Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617
Next.js Improper Middleware Redirect Handling Leads to SSRF
GHSA-4342-x723-ch2f CVE-2025-57822 MODERATE 3 months ago
A vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly pas...
npm
No PRs yet
AiondaDotCom mcp-ssh command injection vulnerability in SSH operations
GHSA-694p-3fxc-m92h CVE-2025-9654 MODERATE 3 months ago
A security flaw has been discovered in AiondaDotCom mcp-ssh up to 1.0.3. Affected by this issue is some unknown functionality of the file server-si...
npm
No PRs yet
Payload does not invalidate JWTs after log out
GHSA-5v66-m237-hwf7 CVE-2025-4643 MODERATE 3 months ago
Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted...
npm
No PRs yet
Payload's SQLite adapter Session Fixation vulnerability
GHSA-26rv-h2hf-3fw4 CVE-2025-4644 MODERATE 3 months ago
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could cr...
npm
No PRs yet
Volto affected by possible DoS by invoking specific URL by anonymous user
GHSA-xjhf-7833-3pm5 CVE-2025-58047 HIGH 3 months ago
### Impact
When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.
### Patches
The prob...
npm
No PRs yet
NodeBB SQL Injection vulnerability
GHSA-rfh2-8vxq-jqr8 CVE-2025-50979 HIGH 3 months ago
NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter is not p...
npm
No PRs yet
Malicious versions of Nx were published
GHSA-cxm3-wv7p-598c CVE-2025-10894 CRITICAL 3 months ago
## Summary
Malicious versions of the [`nx` package](https://www.npmjs.com/package/nx), as well as some supporting plugin packages, were published ...
npm
No PRs yet
devalue prototype pollution vulnerability
GHSA-vj54-72f3-p5jv CVE-2025-57820 HIGH 3 months ago
## 1. `devalue.parse` allows `__proto__` to be set
A string passed to `devalue.parse` could represent an object with a `__proto__` property, which...
npm
Dependabot PRs: 33 (24% merged)
GraphQL Armor Max-Depth Plugin Bypass via fragment caching
GHSA-224p-v68g-5g8f MODERATE 3 months ago
### Summary
A query depth restriction using the max-depth can be bypassed if `ignoreIntrospection` is enabled (which is the default configuration) ...
npm
No PRs yet
GraphQL Armor Max-Depth Plugin Bypass via Introspection Query Obfuscation
GHSA-hmfr-rx46-4jx2 MODERATE 3 months ago
### Summary
A query depth restriction using the `max-depth` property can be bypassed if `ignoreIntrospection` is enabled (which is the default conf...
npm
No PRs yet
jsPDF Denial of Service (DoS)
GHSA-8mvj-3j78-4qmw CVE-2025-57810 HIGH 3 months ago
### Impact
User control of the first argument of the addImage method results in CPU utilization and denial of service.
If given the possibility to...
npm
Dependabot PRs: 31
request-filtering-agent SSRF Bypass via HTTPS Requests to 127.0.0.1
GHSA-pw25-c82r-75mm CVE-2025-57814 MODERATE 3 months ago
request-filtering-agent versions 1.x.x and earlier contain a vulnerability where HTTPS requests to 127.0.0.1 bypass IP address filtering, while HTT...
npm
No PRs yet
Liferay Portal Reflected XSS in CKEditor 4.21.0 endpoint
GHSA-3h7r-4xxj-3mfm CVE-2025-43761 MODERATE 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.4, 20...
maven
npm
No PRs yet
@musistudio/claude-code-router has improper CORS configuration
GHSA-8hmm-4crw-vm2c CVE-2025-57755 HIGH 3 months ago
### Impact
Due to improper Cross-Origin Resource Sharing (CORS) configuration, there is a risk that user API Keys or equivalent credentials may be ...
npm
No PRs yet
vite-plugin-static-copy files not included in `src` are possible to access with a crafted request
GHSA-pp7p-q8fx-2968 CVE-2025-57753 MODERATE 3 months ago
### Summary
Files not included in `src` were possible to access with a crafted request.
### Impact
Only apps explicitly exposing the Vite dev ser...
npm
Dependabot PRs: 4
sha.js is missing type checks leading to hash rewind and passing on crafted data
GHSA-95m3-7q98-8xr5 CVE-2025-9288 CRITICAL 3 months ago
### Summary
This is the same as [GHSA-cpq7-6gpm-g9rc](https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc) but just ...
npm
Dependabot PRs: 3
cipher-base is missing type checks, leading to hash rewind and passing on crafted data
GHSA-cpq7-6gpm-g9rc CVE-2025-9287 CRITICAL 3 months ago
### Summary
This affects e.g. `create-hash` (and `crypto-browserify`), so I'll describe the issue against that package
Also affects `create-hmac` ...
npm
No PRs yet
wong2 mcp-cli Command Injection Vulnerability
GHSA-p6rm-483j-37jf CVE-2025-9262 LOW 3 months ago
A flaw has been found in wong2 mcp-cli 1.13.0. Affected is the function redirectToAuthorization of the file /src/oauth/provider.js of the component...
npm
No PRs yet
x402 SDK vulnerable in outdated versions in resource servers for builders
GHSA-3j63-5h8p-gf7c HIGH 3 months ago
### Impact
There is a security vulnerability in outdated versions of the x402 SDK. This does not directly affect users' keys, smart contracts, or f...
npm
No PRs yet
n8n symlink traversal vulnerability in "Read/Write File" node allows access to restricted files
GHSA-ggjm-f3g4-rwmm CVE-2025-57749 MODERATE 3 months ago
### Impact
A symlink traversal vulnerability was discovered in the `Read/Write File` node in n8n. While the node attempts to restrict access to sen...
npm
No PRs yet
Directus allows unauthenticated file upload and file modification due to lacking input sanitization
GHSA-mv33-9f6j-pfmc CVE-2025-55746 CRITICAL 3 months ago
## Summary
A vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary conte...
npm
No PRs yet
elysia-cors Origin Validation Error
GHSA-f9qj-4c5x-cpcw CVE-2025-50864 MODERATE 3 months ago
An Origin Validation Error in the elysia-cors library through 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The ...
npm
No PRs yet
screenshot-desktop vulnerable to command Injection via `format` option
GHSA-gjx4-2c7g-fm94 CVE-2025-55294 CRITICAL 3 months ago
## Impact
This vulnerability is a **command injection** issue.
When user-controlled input is passed into the `format` option of the screenshot fu...
npm
No PRs yet
Mermaid improperly sanitizes sequence diagram labels leading to XSS
GHSA-7rqq-prvp-x9jh CVE-2025-54881 MODERATE 3 months ago
### Summary
In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to `innerHTML` during calcula...
npm
No PRs yet
Mermaid does not properly sanitize architecture diagram iconText leading to XSS
GHSA-8gwm-58g9-j8pw CVE-2025-54880 MODERATE 3 months ago
### Summary
In the default configuration of mermaid 11.9.0, user supplied input for architecture diagram icons is passed to the d3 `html()` method,...
npm
Dependabot PRs: 3
Astro allows unauthorized third-party images in _image endpoint
GHSA-xf8x-j4p2-f749 CVE-2025-55303 MODERATE 3 months ago
### Summary
In affected versions of `astro`, the image optimization endpoint in projects deployed with on-demand rendering allows images from unau...
npm
No PRs yet
Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source
GHSA-hfmv-hhh3-43f2 CVE-2025-52478 HIGH 3 months ago
### Impact
A stored **Cross-Site Scripting (XSS)** vulnerability was identified in [n8n](https://github.com/n8n-io/n8n), specifically in the **For...
npm
No PRs yet
Claude Code's Permissive Default Allowlist Enables Unauthorized File Read and Network Exfiltration in Claude Code
GHSA-x5gv-jw7f-j6xj CVE-2025-55284 HIGH 3 months ago
Due to an overly broad allowlist of safe commands, it was possible to bypass the Claude Code confirmation prompts to read a file and then send file...
npm
No PRs yet
ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/users.js
GHSA-q4rg-7cjj-5r86 CVE-2025-9095 MODERATE 3 months ago
A cross-site scripting (XSS) issue exists in ExpressGateway up to 1.16.10 in the REST endpoint implemented in lib/rest/routes/users.js. User-contro...
npm
No PRs yet
ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/apps.js
GHSA-xfp8-x3j6-h67v CVE-2025-9096 MODERATE 3 months ago
A cross-site scripting (XSS) issue exists in ExpressGateway ≤ 1.16.10 in lib/rest/routes/apps.js. User-controlled data returned by the REST endpoin...
npm
No PRs yet
Template Secret leakage in logs in Scaffolder when using `fetch:template`
GHSA-3x3q-ghcp-whf7 CVE-2025-55285 LOW 4 months ago
A logging flaw in Backstage Scaffolder’s `fetch:template` action up to `@backstage/plugin-scaffolder-backend` **2.1.0** may write template secrets ...
npm
No PRs yet
@astrojs/node's trailing slash handling causes open redirect issue
GHSA-9x9c-ghc5-jhw9 CVE-2025-55207 MODERATE 4 months ago
### Summary
Following https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in ...
npm
No PRs yet
Flowise OS command remote code execution
GHSA-2vv2-3x8x-4gv7 CVE-2025-8943 CRITICAL 4 months ago
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's i...
npm
No PRs yet
content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE
GHSA-w2cq-g8g3-gm83 CVE-2025-55164 HIGH 4 months ago
### Impact
A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if you provide a policy name called `__proto__` you ca...
npm
No PRs yet
Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers
GHSA-r3v7-pc4g-7xp9 CVE-2025-55152 MODERATE 4 months ago
### Summary
With specially crafted value of the `x-forwarded-proto` or `x-forwarded-for` headers, it's possible to significantly slow down an oak ...
npm
No PRs yet
HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit
GHSA-xcxh-6cv4-q8p8 LOW 4 months ago
### Summary
When adding a "web link" to the HFS virtual filesystem, the frontend opens it with `target="_blank"` but without the `rel="noopener nor...
npm
No PRs yet
The AuthKit Remix Library renders sensitive auth data in HTML
GHSA-v3gr-w9gf-23cx CVE-2025-55009 HIGH 4 months ago
### Summary
Before `0.15.0`, `@workos-inc/authkit-remix` returned sensitive authentication artifacts from the `authkitLoader`, specifically `seale...
npm
No PRs yet
The AuthKit React Router Library rendered sensitive auth data in HTML
GHSA-vqvc-9q8x-vmq6 CVE-2025-55008 HIGH 4 months ago
In versions before `0.7.0`, `@workos-inc/authkit-react-router` exposed sensitive authentication artifacts — specifically `sealedSession` and `acces...
npm
No PRs yet
@fedify/fedify has Improper Authentication and Incorrect Authorization
GHSA-6jcc-xgcr-q3h4 CVE-2025-54888 HIGH 4 months ago
### Summary
An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged acti...
npm
Dependabot PRs: 2 (50% merged)
Astro's duplicate trailing slash feature leads to an open redirection security issue
GHSA-cq8c-xv66-36gw CVE-2025-54793 MODERATE 4 months ago
## Summary
There is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows...
npm
No PRs yet
The Thinbus JavaScript Secure Remote Password (SRP) Client Generates Fewer Bits of Entropy Than Intended
GHSA-8q6v-474h-whgg CVE-2025-54885 MODERATE 4 months ago
### Impact
A protocol compliance bug in thinbus-srp-npm versions prior to 2.0.1 causes the client to generate a fixed 252 bits of entropy instead o...
npm
No PRs yet
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
GHSA-52f5-9888-hmc6 CVE-2025-54798 LOW 4 months ago
### Summary
`tmp@0.2.3` is vulnerable to an Arbitrary temporary file / directory write via symbolic link `dir` parameter.
### Details
According...
npm
Dependabot PRs: 7,279 (20% merged)
mcp-package-docs vulnerable to command injection in several tools
GHSA-vf9j-h32g-2764 CVE-2025-54073 HIGH 4 months ago
### Summary
A command injection vulnerability exists in the `mcp-package-docs` MCP Server. The vulnerability is caused by the unsanitized use of i...
npm
No PRs yet
js-toml Prototype Pollution Vulnerability
GHSA-65fc-cr5f-v7r2 CVE-2025-54803 HIGH 4 months ago
A prototype pollution vulnerability in `js-toml` allows a remote attacker to add or modify properties of the global `Object.prototype` by parsing a...
npm
No PRs yet
Claude Code echo command allowed bypass of user approval prompt for command execution
GHSA-x56v-x2h6-7j34 CVE-2025-54795 HIGH 4 months ago
Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Rel...
npm
No PRs yet
Claude Code Research Preview has a Path Restriction Bypass which could allow unauthorized file access
GHSA-pmw4-pwvc-3hx2 CVE-2025-54794 HIGH 4 months ago
Due to a path validation flaw using prefix matching instead of canonical path comparison, it was possible to bypass directory restrictions and acce...
npm
No PRs yet
IPX Allows Path Traversal via Prefix Matching Bypass
GHSA-mm3p-j368-7jcr CVE-2025-54387 MODERATE 4 months ago
### Summary
The approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directori...
npm
No PRs yet
@nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers
GHSA-85cg-cmq5-qjm7 CVE-2025-54782 CRITICAL 4 months ago
## Summary
A critical Remote Code Execution (RCE) vulnerability was discovered in the `@nestjs/devtools-integration` package. When enabled, the pac...
npm
No PRs yet
@nyariv/sandboxjs has Prototype Pollution vulnerability that may lead to RCE
GHSA-9qm3-6qrr-c76m CVE-2025-34146 HIGH 4 months ago
A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.p...
npm
No PRs yet
GitProxy Hidden Commits Injection
GHSA-v98g-8rqx-g93g CVE-2025-54586 HIGH 4 months ago
### Summary
An attacker can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden...
npm
No PRs yet