An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,785 Total Advisories
1,792 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity

@modelcontextprotocol/server-filesystem allows for path validation bypass via prefix matching and symlink handling
GHSA-q66q-fx2p-7w4m CVE-2025-53109 HIGH 5 months ago
Versions of Filesystem prior to 0.6.3 & 2025.7.1 could allow access to unintended files via symlinks within allowed directories. Users are advised ...
npm
No PRs yet
@cyanheads/git-mcp-server vulnerable to command injection in several tools
GHSA-3q26-f695-pp76 CVE-2025-53107 HIGH 5 months ago
Summary: A command injection vulnerability exists in the `git-mcp-server` MCP Server. The vulnerability is caused by the unsanitized use of inp...
npm
No PRs yet
Electron vulnerable to Heap Buffer Overflow in NativeImage
GHSA-6r2x-8pq8-9489 CVE-2024-46993 MODERATE 5 months ago
Impact: The `nativeImage.createFromPath()` and `nativeImage.createFromBuffer()` functions call a function downstream that is vulnerable to a hea...
npm
No PRs yet
string-math's string-math.js vulnerability can cause Regex Denial of Service (ReDoS)
GHSA-994j-5c83-r424 CVE-2025-45143 LOW 5 months ago
string-math v1.2.2 was discovered to contain a Regex Denial of Service (ReDoS) which is exploited via a crafted input.
npm
No PRs yet
electron ASAR Integrity bypass by just modifying the content
GHSA-xw5q-g62x-2qjc CVE-2024-46992 HIGH 5 months ago
Electron's ASAR Integrity can be bypassed by modifying the content. Impact: This only impacts apps that have the `embeddedAsarIntegrityValidation...
npm
No PRs yet
tiny-secp256k1 allows for verify() bypass when running in bundled environment
GHSA-5vhg-9xg4-cv9m CVE-2024-49365 HIGH 5 months ago
Summary: A malicious JSON-stringifyable message can be made to pass `verify()`, when global Buffer is [`buffer` package](https://www.npmjs.c...
npm
No PRs yet
tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment
GHSA-7mc2-6phr-23xc CVE-2024-49364 HIGH 5 months ago
Summary: A private key can be extracted when signing a malicious JSON-stringifiable object, when global Buffer is [`buffer` package](https://www.np...
npm
No PRs yet
Taylor has race condition in /get-patch that allows purchase token replay
GHSA-vh5j-5fhq-9xwg LOW 5 months ago
Hi team, I was looking at the recent fix and you limited the exploitability of race conditions but unfortunately it is still possible to exploit t...
npm
No PRs yet
n8n allows open redirects via the /signin endpoint
GHSA-5vj6-wjr7-5v9f CVE-2025-49592 MODERATE 5 months ago
Impact: This is an Open Redirect (CWE-601) vulnerability in the login flow of n8n. Authenticated users can be redirected to untrusted, attacker...
npm
No PRs yet
iOS Simulator MCP Command Injection allowed via exec API
GHSA-6f6r-m9pv-67jw CVE-2025-52573 MODERATE 5 months ago
Command Injection in MCP Server: The MCP Server at https://github.com/joshuayoes/ios-simulator-mcp/ is written in a way that is vulnerable to com...
npm
No PRs yet
Snyk CLI Insertion of Sensitive Information into Log File allowed in DEBUG or DEBUG/TRACE mode
GHSA-6hwc-9h8r-3vmf CVE-2025-6624 LOW 5 months ago
Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through local Snyk CLI debug logs. ...
go npm
No PRs yet
pbkdf2 silently disregards Uint8Array input, returning static keys
GHSA-v62p-rq8g-8h59 CVE-2025-6547 CRITICAL 5 months ago
Summary: On historic but still declared-as-supported Node.js versions (0.12-2.x), pbkdf2 silently disregards Uint8Array input. This only affects Node...
npm
2 Dependabot PRs, 50% merged
pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
GHSA-h7cp-r72f-jxh6 CVE-2025-6545 CRITICAL 5 months ago
Summary: This affects both: 1. Unsupported algos (e.g. `sha3-256` / `sha3-512` / `sha512-256`) 2. Supported but non-normalized algos (e.g. `S...
npm
2 Dependabot PRs, 50% merged
Claude Code Improper Authorization via websocket connections from arbitrary origins
GHSA-9f65-56v6-gxw7 CVE-2025-52882 HIGH 5 months ago
Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) ...
npm
No PRs yet
Taylored webhook validation vulnerabilities
GHSA-8g98-m4j9-qww5 CRITICAL 5 months ago
Critical Security Advisory for Taylored npm package v7.0.7 - tag 7.0.5. Summary: A series of moderate to high-severity security vulnerabil...
npm
No PRs yet
OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer
GHSA-2hw3-h8qx-hqqp CVE-2025-50183 MODERATE 5 months ago
XSS via `.py` file containing a script tag interpreted as HTML. Summary: A vulnerability exists in the file preview/browsing feature of the applic...
npm
No PRs yet
OpenNext for Cloudflare (opennextjs-cloudflare) has a SSRF vulnerability via /_next/image endpoint
GHSA-rvpw-p7vw-wj3m CVE-2025-6087 HIGH 6 months ago
A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplem...
npm
No PRs yet
MCP Inspector proxy server lacks authentication between the Inspector client and proxy
GHSA-7f8r-222p-6f5g CVE-2025-49596 CRITICAL 6 months ago
Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy...
npm
No PRs yet
pg-promise SQL Injection vulnerability
GHSA-ff9h-848c-4xfj CVE-2025-29744 MODERATE 6 months ago
pg-promise before 11.5.5 is vulnerable to SQL Injection due to improper handling of negative numbers.
npm
No PRs yet
@nx/azure-cache Vulnerable to Build Cache Poisoning via Untrusted Pull Requests
GHSA-rrr2-jcr8-7q3x CVE-2025-36852 CRITICAL 6 months ago
A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache (such as those usi...
npm
No PRs yet
Erxes Path Traversal vulnerability
GHSA-2977-5php-6789 CVE-2024-57189 MODERATE 6 months ago
In Erxes <1.6.2, an authenticated attacker can write to arbitrary files on the system using a Path Traversal vulnerability in the importHistoriesCr...
npm
No PRs yet
Erxes Path Traversal vulnerability
GHSA-rq9r-qvwg-829q CVE-2024-57186 HIGH 6 months ago
In Erxes <1.6.2, an unauthenticated attacker can read arbitrary files from the system using a Path Traversal vulnerability in the /read-file endpoi...
npm
No PRs yet
Erxes Incorrect Access Control vulnerability
GHSA-7rhv-xm4q-wh42 CVE-2024-57190 HIGH 6 months ago
Erxes <1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any u...
npm
No PRs yet
@vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability
GHSA-79vf-hf9f-j9q8 CVE-2025-5897 MODERATE 6 months ago
A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file...
npm
No PRs yet
taro-css-to-react-native Regular Expression Denial of Service vulnerability
GHSA-f5xg-cfpj-2mw6 CVE-2025-5896 MODERATE 6 months ago
A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro...
npm
No PRs yet
pm2 Regular Expression Denial of Service vulnerability
GHSA-x5gf-qvw8-r2rm CVE-2025-5891 LOW 6 months ago
A vulnerability classified as problematic was found in Unitech pm2 up to 6.0.8. This vulnerability affects unknown code of the file /lib/tools/Conf...
npm
No PRs yet
brace-expansion Regular Expression Denial of Service vulnerability
GHSA-v6h2-p8h4-qcjw CVE-2025-5889 LOW 6 months ago
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue ...
npm
19 Dependabot PRs, 52% merged
HaxCMS-PHP Command Injection Vulnerability
GHSA-g4cf-pp4x-hqgw CVE-2025-49141 HIGH 6 months ago
Summary: The 'gitImportSite' functionality obtains a URL string from a POST request and insufficiently validates user input. The 'set_remote' fu...
npm
No PRs yet
@haxtheweb/haxcms-nodejs Iframe Phishing vulnerability
GHSA-v3ph-2q5q-cg88 CVE-2025-49139 MODERATE 6 months ago
Summary: In the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a t...
npm
No PRs yet
react-native-keys insecurely stores encryption cipher and Base64 chunks
GHSA-fj44-h6xw-896g CVE-2025-45001 HIGH 6 months ago
react-native-keys 0.7.11 is vulnerable to sensitive information disclosure (remote) as encryption cipher and Base64 chunks are stored as plaintext ...
npm
No PRs yet
Multer vulnerable to Denial of Service via unhandled exception
GHSA-g5hg-p3ph-g8qg CVE-2025-48997 HIGH 6 months ago
Impact: A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload f...
npm
3692 Dependabot PRs, 21% merged
Unauthenticated Disclosure of PSU HAX CMS Site Listings via haxPsuUsage API Endpoint
GHSA-fvx2-x7ff-fc56 CVE-2025-48996 MODERATE 6 months ago
Summary: An unauthenticated information disclosure vulnerability exists in the PSU deployment of HAX CMS via the `haxPsuUsage` API endpoint....
npm
No PRs yet
NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies
GHSA-f3fg-mf2q-fj3f CVE-2025-48947 HIGH 6 months ago
Overview: In Auth0 Next.js SDK versions 4.0.1 to 4.6.0, __session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Con...
npm
27 Dependabot PRs, 19% merged
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
GHSA-9jgg-88mc-972h CVE-2025-30360 MODERATE 6 months ago
Summary: Source code may be stolen when you access a malicious web site with a non-Chromium based browser. Details: The `Origin` header is che...
npm
No PRs yet
webpack-dev-server users' source code may be stolen when they access a malicious web site
GHSA-4v9v-hfq4-rm2v CVE-2025-30359 MODERATE 6 months ago
Summary: Source code may be stolen when you access a malicious web site. Details: Because the request for a classic script by a script tag is ...
npm
No PRs yet
AngularJS Incomplete Filtering of Special Elements vulnerability
GHSA-4p4w-6hg8-63wx CVE-2025-2336 MODERATE 6 months ago
Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS's 'ngSanitize' module allows at...
npm
No PRs yet
billboard.js allows prototype pollution via the function generate
GHSA-65p9-j6pg-72hj CVE-2025-49223 CRITICAL 6 months ago
billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitr...
npm
No PRs yet
tar-fs can extract outside the specified dir with a specific tarball
GHSA-8cj5-5rvv-wf4v CVE-2025-48387 HIGH 6 months ago
Impact: v3.0.8, v2.1.2, v1.16.4 and below. Patches: Has been patched in 3.0.9, 2.1.3, and 1.16.5. Workarounds: You can use the ignore opt...
npm
No PRs yet
Markdownify MCP Server allows Server-Side Request Forgery (SSRF) via the Markdownify.get() function
GHSA-frq9-3hp2-xvxg CVE-2025-5276 MODERATE 6 months ago
All versions of the package mcp-markdownify-server are vulnerable to Server-Side Request Forgery (SSRF) via the Markdownify.get() function. An atta...
npm
No PRs yet
Markdownify MCP Server allows attackers to read arbitrary files
GHSA-22v8-p7h2-rj7p CVE-2025-5273 MODERATE 6 months ago
All versions of the package mcp-markdownify-server are vulnerable to Files or Directories Accessible to External Parties via the get-markdown-file ...
npm
No PRs yet
Information exposure in Next.js dev server due to lack of origin verification
GHSA-3h52-269p-cp9r CVE-2025-48068 LOW 6 months ago
Summary: A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code expos...
npm
No PRs yet
auth-js Vulnerable to Insecure Path Routing from Malformed User Input
GHSA-8r88-6cj9-9fh5 CVE-2025-48370 LOW 6 months ago
Impact: The library functions `getUserById`, `deleteUser`, `updateUserById`, `listFactors` and `deleteFactor` did not require the user supplied ...
npm
7 Dependabot PRs, 14% merged
Strapi allows Server-Side Request Forgery in Webhook function
GHSA-v8wj-f5c7-pvxf CVE-2024-52588 MODERATE 6 months ago
Description: In the latest Strapi version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webhook con...
npm
No PRs yet
radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
GHSA-2xv9-ghh9-xc69 CVE-2025-48054 MODERATE 6 months ago
Impact: This is a prototype pollution vulnerability. It impacts users of the `set` function within the Radashi library. If an attacker can cont...
npm
No PRs yet
Marked allows Regular Expression Denial of Service (ReDoS) attacks
GHSA-p9wx-2529-fp83 CVE-2018-25110 MODERATE 6 months ago
Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several r...
npm
No PRs yet
samlify SAML Signature Wrapping attack
GHSA-r683-v43c-6xqv CVE-2025-47949 CRITICAL 6 months ago
A Signature Wrapping attack has been found in samlify <v2.10.0, allowing an attacker to forge a SAML Response to authenticate as any user. An atta...
npm
11 Dependabot PRs, 18% merged
Multer vulnerable to Denial of Service from maliciously crafted requests
GHSA-4pg4-qvpc-4q3h CVE-2025-47944 HIGH 6 months ago
Impact: A vulnerability in Multer versions >=1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-pa...
npm
3797 Dependabot PRs, 21% merged
Multer vulnerable to Denial of Service via memory leaks from unclosed streams
GHSA-44fp-w29j-9vj5 CVE-2025-47935 HIGH 6 months ago
Impact: Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request strea...
npm
4215 Dependabot PRs, 21% merged
OpenPGP.js's message signature verification can be spoofed
GHSA-8qff-qr5q-5pr8 CVE-2025-47934 HIGH 6 months ago
Impact: A maliciously modified message can be passed to either `openpgp.verify` or `openpgp.decrypt`, causing these functions to return a valid ...
npm
131 Dependabot PRs, 22% merged
Cocotais Bot has builtin .echo command injection
GHSA-mj2c-8hxf-ffvq CVE-2025-47948 MODERATE 6 months ago
Summary: A command echoing feature in the framework allows users to indirectly trigger privileged behavior by injecting special platform tags....
npm
No PRs yet