An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

Fiora chat group avatar is vulnerable to XSS via SVG files
GHSA-2c6j-vw6r-mfch CVE-2025-56515 LOW about 2 months ago
File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file cont...
npm
No PRs yet
Fiora chat user avatar is vulnerable to XSS via SVG files
GHSA-hg3j-6pmh-mvjr CVE-2025-56514 LOW about 2 months ago
Cross Site Scripting (XSS) vulnerability in Fiora chat application 1.0.0 allows arbitrary JavaScript execution when malicious SVG files are rendere...
npm
No PRs yet
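The two Fiora entries above share one root cause: an avatar endpoint accepts SVG, which is XML and can carry script and event handlers, and the file is later rendered inline in the application's origin. The check a practitioner wants is content-based, not extension- or Content-Type-based. The following is an added example written for this page, not Fiora's code; the function names, the size limit and the sample buffers are constructed for illustration.

```javascript
// Added example (not Fiora's code): validate avatar uploads by content, not by
// the client-supplied filename or Content-Type, both of which the attacker sets.
const RASTER_SIGNATURES = [
  { type: 'image/png',  ext: 'png', bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'image/jpeg', ext: 'jpg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  ext: 'gif', bytes: [0x47, 0x49, 0x46, 0x38] }, // "GIF8"
];

// Identify the image format from its leading bytes. Returns null for anything
// that is not a recognised raster format; SVG is XML text and never matches.
function sniffRaster(buf) {
  for (const sig of RASTER_SIGNATURES) {
    if (buf.length >= sig.bytes.length && sig.bytes.every((b, i) => buf[i] === b)) {
      return sig;
    }
  }
  return null;
}

// Accept only raster images within a size limit. The declared name is kept for
// logging only; the stored name uses the sniffed extension, so a file uploaded
// as "avatar.png" that is really <svg><script>...</script></svg> is refused,
// and a renamed SVG can never be served back as image/svg+xml.
function validateAvatar(buf, declaredName, maxBytes = 512 * 1024) {
  if (!Buffer.isBuffer(buf)) throw new TypeError('expected a Buffer');
  if (buf.length === 0 || buf.length > maxBytes) return { ok: false, reason: 'size', declaredName };
  const sig = sniffRaster(buf);
  if (sig === null) return { ok: false, reason: 'unsupported-format', declaredName };
  return { ok: true, type: sig.type, ext: sig.ext, declaredName };
}

// Defence in depth for whatever the avatar route serves: nosniff pins the
// type, and a sandbox CSP puts the response in an opaque origin with no
// script sources. If SVG must still be served (legacy uploads), force a
// download instead of inline rendering.
function avatarResponseHeaders(type) {
  const headers = {
    'Content-Type': type,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "sandbox; default-src 'none'",
  };
  if (type === 'image/svg+xml') headers['Content-Disposition'] = 'attachment';
  return headers;
}

// Constructed samples: a minimal PNG header and an SVG carrying script.
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]);
const SAMPLE_SVG = Buffer.from(
  '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>'
);
```

Usage: validateAvatar(SAMPLE_SVG, 'avatar.png') returns { ok: false, reason: 'unsupported-format' } however the client labelled the upload, while validateAvatar(SAMPLE_PNG, 'avatar.svg') is accepted as image/png. Rejecting SVG outright is the simplest correct policy for avatars; a sanitiser that strips script from SVG is a much larger attack surface.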
@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user
GHSA-m8rj-ppph-mj33 CVE-2025-61668 HIGH about 2 months ago
### Impact When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error. ### Patches The prob...
npm
No PRs yet
validator.js has a URL validation bypass vulnerability in its isURL function
GHSA-9965-vmph-33xx CVE-2025-56200 MODERATE 2 months ago
A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses '://' as a delimiter to parse pro...
npm
66 Dependabot PRs
Finance.js vulnerable to DoS via the seekZero() parameter
GHSA-5q7q-p8pc-782h CVE-2025-56572 HIGH 2 months ago
An issue in finance.js v.4.1.0 allows a remote attacker to cause a denial of service via the seekZero() parameter.
npm
No PRs yet
Finance.js vulnerable to DoS via the IRR function’s depth parameter
GHSA-f8r4-mf27-rf7m CVE-2025-56571 HIGH 2 months ago
Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/itera...
npm
No PRs yet
figma-developer-mcp vulnerable to command injection in get_figma_data tool
GHSA-gxw4-4fc5-9gr5 CVE-2025-53967 HIGH 2 months ago
### Summary A command injection vulnerability exists in the `figma-developer-mcp` MCP Server. The vulnerability is caused by the unsanitized use o...
npm
No PRs yet
@nubosoftware/node-static failure to catch exception can result in server crash
GHSA-27w5-gj5q-82fv CVE-2025-11149 HIGH 2 months ago
This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exceptio...
npm
No PRs yet
check-branches is vulnerable to command Injection
GHSA-9c4g-fp4r-prrv CVE-2025-11148 CRITICAL 2 months ago
All versions of the package check-branches are vulnerable to Command Injection. check-branches is a command-line tool that is interacted with loca...
npm
No PRs yet
algoliasearch-helper is vulnerable to Prototype Pollution in _merge()
GHSA-529q-4j3p-7c5r CVE-2025-3193 MODERATE 2 months ago
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in mer...
npm
No PRs yet
Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
GHSA-w87v-7w53-wwxv CVE-2025-59845 HIGH 2 months ago
### Impact A **Cross-Site Request Forgery (CSRF)** vulnerability was identified in Apollo’s **Embedded Sandbox** and **Embedded Explorer**. The v...
npm
2 Dependabot PRs
express-xss-sanitizer has an unbounded recursion depth
GHSA-hvq2-wf92-j4f3 CVE-2025-59364 MODERATE 2 months ago
# Security Advisory: express-xss-sanitizer ## Overview A vulnerability was discovered in express-xss-sanitizer that allowed unbounded recursion de...
npm
No PRs yet
get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass
GHSA-qc2q-qhf3-235m CVE-2025-59936 CRITICAL 2 months ago
### Summary A vulnerability in `get-jwks` can lead to cache poisoning in the JWKS key-fetching mechanism. ### Details When the `iss` (issuer) cla...
npm
No PRs yet
cors-anywhere vulnerable to server-side request forgery
GHSA-r3jv-xfgx-gj24 CVE-2020-36851 CRITICAL 2 months ago
Rob--W/cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to a...
npm
No PRs yet
apidoc-core is vulnerable to prototype pollution
GHSA-5q53-78f2-6gf8 CVE-2025-57317 HIGH 2 months ago
apidoc-core is the core parser library to generate apidoc result following the apidoc-spec. A Prototype Pollution vulnerability in the preProcess f...
npm
No PRs yet
dref is vulnerable to prototype pollution
GHSA-76g8-235f-gj6p CVE-2025-26278 HIGH 2 months ago
A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
npm
No PRs yet
lobe-chat has an Open Redirect
GHSA-xph5-278p-26qx CVE-2025-59426 MODERATE 2 months ago
### **Description** --- > Vulnerability Overview > The project's OIDC redirect handling logic constructs the host and protocol of the final red...
npm
No PRs yet
csvjson vulnerable to prototype injection
GHSA-xq4f-3jxp-qv6m CVE-2025-57318 HIGH 2 months ago
A Prototype Pollution vulnerability in the toCsv function of csvjson versions thru 5.1.0 allows attackers to inject properties on Object.prototype ...
npm
No PRs yet
toggle-array vulnerable to prototype pollution
GHSA-34q3-8x9v-j957 CVE-2025-57328 LOW 2 months ago
toggle-array is a package designed to enable a property on the object at the specified index, while disabling the property on all other objects. A...
npm
No PRs yet
spmrc vulnerable to prototype pollution
GHSA-r2rv-8pp3-65xw CVE-2025-57327 LOW 2 months ago
spmrc is a package that provides the rc manager for spm. A Prototype Pollution vulnerability in the set and config function of spmrc version 1.2.0 ...
npm
No PRs yet
magix-combine-ex vulnerable to prototype pollution
GHSA-cr7h-93fh-whwm CVE-2025-57321 LOW 2 months ago
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 2.2.2 allows attackers to inject p...
npm
No PRs yet
ts-fns has prototype pollution vulnerability
GHSA-g7wq-wggw-vmhg CVE-2025-57351 MODERATE 2 months ago
A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in t...
npm
No PRs yet
messageformat has a prototype pollution vulnerability
GHSA-xfqm-j7pc-xrfc CVE-2025-57349 LOW 2 months ago
The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due ...
npm
No PRs yet
parse is vulnerable to prototype pollution
GHSA-9g8m-v378-pcg3 CVE-2025-57324 MODERATE 2 months ago
parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState funct...
npm
2 Dependabot PRs (50% merged)
mpregular vulnerable to prototype pollution
GHSA-xx4g-r65p-3qf2 CVE-2025-57323 HIGH 2 months ago
mpregular is a package that provides a small program development framework based on RegularJS. A Prototype Pollution vulnerability in the mp.addEve...
npm
No PRs yet
json-schema-editor-visual vulnerable to prototype pollution
GHSA-3c3p-xh4f-pfh7 CVE-2025-57320 MODERATE 2 months ago
json-schema-editor-visual is a package that provides jsonschema editor. A Prototype Pollution vulnerability in the setData and deleteData function ...
npm
No PRs yet
sassdoc-extras vulnerable to prototype pollution
GHSA-3mpm-jx38-9m8w CVE-2025-57326 LOW 2 months ago
A Prototype Pollution vulnerability in the byGroupAndType function of sassdoc-extras v2.5.1 and before allows attackers to inject properties on Obj...
npm
No PRs yet
web3-core-method is vulnerable to prototype pollution
GHSA-2j4c-9qqq-896r CVE-2025-57329 LOW 2 months ago
web3-core-method is a package designed to create the methods on the web3 modules. A Prototype Pollution vulnerability in the attachToObject functi...
npm
No PRs yet
web3-core-subscriptions has a Prototype Pollution vulnerability
GHSA-hhf6-3xpg-pggx CVE-2025-57330 LOW 2 months ago
The web3-core-subscriptions package is designed to manage web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function...
npm
No PRs yet
node-cube vulnerable to prototype pollution
GHSA-8v65-5fw5-23wj CVE-2025-57348 LOW 2 months ago
The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an att...
npm
No PRs yet
Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure
GHSA-xh92-rqrq-227v CVE-2025-61685 MODERATE 2 months ago
The Mastra Docs MCP Server package `@mastra/mcp-docs-server` is a server designed to provide documentation context to AI agentic workflows, such as...
npm
No PRs yet
Command Injection in adb-mcp MCP Server
GHSA-54j7-grvr-9xwg CVE-2025-59834 CRITICAL 2 months ago
# Command Injection in adb-mcp MCP Server The MCP Server at https://github.com/srmorete/adb-mcp is written in a way that is vulnerable to command ...
npm
No PRs yet
Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions
GHSA-2jjv-qf24-vfm4 CVE-2025-59828 HIGH 2 months ago
### Summary In Claude Code versions prior to **1.0.39**, when the tool is used with **Yarn 2.x or newer (Berry)**, Yarn plugins are automatically ...
npm
No PRs yet
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
GHSA-vj76-c3g6-qr5v CVE-2025-59343 HIGH 2 months ago
### Impact v3.1.0, v2.1.3, v1.16.5 and below ### Patches Has been patched in 3.1.1, 2.1.4, and 1.16.6 ### Workarounds You can use the ignore opt...
npm
1 Dependabot PR
counterpart vulnerable to prototype pollution
GHSA-2488-w585-72ch CVE-2025-57354 MODERATE 2 months ago
A vulnerability exists in the `counterpart` library for Node.js and the browser due to insufficient sanitization of user-controlled input in transl...
npm
No PRs yet
messageformat prototype pollution vulnerability
GHSA-6xv4-9cqp-92rh CVE-2025-57353 MODERATE 2 months ago
The Runtime components of messageformat package for Node.js version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validati...
npm
10 Dependabot PRs
min-document vulnerable to prototype pollution
GHSA-rx8g-88g5-qh64 CVE-2025-57352 LOW 2 months ago
A vulnerability exists in the 'min-document' package prior to version 2.19.1, stemming from improper handling of namespace operations in the remove...
npm
No PRs yet
CSVTOJSON has a prototype pollution vulnerability
GHSA-vrw9-g62v-7fmf CVE-2025-57350 MODERATE 2 months ago
The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability ...
npm
3 Dependabot PRs
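Most of the prototype pollution entries above (algoliasearch-helper `_merge()`, dref `lib.set`, csvjson `toCsv`, spmrc `set`/`config`, json-schema-editor-visual, csvtojson and the rest) are one of two idioms: a recursive merge of untrusted JSON, or a dotted-path setter that walks keys from untrusted input. Both will happily walk into `__proto__` or `constructor.prototype` and write onto `Object.prototype`. The following is an added example written for this page, not the code of any listed package; it shows each idiom next to a hardened form, and the hardened merge also carries the depth cap that the express-xss-sanitizer unbounded-recursion entry calls for. Function names and the maximum depth are illustrative choices.

```javascript
// Added example (not the code of any package listed above): the two idioms
// behind most prototype pollution advisories, each next to a hardened form.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Idiom 1, vulnerable: recursive merge of untrusted JSON. JSON.parse turns
// {"__proto__":{...}} into an own property literally named __proto__, for..in
// visits it, target["__proto__"] evaluates to Object.prototype, and the
// recursion writes the attacker's keys there.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, reserved names refused, only plain objects are
// recursed into (never arrays, class instances or Object.prototype), and a
// depth cap so a deeply nested body cannot exhaust the stack.
function safeMerge(target, source, maxDepth = 32, depth = 0) {
  if (depth > maxDepth) throw new RangeError('merge nesting too deep');
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to merge key "${key}"`);
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value, maxDepth, depth + 1);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Idiom 2, vulnerable: dotted-path setter (the dref / spmrc shape).
// unsafeSet({}, "__proto__.polluted", 1) walks straight into Object.prototype.
function unsafeSet(obj, dottedPath, value) {
  const parts = dottedPath.split('.');
  let cur = obj;
  for (const p of parts.slice(0, -1)) {
    if (cur[p] === null || typeof cur[p] !== 'object') cur[p] = {};
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened: every segment is checked before anything is touched, and the
// walk only descends into own plain-object properties.
function safeSet(obj, dottedPath, value) {
  const parts = dottedPath.split('.');
  for (const p of parts) {
    if (p === '' || FORBIDDEN_KEYS.has(p)) throw new Error(`invalid path segment "${p}"`);
  }
  let cur = obj;
  for (const p of parts.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cur, p) || !isPlainObject(cur[p])) cur[p] = {};
    cur = cur[p];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}
```

Usage: after unsafeMerge({}, JSON.parse('{"__proto__":{"isAdmin":true}}')), every object in the process reports isAdmin === true; safeMerge throws on the same input and leaves Object.prototype untouched. Where the data shape allows it, storing untrusted keys in a Map or in objects created with Object.create(null) removes the prototype from reach entirely.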
Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink
GHSA-vh3f-qppr-j97f CVE-2025-59430 HIGH 2 months ago
### Summary The lack of sanitization of URLs protocols in the `createLink.openLink` function enables the execution of arbitrary JavaScript code wit...
npm
No PRs yet
Mailgen: HTML injection vulnerability in plaintext e-mails
GHSA-j2xj-h7w5-r7vp CVE-2025-59526 MODERATE 2 months ago
# HTML Injection and XSS Filter Bypass in Plaintext Emails ### Summary An HTML injection vulnerability in plaintext emails generated by Mailgen ha...
npm
No PRs yet
`git-comiters` Command Injection vulnerability
GHSA-g38c-wxjf-xrh6 CVE-2025-59831 HIGH 2 months ago
## Background on the vulnerability This vulnerability manifests with the library's primary exported API: `gitCommiters(options, callback)` which a...
npm
No PRs yet
@conventional-changelog/git-client has Argument Injection vulnerability
GHSA-vh25-5764-9wcr CVE-2025-59433 MODERATE 2 months ago
## Background on exploitation This vulnerability manifests with the library's `getTags()` API, which allows specifying extra parameters passed to ...
npm
10 Dependabot PRs
Codex has sandbox bypass due to bug in path configuration logic
GHSA-w5fx-fh39-j5rw CVE-2025-59532 HIGH 2 months ago
Due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated `cwd` as the sandbox’s writable root, including paths outs...
npm
No PRs yet
@digitalocean/do-markdownit has Type Confusion vulnerability
GHSA-2h8j-8r9p-849f CVE-2025-59717 MODERATE 2 months ago
### Overview A type confusion issue exists in the `@digitalocean/do-markdownit` package. In the `callout` and `fence_environment` plugins, the `all...
npm
No PRs yet
Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages
GHSA-m79r-r765-5f9j CVE-2025-59417 MODERATE 2 months ago
### Summary We identified a cross-site scripting (XSS) vulnerability when handling chat message in lobe-chat that can be escalated to remote code ...
npm
No PRs yet
@sequa-ai/sequa-mcp has Command Injection vulnerability
GHSA-9pw5-wx67-q964 CVE-2025-10619 MODERATE 2 months ago
A vulnerability was detected in sequa-ai sequa-mcp up to 1.0.13. This affects the function redirectToAuthorization of the file src/helpers/node-oau...
npm
No PRs yet
Parcel has an Origin Validation Error vulnerability
GHSA-qm9p-f9j5-w83w CVE-2025-56648 MODERATE 2 months ago
parcel versions 1.6.0 and above have an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's dev...
npm
No PRs yet
Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival
GHSA-p6jq-8vc4-79f6 CVE-2025-59414 LOW 2 months ago
### Summary A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requ...
npm
No PRs yet
matrix-js-sdk has insufficient validation when considering a room to be upgraded by another
GHSA-mp7c-m3rh-r56v CVE-2025-59160 MODERATE 2 months ago
### Impact matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in `MatrixClient::getJoinedRooms`, allowing a remote a...
npm
No PRs yet
@executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode
GHSA-65hm-pwj5-73pw CVE-2025-59333 HIGH 2 months ago
The MCP Server provided by ExecuteAutomation at https://github.com/executeautomation/mcp-database-server provides an MCP interface for agentic work...
npm
No PRs yet