Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total advisories: 24,785
With Dependabot PRs: 1,792
Critical severity: 3,506
High severity: 8,617
Imperative CLI vulnerable to Command Injection
GHSA-6q8m-42qq-64r7 CVE-2021-4326 LOW almost 3 years ago
A vulnerability in Imperative framework which allows already-privileged local actors to execute arbitrary shell commands via plugin install/update ...
npm
No PRs yet
mde utilities contains Prototype Pollution
GHSA-wxfj-84xf-7gxv CVE-2023-26105 HIGH almost 3 years ago
All versions of the package utilities are vulnerable to Prototype Pollution via the _mix function.
npm
No PRs yet
Denial of Service vulnerability in lite-web-server
GHSA-8237-3q5g-99fv CVE-2023-26104 HIGH almost 3 years ago
All versions of the package lite-web-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control c...
npm
No PRs yet
ecdh vulnerable to Exposure of Resource to Wrong Sphere
GHSA-p2hp-3wv3-4w74 CVE-2022-44310 HIGH almost 3 years ago
In Development IL ecdh before 0.2.0, an attacker can send an invalid point (not on the curve) as the public key, and obtain the derived shared secret.
npm
No PRs yet
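The ecdh advisory above describes the classic invalid-curve attack: a peer public key that is not a point on the curve is accepted and the shared secret computed with it leaks information about the private scalar. The defence is to validate the point before any scalar multiplication. The following is an added example, not code from the ecdh package: it decodes an SEC1 uncompressed P-256 point and checks that both coordinates are field elements and satisfy the curve equation y^2 = x^3 - 3x + b (mod p). The curve constants are the standard NIST P-256 parameters; the hex encodings and helper names are this example's own.

```javascript
// Added example (not the ecdh package's code): reject a peer public key that is
// not a point on P-256 before it reaches ECDH. BigInt arithmetic throughout.
const P256 = {
  p: 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn,
  // a = -3 (reduced as p - 3 when used); b is the standard P-256 constant
  b: 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn,
  gx: 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296n,
  gy: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n,
};

function mod(x, m) { const r = x % m; return r < 0n ? r + m : r; }

// SEC1 uncompressed encoding as a hex string: 0x04 || X (32 bytes) || Y (32 bytes).
// Anything else (compressed, hybrid, wrong length, point at infinity) is refused.
function decodeUncompressedPoint(hex) {
  if (typeof hex !== 'string' || !/^[0-9a-f]+$/i.test(hex)) return null;
  if (hex.length !== 2 + 64 + 64 || hex.slice(0, 2) !== '04') return null;
  return { x: BigInt('0x' + hex.slice(2, 66)), y: BigInt('0x' + hex.slice(66)) };
}

// The actual invalid-curve check: coordinates in [0, p) and y^2 == x^3 - 3x + b (mod p).
function isOnCurve(pt, curve = P256) {
  if (!pt) return false;
  const { p, b } = curve;
  const { x, y } = pt;
  if (x < 0n || x >= p || y < 0n || y >= p) return false;
  const lhs = mod(y * y, p);
  const rhs = mod(x * x * x - 3n * x + b, p);
  return lhs === rhs;
}

// Gate that an ECDH implementation should call on every received public key.
// P-256 has cofactor 1, so an on-curve finite point is already in the prime-order
// group; curves with cofactor > 1 would additionally need a subgroup check.
function validatePeerPublicKey(hex) {
  const pt = decodeUncompressedPoint(hex);
  if (!isOnCurve(pt)) throw new Error('invalid public key: not a point on P-256');
  return pt;
}

function toHex(n) { return n.toString(16).padStart(64, '0'); }

// Constructed inputs: the P-256 generator (valid) and a point with the same x but
// y+1 (not on the curve), which is the kind of value an attacker would send.
const GENERATOR_HEX = '04' + toHex(P256.gx) + toHex(P256.gy);
const INVALID_HEX = '04' + toHex(P256.gx) + toHex(P256.gy + 1n);
```

Run the check before the scalar multiplication, not after: once the private scalar has been multiplied against an off-curve point the damage is done, and a few such exchanges are enough to recover the key.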
Sequelize - Default support for “raw attributes” when using parentheses
GHSA-f598-mfpv-gmfx CVE-2023-22578 CRITICAL almost 3 years ago
### Impact
Sequelize 6.28.2 and prior has a dangerous feature where using parentheses in the attribute option would make Sequelize use the string ...
npm
Dependabot PRs: 115 (8% merged)
@braintree/sanitize-url Cross-site Scripting vulnerability
GHSA-q8gg-vj6m-hgmj CVE-2022-48345 MODERATE almost 3 years ago
sanitize-url (aka @braintree/sanitize-url) before 6.0.1 allows XSS via HTML entities.
npm
No PRs yet
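The sanitize-url advisory above is about a scheme check that runs on the raw string while the browser decodes HTML entities in the attribute first, so `javascript&colon;alert(1)` passes the filter and becomes `javascript:alert(1)` in the rendered href. The following is an added example and not @braintree/sanitize-url's code: it shows the naive check beside a sanitizer that decodes entities and strips control characters before matching the scheme against an allowlist. The named-entity table is a small constructed subset, and `SAFE_SCHEMES` is this example's own policy.

```javascript
// Added example (not @braintree/sanitize-url's code). Decode what the HTML parser
// would decode, then decide on the scheme; otherwise entity-encoded schemes slip by.

// Constructed subset of named entities that can hide a scheme separator.
const NAMED_ENTITIES = { colon: ':', tab: '\t', newline: '\n', sol: '/', lpar: '(', rpar: ')' };

function codePointOr(n, fallback) {
  return Number.isFinite(n) && n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : fallback;
}

function decodeHtmlEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (m, hex) => codePointOr(parseInt(hex, 16), m))
    .replace(/&#(\d+);?/g, (m, dec) => codePointOr(parseInt(dec, 10), m))
    .replace(/&([a-z]+);?/gi, (m, name) => NAMED_ENTITIES[name.toLowerCase()] ?? m);
}

const SAFE_SCHEMES = ['http:', 'https:', 'mailto:', 'tel:'];
const BLANK = 'about:blank';

// The shape of the vulnerable check: a denylist applied to the raw, undecoded string.
function naiveSanitizeUrl(url) {
  const t = url.trim().toLowerCase();
  const bad = t.startsWith('javascript:') || t.startsWith('data:') || t.startsWith('vbscript:');
  return bad ? BLANK : url;
}

// Hardened: decode entities, drop C0 controls and whitespace that browsers ignore
// inside a scheme, then allowlist the scheme. Relative URLs (no scheme) pass through.
function sanitizeUrl(url) {
  let decoded = decodeHtmlEntities(String(url));
  decoded = decoded.replace(/[\u0000-\u001F\u007F]/g, '').trim();
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(decoded);
  if (!m) return decoded;
  return SAFE_SCHEMES.includes(m[1].toLowerCase() + ':') ? decoded : BLANK;
}
```

The hardened version returns the decoded form of an accepted URL, so the value you store is the one the browser will actually navigate to; compare against that, not the raw input, in any later policy check.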
rangy vulnerable to Prototype Pollution
GHSA-65rp-mhqf-8gj3 CVE-2023-26102 HIGH almost 3 years ago
All versions of the package rangy are vulnerable to Prototype Pollution when using the `extend()` function in file `rangy-core.js`.The function use...
npm
Dependabot PRs: 4
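Both the rangy `extend()` advisory and the mde utilities `_mix` advisory above describe the same defect: a recursive merge that follows whatever keys the source object carries, including `__proto__`, and so writes into `Object.prototype`. The following is an added example, not code from either package: a merge written the way those advisories describe, beside a hardened merge that skips prototype-reaching keys and only follows own properties. The payload and the `demo` harness are constructed for this example.

```javascript
// Added example (not rangy's or mde utilities' code): a recursive extend() with
// the prototype-pollution defect the advisories describe, and a hardened version.

// Vulnerable shape: for...in plus unconditional recursion into target[key].
// With key === '__proto__', target[key] is Object.prototype, and the recursion
// writes the attacker's properties onto every object in the process.
function vulnerableExtend(target, src) {
  for (const key in src) {
    const val = src[key];
    if (val && typeof val === 'object' && typeof target[key] === 'object') {
      vulnerableExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: own enumerable keys only, never follow keys that reach a prototype,
// and only recurse into a nested object the target itself owns.
function safeExtend(target, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = src[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const dst = own && typeof own === 'object' ? own : (target[key] = {});
      safeExtend(dst, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed payload: JSON.parse creates an own property literally named "__proto__",
// which is exactly what arrives when untrusted JSON is fed to a merge.
const PAYLOAD = '{"__proto__": {"polluted": "yes"}}';

// Runs one merge against an empty target, then probes a fresh object. Returns what
// a fresh object sees for `polluted` ('yes' means Object.prototype was written to).
function demo(extendFn) {
  extendFn({}, JSON.parse(PAYLOAD));
  const probe = {};
  const seen = probe.polluted;
  delete Object.prototype.polluted;   // undo any pollution so later code is unaffected
  return seen;
}
```

The `constructor` and `prototype` entries in the deny-set matter because `{ "constructor": { "prototype": { ... } } }` reaches `Object.prototype` by a second route in merges that recurse through functions; skipping the three names together closes both.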
Unsafe fall-through in getWhereConditions
GHSA-vqfx-gj96-3w95 CVE-2023-22579 CRITICAL almost 3 years ago
### Impact
Providing an invalid value to the `where` option of a query caused Sequelize to ignore that option instead of throwing an error.
A fi...
npm
No PRs yet
Sequelize vulnerable to SQL Injection via replacements
GHSA-wrh9-cjv3-2hpw CVE-2023-25813 CRITICAL almost 3 years ago
### Impact
The SQL injection exploit is related to replacements. Here is such an example:
In the following query, some parameters are passed thr...
npm
No PRs yet
Versionn Command Injection Vulnerability
GHSA-fj78-2vc5-f6cm CVE-2023-25805 CRITICAL almost 3 years ago
### Impact
Command Injection Vulnerability. All versions <1.1.0 are affected.
### Patches
Please upgrade to versionn@1.1.0
npm
No PRs yet
iziModal Cross-site Scripting vulnerability
GHSA-h685-83w4-3ph3 CVE-2021-32860 MODERATE almost 3 years ago
iziModal is a modal plugin with jQuery. Versions prior to 1.6.1 are vulnerable to cross-site scripting (XSS) when handling untrusted modal titles. ...
npm
No PRs yet
Baremetrics date range picker vulnerable to Cross-site Scripting
GHSA-465f-mxxh-grc4 CVE-2021-32859 MODERATE almost 3 years ago
The Baremetrics date range picker is a solution for selecting both date ranges and single dates from a single calender view. Versions 1.0.14 and pr...
npm
No PRs yet
textAngular Cross-site Scripting vulnerability
GHSA-7h4w-6p98-r3wx CVE-2021-32854 MODERATE almost 3 years ago
textAngular is a text editor for Angular.js. Version 1.5.16 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular ...
npm
No PRs yet
Vditor Cross-site Scripting vulnerability
GHSA-vfmp-9999-6wqj CVE-2021-32855 MODERATE almost 3 years ago
Vditor is a browser-side Markdown editor. Versions prior to 3.8.7 are vulnerable to copy-paste cross-site scripting (XSS). For this particular type...
npm
No PRs yet
@claviska/jquery-minicolors vulnerable to Cross-site Scripting
GHSA-crh5-vv2v-c82q CVE-2021-32850 MODERATE almost 3 years ago
jQuery MiniColors is a color picker built on jQuery. Prior to version 2.3.6, jQuery MiniColors is prone to cross-site scripting when handling untru...
npm
No PRs yet
Erxes vulnerable to Cross-site Scripting
GHSA-g9ph-r9hc-34r8 CVE-2021-32853 MODERATE almost 3 years ago
Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in all versions. This results in client-si...
npm
No PRs yet
Mind-elixir Cross-site Scripting vulnerability
GHSA-m22q-97p5-79v2 CVE-2021-32851 MODERATE almost 3 years ago
Mind-elixir is a free, open source mind map core. Prior to version 0.18.1, mind-elixir is prone to cross-site scripting when handling untrusted men...
npm
No PRs yet
generator-hottowel Cross-site Scripting vulnerability
GHSA-f8hv-rx9p-f9r4 CVE-2016-15025 MODERATE almost 3 years ago
A vulnerability, which was classified as problematic, was found in generator-hottowel 0.0.11. Affected is an unknown function of the file app/templ...
npm
No PRs yet
Cross-site Scripting in jspreadsheet
GHSA-q82h-q47j-f492 CVE-2022-48115 MODERATE almost 3 years ago
The dropdown menu in jspreadsheet before v4.6.0 was discovered to be vulnerable to cross-site scripting (XSS).
npm
No PRs yet
CRLF Injection in Nodejs ‘undici’ via host
GHSA-5r9g-qh6m-jxff CVE-2023-23936 MODERATE almost 3 years ago
### Impact
undici library does not protect `host` HTTP header from CRLF injection vulnerabilities.
### Patches
This issue was patched in Undici ...
npm
Dependabot PRs: 30 (4% merged)
Regular Expression Denial of Service in Headers
GHSA-r6ch-mqf9-qc9w CVE-2023-24807 HIGH almost 3 years ago
### Impact
The `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted...
npm
Dependabot PRs: 30 (4% merged)
Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS)
GHSA-5h4j-qrvg-9xhw CVE-2023-25653 HIGH almost 3 years ago
### Description
When using the non-default "fallback" crypto back-end, ECC operations in `node-jose` can trigger a Denial-of-Service (DoS) conditi...
npm
Dependabot PRs: 5
Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler
GHSA-j2wh-wrv3-4x4g CVE-2025-27098 MODERATE almost 3 years ago
### Summary
Missing check vulnerability in the static file handler allows any client to access the files in the server's file system
### Details
W...
npm
No PRs yet
Sequelize information disclosure vulnerability
GHSA-8c25-f3mj-v6h8 CVE-2023-22580 MODERATE almost 3 years ago
Due to improper input filtering in the Sequelize JS library, malicious queries can lead to sensitive information disclosure.
npm
No PRs yet
Denial of service due to unlimited number of parts
GHSA-hpp2-2cr5-pf6g CVE-2023-25576 HIGH almost 3 years ago
### Impact
* The multipart body parser accepts an unlimited number of file parts.
* The multipart body parser accepts an unlimited number of field...
npm
No PRs yet
Cross site scripting Vulnerability in backstage Software Catalog
GHSA-7hv8-3fr9-j2hv CVE-2023-25571 MODERATE almost 3 years ago
### Impact
This vulnerability allows a malicious actor with access to add or modify content in an instance of the Backstage software catalog to in...
npm
No PRs yet
Cross-Site-Scripting attack on `<RichTextField>`
GHSA-5jcr-82fh-339v CVE-2023-25572 MODERATE almost 3 years ago
### Impact
All React applications built with react-admin and using the `<RichTextField>` are affected.
`<RichTextField>` outputs the field value...
npm
No PRs yet
Path traversal vulnerability in glance
GHSA-3hjh-5hgx-f5wh CVE-2022-25937 MODERATE almost 3 years ago
Versions of the package glance before 3.0.9 are vulnerable to Directory Traversal that allows users to read files outside the public root directory...
npm
No PRs yet
Regular Expression Denial of Service in simple-markdown
GHSA-j533-2g8v-pmpg CVE-2019-25102 HIGH almost 3 years ago
A vulnerability, which was classified as problematic, was found in simple-markdown 0.6.0. Affected is an unknown function of the file simple-markdo...
npm
No PRs yet
Regular Expression Denial of Service in simple-markdown
GHSA-gpvj-gp8c-c7p2 CVE-2019-25103 HIGH almost 3 years ago
A vulnerability has been found in simple-markdown 0.5.1 and classified as problematic. Affected by this vulnerability is an unknown functionality o...
npm
No PRs yet
@sideway/formula contains Regular Expression Denial of Service (ReDoS) Vulnerability
GHSA-c2jc-4fpr-4vhg CVE-2023-25166 MODERATE almost 3 years ago
### Impact
User-provided strings to formula's parser might lead to polynomial execution time.
### Patches
Users should upgrade to 3.0.1+.
### W...
npm
No PRs yet
Sensitive Information leak via Script File in TinaCMS
GHSA-pc2q-jcxq-rjrr CVE-2023-25164 HIGH almost 3 years ago
### Impact
Sensitive Information leaked via script File in TinaCMS. Sites building with @tinacms/cli >= 1.0.0 && < 1.0.9 that store sensitive valu...
npm
No PRs yet
semver-tags is vulnerable to Command Injection via the getGitTagsRemote function
GHSA-8h3g-hcwp-6hxq CVE-2022-25853 HIGH almost 3 years ago
All versions of the package semver-tags are vulnerable to Command Injection via the getGitTagsRemote function due to improper input sanitization.
npm
No PRs yet
create-choo-app3 is vulnerable to Command Injection via the devInstall function
GHSA-rj7m-2p3g-fjxg CVE-2022-25855 HIGH almost 3 years ago
All versions of the package create-choo-app3 are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization.
npm
No PRs yet
is-url Inefficient Regular Expression Complexity vulnerability
GHSA-p9w8-2mpq-49h9 CVE-2018-25079 HIGH almost 3 years ago
A vulnerability was found in Segmentio is-url up to 1.2.2. It has been rated as problematic. Affected by this issue is an unknown functionality of ...
npm
No PRs yet
Jellyfin Web Cross-Site Scripting (XSS) via Playlist Name
GHSA-2h5r-cqfc-45v6 CVE-2023-23636 MODERATE almost 3 years ago
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the loca...
npm
No PRs yet
Jellyfin Web Cross-Site Scripting (XSS) via Collection Name
GHSA-749c-pc87-4qcw CVE-2023-23635 MODERATE almost 3 years ago
In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the lo...
npm
No PRs yet
Switcher Client contains Regular Expression Denial of Service (ReDoS)
GHSA-wqxw-8h5g-hq56 CVE-2023-23925 HIGH almost 3 years ago
### Impact
Unsanitized input flows into Strategy match operation (EXIST), where it is used to build a regular expression. This may result in a Regu...
npm
No PRs yet
mt7688-wiscan is vulnerable to Command Injection due to improper input sanitization
GHSA-5h8c-8ccp-8gmh CVE-2022-25916 HIGH almost 3 years ago
Versions of the package mt7688-wiscan before 0.8.3 are vulnerable to Command Injection due to improper input sanitization in the 'wiscan.scan' func...
npm
No PRs yet
is-http2 vulnerable to Improper Input Validation
GHSA-2275-rpf5-xv8h CVE-2022-25906 HIGH almost 3 years ago
All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being emp...
npm
No PRs yet
XSS Attack with Express API
GHSA-xrh7-m5pp-39r6 CVE-2023-23630 HIGH almost 3 years ago
### Impact
XSS attack - anyone using the Express API is impacted
### Patches
The problem has been resolved. Users should upgrade to version 2.0.0....
npm
No PRs yet
Parse Server option `masterKeyIps` vulnerability to IP spoofing
GHSA-vm5r-c87r-pf6x CVE-2023-22474 HIGH almost 3 years ago
### Impact
Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy s...
npm
No PRs yet
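The Parse Server advisory above is about `x-forwarded-for` being believed unconditionally: when the server is not behind a proxy the header is whatever the client typed, so an allowlist such as `masterKeyIps` can be satisfied by anyone. The following is an added example and not Parse Server's code: it shows the naive "first address in X-Forwarded-For" derivation beside one that only consults the header when the TCP peer is a configured trusted proxy, and then takes the right-most address that is not itself one of our proxies. The `trustedProxies` option, the request shape and the IP addresses are assumptions constructed for this example.

```javascript
// Added example (not Parse Server's code): client-IP derivation that cannot be
// spoofed by a client-supplied X-Forwarded-For header.

// The vulnerable shape: the header wins whenever it is present.
function naiveClientIp(req) {
  const xff = req.headers['x-forwarded-for'];
  return xff ? xff.split(',')[0].trim() : req.socket.remoteAddress;
}

// Hardened. `trustedProxies` lists the addresses of reverse proxies we operate.
// If the connecting peer is not one of them, the header is untrusted and ignored.
function clientIp(req, { trustedProxies = [] } = {}) {
  const peer = req.socket.remoteAddress;       // who actually opened the connection
  const trusted = new Set(trustedProxies);
  if (!trusted.has(peer)) return peer;
  const xff = (req.headers['x-forwarded-for'] || '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  // Each trusted proxy appends the address it saw, so walk right-to-left: the
  // first address that is not one of our proxies is the client. Everything to
  // its left was already in the header when it reached us and is attacker-controlled.
  for (let i = xff.length - 1; i >= 0; i--) {
    if (!trusted.has(xff[i])) return xff[i];
  }
  return peer;   // empty header or a chain made only of our proxies
}

// The allowlist check an option like masterKeyIps would sit behind.
function isMasterKeyIpAllowed(req, allowedIps, opts) {
  return allowedIps.includes(clientIp(req, opts));
}

// Constructed request objects in the shape the functions above read.
function makeRequest(remoteAddress, xff) {
  return {
    socket: { remoteAddress },
    headers: xff === undefined ? {} : { 'x-forwarded-for': xff },
  };
}
```

The same rule applies to every "is the caller local?" decision: the peer address of the socket is the only fact the server observes itself; forwarded headers are claims, and a claim is only worth believing when the party that made it is one you configured.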
Joplin Desktop App vulnerable to Cross-site Scripting
GHSA-h6c2-879r-jffh CVE-2022-45598 MODERATE almost 3 years ago
Cross Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows attacker to execute arbitrary code via improper sanitization.
npm
No PRs yet
http-cache-semantics vulnerable to Regular Expression Denial of Service
GHSA-rc47-6667-2j5j CVE-2022-25881 HIGH almost 3 years ago
http-cache-semantics contains an Inefficient Regular Expression Complexity issue, leading to Denial of Service. This affects versions of the package htt...
maven
npm
Dependabot PRs: 12
nemo-appium vulnerable to OS Command Injection
GHSA-c6rx-gxqv-vr5j CVE-2022-21129 CRITICAL almost 3 years ago
Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports.setu...
npm
No PRs yet
jSuites subject to Cross-site Scripting
GHSA-r4hg-4cpq-q57c CVE-2022-25979 MODERATE almost 3 years ago
Versions of the package jsuites before 5.0.1 are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the Editor() f...
npm
No PRs yet
Servst vulnerable to Path Traversal
GHSA-88v8-v46g-6c9w CVE-2022-25936 HIGH almost 3 years ago
Versions of the package servst before 2.0.3 are vulnerable to Directory Traversal due to improper sanitization of its filePath variable.
npm
No PRs yet
Eta vulnerable to Code Injection via templates rendered with user-defined data
GHSA-mf6x-hrgr-658f CVE-2022-25967 HIGH almost 3 years ago
Versions of the package eta before 2.0.0 are vulnerable to Remote Code Execution (RCE) by overwriting template engine configuration variables with ...
npm
No PRs yet
JSZip contains Path Traversal via loadAsync
GHSA-36fh-84j7-cv5h CVE-2022-48285 MODERATE almost 3 years ago
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive.
npm
No PRs yet
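The glance, servst and `staticFiles` path-traversal entries above and the JSZip `loadAsync` entry are the same bug seen from two directions: a request path or a ZIP entry name is joined onto a root directory without checking that the result stays under that root. The following is an added example and not code from any of those packages: one containment function that normalises an untrusted path segment-by-segment, treats backslashes as separators, optionally URL-decodes (for HTTP paths, not ZIP names), and refuses any input that would climb above the root, plus a small wrapper that joins the result onto a root. Function names and the sample paths are this example's own.

```javascript
// Added example (not glance's, servst's or JSZip's code): confine an untrusted
// path to a root directory, for both HTTP static-file serving and ZIP extraction.

// Returns the normalised path relative to the root, or null if the input is
// unsafe (NUL byte, bad percent-encoding, drive letter, or a '..' that would
// leave the root). A leading '/' is treated as "relative to the root", which is
// what a static handler wants and what a ZIP extractor should force anyway.
function containPath(untrusted, { urlDecode = false } = {}) {
  if (typeof untrusted !== 'string' || untrusted.includes('\0')) return null;
  let s = untrusted;
  if (urlDecode) {
    try { s = decodeURIComponent(s); } catch (e) { return null; }   // %2e%2e%2f and friends
  }
  const out = [];
  for (const part of s.split(/[\\/]+/)) {        // backslash counts as a separator too
    if (part === '' || part === '.') continue;
    if (part === '..') {
      if (out.length === 0) return null;         // would escape the root: refuse, don't clamp
      out.pop();
      continue;
    }
    if (/^[A-Za-z]:$/.test(part)) return null;   // 'C:' would be absolute on Windows
    out.push(part);
  }
  return out.join('/');
}

// Joins a contained path onto the root; null means "do not serve / do not extract".
function resolveUnderRoot(root, untrusted, opts) {
  const rel = containPath(untrusted, opts);
  if (rel === null) return null;
  return root.replace(/\/+$/, '') + '/' + rel;
}
```

For a real file system the check after normalisation still has to be paired with a check after symlink resolution (`fs.realpath` on the result, then the same prefix comparison), because a symlink inside the root can point outside it; that is a separate issue from the traversal these advisories describe and is left out here.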
Cross-site Scripting in yapi-vendor
GHSA-4jqw-vfmj-9rmh CVE-2021-36686 MODERATE almost 3 years ago
Cross Site Scripting (XSS) vulnerability in yapi 1.9.1 allows attackers to execute arbitrary code via the /interface/api edit page.
npm
No PRs yet