An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,784
With Dependabot PRs: 1,790
Critical Severity: 3,506
High Severity: 8,617

TYPO3 CMS Webhooks Server Side Request Forgery
GHSA-p4xx-m758-3hpx CVE-2025-47936 LOW 6 months ago
### Problem Webhooks are inherently vulnerable to Server-Side Request Forgery (SSRF), which can be exploited by adversaries to target internal reso...
packagist
No PRs yet
Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes
GHSA-5j3w-5pcr-f8hg CVE-2025-47946 MODERATE 6 months ago
### Impact Rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()...
packagist
No PRs yet
LibreNMS stored Cross-site Scripting vulnerability in poller group name
GHSA-hxw5-9cc5-cmw5 CVE-2025-47931 LOW 6 months ago
### LibreNMS v25.4.0 suffers from Stored Cross-Site Scripting (XSS) Vulnerability in the 'group name' parameter of the 'http://localhost/poller/gro...
packagist
No PRs yet
laravel-auth0 SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions
GHSA-9fwj-9mjf-rhj3 CRITICAL 6 months ago
**Overview** Session cookies of applications using the laravel-auth0 SDK configured with CookieStore have authentication tags that can be brute for...
packagist
No PRs yet
Auth0 Wordpress plugin Vulnerable to Brute Force Authentication Tags of CookieStore Sessions
GHSA-2f4r-34m4-3w8q CRITICAL 6 months ago
**Overview** Session cookies of applications using the Auth0 Wordpress plugin configured with CookieStore have authentication tags that can be brut...
packagist
No PRs yet
Auth0 Symfony SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions
GHSA-9wg9-93h9-j8ch CRITICAL 6 months ago
**Overview** Session cookies of applications using the Auth0 symfony SDK configured with CookieStore have authentication tags that can be brute for...
packagist
No PRs yet
Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK
GHSA-g98g-r7gf-2r25 CVE-2025-47275 CRITICAL 6 months ago
**Overview** Session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced,...
packagist
10 Dependabot PRs, 40% merged
tarteaucitron-wp WordPress Plugin Vulnerable to Stored Cross-Site Scripting
GHSA-fxpc-qmrh-7j2h CVE-2024-11718 MODERATE 7 months ago
The tarteaucitron-wp WordPress plugin before 0.3.0 allows author level and above users to add HTML into a post/page, which could allow users with t...
packagist
No PRs yet
Sulu vulnerable to XXE in SVG File upload Inspector
GHSA-f6rx-hf55-4255 CVE-2025-47778 MODERATE 7 months ago
### Impact An admin user can upload SVG which may load external data via XML DOM library, specially this can be used for eventually reference none ...
packagist
4 Dependabot PRs
Kirby vulnerable to path traversal of snippet names in the `snippet()` helper
GHSA-fw82-87p8-v6hp CVE-2025-30159 MODERATE 7 months ago
### TL;DR This vulnerability affects all Kirby sites that use the `snippet()` helper or `$kirby->snippet()` method with a dynamic snippet name (su...
packagist
13 Dependabot PRs, 23% merged
Kirby vulnerable to path traversal in the router for PHP's built-in server
GHSA-9p3p-w5jf-8xxg CVE-2025-30207 LOW 7 months ago
### TL;DR This vulnerability affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development....
packagist
15 Dependabot PRs, 23% merged
Kirby vulnerable to path traversal of collection names during file system lookup
GHSA-x275-h9j4-7p4h CVE-2025-31493 MODERATE 7 months ago
### TL;DR This vulnerability affects all Kirby sites that use the `collection()` helper or `$kirby->collection()` method with a dynamic collection...
packagist
15 Dependabot PRs, 23% merged
OXID eShop May Display User Information
GHSA-qqcr-9jfc-35c4 CVE-2024-56526 HIGH 7 months ago
An issue was discovered in OXID eShop before 7. CMS pages in combination with Smarty may display user information if a CMS page contains a Smarty s...
packagist
No PRs yet
Craft CMS stores arbitrary content provided by unauthenticated users in session files
GHSA-7vrx-9684-xrf2 CVE-2025-35939 MODERATE 7 months ago
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using ...
packagist
No PRs yet
Koillection Cross Site Scripting vulnerability
GHSA-fxvx-gfmr-5xfj CVE-2025-29746 MODERATE 7 months ago
Cross Site Scripting vulnerability in Koillection v.1.6.10 allows a remote attacker to escalate privileges via the collection, Wishlist and album c...
packagist
No PRs yet
Easy!Appointments Denial of Service (DoS)
GHSA-hcjv-982c-5f29 CVE-2025-29448 MODERATE 7 months ago
Booking logic flaw in Easy!Appointments v1.5.1 allows unauthenticated attackers to create appointments with excessively long durations, causing a d...
packagist
No PRs yet
league/commonmark contains a XSS vulnerability in Attributes extension
GHSA-3527-qv2q-pfvx CVE-2025-46734 MODERATE 7 months ago
### Summary Cross-site scripting (XSS) vulnerability in the [Attributes extension](https://commonmark.thephpleague.com/extensions/attributes/) of t...
packagist
565 Dependabot PRs, 42% merged
Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
GHSA-7c58-g782-9j38 CVE-2025-46731 HIGH 7 months ago
Craft CMS contains a potential remote code execution vulnerability via Twig SSTI. You must have administrator access and `ALLOW_ADMIN_CHANGES` must...
packagist
No PRs yet
October CMS Allows Unprotected SVG Rename in Media Manager
GHSA-96hh-8hx5-cpw7 CVE-2024-51991 LOW 7 months ago
### Impact This advisory affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configura...
packagist
No PRs yet
Grokability Snipe-IT has incorrect authorization for accessing asset information
GHSA-h3vp-qwmx-5j25 CVE-2025-47226 MODERATE 7 months ago
Grokability Snipe-IT before 8.1.0 has incorrect authorization for accessing asset information.
packagist
No PRs yet
SQL injection in ADOdb PostgreSQL driver pg_insert_id() method
GHSA-8x27-jwjr-8545 CVE-2025-46337 CRITICAL 7 months ago
Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL...
packagist
10 Dependabot PRs, 11% merged
ShowDoc unrestricted file upload vulnerability
GHSA-6jmr-r7p6-f5wr CVE-2025-0520 CRITICAL 7 months ago
An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to ...
packagist
No PRs yet
YesWiki Stored XSS Vulnerability in Comments
GHSA-59x8-cvxh-3mm4 CVE-2025-46346 LOW 7 months ago
### Summary A stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious ...
packagist
No PRs yet
YesWiki Remote Code Execution via Arbitrary PHP File Write and Execution
GHSA-88xg-v53p-fpvf CVE-2025-46347 HIGH 7 months ago
### Summary An arbitrary file write can be used to write a file with a PHP extension, which then can be browsed to in order to execute arbitrary co...
packagist
No PRs yet
YesWiki Vulnerable to Unauthenticated Site Backup Creation and Download
GHSA-wc9g-6j9w-hr95 CVE-2025-46348 CRITICAL 7 months ago
### Summary The request to commence a site backup can be performed without authentication. Then these backups can also be downloaded without authe...
packagist
No PRs yet
YesWiki Vulnerable to Unauthenticated Reflected Cross-site Scripting
GHSA-2f8p-qqx2-gwr2 CVE-2025-46349 HIGH 7 months ago
### Summary Reflected XSS has been detected in the file upload form. Vulnerability can be exploited without authentication. This Proof of Concept h...
packagist
No PRs yet
Yeswiki Vulnerable to Authenticated Reflected Cross-site Scripting
GHSA-cg4f-cq8h-3ch8 CVE-2025-46350 LOW 7 months ago
### Summary **Vulnerable Version:** Yeswiki < v4.5.4 **Vulnerable Endpoint:** `/?PagePrincipale%2Fdeletepage` **Vulnerable Parameter:** `incomingur...
packagist
No PRs yet
Yeswiki Vulnerable to Unauthenticated Reflected Cross-site Scripting
GHSA-ggqx-43h2-55jp CVE-2025-46550 MODERATE 7 months ago
### Summary **Vulnerable Version:** Yeswiki < v4.5.4 **Category:** Injection **CWE: 79:** Improper Neutralization of Input During Web Page Generati...
packagist
No PRs yet
Yeswiki Vulnerable to Unauthenticated Reflected Cross-site Scripting
GHSA-r9gv-qffm-xw6f CVE-2025-46549 MODERATE 7 months ago
### Summary **Vulnerable Version:** Yeswiki < v4.5.4 **Category:** Injection **CWE: 79:** Improper Neutralization of Input During Web Page Generat...
packagist
No PRs yet
Moodle allows IDOR when accessing the cohorts report
GHSA-34g7-pg9j-pxgp CVE-2025-3647 MODERATE 7 months ago
A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.
packagist
No PRs yet
Moodle's mod_data edit/delete pages pass CSRF token in GET parameter
GHSA-9vc3-vm42-fjhm CVE-2025-3637 LOW 7 months ago
A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publ...
packagist
No PRs yet
Moodle allows IDOR in RSS block, which allows access to additional RSS feeds
GHSA-chmf-m33p-ph8m CVE-2025-3636 MODERATE 7 months ago
A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks.
packagist
No PRs yet
Moodle has an authenticated remote code execution risk in the Moodle LMS EQUELLA repository
GHSA-m367-445c-2xqr CVE-2025-3642 HIGH 7 months ago
A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available t...
packagist
No PRs yet
Moodle has reflected Cross-site Scripting risk in policy tool
GHSA-hxgg-4qww-85ph CVE-2025-3643 MODERATE 7 months ago
A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.
packagist
No PRs yet
Moodle has an authenticated remote code execution risk in the Moodle LMS Dropbox repository
GHSA-c8v6-vxhf-wcrr CVE-2025-3641 HIGH 7 months ago
A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available t...
packagist
No PRs yet
Moodle has an IDOR in web service which allows users enrolled in a course to access some details of other users
GHSA-6g5x-h5x7-q4mq CVE-2025-3640 MODERATE 7 months ago
A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the ful...
packagist
No PRs yet
Moodle has an IDOR in messaging web service which allows access to some user details
GHSA-pj96-xh2w-fgqx CVE-2025-3645 MODERATE 7 months ago
A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.
packagist
No PRs yet
Moodle has a CSRF risk in Brickfield tool's analysis request action
GHSA-m8qh-hx4c-h9hr CVE-2025-3638 LOW 7 months ago
A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request ...
packagist
No PRs yet
Moodle has a CSRF risk in user tours manager that allows tour duplication
GHSA-88xj-97gf-7wpq CVE-2025-3635 LOW 7 months ago
A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protect...
packagist
No PRs yet
Moodle's AJAX section delete does not respect course_can_delete_section()
GHSA-cpm7-mv33-jwf8 CVE-2025-3644 MODERATE 7 months ago
A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.
packagist
No PRs yet
Moodle makes some user data available before completing second factor with MFA enabled
GHSA-x45j-jq9q-gf3q CVE-2025-3627 MODERATE 7 months ago
A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish ve...
packagist
No PRs yet
Moodle self enrollment available before completing second factor with MFA enabled
GHSA-qhc7-xhc2-7p7w CVE-2025-3634 MODERATE 7 months ago
A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety ...
packagist
No PRs yet
Moodle allows unauthenticated REST API user data exposure
GHSA-345q-9jmq-g9q4 CVE-2025-32044 HIGH 7 months ago
A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data—including names, contact inf...
packagist
No PRs yet
Moodle reveals student identities through assignment submissions search on anonymous submissions
GHSA-69m9-rprc-2x7g CVE-2025-3628 MODERATE 7 months ago
A flaw was found in Moodle where anonymous assignment submissions can be de-anonymized via search, revealing student identities.
packagist
No PRs yet
Moodle shows hidden grades to users without permission on some grade reports
GHSA-8m7c-hm88-2p97 CVE-2025-32045 MODERATE 7 months ago
A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions ...
packagist
No PRs yet
Craft CMS Allows Remote Code Execution
GHSA-f3gw-9ww9-jmc3 CVE-2025-32432 CRITICAL 7 months ago
### Impact This is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g This is a high-impact, low-compl...
packagist
No PRs yet
Laravel Starter Cross Site Scripting (XSS)
GHSA-fpx3-h2pc-88vf CVE-2025-26159 MODERATE 7 months ago
Laravel Starter 11.11.0 is vulnerable to Cross Site Scripting (XSS) in the tags feature. Any user with the ability to create or modify tags can inj...
packagist
No PRs yet
croogo Host header injection
GHSA-847x-x4jg-6gf4 CVE-2024-29643 MODERATE 7 months ago
An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component.
packagist
No PRs yet
PEAR HTTP_Request2 vulnerable to Cross-site Scripting
GHSA-w7gh-f2fm-9q8r CVE-2025-43717 MODERATE 7 months ago
In PEAR HTTP_Request2 before 2.7.0, multiple files in the tests directory, notably tests/_network/getparameters.php and tests/_network/postparamete...
packagist
No PRs yet
DevDojo Voyager Argument Injection vulnerability
GHSA-qq2h-m2hj-hrff CVE-2025-32931 CRITICAL 8 months ago
DevDojo Voyager 1.4.0 through 1.8.0, when Laravel 8 or later is used, allows authenticated administrators to execute arbitrary OS commands via a sp...
packagist
No PRs yet