An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,793
Critical Severity: 3,506
High Severity: 8,617

Directory Traversal vulnerability in serve-lite
GHSA-5qq4-m6c3-xxmf CVE-2022-21192 HIGH almost 3 years ago
All versions of the package serve-lite are vulnerable to Directory Traversal due to missing input sanitization or other checks and protections empl...
npm
No PRs yet
Command injection in smartctl
GHSA-69f2-4375-qv9h CVE-2022-21810 HIGH almost 3 years ago
All versions of the package smartctl are vulnerable to Command Injection via the info method due to improper input sanitization.
npm
No PRs yet
Remote code execution in simple-git
GHSA-9w5j-4mwv-2wj8 CVE-2022-25860 CRITICAL almost 3 years ago
Versions of the package simple-git before 3.16.0 are vulnerable to Remote Code Execution (RCE) via the clone(), pull(), push() and listRemote() met...
npm
No PRs yet
Command Injection in create-choo-electron
GHSA-j8wr-fwf2-vvr9 CVE-2022-25908 CRITICAL almost 3 years ago
All versions of the package create-choo-electron are vulnerable to Command Injection via the devInstall function due to improper user-input sanitiz...
npm
No PRs yet
Cross-site Scripting (XSS) in serve-lite
GHSA-j8x7-qcw4-xx85 CVE-2022-25847 MODERATE almost 3 years ago
All versions of the package serve-lite are vulnerable to Cross-site Scripting (XSS) because when it detects a request to a directory, it renders a ...
npm
No PRs yet
Command Injection in puppet-facter
GHSA-g5qr-xgg7-8q2w CVE-2022-25350 HIGH almost 3 years ago
All versions of the package puppet-facter are vulnerable to Command Injection via the getFact function due to improper input sanitization.
npm
No PRs yet
Command injection in vagrant.js
GHSA-54jw-jqr9-6cj9 CVE-2022-25962 CRITICAL almost 3 years ago
All versions of the package vagrant.js are vulnerable to Command Injection via the boxAdd function due to improper input sanitization.
npm
No PRs yet
ReDoS Vulnerability in ua-parser-js version
GHSA-fhg7-m89q-25r3 CVE-2022-25927 HIGH almost 3 years ago
### Description: A regular expression denial of service (ReDoS) vulnerability has been discovered in `ua-parser-js`. ### Impact: This vulnerabilit...
npm
No PRs yet
Code injection in electerm
GHSA-x73w-g8hx-v7rp CVE-2020-23256 CRITICAL almost 3 years ago
An issue was discovered in Electerm 1.3.22, allows attackers to execute arbitrary code via unverified request to electerms service.
npm
No PRs yet
@builder.io/qwik vulnerable to Cross-site Scripting
GHSA-hm7f-rq7q-j9xp CVE-2023-0410 MODERATE almost 3 years ago
@builder.io/qwik prior to version 0.16.2 is vulnerable to cross-site scripting due to attribute names and the class attribute values not being prop...
npm
No PRs yet
cookiejar Regular Expression Denial of Service via Cookie.parse function
GHSA-h452-7996-h45h CVE-2022-25901 MODERATE almost 3 years ago
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and o...
maven npm
No PRs yet
Path Traversal in web-node-server
GHSA-3fwq-qv5v-2wxf CVE-2020-36651 HIGH almost 3 years ago
A vulnerability has been found in youngerheart nodeserver and classified as critical. Affected by this vulnerability is an unknown functionality of...
npm
No PRs yet
mel-spintax has Inefficient Regular Expression Complexity
GHSA-qjm7-55vv-3c5f CVE-2018-25077 MODERATE almost 3 years ago
A vulnerability was found in melnaron mel-spintax. It has been rated as problematic. Affected by this issue is some unknown functionality of the fi...
npm
No PRs yet
a12nserver vulnerable to potential SQL Injections via Knex dependency
GHSA-crhg-xgrg-vvcc MODERATE almost 3 years ago
### Impact Users of a12nserver that use MySQL might be vulnerable to SQL injection bugs. If you use a12nserver and MySQL, update as soon as poss...
npm
No PRs yet
global-modules-path Command Injection vulnerability
GHSA-vvj3-85vf-fgmw CVE-2022-21191 CRITICAL almost 3 years ago
Versions of the package global-modules-path before 3.0.0 are vulnerable to Command Injection due to missing input sanitization or other checks and ...
npm
No PRs yet
RSSHub SSRF vulnerability
GHSA-64wp-jh9p-5cg2 CVE-2023-22493 HIGH almost 3 years ago
## Summary RSSHub is vulnerable to Server-Side Request Forgery (SSRF) attacks. This vulnerability allows an attacker to send arbitrary HTTP reques...
npm
No PRs yet
gry vulnerable to Command Injection
GHSA-w5mw-f2hq-5fw8 CVE-2020-36650 HIGH almost 3 years ago
A vulnerability, which was classified as critical, was found in IonicaBizau node-gry up to 5.x. This affects an unknown part. The manipulation lead...
npm
No PRs yet
gatsby-transformer-remark has possible unsanitized JavaScript code injection
GHSA-7ch4-rr99-cqcw CVE-2023-22491 HIGH almost 3 years ago
### Impact The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-matter` npm package, which is ...
npm
No PRs yet
skeemas Inefficient Regular Expression Complexity vulnerability
GHSA-qv66-f876-vjvr CVE-2018-25074 HIGH almost 3 years ago
A vulnerability was found in Prestaul skeemas and classified as problematic. This issue affects some unknown processing of the file validators/base...
npm
No PRs yet
convict vulnerable to Prototype Pollution
GHSA-4jrm-c32x-w4jf CVE-2023-0163 HIGH almost 3 years ago
### Impact * An attacker can inject attributes that are used in other components * An attacker can override existing attributes with ones that hav...
npm
No PRs yet
phoenix_html allows Cross-site Scripting in HEEx class attributes
GHSA-5g2h-9x5v-5h3x CVE-2021-46871 MODERATE almost 3 years ago
tag.ex in Phoenix Phoenix.HTML (aka phoenix_html) before 3.0.4 allows XSS in HEEx class attributes
hex npm
No PRs yet
mercurius has Uncaught Exception when using subscriptions
GHSA-cm8h-q92v-xcfc CVE-2023-22477 MODERATE almost 3 years ago
### Impact Any users of Mercurius until version v11.5.0 are subjected to a denial of service attack by sending a malformed packet over WebSocket t...
npm
1 Dependabot PR
@okta/oidc-middleware Open Redirect vulnerability
GHSA-58h4-9m7m-j9m4 CVE-2022-3145 MODERATE almost 3 years ago
An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL. ...
npm
No PRs yet
Luxon Inefficient Regular Expression Complexity vulnerability
GHSA-3xq5-wjfh-ppjc CVE-2023-22467 HIGH almost 3 years ago
# Impact Luxon's `DateTime.fromRFC2822()` has quadratic (N^2) complexity on some specific inputs. This causes a noticeable slowdown for inputs with ...
npm
1 Dependabot PR, 100% merged
debug Inefficient Regular Expression Complexity vulnerability
GHSA-9vvw-cc9w-f27h CVE-2017-20165 HIGH almost 3 years ago
A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js...
npm
No PRs yet
wifey vulnerable to Command Injection due to improper input sanitization
GHSA-xj9v-6q2f-vqhx CVE-2022-25890 CRITICAL almost 3 years ago
All versions of the package wifey are vulnerable to Command Injection via the `connect()` function due to improper input sanitization.
npm
No PRs yet
Baobab vulnerable to Prototype Pollution
GHSA-wvr2-q86m-6whp CVE-2021-4307 CRITICAL almost 3 years ago
A vulnerability was found in Yomguithereal Baobab up to 2.6.0. It has been declared as critical. Affected by this vulnerability is an unknown funct...
npm
No PRs yet
terminal-kit Inefficient Regular Expression Complexity vulnerability
GHSA-wxgh-8gmr-3qh3 CVE-2021-4306 HIGH almost 3 years ago
A vulnerability classified as problematic has been found in cronvel terminal-kit up to 2.1.7. Affected is an unknown function. The manipulation lea...
npm
No PRs yet
nodebatis SQL Injection vulnerability
GHSA-8ph8-9q2j-c3rq CVE-2018-25066 CRITICAL almost 3 years ago
A vulnerability was found in PeterMu nodebatis up to 2.1.x. It has been classified as critical. Affected is an unknown function. The manipulation l...
npm
No PRs yet
exec-local-bin vulnerable to Command Injection
GHSA-f259-h6m8-hm8m CVE-2022-25923 CRITICAL almost 3 years ago
Versions of the package exec-local-bin before 1.2.0 are vulnerable to Command Injection via the `theProcess()` functionality due to improper user-i...
npm
No PRs yet
robots-txt-guard Inefficient Regular Expression Complexity vulnerability
GHSA-6g33-8w2q-4hxv CVE-2021-4305 HIGH almost 3 years ago
A vulnerability was found in Woorank robots-txt-guard. It has been rated as problematic. Affected by this issue is the function makePathPattern of ...
npm
No PRs yet
Vercel ms Inefficient Regular Expression Complexity vulnerability
GHSA-w9mr-4mfr-499f CVE-2017-20162 MODERATE almost 3 years ago
A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file inde...
npm
No PRs yet
@mattkrick/sanitize-svg vulnerable to Cross-Site Scripting (XSS)
GHSA-h857-2g56-468g CVE-2023-22461 HIGH almost 3 years ago
### Impact The *sanitize-svg* package uses a deny-list-pattern to sanitize SVGs to prevent cross-site scripting (XSS). In doing so, literal `<scrip...
npm
No PRs yet
Uniswap Universal Router Incorrect Authorization vulnerability
GHSA-7m37-cx35-qgmr CVE-2022-48216 HIGH almost 3 years ago
Uniswap Universal Router before 1.1.0 mishandles reentrancy. This would have allowed theft of funds.
npm
No PRs yet
window-control vulnerable to Command Injection due to improper input sanitization
GHSA-9mjx-wfqp-j5ph CVE-2022-25926 HIGH almost 3 years ago
window-control is an npm package that provides tools to manage window focus. Versions before 1.4.5 are vulnerable to Command Injection via the `sen...
npm
No PRs yet
MooTools Regular Expression Denial of Service
GHSA-v63q-hgqc-qvpg CVE-2021-32821 HIGH almost 3 years ago
MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to ...
npm
No PRs yet
string-kit Inefficient Regular Expression Complexity vulnerability
GHSA-pfrm-4rjw-g9q5 CVE-2021-4299 HIGH almost 3 years ago
A vulnerability classified as problematic was found in cronvel string-kit up to 0.12.7. This vulnerability affects the function naturalSort of the ...
npm
No PRs yet
rgb2hex vulnerable to inefficient regular expression complexity
GHSA-7599-fqgm-v84p CVE-2018-25061 HIGH almost 3 years ago
A vulnerability was found in rgb2hex up to 0.1.5. It has been rated as problematic. This issue affects some unknown processing. The manipulation le...
npm
No PRs yet
express-param vulnerable to Improper Handling of Extra Parameters
GHSA-fr54-72wr-cqvq CVE-2017-20160 CRITICAL almost 3 years ago
A vulnerability was found in flitto express-param up to 0.x. It has been classified as critical. This affects an unknown part of the file `lib/fetc...
npm
No PRs yet
Twitter-Post-Fetcher vulnerable to Use of Web Link to Untrusted Target with window.opener Access
GHSA-m688-cx2p-rgq9 CVE-2018-25058 MODERATE almost 3 years ago
A vulnerability classified as problematic has been found in Twitter-Post-Fetcher up to 17.x. This affects an unknown part of the file `js/twitterFe...
npm
No PRs yet
Prototype Pollution in JSON5 via Parse Method
GHSA-9c47-m6qq-7p4h CVE-2022-46175 HIGH almost 3 years ago
The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing speciall...
npm
17 Dependabot PRs, 5% merged
Json2html vulnerable to cross-site scripting
GHSA-79mp-cxp4-9p6r CVE-2018-25053 MODERATE almost 3 years ago
Json2html is a client side javascript HTML templating library with wrappers for both jQuery and Node.js. A vulnerability was found in moappi Json2h...
npm
No PRs yet
markdown-it vulnerable to Inefficient Regular Expression Complexity
GHSA-j5p7-jf4q-742q CVE-2015-10005 HIGH almost 3 years ago
A vulnerability was found in markdown-it up to 2.x. It has been classified as problematic. Affected is an unknown function of the file `lib/common/...
npm
No PRs yet
email-existence Inefficient Regular Expression Complexity vulnerability
GHSA-p27h-4cpf-fw48 CVE-2018-25049 HIGH almost 3 years ago
A vulnerability was found in email-existence. It has been rated as problematic. Affected by this issue is some unknown functionality of the file `i...
npm
No PRs yet
json-pointer vulnerable to Prototype Pollution
GHSA-6xrf-q977-5vgc CVE-2022-4742 CRITICAL almost 3 years ago
A vulnerability, which was classified as critical, has been found in json-pointer up to 0.6.1. Affected by this issue is the function set of the fi...
npm
No PRs yet
flat vulnerable to Prototype Pollution
GHSA-2j2x-2gpw-g8fm CVE-2020-36632 CRITICAL almost 3 years ago
flat helps flatten/unflatten nested Javascript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. Th...
npm
No PRs yet
Starcounter-Jack JSON-Patch Prototype Pollution vulnerability
GHSA-8gh8-hqwg-xf34 CVE-2021-4279 HIGH almost 3 years ago
A vulnerability has been found in Starcounter-Jack JSON-Patch up to 3.1.0 and classified as problematic. This vulnerability affects unknown code. T...
npm
No PRs yet
tree-kit vulnerable to Prototype Pollution
GHSA-mw4x-g2x8-qcvf CVE-2021-4278 HIGH almost 3 years ago
A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to i...
npm
No PRs yet
SimbCo httpster vulnerable to Path Traversal
GHSA-p8j8-wxvp-h695 CVE-2020-36629 HIGH almost 3 years ago
A vulnerability classified as critical was found in SimbCo httpster. This vulnerability affects the function fs.realpathSync of the file src/server...
npm
No PRs yet
liquidjs may leak properties of a prototype
GHSA-45rm-2893-5f49 CVE-2022-25948 MODERATE almost 3 years ago
The package liquidjs before 10.0.0 is vulnerable to Information Exposure when `ownPropertyOnly` parameter is set to `False`, which results in leaki...
npm
No PRs yet