An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,785 Total Advisories

1,792 With Dependabot PRs

3,506 Critical Severity

8,617 High Severity

GitProxy New Branch Approval Exploit
GHSA-39p2-8hq9-fwj6 CVE-2025-54585 HIGH 4 months ago
Summary: An attacker can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch. Bec...
npm
No PRs yet
GitProxy Packfile Parsing Exploit
GHSA-xxmh-rf63-qwjv CVE-2025-54584 HIGH 4 months ago
Summary: An attacker can craft a malicious Git packfile to exploit the PACK signature detection in the `parsePush.ts`. By embedding a misleading...
npm
No PRs yet
GitProxy Approval Bypass When Pushing Multiple Branches
GHSA-qr93-8wwf-22g4 CVE-2025-54583 HIGH 4 months ago
Summary: This vulnerability allows a user to push to the remote repository while bypassing policies and explicit approval. Since checks and plug...
npm
No PRs yet
Koa Open Redirect via Referrer Header (User-Controlled)
GHSA-jgmv-j7ww-jx2x CVE-2025-8129 LOW 4 months ago
Summary: In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-contro...
npm
33 Dependabot PRs (3% merged)
Node-SAML SAML Signature Verification Vulnerability
GHSA-4mxg-3p6v-xgq3 CVE-2025-54419 CRITICAL 4 months ago
Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking sign...
npm
No PRs yet
webfinger.js Blind SSRF Vulnerability
GHSA-8xq3-w9fx-74rv CVE-2025-54590 MODERATE 4 months ago
Description: The lookup function takes a user address for checking accounts as a feature, however, as per the ActivityPub spec (https://www.w3.o...
npm
No PRs yet
ssrfcheck has Incomplete IP Address Deny List that leads to Server-Side Request Forgery Vulnerability
GHSA-c2fv-2fmj-9xrx CVE-2025-8267 HIGH 4 months ago
Versions of the package ssrfcheck below 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete denylist of IP address rang...
npm
No PRs yet
Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
GHSA-95jq-xph2-cx9h CVE-2025-8101 HIGH 4 months ago
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting...
npm
No PRs yet
HAX CMS API Lacks Authorization Checks
GHSA-9jr9-8ff3-m894 CVE-2025-54378 HIGH 4 months ago
Summary: The HAX CMS API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CM...
npm packagist
No PRs yet
Node-SAML SAML Authentication Bypass
GHSA-m837-g268-mmv7 CVE-2025-54369 CRITICAL 4 months ago
Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking sign...
npm
No PRs yet
files-bucket-server vulnerable to Directory Traversal
GHSA-3r3j-4vrw-884j CVE-2025-8021 HIGH 4 months ago
All versions of the package files-bucket-server are vulnerable to Directory Traversal, where an attacker can traverse the file system and access fi...
npm
No PRs yet
private-ip vulnerable to Server-Side Request Forgery
GHSA-9h3q-32c7-r533 CVE-2025-8020 HIGH 4 months ago
All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF), where an attacker can provide an IP or hostname that r...
npm
No PRs yet
HAX CMS application pages vulnerable to clickjacking
GHSA-54vw-f4xf-f92j CVE-2025-54139 MODERATE 4 months ago
Summary: All pages within the HAX CMS application do not contain headers to stop other websites from loading the site within an iframe. This ap...
npm packagist
No PRs yet
NodeJS version of the HAX CMS application is distributed with Default Secrets
GHSA-5fpv-5qvh-7cf3 CVE-2025-54137 HIGH 4 months ago
Summary: The NodeJS version of the HAX CMS application is distributed with hardcoded default credentials for the user and superuser accounts. A...
npm
No PRs yet
HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service
GHSA-pjj3-j5j6-qj27 CVE-2025-54134 HIGH 4 months ago
Summary: The HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vul...
npm
No PRs yet
NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting
GHSA-59g8-h59f-8hjp CVE-2025-54128 HIGH 4 months ago
Summary: The NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application...
npm
No PRs yet
NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access
GHSA-f38f-jvqj-mfg6 CVE-2025-54127 CRITICAL 4 months ago
Summary: The NodeJS version of HAX CMS uses an insecure default configuration designed for local development. The default configuration does not...
npm
No PRs yet
form-data uses unsafe random function in form-data for choosing boundary
GHSA-fjxv-7rqg-78g4 CVE-2025-7783 CRITICAL 4 months ago
Summary: form-data uses `Math.random()` to select a boundary value for multipart form-encoded data. This can lead to a security issue if an att...
npm
313 Dependabot PRs (17% merged)
Alchemy Non-SMA and Webauthn Account Security Advisory
GHSA-56r6-ccm5-8hg3 HIGH 4 months ago
Impact: A potential security issue has been mitigated on old account deployment functions from the factory. Smart wallets in use on all existing...
npm
No PRs yet
@translated/lara-mcp vulnerable to command injection in import_tmx tool
GHSA-xj5p-8h7g-76m7 CVE-2025-53832 HIGH 4 months ago
Summary: A command injection vulnerability exists in the `@translated/lara-mcp` MCP Server. The vulnerability is caused by the unsanitized use ...
npm
No PRs yet
Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering
GHSA-cj6r-rrr9-fg82 CVE-2025-54075 HIGH 4 months ago
Summary: A remote script-inclusion / stored XSS vulnerability in @nuxtjs/mdc lets a Markdown author inject a `<base href="https://attack...
npm
38 Dependabot PRs (23% merged)
eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code
GHSA-f29h-pxvx-f335 CVE-2025-54313 HIGH 4 months ago
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package ...
npm
No PRs yet
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
GHSA-xffm-g5w8-qvg7 LOW 4 months ago
Summary: The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only a...
npm
No PRs yet
OpenZeppelin Contracts Bytes's lastIndexOf function with position argument performs out-of-bound memory access on empty buffers
GHSA-9rcw-c2f9-2j55 CVE-2025-54070 MODERATE 4 months ago
Impact: The `lastIndexOf(bytes,byte,uint256)` function of the `Bytes.sol` library may access uninitialized memory when the following two condit...
npm
No PRs yet
on-headers is vulnerable to http response header manipulation
GHSA-76c9-3jph-rj3q CVE-2025-7339 LOW 4 months ago
Impact: A bug in on-headers versions `< 1.1.0` may result in response headers being inadvertently modified when an array is passed to `response...
npm
50405 Dependabot PRs (5% merged)
Multer vulnerable to Denial of Service via unhandled exception from malformed request
GHSA-fjgf-rc76-4x9p CVE-2025-7338 HIGH 4 months ago
Impact: A vulnerability in Multer versions >= 1.4.4-lts.1, < 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malform...
npm
1953 Dependabot PRs (26% merged)
DiracX-Web is vulnerable to attack through an Open Redirect on its login page
GHSA-hfj7-542q-8fvv CVE-2025-54066 MODERATE 4 months ago
Summary: An attacker can forge a request to redirect an authenticated user to any arbitrary website. Details: On the login page, we have a...
npm
No PRs yet
vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes
GHSA-x8qp-wqqm-57ph CVE-2025-53892 MODERATE 5 months ago
Summary: The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated paramete...
npm
1161 Dependabot PRs (4% merged)
GitHub Kanban MCP Server vulnerable to Command Injection
GHSA-6jx8-rcjx-vmwf CVE-2025-53818 HIGH 5 months ago
The MCP Server at https://github.com/Sunwood-ai-labs/github-kanban-mcp-server/ is written in a way that is vulnerable to command injection vulnerab...
npm
No PRs yet
Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows
GHSA-7cvf-pxgp-42fc CVE-2025-53889 MODERATE 5 months ago
Summary: Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as ...
npm
No PRs yet
Directus' exact version number is exposed by the OpenAPI Spec
GHSA-rmjh-cf9q-pv7q CVE-2025-53887 MODERATE 5 months ago
Summary: The exact Directus version number is incorrectly being used as the OpenAPI Spec version; this means that it is being exposed by the `/serve...
npm
No PRs yet
Directus tokens are not redacted in flow logs, exposing session credentials to all admins
GHSA-f24x-rm6g-3w5v CVE-2025-53886 MODERATE 5 months ago
Summary: When using Directus Flows with the WebHook trigger, all incoming request details are logged including security sensitive data like acc...
npm
No PRs yet
Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged
GHSA-x3vm-88hf-gpxp CVE-2025-53885 MODERATE 5 months ago
Summary: When using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console...
npm
No PRs yet
Better Call routing bug can lead to Cache Deception
GHSA-hq75-xg7r-rx6c MODERATE 5 months ago
Summary: Using a CDN that caches (`/**/*.png`, `/**/*.json`, `/**/*.css`, etc...) requests, a cache deception can emerge. This could lead to un...
npm
No PRs yet
@pdfme/common vulnerable to XSS and Prototype Pollution through its expression evaluation
GHSA-54xv-94qv-2gfg CVE-2025-53626 MODERATE 5 months ago
Summary: The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and p...
npm
No PRs yet
Parse Server exposes the data schema via GraphQL API
GHSA-48q3-prgv-gm4w CVE-2025-53364 MODERATE 5 months ago
Impact: The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key...
npm
28 Dependabot PRs (7% merged)
docusaurus-plugin-content-gists vulnerability exposes GitHub Personal Access Token
GHSA-qf34-qpr4-5pph CVE-2025-53624 CRITICAL 5 months ago
GitHub Personal Access Token Exposure in docusaurus-plugin-content-gists. Summary: docusaurus-plugin-content-gists versions prior to 4.0.0 a...
npm
No PRs yet
Qwik's unhandled exception vulnerability can cause server crashes from malicious requests
GHSA-qr9h-j6xg-2j72 CVE-2025-53620 CRITICAL 5 months ago
Summary: Possibility to craft a request that will crash the Qwik Server in the default configuration. Details: When a Qwik Server Action Q...
npm
No PRs yet
@clerk/backend Performs Insufficient Verification of Data Authenticity
GHSA-9mp4-77wg-rwx9 CVE-2025-53548 HIGH 5 months ago
Impact: Applications that use the `verifyWebhook()` helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed web...
npm
No PRs yet
mcp-remote exposed to OS command injection via untrusted MCP server connections
GHSA-6xpm-ggf7-wc3p CVE-2025-6514 CRITICAL 5 months ago
mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint respons...
npm
1 Dependabot PR
MCP Server Kubernetes vulnerable to command injection in several tools
GHSA-gjv4-ghm7-q58q CVE-2025-53355 HIGH 5 months ago
Summary: A command injection vulnerability exists in the `mcp-server-kubernetes` MCP Server. The vulnerability is caused by the unsanitized use...
npm
No PRs yet
Cloudflare Vite plugin exposes secrets over the built-in dev server
GHSA-4pfg-2mw5-f8jx CVE-2025-59427 MODERATE 5 months ago
Summary: Note: originally posted on H1 (https://hackerone.com/reports/3117837) but closed. Cross-posting over to here in an abundance of caution ...
npm
No PRs yet
Node.js Sandbox MCP Server vulnerability can lead to Sandbox Escape via Command Injection
GHSA-5w57-2ccq-8w95 CVE-2025-53372 HIGH 5 months ago
Summary: A command injection vulnerability exists in the `node-code-sandbox-mcp` MCP Server. The vulnerability is caused by the unsanitized use...
npm
No PRs yet
Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes
GHSA-36rg-gfq2-3h56 CVE-2025-53535 LOW 5 months ago
Summary: An open redirect has been found in the `originCheck` middleware function, which affects the following routes: `/verify-email`, `/reset...
npm
No PRs yet
Next.JS vulnerability can lead to DoS via cache poisoning
GHSA-67rr-84xm-4c7r CVE-2025-49826 HIGH 5 months ago
Summary: A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug lea...
npm
No PRs yet
Next.js has a Cache poisoning vulnerability due to omission of the Vary header
GHSA-r2fc-ccr8-96c4 CVE-2025-49005 LOW 5 months ago
Summary: A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place...
npm
No PRs yet
n8n is vulnerable to Improper Authorization through its `/stop` endpoint
GHSA-gq57-v332-7666 CVE-2025-52554 MODERATE 5 months ago
Summary: An authorization vulnerability was discovered in the `/rest/executions/:id/stop` endpoint of n8n. An authenticated user can stop workfl...
npm
No PRs yet
tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript
GHSA-q43x-79jr-cq98 CVE-2025-48939 MODERATE 5 months ago
A vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual `<scrip...
npm
No PRs yet
n8n Vulnerable to Denial of Service via Malformed Binary Data Requests
GHSA-pr9r-gxgp-9rm8 CVE-2025-49595 MODERATE 5 months ago
Summary: Denial of Service vulnerability in `/rest/binary-data` endpoint when processing empty filesystem URIs (`filesystem://` or `filesystem-v2...
npm
No PRs yet
@modelcontextprotocol/server-filesystem vulnerability allows for path validation bypass via colliding path prefix
GHSA-hc55-p739-j48w CVE-2025-53110 HIGH 5 months ago
Versions of Filesystem prior to 0.6.3 & 2025.7.1 could allow access to unintended files in cases where the prefix matches an allowed directory. Use...
npm
No PRs yet