An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,768
With Dependabot PRs: 1,787
Critical Severity: 3,504
High Severity: 8,609

Moodle has a time restriction bypass
GHSA-w29j-8phw-ffjf CVE-2025-62401 MODERATE about 1 month ago
An issue in Moodle's timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to co...
packagist
No PRs yet
Moodle does not properly enforce MFA
GHSA-25wf-7x6c-wmpf CVE-2025-62398 MODERATE about 1 month ago
A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially ...
packagist
No PRs yet
Moodle sends quiz-related messages to inactive/suspended users
GHSA-8fcv-4qp9-pg32 CVE-2025-62394 MODERATE about 1 month ago
Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-rel...
packagist
No PRs yet
Moodle course access permissions are not properly checked in course_output_fragment_course_overview
GHSA-rjcm-7v2p-9265 CVE-2025-62393 MODERATE about 1 month ago
A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users ...
packagist
No PRs yet
Admidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality
GHSA-2v5m-cq9w-fc33 CVE-2025-62617 HIGH about 1 month ago
Summary: An authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticate...
packagist
No PRs yet
code16 Sharp vulnerable to Cross Site Scripting (XSS)
GHSA-9778-v769-qvjf CVE-2025-61457 MODERATE about 1 month ago
code16 Sharp v9.6.6 is vulnerable to Cross Site Scripting (XSS) in src/Form/Fields/SharpFormUploadField.php.
packagist
No PRs yet
ProcessWire CMS vulnerable to resource-exhaustion Denial of Service
GHSA-9p44-q66p-xm6p CVE-2025-60790 MODERATE about 1 month ago
ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limi...
packagist
No PRs yet
Shopware Customer Orders can be canceled, even if refunds are disabled
GHSA-r2vg-hvjm-fg38 MODERATE about 1 month ago
Refunds in general can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel), which visually shows and hi...
packagist
No PRs yet
Shopware exposes sensitive user information via CSV export mapping
GHSA-27c9-vp3w-6ww8 MODERATE about 1 month ago
Impact: Malicious actors can exploit this finding to export sensitive customer information from a Shopware application, including password hashe...
packagist
No PRs yet
Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice
GHSA-3cpp-fv95-mpr5 LOW about 1 month ago
Impact: This vulnerability allows malicious actors to force the application server to send HTTP requests to both external and internal servers. ...
packagist
No PRs yet
Shopware vulnerable to path traversal via Plugin upload
GHSA-6wh5-mw9h-5c3w LOW about 1 month ago
Impact: Malicious actors can exploit this vulnerability to write files within arbitrary directories on the filesystem of the Shopware web contai...
packagist
No PRs yet
Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually
GHSA-m895-2hj3-8cg9 MODERATE about 1 month ago
In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber a...
packagist
No PRs yet
Citizen vulnerable to stored XSS in sticky header button messages
GHSA-g955-vw6w-v6pp CVE-2025-62508 MODERATE about 1 month ago
Summary: The JS implementation for copying button labels to the sticky header in the Citizen skin unescapes HTML characters, allowing for stored...
packagist
No PRs yet
TastyIgniter vulnerable to Cross-Site Scripting
GHSA-4vrf-42cm-7xfw CVE-2025-61417 LOW about 1 month ago
Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicio...
packagist
No PRs yet
Cargo Mediawiki Extension vulnerable to Cross-site Scripting
GHSA-gr6v-3pmp-996p CVE-2025-62671 MODERATE about 1 month ago
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - C...
packagist
No PRs yet
ibexa/fieldtype-richtext has an XSS vulnerability via acronym custom tag in Rich Text
GHSA-8c2g-f8jm-5cr7 MODERATE about 1 month ago
Impact: This security advisory resolves an XSS vulnerability in acronym custom tag in Rich Text, in the back office of the DXP. Back office acce...
packagist
No PRs yet
ibexa/admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal
GHSA-2mx6-fq24-g2mh MODERATE about 1 month ago
Impact: This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back offi...
packagist
No PRs yet
ezsystems/ezplatform-admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal
GHSA-99c7-c3mw-mxhv MODERATE about 1 month ago
Impact: This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back offi...
packagist
No PRs yet
ibexa/user login enumerates user accounts
GHSA-q3x8-6898-23g3 MODERATE about 1 month ago
Impact: In v5, error messages could provide enough information to tell whether a user exists or not. This is resolved by ensuring the error mess...
packagist
No PRs yet
bagisto has Cross Site Scripting (XSS) in Create New Customer
GHSA-r9xj-mvqf-jm7w CVE-2025-62414 MODERATE about 1 month ago
Summary: In Bagisto v2.3.7, the "Create New Customer" feature (in the admin panel) is vulnerable to reflected / stored Cross-Site Scripting (XSS...
packagist
No PRs yet
bagisto has CSV Formula Injection in Create New Product
GHSA-jqrp-58fv-w8cq CVE-2025-62417 CRITICAL about 1 month ago
Summary: When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved ...
packagist
No PRs yet
bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
GHSA-fg89-g389-p346 CVE-2025-62418 MODERATE about 1 month ago
Summary: In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafte...
packagist
No PRs yet
bagisto has Server Side Template Injection (SSTI) in Product Description
GHSA-527q-4wqv-g9wj CVE-2025-62416 MODERATE about 1 month ago
Summary: Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side ...
packagist
No PRs yet
LibreNMS alert-rules has a Cross-Site Scripting Vulnerability
GHSA-6g2v-66ch-6xmh CVE-2025-62412 LOW about 1 month ago
Executive Summary: Product: LibreNMS; Vendor: LibreNMS; Vulnerability Type: Cross-Site Scripting (XSS); CVSS Score: 4.3 (AV:N...
packagist
No PRs yet
PrestaShop Checkout Target PayPal merchant account hijacking from backoffice
GHSA-wvpg-4wrh-5889 CVE-2025-61924 LOW about 1 month ago
Impact: Wrong usage of the PHP `array_search()` allows bypass of validation. Patches: The problem has been patched in versions: v4.4.1 for...
packagist
No PRs yet
PrestaShop Checkout Backoffice directory traversal allows arbitrary file disclosure
GHSA-fpxp-pfqm-x54w CVE-2025-61923 MODERATE about 1 month ago
Impact: Missing validation on input vulnerable to directory traversal. Patches: The problem has been patched in versions: v4.4.1 for PrestaShop...
packagist
No PRs yet
PrestaShop Checkout allows customer account takeover via email
GHSA-54hq-mf6h-48xh CVE-2025-61922 CRITICAL about 1 month ago
Impact: Missing validation on Express Checkout feature allows silent log-in. Affected versions: The issue was introduced in PrestaShop Checkout...
packagist
No PRs yet
bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
GHSA-67px-r26w-598x CVE-2025-62415 MODERATE about 1 month ago
Summary: In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafte...
packagist
No PRs yet
LibreNMS has a Stored XSS vulnerability in its Alert Transport name field
GHSA-frc6-pwgr-c28w CVE-2025-62411 MODERATE about 1 month ago
Summary: LibreNMS <= 25.8.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Alert Transports management functionality. Wh...
packagist
No PRs yet
Magento vulnerable to stored Cross-Site Scripting (XSS)
GHSA-2768-5wmv-cfff CVE-2025-54264 HIGH about 1 month ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) ...
packagist
No PRs yet
Magento vulnerable to privilege escalation due to incorrect authorization
GHSA-qvwr-p3hj-j6jf CVE-2025-54267 MODERATE about 1 month ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Magento vulnerable to stored Cross-Site Scripting (XSS)
GHSA-pcrx-r49h-x2w5 CVE-2025-54266 MODERATE about 1 month ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) ...
packagist
No PRs yet
Magento provides incorrect authorization through a security feature bypass
GHSA-69x9-xp2j-w8g8 CVE-2025-54263 HIGH about 1 month ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Magento allows incorrect authorization
GHSA-r355-75hw-r8jf CVE-2025-54265 MODERATE about 1 month ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
LibreNMS is vulnerable to Reflected-XSS in `report_this` function
GHSA-86rg-8hc8-v82p CVE-2025-62365 MODERATE about 1 month ago
Summary: Reflected-XSS in `report_this` function in `librenms/includes/functions.php`. Details: Recently, it was discovered that the `report...
packagist
No PRs yet
Bagisto is vulnerable to XSS through Admin Panel's product creation path
GHSA-29mf-w486-v3vc CVE-2025-60880 HIGH about 2 months ago
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted...
packagist
No PRs yet
Alt Redirect: Potential Authentication Bypass by Spoofing through query-string stripping logic flaw
GHSA-rpjr-pcmr-9ppw CVE-2025-60868 MODERATE about 2 months ago
The Alt Redirect 1.6.3 addon for Statamic fails to consistently strip query string parameters when the "Query String Strip" feature is enabled. Cas...
packagist
No PRs yet
drupal-pattern-lab/unified-twig-extensions is vulnerable to XSS
GHSA-64mv-9655-37hx CVE-2025-11570 LOW about 2 months ago
Versions of the package drupal-pattern-lab/unified-twig-extensions from 0.0.0 are vulnerable to Cross-site Scripting (XSS) due to insufficient filt...
packagist
No PRs yet
VaahCMS is vulnerable to XSS through its Avatar Upload endpoint
GHSA-q769-phqg-263r CVE-2025-61183 MODERATE about 2 months ago
Cross-Site Scripting in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via the upload method in the storeAvatar() method of UserBas...
packagist
No PRs yet
Melis Platform CMS SQL Injection
GHSA-mrmx-jfw8-qhgv CVE-2025-10351 CRITICAL about 2 months ago
SQL injection vulnerability in the melis-cms module of the Melis platform from Melis Technology. This vulnerability allows an attacker to ret...
packagist
No PRs yet
Melis Platform CMS Unauthenticated File Upload Leading to RCE
GHSA-chw4-gjvw-3gxc CVE-2025-10353 CRITICAL about 2 months ago
File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows...
packagist
No PRs yet
Melis Platform CMS Unauthenticated Admin Account Creation
GHSA-p3vc-g9f9-mgw4 CVE-2025-10352 CRITICAL about 2 months ago
Vulnerability in the melis-core module of Melis Technology's Melis Platform, which, if exploited, allows an unauthenticated attacker to create an a...
packagist
No PRs yet
NovoSGA: Manipulation of User Creation Page can lead to weak password requirements
GHSA-xgr2-5837-hf48 CVE-2025-11322 LOW about 2 months ago
A flaw has been found in Mangati NovoSGA up to 2.2.12. The impacted element is an unknown function of the file /novosga.users/new of the component ...
packagist
No PRs yet
phpMyFAQ duplicate email registration allows multiple accounts with the same email
GHSA-9wj2-4hcm-r74j CVE-2025-59943 HIGH about 2 months ago
Summary: phpMyFAQ does not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created ...
packagist
No PRs yet
Dolibarr vulnerable to RCE via the computed field parameter
GHSA-27hj-48r9-x2vx CVE-2025-56588 HIGH about 2 months ago
Dolibarr ERP & CRM v21.0.1 was discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed...
packagist
No PRs yet
Auth0 Symfony SDK Does Not Properly Handle File Types in Bulk User Import
GHSA-7jp2-5h22-m432 LOW about 2 months ago
Overview: In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
Auth0 Wordpress plugin Does Not Properly Handle File Types in Bulk User Import
GHSA-w22c-pw5m-482x LOW about 2 months ago
Overview: In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
laravel-auth0 SDK Does Not Properly Handle File Types in Bulk User Import
GHSA-hjfh-5jmm-xr24 LOW about 2 months ago
Overview: In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
auth0-PHP SDK Does Not Properly Handle File Types in Bulk User Import
GHSA-9mh6-g99m-ppcw CVE-2025-58769 LOW about 2 months ago
Overview: In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
Joomla! CMS vulnerable to XSS via the input filter
GHSA-fm22-g2q9-j3pw CVE-2025-54476 MODERATE about 2 months ago
Improper handling of input could lead to a cross-site scripting (XSS) vector in the checkAttribute method of the input filter framework class.
packagist
No PRs yet