An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
GHSA-353f-5xf4-qw67 CVE-2023-34092 HIGH over 2 years ago
The issue involves a security vulnerability in Vite where the server options can be bypassed using a double forward slash (`//`). This vulnerabilit...
npm
No PRs yet
Phishing attack vulnerability by uploading malicious HTML file
GHSA-9prm-jqwx-45x9 CVE-2023-32689 MODERATE over 2 years ago
### Impact Phishing attack vulnerability by uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public AP...
npm
No PRs yet
proxy denial of service vulnerability
GHSA-mj6p-3pc9-wf5m CVE-2023-2968 MODERATE over 2 years ago
A remote attacker can trigger a denial of service in the `socket.remoteAddress` variable, by sending a crafted HTTP request. Usage of the undefined...
npm
No PRs yet
antfu/utils vulnerable to prototype pollution
GHSA-p2fh-2h23-6grg CVE-2023-2972 MODERATE over 2 years ago
Prototype Pollution in GitHub repository antfu/utils prior to 0.7.3.
npm
No PRs yet
keep-module-latest vulnerable to Command Injection due to missing input sanitization
GHSA-wxrx-pc44-rcgc CVE-2023-26128 HIGH over 2 years ago
All versions of the package keep-module-latest are vulnerable to Command Injection due to missing input sanitization or other checks and sandboxes ...
npm
No PRs yet
bwm-ng vulnerable to command injection
GHSA-8vw3-vxmj-h43w CVE-2023-26129 HIGH over 2 years ago
All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js ...
npm
No PRs yet
n158 vulnerable to Command Injection due to improper input sanitization in the 'module.exports' function
GHSA-549h-r7g9-2qpf CVE-2023-26127 HIGH over 2 years ago
All versions of the package n158 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports' function. **Note:*...
npm
No PRs yet
html inputs of type password recorded in plaintext when converted to text inputs
GHSA-9qpj-qq2r-5mcc CVE-2023-33187 MODERATE over 2 years ago
### Impact Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Pa...
npm
No PRs yet
Malware in pre-build binaries of bignum
GHSA-7cgc-fjv4-52x6 CRITICAL over 2 years ago
### Impact bignum releases from v0.12.2 to v0.13.0 (inclusive) used node-pre-gyp to optionally download pre-built binary versions of the addon. Th...
npm
No PRs yet
Insufficient validation when decoding a Socket.IO packet
GHSA-cqmj-92xf-r6r9 CVE-2023-32695 MODERATE over 2 years ago
### Impact A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. ``` ...
npm
No PRs yet
Potential for cross-site scripting in PostHog-js
GHSA-8775-5hwv-wr6v CVE-2023-32325 MODERATE over 2 years ago
### Impact Potential for cross-site scripting in `posthog-js`. ### Patches The problem has been patched in `posthog-js` version 1.57.2. ### Wor...
npm
No PRs yet
Invalid push request payload crashes Parse Server
GHSA-mxhg-rvwx-x993 CVE-2023-32688 MODERATE over 2 years ago
### Impact The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. ### Patches Invalid push notificati...
npm
No PRs yet
Double spend in snarkjs
GHSA-xp5g-jhg3-3rg2 CVE-2023-33252 HIGH over 2 years ago
iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.
npm
No PRs yet
vm2 vulnerable to Inspect Manipulation
GHSA-p5gc-c584-jj6v CVE-2023-32313 MODERATE over 2 years ago
In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. ...
npm
No PRs yet
vm2 Sandbox Escape vulnerability
GHSA-whpj-8f3w-67p5 CVE-2023-32314 CRITICAL over 2 years ago
A sandbox escape vulnerability exists in vm2 for versions up to 3.9.17. It abuses an unexpected creation of a host object based on the specificatio...
npm
No PRs yet
Buffer under-read in workerd
GHSA-8vx6-69vg-c46f CVE-2023-2512 MODERATE over 2 years ago
### Impact Prior to version v1.20230419.0, the FormData API implementation was subject to an integer overflow. If a FormData instance contained mor...
npm
No PRs yet
n8n Privilege Escalation vulnerability
GHSA-97cp-mr4m-9mcf CVE-2023-27563 HIGH over 2 years ago
The n8n package prior to 0.216.1 for Node.js allows Escalation of Privileges.
npm
No PRs yet
n8n Directory Traversal vulnerability
GHSA-p58x-7733-vp9m CVE-2023-27562 MODERATE over 2 years ago
The n8n package prior to version 0.216.1 for Node.js allows Directory Traversal.
npm
No PRs yet
n8n Information Disclosure vulnerability
GHSA-r9xw-p7wj-w792 CVE-2023-27564 HIGH over 2 years ago
The n8n package prior to 0.216.1 for Node.js allows Information Disclosure.
npm
No PRs yet
m.static Directory Traversal vulnerability
GHSA-vcxh-qvgr-9fw9 CVE-2023-26126 HIGH over 2 years ago
All versions of the package m.static are vulnerable to Directory Traversal due to improper input sanitization of the path being requested via the `...
npm
No PRs yet
jsreport vulnerable to code injection
GHSA-g7rj-q722-245g CVE-2023-2583 CRITICAL over 2 years ago
jsreport prior to 3.11.3 had a version of vm2 vulnerable to CVE-2023-29017 hard coded in the package.json of the jsreport-core component. An attack...
npm
No PRs yet
Path Traversal in Ghost
GHSA-wf7x-fh6w-34r6 CVE-2023-32235 HIGH over 2 years ago
Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory trav...
npm
No PRs yet
Cross-site scripting in TotalJS
GHSA-jj45-24rw-v6jw CVE-2023-30094 MODERATE over 2 years ago
A stored cross-site scripting (XSS) vulnerability in TotalJS allows attackers to execute arbitrary web scripts or HTML via a crafted payload inject...
npm
No PRs yet
Ghost vulnerable to information disclosure of private API fields
GHSA-r97q-ghch-82j9 CVE-2023-31133 HIGH over 2 years ago
### Impact Due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attac...
npm
No PRs yet
engine.io Uncaught Exception vulnerability
GHSA-q9mw-68c2-j6m5 CVE-2023-31125 MODERATE over 2 years ago
### Impact A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. ``` Type...
npm
No PRs yet
@mittwald/kubernetes's secret contents leaked via debug logging
GHSA-g35x-j6jj-8g7j MODERATE over 2 years ago
### Impact When debug logging is enabled (via `DEBUG` environment variable), the Kubernetes client may log all response bodies into the debug log ...
npm
No PRs yet
appium-desktop OS Command Injection vulnerability
GHSA-xq6j-x8pq-g3gr CVE-2023-2479 CRITICAL over 2 years ago
appium-desktop v1.14.1 and prior is vulnerable to OS Command Injection.
npm
No PRs yet
editor.md vulnerable to Cross-site Scripting
GHSA-847g-34c5-vvm8 CVE-2023-29641 MODERATE over 2 years ago
Cross Site Scripting (XSS) vulnerability in pandao editor.md through 1.5.0 allows attackers to inject arbitrary web script or HTML via crafted markdow...
npm
No PRs yet
Possible prototype pollution in metadata record, when using meta decorator
GHSA-wwxh-74fx-33c6 CVE-2023-30857 LOW over 2 years ago
### Impact Possible prototype pollution for the `MetadataRecord`, when merged with a base class' metadata object, in `meta` decorator from the `@a...
npm
No PRs yet
Potential leak of authentication data to 3rd parties
GHSA-558p-m34m-vpmq CVE-2023-30846 CRITICAL over 2 years ago
### Impact Users of typed-rest-client library version 1.7.3 or lower are vulnerable to leak authentication data to 3rd parties. The flow of the v...
npm
No PRs yet
Prototype Pollution in vConsole
GHSA-f737-3fh6-jf6w CVE-2023-30363 CRITICAL over 2 years ago
vConsole was discovered to contain a prototype pollution due to incorrect key and value resolution in setOptions in core.ts.
npm
No PRs yet
Hidden fields can be leaked on readable collections in Payload
GHSA-35jj-vqcf-f2jf CVE-2023-30843 HIGH over 2 years ago
### Details If a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer tho...
npm
No PRs yet
@builder.io/qwik-city Cross-Site Request Forgery vulnerability
GHSA-c54w-7j5f-xg98 CVE-2023-2307 MODERATE over 2 years ago
Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0.
npm
No PRs yet
HTML injection in search results via plaintext message highlighting
GHSA-xv83-x443-7rmw CVE-2023-30609 HIGH over 2 years ago
### Impact Plain text messages containing HTML tags are rendered as HTML in the search results. To exploit this, an attacker needs to trick a user ...
npm
No PRs yet
Remote code execution in broccoli-compass
GHSA-wq8f-xmq3-5vq9 CVE-2023-27848 CRITICAL over 2 years ago
broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.
npm
No PRs yet
Remote code execution in dawnsparks-node-tesseract
GHSA-88qf-5f3v-pm6m CVE-2023-29566 CRITICAL over 2 years ago
dawnsparks-node-tesseract before 0.4.1 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.
npm
No PRs yet
Uncaught Exception in yaml
GHSA-f9xv-q969-pqx4 CVE-2023-2251 HIGH over 2 years ago
Uncaught Exception in GitHub repository eemeli/yaml starting at version 2.0.0-5 and prior to 2.2.2.
npm
83 Dependabot PRs, 13% merged
Prototype Pollution in sheetJS
GHSA-4r6h-8v6p-xvw6 CVE-2023-30533 HIGH over 2 years ago
All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read ...
npm
No PRs yet
Expo SDK has an OAuth vulnerability
GHSA-wr5g-q49g-548w CVE-2023-28131 CRITICAL over 2 years ago
A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured t...
npm
No PRs yet
Session fixation in fastify-passport
GHSA-4m3m-ppvx-xgw9 CVE-2023-29019 HIGH over 2 years ago
Applications using `@fastify/passport` for user authentication, in combination with `@fastify/session` as the underlying session management mechani...
npm
No PRs yet
CSRF token fixation in fastify-passport
GHSA-2ccf-ffrj-m4qw CVE-2023-29020 MODERATE over 2 years ago
The [CSRF](https://owasp.org/www-community/attacks/csrf) protection enforced by the `@fastify/csrf-protection` library, when combined with `@fastif...
npm
No PRs yet
Nunjucks autoescape bypass leads to cross site scripting
GHSA-x77j-w7wf-fjmw CVE-2023-2142 MODERATE over 2 years ago
### Impact In Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionali...
npm
71 Dependabot PRs, 15% merged
Bypass of CSRF protection in the presence of predictable userInfo
GHSA-qrgf-9gpc-vrxw CVE-2023-27495 MODERATE over 2 years ago
## Description The [CSRF](https://owasp.org/www-community/attacks/csrf) protection enforced by the `@fastify/csrf-protection` library in combinatio...
npm
No PRs yet
Path traversal vulnerability in gatsby-plugin-sharp
GHSA-h2pm-378c-pcxx CVE-2023-30548 MODERATE over 2 years ago
### Impact The gatsby-plugin-sharp plugin prior to versions 5.8.1 and 4.25.1 contains a path traversal vulnerability exposed when running the Gats...
npm
No PRs yet
vm2 Sandbox Escape vulnerability
GHSA-ch3r-j5x3-6q2m CVE-2023-30547 CRITICAL over 2 years ago
There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception ...
npm
No PRs yet
GovernorCompatibilityBravo may trim proposal calldata
GHSA-93hq-5wgc-jc82 CVE-2023-30542 HIGH over 2 years ago
### Impact The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array...
npm
No PRs yet
eslint-detailed-reporter vulnerable to cross-site scripting
GHSA-4xr4-89m5-46c7 CVE-2022-4942 LOW over 2 years ago
A vulnerability was found in mportuga eslint-detailed-reporter up to 0.9.0 and classified as problematic. Affected by this issue is the function re...
npm
No PRs yet
Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin
GHSA-2h87-4q2w-v4hf CVE-2023-22621 CRITICAL over 2 years ago
### Summary Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the...
npm
No PRs yet
Strapi leaking sensitive user information by filtering on private fields
GHSA-jjqf-j4w7-92w8 CVE-2023-22894 HIGH over 2 years ago
### Summary Strapi through 4.7.1 allows unauthenticated attackers to discover sensitive user details for Strapi administrators and API users. ###...
npm
No PRs yet
Strapi does not verify the access or ID tokens issued during the OAuth flow
GHSA-583x-23h9-f5w7 CVE-2023-22893 MODERATE over 2 years ago
Strapi 3.2.1 until 4.6.0 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authe...
npm
No PRs yet