An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,921 Total Advisories
1,823 With Dependabot PRs
3,520 Critical Severity
8,659 High Severity

Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF'
GHSA-8wvc-869r-xfqf CVE-2025-65959 HIGH 4 days ago
## Summary A **Stored XSS vulnerability** has been discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown...
npm
No PRs yet
auth0/node-jws Improperly Verifies HMAC Signature
GHSA-869p-cjfg-cm3x CVE-2025-65945 HIGH 4 days ago
### Overview An improper signature verification vulnerability exists when using auth0/node-jws with the HS256 algorithm under specific conditions. ...
npm
678 Dependabot PRs
Claude Code Command Validation Bypass Allows Arbitrary Code Execution
GHSA-xq4m-mc3c-vvg3 CVE-2025-66032 HIGH 5 days ago
Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and tri...
npm
No PRs yet
Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default
GHSA-w48q-cv73-mx4w CVE-2025-66414 HIGH 6 days ago
The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP ...
npm
No PRs yet
Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes
GHSA-v4hv-rgfq-gp49 CVE-2025-66412 HIGH 6 days ago
A **Stored Cross-Site Scripting ([XSS](https://angular.dev/best-practices/security#preventing-cross-site-scripting-xss))** vulnerability has been i...
npm
No PRs yet
Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements
GHSA-vghf-hv5q-vc2g CVE-2025-12758 HIGH 11 days ago
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLeng...
npm
No PRs yet
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client
GHSA-58c5-g7wp-6w37 CVE-2025-66035 HIGH 12 days ago
The vulnerability is a **Credential Leak by App Logic** that leads to the **unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token*...
npm
No PRs yet
node-forge has ASN.1 Unbounded Recursion
GHSA-554w-wpv2-vw27 CVE-2025-66031 HIGH 12 days ago
### Summary An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to ...
npm
1875 Dependabot PRs
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
GHSA-5gfm-wpxj-wjgq CVE-2025-12816 HIGH 12 days ago
### Summary CVE-2025-12816 has been reserved by CERT/CC **Description** An Interpretation Conflict (CWE-436) vulnerability in node-forge versions...
npm
1875 Dependabot PRs
Valibot has a ReDoS vulnerability in `EMOJI_REGEX`
GHSA-vqpr-j7v3-hqw9 CVE-2025-66020 HIGH 12 days ago
### Summary The `EMOJI_REGEX` used in the `emoji` action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciou...
npm
4 Dependabot PRs
OneUptime Unauthorized User Creation via API
GHSA-m449-vh5f-574g CVE-2025-65966 HIGH 12 days ago
### Summary A low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. ### ...
npm
No PRs yet
Better Auth Passkey Plugin allows passkey deletion through IDOR
GHSA-4vcf-q4xf-f48m HIGH 13 days ago
# Summary Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using `...
npm
No PRs yet
authkit-nextjs may let session cookies be cached in CDNs
GHSA-p8pf-44ff-93gf CVE-2025-64762 HIGH 18 days ago
In `authkit-nextjs` version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN cach...
npm
No PRs yet
@anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
GHSA-7mv8-j34q-vp7q CVE-2025-64755 HIGH 18 days ago
Due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host sys...
npm
No PRs yet
Claude Code vulnerable to command execution prior to startup trust dialog
GHSA-5hhx-v7f6-x7gv CVE-2025-65099 HIGH 19 days ago
When running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins befor...
npm
No PRs yet
Astro vulnerable to reflected XSS via the server islands feature
GHSA-wrwg-2hg8-v723 CVE-2025-64764 HIGH 19 days ago
## Summary After some research it appears that it is possible to obtain a reflected XSS when the server islands feature is used in the targeted app...
npm
No PRs yet
Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)
GHSA-v5w9-prxf-w882 HIGH 21 days ago
### Summary An unauthenticated attacker can exploit the unprotected registration endpoint (/register) to create a new user and bypass authenticatio...
npm
No PRs yet
glob CLI: Command injection via -c/--cmd executes matches with shell:true
GHSA-5j98-mcp5-4vw2 CVE-2025-64756 HIGH 21 days ago
### Summary The glob CLI contains a command injection vulnerability in its `-c/--cmd` option that allows arbitrary command execution when processi...
npm
1021 Dependabot PRs
Apollo Federation has Improper Enforcement of Access Control on Transitive Fields
GHSA-m8jr-fxqx-8xx6 HIGH 24 days ago
# Summary A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through `@requires` and/...
npm
No PRs yet
Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change
GHSA-fjh6-8679-9pch HIGH 24 days ago
### Summary Bypass of Password Confirmation - Unverified Password Change (authenticated change without current password) An authenticated user is ...
npm
No PRs yet
Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)
GHSA-x39m-3393-3qp4 HIGH 24 days ago
### Summary Unverified Email Change - Email as part of Credential / Unverified Account Recovery Channel Change The application allows changing the...
npm
No PRs yet
Flowise Fails to Invalidate Existing Sessions After Password Changes
GHSA-x7rp-qj2h-ghgw HIGH 24 days ago
### Summary Failure to Invalidate Existing Sessions After Password Change (Persistent Session / Session Invalidity Failure). ### Details After a u...
npm
No PRs yet
expr-eval vulnerable to Prototype Pollution
GHSA-8gw3-rxh4-v6jx CVE-2025-13204 HIGH 24 days ago
npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based ...
npm
No PRs yet
@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields
GHSA-mx7m-j9xf-62hw CVE-2025-64530 HIGH 24 days ago
# Summary A vulnerability in Apollo Federation's composition logic allowed some queries to Apollo Router to improperly bypass access controls on ty...
npm
No PRs yet
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable
GHSA-7f2v-3qq3-vvjf CVE-2025-59840 HIGH 25 days ago
## Impact Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" [expressionInterpreter](https:...
npm
No PRs yet
AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance
GHSA-8wj8-cfxr-9374 HIGH 25 days ago
### Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. ...
npm
No PRs yet
Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand
GHSA-g4mf-96x5-5m2c CVE-2025-12613 HIGH 28 days ago
Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containi...
npm
No PRs yet
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
GHSA-cm35-v4vp-5xvx CVE-2025-64496 HIGH about 1 month ago
### Summary Open WebUI v0.6.33 and below contains a code injection vulnerability in the Direct Connections feature that allows malicious external m...
npm pypi
No PRs yet
Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE
GHSA-w7xj-8fx7-wfch CVE-2025-64495 HIGH about 1 month ago
### Summary The functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabl...
npm pypi
No PRs yet
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
GHSA-x4qj-2f4q-r4rx CVE-2025-64430 HIGH about 1 month ago
### Impact A Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a `Parse.File` with `uri` par...
npm
No PRs yet
expr-eval does not restrict functions passed to the evaluate function
GHSA-jc85-fpwf-qm7x CVE-2025-12735 HIGH about 1 month ago
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variab...
npm
No PRs yet
n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook
GHSA-xgp7-7qjq-vg47 CVE-2025-62726 HIGH about 1 month ago
### Impact A remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a m...
npm
No PRs yet
TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update
GHSA-q2pj-6v73-8rgj CVE-2025-60542 HIGH about 1 month ago
### Summary SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring ...
npm
No PRs yet
Astro's bypass of image proxy domain validation leads to SSRF and potential XSS
GHSA-qcpr-679q-rhm2 CVE-2025-59837 HIGH about 1 month ago
### Summary This is a patch bypass of CVE-2025-58179 in commit [9ecf359](https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047e...
npm
No PRs yet
Kottster app reinitialization can be re-triggered allowing command injection in development mode
GHSA-j3w7-9qc3-g96p CVE-2025-62713 HIGH about 2 months ago
### Impact **Development mode only**. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development...
npm
No PRs yet
Hono Improper Authorization vulnerability
GHSA-m732-5p4w-x69g CVE-2025-62610 HIGH about 2 months ago
### Improper Authorization in Hono (JWT Audience Validation) Hono’s JWT authentication middleware did not validate the `aud` (Audience) claim by d...
npm
No PRs yet
Angular SSR has a Server-Side Request Forgery (SSRF) flaw
GHSA-q63q-pgmf-mxhr CVE-2025-62427 HIGH about 2 months ago
### Impact The vulnerability is a **Server-Side Request Forgery (SSRF)** flaw within the URL resolution mechanism of Angular's Server-Side Renderin...
npm
No PRs yet
Strapi Allows Unauthorized Access to Private Fields via parms.lookup
GHSA-495j-h493-42q2 CVE-2024-56143 HIGH about 2 months ago
### Summary It's possible to access any private fields by filtering through the lookup parameters ### Details Using the new lookup operator provi...
npm
No PRs yet
`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js`
GHSA-hwmc-4c8j-xxj7 CVE-2025-62381 HIGH about 2 months ago
### Summary `sveltekit-superforms` v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the `parseFormData` function of ...
npm
No PRs yet
Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages
GHSA-r4hh-pcgx-j5r2 CVE-2025-34267 HIGH about 2 months ago
Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and nod...
npm
No PRs yet
Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate
GHSA-7mvr-c777-76hp CVE-2025-59288 HIGH about 2 months ago
### Summary Use of `curl` with the `-k` (or `--insecure`) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-th...
npm
No PRs yet
Flowise is vulnerable to arbitrary file exposure through its ReadFileTool
GHSA-j44m-5v8f-gc9c HIGH about 2 months ago
### Summary The ReadFileTool in Flowise does not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read...
npm
No PRs yet
n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host
GHSA-365g-vjw2-grx8 HIGH about 2 months ago
### Impact The `Execute Command` node in n8n allows execution of arbitrary commands on the host system where n8n runs. While this functionality is...
npm
No PRs yet
FlowiseAI/Flowise has File Upload vulnerability
GHSA-35g6-rrw3-v6xc CVE-2025-61687 HIGH 2 months ago
### Summary A file upload vulnerability in FlowiseAI allows authenticated users to upload arbitrary files without proper validation. This enables a...
npm
No PRs yet
pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding
GHSA-rj3r-r7hh-jxfq CVE-2025-11362 HIGH 2 months ago
Versions of the package pdfmake from 0.3.0-beta.1 to before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling vi...
npm
No PRs yet
Claude Code can execute commands prior to the startup trust dialog
GHSA-4fgq-fpq9-mr3g CVE-2025-59536 HIGH 2 months ago
Due to a bug in the startup trust dialog implementation, Claude Code could be tricked to execute code contained in a project before the user accept...
npm
No PRs yet
@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user
GHSA-m8rj-ppph-mj33 CVE-2025-61668 HIGH 2 months ago
### Impact When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error. ### Patches The prob...
npm
No PRs yet
Finance.js vulnerable to DoS via the seekZero() parameter
GHSA-5q7q-p8pc-782h CVE-2025-56572 HIGH 2 months ago
An issue in finance.js v.4.1.0 allows a remote attacker to cause a denial of service via the seekZero() parameter.
npm
No PRs yet
Finance.js vulnerable to DoS via the IRR function’s depth parameter
GHSA-f8r4-mf27-rf7m CVE-2025-56571 HIGH 2 months ago
Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/itera...
npm
No PRs yet
figma-developer-mcp vulnerable to command injection in get_figma_data tool
GHSA-gxw4-4fc5-9gr5 CVE-2025-53967 HIGH 2 months ago
### Summary A command injection vulnerability exists in the `figma-developer-mcp` MCP Server. The vulnerability is caused by the unsanitized use o...
npm
No PRs yet