An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,842
With Dependabot PRs: 1,804
Critical Severity: 3,510
High Severity: 8,633

Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms
GHSA-8535-hvm8-2hmv CVE-2025-66298 HIGH about 3 hours ago
### Summary Having a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the corr...
packagist
No PRs yet
Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass
GHSA-662m-56v4-3r8f CVE-2025-66294 HIGH about 3 hours ago
### Summary A Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to exe...
packagist
No PRs yet
Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab
GHSA-7g78-5g5g-mvfj CVE-2025-66310 MODERATE about 3 hours ago
## Summary A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the _Grav_ application. This ...
packagist
No PRs yet
Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab
GHSA-65mj-f7p4-wggq CVE-2025-66309 MODERATE about 3 hours ago
## Summary A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the _Grav_ application. Th...
packagist
No PRs yet
Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection
GHSA-858q-77wx-hhx6 CVE-2025-66297 HIGH about 3 hours ago
### Summary A user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. ...
packagist
No PRs yet
Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`
GHSA-gqxx-248x-g29f CVE-2025-66308 MODERATE about 3 hours ago
## Summary A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/config/site` endpoint of the _Grav_ application. This v...
packagist
No PRs yet
Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption
GHSA-h756-wh59-hhjv CVE-2025-66295 HIGH about 3 hours ago
### Summary When a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal s...
packagist
No PRs yet
Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter
GHSA-m8vh-v6r6-w7p6 CVE-2025-66305 HIGH about 4 hours ago
**Endpoint**: `admin/config/system` **Submenu**: `Languages` **Parameter**: `Supported` **Application**: Grav v1.7.48 --- ## Summary A De...
packagist
No PRs yet
Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel
GHSA-4cwq-j7jv-qmwg CVE-2025-66306 MODERATE about 4 hours ago
## **Summary** An **IDOR (Insecure Direct Object Reference)** vulnerability in the Grav CMS Admin Panel allows **low-privilege users to access sen...
packagist
No PRs yet
Grav vulnerable to Path Traversal allowing server files backup
GHSA-j422-qmxp-hv94 CVE-2025-66302 MODERATE about 4 hours ago
### Summary A path traversal vulnerability has been identified in Grav CMS, versions 1.7.49.5, allowing authenticated attackers with administ...
packagist
No PRs yet
Grav Admin Plugin vulnerable to User Enumeration & Email Disclosure
GHSA-q3qx-cp62-f6m7 CVE-2025-66307 MODERATE about 4 hours ago
# Grav v1.7.49.5 / Admin v1.10.49.1 – User Enumeration & Email Disclosure ### Summary A **user enumeration and email disclosure vulnerability** ex...
packagist
No PRs yet
Grav Admin Plugin is vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/accounts/groups/[group]` parameter `data[readableName]`
GHSA-rmw5-f87r-w988 CVE-2025-66312 MODERATE about 4 hours ago
## Summary A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/accounts/groups/Grupo` endpoint of the _Grav_ applicati...
packagist
No PRs yet
Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` in Multiple parameters
GHSA-mpjj-4688-3fxg CVE-2025-66311 MODERATE about 4 hours ago
## Summary A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the _Grav_ application. This ...
packagist
No PRs yet
Grav Exposes Password Hashes Leading to privilege escalation
GHSA-gq3g-666w-7h85 CVE-2025-66304 MODERATE about 4 hours ago
# Exposure of Password Hashes Leading to privilege escalation **Severity Rating:** Medium **Vector:** Privilege Escalation **CVE:** XXX **CWE:*...
packagist
No PRs yet
Grav is vulnerable to a DOS on the admin panel
GHSA-x62q-p736-3997 CVE-2025-66303 MODERATE about 4 hours ago
# DOS on the admin panel **Severity Rating:** Medium **Vector:** Denial Of Service **CVE:** XXX **CWE:** 400 - Uncontrolled Resource Consumptio...
packagist
No PRs yet
Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
GHSA-v8x2-fjv7-8hjh CVE-2025-66301 HIGH about 4 hours ago
### Summary Due to a broken access control vulnerability in the `/admin/pages/{page_name}` endpoint, an editor (user with full permissions to page...
packagist
No PRs yet
Grav is vulnerable to Arbitrary File Read
GHSA-p4ww-mcp9-j6f2 CVE-2025-66300 HIGH about 4 hours ago
### Summary - A low privilege user account with page editing privilege can read any server files using "Frontmatter" form. - This includes Grav us...
packagist
No PRs yet
Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection)
GHSA-gjc5-8cfh-653x CVE-2025-66299 HIGH about 4 hours ago
## Summary Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute...
packagist
No PRs yet
Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover
GHSA-cjcp-qxvg-4rjm CVE-2025-66296 HIGH about 4 hours ago
### Summary A privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating u...
packagist
No PRs yet
REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]
GHSA-x6vr-q3vf-vqgq CVE-2025-66026 MODERATE 6 days ago
### Summary A reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter `args[types]` is rendered...
packagist
No PRs yet
Contao is vulnerable to cross-site scripting in templates
GHSA-68q5-78xp-cwwc CVE-2025-65961 LOW 6 days ago
### Impact It is possible to inject code into the template output that will be executed in the browser in the front end and back end. ### Patches...
packagist
No PRs yet
Contao is vulnerable to remote code execution in template closures
GHSA-98vj-mm79-v77r CVE-2025-65960 MODERATE 6 days ago
### Impact Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required...
packagist
No PRs yet
REDAXO CMS is vulnerable to RCE attack through its template management component
GHSA-xj9j-gjxg-7jvq CVE-2025-64050 HIGH 6 days ago
A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to...
packagist
No PRs yet
REDAXO CMS is vulnerable to XSS through its module management component
GHSA-vqc7-7fj4-3fm3 CVE-2025-64049 MODERATE 6 days ago
A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary w...
packagist
No PRs yet
Formwork CMS has Stored Cross-Site Scripting Vulnerability in Blog Tags
GHSA-7j46-f57w-76pj CVE-2025-65956 MODERATE 7 days ago
### Summary Inserting unsanitized data into the blog tag field in Formwork CMS results in stored cross‑site scripting (XSS). Any user with credenti...
packagist
No PRs yet
Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow
GHSA-8x9v-8qgj-945x CVE-2025-64027 MODERATE 11 days ago
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is...
packagist
No PRs yet
phppgadmin contains an incorrect access control vulnerability
GHSA-r63p-v37q-g74c CVE-2025-60799 MODERATE 12 days ago
phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized man...
packagist
No PRs yet
phppgadmin contains a SQL injection vulnerability
GHSA-g6xh-wrpf-v6j6 CVE-2025-60798 MODERATE 12 days ago
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from ...
packagist
No PRs yet
phppgadmin vulnerable to Cross-site Scripting
GHSA-h369-cpjj-qfff CVE-2025-60796 LOW 12 days ago
phpPgAdmin versions 7.13.0 and earlier contain multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied inputs ...
packagist
No PRs yet
phppgadmin contains a SQL injection vulnerability
GHSA-927w-vq5c-8gc3 CVE-2025-60797 MODERATE 12 days ago
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied...
packagist
No PRs yet
OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter
GHSA-2jm2-2p35-rp3j CVE-2025-65103 HIGH 12 days ago
### Summary An authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queri...
packagist
No PRs yet
MongoDB driver extension affected by mongoc_bulk_operation_t's read of invalid memory
GHSA-mwcc-7vpp-xmv9 CVE-2025-12119 MODERATE 13 days ago
A mongoc_bulk_operation_t may read invalid memory if large options are passed.
packagist
No PRs yet
LibreNMS is vulnerable to SQL Injection (Boolean-Based Blind) in hostname parameter in ajax_output.php endpoint
GHSA-6pmj-xjxp-p8g9 CVE-2025-65093 MODERATE 13 days ago
## Summary A **Boolean-Based Blind SQL Injection** vulnerability was identified in the LibreNMS application at the `/ajax_output.php` endpoint. Th...
packagist
No PRs yet
Backdrop CMS Host Header Injection vulnerability
GHSA-ffpg-gm3h-4p5p CVE-2025-63828 MODERATE 13 days ago
Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to re...
packagist
No PRs yet
Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
GHSA-mhpg-hpj5-73r2 CVE-2025-13083 LOW 13 days ago
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Contr...
packagist
No PRs yet
Drupal core allows Object Injection
GHSA-m6vv-vcj8-w8m7 CVE-2025-13081 MODERATE 13 days ago
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This is...
packagist
No PRs yet
Drupal core allows Forceful Browsing
GHSA-83v7-c2cf-p9c2 CVE-2025-13080 LOW 13 days ago
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: ...
packagist
No PRs yet
Drupal core allows Content Spoofing
GHSA-h89p-5896-f4q8 CVE-2025-13082 LOW 13 days ago
User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupa...
packagist
No PRs yet
Drupal Email TFA allows Functionality Bypass
GHSA-9jrw-jrrj-p6fr CVE-2025-12760 MODERATE 13 days ago
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TF...
packagist
No PRs yet
Drupal Simple multi step form allows Cross-Site Scripting
GHSA-gg35-374m-9ph8 CVE-2025-12761 LOW 13 days ago
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Si...
packagist
No PRs yet
LibreNMS has Weak Password Policy
GHSA-5mrf-j8v6-f45g CVE-2025-65014 LOW 13 days ago
## Summary A **Weak Password Policy** vulnerability was identified in the user management functionality of the _LibreNMS_ application. This vulner...
packagist
No PRs yet
LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`
GHSA-j8cq-7f6p-256x CVE-2025-65013 MODERATE 13 days ago
## Summary A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the LibreNMS application at the `/maps/nodeimage` endpoint. The ...
packagist
No PRs yet
Kirby CMS has cross-site scripting (XSS) in the changes dialog
GHSA-84hf-8gh5-575j CVE-2025-65012 MODERATE 13 days ago
### TL;DR This vulnerability affects all Kirby 5 sites that might have potential attackers in the group of authenticated Panel users or that allow...
packagist
No PRs yet
phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality
GHSA-fxm2-cmwj-qvx4 CVE-2025-62519 HIGH 14 days ago
### Summary An authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ (v4.0.13 and prior) allows a p...
packagist
No PRs yet
Shopware 6's password recovery link does not expire after email change
GHSA-2w46-vq8h-98vh MODERATE 17 days ago
### Summary When a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email)...
packagist
No PRs yet
PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users
GHSA-r9x7-7ggj-fx9f CVE-2025-64711 LOW 17 days ago
## Summary Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a ...
packagist
No PRs yet
PrivateBin's template-switching feature allows arbitrary local file inclusion through path traversal
GHSA-g2j9-g8r5-rg82 CVE-2025-64714 MODERATE 17 days ago
## Summary An unauthenticated Local File Inclusion exists in the template-switching feature: if `templateselection` is enabled in the configuratio...
packagist
No PRs yet
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
GHSA-3rg7-wf37-54rm CVE-2025-64500 HIGH 19 days ago
### Description The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't ...
packagist
No PRs yet
TYPO3 Modules Extension has Improper Authentication vulnerability
GHSA-49qv-h8pm-73pf CVE-2025-12998 HIGH 20 days ago
Improper Authentication vulnerability in TYPO3 Extension "Modules" codingms/modules. This issue affects Extension "Modules": before 4.3.11, from 5....
packagist
No PRs yet
TorrentPier is Vulnerable to Authenticated SQL Injection through Moderator Control Panel's topic_id parameter
GHSA-4rwr-8c3m-55f6 CVE-2025-64519 HIGH 21 days ago
### Summary An authenticated SQL injection vulnerability exists in the moderator control panel (`modcp.php`). Users with moderator permissions can ...
packagist
No PRs yet