An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,784 Total Advisories
1,790 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity

DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload
GHSA-hmvq-8p83-cq52 CVE-2025-64094 MODERATE 28 days ago
### Summary Sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios. ### Details DNN validates the contents ...
nuget
No PRs yet
DNN CKEditor Provider allows unauthenticated upload out-of-the-box
GHSA-2374-6cvw-qmx6 CVE-2025-62802 MODERATE 28 days ago
### Summary The out-of-box experience for HTML editing allows unauthenticated users to upload files. This opens a potential vector to other securit...
nuget
No PRs yet
ImageMagick has Integer Overflow in BMP Decoder (ReadBMP)
GHSA-9pp9-cfwx-54rm CVE-2025-62171 MODERATE 29 days ago
## Summary CVE-2025-57803 claims to be patched in ImageMagick 7.1.2-2, but **the fix is incomplete and ineffective**. The latest version **7.1.2-5...
nuget
1 Dependabot PR
ImageMagick CLAHE : Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS)
GHSA-wpp4-vqfq-v4hp CVE-2025-62594 MODERATE about 1 month ago
## Summary A single root cause in the CLAHE implementation — tile width/height becoming zero — produces two distinct but related unsafe behaviors....
nuget
No PRs yet
Piranha CMS vulnerable to stored cross-site scripting (XSS)
GHSA-3qcp-9v8c-6jp7 CVE-2025-61413 MODERATE about 1 month ago
A stored cross-site scripting (XSS) vulnerability in the /manager/pages component of Piranha CMS v12.0 allows attackers to execute arbitrary web sc...
nuget
No PRs yet
Mammoth is vulnerable to Directory Traversal
GHSA-rmjr-87wv-gf87 CVE-2025-11849 MODERATE about 1 month ago
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the packa...
maven npm nuget +1 more
No PRs yet
Smidge is vulnerable to Path Traversal
GHSA-9rvm-p3qm-f4vv CVE-2025-11842 MODERATE about 1 month ago
A security vulnerability has been detected in Shazwazza Smidge up to 4.5.1. The impacted element is an unknown function of the component Bundle Han...
nuget
No PRs yet
Microsoft Security Advisory CVE-2025-55248: .NET Information Disclosure Vulnerability
GHSA-gwq6-fmvp-qp68 CVE-2025-55248 MODERATE about 1 month ago
# Microsoft Security Advisory CVE-2025-55248 | .NET Information Disclosure Vulnerability ## <a name="executive-summary"></a>Executive summary Mic...
nuget
No PRs yet
FormCMS has an improper access control vulnerability in the /api/schemas/history/[schemaId] endpoint
GHSA-6cwx-42hw-w69c CVE-2025-55797 MODERATE about 2 months ago
An improper access control vulnerability in FormCms v0.5.4 in the /api/schemas/history/[schemaId] endpoint allows unauthenticated attackers to acce...
nuget
No PRs yet
PiranhaCMS stored XSS
GHSA-456v-f425-8mcv CVE-2025-57692 MODERATE 2 months ago
PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitr...
nuget
No PRs yet
DNN vulnerable to Reflected Cross-Site Scripting (XSS) using url to profile
GHSA-jc4g-c8ww-5738 CVE-2025-59821 MODERATE 2 months ago
# Summary A reflected cross-site scripting (XSS) vulnerability exists under certain conditions, using a specially crafted url to view a user profil...
nuget
No PRs yet
DNN affected by Stored Cross-Site Scripting (XSS) in Profile Biography field
GHSA-7rcc-q6rq-jpcm CVE-2025-59539 MODERATE 2 months ago
## Summary Users can use special syntax to inject javascript code in their profile biography field. Although there was sanitization in place, it di...
nuget
No PRs yet
DNN allows loading unused themes on anonymous clients through query parameters
GHSA-wq2j-w9pm-7x2p CVE-2025-59535 MODERATE 2 months ago
### Summary Arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page...
nuget
No PRs yet
Kubernetes C# client accepts certificates from any CA without properly verifying the trust chain
GHSA-w7r3-mgwf-4mqq CVE-2025-9708 MODERATE 2 months ago
A vulnerability exists in the Kubernetes C# client where the certificate validation logic accepts properly constructed certificates from any Certif...
nuget
No PRs yet
FormCms avatar upload feature has a stored cross-site scripting (XSS) vulnerability
GHSA-4fxf-xgrm-8fcj CVE-2025-56236 MODERATE 3 months ago
FormCms v0.5.5 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload feature. Authenticated users can upload .html files ...
nuget
No PRs yet
ImageMagick has Undefined Behavior (function-type-mismatch) in CloneSplayTree
GHSA-6hgw-6x87-578x CVE-2025-55160 MODERATE 3 months ago
## Summary - **Target:** ImageMagick (commit `ecc9a5eb456747374bae8e07038ba10b3d8821b3`) - **Type:** Undefined Behavior (function-type-mismatch) in...
nuget
No PRs yet
SixLabors ImageSharp Has Infinite Loop in GIF Decoder When Skipping Malformed Comment Extension Blocks
GHSA-rxmq-m78w-7wmc CVE-2025-54575 MODERATE 4 months ago
### Impact A specially crafted GIF file containing a malformed comment extension block (with a missing block terminator) can cause the ImageSharp G...
nuget
No PRs yet
Umbraco Delivery API allows for cached requests to be returned with an invalid API key
GHSA-75vq-qvhr-7ffr CVE-2025-54425 MODERATE 4 months ago
### Impact Umbraco's [content delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api) can be restricted from public acce...
nuget
18 Dependabot PRs, 5% merged
Umbraco CMS disclosure of configured password requirements
GHSA-pgvc-6h2p-q4f6 CVE-2025-49147 MODERATE 5 months ago
### Impact Via a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password requirements....
nuget
7 Dependabot PRs
DNN.PLATFORM Allows Stored Cross-Site Scripting (XSS) in Activity Feed
GHSA-wwc9-wmm3-2pmf CVE-2025-52485 MODERATE 5 months ago
DNN.PLATFORM allows a specially crafted request to inject scripts in the Activity Feed Attachments endpoint which will then render in the feed, re...
nuget
No PRs yet
DNN.PLATFORM Allows Reflected Cross-Site Scripting (XSS) in some TokenReplace situations with SkinObjects
GHSA-pf4h-vrv6-cmvr CVE-2025-52486 MODERATE 5 months ago
DNN.PLATFORM allows specially crafted content in URLs to be used with TokenReplace without being properly sanitized by some SkinObjects. This vulne...
nuget
No PRs yet
Couchbase .NET SDK (client library) does not properly enable hostname verification for TLS certificates
GHSA-px2c-r924-mwcc CVE-2025-49015 MODERATE 5 months ago
The Couchbase .NET SDK (client library) before 3.7.1 does not properly enable hostname verification for TLS certificates. In fact, the SDK was also...
nuget
No PRs yet
Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads
GHSA-fr6r-p8hv-x3c4 CVE-2025-48953 MODERATE 6 months ago
### Impact Via a manipulated API request it's possible to upload a file that doesn't adhere with the configured allowable file extensions. ### Pat...
nuget
4 Dependabot PRs
DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline
GHSA-m4hf-fxcg-cp34 CVE-2025-48378 MODERATE 6 months ago
Uploaded SVG files could contain scripts and if rendered inline those scripts could run allowing XSS attacks.
nuget
No PRs yet
Reflected Cross-Site Scripting (XSS) in module actions in edit mode
GHSA-79m3-rvx2-3qq9 CVE-2025-48377 MODERATE 6 months ago
A specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions.
nuget
No PRs yet
Umbraco Makes User Enumeration Feasible Based on Timing of Login Response
GHSA-4g8m-5mj5-c8xg CVE-2025-46736 MODERATE 7 months ago
### Impact Based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. ### Patches Patch...
nuget
8 Dependabot PRs
Microsoft Identity Web Exposes Client Secrets and Certificate Information in Service Logs
GHSA-rpq8-q44m-2rpg CVE-2025-32016 MODERATE 8 months ago
### Impact _What kind of vulnerability is it? Who is impacted?_ **Description:** This vulnerability affects confidential client applications, incl...
nuget
No PRs yet
DotNetNuke.Core Vulnerable to Server-Side Request Forgery (SSRF)
GHSA-3f7v-qx94-666m CVE-2025-32372 MODERATE 8 months ago
A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requ...
nuget
No PRs yet
Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content
GHSA-wx5h-wqfq-v698 CVE-2025-27602 MODERATE 9 months ago
### Impact Via manipulation of backoffice API URLs it's possible for authenticated backoffice users to retrieve or delete content or media held wit...
nuget
16 Dependabot PRs, 6% merged
Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality
GHSA-6ffg-mjg7-585x CVE-2025-27601 MODERATE 9 months ago
### Impact An improper API access control issue has been identified, allowing low-privilege, authenticated users to create and update data type inf...
nuget
16 Dependabot PRs, 6% merged
OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package
GHSA-8785-wc3w-h8q6 CVE-2025-27513 MODERATE 9 months ago
### Impact _What kind of vulnerability is it? Who is impacted?_ A vulnerability in `OpenTelemetry.Api` package `1.10.0` to `1.11.1` could cause a ...
nuget
No PRs yet
Security Update for the OPC UA .NET Standard Stack
GHSA-h958-fxgg-g7w3 CVE-2024-42512 MODERATE 9 months ago
This security update resolves a vulnerability in the OPC UA .NET Standard Stack that allows an unauthorized attacker to bypass application authenti...
nuget
No PRs yet
Security Update for the OPC UA .NET Standard Stack
GHSA-4rcc-7pg7-f57f CVE-2024-42513 MODERATE 9 months ago
This security update resolves a vulnerability in the OPC UA .NET Standard Stack that allows an unauthorized attacker to bypass application authenti...
nuget
No PRs yet
AutoQueryable leaks sensitive information
GHSA-m4mm-534h-5cp5 CVE-2024-57716 MODERATE 9 months ago
An issue in trenoncourt AutoQueryable v.1.7.0 allows a remote attacker to obtain sensitive information via the Unselectable function.
nuget
No PRs yet
Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
GHSA-qxj7-2x7w-3mpp CVE-2025-26620 MODERATE 9 months ago
### Summary Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requ...
nuget
1 Dependabot PR
TShock allows chat while not fully connected, possible ban evasion
GHSA-f8mx-cwfh-7hr2 MODERATE 10 months ago
This issue was reported to TShock by @ohayo, but was found by the Discord user by the name of `sofurry.com`. Please note that this user **does not ...
nuget
No PRs yet
Snowflake.Data has weak temporary files permissions
GHSA-2mqw-rq5m-8hc8 CVE-2025-24788 MODERATE 10 months ago
### Issue Snowflake discovered and remediated a vulnerability in the Snowflake Connector for .NET in which files downloaded from stages are tempora...
nuget
No PRs yet
XSS/HTML Injection Vulnerability in Umbraco Preview Badge
GHSA-69cg-w8vm-h229 CVE-2024-10761 MODERATE 10 months ago
### Impact Authenticated users are able to exploit an XSS vulnerability when viewing previewed content. ### Patches Will be patched in 10.8.8, 1...
nuget
2 Dependabot PRs
Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes
GHSA-hmg4-wwm5-p999 CVE-2025-24011 MODERATE 10 months ago
### Impact Based on an analysis of response codes and timing of Umbraco 14+ management API responses, it's possible to determine whether an accoun...
nuget
2 Dependabot PRs
XSS/HTML Injection Vulnerability in Umbraco Backoffice Components
GHSA-wv8v-rmw2-25wc CVE-2025-24012 MODERATE 10 months ago
### Impact Authenticated users are able to exploit an XSS vulnerability when viewing certain localized backoffice components. ### Patches Will be ...
npm nuget
2 Dependabot PRs
Umbraco Forms's Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length
GHSA-9v8m-qv22-f268 CVE-2025-23041 MODERATE 11 months ago
### Impact Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. ### Patches ...
nuget
No PRs yet
Piranha CMS Cross-site Scripting vulnerability
GHSA-mmx8-vrfg-hfmq CVE-2024-55341 MODERATE 11 months ago
A stored cross-site scripting (XSS) vulnerability in Piranha CMS 11.1 allows remote attackers to execute arbitrary JavaScript in the web browser of...
nuget
No PRs yet
Piranha CMS Cross-site Scripting vulnerability
GHSA-cmwp-442x-3rcv CVE-2024-55342 MODERATE 11 months ago
A file upload functionality in Piranha CMS 11.1 allows authenticated remote attackers to upload a crafted PDF file to /manager/media. This PDF can ...
nuget
No PRs yet
Oqtane Framework Insecure Direct Object Reference vulnerability
GHSA-hhcw-wwxv-g95c CVE-2024-55471 MODERATE 11 months ago
Oqtane Framework is vulnerable to Insecure Direct Object Reference (IDOR) in Oqtane.Controllers.UserController. This allows unauthorized users to a...
nuget
No PRs yet
Devolutions.XTS.NET Vulnerable to Timing Attack on GF Multiplications
GHSA-j6vm-4r7g-x4gr CVE-2024-11862 MODERATE 12 months ago
### Impact Timing attacks on Galois Field multiplications in this package. Successful exploitation would effectively allow a downgrade of the secur...
nuget
No PRs yet
HTTP Client uses incorrect token after refresh
GHSA-7mr7-4f54-vcx5 CVE-2024-51987 MODERATE about 1 year ago
### Impact HTTP Clients created by `AddUserAccessTokenHttpClient` may use a different user's access token after a token refresh. This occurs becaus...
nuget
No PRs yet
ICG.AspNetCore.Utilities.CloudStorage's Secure Token Durations Different Than Expected
GHSA-24mc-gc52-47jv CVE-2024-50353 MODERATE about 1 year ago
### Impact Users of this library that set a duration for a SAS Uri with a value other than 1 hour may have generated a URL with a duration that is ...
nuget
No PRs yet
MPXJ has a Potential Path Traversal Vulnerability
GHSA-j945-c44v-97g6 CVE-2024-49771 MODERATE about 1 year ago
### Impact The patch for the historical vulnerability CVE-2020-35460 in MPXJ is incomplete as there is still a possibility that a malicious path co...
maven nuget pypi +1 more
No PRs yet
Umbraco CMS Has Incomplete Server Termination During Explicit Sign-Out
GHSA-wxw9-6pv9-c3xc CVE-2024-48929 MODERATE about 1 year ago
### Impact During an explicit sign-out, the server session is not fully terminated.
nuget
No PRs yet
Umbraco has a Potential Code Execution Risk When Viewing SVG Files in Full Screen in Backoffice
GHSA-5955-cwv4-h7qh CVE-2024-48927 MODERATE about 1 year ago
### Impact There is a potential risk of code execution for Backoffice users when they “preview” SVG files in full screen mode. ### Workarounds Ser...
nuget
No PRs yet