An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,785 Total Advisories
1,792 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity

FlowiseDB vulnerable to SQL Injection by authenticated users
GHSA-9c4c-g95m-c8cp MODERATE 8 months ago
### Summary import functions are vulnerable. * [importChatflows](https://github.com/FlowiseAI/Flowise/blob/main/packages/server/src/services/chatfl...
npm
No PRs yet
js-object-utilities Vulnerable to Prototype Pollution
GHSA-hpqf-m68j-2pfx CVE-2025-28269 HIGH 8 months ago
**Vulnerability type:** Prototype Pollution **Affected Package:** * Product: js-object-utilities * Version: 2.2.0 **Remedy:** Update package to ...
npm
2 Dependabot PRs
tarteaucitron.js allows url scheme injection via unfiltered inputs
GHSA-p5g4-v748-6fh8 CVE-2025-31476 MODERATE 8 months ago
A vulnerability was identified in `tarteaucitron.js`, allowing a user with high privileges (access to the site's source code or a CMS plugin) to en...
npm
No PRs yet
tarteaucitron.js allows prototype pollution via custom text injection
GHSA-4hwx-xcc5-2hfc CVE-2025-31475 MODERATE 8 months ago
A vulnerability was identified in `tarteaucitron.js`, where the `addOrUpdate` function, used for applying custom texts, did not properly validate i...
npm
No PRs yet
tarteaucitron.js allows UI manipulation via unrestricted CSS injection
GHSA-7524-3396-fqv3 CVE-2025-31138 MODERATE 8 months ago
A vulnerability was identified in `tarteaucitron.js`, where user-controlled inputs for element dimensions (`width` and `height`) were not properly ...
npm
No PRs yet
Vite allows server.fs.deny to be bypassed with .svg or relative paths
GHSA-xcj6-pq6g-qj4x CVE-2025-31486 MODERATE 8 months ago
### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the ...
npm
2 Dependabot PRs
generator-jhipster-entity-audit vulnerable to Unsafe Reflection when having Javers selected as Entity Audit Framework
GHSA-7rmp-3g9f-cvq8 CVE-2025-31119 HIGH 8 months ago
### Summary CWE-470 (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') when having Javers selected as Entity Audit...
npm
No PRs yet
expand-object Vulnerable to Prototype Pollution via the expand() Function
GHSA-4vjr-hfpp-2m7w CVE-2025-3197 MODERATE 8 months ago
Versions of the package expand-object from 0.0.0 to 0.4.2 are vulnerable to Prototype Pollution in the expand() function in index.js. This function...
npm
No PRs yet
React Draft Wysiwyg Cross-Site Scripting (XSS) via the Embedded Button
GHSA-fq5x-7292-2p5r CVE-2025-3191 LOW 8 months ago
All versions of the package react-draft-wysiwyg are vulnerable to Cross-site Scripting (XSS) via the Embedded button which will then result in savi...
npm
No PRs yet
bigint-buffer Vulnerable to Buffer Overflow via toBigIntLE() Function
GHSA-3gc7-fjrx-p6mg CVE-2025-3194 HIGH 8 months ago
Versions of the package bigint-buffer from 0.0.0 to 1.1.5 are vulnerable to Buffer Overflow in the toBigIntLE() function. Attackers can exploit thi...
npm
No PRs yet
Improper Scope Validation in the `open` Endpoint of `tauri-plugin-shell`
GHSA-c9pr-q8gx-3mgp CVE-2025-31477 CRITICAL 8 months ago
### Impact The Tauri [`shell`](https://tauri.app/plugin/shell/) plugin exposes functionality to execute code and open programs on the system. The...
cargo npm
No PRs yet
Next.js may leak x-middleware-subrequest-id to external hosts
GHSA-223j-4rm8-mrmf CVE-2025-30218 LOW 8 months ago
## Summary In the process of remediating [CVE-2025-29927](https://github.com/advisories/GHSA-f82v-jwr5-mffw), we looked at other possible exploits ...
npm
No PRs yet
image-size Denial of Service via Infinite Loop during Image Processing
GHSA-m5qc-5hw7-8vg7 HIGH 8 months ago
### Summary `image-size` is vulnerable to a Denial of Service vulnerability when processing specially crafted images. The issue occurs because of...
npm
No PRs yet
Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers
GHSA-4q56-crqp-v477 CVE-2025-31137 HIGH 8 months ago
### Impact We received a report about a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Expres...
npm
No PRs yet
@alizeait/unflatto Prototype Pollution
GHSA-q8jq-4rm5-4hm5 CVE-2024-38988 HIGH 8 months ago
### Impact alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/index.js. This vulne...
npm
No PRs yet
aws-cdk-lib has Insertion of Sensitive Information into Log File vulnerability when using Cognito UserPoolClient Construct
GHSA-qq4x-c6h6-rfxh MODERATE 8 months ago
### Summary The [AWS Cloud Development Kit (CDK)](https://aws.amazon.com/cdk/) is an open-source framework for defining cloud infrastructure using ...
npm
6 Dependabot PRs
gifplayer XSS vulnerability
GHSA-gr7w-hmch-25g7 CVE-2025-31128 MODERATE 8 months ago
### Impact XSS vulnerability. All versions under 0.3.7 are impacted ### Patches Please upgrade to 0.3.7
npm
No PRs yet
Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query
GHSA-4r4m-qw57-chr8 CVE-2025-31125 MODERATE 8 months ago
### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the n...
npm
2 Dependabot PRs
Uptime Kuma's Regular Expression in pushdeeer and whapi file Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
GHSA-hx7h-9vf7-5xhg CVE-2025-26042 MODERATE 8 months ago
### Summary There is a `ReDoS vulnerability risk` in the system, specifically when administrators create `notification` through the web service(`pu...
npm
No PRs yet
Redoc Prototype Pollution via `Module.mergeObjects` Component
GHSA-9rhg-254w-fh9x CVE-2024-57083 HIGH 8 months ago
A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc <= 2.2.0 allows attackers to cause a Denial of S...
npm
No PRs yet
depath and cool-path vulnerable to Prototype Pollution via `set()` Method
GHSA-4h4x-4m75-47j4 CVE-2024-38985 HIGH 8 months ago
janryWang products depath v1.0.6 and cool-path v1.1.2 were discovered to contain a prototype pollution via the set() method at setIn (lib/index.js:...
npm
No PRs yet
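Six of the advisories above (js-object-utilities, tarteaucitron.js, expand-object, @alizeait/unflatto, Redoc `mergeObjects`, depath/cool-path `set()`) are the same bug class: a path-based `set()` or a recursive merge that walks attacker-supplied keys and ends up writing to `Object.prototype`. The block below is an added example, not code from any of those packages or from this index, showing both helper shapes in their naive form beside a hardened version and a check that tells you whether a call polluted the prototype. The inputs it feeds them are constructed for the demo.

```javascript
// Added example (not code from any listed package). Two helper shapes that
// recur in prototype-pollution advisories, each vulnerable and hardened.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isObj(v) {
  return v !== null && typeof v === "object";
}

// VULNERABLE: walks every key, including "__proto__", so a path such as
// "__proto__.polluted" descends into Object.prototype and writes there.
function setPathUnsafe(target, path, value) {
  const keys = path.split(".");
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!isObj(cur[keys[i]])) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// HARDENED: refuse the three keys that reach the prototype chain, and only
// descend into OWN properties so nothing inherited is ever written to.
function setPathSafe(target, path, value) {
  const keys = path.split(".");
  if (keys.some((k) => UNSAFE_KEYS.has(k))) {
    throw new Error(`refusing to set unsafe key in path: ${path}`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) || !isObj(cur[k])) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// VULNERABLE: JSON.parse('{"__proto__": {...}}') yields an OWN enumerable
// property named "__proto__"; for..in visits it, and target["__proto__"] is
// Object.prototype, so the recursion merges into the prototype.
function mergeUnsafe(target, source) {
  for (const k in source) {
    if (isObj(source[k]) && isObj(target[k])) mergeUnsafe(target[k], source[k]);
    else target[k] = source[k];
  }
  return target;
}

// HARDENED: skip unsafe keys and allocate fresh own objects instead of
// descending into anything inherited from the prototype chain.
function mergeSafe(target, source) {
  for (const k of Object.keys(source)) {
    if (UNSAFE_KEYS.has(k)) continue;
    if (isObj(source[k]) && !Array.isArray(source[k])) {
      if (!Object.prototype.hasOwnProperty.call(target, k) || !isObj(target[k])) target[k] = {};
      mergeSafe(target[k], source[k]);
    } else {
      target[k] = source[k];
    }
  }
  return target;
}

// Run one helper with attacker-shaped input and report whether a brand-new,
// unrelated object now inherits the injected key. Uses a random marker name
// and deletes it afterwards so the process is left clean.
function pollutes(fn) {
  const marker = "pp_marker_" + Math.random().toString(36).slice(2);
  try {
    fn(marker);
    return ({})[marker] !== undefined;
  } finally {
    delete Object.prototype[marker];
  }
}

// Constructed attacker inputs: a dotted path and a JSON body as a client
// could submit them to an API that feeds user data into these helpers.
function demo() {
  const jsonPayload = (m) => JSON.parse(`{"__proto__": {"${m}": "owned"}}`);
  let safeSetThrew = false;
  try { setPathSafe({}, "__proto__.x", 1); } catch (e) { safeSetThrew = true; }
  return {
    setUnsafePollutes: pollutes((m) => setPathUnsafe({}, `__proto__.${m}`, "owned")),
    setSafeThrows: safeSetThrew,
    mergeUnsafePollutes: pollutes((m) => mergeUnsafe({}, jsonPayload(m))),
    mergeSafePollutes: pollutes((m) => mergeSafe({}, jsonPayload(m))),
  };
}

module.exports = { setPathUnsafe, setPathSafe, mergeUnsafe, mergeSafe, pollutes, demo };
```

Two things worth noting from the hardened versions: the key denylist alone is not enough if the helper still descends into inherited objects (a path that reaches an inherited object by another route would still write there), which is why both safe variants also insist on own properties; and when reviewing a Dependabot PR for one of these advisories, `pollutes()` above is the kind of one-line regression check to run against the patched version before merging.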
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
GHSA-pq67-2wwv-3xjx CVE-2024-12905 HIGH 8 months ago
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"...
npm
5 Dependabot PRs
Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
GHSA-963h-3v39-3pqf CVE-2025-27793 MODERATE 8 months ago
## Impact Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with ...
npm
No PRs yet
Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter
GHSA-rcw3-wmx7-cphr CVE-2025-26619 MODERATE 8 months ago
### Impact In `vega` 5.30.0 and lower, `vega-functions` 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression ...
npm
No PRs yet
Directus's webhook trigger flows can leak sensitive data
GHSA-fm3h-p9wm-h74h CVE-2025-30353 HIGH 8 months ago
### Describe the Bug In Directus, when a **Flow** with the "_Webhook_" trigger and the "_Data of Last Operation_" response body encounters a Vali...
npm
No PRs yet
Directus `search` query parameter allows enumeration of non permitted fields
GHSA-7wq3-jr35-275c CVE-2025-30352 MODERATE 8 months ago
### Summary The `search` query parameter allows users with access to a collection to filter items based on fields they do not have permission to v...
npm
No PRs yet
Suspended Directus user can continue to use session token to access API
GHSA-56p6-qw3c-fq2g CVE-2025-30351 LOW 8 months ago
### Summary Since the user status is not checked when verifying a session token a suspended user can use the token generated in session auth mode t...
npm
No PRs yet
Directus's S3 assets become unavailable after a burst of HEAD requests
GHSA-rv78-qqrq-73m5 CVE-2025-30350 MODERATE 8 months ago
### Summary There's some tools that use Directus to sync content and assets. Some of those tools use HEAD method, like Shopify, to check the existe...
npm
No PRs yet
Directus's S3 assets become unavailable after a burst of malformed transformations
GHSA-j8xj-7jff-46mx CVE-2025-30225 MODERATE 8 months ago
### Summary When making many malformed transformation requests at once, at some point, all assets are being served as 403. ### Details When I was ...
npm
No PRs yet
Shescape has potential environment variable exposure on Windows with CMD
GHSA-66pp-5p9w-q87j CVE-2025-30222 LOW 8 months ago
### Impact This impacts users of Shescape on Windows that explicitly configure `shell: 'cmd.exe'` or `shell: true` using any of `quote`/`quoteAll`/...
npm
No PRs yet
@mozilla/readability Denial of Service through Regex
GHSA-3p6v-hrg8-8qj7 CVE-2025-2792 LOW 8 months ago
Specially crafted titles may have caused a regular expression to excessively backtrack and cause a local denial of service. Additional Details are...
npm
No PRs yet
Vite bypasses server.fs.deny when using ?raw??
GHSA-x574-m823-4x7w CVE-2025-30208 MODERATE 8 months ago
### Summary The contents of arbitrary files can be returned to the browser. ### Impact Only apps explicitly exposing the Vite dev server to the ne...
npm
2 Dependabot PRs
AWS CDK CodePipeline: trusted entities are too broad
GHSA-5pq3-h73f-66hr LOW 8 months ago
### Summary The [AWS Cloud Development Kit (CDK)](https://aws.amazon.com/cdk/) is an open-source framework for defining cloud infrastructure using...
npm
No PRs yet
GetmeUK ContentTools Cross-Site Scripting (XSS)
GHSA-4f2v-2gpq-qhjg CVE-2025-2699 MODERATE 8 months ago
A vulnerability was found in GetmeUK ContentTools up to 1.6.16. It has been rated as problematic. Affected by this issue is some unknown functional...
npm
No PRs yet
nossrf Server-Side Request Forgery (SSRF)
GHSA-vm77-mr48-27wj CVE-2025-2691 HIGH 8 months ago
Versions of the package nossrf before 1.0.4 are vulnerable to Server-Side Request Forgery (SSRF), where an attacker can provide a hostname that res...
npm
No PRs yet
AWS CDK CLI prints AWS credentials retrieved by custom credential plugins
GHSA-v63m-x9r9-8gqp CVE-2025-2598 MODERATE 8 months ago
## Summary The AWS Cloud Development Kit (AWS CDK) [1] is an open-source software development framework for defining cloud infrastructure in code ...
npm
No PRs yet
Parse Server has an OAuth login vulnerability
GHSA-837q-jhwx-cmpv CVE-2025-30168 MODERATE 8 months ago
### Impact The 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers t...
npm
7 Dependabot PRs
Authorization Bypass in Next.js Middleware
GHSA-f82v-jwr5-mffw CVE-2025-29927 CRITICAL 8 months ago
# Impact It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. # Patches * ...
npm
1973 Dependabot PRs (8% merged)
Open WebUI Unauthenticated Multipart Boundary Denial of Service (DoS) Vulnerability
GHSA-5ccf-884p-4jjq HIGH 8 months ago
A Denial of Service (DoS) vulnerability exists in open-webui/open-webui version 0.3.21. This vulnerability affects multiple endpoints, including `/...
npm pypi
No PRs yet
Open WebUI Uncontrolled Resource Consumption vulnerability
GHSA-g3mx-83mp-3rwc CVE-2024-12534 HIGH 8 months ago
In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign...
npm pypi
No PRs yet
Open WebUI Uncontrolled Resource Consumption vulnerability
GHSA-chf7-q7m5-fq92 CVE-2024-12537 HIGH 8 months ago
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/util...
npm pypi
No PRs yet
Nuxt allows DOS via cache poisoning with payload rendering response
GHSA-jvhm-gjrh-3h93 CVE-2025-27415 HIGH 9 months ago
### Summary By sending a crafted HTTP request to a server behind a CDN, it is possible in some circumstances to poison the CDN cache and highly i...
npm
No PRs yet
Fast-JWT Improperly Validates iss Claims
GHSA-gm45-q3v2-6cf8 CVE-2025-30144 MODERATE 9 months ago
### Summary The `fast-jwt` library does not properly validate the `iss` claim based on the RFC https://datatracker.ietf.org/doc/html/rfc7519#page-9...
npm
23 Dependabot PRs (13% merged)
jsPDF Bypass Regular Expression Denial of Service (ReDoS)
GHSA-w532-jxjh-hjhj CVE-2025-29907 HIGH 9 months ago
### Impact User control of the first argument of the `addImage` method results in CPU utilization and denial of service. If given the possibility ...
npm
499 Dependabot PRs (13% merged)
Mattermost Desktop App allows the bypass of Transparency, Consent, and Control (TCC) via code injection
GHSA-xmvv-w44w-j8wx CVE-2025-1398 LOW 9 months ago
Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass T...
npm
No PRs yet
JS Html Sanitizer allows XSS when used with contentEditable
GHSA-vhv4-fh94-jm5x CVE-2025-29771 MODERATE 9 months ago
### Impact XSS vulnerability when the sanitizer is used with a `contentEditable` element to set the element's `innerHTML` to a sanitized string prod...
npm
No PRs yet
Flowise allows arbitrary file write to RCE
GHSA-8vvx-qvq9-5948 CRITICAL 9 months ago
### Summary An attacker could write files with arbitrary content to the filesystem via the `/api/v1/document-store/loader/process` API. An attacker...
npm
No PRs yet
nest allows a remote attacker to execute arbitrary code via the Content-Type header
GHSA-cj7v-w2c7-cp7c CVE-2024-29409 MODERATE 9 months ago
File Upload vulnerability in nestjs nest prior to v.11.0.16 allows a remote attacker to execute arbitrary code via the Content-Type header.
npm
No PRs yet
In Azle, calling `setTimer` causes infinite loop of timers
GHSA-xc76-5pf9-mx8m CVE-2025-29776 HIGH 9 months ago
### Impact Calling `setTimer` in Azle versions `0.27.0`, `0.28.0`, and `0.29.0` causes an immediate infinite loop of timers to be executed on the ...
npm
No PRs yet
xml-crypto Vulnerable to XML Signature Verification Bypass via DigestValue Comment
GHSA-x3m8-899r-f7c3 CVE-2025-29775 CRITICAL 9 months ago
# Impact An attacker may be able to exploit this vulnerability to bypass authentication or authorization mechanisms in systems that rely on xml-cry...
npm
38 Dependabot PRs (10% merged)