, if the application author has atypical HTML templates that feed user input in...
npm
No PRs yet
Stored Cross-site Scripting (XSS) in excalidraw's web embed component
GHSA-m64q-4jqh-f72f CVE-2024-32472 MODERATE over 1 year ago
### Summary A stored XSS vulnerability in Excalidraw's web embeddable component. This allows arbitrary JavaScript to be run in the context of the ...
npm
No PRs yet
Handling untrusted input can result in a crash, leading to loss of availability / denial of service
GHSA-8m45-2rjm-j347 CVE-2024-30253 HIGH over 1 year ago
Using particular inputs with `@solana/web3.js` will result in memory exhaustion (OOM). If you have a server, client, mobile, or desktop product th...
npm
No PRs yet
AWS Amplify CLI has incorrect trust policy management
GHSA-846g-p7hm-f54r CVE-2024-28056 CRITICAL over 1 year ago
Amazon AWS Amplify CLI before 12.10.1 incorrectly configures the role trust policy of IAM roles associated with Amplify projects. When the Authenti...
npm
No PRs yet
phin may include sensitive headers in subsequent requests after redirect
GHSA-x565-32qp-m3vf MODERATE over 1 year ago
### Impact Users may be impacted if sending requests including sensitive data in specific headers with `followRedirects` enabled. ### Patches Th...
npm
No PRs yet
Matrix IRC Bridge truncated content of messages can be leaked
GHSA-wm4w-7h2q-3pf7 CVE-2024-32000 MODERATE over 1 year ago
### Impact The matrix-appservice-irc before version 2.0.0 can be exploited to leak the truncated body of a message if a malicious user sends a Mat...
npm
No PRs yet
mysql2 Remote Code Execution (RCE) via the readCodeFor function
GHSA-fpw7-j2hg-69v5 CVE-2024-21508 CRITICAL over 1 year ago
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the `readCodeFor` function due to improper validation...
npm
No PRs yet
Summernote vulnerable to cross-site scripting
GHSA-4wh3-3wf2-39m9 CVE-2024-29504 MODERATE over 1 year ago
Cross Site Scripting vulnerability in Summernote v.0.8.18 and before allows a remote attacker to execute arbitrary code via a crafted payload to th...
npm
No PRs yet
zcap has incomplete expiration checks in capability chains.
GHSA-hp8h-7x69-4wmv CVE-2024-31995 MODERATE over 1 year ago
### Impact When invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the `expires` property is ...
npm
No PRs yet
@fastify/secure-session: Reuse of destroyed secure session cookie
GHSA-9wwp-q7wq-jx35 CVE-2024-31999 HIGH over 1 year ago
### Impact At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie val...
npm
No PRs yet
mysql2 cache poisoning vulnerability
GHSA-mqr2-w7wj-jjgr CVE-2024-21507 MODERATE over 1 year ago
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the `keyFromFields` function, resulting in cache po...
npm
No PRs yet
mysql2 vulnerable to Prototype Poisoning
GHSA-49j4-86m8-q2jw CVE-2024-21509 MODERATE over 1 year ago
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input s...
npm
No PRs yet
React Native Sms User Consent Intent Redirection Vulnerability
GHSA-r956-2553-vvhr CVE-2021-4438 MODERATE over 1 year ago
A vulnerability, which was classified as critical, has been found in kyivstarteam react-native-sms-user-consent up to 1.1.4 on Android. Affected by...
npm
No PRs yet
PsiTransfer: File integrity violation
GHSA-2p2x-p7wj-j5h2 CVE-2024-31454 MODERATE over 1 year ago
### Summary The absence of restrictions on the endpoint, which is designed for uploading files, allows an attacker who received the id of a file di...
npm
No PRs yet
PsiTransfer: Violation of the integrity of file distribution
GHSA-xg8v-m2mh-45m6 CVE-2024-31453 MODERATE over 1 year ago
**Summary** The absence of restrictions on the endpoint, which allows you to create a path for uploading a file in a file distribution, allows an a...
npm
No PRs yet
MailDev Remote Code Execution
GHSA-vc6q-ccj9-9r89 CVE-2024-27448 CRITICAL over 1 year ago
MailDev 2 through 2.1.0 allows Remote Code Execution via a crafted Content-ID header for an e-mail attachment, leading to `lib/mailserver.js` writi...
npm
2
Dependabot PRs
50%
Merged
SheetJS Regular Expression Denial of Service (ReDoS)
GHSA-5pgg-2g8v-p4x9 CVE-2024-22363 HIGH over 1 year ago
SheetJS Community Edition before 0.20.2 is vulnerable to Regular Expression Denial of Service (ReDoS). A non-vulnerable version cannot be found vi...
npm
No PRs yet
dectalk-tts Uses Unencrypted HTTP Request
GHSA-6cf6-8hvr-r68w CVE-2024-31206 HIGH over 1 year ago
### Impact In `dectalk-tts@1.0.0`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be ea...
npm
No PRs yet
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is incorrect
GHSA-9qxr-qj54-h672 CVE-2024-30261 LOW over 1 year ago
### Impact If an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have ...
npm
681
Dependabot PRs
7%
Merged
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline
GHSA-m4v8-wqvr-p9f7 CVE-2024-30260 LOW over 1 year ago
### Impact Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. ### Patches...
npm
681
Dependabot PRs
7%
Merged
Vite's `server.fs.deny` did not deny requests for patterns with directories.
GHSA-8jhw-289h-jh2g CVE-2024-31207 MODERATE over 1 year ago
### Summary [Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patte...
npm
No PRs yet