An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,921 Total Advisories
1,821 With Dependabot PRs
3,520 Critical Severity
8,659 High Severity

Anthropic Sandbox Runtime Incorrectly Implemented Network Sandboxing
GHSA-9gqj-5w7c-vx47 CVE-2025-66479 LOW 3 days ago
Due to a bug in sandboxing logic, `sandbox-runtime` did not properly enforce a network sandbox if the sandbox policy did not configure any allowed ...
npm
No PRs yet
Better Auth affected by external request basePath modification DoS
GHSA-569q-mpph-wgww LOW 6 days ago
Summary: Affected versions of Better Auth allow an external request to configure `baseURL` when it isn’t defined through any other means. This ca...
npm
No PRs yet
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls
GHSA-rcmh-qjqh-p98v LOW 6 days ago
Summary: A DoS can occur that immediately halts the system due to the use of an unsafe function. Details: According to **RFC 5322**, nested ...
npm
No PRs yet
Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
GHSA-wmjr-v86c-m9jj LOW 11 days ago
Summary: - Vulnerable component: `multi-session` plugin’s `/sign-out` after-hook (`packages/better-auth/src/plugins/multi-session/index.ts`) - Is...
npm
No PRs yet
Astro Development Server has Arbitrary Local File Read
GHSA-x3h8-62x9-952g CVE-2025-64757 LOW 18 days ago
Summary: A vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through th...
npm
No PRs yet
Astro development server error page is vulnerable to reflected Cross-site Scripting
GHSA-w2vj-39qv-7vh7 CVE-2025-64745 LOW 24 days ago
Summary: A Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configur...
npm
No PRs yet
EverShop is vulnerable to Unauthorized Order Information Access (IDOR)
GHSA-c73g-mx2w-cc93 CVE-2025-12919 LOW 28 days ago
A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolv...
npm
No PRs yet
Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files
GHSA-rwvc-j5jr-mgvh CVE-2025-48985 LOW about 1 month ago
A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass fil...
npm
No PRs yet
rollbar vulnerable to prototype pollution
GHSA-r8c2-2qwq-94p6 CVE-2025-57325 LOW about 2 months ago
Impact: Prototype pollution potential with the utility function `rollbar/src/utility`.`set()`. No impact when using the published public interf...
npm
No PRs yet
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module
GHSA-fgx4-p8xf-qhp9 CVE-2025-62505 LOW about 2 months ago
Vulnerability Description: Vulnerability Overview - When the client sends an arbitrary URL array and impl: ["naive"] to the tRPC endpoint...
npm
No PRs yet
Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails
GHSA-q4w9-x3rv-4c8j CVE-2025-62380 LOW about 2 months ago
Summary: An HTML injection vulnerability in plaintext emails generated by Mailgen has been discovered. Projects are affected if the `Mailgen.ge...
npm
No PRs yet
Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails
GHSA-xw6r-chmh-vpmj CVE-2025-62366 LOW about 2 months ago
Summary: An HTML injection vulnerability in plaintext emails generated by Mailgen has been discovered. Your project is affected if you use the ...
npm
No PRs yet
MCPHub's ServerController is vulnerable to Command Injection
GHSA-5q2p-3jg8-2m98 CVE-2025-11285 LOW 2 months ago
A vulnerability was found in samanhappy MCPHub up to 0.9.10. Affected by this issue is some unknown functionality of the file src/controllers/serve...
npm
No PRs yet
Claude Code permission deny bypass through symlink
GHSA-66m2-gx93-v996 CVE-2025-59829 LOW 2 months ago
Claude Code failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude...
npm
No PRs yet
Fiora chat group avatar is vulnerable to XSS via SVG files
GHSA-2c6j-vw6r-mfch CVE-2025-56515 LOW 2 months ago
File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file cont...
npm
No PRs yet
Fiora chat user avatar is vulnerable to XSS via SVG files
GHSA-hg3j-6pmh-mvjr CVE-2025-56514 LOW 2 months ago
Cross Site Scripting (XSS) vulnerability in Fiora chat application 1.0.0 allows arbitrary JavaScript execution when malicious SVG files are rendere...
npm
No PRs yet
toggle-array vulnerable to prototype pollution
GHSA-34q3-8x9v-j957 CVE-2025-57328 LOW 2 months ago
toggle-array is a package designed to enable a property on the object at the specified index, while disabling the property on all other objects. A...
npm
No PRs yet
web3-core-subscriptions has a Prototype Pollution vulnerability
GHSA-hhf6-3xpg-pggx CVE-2025-57330 LOW 2 months ago
The web3-core-subscriptions is a package designed to manage web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function...
npm
No PRs yet
web3-core-method is vulnerable to prototype pollution
GHSA-2j4c-9qqq-896r CVE-2025-57329 LOW 2 months ago
web3-core-method is a package designed to create the methods on the web3 modules. A Prototype Pollution vulnerability in the attachToObject functi...
npm
No PRs yet
spmrc vulnerable to prototype pollution
GHSA-r2rv-8pp3-65xw CVE-2025-57327 LOW 2 months ago
spmrc is a package that provides the rc manager for spm. A Prototype Pollution vulnerability in the set and config function of spmrc version 1.2.0 ...
npm
No PRs yet
node-cube vulnerable to prototype pollution
GHSA-8v65-5fw5-23wj CVE-2025-57348 LOW 2 months ago
The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an att...
npm
No PRs yet
magix-combine-ex vulnerable to prototype pollution
GHSA-cr7h-93fh-whwm CVE-2025-57321 LOW 2 months ago
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 2.2.2 allows attackers to inject p...
npm
No PRs yet
sassdoc-extras vulnerable to prototype pollution
GHSA-3mpm-jx38-9m8w CVE-2025-57326 LOW 2 months ago
A Prototype Pollution vulnerability in the byGroupAndType function of sassdoc-extras v2.5.1 and before allows attackers to inject properties on Obj...
npm
No PRs yet
messageformat has a prototype pollution vulnerability
GHSA-xfqm-j7pc-xrfc CVE-2025-57349 LOW 2 months ago
The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due ...
npm
No PRs yet
min-document vulnerable to prototype pollution
GHSA-rx8g-88g5-qh64 CVE-2025-57352 LOW 2 months ago
A vulnerability exists in the 'min-document' package prior to version 2.19.1, stemming from improper handling of namespace operations in the remove...
npm
No PRs yet
Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival
GHSA-p6jq-8vc4-79f6 CVE-2025-59414 LOW 3 months ago
Summary: A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requ...
npm
No PRs yet
Vite middleware may serve files starting with the same name with the public directory
GHSA-g4jq-h2w9-997c CVE-2025-58751 LOW 3 months ago
Summary: Files starting with the same name with the public directory were served bypassing the `server.fs` settings. Impact: Only apps that ...
npm
No PRs yet
Vite's `server.fs` settings were not applied to HTML files
GHSA-jqfw-vq24-v9c3 CVE-2025-58752 LOW 3 months ago
Summary: Any HTML files on the machine were served regardless of the `server.fs` settings. Impact: Only apps that match the following condi...
npm
No PRs yet
CKEditor 5 cross-site scripting (XSS) vulnerability in the clipboard package
GHSA-x9gp-vjh6-3wv6 CVE-2025-58064 LOW 3 months ago
Impact: A Cross-Site Scripting (XSS) vulnerability has been discovered in the CKEditor 5 clipboard package. This vulnerability could be triggere...
npm
No PRs yet
wong2 mcp-cli Command Injection Vulnerability
GHSA-p6rm-483j-37jf CVE-2025-9262 LOW 4 months ago
A flaw has been found in wong2 mcp-cli 1.13.0. Affected is the function redirectToAuthorization of the file /src/oauth/provider.js of the component...
npm
No PRs yet
Template Secret leakage in logs in Scaffolder when using `fetch:template`
GHSA-3x3q-ghcp-whf7 CVE-2025-55285 LOW 4 months ago
A logging flaw in Backstage Scaffolder’s `fetch:template` action up to `@backstage/plugin-scaffolder-backend` **2.1.0** may write template secrets ...
npm
No PRs yet
HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit
GHSA-xcxh-6cv4-q8p8 LOW 4 months ago
Summary: When adding a "web link" to the HFS virtual filesystem, the frontend opens it with `target="_blank"` but without the `rel="noopener nor...
npm
No PRs yet
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
GHSA-52f5-9888-hmc6 CVE-2025-54798 LOW 4 months ago
Summary: `tmp@0.2.3` is vulnerable to an Arbitrary temporary file / directory write via symbolic link `dir` parameter. Details: According...
npm
7316 Dependabot PRs, 20% Merged
Koa Open Redirect via Referrer Header (User-Controlled)
GHSA-jgmv-j7ww-jx2x CVE-2025-8129 LOW 4 months ago
Summary: In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-contro...
npm
33 Dependabot PRs, 3% Merged
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
GHSA-xffm-g5w8-qvg7 LOW 5 months ago
Summary: The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only a...
npm
No PRs yet
on-headers is vulnerable to http response header manipulation
GHSA-76c9-3jph-rj3q CVE-2025-7339 LOW 5 months ago
Impact: A bug in on-headers versions `< 1.1.0` may result in response headers being inadvertently modified when an array is passed to `response...
npm
50441 Dependabot PRs, 5% Merged
Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes
GHSA-36rg-gfq2-3h56 CVE-2025-53535 LOW 5 months ago
Summary: An open redirect has been found in the `originCheck` middleware function, which affects the following routes: `/verify-email`, `/reset...
npm
No PRs yet
Next.js has a Cache poisoning vulnerability due to omission of the Vary header
GHSA-r2fc-ccr8-96c4 CVE-2025-49005 LOW 5 months ago
Summary: A cache poisoning issue in **Next.js App Router >=15.3.0 and < 15.3.3** may have allowed RSC payloads to be cached and served in place...
npm
No PRs yet
string-math's string-math.js vulnerability can cause Regex Denial of Service (ReDoS)
GHSA-994j-5c83-r424 CVE-2025-45143 LOW 5 months ago
string-math v1.2.2 was discovered to contain a Regex Denial of Service (ReDoS) which is exploited via a crafted input.
npm
No PRs yet
Taylor has race condition in /get-patch that allows purchase token replay
GHSA-vh5j-5fhq-9xwg LOW 5 months ago
Hi team, I was looking at the recent fix and you limited the exploitability of race conditions but unfortunately it is still possible to exploit t...
npm
No PRs yet
Snyk CLI Insertion of Sensitive Information into Log File allowed in DEBUG or DEBUG/TRACE mode
GHSA-6hwc-9h8r-3vmf CVE-2025-6624 LOW 5 months ago
Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through local Snyk CLI debug logs. ...
go npm
No PRs yet
pm2 Regular Expression Denial of Service vulnerability
GHSA-x5gf-qvw8-r2rm CVE-2025-5891 LOW 6 months ago
A vulnerability classified as problematic was found in Unitech pm2 up to 6.0.8. This vulnerability affects unknown code of the file /lib/tools/Conf...
npm
No PRs yet
brace-expansion Regular Expression Denial of Service vulnerability
GHSA-v6h2-p8h4-qcjw CVE-2025-5889 LOW 6 months ago
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue ...
npm
19 Dependabot PRs, 52% Merged
Information exposure in Next.js dev server due to lack of origin verification
GHSA-3h52-269p-cp9r CVE-2025-48068 LOW 6 months ago
Summary: A low-severity vulnerability in **Next.js** has been fixed in **version 15.2.2**. This issue may have allowed limited source code expos...
npm
No PRs yet
auth-js Vulnerable to Insecure Path Routing from Malformed User Input
GHSA-8r88-6cj9-9fh5 CVE-2025-48370 LOW 6 months ago
Impact: The library functions `getUserById`, `deleteUser`, `updateUserById`, `listFactors` and `deleteFactor` did not require the user supplied ...
npm
7 Dependabot PRs, 14% Merged
undici Denial of Service attack via bad certificate data
GHSA-cxrh-j4jr-qwg3 CVE-2025-47279 LOW 7 months ago
Impact: Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certifi...
npm
146 Dependabot PRs, 21% Merged
Next.js Race Condition to Cache Poisoning
GHSA-qpjv-v59x-3qc4 CVE-2025-32421 LOW 7 months ago
Summary: We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue...
npm
No PRs yet
Trix vulnerable to Cross-site Scripting on copy & paste
GHSA-mcrw-746g-9q8h CVE-2025-46812 LOW 7 months ago
Impact: The Trix editor, in versions prior to 2.1.15, is vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user ...
npm
119 Dependabot PRs, 34% Merged
Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields
GHSA-hg9m-67mm-7pg3 CVE-2025-46720 LOW 7 months ago
Summary: `{field}.isFilterable` access control can be bypassed in `update` and `delete` mutations by adding additional unique filters. These fil...
npm
No PRs yet
@misskey-dev/summaly Redirect Filter Bypass
GHSA-7899-w6c4-vqc4 CVE-2025-46553 LOW 7 months ago
Summary: A logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, isn...
npm
9 Dependabot PRs