Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total advisories: 24,785
With Dependabot PRs: 1,792
Critical severity: 3,506
High severity: 8,617
In Astro-Shield, setting a correct `integrity` attribute on injected code allows bypassing the allow-lists
GHSA-c4gr-q97g-ppwc CVE-2024-30250 HIGH over 1 year ago
### Impact
Versions 1.2.0 through 1.3.1 of Astro-Shield allow bypassing the allow-lists for cross-origin resources by introducing valid `integrity...
npm
No PRs yet
@electron/packager's build process memory potentially leaked into final executable
GHSA-34h3-8mw4-qw57 CVE-2024-29900 HIGH over 1 year ago
### Impact
A random segment of ~1-10kb of Node.js heap memory allocated either side of a known buffer will be leaked into the final executable. Thi...
npm
No PRs yet
@workos-inc/authkit-nextjs session replay vulnerability
GHSA-35w3-6qhc-474v CVE-2024-29901 MODERATE over 1 year ago
### Impact
A user can reuse an expired session by controlling the `x-workos-session` header.
### Patches
Patched in https://github.com/workos/au...
npm
No PRs yet
Content-Security-Policy header generation in middleware could be compromised by malicious injections
GHSA-w387-5qqw-7g8m CVE-2024-29896 HIGH over 1 year ago
### Impact
When the following conditions are met:
- Automated CSP headers generation for SSR content is enabled
- The web application serves conte...
npm
No PRs yet
Incorrect Access Control in NodeBB
GHSA-qc99-r4wh-c8h6 CVE-2024-29316 MODERATE over 1 year ago
In NodeBB prior to 3.6.7 an attacker was able to access the restricted tabs for the Admin group, which only administrators are allowed to view.
npm
No PRs yet
domain-suffix RegEx Denial of Service
GHSA-cqfh-c4c5-c2hg CVE-2024-25354 HIGH over 1 year ago
RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function.
## PoC
```js
asy...
```
npm
No PRs yet
web3-utils Prototype Pollution vulnerability
GHSA-2g4c-8fpm-c46v CVE-2024-21505 HIGH over 1 year ago
### Impact:
The mergeDeep() function in the web3-utils package has been identified for Prototype Pollution vulnerability. An attacker has the abil...
npm
No PRs yet
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes
GHSA-438c-3975-5x3f CVE-2024-29203 MODERATE over 1 year ago
### Impact
A [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE’s content insertion...
npm
nuget
packagist
No PRs yet
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements
GHSA-5359-pvf2-pw78 CVE-2024-29881 MODERATE over 1 year ago
### Impact
A [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE’s content loading a...
npm
nuget
packagist
No PRs yet
Express.js Open Redirect in malformed URLs
GHSA-rv95-896h-c2vc CVE-2024-29041 MODERATE over 1 year ago
### Impact
Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vul...
npm
4 Dependabot PRs
KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols
GHSA-3wc5-fcw2-2329 CVE-2024-28246 MODERATE over 1 year ago
### Impact
Code that uses KaTeX's `trust` option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs...
npm
No PRs yet
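As an added example (not KaTeX's code), here is a URL-protocol check of the block-list style the advisory describes, beside a check that first normalises the URL with the WHATWG URL parser and then allow-lists the protocol. The `DENIED` and `ALLOWED` sets and the base URL used to resolve relative links are assumptions for this demo; the bypass inputs are constructed.

```javascript
// Added example, not KaTeX's code. A block-list protocol check of the kind
// the advisory describes, next to a check that normalises the URL first and
// then allow-lists. DENIED, ALLOWED and the base URL used to resolve relative
// links are assumptions for this demo.

const DENIED = ['javascript:', 'data:', 'vbscript:'];
const ALLOWED = new Set(['http:', 'https:', 'mailto:']);
const BASE = 'https://example.invalid/'; // assumed: relative links resolve against an https page

// Block-list on the raw string: anything that does not match the literal
// prefix slips through even though a browser will still run it.
function blockListCheck(url) {
  return !DENIED.some((p) => url.startsWith(p));
}

// Protocol as the WHATWG URL parser (and therefore the browser) sees it:
// scheme lower-cased, surrounding whitespace and embedded tab/newline removed.
function normalizedProtocol(url) {
  try {
    return new URL(url, BASE).protocol;
  } catch {
    return null; // unparseable: treat as untrusted
  }
}

// Allow-list on the normalised protocol.
function allowListCheck(url) {
  return ALLOWED.has(normalizedProtocol(url));
}

// Constructed inputs; the first three defeat the raw-string block-list.
const BYPASS_CANDIDATES = [
  'JavaScript:alert(1)',        // scheme case
  ' javascript:alert(1)',       // leading space (stripped by the parser)
  'java\tscript:alert(1)',      // embedded tab (removed by the parser)
  'javascript:alert(1)',        // the only form the block-list catches
  'https://example.com/a.png',  // legitimate link
];

// Runs both checks over the candidates and reports what each one decides.
function compareChecks(urls = BYPASS_CANDIDATES) {
  return urls.map((url) => ({
    url,
    blockList: blockListCheck(url),
    allowList: allowListCheck(url),
    protocol: normalizedProtocol(url),
  }));
}
```

The point of `normalizedProtocol` is that the decision is made on the same parsed form the browser will act on; a check on the raw string and a browser that strips tabs and lower-cases the scheme disagree exactly on the inputs an attacker picks.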
KaTeX's `\includegraphics` does not escape filename
GHSA-f98w-7cxr-ff2h CVE-2024-28245 MODERATE over 1 year ago
### Impact
KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\includegraphics` that runs arbitrary J...
npm
No PRs yet
KaTeX's maxExpand bypassed by Unicode sub/superscripts
GHSA-cvr6-37gx-v8wc CVE-2024-28244 MODERATE over 1 year ago
### Impact
KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\def` or `\newcommand` that causes a ne...
npm
No PRs yet
KaTeX's maxExpand bypassed by `\edef`
GHSA-64fm-8hw2-v72w CVE-2024-28243 MODERATE over 1 year ago
### Impact
KaTeX users who render untrusted mathematical expressions could encounter malicious input using `\edef` that causes a near-infinite loop...
npm
No PRs yet
OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation
GHSA-246p-xmg8-wmcq CVE-2024-29194 HIGH over 1 year ago
## Summary
A security vulnerability exists in oneuptime's local storage handling, where a regular user can escalate privileges by modifying the `is...
npm
No PRs yet
@thi.ng/paths Prototype Pollution vulnerability
GHSA-8ppr-www8-hfjx CVE-2024-29650 CRITICAL over 1 year ago
An issue in @thi.ng/paths v.5.1.62 and before allows a remote attacker to execute arbitrary code via the `mutIn` and `mutInManyUnsafe` components.
npm
No PRs yet
Cache Poisoning Vulnerability
GHSA-882j-4vj5-7vmj CVE-2024-29042 MODERATE over 1 year ago
### Summary
An attacker controlling the second variable of the `translate` function is able to perform a cache poisoning attack. They can change th...
npm
No PRs yet
Denial of service while parsing a tar file due to lack of folders count validation
GHSA-f5x3-32g6-xq36 CVE-2024-28863 MODERATE over 1 year ago
## Description:
During some analysis today of npm's `node-tar` package I came across the folder creation process. Basically, if you provide node-tar ...
npm
5 Dependabot PRs
VvvebJs Arbitrary File Upload vulnerability
GHSA-pmm3-68q9-57jg CVE-2024-29272 MODERATE over 1 year ago
Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5 allows unauthenticated remote attackers to execute arbitrary code and obtain s...
npm
No PRs yet
VvvebJs Reflected Cross-Site Scripting (XSS) vulnerability
GHSA-pc95-3wgm-x28p CVE-2024-29271 MODERATE over 1 year ago
A reflected Cross-Site Scripting (XSS) vulnerability in VvvebJs before version 1.7.5 allows remote attackers to execute arbitrary code and obtain s...
npm
No PRs yet
Path traversal in webpack-dev-middleware
GHSA-wr3j-pwj9-hqq6 CVE-2024-29180 HIGH over 1 year ago
### Summary
_The **webpack-dev-middleware** middleware does not validate the supplied URL address sufficiently before returning the local file. It ...
npm
No PRs yet
Cross-site scripting in Survey Creator
GHSA-xgj4-2hrf-j4xg CVE-2024-28635 MODERATE over 1 year ago
Cross Site Scripting (XSS) vulnerability in SurveyJS Survey Creator v1.9.132 and before allows attackers to execute arbitrary code and obtain sen...
npm
No PRs yet
Server crashes on invalid Cloud Function or Cloud Job name
GHSA-6hh7-46r2-vf29 CVE-2024-29027 CRITICAL over 1 year ago
### Impact
Calling an invalid Parse Server Cloud Function name or Cloud Job name crashes server and may allow for code injection.
### Patches
Ad...
npm
No PRs yet
TurboBoost Commands vulnerable to arbitrary method invocation
GHSA-mp76-7w5v-pr75 CVE-2024-28181 HIGH over 1 year ago
### Impact
TurboBoost Commands has existing protections in place to guarantee that only public methods on Command classes can be invoked; however, ...
npm
rubygems
No PRs yet
follow-redirects' Proxy-Authorization header kept across hosts
GHSA-cxjh-pqwp-8mfp CVE-2024-28849 MODERATE over 1 year ago
When using [axios](https://github.com/axios/axios), its dependency follow-redirects only clears authorization header during cross-domain redirect, ...
npm
78 Dependabot PRs, 3% merged
URL Redirection to Untrusted Site in OAuth2/OpenID in directus
GHSA-fr3w-2p22-6w7p CVE-2024-28239 MODERATE over 1 year ago
### Summary
The authentication API has a `redirect` parameter that can be exploited as an open redirect vulnerability as the user tries to log in v...
npm
No PRs yet
Session Token in URL in directus
GHSA-2ccr-g2rv-h677 CVE-2024-28238 LOW over 1 year ago
### Impact
When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are o...
npm
No PRs yet
StimulusReflex arbitrary method call
GHSA-f78j-4w3g-4q65 CVE-2024-28121 HIGH over 1 year ago
### Summary
More methods than expected can be called on reflex instances. Being able to call some of them has security implications.
### Details
T...
npm
rubygems
No PRs yet
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
GHSA-hhhv-q57g-882q CVE-2024-28176 MODERATE over 1 year ago
A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the [support for decompressing ...
npm
157 Dependabot PRs, 13% merged
RSSHub vulnerable to Server-Side Request Forgery
GHSA-3p3p-cgj7-vgw3 CVE-2024-27927 MODERATE over 1 year ago
### Summary
Several Server-Side Request Forgery (SSRF) vulnerabilities in RSSHub allow remote attackers to use the server as a proxy to send HTTP...
npm
No PRs yet
RSSHub Cross-site Scripting vulnerability caused by internal media proxy
GHSA-2wqw-hr4f-xrhh CVE-2024-27926 MODERATE over 1 year ago
## Impact
When the specially crafted image is supplied to the internal media proxy, it proxies the image without handling XSS vulnerabilities, allo...
npm
No PRs yet
HTTP Handling Vulnerability in the Bare server
GHSA-86fc-f9gr-v533 CVE-2024-27922 CRITICAL over 1 year ago
### Impact
This vulnerability relates to insecure handling of HTTP requests by the @tomphttp/bare-server-node package. This flaw potentially expose...
npm
No PRs yet
JSONata expression can pollute the "Object" prototype
GHSA-fqg8-vfv7-8fj8 CVE-2024-27307 CRITICAL over 1 year ago
### Impact
In JSONata versions `>= 1.4.0, < 1.8.7` and `>= 2.0.0, < 2.0.4`, a malicious expression can use the [transform operator](https://docs.j...
npm
No PRs yet
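The web3-utils `mergeDeep`, @thi.ng/paths `mutIn` and JSONata entries above share one bug class: a write that follows an attacker-chosen key such as `__proto__` and lands on `Object.prototype`. As an added example (not code from any of those three packages), a recursive merge and a path-based setter are shown in a vulnerable and a hardened form; `mergeDeep*` and `setIn*` are hypothetical names, not the packages' APIs, and the payload is constructed.

```javascript
// Added example, not code from web3-utils, @thi.ng/paths or JSONata.
// Shows the bug class shared by these advisories: a recursive merge and a
// path-based setter that treat "__proto__" like any other key, beside
// hardened versions. mergeDeep*/setIn* are hypothetical names.

const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: target["__proto__"] resolves to Object.prototype, so the
// recursion writes every nested key onto the global prototype.
function mergeDeepUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeDeepUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: refuse prototype-reaching keys and only recurse into own properties.
function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (POLLUTING_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      mergeDeepSafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Vulnerable: a path ["__proto__", "x"] walks into Object.prototype.
function setInUnsafe(obj, pathSegs, value) {
  let cur = obj;
  for (let i = 0; i < pathSegs.length - 1; i++) {
    if (!isPlainObject(cur[pathSegs[i]])) cur[pathSegs[i]] = {};
    cur = cur[pathSegs[i]];
  }
  cur[pathSegs[pathSegs.length - 1]] = value;
  return obj;
}

// Hardened: reject any segment that would leave the object's own data.
function setInSafe(obj, pathSegs, value) {
  if (pathSegs.some((s) => POLLUTING_KEYS.has(String(s)))) {
    throw new Error(`refusing prototype-reaching path ${JSON.stringify(pathSegs)}`);
  }
  return setInUnsafe(obj, pathSegs, value);
}

// Runs each variant against a constructed attacker payload and reports
// whether an unrelated object ({}) can observe the injected property.
function prototypePollutionDemo() {
  const payload = JSON.parse('{"__proto__": {"pollutedByMerge": true}}');
  mergeDeepUnsafe({}, payload);
  const unsafeMergePolluted = ({}).pollutedByMerge === true;
  delete Object.prototype.pollutedByMerge; // undo the global damage

  mergeDeepSafe({}, payload);
  const safeMergePolluted = ({}).pollutedByMerge === true;

  setInUnsafe({}, ['__proto__', 'pollutedBySet'], true);
  const unsafeSetPolluted = ({}).pollutedBySet === true;
  delete Object.prototype.pollutedBySet;

  let safeSetRejected = false;
  try { setInSafe({}, ['__proto__', 'pollutedBySet'], true); } catch { safeSetRejected = true; }
  return { unsafeMergePolluted, safeMergePolluted, unsafeSetPolluted, safeSetRejected };
}
```

`JSON.parse` creates `__proto__` as an ordinary own property, which is why `Object.keys` returns it and why the unsafe merge follows it; reading `target["__proto__"]` on a fresh object, by contrast, hits the accessor and hands back `Object.prototype` itself.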
electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only)
GHSA-r4pf-3v7r-hh55 CVE-2024-27303 HIGH over 1 year ago
### Impact
Windows-Only: The NSIS installer makes a system call to open cmd.exe via NSExec in the `.nsh` installer script. NSExec by default search...
npm
No PRs yet
hexo-theme-anzhiyu Cross-site Scripting vulnerability
GHSA-82jf-8f24-xq9m CVE-2024-25865 MODERATE over 1 year ago
Cross Site Scripting (XSS) vulnerability in hexo-theme-anzhiyu v1.6.12 allows remote attackers to execute arbitrary code via the algolia search fu...
npm
No PRs yet
Directus version number disclosure
GHSA-5mhg-wv8w-p59j CVE-2024-27296 MODERATE almost 2 years ago
### Impact
Currently the exact Directus version number is being shipped in compiled JS bundles which are accessible without authentication. With t...
npm
No PRs yet
Budibase affected by VM2 Constructor Escape Vulnerability
GHSA-4g2x-vq5p-5vj6 CRITICAL almost 2 years ago
### Impact
Previously, budibase used a library called `vm2` for code execution inside the Budibase builder and apps, such as the UI below for confi...
npm
No PRs yet
ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection
GHSA-6927-3vr9-fxf2 CVE-2024-27298 CRITICAL almost 2 years ago
### Impact
This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.
### Patches
The algorithm to ...
npm
No PRs yet
Directus has MySQL accent insensitive email matching
GHSA-qw9g-7549-7wg5 CVE-2024-27295 HIGH almost 2 years ago
## Password reset vulnerable to accent confusion
The password reset mechanism of the Directus backend is implemented in a way where combined with ...
npm
No PRs yet
Potential leakage of Sentry auth tokens by React Native SDK with Expo plugin
GHSA-68c2-4mpx-qh95 LOW almost 2 years ago
### Impact
SDK versions between and including 5.16.0 and 5.19.0 allowed Sentry auth tokens to be set in the optional authToken configuration parame...
npm
No PRs yet
mongo-express Cross-site Request Forgery vulnerability
GHSA-fffg-cwc9-xvj7 CVE-2023-52555 MODERATE almost 2 years ago
In mongo-express 1.0.2, /admin allows CSRF, as demonstrated by deletion of a Collection.
npm
No PRs yet
Nteract Remote Code Execution vulnerability
GHSA-6jvg-hp25-42f6 CVE-2024-22891 MODERATE almost 2 years ago
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link.
npm
No PRs yet
OpenZeppelin Contracts base64 encoding may read from potentially dirty memory
GHSA-9vx6-7xxf-x967 CVE-2024-27094 LOW almost 2 years ago
### Impact
The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3,...
npm
No PRs yet
@nfid/embed has compromised private key due to @dfinity/auth-client producing insecure session keys
GHSA-84c3-j8r2-mcm8 CRITICAL almost 2 years ago
### Problem
User sessions in the @nfid/embed SDK with Ed25519 keys are vulnerable due to a compromised private key `535yc-uxytb-gfk7h-tny7p-vjkoe-i...
npm
No PRs yet
es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`
GHSA-4gmj-3p3h-gm8h CVE-2024-27088 LOW almost 2 years ago
### Impact
Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may put scrip...
npm
No PRs yet
sanitize-html Information Exposure vulnerability
GHSA-rm97-x556-q36h CVE-2024-21501 MODERATE almost 2 years ago
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend and with the style attribute al...
npm
No PRs yet
`@backstage/backend-common` vulnerable to path traversal through symlinks
GHSA-2fc9-xpp8-2g9h CVE-2024-26150 HIGH almost 2 years ago
### Impact
Paths checks with the `resolveSafeChildPath` utility were not exhaustive enough, leading to risk of path traversal vulnerabilities if s...
npm
No PRs yet
agent-js: Insecure Key Generation in `Ed25519KeyIdentity.generate`
GHSA-c9vv-fhgv-cjc3 CVE-2024-1631 CRITICAL almost 2 years ago
## Impact
The library offers a function to generate an ed25519 key pair via `Ed25519KeyIdentity.generate` with an optional param to provide a 32 b...
npm
No PRs yet
MeshCentral cross-site websocket hijacking (CSWSH) vulnerability
GHSA-cp68-qrhr-g9h8 CVE-2024-26135 HIGH almost 2 years ago
We have identified a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint of MeshCentral. This component is the pr...
npm
No PRs yet
Cross-site Scripting in electron-pdf
GHSA-3jcv-5f9p-2f2p CVE-2024-1648 HIGH almost 2 years ago
electron-pdf version 20.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does no...
npm
No PRs yet