Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,784
With Dependabot PRs: 1,790
Critical Severity: 3,506
High Severity: 8,617
Ibexa RichText Field Type XSS vulnerabilities in back office
GHSA-9qv6-4pwm-m68f MODERATE 6 months ago
### Impact
This security advisory is a part of IBEXA-SA-2025-003, which resolves XSS vulnerabilities in several parts of the back office of Ibexa D...
packagist
No PRs yet
Ibexa Admin UI XSS vulnerabilities in back office
GHSA-5r6x-g6jv-4v87 MODERATE 6 months ago
### Impact
This security advisory is a part of IBEXA-SA-2025-003, which resolves XSS vulnerabilities in several parts of the back office of Ibexa D...
packagist
No PRs yet
Ibexa Admin UI assets XSS vulnerabilities in back office
GHSA-vhgq-r8gx-5fpv MODERATE 6 months ago
### Impact
This security advisory is a part of IBEXA-SA-2025-003, which resolves XSS vulnerabilities in several parts of the back office of Ibexa D...
packagist
No PRs yet
Ibexa eZ Platform Admin UI assets XSS vulnerabilities in back office
GHSA-r5rx-53g9-25rj MODERATE 6 months ago
### Impact
This security advisory is a part of IBEXA-SA-2025-003, which resolves XSS vulnerabilities in several parts of the back office of Ibexa D...
packagist
No PRs yet
Ibexa eZ Platform Admin UI XSS vulnerabilities in back office
GHSA-r7pm-mw8g-p7px MODERATE 6 months ago
### Impact
This security advisory is a part of IBEXA-SA-2025-003, which resolves XSS vulnerabilities in several parts of the back office of Ibexa D...
packagist
No PRs yet
starcitizentools/citizen-skin allows stored XSS in user registration date message
GHSA-2v3v-3whp-953h CVE-2025-49578 MODERATE 6 months ago
### Summary
Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to inse...
packagist
No PRs yet
starcitizentools/citizen-skin allows stored XSS in menu heading message
GHSA-g3cp-pq72-hjpv CVE-2025-49579 MODERATE 6 months ago
### Summary
All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those mes...
packagist
No PRs yet
starcitizentools/citizen-skin allows stored XSS in preference menu heading messages
GHSA-jwr7-992g-68mh CVE-2025-49577 MODERATE 6 months ago
### Summary
Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the...
packagist
No PRs yet
starcitizentools/citizen-skin allows stored XSS in search no result messages
GHSA-86xf-2mgp-gv3g CVE-2025-49576 MODERATE 6 months ago
### Summary
The `citizen-search-noresults-title` and `citizen-search-noresults-desc` system messages are inserted into raw HTML, allowing anybody w...
packagist
No PRs yet
Citizen skin vulnerable to stored XSS through multiple system messages
GHSA-4c2h-67qq-vm87 CVE-2025-49575 MODERATE 6 months ago
### Summary
Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert...
packagist
No PRs yet
Drupal Admin Audit Trail Allocation of Resources Without Limits or Throttling vulnerability
GHSA-pwj7-5c7c-mwjc CVE-2025-48448 HIGH 6 months ago
Allocation of Resources Without Limits or Throttling vulnerability in Drupal Admin Audit Trail allows Excessive Allocation. This issue affects Admi...
packagist
No PRs yet
Drupal Lightgallery Cross-site Scripting vulnerability
GHSA-w5px-5878-m9x4 CVE-2025-48447 MODERATE 6 months ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Lightgallery allows Cross-Site Scripti...
packagist
No PRs yet
Drupal Commerce Eurobank (Redirect) Incorrect Authorization vulnerability
GHSA-q9h3-r6wr-p3j3 CVE-2025-48445 HIGH 6 months ago
Incorrect Authorization vulnerability in Drupal Commerce Eurobank (Redirect) allows Functionality Misuse. This issue affects Commerce Eurobank (Red...
packagist
No PRs yet
Drupal Commerce Alphabank Redirect Incorrect Authorization vulnerability
GHSA-48wx-8736-jgx2 CVE-2025-48446 HIGH 6 months ago
Incorrect Authorization vulnerability in Drupal Commerce Alphabank Redirect allows Functionality Misuse. This issue affects Commerce Alphabank Redi...
packagist
No PRs yet
Drupal Quick Node Block Missing Authorization vulnerability
GHSA-c424-hgg9-9c4w CVE-2025-48444 MODERATE 6 months ago
Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing. This issue affects Quick Node Block: from 0.0.0 before 2.0.0.
packagist
No PRs yet
Drupal Quick Node Block Missing Authorization vulnerability
GHSA-r6xj-43cf-9f88 CVE-2025-48013 MODERATE 6 months ago
Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing. This issue affects Quick Node Block: from 0.0.0 before 2.0.0.
packagist
No PRs yet
Magento Improper Authorization leading to security feature bypass
GHSA-r487-9vv5-75gg CVE-2025-43585 HIGH 6 months ago
Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Authorization vulnerability that could re...
packagist
No PRs yet
Magento contains stored XSS vulnerability
GHSA-j934-vjh5-vf9r CVE-2025-47110 CRITICAL 6 months ago
Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability tha...
packagist
No PRs yet
Magento Improper Access Control leads to security feature bypass
GHSA-g2pj-xmxq-3r9q CVE-2025-27206 MODERATE 6 months ago
Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Access Control vulnerability that ...
packagist
No PRs yet
HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter
GHSA-hxrr-x32w-cg8g CVE-2025-49138 MODERATE 6 months ago
### Summary
An authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbit...
packagist
No PRs yet
Hax CMS Stored Cross-Site Scripting vulnerability
GHSA-2vc4-3hx7-v7v7 CVE-2025-49137 HIGH 6 months ago
### Summary
The application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and...
packagist
No PRs yet
Laravel Translation Manager Vulnerable to Stored Cross-site Scripting
GHSA-j226-63j7-qrqh CVE-2025-49130 MODERATE 6 months ago
### Impact
The application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input dat...
packagist
No PRs yet
laravel-auth0 SDK Deserialization of Untrusted Data vulnerability
GHSA-c42h-56wx-h85q CRITICAL 6 months ago
**Overview**
The laravel-auth0 SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs proce...
packagist
No PRs yet
Auth0 Symfony SDK Deserialization of Untrusted Data vulnerability
GHSA-98j6-67v3-mw34 CRITICAL 6 months ago
**Overview**
The Auth0 Symfony SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs proce...
packagist
No PRs yet
Yii 2 Redis may expose AUTH parameters in logs in case of connection failure
GHSA-g3p6-82vc-43jh CVE-2025-48493 MODERATE 6 months ago
### Impact
On a failing connection, the extension writes the command sequence to the logs. AUTH parameters are written in plain text, exposing username and passw...
packagist
5 Dependabot PRs
Auth0 Wordpress Plugin vulnerable to Deserialization of Untrusted Data
GHSA-862m-5253-832r CRITICAL 6 months ago
**Overview**
The Auth0 Wordpress plugin contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs ...
packagist
No PRs yet
Auth0-PHP SDK Deserialization of Untrusted Data vulnerability
GHSA-v9m8-9xxp-q492 CVE-2025-48951 CRITICAL 6 months ago
**Overview**
The Auth0 PHP SDK contains a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie con...
packagist
No PRs yet
Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization
GHSA-8j8w-wwqc-x596 CVE-2025-49113 CRITICAL 6 months ago
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is...
packagist
1 Dependabot PR
juzaweb CMS allows cross-site scripting by uploading an SVG file
GHSA-49rr-34j5-r8mw CVE-2025-5420 MODERATE 6 months ago
A vulnerability classified as problematic was found in juzaweb CMS up to 3.4.2. Affected by this vulnerability is an unknown functionality of the f...
packagist
No PRs yet
PHPOffice Math allows XXE when processing an XML file in the MathML format
GHSA-42hm-pq2f-3r7m CVE-2025-48882 HIGH 6 months ago
**Product:** Math
**Version:** 0.2.0
**CWE-ID:** CWE-611: Improper Restriction of XML External Entity Reference
**CVSS vector v.4.0:** 8.7 (AV:N/AC...
packagist
1 Dependabot PR
Mautic has an Open Redirect vulnerability on user unlock path.
GHSA-6vx9-9r2g-8373 CVE-2025-5256 MODERATE 6 months ago
### Summary
This advisory addresses an Open Redirection vulnerability in Mautic's user unlocking endpoint. This vulnerability could be exploited by...
packagist
90 Dependabot PRs
Mautic segment cloning doesn't have a proper permission check
GHSA-vph5-ghq3-q782 CVE-2024-47055 MODERATE 6 months ago
### Summary
This advisory addresses a security vulnerability in Mautic related to the segment cloning functionality. This vulnerability allows any ...
packagist
No PRs yet
Mautic allows user name enumeration due to response time difference on password reset form
GHSA-424x-cxvh-wq9p CVE-2024-47057 MODERATE 6 months ago
### Summary
This advisory addresses a security vulnerability in Mautic related to the "Forget your password" functionality. This vulnerability cou...
packagist
No PRs yet
Mautic does not shield .env files from web traffic
GHSA-h2wg-v8wg-jhxh CVE-2024-47056 MODERATE 6 months ago
### Summary
This advisory addresses a security vulnerability in Mautic where sensitive `.env` configuration files may be directly accessible via a...
packagist
No PRs yet
Mautic's Predictable Page Indexing Might Lead to Sensitive Data Exposure
GHSA-cqx4-9vqf-q3m8 CVE-2025-5257 MODERATE 6 months ago
### Summary
This advisory addresses a security vulnerability in Mautic where unpublished page previews could be accessed by unauthenticated users a...
packagist
No PRs yet
Chrome PHP is missing encoding in `CssSelector`
GHSA-3432-fmrf-7vmh CVE-2025-48883 MODERATE 6 months ago
### Impact
CSS Selector expressions are not properly encoded, which can lead to XSS (cross-site scripting) vulnerabilities.
### Patches
This is ...
packagist
No PRs yet
Laravel Rest Api has a Search Validation Bypass
GHSA-69rh-hccr-cxrj CVE-2025-48490 MODERATE 6 months ago
A validation bypass vulnerability was discovered prior to version 2.13.0, where multiple validations defined for the same attribute could be silen...
packagist
No PRs yet
The Front End User Registration extension for TYPO3 (sr_feuser_register) Remote Code Execution
GHSA-qfm8-78qf-p75j CVE-2025-48200 CRITICAL 6 months ago
The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution via unsafe deserialization.
packagist
No PRs yet
The Backup Plus extension for TYPO3 (ns_backup) has a Predictable Resource Location
GHSA-hq4f-5qjv-fwrg CVE-2025-48201 HIGH 6 months ago
The ns_backup extension through 13.0.0 for TYPO3 has a Predictable Resource Location. This allows an unauthenticated remote user to download create...
packagist
No PRs yet
The Backup Plus extension for TYPO3 (ns_backup) allows command injections
GHSA-463c-jhp2-4mm7 CVE-2025-48204 MODERATE 6 months ago
The ns_backup extension through 13.0.0 for TYPO3 allows command injection when creating a backup. An authenticated backend user with access to the ...
packagist
No PRs yet
The Backup Plus extension for TYPO3 (ns_backup) allows XSS
GHSA-xg53-mhh9-3cq7 CVE-2025-48206 LOW 6 months ago
The ns_backup extension through 13.0.0 for TYPO3 allows XSS.
packagist
No PRs yet
The Front End User Registration extension for TYPO3 (sr_feuser_register) allows Insecure Direct Object Reference
GHSA-cvgc-mx2w-h3w8 CVE-2025-48205 HIGH 6 months ago
The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference. This allows attackers to read arbitrary files.
packagist
No PRs yet
reint_downloadmanager TYPO3 Extension is susceptible to Insecure Direct Object Reference
GHSA-jjwh-4x89-7f5w CVE-2025-48207 MODERATE 6 months ago
Insecure Direct Object Reference in the reint_downloadmanager TYPO3 extension allows remote attackers to read arbitrary files via the downloaduid p...
packagist
No PRs yet
The femanager TYPO3 extension allows Insecure Direct Object Reference
GHSA-xxwr-wv9g-7jw3 CVE-2025-48202 MODERATE 6 months ago
Insecure Direct Object Reference (IDOR) in the femanager TYPO3 extension allows attackers to view frontend user data via a user parameter in the ne...
packagist
No PRs yet
[clickstorm] SEO (cs_seo) TYPO3 extension Cross-site Scripting (XSS) vulnerability
GHSA-6p8w-pc35-mqv8 CVE-2025-48203 MODERATE 6 months ago
Cross-site scripting (XSS) vulnerability in the [clickstorm] SEO (cs_seo) TYPO3 extension allows backend users to execute arbitrary script via the ...
packagist
No PRs yet
The TYPO3 CMS Backend has Broken Authentication in Backend MFA
GHSA-744g-7qm9-hjh9 CVE-2025-47941 HIGH 6 months ago
### Problem
The multifactor authentication (MFA) dialog presented during backend login can be bypassed due to insufficient enforcement of access re...
packagist
No PRs yet
TYPO3 Allows Privilege Escalation to System Maintainer
GHSA-6frx-j292-c844 CVE-2025-47940 HIGH 6 months ago
### Problem
Administrator-level backend users without system maintainer privileges can escalate their privileges and gain system maintainer access....
packagist
No PRs yet
TYPO3 Allows Unrestricted File Upload in File Abstraction Layer
GHSA-9hq9-cr36-4wpj CVE-2025-47939 MODERATE 6 months ago
### Problem
By design, the file management module in TYPO3’s backend user interface has historically allowed the upload of any file type, with the ...
packagist
No PRs yet
TYPO3 Unverified Password Change for Backend Users
GHSA-3jrg-97f3-rqh9 CVE-2025-47938 LOW 6 months ago
### Problem
The backend user management interface allows password changes without requiring the current password. When an administrator updates the...
packagist
No PRs yet
TYPO3 Allows Information Disclosure via DBAL Restriction Handling
GHSA-x8pv-fgxp-8v3x CVE-2025-47937 LOW 6 months ago
### Problem
When performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are...
packagist
No PRs yet