An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,784
With Dependabot PRs: 1,790
Critical Severity: 3,506
High Severity: 8,617

Soosyze CMS's /user/login endpoint missing rate-limiting and lockout mechanisms
GHSA-vq9x-w82r-rhmc CVE-2025-52392 HIGH 4 months ago
Soosyze CMS 2.0 allows brute-force login attacks via the /user/login endpoint due to missing rate-limiting and lockout mechanisms. An attacker can ...
packagist
No PRs yet
svg-sanitizer Bypasses Attribute Sanitization
GHSA-22wq-q86m-83fh CVE-2025-55166 MODERATE 4 months ago
Problem: The sanitization logic at https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481 only searches for lowe...
packagist
No PRs yet
Magento vulnerable to denial of service
GHSA-xgfm-992v-h2hr CVE-2025-49554 HIGH 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnera...
packagist
No PRs yet
Magento Cross-Site Request Forgery (CSRF) vulnerability
GHSA-5777-jj7p-mpqw CVE-2025-49555 HIGH 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) ...
packagist
No PRs yet
Magento Cross-site Scripting vulnerability
GHSA-8mq8-c243-2335 CVE-2025-49557 HIGH 4 months ago
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting...
packagist
No PRs yet
Magento vulnerable to path traversal
GHSA-h4f4-gv6h-x824 CVE-2025-49559 MODERATE 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname...
packagist
No PRs yet
Magento has incorrect authorization issue that leads to arbitrary file system read
GHSA-7hrj-3c9x-xv5h CVE-2025-49556 HIGH 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
GHSA-wcmw-8xpp-rwfj CVE-2025-49558 MODERATE 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Time-of-check Time-of-use (TOCTOU)...
packagist
No PRs yet
Craft CMS has a theoretical bypass for CVE-2025-23209
GHSA-2vcf-qxv3-2mgw CVE-2025-54417 MODERATE 4 months ago
**Pre-requisites:** * Have a compromised security key (https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret) * Somehow, man...
packagist
No PRs yet
Shopware race condition bypasses voucher restrictions
GHSA-27gv-mg7w-mm34 CVE-2025-7954 MODERATE 4 months ago
A race condition vulnerability has been identified in Shopware's voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended vouc...
packagist
No PRs yet
Concrete CMS vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation Messages Dashboard Page
GHSA-4pcg-pjp5-3mc6 CVE-2025-8571 MODERATE 4 months ago
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Pag...
packagist
No PRs yet
Concrete CMS is vulnerable to Stored XSS from Home Folder on Members Dashboard page
GHSA-c5xf-rmv4-j85h CVE-2025-8573 LOW 4 months ago
Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue...
packagist
No PRs yet
ThinkPHP Path Traversal Vulnerability
GHSA-mrwc-mvr8-9xq5 CVE-2025-50706 CRITICAL 4 months ago
An issue in ThinkPHP Framework v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function.
packagist
No PRs yet
FPDI allows Memory Exhaustion (OOM) in PDF Parser which leads to Denial of Service
GHSA-jxhh-4648-vpp3 CVE-2025-54869 MODERATE 4 months ago
Impact: This is a significant Denial of Service (DoS) vulnerability. Any application that uses FPDI to process user-supplied PDF files is at ris...
packagist
27 Dependabot PRs, 40% merged
The ADOdb sqlite3 driver allows SQL injection
GHSA-vf2r-cxg9-p7rf CVE-2025-54119 CRITICAL 4 months ago
Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 da...
packagist
11 Dependabot PRs, 18% merged
Microweber XSS Vulnerability in the homepage Endpoint
GHSA-2x2j-3c2v-g3c2 CVE-2025-51504 MODERATE 4 months ago
Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS) in the /projects/profile, homepage endpoint via the last name field.
packagist
No PRs yet
Microweber has Reflected XSS Vulnerability in the id Parameter
GHSA-8357-fjvx-xrm8 CVE-2025-51501 MODERATE 4 months ago
Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS 2.0 allows execution of arb...
packagist
No PRs yet
Microweber has Reflected XSS Vulnerability in the layout Parameter
GHSA-mvj3-hc7j-vp74 CVE-2025-51502 MODERATE 4 months ago
Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript exec...
packagist
No PRs yet
Microweber Has Stored XSS Vulnerability in User Profile Fields
GHSA-782f-gxj5-xvqc CVE-2025-51503 LOW 4 months ago
A Stored Cross-Site Scripting (XSS) vulnerability in Microweber CMS 2.0 allows attackers to inject malicious scripts into user profile fields, lead...
packagist
No PRs yet
Bacula-web SQL Injection Vulnerability
GHSA-hq25-vp56-qr86 CVE-2025-45346 HIGH 4 months ago
SQL Injection vulnerability in Bacula-web before v.9.7.1 allows a remote attacker to execute arbitrary code via a crafted HTTP GET request.
packagist
No PRs yet
z-push/z-push-dev SQL Injection Vulnerability
GHSA-w832-w3p8-cw29 CVE-2025-8264 HIGH 4 months ago
Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attac...
packagist
No PRs yet
CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability
GHSA-9952-gv64-x94c CVE-2025-54418 CRITICAL 4 months ago
Impact: This vulnerability affects applications that: * Use the ImageMagick handler for image processing (`imagick` as the image library) * **AN...
packagist
No PRs yet
HAX CMS API Lacks Authorization Checks
GHSA-9jr9-8ff3-m894 CVE-2025-54378 HIGH 4 months ago
Summary: The HAX CMS API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CM...
npm packagist
No PRs yet
Powermail extension for TYPO3 allows Insecure Direct Object Reference
GHSA-x769-3cwv-f8hc CVE-2025-7899 MODERATE 4 months ago
The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue a...
packagist
No PRs yet
Femanager extension for TYPO3 allows Insecure Direct Object Reference
GHSA-rc5f-3hfv-jxp2 CVE-2025-7900 MODERATE 4 months ago
The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects fe...
packagist
No PRs yet
HAX CMS application pages vulnerable to clickjacking
GHSA-54vw-f4xf-f92j CVE-2025-54139 MODERATE 4 months ago
Summary: All pages within the HAX CMS application do not contain headers to stop other websites from loading the site within an iframe. This ap...
npm packagist
No PRs yet
LibreNMS has Authenticated Remote File Inclusion in ajax_form.php that Allows RCE
GHSA-gq96-8w38-hhj2 CVE-2025-54138 HIGH 4 months ago
LibreNMS 25.6.0 contains an architectural vulnerability in the `ajax_form.php` endpoint that permits Remote File Inclusion based on user-controlled...
packagist
No PRs yet
Dolibarr has Remote Code Execution Vulnerability (Bypass)
GHSA-49xw-hw94-fmv2 HIGH 4 months ago
Summary: The Dolibarr backend provides the function of adding Menu, and supports setting permissions for the added Menu: ![](https://raw.githubu...
packagist
No PRs yet
nova-tiptap has Unauthenticated Arbitrary File Upload Vulnerability
GHSA-96c2-h667-9fxp CVE-2025-54082 CRITICAL 4 months ago
A vulnerability was discovered in the marshmallow-packages/nova-tiptap Laravel Nova package that allows unauthenticated users to upload arbitrary f...
packagist
No PRs yet
Filemanager is vulnerable to Relative Path Traversal through filemanager.php
GHSA-r7q6-6fmq-mx4c CVE-2025-46002 MODERATE 4 months ago
An issue in Filemanager v2.5.0 and below allows attackers to execute a directory traversal via sending a crafted HTTP request to the filemanager.ph...
packagist
No PRs yet
simogeo/filemanager arbitrary file upload vulnerability
GHSA-m5hw-rhvr-f47c CVE-2025-46001 CRITICAL 4 months ago
An arbitrary file upload vulnerability in the is_allowed_file_type() function of Filemanager v2.3.0 allows attackers to execute arbitrary code via ...
packagist
No PRs yet
Livewire is vulnerable to remote command execution during component property update hydration
GHSA-29cq-5w36-x7w3 CVE-2025-54068 CRITICAL 4 months ago
Impact: In Livewire v3 (≤ 3.6.3), a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. Th...
packagist
No PRs yet
LaRecipe is vulnerable to Server-Side Template Injection attacks
GHSA-jv7x-xhv2-p5v2 CVE-2025-53833 CRITICAL 5 months ago
Impact: Attackers could: 1. Execute arbitrary commands on the server 2. Access sensitive environment variables 3. Escalate access depending on s...
packagist
No PRs yet
phpThumb is vulnerable to Command Injection through its gif_outputAsJpeg function
GHSA-q745-cfqh-hcrw CVE-2025-52994 MODERATE 5 months ago
gif_outputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. This is fixed in 1.7.23-202...
packagist
No PRs yet
DynamicPageList3 vulnerability exposes hidden/suppressed usernames
GHSA-7pgw-q3qp-6pgq CVE-2025-53625 HIGH 5 months ago
Summary: Several `#dpl` parameters can leak usernames that have been hidden using revision deletion, suppression, or the `hideuser` block flag. ...
packagist
No PRs yet
Cockpit - Content Platform vulnerable to XSS through name or email argument names
GHSA-j4rj-fgcq-wmqp CVE-2025-7053 MODERATE 5 months ago
A vulnerability was found in Cockpit versions up to 2.11.3. This issue affects some unknown processing instances of the file /system/users/save. Th...
packagist
No PRs yet
Citizen Short Description stored XSS vulnerability through wikitext
GHSA-p85q-mww9-gwqf CVE-2025-53369 HIGH 5 months ago
Summary: Short descriptions are not properly sanitized by the ShortDescription before being inserted as HTML using `mw.util.addSubtitle`, allowi...
packagist
No PRs yet
Bolt CMS vulnerable to authenticated remote code execution
GHSA-p9qc-8jjx-g8cg CVE-2025-34086 HIGH 5 months ago
Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. ...
packagist
No PRs yet
Citizen vulnerable to Stored XSS through short descriptions
GHSA-prmv-7r8c-794g CVE-2025-53370 HIGH 5 months ago
Summary: Short descriptions set via the [ShortDescription extension](https://www.mediawiki.org/wiki/Extension:ShortDescription) are inserted as ...
packagist
No PRs yet
starcitizentools/citizen-skin is vulnerable to Stored XSS attack in the legacy search bar through page descriptions
GHSA-rq6g-6g94-jfr4 CVE-2025-53368 HIGH 5 months ago
Summary: Page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. Detail...
packagist
No PRs yet
Microweber CMS API has authenticated local file inclusion vulnerability
GHSA-j64v-xh5w-8hqj CVE-2025-34076 MODERATE 5 months ago
An authenticated local file inclusion vulnerability exists in Microweber CMS versions < 1.2.11 through misuse of the backup management API. Authent...
packagist
No PRs yet
TabberNeue vulnerable to Stored XSS through wikitext
GHSA-jfj7-249r-7j2m CVE-2025-53093 HIGH 5 months ago
Summary: Arbitrary HTML can be inserted into the DOM by inserting a payload into any allowed attribute of the `<tabber>` tag. Details: The ...
packagist
No PRs yet
raspap-webgui has a Directory Traversal vulnerability
GHSA-277f-37gw-9gmq CVE-2025-44163 HIGH 5 months ago
RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST...
packagist
No PRs yet
JuzaWeb CMS is vulnerable to Incorrect Privilege Assignment when installing Import Page component
GHSA-rq7x-cfmc-rq3w CVE-2025-6735 LOW 5 months ago
A vulnerability classified as critical has been found in JuzaWeb CMS 3.4.2. Affected is an unknown function of the file /admin-cp/imports of the co...
packagist
No PRs yet
JuzaWeb CMS is vulnerable to Incorrect Privilege Assignment when installing certain components
GHSA-mrph-pjv2-34f4 CVE-2025-6736 LOW 5 months ago
A vulnerability classified as critical was found in juzaweb CMS 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admi...
packagist
No PRs yet
Magento Security feature bypass
GHSA-8hcx-xvww-6c6h CVE-2025-49550 MODERATE 5 months ago
Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could r...
packagist
No PRs yet
Magento Authenticated Security feature bypass
GHSA-85jx-x9r4-45m2 CVE-2025-49549 LOW 5 months ago
Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could r...
packagist
No PRs yet
Moodle Session Fixation allows unauthenticated users to hijack sessions via sesskey parameter
GHSA-cgvv-3455-824j CVE-2025-53021 MODERATE 5 months ago
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. ...
packagist
No PRs yet
Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution
GHSA-24wv-6c99-f843 CVE-2025-49132 CRITICAL 5 months ago
Impact: Using the `/locales/locale.json` with the `locale` and `namespace` query parameters, a malicious actor is able to execute arbitrary code...
packagist
No PRs yet
handcraftedinthealps/goodby-csv has Potential Gadget Chain allowing Remote Code Execution
GHSA-x3c7-22c8-prg7 CVE-2025-49597 LOW 6 months ago
Impact: goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an ...
packagist
1 Dependabot PR