Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617
lockfile-lint-api Vulnerable to Incorrect Behavior Order
GHSA-7cfr-5cjf-32p4 CVE-2025-4759 MODERATE 7 months ago
Versions of the package lockfile-lint-api before 5.9.2 are vulnerable to Incorrect Behavior Order: Early Validation via the resolved attribute of t...
npm
No PRs yet
Meteor Affected By Inefficient Regular Expression Complexity
GHSA-j3v9-6gc7-vf5f CVE-2025-4727 MODERATE 7 months ago
A vulnerability was found in Meteor up to 3.2.1 and classified as problematic. This issue affects the function Object.assign of the file packages/d...
npm
164 Dependabot PRs, 21% merged
Bootstrap Vulnerable to Cross-Site Scripting in its Popover and Tooltip Components
GHSA-q58r-hwc8-rm9j CVE-2025-1647 MODERATE 7 months ago
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting ...
npm
No PRs yet
undici Denial of Service attack via bad certificate data
GHSA-cxrh-j4jr-qwg3 CVE-2025-47279 LOW 7 months ago
### Impact
Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certifi...
npm
146 Dependabot PRs, 21% merged
Next.js Race Condition to Cache Poisoning
GHSA-qpjv-v59x-3qc4 CVE-2025-32421 LOW 7 months ago
**Summary**
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue...
npm
No PRs yet
Bootstrap Multiselect Vulnerable to CSRF and Reflective XSS via Arbitrary POST Data
GHSA-gv5r-9gxr-v74w CVE-2025-47204 MODERATE 7 months ago
An issue was discovered in post.php in bootstrap-multiselect (aka Bootstrap Multiselect) 1.1.2. A PHP script in the source code echoes arbitrary PO...
npm
No PRs yet
@lumieducation/h5p-server Fails to Sanitize Plain Text Strings
GHSA-m7gm-v253-56hh CVE-2025-47828 MODERATE 7 months ago
Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings.
npm
No PRs yet
code-server's session cookie can be extracted by having user visit specially crafted proxy URL
GHSA-p483-wpfp-42cj CVE-2025-47269 HIGH 7 months ago
### Summary
A maliciously crafted URL using the `proxy` subpath can result in the attacker gaining access to the session token.
### Details
Fail...
npm
No PRs yet
Trix vulnerable to Cross-site Scripting on copy & paste
GHSA-mcrw-746g-9q8h CVE-2025-46812 LOW 7 months ago
### Impact
The Trix editor, in versions prior to 2.1.15, is vulnerable to XSS attacks when pasting malicious code.
An attacker could trick a user ...
npm
118 Dependabot PRs, 34% merged
Passport-wsfed-saml2 allows SAML Authentication Bypass via Attribute Smuggling
GHSA-8gqj-226h-gm8r CVE-2025-46573 HIGH 7 months ago
### Overview
This vulnerability allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This...
npm
No PRs yet
Passport-wsfed-saml2 allows SAML Authentication Bypass via Signature Wrapping
GHSA-wjmp-wphq-jvqf CVE-2025-46572 CRITICAL 7 months ago
### Overview
This vulnerability allows an attacker to impersonate any user during SAML authentication by crafting a SAMLResponse. This can be done ...
npm
No PRs yet
@misskey-dev/summaly allows IP Filter Bypass via Redirect
GHSA-jqx4-9gpq-rppm MODERATE 7 months ago
### Summary
Due to a validation error in `got.scpaping`, it is possible to use an HTTP redirect to avoid IP filtering.
### Details
In `got.scpapin...
npm
7 Dependabot PRs
Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields
GHSA-hg9m-67mm-7pg3 CVE-2025-46720 LOW 7 months ago
# Summary
`{field}.isFilterable` access control can be bypassed in `update` and `delete` mutations by adding additional unique filters. These fil...
npm
No PRs yet
@misskey-dev/summaly Redirect Filter Bypass
GHSA-7899-w6c4-vqc4 CVE-2025-46553 LOW 7 months ago
### Summary
A logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, isn...
npm
7 Dependabot PRs
Information Disclosure via Flags override link
GHSA-892p-pqrr-hxqr CVE-2025-46332 MODERATE 7 months ago
## Summary
An information disclosure vulnerability affecting Flags SDK has been addressed. It impacted `flags` ≤3.2.0 and `@vercel/flags` ≤3.1.1 a...
npm
No PRs yet
@cloudflare/workers-oauth-provider PKCE bypass via downgrade attack
GHSA-qgp8-v765-qxx9 CVE-2025-4144 MODERATE 7 months ago
### Summary
PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of [MCP framework](https://github.com/cloudflar...
npm
No PRs yet
@cloudflare/workers-oauth-provider missing validation of redirect_uri on authorize endpoint
GHSA-4pc9-x2fx-p7vj CVE-2025-4143 MODERATE 7 months ago
### Summary
The OAuth implementation failed to check that redirect_uri was among the allowed set for the client_id.
### Impact
Under certain circu...
npm
No PRs yet
Vite's server.fs.deny bypassed with /. for files under project root
GHSA-859w-5945-r5v3 CVE-2025-46565 MODERATE 7 months ago
### Summary
The contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching patt...
npm
2 Dependabot PRs
Homograph attack allows Unicode lookalike characters to bypass validation.
GHSA-xq7p-g2vc-g82p CVE-2025-27611 HIGH 7 months ago
### Impact
Attackers can deceive users into sending funds to an unintended address.
### Patches
https://github.com/cryptocoinjs/base-x/pull/86
npm
No PRs yet
Auth0 NextJS SDK v4 Missing Session Invalidation
GHSA-pjr6-jx7r-j4r6 CVE-2025-46344 MODERATE 7 months ago
### Overview
Auth0 NextJS `v4.0.1` to `v4.5.0` does not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the J...
npm
No PRs yet
AngularJS improperly sanitizes SVG elements
GHSA-j58c-ww9w-pwp5 CVE-2025-0716 LOW 7 months ago
Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS allows attackers to bypass comm...
npm
No PRs yet
@account-kit/smart-contracts Allowlist Module Bypass Vulnerability
GHSA-wfm2-rq5g-f8v5 MODERATE 7 months ago
### Summary
Allowlist module contains a bypass vulnerability
### Details
The logic for using an allowlist on a Modular Account V2 contained a bug ...
npm
No PRs yet
n8n Vulnerable to Stored XSS through Attachments View Endpoint
GHSA-c8hm-hr8h-5xjw CVE-2025-46343 MODERATE 7 months ago
### Impact
n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there was no restriction on the MI...
npm
No PRs yet
NodeJS Driver for Snowflake has race condition when checking access to Easy Logging configuration file
GHSA-wmjq-jrm2-9wfr CVE-2025-46328 LOW 7 months ago
# Issue
Snowflake discovered and remediated a vulnerability in the NodeJS Driver for Snowflake (“Driver”). When using the Easy Logging feature on L...
npm
23 Dependabot PRs
Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content
GHSA-75v8-2h7p-7m2m CVE-2025-46653 LOW 7 months ago
Formidable (aka node-formidable) 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable c...
npm
11 Dependabot PRs
GraphQL Armor Cost-Limit Plugin Bypass via Introspection Query Obfuscation
GHSA-733v-p3h5-qpq7 MODERATE 7 months ago
### Summary
A query cost restriction using the `cost-limit` can be bypassed if `ignoreIntrospection` is enabled (which is the default configuration...
npm
1 Dependabot PR
React Router allows pre-render data spoofing on React-Router framework mode
GHSA-cpj6-fhp6-mr6j CVE-2025-43865 HIGH 7 months ago
## Summary
After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to compl...
npm
No PRs yet
React Router allows a DoS via cache poisoning by forcing SPA mode
GHSA-f46r-rw29-r322 CVE-2025-43864 HIGH 7 months ago
## Summary
After some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. I...
npm
No PRs yet
tRPC 11 WebSocket DoS Vulnerability
GHSA-pj3v-9cm8-gvj8 CVE-2025-43855 HIGH 7 months ago
### Summary
An unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthent...
npm
No PRs yet
PostHog Plugin Server SQL Injection Vulnerability
GHSA-v64v-fq96-c5wv CVE-2025-1520 HIGH 7 months ago
PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execu...
npm
No PRs yet
pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting
GHSA-8cc4-rfj6-fhg4 CVE-2024-47829 MODERATE 7 months ago
The path shortening function is used in pnpm:
```
export function depPathToFilename (depPath: string, maxLengthWithoutHash: number): string {
let...
```
npm
No PRs yet
Compromised xrpl.js versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2
GHSA-33qr-m49q-rxfx CVE-2025-32965 CRITICAL 7 months ago
### Impact
Versions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys. If...
npm
No PRs yet
QMarkdown Cross-Site Scripting (XSS) vulnerability
GHSA-wm65-ph3w-587c CVE-2025-43954 MODERATE 7 months ago
QMarkdown (aka quasar-ui-qmarkdown) before 2.0.5 allows XSS via headers even when no-html is set.
npm
No PRs yet
ses's global contour bindings leak into Compartment lexical scope
GHSA-h9w6-f932-gq62 CVE-2025-32792 HIGH 8 months ago
### Impact
Web pages and web extensions using `ses` and the `Compartment` API to evaluate third-party code in an isolated execution environment th...
npm
No PRs yet
Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass
GHSA-mg2h-6x62-wpwc CVE-2025-32442 HIGH 8 months ago
### Impact
In applications that specify different validation strategies for different content types, it's possible to bypass the validation by pro...
npm
351 Dependabot PRs, 14% merged
Permission policy information leakage in Backstage permission system
GHSA-f8j4-p5cr-p777 CVE-2025-32791 MODERATE 8 months ago
### Impact
A vulnerability in the Backstage permission plugin backend allows callers to extract some information about the conditional decisions r...
npm
No PRs yet
aws-cdk-lib's aspect order change causes different Permissions Boundary assigned to Role
GHSA-qc59-cxj2-c2w4 LOW 8 months ago
### Summary
The [AWS Cloud Development Kit (AWS CDK)](https://aws.amazon.com/cdk/) is an open-source software development framework for defining c...
npm
No PRs yet
jquery-validation vulnerable to Cross-site Scripting
GHSA-rrj2-ph5q-jxw2 CVE-2025-3573 MODERATE 8 months ago
Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take in...
npm
No PRs yet
http-proxy-middleware can call writeBody twice because "else if" is not used
GHSA-4www-5p9h-95mh CVE-2025-32996 MODERATE 8 months ago
In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.
npm
No PRs yet
http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed
GHSA-9gqv-wp59-fq42 CVE-2025-32997 MODERATE 8 months ago
In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.
npm
No PRs yet
@sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params
GHSA-6q87-84jw-cjhp CVE-2025-32388 MODERATE 8 months ago
### Summary
Unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of `event.url.searchParams` i...
npm
No PRs yet
Directus inserts access token from query string into logs
GHSA-vw58-ph65-6rxp CVE-2024-47822 MODERATE 8 months ago
### Summary
Access token from query string is not redacted and is potentially exposed in system logs which may be persisted.
### Details
The acces...
npm
No PRs yet
Vite has an `server.fs.deny` bypass with an invalid `request-target`
GHSA-356w-63v5-8wf4 CVE-2025-32395 MODERATE 8 months ago
### Summary
The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun.
### Impact
Only apps with ...
npm
4 Dependabot PRs, 25% merged
Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function
GHSA-x2rg-q646-7m2v CVE-2025-32379 MODERATE 8 months ago
### Summary
In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript co...
npm
No PRs yet
crud-query-parser SQL Injection vulnerability
GHSA-9r25-rp3p-h2w4 CVE-2025-32020 HIGH 8 months ago
### Impact
Improper neutralization of the `order`/`sort` parameter in the TypeORM adapter, which allows SQL injection.
You are impacted by this v...
npm
No PRs yet
Flowise Vulnerable to SQL Injection via `tableName` Parameter
GHSA-gjx9-wg9x-7gvp CVE-2025-29189 HIGH 8 months ago
Flowise <= 2.2.3 is vulnerable to SQL Injection via the tableName parameter at Postgres_VectorStores.
npm
No PRs yet
ts-asn1-der has Incorrect DER Encoding of Numbers Leading to Denial of Service and Incorrect Value Representation
GHSA-p4qw-7j9g-5h53 CVE-2025-32029 MODERATE 8 months ago
### Impact
Incorrect `number` DER encoding can lead to denial of service for absolute values in the range `2**31` -- `2**32 - 1`. The arithmetic i...
npm
No PRs yet
estree-util-value-to-estree allows prototype pollution in generated ESTree
GHSA-f7f6-9jq7-3rqj CVE-2025-32014 MODERATE 8 months ago
### Impact
When generating an ESTree from a value with a property named `__proto__`, `valueToEstree` would generate an object that specifies a prot...
npm
No PRs yet
Apollo Gateway Query Planner Vulnerable to Excessive Resource Consumption via Optimization Bypass
GHSA-p2q6-pwh5-m6jr CVE-2025-32031 HIGH 8 months ago
# Impact
## Summary
A vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive...
npm
47 Dependabot PRs, 50% merged
Apollo Gateway Query Planner Vulnerable to Excessive Resource Consumption via Named Fragment Expansion
GHSA-q2f9-x4p4-7xmh CVE-2025-32030 HIGH 8 months ago
# Impact
## Summary
A vulnerability in Apollo Gateway allowed queries with deeply nested and reused named fragments to be prohibitively expensive...
npm
46 Dependabot PRs, 50% merged