Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total advisories: 24,785 | With Dependabot PRs: 1,792 | Critical severity: 3,506 | High severity: 8,617
Cross-site Scripting in Serenity
GHSA-5jjq-8cvj-v6m9 CVE-2024-26318 MODERATE almost 2 years ago
Serenity before 6.8.0 allows XSS via an email link because LoginPage.tsx permits return URLs that do not begin with a / character.
npm
nuget
No PRs yet
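The Serenity entry above describes the classic "return URL" mistake: a login page that redirects to whatever string it was handed, so `javascript:` or attacker-origin URLs reach the browser. The following is an added example, not Serenity's code, of the allow-list check a login handler should apply; the application origin `https://app.example` is a placeholder assumption.

```javascript
// Added example (not Serenity's code). A login page accepts a "return URL" to
// send the user back to after authenticating; only a same-site path is allowed.
// The application origin below is an assumed placeholder.
const APP_ORIGIN = 'https://app.example';

function isSafeReturnUrl(value) {
  if (typeof value !== 'string' || value === '') return false;
  // Exactly one leading slash. "//host" is a protocol-relative absolute URL and
  // browsers also treat "/\host" as one, so both second characters are rejected.
  if (value[0] !== '/' || value[1] === '/' || value[1] === '\\') return false;
  // Control characters and backslashes anywhere else are rejected too; the URL
  // parser would strip or rewrite them, which is exactly what a check must not rely on.
  if (/[\u0000-\u001f\u007f\\]/.test(value)) return false;
  // Belt and braces: parse relative to our origin and confirm it stayed there.
  let parsed;
  try { parsed = new URL(value, APP_ORIGIN); } catch { return false; }
  return parsed.origin === APP_ORIGIN && parsed.href.startsWith(APP_ORIGIN + '/');
}

// What the redirect handler should actually use: the validated value or a fixed fallback.
function redirectTarget(requested, fallback = '/') {
  return isSafeReturnUrl(requested) ? requested : fallback;
}
```

The check is an allow-list (one leading slash, nothing that a browser would reinterpret as a scheme or host) rather than a deny-list of bad prefixes, and the final `URL` parse confirms the browser's own interpretation agrees.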
GitHub Security Lab (GHSL) Vulnerability Report, scrypted: `GHSL-2023-218`, `GHSL-2023-219`
GHSA-w4hv-vmv9-hgcr HIGH almost 2 years ago
# GitHub Security Lab (GHSL) Vulnerability Report, scrypted: `GHSL-2023-218`, `GHSL-2023-219`
The [GitHub Security Lab](https://securitylab.github...
npm
No PRs yet
Undici proxy-authorization header not cleared on cross-origin redirect in fetch
GHSA-3787-6prv-h9w3 CVE-2024-24758 LOW almost 2 years ago
### Impact
Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers.
### Patches
...
npm
679 Dependabot PRs (5% merged)
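The undici advisory above is about which request headers may survive a cross-origin redirect. As an added example (not undici's implementation), the function below drops the credential headers bound to the original origin or to the proxy used to reach it when the redirect target's scheme, host or port differs; stripping `Cookie` as well is this example's own extension of the rule.

```javascript
// Added example, not undici's code: filter request headers before following a
// redirect. Credentials for origin A (or for the proxy in front of it) must not
// be replayed to origin B.
const ORIGIN_BOUND = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Same origin = same scheme, host and port (URL.host includes a non-default port).
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

function headersForRedirect(fromUrl, toUrl, headers) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && ORIGIN_BOUND.has(name.toLowerCase())) continue; // dropped
    out[name] = value;
  }
  return out;
}
```

Header names are compared case-insensitively, and a port change alone counts as a different origin, which is the case that hand-written `hostname` comparisons usually miss.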
fetch(url) leads to a memory leak in undici
GHSA-9f24-jqhm-jfcw CVE-2024-24750 MODERATE almost 2 years ago
### Impact
Calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak.
### Patches
Pat...
npm
1 Dependabot PR
React Native Document Picker Directory Traversal vulnerability
GHSA-pmgm-h3cc-m4hj CVE-2024-25466 HIGH almost 2 years ago
Directory Traversal vulnerability in React Native Document Picker before 8.2.2 and 9.x before 9.1.1 allows a local attacker to execute arbitrary co...
npm
No PRs yet
mapshaper Path Traversal vulnerability
GHSA-8m36-62rw-9mxw CVE-2024-1163 MODERATE almost 2 years ago
Path Traversal in GitHub repository mbloch/mapshaper prior to 0.6.44.
npm
No PRs yet
lambda-middleware Inefficient Regular Expression Complexity vulnerability
GHSA-m3f4-957x-m785 CVE-2021-4437 LOW almost 2 years ago
A vulnerability, which was classified as problematic, has been found in dbartholomae lambda-middleware frameguard up to 1.0.4. Affected by this iss...
npm
No PRs yet
Ghost has possible Cross-site Scripting issue
GHSA-99vc-xw8j-phjm CVE-2024-23724 MODERATE almost 2 years ago
Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile pic...
npm
No PRs yet
angular vulnerable to super-linear runtime due to backtracking
GHSA-4w4v-5hc9-xrr2 CVE-2024-21490 HIGH almost 2 years ago
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to s...
npm
No PRs yet
Pkg Local Privilege Escalation
GHSA-22r3-9w55-cj54 CVE-2024-24828 MODERATE almost 2 years ago
### Impact
Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared di...
npm
No PRs yet
NPM IP package incorrectly identifies some private IP addresses as public
GHSA-78xj-cgh5-2h22 CVE-2023-42282 LOW almost 2 years ago
The `isPublic()` function in the NPM package `ip` doesn't correctly identify certain private IP addresses in uncommon formats such as `0x7F.1` as p...
npm
502 Dependabot PRs (15% merged)
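The `ip` advisory above turns on address spellings such as `0x7F.1` that a libc resolver accepts as `127.0.0.1` but a naive dotted-quad regex does not. The added example below (not the `ip` package's code) canonicalises the `inet_aton` forms (hexadecimal and octal parts, fewer than four parts, a single integer) before classifying the address, which is the general fix of which the advisory's case is one instance. The private/special range list is this example's assumption; adapt it to your own policy.

```javascript
// Added example, not the ip package's code: canonicalise the inet_aton-style
// spellings a libc resolver accepts before deciding whether an address is private.
function parseIPv4Part(part) {
  if (/^0x[0-9a-f]+$/i.test(part)) return parseInt(part.slice(2), 16); // hex: 0x7F
  if (/^0[0-7]+$/.test(part)) return parseInt(part, 8);                // octal: 0177
  if (/^(0|[1-9][0-9]*)$/.test(part)) return parseInt(part, 10);       // decimal
  return NaN;                                                          // "08", "", "1e3"
}

// Dotted quad for any accepted form, or null if the text is not an IPv4 address.
function canonicalIPv4(text) {
  const parts = String(text).split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parseIPv4Part);
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();
  if (nums.some(n => n > 255)) return null;
  const lastWidth = 4 - nums.length;              // "127.1": the final part fills 3 bytes
  if (last >= 2 ** (8 * lastWidth)) return null;
  const bytes = nums.slice();
  for (let i = lastWidth - 1; i >= 0; i--) bytes.push(Math.floor(last / 2 ** (8 * i)) & 0xff);
  return bytes.join('.');
}

// Assumed policy list (RFC 1918, loopback, link-local, CGNAT, "this network").
const SPECIAL_RANGES = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];
const toInt = dotted => dotted.split('.').reduce((acc, b) => acc * 256 + Number(b), 0);

// true = private/special, false = public, null = not an IPv4 address (reject it).
function isPrivateIPv4(text) {
  const canon = canonicalIPv4(text);
  if (canon === null) return null;
  const ip = toInt(canon);
  return SPECIAL_RANGES.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
  });
}
```

Callers that gate SSRF or "is this a local target" decisions should treat a `null` result as a rejection, not as "public".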
CKEditor cross-site scripting vulnerability in AJAX sample
GHSA-wh5w-82f3-wrxh CVE-2023-4771 MODERATE almost 2 years ago
### Affected packages
The vulnerability has been discovered in the AJAX sample available at the `samples/old/ajax.html` file location. All integrat...
npm
2 Dependabot PRs
CKEditor4 Cross-site Scripting vulnerability in samples with enabled the preview feature
GHSA-mw2c-vx6j-mg76 CVE-2024-24816 MODERATE almost 2 years ago
### Affected packages
The vulnerability has been discovered in the samples that use the [preview](https://ckeditor.com/cke4/addon/preview) feature:...
npm
2 Dependabot PRs
CKEditor4 Cross-site Scripting vulnerability caused by incorrect CDATA detection
GHSA-fq6h-4g8v-qqvm CVE-2024-24815 MODERATE almost 2 years ago
### Affected packages
The vulnerability has been discovered in the core HTML parsing module and may affect all editor instances that:
* Enabled [fu...
npm
8 Dependabot PRs
Stimulsoft Dashboard.JS directory traversal vulnerability
GHSA-gfqf-9w98-7jmx CVE-2024-24398 CRITICAL almost 2 years ago
Directory Traversal vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.3 allows a remote attacker to execute arbitrary code v...
npm
No PRs yet
Stimulsoft Dashboard.JS Cross Site Scripting vulnerability
GHSA-9m6m-c64r-w4f4 CVE-2024-24396 MODERATE almost 2 years ago
Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code ...
npm
No PRs yet
Stimulsoft Dashboard.JS Cross Site Scripting vulnerability
GHSA-9cgf-pxwq-2cpw CVE-2024-24397 MODERATE almost 2 years ago
Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code ...
npm
No PRs yet
Yarn untrusted search path vulnerability
GHSA-mpwj-fcr6-x34c CVE-2021-4435 HIGH almost 2 years ago
An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content,...
npm
No PRs yet
Zmarkdown Server-Side Request Forgery (SSRF) in remark-download-images
GHSA-mf74-qq7w-6j7v MODERATE almost 2 years ago
### Impact
A major blind SSRF has been found in `remark-images-download`, which allowed
for requests to be made to neighboring servers on local IP...
npm
No PRs yet
Local File Inclusion vulnerability in zmarkdown
GHSA-mq6v-w35g-3c97 LOW almost 2 years ago
### Impact
A minor Local File Inclusion vulnerability has been found in
`zmarkdown`, which allowed for images with a known path on
the host machin...
npm
No PRs yet
Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm.
GHSA-v269-rrr6-cx6r CVE-2023-51838 HIGH almost 2 years ago
Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm.
npm
No PRs yet
Dash apps vulnerable to Cross-site Scripting
GHSA-547x-748v-vp6p CVE-2024-21485 MODERATE almost 2 years ago
Versions of the package dash-core-components before 2.13.0; versions of the package dash-core-components before 2.0.0; versions of the package dash...
npm
pypi
No PRs yet
nodemailer ReDoS when trying to send a specially crafted email
GHSA-9h6g-pr28-7cqp MODERATE almost 2 years ago
### Summary
A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter `attachDataUrls` set, causing the stuck of eve...
npm
142 Dependabot PRs (8% merged)
@lobehub/chat vulnerable to unauthorized access to plugins
GHSA-pf55-fj96-xf37 CVE-2024-24566 MODERATE almost 2 years ago
### Description:
When the application is password-protected (deployed with the `ACCESS_CODE` option), it is possible to access plugins without prop...
npm
No PRs yet
@apollo/experimental-nextjs-app-support Cross-site Scripting vulnerability
GHSA-rv8p-rr2h-fgpg CVE-2024-23841 HIGH almost 2 years ago
### Impact
The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. This vulnerability ari...
npm
No PRs yet
@urql/next Cross-site Scripting vulnerability
GHSA-qhjf-hm5j-335w CVE-2024-24556 HIGH almost 2 years ago
### Impact
The `@urql/next` package is vulnerable to XSS. To exploit this an attacker would need to ensure that the response returns `html` tags an...
npm
No PRs yet
react-query-streamed-hydration Cross-site Scripting vulnerability
GHSA-997g-27x8-43rf CVE-2024-24558 HIGH almost 2 years ago
### Impact
The `@tanstack/react-query-next-experimental` NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an at...
npm
No PRs yet
network Arbitrary Command Injection vulnerability
GHSA-vvh2-82c7-ppfg CVE-2024-21488 HIGH almost 2 years ago
Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the `child_process` exec function without ...
npm
No PRs yet
Ylianst MeshCentral Missing SSL Certificate Validation
GHSA-8xw6-9h78-c89j CVE-2023-51837 CRITICAL almost 2 years ago
Ylianst MeshCentral 1.1.16 is vulnerable to Missing SSL Certificate Validation.
npm
No PRs yet
DeviceFarmer stf uses DES-ECB
GHSA-7xm8-wjq7-88r5 CVE-2023-51839 CRITICAL almost 2 years ago
DeviceFarmer stf v3.6.6 suffers from Use of a Broken or Risky Cryptographic Algorithm.
npm
No PRs yet
MeshCentral algorithm-downgrade issue
GHSA-wpxw-5xfm-x22v CVE-2023-51842 HIGH almost 2 years ago
An algorithm-downgrade issue was discovered in Ylianst MeshCentral 1.1.16.
npm
No PRs yet
Sending a GET or HEAD request with a body crashes SvelteKit
GHSA-g5m6-hxpp-fc49 CVE-2024-23641 HIGH almost 2 years ago
### Summary
In SvelteKit 2 sending a GET request with a body eg `{}` to a SvelteKit app in preview or with `adapter-node` throws `Request with GET/...
npm
No PRs yet
Prototype pollution not blocked by object-path related utilities in hoolock
GHSA-4c2g-hx49-7h25 CVE-2024-23339 MODERATE almost 2 years ago
### Impact
Utility functions related to object paths (`get`, `set` and `update`) did not block attempts to access or alter object prototypes.
### ...
npm
No PRs yet
@hono/node-server cannot handle "double dots" in URL
GHSA-rjq5-w47x-x359 CVE-2024-23340 MODERATE almost 2 years ago
### Impact
Since v1.3.0, we use our own Request object. This is great, but the `url` behavior is unexpected.
In the standard API, if the URL cont...
npm
No PRs yet
Cross-site Scripting in Ghost
GHSA-fh38-9fgr-454w CVE-2024-23725 MODERATE almost 2 years ago
Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries.
npm
No PRs yet
SPV Merkle proof malleability allows the maintainer to prove invalid transactions
GHSA-wg2x-rv86-mmpx HIGH almost 2 years ago
## Summary
By publishing specially crafted transactions on the Bitcoin blockchain, the SPV maintainer can produce seemingly valid SPV proofs for fr...
npm
No PRs yet
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
GHSA-c24v-8rfc-w8vw CVE-2024-23331 HIGH almost 2 years ago
### Summary
[Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` can be bypassed on case-insensi...
npm
No PRs yet
Marvin Attack of RSA and RSAOAEP decryption in jsrsasign
GHSA-rh63-9qcf-83gf CVE-2024-21484 HIGH almost 2 years ago
### Impact
RSA PKCS#1.5 or RSAOAEP ciphertexts may be decrypted by this Marvin attack vulnerability.
### Patches
update to jsrsasign 11.0.0.
### ...
npm
1 Dependabot PR (100% merged)
Default swagger-ui configuration exposes all files in the module
GHSA-62jr-84gf-wmg4 CVE-2024-22207 MODERATE almost 2 years ago
### Impact
The default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed...
npm
No PRs yet
EverShop vulnerable to improper authorization in GraphQL endpoints
GHSA-ggpm-9qfx-mhwg CVE-2023-46942 HIGH almost 2 years ago
Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.9, allows remote attackers to obtain sensitive information via i...
npm
No PRs yet
EverShop at risk to unauthorized access via weak HMAC secret
GHSA-32r3-57hp-cgfw CVE-2023-46943 CRITICAL almost 2 years ago
An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.9. The HMAC secret used for generating tokens is hardcoded as "...
npm
No PRs yet
@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)
GHSA-q6w5-jg5q-47vg CVE-2024-22206 CRITICAL almost 2 years ago
### Impact
Unauthorized access or privilege escalation due to a logic flaw in `auth()` in the App Router or `getAuth()` in the Pages Router.
### A...
npm
No PRs yet
react-native-mmkv Insertion of Sensitive Information into Log File vulnerability
GHSA-4jh3-6jhv-2mgp CVE-2024-21668 MODERATE almost 2 years ago
## Summary
Before version [v2.11.0](https://github.com/mrousavy/react-native-mmkv/releases/tag/v2.11.0), the react-native-mmkv logged the optional ...
npm
No PRs yet
Appwrite CLI makes Use of Hard-coded Credentials
GHSA-g777-crp9-m27g CVE-2023-50974 MODERATE almost 2 years ago
In Appwrite CLI before 3.0.0, when using the login command, the credentials of the Appwrite user are stored in a ~/.appwrite/prefs.json file with 0...
npm
No PRs yet
@fastify/reply-from JSON Content-Type parsing confusion
GHSA-v2v2-hph8-q5xp CVE-2023-51701 MODERATE almost 2 years ago
### Impact
The main repo of fastify use [fast-content-type-parse](https://github.com/fastify/fast-content-type-parse) to parse request Content-Typ...
npm
1 Dependabot PR
@backstage/backend-app-api leaks GitLab access tokens
GHSA-86rg-pf4c-5grg CVE-2023-6944 HIGH almost 2 years ago
A flaw was found in the Red Hat Developer Hub (RHDH). The catalog-import function leaks GitLab access tokens on the frontend when the base64 encode...
npm
No PRs yet
Arbitrary remote code execution within `wrangler dev` Workers sandbox
GHSA-f8mp-x433-5wpf CVE-2023-7080 CRITICAL almost 2 years ago
### Impact
The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. `wrangler dev` would previously...
npm
No PRs yet
Arbitrary remote file read in Wrangler dev server
GHSA-cfph-4qqh-w828 CVE-2023-7079 MODERATE almost 2 years ago
### Impact
Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer ...
npm
No PRs yet
CouchAuth host header injection vulnerability leaks the password reset token
GHSA-fqh6-6h6c-366m CVE-2023-39655 HIGH almost 2 years ago
A host header injection vulnerability exists in the NPM package @perfood/couch-auth versions <= 0.20.0. By sending a specially crafted host header ...
npm
No PRs yet
plotly.js prototype pollution vulnerability
GHSA-wjc4-73q6-gv3m CVE-2023-46308 CRITICAL almost 2 years ago
In Plotly plotly.js before 2.25.2, plot API calls have a risk of __proto__ being polluted in expandObjectPaths or nestedProperty.
npm
packagist
No PRs yet
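Two entries on this page are prototype pollution through object-path utilities: hoolock (`get`, `set` and `update` did not block `__proto__` and friends) and plotly.js just above (`expandObjectPaths` / `nestedProperty` could pollute `__proto__`). The added example below, which is neither library's code, shows the vulnerable walk next to a hardened `set`/`get` that rejects the three dangerous segment names and only traverses own properties.

```javascript
// Added example, not hoolock's or plotly.js's code.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Accept "a.b.c" or ['a', 'b', 'c']; refuse any segment that reaches a prototype.
function parsePath(p) {
  const keys = Array.isArray(p) ? p.map(String) : String(p).split('.');
  for (const k of keys) {
    if (FORBIDDEN.has(k)) throw new TypeError(`unsafe path segment: ${k}`);
  }
  return keys;
}

// How the vulnerable utilities behaved: "__proto__.x" walks into Object.prototype
// and writes there, so every object in the process gains property x.
function unsafeSet(obj, p, value) {
  const keys = String(p).split('.');
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (cur[k] == null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: forbidden segments rejected, and intermediate containers are only
// reused when they are the object's own plain-object properties.
function safeSet(obj, p, value) {
  const keys = parsePath(p);
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, k) ? cur[k] : undefined;
    if (typeof own !== 'object' || own === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened read: inherited properties (toString, constructor, ...) are invisible.
function safeGet(obj, p) {
  let cur = obj;
  for (const k of parsePath(p)) {
    if (cur === null || typeof cur !== 'object' || !Object.prototype.hasOwnProperty.call(cur, k)) return undefined;
    cur = cur[k];
  }
  return cur;
}
```

Rejecting the segment names is the load-bearing check; the own-property walk is the second layer, and it also stops `get` from returning inherited values such as `constructor` that a later step might call.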