Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,830 Total Advisories
1,801 With Dependabot PRs
3,510 Critical Severity
8,627 High Severity
Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass
GHSA-jqmq-fpwv-p925 CVE-2025-12466 HIGH about 1 month ago
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypas...
packagist
No PRs yet
Drupal CivicTheme Design System allows Cross-Site Scripting (XSS)
GHSA-h72q-cq3w-h3wc CVE-2025-12083 MODERATE about 1 month ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-...
packagist
No PRs yet
Drupal Umami Analytics allows Cross-Site Scripting (XSS)
GHSA-jxp8-4jw5-5xjc CVE-2025-10931 LOW about 1 month ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scri...
packagist
No PRs yet
Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables
GHSA-fg8x-q69g-4qp3 CVE-2025-10929 MODERATE about 1 month ago
Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables. This is...
packagist
No PRs yet
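The Reverse Proxy Header entry above is a reminder that forwarded headers are client-controlled unless the request provably arrived through a proxy you run. The following is an added example written for this page, not the Drupal module's code: it honours X-Forwarded-For only when REMOTE_ADDR is one of your own proxies, walks the chain from the right (the side your proxy appended), and falls back to the TCP peer whenever the chain is malformed. The trusted range `10.0.0.0/8` and the sample addresses are constructed; the CIDR helper handles IPv4 only and assumes a 64-bit PHP build.

```php
<?php
declare(strict_types=1);

// Added example, not the Drupal module's code. Resolve the client address
// from X-Forwarded-For only when the request reached us through a proxy we
// control, and walk the header from the right, dropping hops we trust, so a
// client cannot simply prepend its own values.

/**
 * @param string       $remoteAddr   the TCP peer (REMOTE_ADDR)
 * @param string|null  $xff          raw X-Forwarded-For header, or null if absent
 * @param list<string> $trustedCidrs proxies allowed to set the header (IPv4 CIDRs)
 */
function clientIp(string $remoteAddr, ?string $xff, array $trustedCidrs): string
{
    if ($xff === null || !ipInAny($remoteAddr, $trustedCidrs)) {
        return $remoteAddr;       // header not set by a trusted hop: ignore it
    }
    $hops = array_map('trim', explode(',', $xff));
    // Right-to-left: the last entry was appended by our proxy and is the
    // address that connected to it; keep walking while entries are our own.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remoteAddr;   // garbage in the chain: fall back, do not guess
        }
        if (!ipInAny($hop, $trustedCidrs)) {
            return $hop;          // nearest hop that is not one of our proxies
        }
    }
    return $remoteAddr;           // every hop trusted: nothing better to report
}

/** IPv4 CIDR membership test (assumes 64-bit PHP, where ip2long() is non-negative). */
function ipInAny(string $ip, array $cidrs): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;
    }
    foreach ($cidrs as $cidr) {
        [$net, $bits] = explode('/', $cidr) + [1 => '32'];
        $mask = $bits === '0' ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
        if ((ip2long($net) & $mask) === ($addr & $mask)) {
            return true;
        }
    }
    return false;
}

// Constructed requests. In the first, the client sent its own
// "X-Forwarded-For: 9.9.9.9" and our edge proxy (10.0.0.6) appended the real
// peer 203.0.113.7. In the second, the client connected directly and the
// header must be ignored entirely.
$trusted = ['10.0.0.0/8'];
var_dump(clientIp('10.0.0.6', '9.9.9.9, 203.0.113.7', $trusted));
var_dump(clientIp('203.0.113.7', '9.9.9.9', $trusted));
```

The first call resolves to the address the edge proxy appended, not the value the client injected; the second returns REMOTE_ADDR because the peer is not a trusted proxy. Whatever module you use to populate variables from proxy headers should implement exactly this rule; anything that reads the left-most entry, or reads the header regardless of who sent it, lets the client choose its own IP for logging, rate limiting and access control.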
Drupal Access code allows Brute Force Attempts
GHSA-27mc-9399-r9mx CVE-2025-10928 MODERATE about 1 month ago
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force. This issue affects Access code: f...
packagist
No PRs yet
Drupal Currency allows Cross Site Request Forgery
GHSA-27fv-rpgj-4c6m CVE-2025-10930 MODERATE about 1 month ago
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery. This issue affects Currency: from 0.0.0 befor...
packagist
No PRs yet
Drupal JSON Field is vulnerable to XSS
GHSA-m3f2-xjgc-2wp2 CVE-2025-10926 MODERATE about 1 month ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal JSON Field allows Cross-Site Scripting...
packagist
No PRs yet
Drupal Plausible tracking is vulnerable to XSS
GHSA-pr6m-qwrr-mrw9 CVE-2025-10927 MODERATE about 1 month ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Plausible tracking allows Cross-Site S...
packagist
No PRs yet
Drupal CivicTheme Design System allows Forceful Browsing
GHSA-qxr9-f877-9842 CVE-2025-12082 HIGH about 1 month ago
Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing. This issue affects CivicTheme Design System: fro...
packagist
No PRs yet
Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax
GHSA-9f58-4465-23c7 CVE-2025-62798 MODERATE about 1 month ago
A Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component.
In affect...
packagist
No PRs yet
PrivateBin is missing HTML sanitization of attached filename in file size hint
GHSA-867c-p784-5q6g CVE-2025-62796 MODERATE about 1 month ago
We’ve identified an HTML injection/XSS vulnerability in the PrivateBin service that allows the injection of arbitrary HTML markup via the attached file...
packagist
No PRs yet
Moodle vulnerable to brute-force password guesses
GHSA-m58f-9pvv-8mp2 CVE-2025-62399 HIGH about 1 month ago
Moodle's mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute...
packagist
No PRs yet
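The Drupal Access code entry (CWE-307, Improper Restriction of Excessive Authentication Attempts) and the Moodle entry just above describe the same gap: a credential-checking endpoint that does not count failures. The following is an added example, not code from either project, of the minimum a token or password endpoint should do: count failures per account and per source address, refuse further attempts once a threshold is reached, and let the state expire. The in-memory array stands in for a shared store (database or Redis) so that all application nodes see the same counters; the class name, thresholds, accounts and addresses are all constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Moodle or Drupal code: a minimal lockout policy for a
// login / token endpoint. $state stands in for a store shared by all nodes.
final class LoginThrottle
{
    /** @var array<string, array{count:int, resetAt:int, lockedUntil:int}> */
    private array $state = [];

    public function __construct(
        private int $maxAttempts = 5,       // failures allowed per window
        private int $windowSeconds = 900,   // failure counter lifetime
        private int $lockoutSeconds = 900,  // how long to refuse after the limit
    ) {}

    /** May this (account, source) pair attempt a login at time $now? */
    public function allowed(string $account, string $ip, int $now): bool
    {
        foreach ($this->keys($account, $ip) as $k) {
            if (($this->state[$k]['lockedUntil'] ?? 0) > $now) {
                return false;
            }
        }
        return true;
    }

    /** Call after every failed credential check, before returning the error. */
    public function recordFailure(string $account, string $ip, int $now): void
    {
        foreach ($this->keys($account, $ip) as $k) {
            $s = $this->state[$k] ?? ['count' => 0, 'resetAt' => 0, 'lockedUntil' => 0];
            if ($now >= $s['resetAt']) {          // window expired: start a fresh count
                $s['count'] = 0;
                $s['resetAt'] = $now + $this->windowSeconds;
            }
            $s['count']++;
            if ($s['count'] >= $this->maxAttempts) {
                $s['lockedUntil'] = $now + $this->lockoutSeconds;
            }
            $this->state[$k] = $s;
        }
    }

    /**
     * Call after a successful login. Only the account counter is cleared: an
     * attacker who owns one valid account must not be able to reset the
     * per-source counter by logging in to it between guesses.
     */
    public function recordSuccess(string $account): void
    {
        unset($this->state['acct:' . strtolower($account)]);
    }

    /** @return list<string> counters this attempt touches */
    private function keys(string $account, string $ip): array
    {
        return ['acct:' . strtolower($account), 'ip:' . $ip];
    }
}

// Constructed scenario: five wrong passwords for "alice" from one address.
$throttle = new LoginThrottle(maxAttempts: 5, windowSeconds: 900, lockoutSeconds: 900);
$now = 1_700_000_000;
for ($i = 0; $i < 5; $i++) {
    $throttle->recordFailure('alice', '203.0.113.7', $now + $i);
}
var_dump($throttle->allowed('alice', '203.0.113.7', $now + 5));   // same account, same source
var_dump($throttle->allowed('alice', '198.51.100.9', $now + 5));  // same account, new source
var_dump($throttle->allowed('bob', '203.0.113.7', $now + 5));     // new account, same source
var_dump($throttle->allowed('bob', '198.51.100.9', $now + 5));    // unrelated pair
var_dump($throttle->allowed('alice', '203.0.113.7', $now + 5 + 900)); // after the lockout
```

After five failures the first three checks are refused (the account is locked regardless of source, and the source is locked regardless of account), the unrelated pair is still allowed, and the pair is allowed again once `lockoutSeconds` has elapsed. The per-account lock is what defeats a password spray against one user but also lets an attacker lock a victim out on purpose, so in practice the account threshold is paired with a short lockout or a CAPTCHA step while the per-source threshold is allowed to be harsher. Also apply the same counters to every path that verifies a credential, including mobile and web-service token endpoints, since that is precisely where the Moodle entry says the restriction was missing.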
Moodle exposed the names of hidden groups to users
GHSA-422v-w6c5-vq42 CVE-2025-62400 MODERATE about 1 month ago
Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal pr...
packagist
No PRs yet
Moodle's error handling leads to sensitive information disclosure
GHSA-c5cj-xp43-qcc3 CVE-2025-62396 MODERATE about 1 month ago
An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers ...
packagist
No PRs yet
Moodle has a time restriction bypass
GHSA-w29j-8phw-ffjf CVE-2025-62401 MODERATE about 1 month ago
An issue in Moodle's timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to co...
packagist
No PRs yet
Moodle does not properly enforce MFA
GHSA-25wf-7x6c-wmpf CVE-2025-62398 MODERATE about 1 month ago
A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially ...
packagist
No PRs yet
Moodle sends quiz-related messages to inactive/suspended users
GHSA-8fcv-4qp9-pg32 CVE-2025-62394 MODERATE about 1 month ago
Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-rel...
packagist
No PRs yet
Moodle course access permissions are not properly checked in course_output_fragment_course_overview
GHSA-rjcm-7v2p-9265 CVE-2025-62393 MODERATE about 1 month ago
A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users ...
packagist
No PRs yet
Admidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality
GHSA-2v5m-cq9w-fc33 CVE-2025-62617 HIGH about 1 month ago
### Summary
An authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticate...
packagist
No PRs yet
code16 Sharp vulnerable to Cross Site Scripting (XSS)
GHSA-9778-v769-qvjf CVE-2025-61457 MODERATE about 1 month ago
code16 Sharp v9.6.6 is vulnerable to Cross Site Scripting (XSS) in src/Form/Fields/SharpFormUploadField.php.
packagist
No PRs yet
ProcessWire CMS vulnerable to resource-exhaustion Denial of Service
GHSA-9p44-q66p-xm6p CVE-2025-60790 MODERATE about 1 month ago
ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limi...
packagist
No PRs yet
Shopware Customer Orders can be canceled, even if refunds are disabled
GHSA-r2vg-hvjm-fg38 MODERATE about 1 month ago
Refunds in general can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel). Which visually shows and hi...
packagist
No PRs yet
Shopware exposes sensitive user information via CSV export mapping
GHSA-27c9-vp3w-6ww8 MODERATE about 1 month ago
### Impact
Malicious actors can exploit this finding to export sensitive customer information from a Shopware application, including password hashe...
packagist
No PRs yet
Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice
GHSA-3cpp-fv95-mpr5 LOW about 1 month ago
### Impact
This vulnerability allows malicious actors to force the application server to send HTTP requests to both external and internal servers. ...
packagist
No PRs yet
Shopware vulnerable to path traversal via Plugin upload
GHSA-6wh5-mw9h-5c3w LOW about 1 month ago
### Impact
Malicious actors can exploit this vulnerability to write files within arbitrary directories on the filesystem of the Shopware web contai...
packagist
No PRs yet
Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually
GHSA-m895-2hj3-8cg9 MODERATE about 1 month ago
In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber a...
packagist
No PRs yet
Citizen vulnerable to stored XSS in sticky header button messages
GHSA-g955-vw6w-v6pp CVE-2025-62508 MODERATE about 1 month ago
### Summary
The JS implementation for copying button labels to the sticky header in the Citizen skin unescapes HTML characters, allowing for stored...
packagist
No PRs yet
TastyIgniter vulnerable to Cross-Site Scripting
GHSA-4vrf-42cm-7xfw CVE-2025-61417 LOW about 1 month ago
Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicio...
packagist
No PRs yet
Cargo Mediawiki Extension vulnerable to Cross-site Scripting
GHSA-gr6v-3pmp-996p CVE-2025-62671 MODERATE about 1 month ago
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - C...
packagist
No PRs yet
ibexa/fieldtype-richtext has an XSS vulnerability via acronym custom tag in Rich Text
GHSA-8c2g-f8jm-5cr7 MODERATE about 2 months ago
### Impact
This security advisory resolves an XSS vulnerability in acronym custom tag in Rich Text, in the back office of the DXP. Back office acce...
packagist
No PRs yet
ibexa/admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal
GHSA-2mx6-fq24-g2mh MODERATE about 2 months ago
### Impact
This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back offi...
packagist
No PRs yet
ezsystems/ezplatform-admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal
GHSA-99c7-c3mw-mxhv MODERATE about 2 months ago
### Impact
This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back offi...
packagist
No PRs yet
ibexa/user login enumerates user accounts
GHSA-q3x8-6898-23g3 MODERATE about 2 months ago
### Impact
In v5, error messages could provide enough information to tell whether a user exists or not. This is resolved by ensuring the error mess...
packagist
No PRs yet
bagisto has Cross Site Scripting (XSS) in Create New Customer
GHSA-r9xj-mvqf-jm7w CVE-2025-62414 MODERATE about 2 months ago
### Summary
In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to reflected / stored Cross-Site Scripting (XSS...
packagist
No PRs yet
bagisto has CSV Formula Injection in Create New Product
GHSA-jqrp-58fv-w8cq CVE-2025-62417 CRITICAL about 2 months ago
### Summary
When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved ...
packagist
No PRs yet
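The Bagisto formula-injection entry describes the whole mechanism in one sentence: a product field that begins with `=`, `+`, `-` or `@` is accepted as-is and later lands in a CSV that a spreadsheet will evaluate. The following is an added example, not Bagisto code, of neutralising such values at export time. It leaves numeric strings alone (a negative discount of `-5` must still import as a number), treats a leading tab or carriage return as a trigger too, and disables fputcsv's escape character so a backslash in the data cannot defeat the quoting. The function names and the sample rows are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Bagisto code: neutralise spreadsheet formula triggers
// before user-supplied values are written into a CSV export. fputcsv() only
// quotes a cell; a quoted "=1+1" is still evaluated when the file is opened.

/**
 * Return $value in a form a spreadsheet treats as text. Leading =, +, -, @
 * start a formula in Excel and LibreOffice; a leading tab or carriage return
 * is stripped by some importers before that check, so both count as triggers.
 * Numeric strings (including negatives such as "-5") are left alone so that
 * price and quantity columns still import as numbers.
 */
function csvSafeCell(string $value): string
{
    if ($value === '' || is_numeric($value)) {
        return $value;
    }
    if (strpos("=+-@\t\r", $value[0]) !== false) {
        return "'" . $value;   // leading apostrophe: "this cell is text"
    }
    return $value;
}

/**
 * Serialise rows to CSV with every cell passed through csvSafeCell().
 * Escape character '' (supported since PHP 7.4) means the enclosure is the
 * only quoting mechanism, so "\" in the data is never special.
 */
function exportCsv(array $rows): string
{
    $fh = fopen('php://memory', 'w+');
    foreach ($rows as $row) {
        $cells = array_map('csvSafeCell', array_map('strval', $row));
        fputcsv($fh, $cells, ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample rows: three product names that would be evaluated as
// formulas if exported untouched, plus one ordinary name and numeric columns.
$rows = [
    ['sku', 'name', 'discount'],
    ['SKU-1', '=1+1', '-5'],
    ['SKU-2', '@SUM(A1:A9)', '0'],
    ['SKU-3', "\tleading tab", '10'],
    ['SKU-4', 'Plain product name', '2.5'],
];
echo exportCsv($rows);
```

In the output the three hostile names come out as `'=1+1`, `'@SUM(A1:A9)` and a quoted cell beginning with `'` followed by the tab, while `-5`, `0` and `2.5` are untouched. Apply this at the point where the CSV is written rather than at input time: the stored value is legitimate data to every other consumer, and only the spreadsheet rendering needs the prefix. Note the CRITICAL rating on this entry; the page does not say why it is rated above the neighbouring XSS issues, but formula injection typically executes on an administrator's workstation, outside the browser sandbox.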
bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
GHSA-fg89-g389-p346 CVE-2025-62418 MODERATE about 2 months ago
### Summary
In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafte...
packagist
No PRs yet
bagisto has Server Side Template Injection (SSTI) in Product Description
GHSA-527q-4wqv-g9wj CVE-2025-62416 MODERATE about 2 months ago
### Summary
Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side ...
packagist
No PRs yet
LibreNMS alert-rules has a Cross-Site Scripting Vulnerability
GHSA-6g2v-66ch-6xmh CVE-2025-62412 LOW about 2 months ago
## Executive Summary
**Product:** LibreNMS
**Vendor:** LibreNMS
**Vulnerability Type:** Cross-Site Scripting (XSS)
**CVSS Score:** 4.3 (AV:N...
packagist
No PRs yet
PrestaShop Checkout Target PayPal merchant account hijacking from backoffice
GHSA-wvpg-4wrh-5889 CVE-2025-61924 LOW about 2 months ago
### Impact
Wrong usage of the PHP `array_search()` allows bypass of validation.
### Patches
The problem has been patched in versions:
- v4.4.1 for...
packagist
No PRs yet
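The PrestaShop Checkout entry attributes the validation bypass to "wrong usage of the PHP `array_search()`" without saying which usage. The following is an added example, not PrestaShop's code, of the two ways that function is routinely misused in an allow-list check and the strict form that avoids both; it does not claim to reproduce the actual bug. The merchant identifiers and the JSON request bodies are constructed, and the `mixed` parameter type requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not PrestaShop's code: the two well-known ways a
// validation built on array_search() goes wrong, and the strict form.

/**
 * Broken #1: non-strict comparison. array_search() uses == unless told
 * otherwise, so a boolean true (what json_decode() returns for a JSON
 * `true`) equals every non-empty string and matches index 0. On PHP 7 an
 * integer 0 also == any non-numeric string, so 0 passed as well.
 */
function isAllowedLoose(array $allowed, mixed $candidate): bool
{
    return array_search($candidate, $allowed) !== false;
}

/**
 * Broken #2: truthiness. A real match at index 0 comes back as int 0, which
 * is falsy and loosely equal to false, so the caller cannot tell "found at
 * the first position" from "not found". Written this way the first allowed
 * value is rejected; a `== false` comparison inherits the same ambiguity.
 */
function isAllowedTruthy(array $allowed, mixed $candidate): bool
{
    return (bool) array_search($candidate, $allowed);
}

/** Fixed: insist on the expected type, compare with ===, never test truthiness. */
function isAllowedStrict(array $allowed, mixed $candidate): bool
{
    return is_string($candidate) && in_array($candidate, $allowed, true);
}

$allowedMerchants = ['merchant-a', 'merchant-b'];

// Constructed request bodies: one legitimate, one that is not a string at all.
$legit   = json_decode('{"merchant": "merchant-a"}', true)['merchant'];
$hostile = json_decode('{"merchant": true}', true)['merchant'];

$checks = ['loose' => 'isAllowedLoose', 'truthy' => 'isAllowedTruthy', 'strict' => 'isAllowedStrict'];
foreach ($checks as $label => $fn) {
    printf("%-6s legit=%s hostile=%s\n", $label,
        var_export($fn($allowedMerchants, $legit), true),
        var_export($fn($allowedMerchants, $hostile), true));
}
```

With these inputs the loose check accepts both values (the bypass), the truthiness check rejects even the legitimate first entry, and only the strict check accepts the string and nothing else. The same two traps apply to `strpos()`, `array_search()` on integer keys, and any other function whose "not found" result is `false` while a valid result can be `0`; the grep to run across a codebase is for `array_search(` and `in_array(` calls without a third argument.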
PrestaShop Checkout Backoffice directory traversal allows arbitrary file disclosure
GHSA-fpxp-pfqm-x54w CVE-2025-61923 MODERATE about 2 months ago
# Impact
Missing validation on input vulnerable to directory traversal.
# Patches
The problem has been patched in versions:
v4.4.1 for PrestaShop...
packagist
No PRs yet
PrestaShop Checkout allows customer account takeover via email
GHSA-54hq-mf6h-48xh CVE-2025-61922 CRITICAL about 2 months ago
# Impact
Missing validation on Express Checkout feature allows silent log-in
## Affected versions
The issue was introduced in PrestaShop Checkout...
packagist
No PRs yet
bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
GHSA-67px-r26w-598x CVE-2025-62415 MODERATE about 2 months ago
### Summary
In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafte...
packagist
No PRs yet
LibreNMS has a Stored XSS vulnerability in its Alert Transport name field
GHSA-frc6-pwgr-c28w CVE-2025-62411 MODERATE about 2 months ago
### Summary
LibreNMS <= 25.8.0 contains a **Stored Cross-Site Scripting (XSS)** vulnerability in the Alert Transports management functionality. Wh...
packagist
No PRs yet
Magento vulnerable to stored Cross-Site Scripting (XSS)
GHSA-pcrx-r49h-x2w5 CVE-2025-54266 MODERATE about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) ...
packagist
No PRs yet
Magento provides incorrect authorization through a security feature bypass
GHSA-69x9-xp2j-w8g8 CVE-2025-54263 HIGH about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Magento vulnerable to stored Cross-Site Scripting (XSS)
GHSA-2768-5wmv-cfff CVE-2025-54264 HIGH about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) ...
packagist
No PRs yet
Magento allows incorrect authorization
GHSA-r355-75hw-r8jf CVE-2025-54265 MODERATE about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Magento vulnerable to privilege escalation due to incorrect authorization
GHSA-qvwr-p3hj-j6jf CVE-2025-54267 MODERATE about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
LibreNMS is vulnerable to Reflected-XSS in `report_this` function
GHSA-86rg-8hc8-v82p CVE-2025-62365 MODERATE about 2 months ago
### Summary
Reflected-XSS in `report_this` function in `librenms/includes/functions.php`
### Details
Recently, it was discovered that the `report...
packagist
No PRs yet
Bagisto is vulnerable to XSS through Admin Panel's product creation path
GHSA-29mf-w486-v3vc CVE-2025-60880 HIGH about 2 months ago
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted...
packagist
No PRs yet