An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

`chainId` may be outdated if user changes chains as part of connection in @web3-react
GHSA-8pf3-6fgr-3g3g CVE-2023-30543 MODERATE over 2 years ago
Impact: `chainId` may be outdated if the user changes chains as part of the connection flow. This means that the value of `chainId` returned by ...
npm
No PRs yet
Authentication Bypass in @strapi/plugin-users-permissions
GHSA-xv3q-jrmm-4fxv HIGH over 2 years ago
Summary: Strapi through 4.5.6 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used ...
npm
No PRs yet
@nuxtlabs/github-module made Use of Hard-coded Credentials
GHSA-fp2w-g92g-fgq4 CVE-2023-2138 CRITICAL over 2 years ago
https://nuxt.com had a hardcoded GitHub token in the source code of the page. This token had access to multiple repositories under `nuxt`, `nuxtlab...
npm
No PRs yet
OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated
GHSA-mx2q-35m2-x2rh CVE-2023-30541 MODERATE over 2 years ago
Impact: A function in the implementation contract may be inaccessible if its selector clashes with one of the proxy's own selectors. Specifical...
npm
No PRs yet
matrix-js-sdk vulnerable to invisible eavesdropping in group calls
GHSA-6g67-q39g-r79q CVE-2023-29529 MODERATE over 2 years ago
Impact: An attacker present in a room where an [MSC3401](https://github.com/matrix-org/matrix-spec-proposals/pull/3401) group call is taking pl...
npm
No PRs yet
vm2 Sandbox Escape vulnerability
GHSA-xj72-wvfv-8985 CVE-2023-29199 CRITICAL over 2 years ago
There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypa...
npm
No PRs yet
safe-eval vulnerable to Sandbox Bypass due to improper input sanitization
GHSA-79xf-67r4-q2jj CVE-2023-26122 CRITICAL over 2 years ago
All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from protot...
npm
No PRs yet
safe-eval vulnerable to Prototype Pollution via the safeEval function
GHSA-hcg3-56jf-x4vh CVE-2023-26121 CRITICAL over 2 years ago
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper sanitization of its paramete...
npm
No PRs yet
vm2 vulnerable to sandbox escape
GHSA-7jxr-cg7f-gpgv CVE-2023-29017 CRITICAL over 2 years ago
vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. - vm2 version: ~3.9.14 - Node ve...
npm
No PRs yet
SvelteKit framework has Insufficient CSRF protection for CORS requests
GHSA-gv7g-x59x-wf8f CVE-2023-29008 HIGH over 2 years ago
Summary: The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containin...
npm
4 Dependabot PRs, 33% merged
xml2js is vulnerable to prototype pollution
GHSA-776f-qx25-q3cc CVE-2023-0842 MODERATE over 2 years ago
xml2js versions before 0.5.0 allow an external attacker to edit or add new properties to an object. This is possible because the application does ...
npm
2 Dependabot PRs
markdown-pdf vulnerable to local file read via server side cross-site scripting (XSS)
GHSA-qghr-877h-f9jh CVE-2023-0835 HIGH over 2 years ago
markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not...
npm
No PRs yet
SvelteKit vulnerable to Cross-Site Request Forgery
GHSA-5p75-vc5g-8rv2 CVE-2023-29003 HIGH over 2 years ago
Summary: The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a `+server.js` file, containin...
npm
3 Dependabot PRs, 33% merged
Pandao Editor.md vulnerable to cross-site scripting (XSS) in iframe src parameter
GHSA-w974-rq9x-mh3v CVE-2020-19697 MODERATE over 2 years ago
Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script in the...
npm
No PRs yet
Directus API vulnerable to denial of service
GHSA-3gvp-54v2-2jrp CVE-2020-19850 MODERATE over 2 years ago
An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a large volume of HTTP requests.
npm
No PRs yet
Pandao Editor.md vulnerable to cross-site scripting (XSS) in editor parameter
GHSA-5p84-mmh9-pxgr CVE-2020-19698 MODERATE over 2 years ago
Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the...
npm
No PRs yet
Prototype pollution in matrix-js-sdk (part 2)
GHSA-mwq8-fjpf-c2gr CVE-2023-28427 HIGH over 2 years ago
Impact: In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the `Ob...
npm
No PRs yet
angular vulnerable to regular expression denial of service via the angular.copy() utility
GHSA-2vrf-hf26-jrp5 CVE-2023-26116 MODERATE over 2 years ago
All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to t...
npm
No PRs yet
angular vulnerable to regular expression denial of service via the $resource service
GHSA-2qqx-w9hr-q5gx CVE-2023-26117 MODERATE over 2 years ago
All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an...
npm
No PRs yet
angular vulnerable to regular expression denial of service via the <input type="url"> element
GHSA-qwqh-hm9m-p5hr CVE-2023-26118 MODERATE over 2 years ago
All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the us...
npm
No PRs yet
Prototype pollution in matrix-react-sdk
GHSA-6g43-88cp-w5gv CVE-2023-28103 HIGH over 2 years ago
Impact: In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the `Obj...
npm
No PRs yet
matrix-react-sdk Prototype pollution vulnerability
GHSA-2x9c-qwgf-94xr CVE-2022-36060 HIGH over 2 years ago
Impact: Events sent with special strings in key places can temporarily disrupt or impede the matrix-react-sdk from functioning properly, such as...
npm
No PRs yet
matrix-js-sdk Prototype Pollution vulnerability
GHSA-rfv9-x7hh-xc32 CVE-2022-36059 HIGH over 2 years ago
Impact: Events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentiall...
npm
No PRs yet
angular-server-side-configuration information disclosure vulnerability in monorepo with node.js backend
GHSA-gwvm-vrp4-4pp5 CVE-2023-28444 CRITICAL over 2 years ago
Impact: angular-server-side-configuration detects used environment variables in TypeScript (.ts) files during build time of an Angular CLI proje...
npm
No PRs yet
directus vulnerable to Insertion of Sensitive Information into Log File
GHSA-8vg2-wf3q-mwv7 CVE-2023-28443 MODERATE over 2 years ago
Summary: CWE-532: Insertion of Sensitive Information into Log File discovered in v9.23.1. The `directus_refresh_token` is not redacted properly...
npm
No PRs yet
code-server vulnerable to Missing Origin Validation in WebSockets
GHSA-frjg-g767-7363 CVE-2023-26114 CRITICAL over 2 years ago
Versions of the package code-server before 4.10.1 are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerabili...
npm
No PRs yet
Collection.js vulnerable to Prototype Pollution
GHSA-47pj-q2vm-46xc CVE-2023-26113 HIGH over 2 years ago
Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the `extend` function in `Collection.js/dist/node/iter...
npm
No PRs yet
Server-Side Request Forgery in Request
GHSA-p8p7-x288-28g6 CVE-2023-28155 MODERATE over 2 years ago
The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attack...
npm
5 Dependabot PRs, 20% merged
Arbitrary local file read vulnerability during template rendering
GHSA-2rq5-699j-x7p6 CVE-2023-25345 HIGH over 2 years ago
Directory traversal vulnerability in swig-templates thru 2.0.4 and swig thru 1.4.2, allows attackers to read arbitrary files via the include or ext...
npm
No PRs yet
Missing proper state, nonce and PKCE checks for OAuth authentication
GHSA-7r7x-4c4q-c4qf CVE-2023-27490 HIGH over 2 years ago
Impact: `next-auth` applications using OAuth provider versions before `v4.20.1` are affected. A bad actor who can spy on the victim's network o...
npm
No PRs yet
sqlite vulnerable to code execution due to Object coercion
GHSA-jqv5-7xpx-qj74 CVE-2022-43441 HIGH over 2 years ago
Impact: Due to the underlying implementation of `.ToString()`, it's possible to execute arbitrary JavaScript, or to achieve a denial-of-service...
npm
No PRs yet
Cross-realm object access in Webpack 5
GHSA-hc6q-2mpp-qw7j CVE-2023-28154 CRITICAL over 2 years ago
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who contr...
npm
29 Dependabot PRs, 3% merged
stoqey/gnuplot is vulnerable to command injection
GHSA-795w-7426-m94j CVE-2021-33360 CRITICAL over 2 years ago
An issue found in Stoqey gnuplot v.0.0.3 and earlier allows attackers to execute arbitrary code via the src/index.ts, plotCallack, child_process, a...
npm
No PRs yet
node-bluetooth is vulnerable to Buffer Overflow via the findSerialPortChannel method due to improper user input length validation
GHSA-cxx3-36qc-m6qm CVE-2023-26110 CRITICAL over 2 years ago
All versions of the package node-bluetooth are vulnerable to Buffer Overflow via the findSerialPortChannel method due to improper user input length...
npm
No PRs yet
node-bluetooth-serial-port is vulnerable to Buffer Overflow via the findSerialPortChannel
GHSA-9jh3-4pc9-hq29 CVE-2023-26109 CRITICAL over 2 years ago
All versions of the package node-bluetooth-serial-port are vulnerable to Buffer Overflow via the findSerialPortChannel method due to improper user ...
npm
No PRs yet
builderio/qwik is vulnerable to code injection
GHSA-9wf9-qvvp-2929 CVE-2023-1283 CRITICAL over 2 years ago
Code Injection in GitHub repository builderio/qwik prior to 0.21.0. The Function deserializer can be accessed using the pureServerFunction feature....
npm
No PRs yet
Directus vulnerable to extraction of password hashes through export querying
GHSA-m5q3-8wgf-x8xf CVE-2023-27481 MODERATE over 2 years ago
Impact: Users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export f...
npm
No PRs yet
directus vulnerable to HTML Injection in Password Reset email to custom Reset URL
GHSA-4hmq-ggrm-qfc6 CVE-2023-27474 HIGH over 2 years ago
Impact: Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the re...
npm
No PRs yet
SketchSVG Arbitrary Code Injection vulnerability
GHSA-6722-xvq8-3254 CVE-2023-26107 HIGH over 2 years ago
All versions of the package sketchsvg are vulnerable to Arbitrary Code Injection when invoking `shell.exec` without sanitization nor parametrizatio...
npm
No PRs yet
node-static and @nubosoftware/node-static vulnerable to Directory Traversal
GHSA-5g97-whc9-8g7j CVE-2023-26111 HIGH over 2 years ago
node-static and its fork, @nubosoftware/node-static, are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith...
npm
No PRs yet
@nestjs/core vulnerable to Information Exposure via StreamableFile pipe
GHSA-4jpv-8r57-pv7j CVE-2023-26108 MODERATE over 2 years ago
Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. Exploiting this vulnerability...
npm
No PRs yet
dot-lens vulnerable to Prototype Pollution
GHSA-rmhg-2cvv-q7vx CVE-2023-26106 HIGH over 2 years ago
All versions of the package dot-lens are vulnerable to Prototype Pollution via the `set()` function in `index.js` file.
npm
No PRs yet
json-logic-js Command Injection vulnerability
GHSA-67j4-2mh6-8627 CVE-2021-4329 CRITICAL over 2 years ago
A vulnerability, which was classified as critical, has been found in json-logic-js 2.0.0. Affected by this issue is some unknown functionality of t...
npm
No PRs yet
Directus vulnerable to Server-Side Request Forgery On File Import
GHSA-j3rg-3rgm-537h CVE-2023-26492 MODERATE over 2 years ago
Summary: Directus versions <=9.22.4 are vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to ...
npm
No PRs yet
OpenZeppelin Contracts contains Incorrect Calculation
GHSA-878m-3g6q-594q CVE-2023-26488 MODERATE over 2 years ago
Impact: The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a ...
npm
1 Dependabot PR
Vega vulnerable to arbitrary code execution when clicking href links
GHSA-cp47-r258-q626 MODERATE over 2 years ago
Vega is vulnerable to arbitrary code execution when clicking href links. Versions 5.4.1 and 4.5.1 contain a patch.
npm
No PRs yet
keycloak-connect contains Open redirect vulnerability in the Node.js adapter
GHSA-59fq-727j-hm3f CVE-2022-2237 MODERATE over 2 years ago
There is an Open Redirect vulnerability in the Node.js adapter when forwarding requests to Keycloak using `checkSSO` with query param `prompt=none`.
npm
No PRs yet
Vega Expression Language `scale` expression function Cross Site Scripting
GHSA-4vq7-882g-wcg4 CVE-2023-26486 MODERATE over 2 years ago
Summary: The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploit...
npm
No PRs yet
Vega has Cross-site Scripting vulnerability in `lassoAppend` function
GHSA-w5m3-xh75-mp55 CVE-2023-26487 MODERATE over 2 years ago
Summary: Vega's `lassoAppend` function: `lassoAppend` accepts 3 arguments and internally invokes `push` function on the 1st argument specifying...
npm
No PRs yet
rsshub vulnerable to Cross-site Scripting via unvalidated URL parameters
GHSA-32gr-4cq6-5w5q CVE-2023-26491 MODERATE almost 3 years ago
Impact: When the URL parameters contain certain special characters, it returns an error page that does not properly handle XSS vulnerabilities,...
npm
No PRs yet