Security Advisories
Browse security advisories and track which Dependabot PRs address them.
23,521 total advisories; 1,600 with Dependabot PRs; 3,384 critical severity; 8,238 high severity
SixLabors ImageSharp Has Infinite Loop in GIF Decoder When Skipping Malformed Comment Extension Blocks
GHSA-rxmq-m78w-7wmc CVE-2025-54575 MODERATE about 1 month ago
### Impact
A specially crafted GIF file containing a malformed comment extension block (with a missing block terminator) can cause the ImageSharp G...
nuget
No PRs yet
Umbraco Delivery API allows for cached requests to be returned with an invalid API key
GHSA-75vq-qvhr-7ffr CVE-2025-54425 MODERATE about 1 month ago
### Impact
Umbraco's [content delivery API](https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api) can be restricted from public acce...
nuget
13 Dependabot PRs, 7% merged
ImageMagick has XMP profile write that triggers hang due to unbounded loop
GHSA-vmhh-8rxq-fp9g CVE-2025-53015 HIGH about 2 months ago
### Summary
Infinite lines occur when writing during a specific XMP file conversion command
### Details
```
#0 GetXmpNumeratorAndDenominator (deno...
nuget
1 Dependabot PR
Umbraco CMS disclosure of configured password requirements
GHSA-pgvc-6h2p-q4f6 CVE-2025-49147 MODERATE 3 months ago
### Impact
Via a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password requirements....
nuget
3 Dependabot PRs
DNN.PLATFORM leaks NTLM hash via SMB Share Interaction with malicious user input
GHSA-mgfv-2362-jq96 CVE-2025-52488 HIGH 3 months ago
DNN.PLATFORM allows a specially crafted series of malicious interactions to expose NTLM hashes to a third-party SMB server. This vulnerability is f...
nuget
1 Dependabot PR
DNN.PLATFORM possibly allows bypass of IP Filters
GHSA-fjhg-3mrh-mm7h CVE-2025-52487 HIGH 3 months ago
DNN.PLATFORM allows a specially crafted request or proxy to be created that would bypass the design of DNN Login IP Filters allowing login attempts...
nuget
No PRs yet
DNN.PLATFORM Allows Stored Cross-Site Scripting (XSS) in Activity Feed
GHSA-wwc9-wmm3-2pmf CVE-2025-52485 MODERATE 3 months ago
DNN.PLATFORM allows a specially crafted request to inject scripts into the Activity Feed Attachments endpoint, which will then render in the feed, re...
nuget
No PRs yet
DNN.PLATFORM Allows Reflected Cross-Site Scripting (XSS) in some TokenReplace situations with SkinObjects
GHSA-pf4h-vrv6-cmvr CVE-2025-52486 MODERATE 3 months ago
DNN.PLATFORM allows specially crafted content in URLs to be used with TokenReplace without being properly sanitized by some SkinObjects. This vulne...
nuget
No PRs yet
DotVVM allows path traversal when deployed in Debug mode
GHSA-6q65-j4jw-9cg8 HIGH 3 months ago
### Description
There is a path traversal vulnerability in any DotVVM application started in Debug mode, if at least one resource with the `FileRe...
nuget
No PRs yet
Couchbase .NET SDK (client library) does not properly enable hostname verification for TLS certificates
GHSA-px2c-r924-mwcc CVE-2025-49015 MODERATE 3 months ago
The Couchbase .NET SDK (client library) before 3.7.1 does not properly enable hostname verification for TLS certificates. In fact, the SDK was also...
nuget
No PRs yet
Microsoft Security Advisory CVE-2025-30399 | .NET Remote Code Vulnerability
GHSA-266m-wp2v-x7mq CVE-2025-30399 HIGH 3 months ago
# Microsoft Security Advisory CVE-2025-30399 | .NET Remote Code Vulnerability
## <a name="executive-summary"></a>Executive summary
Microsoft is r...
nuget
No PRs yet
Umbraco Vulnerable to By-Pass of Configured Allowed Extensions for File Uploads
GHSA-fr6r-p8hv-x3c4 CVE-2025-48953 MODERATE 3 months ago
### Impact
Via a manipulated API request it's possible to upload a file that doesn't adhere with the configured allowable file extensions.
### Pat...
nuget
1 Dependabot PR
DNN allows Stored Cross-Site Scripting (XSS) with svg files rendered inline
GHSA-m4hf-fxcg-cp34 CVE-2025-48378 MODERATE 4 months ago
Uploaded SVG files could contain scripts and, if rendered inline, those scripts could run, allowing XSS attacks.
nuget
No PRs yet
Reflected Cross-Site Scripting (XSS) in module actions in edit mode
GHSA-79m3-rvx2-3qq9 CVE-2025-48377 MODERATE 4 months ago
A specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions.
nuget
No PRs yet
DNN site Import could use an external source with a crafted request
GHSA-62mf-vhhw-xmf8 CVE-2025-48376 LOW 4 months ago
A malicious SuperUser (Host) could craft a request to use an external url for a site export to then be imported.
nuget
No PRs yet
Microsoft.Build.Tasks.Core .NET Spoofing Vulnerability
GHSA-h4j7-5rxr-p4wc CVE-2025-26646 HIGH 4 months ago
# Microsoft Security Advisory CVE-2025-26646: .NET Spoofing Vulnerability
## <a name="executive-summary"></a>Executive summary
Microsoft is relea...
nuget
No PRs yet
Umbraco.Forms has HTML injection vulnerability in 'Send email' workflow
GHSA-2qrj-g9hq-chph CVE-2025-47280 LOW 4 months ago
### Impact
The 'Send email' workflow does not HTML encode the user-provided field values in the sent email message, making any form with this workf...
nuget
No PRs yet
Umbraco Makes User Enumeration Feasible Based on Timing of Login Response
GHSA-4g8m-5mj5-c8xg CVE-2025-46736 MODERATE 4 months ago
### Impact
Based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists.
### Patches
Patch...
nuget
4 Dependabot PRs
Snowflake Connector for .NET has race condition when checking access to Easy Logging configuration file
GHSA-c82r-c9f7-f5mj CVE-2025-46326 LOW 4 months ago
# Issue
Snowflake discovered and remediated a vulnerability in the Snowflake Connector for .NET (“Connector”). When using the Easy Logging feature ...
nuget
No PRs yet
YoutubeDLSharp allows command injection on windows system due to non sanitized arguments
GHSA-2jh5-g5ch-43q5 CVE-2025-43858 CRITICAL 5 months ago
## Summary
This vulnerability only applies when running on a Windows OS.
An unsafe conversion of arguments allows the injection of a malicious command...
nuget
No PRs yet
Infinite loop condition in Amazon.IonDotnet
GHSA-gm2p-wf5c-w3pj CVE-2025-3857 HIGH 5 months ago
## Summary
[Amazon.IonDotnet (ion-dotnet)](https://github.com/amazon-ion/ion-dotnet) is a .NET library with an implementation of the [Ion data ser...
nuget
No PRs yet
Apache ActiveMQ NMS OpenWire Client Deserialization of Untrusted Data vulnerability
GHSA-9g64-r942-fvmp CVE-2025-29953 CRITICAL 5 months ago
Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client.
This issue affects Apache ActiveMQ NMS OpenWire Client bef...
nuget
No PRs yet
CefSharp affected by incorrect handle provided in unspecified circumstances in Mojo on Windows
GHSA-f87w-3j5w-v58p HIGH 5 months ago
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to per...
nuget
No PRs yet
Microsoft Identity Web Exposes Client Secrets and Certificate Information in Service Logs
GHSA-rpq8-q44m-2rpg CVE-2025-32016 MODERATE 5 months ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
**Description:** This vulnerability affects confidential client applications, incl...
nuget
No PRs yet
DotNetNuke.Core Vulnerable to Server-Side Request Forgery (SSRF)
GHSA-3f7v-qx94-666m CVE-2025-32372 MODERATE 5 months ago
A bypass has been identified for the previously known vulnerability CVE-2017-0929, allowing unauthenticated attackers to execute arbitrary GET requ...
nuget
No PRs yet
Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users
GHSA-q62r-8ppj-xvf4 CVE-2025-32017 HIGH 5 months ago
### Impact
Authenticated users of the Umbraco backoffice are able to craft management API requests that exploit a path traversal vulnerability to up...
nuget
2 Dependabot PRs, 50% merged
Microsoft Security Advisory CVE-2025-24070: .NET Elevation of Privilege Vulnerability
GHSA-2865-hh9g-w894 CVE-2025-24070 HIGH 6 months ago
# Microsoft Security Advisory CVE-2025-24070: .NET Elevation of Privilege Vulnerability
## <a name="executive-summary"></a>Executive summary
Micr...
nuget
No PRs yet
Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content
GHSA-wx5h-wqfq-v698 CVE-2025-27602 MODERATE 6 months ago
### Impact
Via manipulation of backoffice API URLs it's possible for authenticated backoffice users to retrieve or delete content or media held wit...
nuget
8 Dependabot PRs, 12% merged
Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality
GHSA-6ffg-mjg7-585x CVE-2025-27601 MODERATE 6 months ago
### Impact
An improper API access control issue has been identified, allowing low-privilege, authenticated users to create and update data type inf...
nuget
8 Dependabot PRs, 12% merged
Microsoft Security Advisory CVE-2025-24043 | WinDbg Remote Code Execution Vulnerability
GHSA-hpw7-8qpc-34p3 CVE-2025-24043 HIGH 6 months ago
# Microsoft Security Advisory CVE-2025-24043 | WinDbg Remote Code Execution Vulnerability
## <a name="executive-summary"></a>Executive summary
Mi...
nuget
No PRs yet
DoS Vulnerability in TraceContextPropagator.Extract - OpenTelemetry.Api
GHSA-vc29-vg52-6643 HIGH 6 months ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
A vulnerability in `OpenTelemetry.Api` package `1.10.0` to `1.11.1` could cause a ...
nuget
No PRs yet
Out-of-bounds Write in SixLabors ImageSharp
GHSA-2cmq-823j-5qj8 CVE-2025-27598 HIGH 6 months ago
### Impact
An Out-of-bounds Write vulnerability has been found in the ImageSharp gif decoder, allowing attackers to cause a crash using a specially...
nuget
8 Dependabot PRs, 12% merged
OpenTelemetry .NET has Denial of Service (DoS) Vulnerability in API Package
GHSA-8785-wc3w-h8q6 CVE-2025-27513 MODERATE 6 months ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
A vulnerability in `OpenTelemetry.Api` package `1.10.0` to `1.11.1` could cause a ...
nuget
No PRs yet
Security Update for the OPC UA .NET Standard Stack
GHSA-h958-fxgg-g7w3 CVE-2024-42512 MODERATE 6 months ago
This security update resolves a vulnerability in the OPC UA .NET Standard Stack that allows an unauthorized attacker to bypass application authenti...
nuget
No PRs yet
Security Update for the OPC UA .NET Standard Stack
GHSA-4rcc-7pg7-f57f CVE-2024-42513 MODERATE 6 months ago
This security update resolves a vulnerability in the OPC UA .NET Standard Stack that allows an unauthorized attacker to bypass application authenti...
nuget
No PRs yet
AutoQueryable leaks sensitive information
GHSA-m4mm-534h-5cp5 CVE-2024-57716 MODERATE 7 months ago
An issue in trenoncourt AutoQueryable v.1.7.0 allows a remote attacker to obtain sensitive information via the Unselectable function.
nuget
No PRs yet
Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens
GHSA-qxj7-2x7w-3mpp CVE-2025-26620 MODERATE 7 months ago
### Summary
Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requ...
nuget
No PRs yet
AspNetCore Remote Authenticator for CIE3.0 Allows SAML Response Signature Verification Bypass
GHSA-vq63-8f72-f486 CVE-2025-24895 CRITICAL 7 months ago
### Description
Authentication using Spid and CIE is based on the SAML2 standard which provides for two entities:
Identity Provider (IdP): the sy...
nuget
No PRs yet
The AspNetCore Remote Authenticator for SPID Allows SAML Response Signature Verification Bypass
GHSA-36h8-r92j-w9vw CVE-2025-24894 CRITICAL 7 months ago
### Description
Authentication using Spid and CIE is based on the SAML2 standard which provides for two entities:
Identity Provider (IdP): the sy...
nuget
No PRs yet
TShock allows chat while not fully connected, possible ban evasion
GHSA-f8mx-cwfh-7hr2 MODERATE 7 months ago
This issue was reported to TShock by @ohayo, but was found by the Discord user by the name of `sofurry.com`. Please note that this user **does not ...
nuget
No PRs yet
Snowflake.Data has weak temporary files permissions
GHSA-2mqw-rq5m-8hc8 CVE-2025-24788 MODERATE 7 months ago
### Issue
Snowflake discovered and remediated a vulnerability in the Snowflake Connector for .NET in which files downloaded from stages are tempora...
nuget
No PRs yet
Property reflection in System.Linq.Dynamic.Core
GHSA-4cv2-4hjh-77rx CVE-2024-51417 HIGH 8 months ago
An issue in System.Linq.Dynamic.Core versions before v1.6.0 allows remote access to properties on reflection types and static properties/fields.
nuget
6 Dependabot PRs, 50% merged
XSS/HTML Injection Vulnerability in Umbraco Preview Badge
GHSA-69cg-w8vm-h229 CVE-2024-10761 MODERATE 8 months ago
### Impact
Authenticated users are able to exploit an XSS vulnerability when viewing previewed content.
### Patches
Will be patched in 10.8.8, 1...
nuget
1 Dependabot PR
Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes
GHSA-hmg4-wwm5-p999 CVE-2025-24011 MODERATE 8 months ago
### Impact
Based on an analysis of response codes and timing of Umbraco 14+ management API responses, it's possible to determine whether an accoun...
nuget
1 Dependabot PR
XSS/HTML Injection Vulnerability in Umbraco Backoffice Components
GHSA-wv8v-rmw2-25wc CVE-2025-24012 MODERATE 8 months ago
### Impact
Authenticated users are able to exploit an XSS vulnerability when viewing certain localized backoffice components.
### Patches
Will be ...
npm
nuget
1 Dependabot PR
Microsoft Security Advisory CVE-2025-21176 | .NET and Visual Studio Remote Code Execution Vulnerability
GHSA-gjf6-3w4p-7xfh CVE-2025-21176 HIGH 8 months ago
# Microsoft Security Advisory CVE-2025-21176 | .NET and Visual Studio Remote Code Execution Vulnerability
## <a name="executive-summary"></a>Execu...
nuget
No PRs yet
Microsoft Security Advisory CVE-2025-21172 | .NET and Visual Studio Remote Code Execution Vulnerability
GHSA-jjcv-wr2g-4rv4 CVE-2025-21172 HIGH 8 months ago
# Microsoft Security Advisory CVE-2025-21172 | .NET and Visual Studio Remote Code Execution Vulnerability
## <a name="executive-summary"></a>Execu...
nuget
No PRs yet
Microsoft Security Advisory CVE-2025-21171 | .NET Remote Code Execution Vulnerability
GHSA-p54p-p3qm-8vgj CVE-2025-21171 HIGH 8 months ago
# Microsoft Security Advisory CVE-2025-21171 | .NET Remote Code Execution Vulnerability
## <a name="executive-summary"></a>Executive summary
Micr...
nuget
No PRs yet
Umbraco Forms's Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length
GHSA-9v8m-qv22-f268 CVE-2025-23041 MODERATE 8 months ago
### Impact
Character limits configured by editors for short and long answer fields are validated only client-side, not server-side.
### Patches
...
nuget
No PRs yet
Git Credential Manager carriage-return character in remote URL allows malicious repository to leak credentials
GHSA-86c2-4x57-wc8g CVE-2024-50338 HIGH 8 months ago
### Description
The [Git credential protocol](https://git-scm.com/docs/git-credential#IOFMT) is text-based over standard input/output, and consists...
nuget
No PRs yet