An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,748
With Dependabot PRs: 1,782
Critical Severity: 3,501
High Severity: 8,601

Formwork CMS has Stored Cross-Site Scripting Vulnerability in Blog Tags
GHSA-7j46-f57w-76pj CVE-2025-65956 MODERATE about 16 hours ago
### Summary Inserting unsanitized data into the blog tag field in Formwork CMS results in stored cross‑site scripting (XSS). Any user with credenti...
packagist
No PRs yet
Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow
GHSA-8x9v-8qgj-945x CVE-2025-64027 MODERATE 5 days ago
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is...
packagist
No PRs yet
phppgadmin contains a SQL injection vulnerability
GHSA-g6xh-wrpf-v6j6 CVE-2025-60798 MODERATE 5 days ago
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from ...
packagist
No PRs yet
phppgadmin contains an incorrect access control vulnerability
GHSA-r63p-v37q-g74c CVE-2025-60799 MODERATE 5 days ago
phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized man...
packagist
No PRs yet
phppgadmin vulnerable to Cross-site Scripting
GHSA-h369-cpjj-qfff CVE-2025-60796 LOW 5 days ago
phpPgAdmin versions 7.13.0 and earlier contain multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied inputs ...
packagist
No PRs yet
phppgadmin contains a SQL injection vulnerability
GHSA-927w-vq5c-8gc3 CVE-2025-60797 MODERATE 5 days ago
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied...
packagist
No PRs yet
OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter
GHSA-2jm2-2p35-rp3j CVE-2025-65103 HIGH 6 days ago
### Summary An authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queri...
packagist
No PRs yet
MongoDB driver extension affected by mongoc_bulk_operation_t's read of invalid memory
GHSA-mwcc-7vpp-xmv9 CVE-2025-12119 MODERATE 7 days ago
A mongoc_bulk_operation_t may read invalid memory if large options are passed.
packagist
No PRs yet
LibreNMS is vulnerable to SQL Injection (Boolean-Based Blind) in hostname parameter in ajax_output.php endpoint
GHSA-6pmj-xjxp-p8g9 CVE-2025-65093 MODERATE 7 days ago
## Summary A **Boolean-Based Blind SQL Injection** vulnerability was identified in the LibreNMS application at the `/ajax_output.php` endpoint. Th...
packagist
No PRs yet
Backdrop CMS Host Header Injection vulnerability
GHSA-ffpg-gm3h-4p5p CVE-2025-63828 MODERATE 7 days ago
Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to re...
packagist
No PRs yet
Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
GHSA-mhpg-hpj5-73r2 CVE-2025-13083 LOW 7 days ago
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Contr...
packagist
No PRs yet
Drupal core allows Object Injection
GHSA-m6vv-vcj8-w8m7 CVE-2025-13081 MODERATE 7 days ago
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This is...
packagist
No PRs yet
Drupal core allows Forceful Browsing
GHSA-83v7-c2cf-p9c2 CVE-2025-13080 LOW 7 days ago
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: ...
packagist
No PRs yet
Drupal core allows Content Spoofing
GHSA-h89p-5896-f4q8 CVE-2025-13082 LOW 7 days ago
User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupa...
packagist
No PRs yet
Drupal Email TFA allows Functionality Bypass
GHSA-9jrw-jrrj-p6fr CVE-2025-12760 MODERATE 7 days ago
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TF...
packagist
No PRs yet
Drupal Simple multi step form allows Cross-Site Scripting
GHSA-gg35-374m-9ph8 CVE-2025-12761 LOW 7 days ago
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Si...
packagist
No PRs yet
LibreNMS has Weak Password Policy
GHSA-5mrf-j8v6-f45g CVE-2025-65014 LOW 7 days ago
## Summary A **Weak Password Policy** vulnerability was identified in the user management functionality of the _LibreNMS_ application. This vulner...
packagist
No PRs yet
LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`
GHSA-j8cq-7f6p-256x CVE-2025-65013 MODERATE 7 days ago
## Summary A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the LibreNMS application at the `/maps/nodeimage` endpoint. The ...
packagist
No PRs yet
Kirby CMS has cross-site scripting (XSS) in the changes dialog
GHSA-84hf-8gh5-575j CVE-2025-65012 MODERATE 7 days ago
### TL;DR This vulnerability affects all Kirby 5 sites that might have potential attackers in the group of authenticated Panel users or that allow...
packagist
No PRs yet
phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality
GHSA-fxm2-cmwj-qvx4 CVE-2025-62519 HIGH 8 days ago
### Summary An authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ (v4.0.13 and prior) allows a p...
packagist
No PRs yet
Shopware 6's password recovery link does not expire after email change
GHSA-2w46-vq8h-98vh MODERATE 11 days ago
### Summary When a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email)...
packagist
No PRs yet
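The Backdrop CMS entry above (Host header used in password-reset requests) and the Shopware entry (reset link still valid after the customer changes their e-mail) are two weaknesses in the same flow. The PHP below is an added illustration of the hardened pattern for both, not code from either project: the reset link's host comes from a configured base URL rather than the request, and the token's MAC covers the user's current e-mail address so that an address change invalidates links issued before it. `BASE_URL`, the secret, the user record and the `evil.example` host are constructed for the demo.

```php
<?php
// Added example (not Backdrop CMS or Shopware code). All names and values
// below are constructed for illustration.
declare(strict_types=1);

// 1. Never derive the link host from the request. A configured canonical
//    base URL cannot be influenced by an attacker-supplied Host header.
const BASE_URL = 'https://app.example.com'; // assumed deployment setting

// Vulnerable pattern: host copied from the incoming request. A request
// carrying "Host: evil.example" produces a mail whose link points at the
// attacker's host, so the victim's click hands the token to the attacker.
function resetLinkFromHostHeader(array $server, string $token): string
{
    return 'https://' . $server['HTTP_HOST'] . '/user/reset?token=' . $token;
}

// Hardened pattern: host comes from configuration only.
function resetLinkFromConfig(string $token): string
{
    return BASE_URL . '/user/reset?token=' . rawurlencode($token);
}

// 2. Bind the token to the account state it was issued for. The HMAC covers
//    the user's current e-mail address, so any token issued before an
//    address change fails verification afterwards.
function issueResetToken(array $user, string $serverSecret): string
{
    $random  = bin2hex(random_bytes(16));
    $expires = time() + 3600;
    $payload = $user['id'] . '|' . $random . '|' . $expires;
    $mac     = hash_hmac('sha256', $payload . '|' . strtolower($user['email']), $serverSecret);
    return $payload . '|' . $mac;
}

function verifyResetToken(string $token, array $user, string $serverSecret): bool
{
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return false;
    }
    [$id, $random, $expires, $mac] = $parts;
    if ((int) $id !== $user['id'] || (int) $expires < time()) {
        return false;
    }
    $payload  = $id . '|' . $random . '|' . $expires;
    $expected = hash_hmac('sha256', $payload . '|' . strtolower($user['email']), $serverSecret);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Constructed demo data.
$secret = 'server-side-secret-from-config';
$user   = ['id' => 42, 'email' => 'alice@example.com'];

$token = issueResetToken($user, $secret);
echo 'Request-derived link: ', resetLinkFromHostHeader(['HTTP_HOST' => 'evil.example'], $token), PHP_EOL;
echo 'Config-derived link:  ', resetLinkFromConfig($token), PHP_EOL;

echo 'Token valid before e-mail change: ', var_export(verifyResetToken($token, $user, $secret), true), PHP_EOL;
$user['email'] = 'alice@new.example'; // the customer changes their address
echo 'Token valid after e-mail change:  ', var_export(verifyResetToken($token, $user, $secret), true), PHP_EOL;
```

Run it with `php reset.php`: the first link embeds `evil.example`, the second embeds the configured host, and the same token verifies before the e-mail change and is rejected after it. A production implementation would additionally persist the token so it can be made single-use and revoked explicitly; the MAC binding shown here is the part that addresses the "old link still works" failure mode.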
PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users
GHSA-r9x7-7ggj-fx9f CVE-2025-64711 LOW 11 days ago
## Summary Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a ...
packagist
No PRs yet
PrivateBin's template-switching feature allows arbitrary local file inclusion through path traversal
GHSA-g2j9-g8r5-rg82 CVE-2025-64714 MODERATE 11 days ago
## Summary An unauthenticated Local File Inclusion exists in the template-switching feature: if `templateselection` is enabled in the configuratio...
packagist
No PRs yet
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
GHSA-3rg7-wf37-54rm CVE-2025-64500 HIGH 13 days ago
### Description The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't ...
packagist
No PRs yet
TYPO3 Modules Extension has Improper Authentication vulnerability
GHSA-49qv-h8pm-73pf CVE-2025-12998 HIGH 13 days ago
Improper Authentication vulnerability in TYPO3 Extension "Modules" codingms/modules. This issue affects Extension "Modules": before 4.3.11, from 5....
packagist
No PRs yet
TorrentPier is Vulnerable to Authenticated SQL Injection through Moderator Control Panel's topic_id parameter
GHSA-4rwr-8c3m-55f6 CVE-2025-64519 HIGH 15 days ago
### Summary An authenticated SQL injection vulnerability exists in the moderator control panel (`modcp.php`). Users with moderator permissions can ...
packagist
No PRs yet
OpenMage vulnerable to XSS in Admin Notifications
GHSA-qv78-c8hc-438r CVE-2025-64174 MODERATE 22 days ago
### Summary OpenMage versions v20.15.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an adm...
packagist
No PRs yet
MantisBT unauthorized disclosure of private project column configuration
GHSA-g582-8vwr-68h2 CVE-2025-62520 MODERATE 22 days ago
### Impact Due to insufficient access-level checks, any non-admin user having access to _manage_config_columns_page.php_ (typically project manage...
packagist
No PRs yet
MantisBT lacks verification when changing a user's email address
GHSA-q747-c74m-69pr CVE-2025-55155 MODERATE 22 days ago
When a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. ### I...
packagist
No PRs yet
MantisBT Vulnerable to Denial-of-Service (DoS) via Excessive Note Length
GHSA-r3jf-hm7q-qfw5 CVE-2025-46556 MODERATE 22 days ago
A lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely lo...
packagist
No PRs yet
MantisBT vulnerable to authentication bypass for some passwords due to PHP type juggling
GHSA-4v8w-gg5j-ph37 CVE-2025-47776 HIGH 22 days ago
Due to an incorrect use of loose (`==`) instead of strict (`===`) comparison in the [authentication code][1], PHP type juggling will cause interpre...
packagist
No PRs yet
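The MantisBT entry above describes the PHP type-juggling class: a loose `==` between two hash strings that both look like `0e` followed only by digits is evaluated as a numeric comparison (`0 == 0`), so unrelated digests compare equal. The PHP below is an added illustration of that class and of the strict fix, not MantisBT's code; the two md5 inputs are the well-known public "magic hash" strings, and the check functions are constructed for the demo.

```php
<?php
// Added illustration of the PHP loose-comparison bug class (not MantisBT code).
declare(strict_types=1);

// Both inputs are well-known "magic hash" strings: their md5 digests begin
// with "0e" followed only by digits, so PHP treats the digests as numeric
// strings of the form 0 * 10^N when comparing them with ==.
$storedHash    = md5('240610708');
$attackerInput = 'QNKCDZO';

function checkPasswordLoose(string $storedHash, string $candidate): bool
{
    // Vulnerable: == on two numeric-looking strings compares them as numbers,
    // so a different password whose digest also starts "0e<digits>" passes.
    return md5($candidate) == $storedHash;
}

function checkPasswordStrict(string $storedHash, string $candidate): bool
{
    // Fixed: hash_equals() compares byte-for-byte and in constant time; === on
    // the two strings would also close the juggling hole.
    return hash_equals($storedHash, md5($candidate));
}

// Modern code should not compare digests itself at all: password_hash() /
// password_verify() handle salting and strict comparison.
function checkPasswordModern(string $storedPasswordHash, string $candidate): bool
{
    return password_verify($candidate, $storedPasswordHash);
}

echo 'loose  (attacker input): ', var_export(checkPasswordLoose($storedHash, $attackerInput), true), PHP_EOL;
echo 'strict (attacker input): ', var_export(checkPasswordStrict($storedHash, $attackerInput), true), PHP_EOL;
echo 'strict (real password):  ', var_export(checkPasswordStrict($storedHash, '240610708'), true), PHP_EOL;

$modernHash = password_hash('240610708', PASSWORD_DEFAULT);
echo 'modern (attacker input): ', var_export(checkPasswordModern($modernHash, $attackerInput), true), PHP_EOL;
```

The loose check accepts the attacker's input while both strict variants reject it, which matches the advisory's "for some passwords" wording: only accounts whose stored digest happens to be of the `0e<digits>` form are exposed, but an attacker needs no knowledge of the real password to hit them.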
Statamic Vulnerable to Superadmin Account Takeover via Stored Cross-Site Scripting and Lack of Proper X-CSRF-TOKEN Server-Side Validation
GHSA-g59r-24g3-h7cm CVE-2025-64112 HIGH 26 days ago
### Impact Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject maliciou...
packagist
No PRs yet
Drupal Acquia DAM allows Forceful Browsing
GHSA-x957-32v9-m7vg CVE-2025-9954 HIGH 27 days ago
Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing. This issue affects Acquia DAM: from 0.0.0 before 1.1.5.
packagist
No PRs yet
Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypass
GHSA-jqmq-fpwv-p925 CVE-2025-12466 HIGH 27 days ago
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Simple OAuth (OAuth2) & OpenID Connect allows Authentication Bypas...
packagist
No PRs yet
Drupal CivicTheme Design System allows Cross-Site Scripting (XSS)
GHSA-h72q-cq3w-h3wc CVE-2025-12083 MODERATE 27 days ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-...
packagist
No PRs yet
Drupal Currency allows Cross Site Request Forgery
GHSA-27fv-rpgj-4c6m CVE-2025-10930 MODERATE 27 days ago
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery. This issue affects Currency: from 0.0.0 befor...
packagist
No PRs yet
Drupal JSON Field is vulnerable to XSS
GHSA-m3f2-xjgc-2wp2 CVE-2025-10926 MODERATE 27 days ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal JSON Field allows Cross-Site Scripting...
packagist
No PRs yet
Drupal Plausible tracking is vulnerable to XSS
GHSA-pr6m-qwrr-mrw9 CVE-2025-10927 MODERATE 27 days ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Plausible tracking allows Cross-Site S...
packagist
No PRs yet
Drupal CivicTheme Design System allows Forceful Browsing
GHSA-qxr9-f877-9842 CVE-2025-12082 HIGH 27 days ago
Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing. This issue affects CivicTheme Design System: fro...
packagist
No PRs yet
Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables
GHSA-fg8x-q69g-4qp3 CVE-2025-10929 MODERATE 27 days ago
Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables. This is...
packagist
No PRs yet
Drupal Access code allows Brute Force Attempts
GHSA-27mc-9399-r9mx CVE-2025-10928 MODERATE 27 days ago
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force. This issue affects Access code: f...
packagist
No PRs yet
Drupal Umami Analytics allows Cross-Site Scripting (XSS)
GHSA-jxp8-4jw5-5xjc CVE-2025-10931 LOW 27 days ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scri...
packagist
No PRs yet
Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax
GHSA-9f58-4465-23c7 CVE-2025-62798 MODERATE 27 days ago
A Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affect...
packagist
No PRs yet
PrivateBin is missing HTML sanitization of attached filename in file size hint
GHSA-867c-p784-5q6g CVE-2025-62796 MODERATE 28 days ago
We’ve identified an HTML injection/XSS vulnerability in PrivateBin service that allows the injection of arbitrary HTML markup via the attached file...
packagist
No PRs yet
Moodle vulnerable to brute-force password guesses
GHSA-m58f-9pvv-8mp2 CVE-2025-62399 HIGH about 1 month ago
Moodle's mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute...
packagist
No PRs yet
Moodle exposed the names of hidden groups to users
GHSA-422v-w6c5-vq42 CVE-2025-62400 MODERATE about 1 month ago
Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal pr...
packagist
No PRs yet
Moodle's error handling leads to sensitive information disclosure
GHSA-c5cj-xp43-qcc3 CVE-2025-62396 MODERATE about 1 month ago
An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers ...
packagist
No PRs yet
Moodle has a time restriction bypass
GHSA-w29j-8phw-ffjf CVE-2025-62401 MODERATE about 1 month ago
An issue in Moodle's timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to co...
packagist
No PRs yet
Moodle does not properly enforce MFA
GHSA-25wf-7x6c-wmpf CVE-2025-62398 MODERATE about 1 month ago
A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially ...
packagist
No PRs yet
Moodle sends quiz-related messages to inactive/suspended users
GHSA-8fcv-4qp9-pg32 CVE-2025-62394 MODERATE about 1 month ago
Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-rel...
packagist
No PRs yet