Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,830 Total Advisories
1,801 With Dependabot PRs
3,510 Critical Severity
8,627 High Severity
TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes
GHSA-v626-r774-j7f8 CVE-2023-48219 MODERATE about 2 years ago
### Impact
A [mutation cross-site scripting](https://researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by...
npm
nuget
packagist
No PRs yet
DOMPurify Open Redirect vulnerability
GHSA-8hgg-xxm5-3873 CVE-2019-25155 MODERATE about 2 years ago
DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute.
npm
No PRs yet
Bootbox.js Cross Site Scripting vulnerability
GHSA-m4ch-4m5f-2gp6 CVE-2023-46998 MODERATE about 2 years ago
Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload...
npm
No PRs yet
Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint
GHSA-2rmr-xw8m-22q9 CVE-2023-46729 MODERATE about 2 years ago
### Impact
An unsanitized input of Next.js SDK tunnel endpoint allows sending HTTP requests to arbitrary URLs and reflecting the response back to t...
npm
1 Dependabot PR
NASA Open MCT Cross Site Scripting vulnerability
GHSA-v8fc-qxvj-f3mg CVE-2023-45885 MODERATE about 2 years ago
Cross Site Scripting (XSS) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to run arbitrary code via the new component ...
npm
No PRs yet
NASA Open MCT Cross Site Request Forgery (CSRF) vulnerability
GHSA-4g88-4hgm-m99x CVE-2023-45884 MODERATE about 2 years ago
Cross Site Request Forgery (CSRF) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to view sensitive information via the...
npm
No PRs yet
chromedriver Command Injection vulnerability
GHSA-hm92-vgmw-qfmx CVE-2023-26156 MODERATE about 2 years ago
Versions of the package chromedriver before 119.0.1 are vulnerable to Command Injection when setting the chromedriver.path to an arbitrary system b...
npm
No PRs yet
Axios Cross-Site Request Forgery Vulnerability
GHSA-wf5p-g6vw-rhxx CVE-2023-45857 MODERATE about 2 years ago
An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP he...
npm
2329 Dependabot PRs, 13% merged
Prototype Pollution(PP) vulnerability in setByPath
GHSA-9w5f-mw3p-pj47 CVE-2023-45827 HIGH about 2 years ago
### Summary
There is a Prototype Pollution (PP) vulnerability in dot-diver. It can lead to RCE.
### Details
```javascript
//https://github.com/cli...
```
npm
No PRs yet
Unauthorized Access to Private Fields in User Registration API
GHSA-gc7p-j5xm-xxh2 CVE-2023-39345 HIGH about 2 years ago
### System Details
| Name | Value |
|----------|------------------------|
| OS | Windows 11 |
| Version | 4...
npm
No PRs yet
cordova-plugin-fingerprint-aio DoS vulnerability
GHSA-7vfx-hfvm-rhr8 CVE-2021-43849 MODERATE about 2 years ago
## Summary:
Sending a specially crafted intent with an invalid/empty extras `de.niklasmerz.cordova.biometric.BiometricActivity` can cause the app ...
npm
No PRs yet
generator-jhipster allows a timing attack against validateToken due to a string comparison that stops at the first character
GHSA-4gpm-r23h-gprw CVE-2015-20110 HIGH about 2 years ago
JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character...
npm
No PRs yet
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack
GHSA-x9w5-v3q2-3rhw CVE-2023-46234 HIGH about 2 years ago
### Summary
An upper bound check issue in `dsaVerify` function allows an attacker to construct signatures that can be successfully verified by any ...
npm
No PRs yet
crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
GHSA-xwcq-pm8m-c4vf CVE-2023-46233 CRITICAL about 2 years ago
### Impact
#### Summary
Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current...
npm
16 Dependabot PRs, 6% merged
crypto-es PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
GHSA-mpj8-q39x-wq5h CVE-2023-46133 CRITICAL about 2 years ago
### Impact
#### Summary
Crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and [at least 1,300,000 times weaker than current...
npm
2 Dependabot PRs
Inefficient Regular Expression Complexity in node-email-check
GHSA-9242-6p36-6256 CVE-2023-39619 HIGH about 2 years ago
ReDoS in NPMJS Node Email Check v.1.0.4 allows an attacker to cause a denial of service via a crafted string to the scpSyntax component.
npm
No PRs yet
Parse Server may crash when uploading file without extension
GHSA-792q-q67h-w579 CVE-2023-46119 HIGH about 2 years ago
### Impact
Parse Server crashes when uploading a file without extension.
### Patches
A permanent fix has been implemented to prevent the server ...
npm
No PRs yet
Next.js missing cache-control header may lead to CDN caching empty reply
GHSA-c59h-r6p8-q9wc CVE-2023-46298 LOW about 2 years ago
Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial ...
npm
No PRs yet
Tauri's Updater Private Keys Possibly Leaked via Vite Environment Variables
GHSA-2rcp-jvr4-r259 CVE-2023-46115 HIGH about 2 years ago
### Impact
This advisory is not describing a vulnerability in the Tauri code base itself but a commonly used misconfiguration which could lead to ...
cargo
npm
No PRs yet
Directus crashes on invalid WebSocket message
GHSA-hmgw-9jrg-hf2m CVE-2023-45820 HIGH about 2 years ago
### Summary
It seems that any Directus installation that has websockets enabled can be crashed if the websocket server receives an invalid frame. T...
npm
No PRs yet
TinyMCE XSS vulnerability in notificationManager.open API
GHSA-hgqx-r2hp-jr38 CVE-2023-45819 MODERATE about 2 years ago
### Impact
A [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE’s Notification Mana...
npm
nuget
packagist
No PRs yet
TinyMCE mXSS vulnerability in undo/redo, getContent API, resetContent API, and Autosave plugin
GHSA-v65r-p3vv-jjfv CVE-2023-45818 MODERATE about 2 years ago
### Impact
A [mutation cross-site scripting](https://researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by...
npm
nuget
packagist
No PRs yet
React Developer Tools extension Improper Authorization vulnerability
GHSA-rxrc-rgv4-jpvx CVE-2023-5654 MODERATE about 2 years ago
The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is ac...
npm
No PRs yet
Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution
GHSA-jg82-xh3w-rhxx CVE-2023-45811 HIGH about 2 years ago
### Impact
A `__proto__` pollution vulnerability exists in synchrony versions before v2.4.4. Successful exploitation could lead to arbitrary code ...
npm
No PRs yet
Prototype Pollution in ali-security/mongoose
GHSA-rc4v-99cr-pjcm CRITICAL about 2 years ago
### Impact
This vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate().
For applications using Ex...
npm
No PRs yet
nocodb SQL Injection vulnerability
GHSA-3m5q-q39v-xf8f CVE-2023-43794 MODERATE about 2 years ago
## Summary
Nocodb contains a SQL injection vulnerability that allows an authenticated attacker with creator access to query the underlying database...
npm
No PRs yet
Undici's cookie header not cleared on cross-origin redirect in fetch
GHSA-wqq4-5wpv-mx2g CVE-2023-45143 LOW about 2 years ago
### Impact
Undici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [fo...
npm
35 Dependabot PRs, 5% merged
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
GHSA-67hx-6x53-jw92 CVE-2023-45133 CRITICAL about 2 years ago
### Impact
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when ...
npm
14 Dependabot PRs, 7% merged
node-qpdf vulnerable to command injection
GHSA-fpr8-4wvx-j9q3 CVE-2023-26155 HIGH about 2 years ago
All versions of the package node-qpdf are vulnerable to Command Injection such that the package-exported method encrypt() fails to sanitize its par...
npm
No PRs yet
Allocation of Resources Without Limits or Throttling in vriteio/vrite
GHSA-5ghm-h2wq-g3mh CVE-2023-5573 MODERATE about 2 years ago
Allocation of Resources Without Limits or Throttling in GitHub repository vriteio/vrite prior to 0.3.0.
npm
No PRs yet
Improper Input Validation in vriteio/vrite
GHSA-44ff-9w4f-99w6 CVE-2023-5571 MODERATE about 2 years ago
Improper Input Validation in GitHub repository vriteio/vrite prior to 0.3.0.
npm
No PRs yet
Server-Side Request Forgery (SSRF) in vriteio/vrite
GHSA-w35p-wxwj-rcm9 CVE-2023-5572 CRITICAL about 2 years ago
Server-Side Request Forgery (SSRF) in GitHub repository vriteio/vrite prior to 0.3.0.
npm
No PRs yet
Cache variables with the operations when transforms exist on the root level even if variables change in the further requests with the same operation
GHSA-rr4x-crhf-8886 CVE-2025-27097 MODERATE about 2 years ago
When you have transforms on the root level or single source with transforms, and the client sends the same query with different variables, the init...
npm
No PRs yet
Uptime Kuma has Persistent User Sessions
GHSA-g9v2-wqcj-j99g CVE-2023-44400 HIGH about 2 years ago
# Summary
Attackers with access to a user's device can gain persistent account access.
This is caused by missing verification of Session Tokens af...
npm
No PRs yet
Code injection in fsevents
GHSA-8r6j-v8pm-fqw3 CVE-2023-45311 CRITICAL about 2 years ago
fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary...
npm
No PRs yet
Prototype Pollution in NASA Open MCT
GHSA-4xcx-cwrq-w792 CVE-2023-45282 HIGH about 2 years ago
NASA Open MCT (aka openmct) before commit 545a177 is subject to prototype pollution, which can occur via an import action.
npm
No PRs yet
Zod denial of service vulnerability during email validation
GHSA-mvrp-3cvx-c325 HIGH about 2 years ago
### Impact
API servers running `express-zod-api` having:
- version of `express-zod-api` below `10.0.0-beta1`,
- and using the following (or simil...
npm
No PRs yet
static-server Path Traversal vulnerability
GHSA-v834-rhv4-65m3 CVE-2023-26152 HIGH about 2 years ago
All versions of the package static-server are vulnerable to Directory Traversal due to improper input sanitization passed via the `validPath` funct...
npm
No PRs yet
PostCSS line return parsing error
GHSA-7fh5-64p2-3v2j CVE-2023-44270 MODERATE about 2 years ago
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\r...
npm
1196 Dependabot PRs, 10% merged
Zod denial of service vulnerability
GHSA-m95q-7qp3-xv42 CVE-2023-4316 MODERATE about 2 years ago
Zod version 3.22.2 allows an attacker to perform a denial of service while validating emails.
npm
1 Dependabot PR
Electron affected by libvpx's heap buffer overflow in vp8 encoding
GHSA-qqvq-6xgj-jw8g CVE-2023-5217 HIGH about 2 years ago
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially ...
npm
43 Dependabot PRs, 12% merged
quill-mention Cross-site Scripting vulnerability
GHSA-jgw5-rp4p-qhp6 CVE-2023-26149 MODERATE about 2 years ago
Versions of the package quill-mention before 4.0.0 are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization, via the re...
npm
No PRs yet
@napi-rs/image affected by libwebp CVE
GHSA-4vjr-crvh-383h HIGH about 2 years ago
### Impact
Heap buffer overflow in `libwebp` allows a remote attacker to perform an out of bounds memory write via a crafted webp image.
### Refer...
npm
No PRs yet
Chaijs/get-func-name vulnerable to ReDoS
GHSA-4q6p-r6v2-jvc5 CVE-2023-43646 HIGH about 2 years ago
The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks. The r...
npm
148 Dependabot PRs, 9% merged
FUXA SQL Injection vulnerability
GHSA-v9q5-9crp-92f9 CVE-2023-31717 HIGH about 2 years ago
A SQL Injection attack in FUXA <= 1.1.12 allows exfiltration of confidential information from the database.
npm
No PRs yet
FUXA local file inclusion vulnerability
GHSA-wwfj-h843-3hrq CVE-2023-31718 HIGH about 2 years ago
FUXA <= 1.1.12 is vulnerable to Local File Inclusion via `/api/download`.
npm
No PRs yet
FUXA SQL Injection vulnerability
GHSA-p46g-8c3q-89p2 CVE-2023-31719 CRITICAL about 2 years ago
FUXA <= 1.1.12 is vulnerable to SQL Injection via `/api/signin`.
npm
No PRs yet
FUXA vulnerable to Local File Inclusion
GHSA-45c3-c4c3-8rqg CVE-2023-31716 HIGH about 2 years ago
FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log.
npm
No PRs yet
systeminformation SSID Command Injection Vulnerability
GHSA-gx6r-qc2v-3p3v CVE-2023-42810 CRITICAL about 2 years ago
### Impact
SSID Command Injection Vulnerability
### Patches
The problem was fixed with a parameter check. Please upgrade to version >= 5.21.7, Version...
npm
No PRs yet
Improper Input Validation in nocodb
GHSA-xrpm-hccg-28x7 CVE-2023-5104 MODERATE about 2 years ago
Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.
npm
No PRs yet