An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,784
With Dependabot PRs: 1,790
Critical Severity: 3,506
High Severity: 8,617

Umbraco.Forms has HTML injection vulnerability in 'Send email' workflow
GHSA-2qrj-g9hq-chph CVE-2025-47280 LOW 7 months ago
### Impact The 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workf...
nuget
No PRs yet
Umbraco Makes User Enumeration Feasible Based on Timing of Login Response
GHSA-4g8m-5mj5-c8xg CVE-2025-46736 MODERATE 7 months ago
### Impact Based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. ### Patches Patch...
nuget
8 Dependabot PRs
Snowflake Connector for .NET has race condition when checking access to Easy Logging configuration file
GHSA-c82r-c9f7-f5mj CVE-2025-46326 LOW 7 months ago
# Issue Snowflake discovered and remediated a vulnerability in the Snowflake Connector for .NET (“Connector”). When using the Easy Logging feature ...
nuget
No PRs yet
YoutubeDLSharp allows command injection on windows system due to non sanitized arguments
GHSA-2jh5-g5ch-43q5 CVE-2025-43858 CRITICAL 7 months ago
## Summary This vulnerability only applies when running on a Windows OS. An unsafe conversion of arguments allows the injection of a malicious command...
nuget
No PRs yet
Infinite loop condition in Amazon.IonDotnet
GHSA-gm2p-wf5c-w3pj CVE-2025-3857 HIGH 7 months ago
## Summary [Amazon.IonDotnet (ion-dotnet)](https://github.com/amazon-ion/ion-dotnet) is a .NET library with an implementation of the [Ion data ser...
nuget
No PRs yet
Apache ActiveMQ NMS OpenWire Client Deserialization of Untrusted Data vulnerability
GHSA-9g64-r942-fvmp CVE-2025-29953 CRITICAL 7 months ago
Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client bef...
nuget
No PRs yet
CefSharp affected by incorrect handle provided in unspecified circumstances in Mojo on Windows
GHSA-f87w-3j5w-v58p HIGH 8 months ago
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to per...
nuget
No PRs yet
Microsoft Identity Web Exposes Client Secrets and Certificate Information in Service Logs
GHSA-rpq8-q44m-2rpg CVE-2025-32016 MODERATE 8 months ago
### Impact _What kind of vulnerability is it? Who is impacted?_ **Description:** This vulnerability affects confidential client applications, incl...
nuget
No PRs yet
DotNetNuke.Core Vulnerable to Server-Side Request Forgery (SSRF)
GHSA-3f7v-qx94-666m CVE-2025-32372 MODERATE 8 months ago
A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requ...
nuget
No PRs yet
Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users
GHSA-q62r-8ppj-xvf4 CVE-2025-32017 HIGH 8 months ago
### Impact Authenticated users to the Umbraco backoffice are able to craft management API request that exploit a path traversal vulnerability to up...
nuget
4 Dependabot PRs, 25% merged
Microsoft Security Advisory CVE-2025-24070: .NET Elevation of Privilege Vulnerability
GHSA-2865-hh9g-w894 CVE-2025-24070 HIGH 9 months ago
# Microsoft Security Advisory CVE-2025-24070: .NET Elevation of Privilege Vulnerability ## Executive summary Microsoft is releasing this security...
nuget
No PRs yet
Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content
GHSA-wx5h-wqfq-v698 CVE-2025-27602 MODERATE 9 months ago
### Impact Via manipulation of backoffice API URLs it's possible for authenticated backoffice users to retrieve or delete content or media held wit...
nuget
16 Dependabot PRs, 6% merged
Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality
GHSA-6ffg-mjg7-585x CVE-2025-27601 MODERATE 9 months ago
### Impact An improper API access control issue has been identified, allowing low-privilege, authenticated users to create and update data type inf...
nuget
16 Dependabot PRs, 6% merged
Microsoft Security Advisory CVE-2025-24043 | WinDbg Remote Code Execution Vulnerability
GHSA-hpw7-8qpc-34p3 CVE-2025-24043 HIGH 9 months ago
# Microsoft Security Advisory CVE-2025-24043 | WinDbg Remote Code Execution Vulnerability ## Executive summary Mi...
nuget
No PRs yet
DoS Vulnerability in TraceContextPropagator.Extract - OpenTelemetry.Api
GHSA-vc29-vg52-6643 HIGH 9 months ago
### Impact _What kind of vulnerability is it? Who is impacted?_ A vulnerability in `OpenTelemetry.Api` package `1.10.0` to `1.11.1` could cause a ...
nuget
No PRs yet
Out-of-bounds Write in SixLabors ImageSharp
GHSA-2cmq-823j-5qj8 CVE-2025-27598 HIGH 9 months ago
### Impact An Out-of-bounds Write vulnerability has been found in the ImageSharp gif decoder, allowing attackers to cause a crash using a specially...
nuget
16 Dependabot PRs, 6% merged
OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package
GHSA-8785-wc3w-h8q6 CVE-2025-27513 MODERATE 9 months ago
### Impact _What kind of vulnerability is it? Who is impacted?_ A vulnerability in `OpenTelemetry.Api` package `1.10.0` to `1.11.1` could cause a ...
nuget
No PRs yet
Security Update for the OPC UA .NET Standard Stack
GHSA-h958-fxgg-g7w3 CVE-2024-42512 MODERATE 9 months ago
This security update resolves a vulnerability in the OPC UA .NET Standard Stack that allows an unauthorized attacker to bypass application authenti...
nuget
No PRs yet
Security Update for the OPC UA .NET Standard Stack
GHSA-4rcc-7pg7-f57f CVE-2024-42513 MODERATE 9 months ago
This security update resolves a vulnerability in the OPC UA .NET Standard Stack that allows an unauthorized attacker to bypass application authenti...
nuget
No PRs yet
AutoQueryable leaks sensitive information
GHSA-m4mm-534h-5cp5 CVE-2024-57716 MODERATE 9 months ago
An issue in trenoncourt AutoQueryable v.1.7.0 allows a remote attacker to obtain sensitive information via the Unselectable function.
nuget
No PRs yet
Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
GHSA-qxj7-2x7w-3mpp CVE-2025-26620 MODERATE 9 months ago
### Summary Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requ...
nuget
1 Dependabot PR
AspNetCore Remote Authenticator for CIE3.0 Allows SAML Response Signature Verification Bypass
GHSA-vq63-8f72-f486 CVE-2025-24895 CRITICAL 9 months ago
### Description Authentication using Spid and CIE is based on the SAML2 standard which provides for two entities: Identity Provider (IdP): the sy...
nuget
No PRs yet
The AspNetCore Remote Authenticator for SPID Allows SAML Response Signature Verification Bypass
GHSA-36h8-r92j-w9vw CVE-2025-24894 CRITICAL 9 months ago
### Description Authentication using Spid and CIE is based on the SAML2 standard which provides for two entities: Identity Provider (IdP): the sy...
nuget
No PRs yet
TShock allows chat while not fully connected, possible ban evasion
GHSA-f8mx-cwfh-7hr2 MODERATE 10 months ago
This issue was reported to TShock by @ohayo, but was found by the Discord user by the name of `sofurry.com`. Please note that this user **does not ...
nuget
No PRs yet
Snowflake.Data has weak temporary files permissions
GHSA-2mqw-rq5m-8hc8 CVE-2025-24788 MODERATE 10 months ago
### Issue Snowflake discovered and remediated a vulnerability in the Snowflake Connector for .NET in which files downloaded from stages are tempora...
nuget
No PRs yet
Property reflection in System.Linq.Dynamic.Core
GHSA-4cv2-4hjh-77rx CVE-2024-51417 HIGH 10 months ago
An issue in System.Linq.Dynamic.Core versions before v.1.6.0 allows remote access to properties on reflection types and static properties/fields.
nuget
8 Dependabot PRs, 37% merged
XSS/HTML Injection Vulnerability in Umbraco Preview Badge
GHSA-69cg-w8vm-h229 CVE-2024-10761 MODERATE 10 months ago
### Impact Authenticated users are able to exploit an XSS vulnerability when viewing previewed content. ### Patches Will be patched in 10.8.8, 1...
nuget
2 Dependabot PRs
Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes
GHSA-hmg4-wwm5-p999 CVE-2025-24011 MODERATE 10 months ago
### Impact Based on an analysis of response codes and timing of Umbraco 14+ management API responses, it's possible to determine whether an accoun...
nuget
2 Dependabot PRs
XSS/HTML Injection Vulnerability in Umbraco Backoffice Components
GHSA-wv8v-rmw2-25wc CVE-2025-24012 MODERATE 10 months ago
### Impact Authenticated users are able to exploit an XSS vulnerability when viewing certain localized backoffice components. ### Patches Will be ...
npm nuget
2 Dependabot PRs
Microsoft Security Advisory CVE-2025-21176 | .NET and Visual Studio Remote Code Execution Vulnerability
GHSA-gjf6-3w4p-7xfh CVE-2025-21176 HIGH 11 months ago
# Microsoft Security Advisory CVE-2025-21176 | .NET and Visual Studio Remote Code Execution Vulnerability ## Execu...
nuget
No PRs yet
Microsoft Security Advisory CVE-2025-21172 | .NET and Visual Studio Remote Code Execution Vulnerability
GHSA-jjcv-wr2g-4rv4 CVE-2025-21172 HIGH 11 months ago
# Microsoft Security Advisory CVE-2025-21172 | .NET and Visual Studio Remote Code Execution Vulnerability ## Execu...
nuget
No PRs yet
Microsoft Security Advisory CVE-2025-21171 | .NET Remote Code Execution Vulnerability
GHSA-p54p-p3qm-8vgj CVE-2025-21171 HIGH 11 months ago
# Microsoft Security Advisory CVE-2025-21171 | .NET Remote Code Execution Vulnerability ## Executive summary Micr...
nuget
No PRs yet
Umbraco Forms's Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length
GHSA-9v8m-qv22-f268 CVE-2025-23041 MODERATE 11 months ago
### Impact Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. ### Patches ...
nuget
No PRs yet
Git Credential Manager carriage-return character in remote URL allows malicious repository to leak credentials
GHSA-86c2-4x57-wc8g CVE-2024-50338 HIGH 11 months ago
### Description The [Git credential protocol](https://git-scm.com/docs/git-credential#IOFMT) is text-based over standard input/output, and consists...
nuget
No PRs yet
The Umbraco Heartcore headless client library uses a vulnerable Refit dependency package
GHSA-mgr7-5782-6jh9 LOW 11 months ago
### Impact The Heartcore headless client library depends on [Refit ](https://github.com/reactiveui/refit) to assist in making HTTP requests to Hear...
nuget
No PRs yet
Piranha CMS Cross-site Scripting vulnerability
GHSA-mmx8-vrfg-hfmq CVE-2024-55341 MODERATE 11 months ago
A stored cross-site scripting (XSS) vulnerability in Piranha CMS 11.1 allows remote attackers to execute arbitrary JavaScript in the web browser of...
nuget
No PRs yet
Piranha CMS Cross-site Scripting vulnerability
GHSA-cmwp-442x-3rcv CVE-2024-55342 MODERATE 11 months ago
A file upload functionality in Piranha CMS 11.1 allows authenticated remote attackers to upload a crafted PDF file to /manager/media. This PDF can ...
nuget
No PRs yet
Oqtane Framework Insecure Direct Object Reference vulnerability
GHSA-2hr5-cvwp-jr5w CVE-2024-55186 LOW 11 months ago
An IDOR (Insecure Direct Object Reference) vulnerability exists in Oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of ot...
nuget
No PRs yet
Oqtane Framework Insecure Direct Object Reference vulnerability
GHSA-hhcw-wwxv-g95c CVE-2024-55471 MODERATE 11 months ago
Oqtane Framework is vulnerable to Insecure Direct Object Reference (IDOR) in Oqtane.Controllers.UserController. This allows unauthorized users to a...
nuget
No PRs yet
Oqtane Framework Incorrect Access Control vulnerability
GHSA-995c-qww8-64fj CVE-2024-55470 HIGH 11 months ago
Oqtane Framework 6.0.0 is vulnerable to Incorrect Access Control. By manipulating the entityid parameter, attackers can bypass passcode validation ...
nuget
No PRs yet
TShock Security Escalation Exploit
GHSA-hvm9-wc8j-mgrc HIGH 11 months ago
### Impact An issue with the way OTAPI manages client connections results in stale UUIDs remaining on `RemoteClient` instances after a player disco...
nuget
No PRs yet
Devolutions.XTS.NET Vulnerable to Timing Attack on GF Multiplications
GHSA-j6vm-4r7g-x4gr CVE-2024-11862 MODERATE 12 months ago
### Impact Timing attacks on Galois Field multiplications in this package. Successful exploitation would effectively allow a downgrade of the secur...
nuget
No PRs yet
DotNetZip Directory Traversal vulnerability
GHSA-xhg6-9j5j-w4vf CVE-2024-48510 HIGH about 1 year ago
Directory Traversal vulnerability in DotNetZip v.1.16.0 and before allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEnt...
nuget
No PRs yet
.NET Remote Code Execution Vulnerability
GHSA-v7vf-f5q6-m899 CVE-2024-43498 CRITICAL about 1 year ago
# Microsoft Security Advisory CVE-2024-43498 | .NET Remote Code Execution Vulnerability ## Executive summary Micr...
nuget
No PRs yet
.NET Denial of Service Vulnerability
GHSA-6x36-qxmj-rv4p CVE-2024-43499 HIGH about 1 year ago
# Microsoft Security Advisory CVE-2024-43499 | .NET Denial of Service Vulnerability ## Executive summary Microsof...
nuget
No PRs yet
HTTP Client uses incorrect token after refresh
GHSA-7mr7-4f54-vcx5 CVE-2024-51987 MODERATE about 1 year ago
### Impact HTTP Clients created by `AddUserAccessTokenHttpClient` may use a different user's access token after a token refresh. This occurs becaus...
nuget
No PRs yet
CRLF injection in Refit's [Header], [HeaderCollection] and [Authorize] attributes
GHSA-3hxg-fxwm-8gf7 CVE-2024-51501 CRITICAL about 1 year ago
### Summary The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection. ### Details The...
nuget
No PRs yet
Apache Lucene.Net.Replicator Deserialization of Untrusted Data vulnerability
GHSA-2qw8-ppr5-m96c CVE-2024-43383 HIGH about 1 year ago
Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4...
nuget
7 Dependabot PRs
ICG.AspNetCore.Utilities.CloudStorage's Secure Token Durations Different Than Expected
GHSA-24mc-gc52-47jv CVE-2024-50353 MODERATE about 1 year ago
### Impact Users of this library that set a duration for a SAS Uri with a value other than 1 hour may have generated a URL with a duration that is ...
nuget
No PRs yet
Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs
GHSA-v9xq-2mvm-x8xc CVE-2024-49755 LOW about 1 year ago
### Impact IdentityServer's local API authentication handler performs insufficient validation of the `cnf` claim in DPoP access tokens. This allows...
nuget
4 Dependabot PRs, 66% merged