Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,921
With Dependabot PRs: 1,821
Critical Severity: 3,520
High Severity: 8,659
Vercel ms Inefficient Regular Expression Complexity vulnerability
GHSA-w9mr-4mfr-499f CVE-2017-20162 MODERATE almost 3 years ago
A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file inde...
npm
No PRs yet
@mattkrick/sanitize-svg vulnerable to Cross-Site Scripting (XSS)
GHSA-h857-2g56-468g CVE-2023-22461 HIGH almost 3 years ago
Impact: The *sanitize-svg* package uses a deny-list pattern to sanitize SVGs to prevent cross-site scripting (XSS). In doing so, literal `<scrip...
npm
No PRs yet
Uniswap Universal Router Incorrect Authorization vulnerability
GHSA-7m37-cx35-qgmr CVE-2022-48216 HIGH almost 3 years ago
Uniswap Universal Router before 1.1.0 mishandles reentrancy. This would have allowed theft of funds.
npm
No PRs yet
window-control vulnerable to Command Injection due to improper input sanitization
GHSA-9mjx-wfqp-j5ph CVE-2022-25926 HIGH almost 3 years ago
window-control is an npm package that provides tools to manage window focus. Versions before 1.4.5 are vulnerable to Command Injection via the `sen...
npm
No PRs yet
MooTools Regular Expression Denial of Service
GHSA-v63q-hgqc-qvpg CVE-2021-32821 HIGH almost 3 years ago
MooTools is a collection of JavaScript utilities for JavaScript developers. All known versions include a CSS selector parser that is vulnerable to ...
npm
No PRs yet
string-kit Inefficient Regular Expression Complexity vulnerability
GHSA-pfrm-4rjw-g9q5 CVE-2021-4299 HIGH almost 3 years ago
A vulnerability classified as problematic was found in cronvel string-kit up to 0.12.7. This vulnerability affects the function naturalSort of the ...
npm
No PRs yet
rgb2hex vulnerable to inefficient regular expression complexity
GHSA-7599-fqgm-v84p CVE-2018-25061 HIGH almost 3 years ago
A vulnerability was found in rgb2hex up to 0.1.5. It has been rated as problematic. This issue affects some unknown processing. The manipulation le...
npm
No PRs yet
express-param vulnerable to Improper Handling of Extra Parameters
GHSA-fr54-72wr-cqvq CVE-2017-20160 CRITICAL almost 3 years ago
A vulnerability was found in flitto express-param up to 0.x. It has been classified as critical. This affects an unknown part of the file `lib/fetc...
npm
No PRs yet
Twitter-Post-Fetcher vulnerable to Use of Web Link to Untrusted Target with window.opener Access
GHSA-m688-cx2p-rgq9 CVE-2018-25058 MODERATE almost 3 years ago
A vulnerability classified as problematic has been found in Twitter-Post-Fetcher up to 17.x. This affects an unknown part of the file `js/twitterFe...
npm
No PRs yet
Prototype Pollution in JSON5 via Parse Method
GHSA-9c47-m6qq-7p4h CVE-2022-46175 HIGH almost 3 years ago
The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing speciall...
npm
18 Dependabot PRs, 5% Merged
Json2html vulnerable to cross-site scripting
GHSA-79mp-cxp4-9p6r CVE-2018-25053 MODERATE almost 3 years ago
Json2html is a client-side JavaScript HTML templating library with wrappers for both jQuery and Node.js. A vulnerability was found in moappi Json2h...
npm
No PRs yet
markdown-it vulnerable to Inefficient Regular Expression Complexity
GHSA-j5p7-jf4q-742q CVE-2015-10005 HIGH almost 3 years ago
A vulnerability was found in markdown-it up to 2.x. It has been classified as problematic. Affected is an unknown function of the file `lib/common/...
npm
No PRs yet
email-existence Inefficient Regular Expression Complexity vulnerability
GHSA-p27h-4cpf-fw48 CVE-2018-25049 HIGH almost 3 years ago
A vulnerability was found in email-existence. It has been rated as problematic. Affected by this issue is some unknown functionality of the file `i...
npm
No PRs yet
json-pointer vulnerable to Prototype Pollution
GHSA-6xrf-q977-5vgc CVE-2022-4742 CRITICAL almost 3 years ago
A vulnerability, which was classified as critical, has been found in json-pointer up to 0.6.1. Affected by this issue is the function set of the fi...
npm
No PRs yet
flat vulnerable to Prototype Pollution
GHSA-2j2x-2gpw-g8fm CVE-2020-36632 CRITICAL almost 3 years ago
flat helps flatten/unflatten nested JavaScript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. Th...
npm
No PRs yet
Starcounter-Jack JSON-Patch Prototype Pollution vulnerability
GHSA-8gh8-hqwg-xf34 CVE-2021-4279 HIGH almost 3 years ago
A vulnerability has been found in Starcounter-Jack JSON-Patch up to 3.1.0 and classified as problematic. This vulnerability affects unknown code. T...
npm
No PRs yet
tree-kit vulnerable to Prototype Pollution
GHSA-mw4x-g2x8-qcvf CVE-2021-4278 HIGH almost 3 years ago
A vulnerability classified as problematic has been found in cronvel tree-kit up to 0.6.x. This affects an unknown part. The manipulation leads to i...
npm
No PRs yet
SimbCo httpster vulnerable to Path Traversal
GHSA-p8j8-wxvp-h695 CVE-2020-36629 HIGH almost 3 years ago
A vulnerability classified as critical was found in SimbCo httpster. This vulnerability affects the function fs.realpathSync of the file src/server...
npm
No PRs yet
liquidjs may leak properties of a prototype
GHSA-45rm-2893-5f49 CVE-2022-25948 MODERATE almost 3 years ago
The package liquidjs before 10.0.0 is vulnerable to Information Exposure when `ownPropertyOnly` parameter is set to `False`, which results in leaki...
npm
No PRs yet
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
GHSA-hjrf-2m68-5959 CVE-2022-23541 MODERATE almost 3 years ago
Overview: Versions `<=8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function (referrin...
npm
750 Dependabot PRs, 13% Merged
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
GHSA-qwph-4952-7xr6 CVE-2022-23540 MODERATE almost 3 years ago
Overview: In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition and a falsy secret or key in the `jwt.verify()` function can ...
npm
749 Dependabot PRs, 13% Merged
jsonwebtoken unrestricted key type could lead to legacy keys usage
GHSA-8cf7-32gw-wr33 CVE-2022-23539 HIGH almost 3 years ago
Overview: Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verificat...
npm
749 Dependabot PRs, 13% Merged
dustjs-linkedin vulnerable to Prototype Pollution
GHSA-c6rp-wrp9-qr4q CVE-2021-4264 HIGH almost 3 years ago
A vulnerability was found in LinkedIn dustjs prior to version 3.0.0 and classified as problematic. Affected by this issue is some unknown functiona...
npm
No PRs yet
vm2 vulnerable to Arbitrary Code Execution
GHSA-4w2j-2rg4-5mjw CVE-2022-25893 CRITICAL almost 3 years ago
The package vm2 before 3.9.10 is vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. ...
npm
No PRs yet
abacus-ext-cmdline vulnerable to Command Injection
GHSA-m5v8-wpw4-rj3x CVE-2022-24431 HIGH almost 3 years ago
All versions of package abacus-ext-cmdline are vulnerable to Command Injection via the execute function due to improper user-input sanitization.
npm
No PRs yet
lite-dev-server vulnerable to Directory Traversal
GHSA-pppv-ch8p-rp2w CVE-2022-25895 HIGH almost 3 years ago
All versions of package lite-dev-server are vulnerable to Directory Traversal due to missing input sanitization and sandboxes being employed to the...
npm
No PRs yet
Smoothie vulnerable to Cross-site Scripting when tooltipLabel or strokeStyle are controlled by users
GHSA-g662-qq45-ppwm CVE-2022-25929 MODERATE almost 3 years ago
The package smoothie from 1.31.0 and before 1.36.1 is vulnerable to Cross-site Scripting (XSS) due to improper user input sanitization in strokeSt...
npm
No PRs yet
safe-eval vulnerable to Prototype Pollution
GHSA-33vh-7x8q-mg35 CVE-2022-25904 CRITICAL almost 3 years ago
All versions of package safe-eval are vulnerable to Prototype Pollution which allows an attacker to add or modify properties of the Object.prototyp...
npm
No PRs yet
p4 vulnerable to Command Injection due to improper input sanitization
GHSA-jfm8-hwhg-r6gg CVE-2022-25171 HIGH almost 3 years ago
The package p4 before 0.0.7 is vulnerable to Command Injection via the run() function due to improper input sanitization.
npm
No PRs yet
easy-static-server vulnerable to Directory Traversal
GHSA-wcwm-c3mr-pxcr CVE-2022-25931 HIGH almost 3 years ago
All versions of package easy-static-server are vulnerable to Directory Traversal due to missing input sanitization and sandboxes being employed to ...
npm
No PRs yet
lite-server vulnerable to Denial of Service
GHSA-89w7-5q45-r53w CVE-2022-25940 HIGH almost 3 years ago
All versions of package lite-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control character...
maven
npm
No PRs yet
Oils JS vulnerable to Open Redirect
GHSA-v279-v2xm-whq9 CVE-2021-4260 MODERATE almost 3 years ago
A vulnerability was found in oils-js. This vulnerability affects unknown code of the file core/Web.js. The manipulation leads to open redirect and ...
npm
No PRs yet
FurqanSoftware/node-whois vulnerable to Prototype Pollution
GHSA-97jv-c342-5xhc CVE-2020-36618 CRITICAL almost 3 years ago
A vulnerability classified as critical has been found in Furqan node-whois. Affected is an unknown function of the file `index.coffee`. The manipul...
npm
No PRs yet
Knex.js has a limited SQL injection vulnerability
GHSA-4jv9-3563-23j3 CVE-2016-20018 HIGH almost 3 years ago
Knex Knex.js through 2.3.0 has a limited SQL injection vulnerability that can be exploited to ignore the WHERE clause of a SQL query. This vulnerab...
npm
No PRs yet
replicator vulnerable to Deserialization of Untrusted Data
GHSA-hw46-vg6w-88fj CVE-2021-33420 CRITICAL almost 3 years ago
A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable funct...
npm
No PRs yet
easywebpack-cli Path Traversal vulnerability
GHSA-252h-2cmq-pmr6 CVE-2020-24855 MODERATE almost 3 years ago
Directory Traversal vulnerability in easywebpack-cli before 4.5.2 allows attackers to obtain sensitive information via a crafted GET request.
npm
No PRs yet
npm package rfc6902 vulnerable to Prototype Pollution
GHSA-p495-jxh2-wrfg CVE-2021-4245 CRITICAL almost 3 years ago
A vulnerability classified as problematic has been found in chbrown rfc6902. This affects an unknown part of the file pointer.ts. The manipulation ...
npm
No PRs yet
cycle-import-check vulnerable to Command Injection
GHSA-995x-33wq-8gc9 CVE-2022-24377 CRITICAL almost 3 years ago
The package cycle-import-check before version 1.3.2 is vulnerable to Command Injection via the `writeFileToTmpDirAndOpenIt` function due to imprope...
npm
No PRs yet
Authentication Bypass for passport-wsfed-saml2
GHSA-ppjq-qxhx-m25f CVE-2022-23505 MODERATE almost 3 years ago
Overview: A remote attacker can bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacke...
npm
No PRs yet
@cubejs-backend/api-gateway row level security bypass
GHSA-6jqm-3c9g-pch7 CVE-2022-23510 HIGH almost 3 years ago
Impact: All authenticated Cube clients could bypass row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. ...
npm
No PRs yet
Cross-site scripting vulnerability in TinyMCE alerts
GHSA-gg8r-xjwq-4w92 CVE-2022-23494 MODERATE almost 3 years ago
Impact: A cross-site scripting (XSS) vulnerability was discovered in the alert and confirm dialogs when these dialogs were provided with malicio...
npm
nuget
packagist
15 Dependabot PRs, 16% Merged
libp2p DoS vulnerability from lack of resource management
GHSA-f44q-634c-jvwv CVE-2022-23487 HIGH almost 3 years ago
Impact: Versions older than `v0.38.0` of js-libp2p are vulnerable to targeted resource exhaustion attacks. These attacks target libp2p’s connect...
npm
No PRs yet
simple-git vulnerable to Remote Code Execution when enabling the ext transport protocol
GHSA-9p95-fxvg-qgq2 CVE-2022-25912 HIGH about 3 years ago
The package simple-git before 3.15.0 is vulnerable to Remote Code Execution (RCE) when enabling the `ext` transport protocol, which makes it exploi...
npm
No PRs yet
NodeBB vulnerable to account takeover via prototype vulnerability
GHSA-rf3g-v8p5-p675 CVE-2022-46164 CRITICAL about 3 years ago
Impact: Due to a plain object with a prototype being used in socket.io message handling, a specially crafted payload can be used to impersonate o...
npm
No PRs yet
muhammara and hummus vulnerable to Unchecked Return Value to NULL Pointer Dereference
GHSA-2r7v-cmch-5x26 CVE-2022-41957 HIGH about 3 years ago
Impact: The package muhammara before 2.6.2, from 3.0.0 and before 3.3.0; all versions of package hummus are vulnerable to Denial of Service (DoS...
npm
No PRs yet
nadesiko3 vulnerable to OS Command Injection
GHSA-7249-8x22-4rg4 CVE-2022-42496 CRITICAL about 3 years ago
OS command injection vulnerability in Nako3edit, editor component of nadesiko3 (PC Version) v3.3.74 and earlier allows a remote attacker to obtain ...
npm
No PRs yet
nadesiko3 allows remote attacker to inject invalid value to decodeURIComponent of nako3edit
GHSA-x2jx-w3wm-9p3p CVE-2022-41777 MODERATE about 3 years ago
Nako3edit is the editor component of Nadeshiko 3, a programming language developed based on Japanese. Improper check or handling of exceptional con...
npm
No PRs yet
Nadesiko3 OS Command Injection vulnerability
GHSA-m8r5-7wf4-63mw CVE-2022-41642 CRITICAL about 3 years ago
OS command injection vulnerability in Nadesiko3 (PC Version) v3.3.68 and earlier allows a remote attacker to execute an arbitrary OS command when p...
npm
No PRs yet
Snyk plugins vulnerable to Command Injection
GHSA-4x6g-3cmx-w76r CVE-2022-22984 MODERATE about 3 years ago
The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-c...
npm
No PRs yet
static-dev-server vulnerable to path traversal
GHSA-7fxm-c848-89q8 CVE-2022-25848 HIGH about 3 years ago
A path traversal vulnerability affects all versions of package static-dev-server. This is because when paths from users to the root directory are j...
npm
No PRs yet