An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,921 Total Advisories
1,820 With Dependabot PRs
3,520 Critical Severity
8,659 High Severity

ezsystems/ezplatform-admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal
GHSA-99c7-c3mw-mxhv MODERATE about 2 months ago
### Impact This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back offi...
packagist
No PRs yet
ibexa/user login enumerates user accounts
GHSA-q3x8-6898-23g3 MODERATE about 2 months ago
### Impact In v5, error messages could provide enough information to tell whether a user exists or not. This is resolved by ensuring the error mess...
packagist
No PRs yet
bagisto has Cross Site Scripting (XSS) in Create New Customer
GHSA-r9xj-mvqf-jm7w CVE-2025-62414 MODERATE about 2 months ago
### Summary In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to reflected / stored Cross-Site Scripting (XSS...
packagist
No PRs yet
bagisto has CSV Formula Injection in Create New Product
GHSA-jqrp-58fv-w8cq CVE-2025-62417 CRITICAL about 2 months ago
### Summary When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved ...
packagist
No PRs yet
bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
GHSA-fg89-g389-p346 CVE-2025-62418 MODERATE about 2 months ago
### Summary In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafte...
packagist
No PRs yet
bagisto has Server Side Template Injection (SSTI) in Product Description
GHSA-527q-4wqv-g9wj CVE-2025-62416 MODERATE about 2 months ago
### Summary Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side ...
packagist
No PRs yet
LibreNMS alert-rules has a Cross-Site Scripting Vulnerability
GHSA-6g2v-66ch-6xmh CVE-2025-62412 LOW about 2 months ago
## Executive Summary **Product:** LibreNMS **Vendor:** LibreNMS **Vulnerability Type:** Cross-Site Scripting (XSS) **CVSS Score:** 4.3 (AV:N...
packagist
No PRs yet
PrestaShop Checkout Target PayPal merchant account hijacking from backoffice
GHSA-wvpg-4wrh-5889 CVE-2025-61924 LOW about 2 months ago
### Impact Wrong usage of the PHP `array_search()` allows bypass of validation. ### Patches The problem has been patched in versions: - v4.4.1 for...
packagist
No PRs yet
PrestaShop Checkout Backoffice directory traversal allows arbitrary file disclosure
GHSA-fpxp-pfqm-x54w CVE-2025-61923 MODERATE about 2 months ago
# Impact Missing validation on input vulnerable to directory traversal. # Patches The problem has been patched in versions: v4.4.1 for PrestaShop...
packagist
No PRs yet
PrestaShop Checkout allows customer account takeover via email
GHSA-54hq-mf6h-48xh CVE-2025-61922 CRITICAL about 2 months ago
# Impact Missing validation on Express Checkout feature allows silent log-in ## Affected versions The issue was introduced in PrestaShop Checkout...
packagist
No PRs yet
bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
GHSA-67px-r26w-598x CVE-2025-62415 MODERATE about 2 months ago
### Summary In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafte...
packagist
No PRs yet
LibreNMS has a Stored XSS vulnerability in its Alert Transport name field
GHSA-frc6-pwgr-c28w CVE-2025-62411 MODERATE about 2 months ago
### Summary LibreNMS <= 25.8.0 contains a **Stored Cross-Site Scripting (XSS)** vulnerability in the Alert Transports management functionality. Wh...
packagist
No PRs yet
Magento vulnerable to stored Cross-Site Scripting (XSS)
GHSA-2768-5wmv-cfff CVE-2025-54264 HIGH about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) ...
packagist
No PRs yet
Magento vulnerable to stored Cross-Site Scripting (XSS)
GHSA-pcrx-r49h-x2w5 CVE-2025-54266 MODERATE about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) ...
packagist
No PRs yet
Magento vulnerable to privilege escalation due to incorrect authorization
GHSA-qvwr-p3hj-j6jf CVE-2025-54267 MODERATE about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Magento provides incorrect authorization through a security feature bypass
GHSA-69x9-xp2j-w8g8 CVE-2025-54263 HIGH about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Magento allows incorrect authorization
GHSA-r355-75hw-r8jf CVE-2025-54265 MODERATE about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
LibreNMS is vulnerable to Reflected-XSS in `report_this` function
GHSA-86rg-8hc8-v82p CVE-2025-62365 MODERATE about 2 months ago
### Summary Reflected-XSS in `report_this` function in `librenms/includes/functions.php` ### Details Recently, it was discovered that the `report...
packagist
No PRs yet
Bagisto is vulnerable to XSS through Admin Panel's product creation path
GHSA-29mf-w486-v3vc CVE-2025-60880 HIGH about 2 months ago
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted...
packagist
No PRs yet
Alt Redirect: Potential Authentication Bypass by Spoofing through query-string stripping logic flaw
GHSA-rpjr-pcmr-9ppw CVE-2025-60868 MODERATE about 2 months ago
The Alt Redirect 1.6.3 addon for Statamic fails to consistently strip query string parameters when the "Query String Strip" feature is enabled. Cas...
packagist
No PRs yet
drupal-pattern-lab/unified-twig-extensions is vulnerable to XSS
GHSA-64mv-9655-37hx CVE-2025-11570 LOW about 2 months ago
Versions of the package drupal-pattern-lab/unified-twig-extensions from 0.0.0 are vulnerable to Cross-site Scripting (XSS) due to insufficient filt...
packagist
No PRs yet
VaahCMS is vulnerable to XSS through its Avatar Upload endpoint
GHSA-q769-phqg-263r CVE-2025-61183 MODERATE about 2 months ago
Cross-Site Scripting in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via upload method in the storeAvatar() method of UserBas...
packagist
No PRs yet
Melis Platform CMS SQL Injection
GHSA-mrmx-jfw8-qhgv CVE-2025-10351 CRITICAL about 2 months ago
SQL injection vulnerability based on the melis-cms module of the Melis platform from Melis Technology. This vulnerability allows an attacker to ret...
packagist
No PRs yet
Melis Platform CMS Unauthenticated File Upload Leading to RCE
GHSA-chw4-gjvw-3gxc CVE-2025-10353 CRITICAL about 2 months ago
File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows...
packagist
No PRs yet
Melis Platform CMS Unauthenticated Admin Account Creation
GHSA-p3vc-g9f9-mgw4 CVE-2025-10352 CRITICAL about 2 months ago
Vulnerability in the melis-core module of Melis Technology's Melis Platform, which, if exploited, allows an unauthenticated attacker to create an a...
packagist
No PRs yet
NovoSGA: Manipulation of User Creation Page can lead to weak password requirements
GHSA-xgr2-5837-hf48 CVE-2025-11322 LOW 2 months ago
A flaw has been found in Mangati NovoSGA up to 2.2.12. The impacted element is an unknown function of the file /novosga.users/new of the component ...
packagist
No PRs yet
phpMyFAQ duplicate email registration allows multiple accounts with the same email
GHSA-9wj2-4hcm-r74j CVE-2025-59943 HIGH 2 months ago
### Summary phpMyFAQ does not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created ...
packagist
No PRs yet
Dolibarr vulnerable to RCE via the computed field parameter
GHSA-27hj-48r9-x2vx CVE-2025-56588 HIGH 2 months ago
Dolibarr ERP & CRM v21.0.1 was discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed...
packagist
No PRs yet
Auth0 Symfony SDK Does Not Properly Handle File Types in Bulk User Import
GHSA-7jp2-5h22-m432 LOW 2 months ago
### Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
Auth0 Wordpress plugin Does Not Properly Handle File Types in Bulk User Import
GHSA-w22c-pw5m-482x LOW 2 months ago
### Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
laravel-auth0 SDK Does Not Properly Handle File Types in Bulk User Import
GHSA-hjfh-5jmm-xr24 LOW 2 months ago
### Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
auth0-PHP SDK Does Not Properly Handle File Types in Bulk User Import
GHSA-9mh6-g99m-ppcw CVE-2025-58769 LOW 2 months ago
### Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
Joomla! CMS vulnerable to XSS via the input filter
GHSA-fm22-g2q9-j3pw CVE-2025-54476 MODERATE 2 months ago
Improper handling of input could lead to a cross-site scripting (XSS) vector in the checkAttribute method of the input filter framework class.
packagist
No PRs yet
Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes
GHSA-4j5h-mvj3-m48v CVE-2025-59839 HIGH 2 months ago
### Summary The EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. ### Details ...
packagist
No PRs yet
Mangati NovoSGA XSS vulnerability in /admin
GHSA-4c44-r8rm-3p39 CVE-2025-10909 LOW 2 months ago
A security flaw has been discovered in Mangati NovoSGA up to 2.2.9. The impacted element is an unknown function of the file /admin of the component...
packagist
No PRs yet
GP247 and S-Cart have a stored cross-site scripting (XSS) vulnerability
GHSA-46v4-5mc8-q2cf CVE-2025-57407 LOW 2 months ago
A stored cross-site scripting (XSS) vulnerability in the Admin Log Viewer of S-Cart <=10.0.3 allows a remote authenticated attacker to inject arbit...
packagist
No PRs yet
Snipe-IT allows unsafe deserialization
GHSA-phwj-fgch-xvrj CVE-2025-59713 MODERATE 3 months ago
Snipe-IT before 8.1.18 allows unsafe deserialization.
packagist
No PRs yet
Snipe-IT allows XSS
GHSA-c9wp-pr7f-hfqm CVE-2025-59712 MODERATE 3 months ago
Snipe-IT before 8.1.18 allows XSS.
packagist
No PRs yet
TYPO3 "Form to Database" extension susceptible to Cross-site Scripting
GHSA-54pg-2x9h-cmx8 CVE-2025-10316 LOW 3 months ago
The extension "Form to Database" is susceptible to Cross-Site Scripting. This issue affects the following versions: before 2.2.5, from 3.0.0 before...
packagist
No PRs yet
Open Web Analytics Server is vulnerable to SQL Injection
GHSA-6w8r-xgqq-qg6g CVE-2025-59397 MODERATE 3 months ago
Open Web Analytics (OWA) before 1.8.1 allows SQL injection.
packagist
No PRs yet
Subrion CMS: Authenticated administrators are able to gain escalated access through Run SQL Query tool
GHSA-h8wv-vv58-468h CVE-2025-56556 MODERATE 3 months ago
An issue was discovered in Subrion CMS 4.2.1, allowing authenticated administrators or moderators with access to the built-in Run SQL Query feature ...
packagist
No PRs yet
Shopware: Reflective Cross Site-Scripting (XSS) in CMS components
GHSA-9v82-vcjx-m76j HIGH 3 months ago
### Impact By exploiting XSS vulnerabilities, malicious actors can perform harmful actions in the user's web browser in the session context of the ...
packagist
No PRs yet
TinyEnv: Inline comments not stripped properly in .env values
GHSA-72cm-7236-h43r CVE-2025-58759 MODERATE 3 months ago
### Impact TinyEnv did not properly strip inline comments inside .env values. This could lead to unexpected behavior or misconfiguration, where var...
packagist
No PRs yet
TinyEnv: Missing .env file not required — may cause unexpected behavior
GHSA-3j7m-5g4q-gfpc CVE-2025-58758 MODERATE 3 months ago
### Impact TinyEnv did not require the `.env` file to exist when loading environment variables. This could lead to **unexpected behavior** where ...
packagist
No PRs yet
Maho is Vulnerable to Authenticated Remote Code Execution via File Upload
GHSA-vgmm-27fc-vmgp CVE-2025-58449 HIGH 3 months ago
### Summary In Maho 25.7.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Products` permissions can create a custo...
packagist
No PRs yet
YesWiki Cross Site Scripting vulnerability
GHSA-29cj-cxw4-v4j2 CVE-2025-52277 MODERATE 3 months ago
Cross Site Scripting vulnerability in YesWiki v.4.5.4 allows a remote attacker to execute arbitrary code via a crafted payload to the meta configur...
packagist
No PRs yet
Magento Community Edition Improper Input Validation vulnerability
GHSA-wh92-6q6g-px7j CVE-2025-54236 CRITICAL 3 months ago
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation ...
packagist
No PRs yet
TYPO3 backend modules have Broken Access Control
GHSA-2fhw-2j7m-mr4m CVE-2025-59017 MODERATE 3 months ago
Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-...
packagist
No PRs yet
TYPO3 CMS exposes sensitive information in an error message
GHSA-cvm2-5f78-g9m8 CVE-2025-59016 MODERATE 3 months ago
Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 1...
packagist
No PRs yet
TYPO3 CSV download feature information disclosure
GHSA-j8vm-7q52-2m2m CVE-2025-59019 MODERATE 3 months ago
Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0-11.5.47, 12.0.0-12.4.36, and 13.0.0-13.4.17 allow backend use...
packagist
No PRs yet