An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total advisories: 24,785
With Dependabot PRs: 1,792
Critical severity: 3,506
High severity: 8,617

willitmerge has a Command Injection vulnerability
GHSA-j9wj-m24m-7jj6 MODERATE 2 days ago
willitmerge describes itself as a command line tool to check if pull requests are mergeable. There is a Command Injection vulnerability in version ...
npm
No PRs yet
node-forge is vulnerable to ASN.1 OID Integer Truncation
GHSA-65ch-62r8-g69g CVE-2025-66030 MODERATE 2 days ago
### Summary **MITRE-Formatted CVE Description** An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote,...
npm
1571 Dependabot PRs
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation
GHSA-675q-66gf-gqg8 CVE-2025-66028 MODERATE 3 days ago
### Summary During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter ...
npm
No PRs yet
body-parser is vulnerable to denial of service when url encoding is used
GHSA-wqch-xfxh-vrr4 CVE-2025-13466 MODERATE 3 days ago
### Impact body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of param...
npm
301 Dependabot PRs
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`
GHSA-6465-jgvq-jhgp CVE-2025-65944 MODERATE 4 days ago
### Impact In version 10.11.0, a change to how the SDK collects request data in Node.js applications caused certain incoming HTTP headers to be add...
npm
No PRs yet
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage
GHSA-3mm3-wfpv-q85g CVE-2025-63700 MODERATE 8 days ago
An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verifi...
npm
No PRs yet
zx Uses Incorrectly-Resolved Name or Reference
GHSA-w87r-vg9q-crqm CVE-2025-13437 MODERATE 8 days ago
When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error...
npm
No PRs yet
@perfood/couch-auth may expose session tokens, passwords
GHSA-62vx-hpcr-m9ch CVE-2025-60794 MODERATE 8 days ago
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts li...
npm
No PRs yet
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
GHSA-fvmw-cj7j-j39q CVE-2025-65019 MODERATE 9 days ago
**Summary** A Cross-Site Scripting (XSS) vulnerability exists in Astro when using the **@astrojs/cloudflare** adapter with `output: 'server'`. Th...
npm
No PRs yet
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
GHSA-ggxq-hp9w-j794 CVE-2025-64765 MODERATE 9 days ago
A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validati...
npm
No PRs yet
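The Astro middleware entry above (GHSA-ggxq-hp9w-j794) describes a mismatch between the path the router normalizes for rendering and the raw `url.pathname` a middleware compares against. The following is an added illustration of that bug class, not Astro's code: a naive prefix check on the raw pathname beside a check that canonicalizes first. The protected prefix `/admin`, the probe paths and the helper names are constructed for this example.

```javascript
// Added example for the Astro middleware entry (GHSA-ggxq-hp9w-j794).
// Not Astro's code: a generic routing-vs-middleware path normalization
// mismatch. "/admin", the probe paths and the helper names are constructed.

// Naive check: compares the raw, still percent-encoded pathname.
function naiveIsProtected(requestPath) {
  const url = new URL(requestPath, 'http://example.invalid');
  return url.pathname.startsWith('/admin');
}

// Canonicalize the way a router would before matching a route:
// percent-decode once, then drop empty and "." segments and resolve "..".
// Returns null on malformed encoding so callers can fail closed.
function normalizePath(pathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch {
    return null;
  }
  const segments = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { segments.pop(); continue; }
    segments.push(seg);
  }
  return '/' + segments.join('/');
}

// Hardened check: decide on the canonical path and match whole segments,
// so "/adminx" is not treated as living under "/admin".
function hardenedIsProtected(requestPath) {
  const url = new URL(requestPath, 'http://example.invalid');
  const canonical = normalizePath(url.pathname);
  if (canonical === null) return true; // malformed encoding: treat as protected
  return canonical === '/admin' || canonical.startsWith('/admin/');
}

// Constructed probe paths; the two decisions are compared side by side.
const PROBES = [
  '/admin/users',
  '/%61dmin/users',         // "a" percent-encoded: the raw prefix check misses it
  '/admin%2Fusers',         // encoded slash, decoded before matching
  '/static/../admin/users', // the URL parser already resolves dot segments
  '/adminx',                // not under /admin, but passes a bare prefix check
  '/%E0%A4%A',              // malformed percent-encoding
];

function compareDecisions() {
  return PROBES.map((p) => ({
    path: p,
    naive: naiveIsProtected(p),
    hardened: hardenedIsProtected(p),
  }));
}

console.table(compareDecisions());
```

The rule the example encodes: authorization decisions must be made on the same canonical form of the path that the router uses to pick a handler, and any input that cannot be canonicalized should be rejected rather than passed through.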
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message
GHSA-7xvh-c266-cfr5 CVE-2025-64758 MODERATE 11 days ago
### Description Since version 4.12.0, Dependency-Track users with the `SYSTEM_CONFIGURATION` permission can configure a "welcome message", which i...
npm
No PRs yet
Directus is Vulnerable to Stored Cross-site Scripting
GHSA-vv2v-pw69-8crf CVE-2025-64747 MODERATE 14 days ago
### Summary A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject m...
npm
No PRs yet
Directus has Improper Permission Handling on Deleted Fields
GHSA-9x5g-62gj-wqf2 CVE-2025-64746 MODERATE 14 days ago
### Summary Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later...
npm
No PRs yet
js-yaml has prototype pollution in merge (<<)
GHSA-mh29-5h37-fv8m CVE-2025-64718 MODERATE 14 days ago
### Impact In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml doc...
npm
1 Dependabot PR
Directus Vulnerable to Information Leakage in Existing Collections
GHSA-cph6-524f-3hgr CVE-2025-64749 MODERATE 15 days ago
### Summary: An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error...
npm
No PRs yet
Directus's conceal fields are searchable if read permissions enabled
GHSA-8jpw-gpr4-8cmh CVE-2025-64748 MODERATE 15 days ago
## Summary A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values re...
npm
No PRs yet
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
GHSA-hr2q-hp5q-x767 CVE-2025-64525 MODERATE 15 days ago
## Summary In impacted versions of Astro using [on-demand rendering](https://docs.astro.build/en/guides/on-demand-rendering/), request headers `x-...
npm
No PRs yet
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
GHSA-7cx5-254x-cgrq CVE-2025-64502 MODERATE 16 days ago
### Impact The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning be...
npm
No PRs yet
Nuxt DevTools vulnerable to cross-site scripting (XSS)
GHSA-xmq3-q5pm-rp26 CVE-2025-52662 MODERATE 22 days ago
A vulnerability in Nuxt DevTools has been fixed in version **2.6.4***. This issue may have allowed Nuxt auth token extraction via XSS under certain...
npm
No PRs yet
node-tar has a race condition leading to uninitialized memory exposure
GHSA-29xp-372q-xqph CVE-2025-64118 MODERATE 29 days ago
### Summary Using `.t` (aka `.list`) with `{ sync: true }` to read tar entry contents returns uninitialized memory contents if tar file was change...
npm
4 Dependabot PRs
NextAuthjs Email misdelivery Vulnerability
GHSA-5jpx-9hw9-2fx4 MODERATE about 1 month ago
### Summary NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in `nodemail...
npm
No PRs yet
Hono vulnerable to Vary Header Injection leading to potential CORS Bypass
GHSA-q7jf-gf43-6x6p MODERATE about 1 month ago
### Summary A flaw in the CORS middleware allowed request `Vary` headers to be reflected into the response, enabling attacker-controlled `Vary` v...
npm
3 Dependabot PRs
rollbar vulnerable to Prototype Pollution in merge()
GHSA-xcg2-9pp4-j82x CVE-2025-62517 MODERATE about 1 month ago
### Impact Prototype pollution vulnerability in merge(). If application code calls `rollbar.configure()` with untrusted input, prototype pollution...
npm
No PRs yet
Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic
GHSA-g8mr-fgfg-5qpc CVE-2025-62595 MODERATE about 1 month ago
### Summary: A bypass was discovered in the `Koa.js` framework affecting its back redirect functionality. In certain circumstances, an attacker ca...
npm
No PRs yet
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read
GHSA-vffh-c9pq-4crh MODERATE about 1 month ago
### Summary In some Notification types (e.g., Webhook, Telegram), the `send()` function allows user-controlled renderTemplate input. This leads to...
npm
No PRs yet
vite allows server.fs.deny bypass via backslash on Windows
GHSA-93m4-6634-74q7 CVE-2025-62522 MODERATE about 1 month ago
### Summary Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` wh...
npm
No PRs yet
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
GHSA-xvp7-8vm8-xfxx MODERATE about 1 month ago
### Summary The GoCardless components in Actualbudget are logging responses to STDOUT in a parsed format using `console.log` and `console.debug` ...
npm
No PRs yet
Mammoth is vulnerable to Directory Traversal
GHSA-rmjr-87wv-gf87 CVE-2025-11849 MODERATE about 1 month ago
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the packa...
maven npm nuget +1 more
No PRs yet
Strapi core vulnerable to sensitive data exposure via CORS misconfiguration
GHSA-9329-mxxw-qwf8 CVE-2025-53092 MODERATE about 1 month ago
### Summary A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly refle...
npm
No PRs yet
Strapi Password Hashing is Missing Maximum Password Length Validation
GHSA-2cjv-6wg9-f4f3 CVE-2025-25298 MODERATE about 1 month ago
## Summary Strapi's password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords ex...
npm
No PRs yet
Strapi is vulnerable to Insufficient Session Expiration
GHSA-4r8w-3jww-m2rp CVE-2025-3930 MODERATE about 1 month ago
Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker wh...
npm
No PRs yet
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
GHSA-9f2h-7v79-mxw3 CVE-2025-62374 MODERATE about 2 months ago
### Summary Prototype pollution capabilities on various APIs. ### Details Injection of malicious payload allows attacker to remotely execute arb...
npm
2 Dependabot PRs, 50% merged
CommandKit has incorrect command name exposure in context object for message command aliases
GHSA-fhwm-pc6r-4h2f CVE-2025-62378 MODERATE about 2 months ago
### Impact A logic flaw exists in the message command handler of CommandKit that affects how the `commandName` property is exposed to both middlew...
npm
No PRs yet
QGIS QWC2 Cross-Site Scripting vulnerability
GHSA-gxp8-m5rq-3m38 CVE-2025-11183 MODERATE about 2 months ago
Cross-Site Scripting vulnerability in attribute table in QGIS QWC2 < 2025.08.14 allows an authorized attacker to plant arbitrary JavaScript code in...
npm
No PRs yet
Astro's `X-Forwarded-Host` is reflected without validation
GHSA-5ff5-9fcw-vg88 CVE-2025-61925 MODERATE about 2 months ago
### Summary When running Astro in on-demand rendering mode using an adapter such as the node adapter it is possible to maliciously send an `X-Forwar...
npm
No PRs yet
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
GHSA-mm7p-fcc7-pg87 CVE-2025-13033 MODERATE about 2 months ago
The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extra...
npm
No PRs yet
MCPHub has an Improper Authorization vulnerability via its handleSseConnection function
GHSA-v7c4-33vf-cqqq CVE-2025-11287 MODERATE about 2 months ago
A vulnerability was identified in samanhappy MCPHub up to 0.9.10. This vulnerability affects the function handleSseConnection of the file src/servi...
npm
No PRs yet
Flowise Stored XSS vulnerability through logs in chatbot
GHSA-7r4h-vmj9-wg42 CVE-2025-29192 MODERATE about 2 months ago
### Description In the chat log, tags like input and form are allowed. This makes a potential vulnerability where an attacker could inject maliciou...
npm
No PRs yet
Flowise vulnerable to XSS
GHSA-4fr9-3x69-36wv MODERATE about 2 months ago
### Summary A XSS(cross-site scripting) vulnerability is caused by insufficient filtering of input by web applications. Attackers can leverage this...
npm
No PRs yet
validator.js has a URL validation bypass vulnerability in its isURL function
GHSA-9965-vmph-33xx CVE-2025-56200 MODERATE about 2 months ago
A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses '://' as a delimiter to parse pro...
npm
66 Dependabot PRs
algoliasearch-helper is vulnerable to Prototype Pollution in _merge()
GHSA-529q-4j3p-7c5r CVE-2025-3193 MODERATE 2 months ago
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in mer...
npm
No PRs yet
express-xss-sanitizer has an unbounded recursion depth
GHSA-hvq2-wf92-j4f3 CVE-2025-59364 MODERATE 2 months ago
# Security Advisory: express-xss-sanitizer ## Overview A vulnerability was discovered in express-xss-sanitizer that allowed unbounded recursion de...
npm
No PRs yet
lobe-chat has an Open Redirect
GHSA-xph5-278p-26qx CVE-2025-59426 MODERATE 2 months ago
Description: Vulnerability Overview: The project's OIDC redirect handling logic constructs the host and protocol of the final red...
npm
No PRs yet
ts-fns has prototype pollution vulnerability
GHSA-g7wq-wggw-vmhg CVE-2025-57351 MODERATE 2 months ago
A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in t...
npm
No PRs yet
parse is vulnerable to prototype pollution
GHSA-9g8m-v378-pcg3 CVE-2025-57324 MODERATE 2 months ago
parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState funct...
npm
2 Dependabot PRs, 50% merged
json-schema-editor-visual vulnerable to prototype pollution
GHSA-3c3p-xh4f-pfh7 CVE-2025-57320 MODERATE 2 months ago
json-schema-editor-visual is a package that provides jsonschema editor. A Prototype Pollution vulnerability in the setData and deleteData function ...
npm
No PRs yet
Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure
GHSA-xh92-rqrq-227v CVE-2025-61685 MODERATE 2 months ago
The Mastra Docs MCP Server package `@mastra/mcp-docs-server` is a server designed to provide documentation context to AI agentic workflows, such as...
npm
No PRs yet
counterpart vulnerable to prototype pollution
GHSA-2488-w585-72ch CVE-2025-57354 MODERATE 2 months ago
A vulnerability exists in the `counterpart` library for Node.js and the browser due to insufficient sanitization of user-controlled input in transl...
npm
No PRs yet
messageformat prototype pollution vulnerability
GHSA-6xv4-9cqp-92rh CVE-2025-57353 MODERATE 2 months ago
The Runtime components of messageformat package for Node.js version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validati...
npm
10 Dependabot PRs
CSVTOJSON has a prototype pollution vulnerability
GHSA-vrw9-g62v-7fmf CVE-2025-57350 MODERATE 2 months ago
The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability ...
npm
3 Dependabot PRs
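Several entries above are the same bug class: a recursive merge that copies every key of an untrusted object, including an own `__proto__` key, into a target, so the recursion lands on `Object.prototype` (js-yaml's `<<` merge key, rollbar `merge()`, algoliasearch-helper `_merge()`, ts-fns, parse, json-schema-editor-visual, counterpart, messageformat and csvtojson). The block below is an added illustration of that class, not code from any of those packages: the vulnerable shape of such a merge beside a hardened one, both run on a constructed JSON payload.

```javascript
// Added example covering the prototype-pollution-in-merge entries above.
// Not the code of any listed package: a generic recursive merge of the kind
// those advisories describe, beside a hardened version, on a constructed payload.

// Vulnerable: walks every key of the source, including an own "__proto__" key
// that JSON.parse (or a YAML loader) creates as ordinary data, and recurses into
// target["__proto__"], which is Object.prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Keys through which a merge can reach a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: own keys only, the three prototype-reaching keys are refused, and
// recursion only descends into a target slot that is an own plain object.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, as it would arrive in an untrusted JSON body.
const PAYLOAD_JSON = '{"__proto__": {"polluted": "yes"}, "name": "demo"}';

// Runs both merges against fresh targets and reports whether an unrelated
// object picked up the injected property. Restores Object.prototype afterwards.
function demonstrate() {
  const result = { unsafeLeaked: null, safeLeaked: null };
  try {
    unsafeMerge({}, JSON.parse(PAYLOAD_JSON));
    result.unsafeLeaked = ({}).polluted === 'yes';
  } finally {
    delete Object.prototype.polluted;
  }
  safeMerge({}, JSON.parse(PAYLOAD_JSON));
  result.safeLeaked = ({}).polluted === 'yes';
  return result;
}

console.log(demonstrate());
```

Refusing the three keys is the common fix shipped for this class; merging into `Object.create(null)` targets or freezing `Object.prototype` at startup are defence-in-depth measures that also stop a polluted key from reaching every object in the process.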