Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,784 Total Advisories
1,790 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity
Contao is vulnerable to cross-site scripting in templates
GHSA-68q5-78xp-cwwc CVE-2025-65961 LOW 1 day ago
### Impact
It is possible to inject code into the template output that will be executed in the browser in the front end and back end.
### Patches...
packagist
No PRs yet
phppgadmin vulnerable to Cross-site Scripting
GHSA-h369-cpjj-qfff CVE-2025-60796 LOW 7 days ago
phpPgAdmin versions 7.13.0 and earlier contain multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied inputs ...
packagist
No PRs yet
Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
GHSA-mhpg-hpj5-73r2 CVE-2025-13083 LOW 8 days ago
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Contr...
packagist
No PRs yet
Drupal core allows Forceful Browsing
GHSA-83v7-c2cf-p9c2 CVE-2025-13080 LOW 8 days ago
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: ...
packagist
No PRs yet
Drupal core allows Content Spoofing
GHSA-h89p-5896-f4q8 CVE-2025-13082 LOW 8 days ago
User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupa...
packagist
No PRs yet
Drupal Simple multi step form allows Cross-Site Scripting
GHSA-gg35-374m-9ph8 CVE-2025-12761 LOW 8 days ago
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Si...
packagist
No PRs yet
LibreNMS has Weak Password Policy
GHSA-5mrf-j8v6-f45g CVE-2025-65014 LOW 8 days ago
## Summary
A **Weak Password Policy** vulnerability was identified in the user management functionality of the _LibreNMS_ application. This vulner...
packagist
No PRs yet
PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users
GHSA-r9x7-7ggj-fx9f CVE-2025-64711 LOW 12 days ago
## Summary
Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a ...
packagist
No PRs yet
Drupal Umami Analytics allows Cross-Site Scripting (XSS)
GHSA-jxp8-4jw5-5xjc CVE-2025-10931 LOW 28 days ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scri...
packagist
No PRs yet
Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice
GHSA-3cpp-fv95-mpr5 LOW about 1 month ago
### Impact
This vulnerability allows malicious actors to force the application server to send HTTP requests to both external and internal servers. ...
packagist
No PRs yet
Shopware vulnerable to path traversal via Plugin upload
GHSA-6wh5-mw9h-5c3w LOW about 1 month ago
### Impact
Malicious actors can exploit this vulnerability to write files within arbitrary directories on the filesystem of the Shopware web contai...
packagist
No PRs yet
TastyIgniter vulnerable to Cross-Site Scripting
GHSA-4vrf-42cm-7xfw CVE-2025-61417 LOW about 1 month ago
Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicio...
packagist
No PRs yet
LibreNMS alert-rules has a Cross-Site Scripting Vulnerability
GHSA-6g2v-66ch-6xmh CVE-2025-62412 LOW about 1 month ago
## Executive Summary
**Product:** LibreNMS
**Vendor:** LibreNMS
**Vulnerability Type:** Cross-Site Scripting (XSS)
**CVSS Score:** 4.3 (AV:N...
packagist
No PRs yet
PrestaShop Checkout Target PayPal merchant account hijacking from backoffice
GHSA-wvpg-4wrh-5889 CVE-2025-61924 LOW about 1 month ago
### Impact
Wrong usage of the PHP `array_search()` allows bypass of validation.
### Patches
The problem has been patched in versions:
- v4.4.1 for...
packagist
No PRs yet
drupal-pattern-lab/unified-twig-extensions is vulnerable to XSS
GHSA-64mv-9655-37hx CVE-2025-11570 LOW about 2 months ago
Versions of the package drupal-pattern-lab/unified-twig-extensions from 0.0.0 are vulnerable to Cross-site Scripting (XSS) due to insufficient filt...
packagist
No PRs yet
NovoSGA: Manipulation of User Creation Page can lead to weak password requirements
GHSA-xgr2-5837-hf48 CVE-2025-11322 LOW about 2 months ago
A flaw has been found in Mangati NovoSGA up to 2.2.12. The impacted element is an unknown function of the file /novosga.users/new of the component ...
packagist
No PRs yet
Auth0 Symfony SDK Does Not Properly Handle File Types in Bulk User Import
GHSA-7jp2-5h22-m432 LOW about 2 months ago
### Overview
In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
Auth0 Wordpress plugin Does Not Properly Handle File Types in Bulk User Import
GHSA-w22c-pw5m-482x LOW about 2 months ago
### Overview
In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
laravel-auth0 SDK Does Not Properly Handle File Types in Bulk User Import
GHSA-hjfh-5jmm-xr24 LOW about 2 months ago
### Overview
In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
auth0-PHP SDK Does Not Properly Handle File Types in Bulk User Import
GHSA-9mh6-g99m-ppcw CVE-2025-58769 LOW about 2 months ago
### Overview
In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
Mangati NovoSGA XSS vulnerability in /admin
GHSA-4c44-r8rm-3p39 CVE-2025-10909 LOW 2 months ago
A security flaw has been discovered in Mangati NovoSGA up to 2.2.9. The impacted element is an unknown function of the file /admin of the component...
packagist
No PRs yet
GP247 and S-Cart have a stored cross-site scripting (XSS) vulnerability
GHSA-46v4-5mc8-q2cf CVE-2025-57407 LOW 2 months ago
A stored cross-site scripting (XSS) vulnerability in the Admin Log Viewer of S-Cart <=10.0.3 allows a remote authenticated attacker to inject arbit...
packagist
No PRs yet
TYPO3 "Form to Database" extension susceptible to Cross-site Scripting
GHSA-54pg-2x9h-cmx8 CVE-2025-10316 LOW 2 months ago
The extension "Form to Database" is susceptible to Cross-Site Scripting. This issue affects the following versions: before 2.2.5, from 3.0.0 before...
packagist
No PRs yet
Mautic vulnerable to SSRF via webhook function
GHSA-hj6f-7hp7-xg69 CVE-2025-9821 LOW 3 months ago
### Summary
Users with webhook permissions can conduct SSRF via webhooks. If they have permission to view the webhook logs, the (partial) request r...
packagist
No PRs yet
UnoPim has CSV Injection on Quick Export feature
GHSA-74rg-6f92-g6wx CVE-2025-55745 LOW 3 months ago
### Summary
Description:
`CSV Injection` or `Formula Injection` is a security vulnerability that occurs when malicious content is inserted into a C...
packagist
No PRs yet
Concrete CMS is vulnerable to Stored XSS from Home Folder on Members Dashboard page
GHSA-c5xf-rmv4-j85h CVE-2025-8573 LOW 4 months ago
Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue...
packagist
No PRs yet
Microweber Has Stored XSS Vulnerability in User Profile Fields
GHSA-782f-gxj5-xvqc CVE-2025-51503 LOW 4 months ago
A Stored Cross-Site Scripting (XSS) vulnerability in Microweber CMS 2.0 allows attackers to inject malicious scripts into user profile fields, lead...
packagist
No PRs yet
JuzaWeb CMS is vulnerable to Incorrect Privilege Assignment when installing Import Page component
GHSA-rq7x-cfmc-rq3w CVE-2025-6735 LOW 5 months ago
A vulnerability classified as critical has been found in JuzaWeb CMS 3.4.2. Affected is an unknown function of the file /admin-cp/imports of the co...
packagist
No PRs yet
JuzaWeb CMS is vulnerable to Incorrect Privilege Assignment when installing certain components
GHSA-mrph-pjv2-34f4 CVE-2025-6736 LOW 5 months ago
A vulnerability classified as critical was found in juzaweb CMS 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admi...
packagist
No PRs yet
Magento Authenticated Security feature bypass
GHSA-85jx-x9r4-45m2 CVE-2025-49549 LOW 5 months ago
Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could r...
packagist
No PRs yet
handcraftedinthealps/goodby-csv has Potential Gadget Chain allowing Remote Code Execution
GHSA-x3c7-22c8-prg7 CVE-2025-49597 LOW 6 months ago
### Impact
goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an ...
packagist
1 Dependabot PR
The Backup Plus extension for TYPO3 (ns_backup) allows XSS
GHSA-xg53-mhh9-3cq7 CVE-2025-48206 LOW 6 months ago
The ns_backup extension through 13.0.0 for TYPO3 allows XSS.
packagist
No PRs yet
TYPO3 Unverified Password Change for Backend Users
GHSA-3jrg-97f3-rqh9 CVE-2025-47938 LOW 6 months ago
### Problem
The backend user management interface allows password changes without requiring the current password. When an administrator updates the...
packagist
No PRs yet
TYPO3 Allows Information Disclosure via DBAL Restriction Handling
GHSA-x8pv-fgxp-8v3x CVE-2025-47937 LOW 6 months ago
### Problem
When performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are...
packagist
No PRs yet
TYPO3 CMS Webhooks Server Side Request Forgery
GHSA-p4xx-m758-3hpx CVE-2025-47936 LOW 6 months ago
### Problem
Webhooks are inherently vulnerable to Server-Side Request Forgery (SSRF), which can be exploited by adversaries to target internal reso...
packagist
No PRs yet
LibreNMS stored Cross-site Scripting vulnerability in poller group name
GHSA-hxw5-9cc5-cmw5 CVE-2025-47931 LOW 6 months ago
### LibreNMS v25.4.0 suffers from Stored Cross-Site Scripting (XSS) Vulnerability in the 'group name' parameter of the 'http://localhost/poller/gro...
packagist
No PRs yet
Kirby vulnerable to path traversal in the router for PHP's built-in server
GHSA-9p3p-w5jf-8xxg CVE-2025-30207 LOW 7 months ago
### TL;DR
This vulnerability affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development....
packagist
15 Dependabot PRs, 23% merged
October CMS Allows Unprotected SVG Rename in Media Manager
GHSA-96hh-8hx5-cpw7 CVE-2024-51991 LOW 7 months ago
### Impact
This advisory affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configura...
packagist
No PRs yet
YesWiki Stored XSS Vulnerability in Comments
GHSA-59x8-cvxh-3mm4 CVE-2025-46346 LOW 7 months ago
### Summary
A stored cross-site scripting (XSS) vulnerability was discovered in the application’s comments feature. This issue allows a malicious ...
packagist
No PRs yet
Yeswiki Vulnerable to Authenticated Reflected Cross-site Scripting
GHSA-cg4f-cq8h-3ch8 CVE-2025-46350 LOW 7 months ago
### Summary
**Vulnerable Version:** Yeswiki < v4.5.4
**Vulnerable Endpoint:** `/?PagePrincipale%2Fdeletepage`
**Vulnerable Parameter:** `incomingur...
packagist
No PRs yet
Moodle's mod_data edit/delete pages pass CSRF token in GET parameter
GHSA-9vc3-vm42-fjhm CVE-2025-3637 LOW 7 months ago
A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publ...
packagist
No PRs yet
Moodle has a CSRF risk in Brickfield tool's analysis request action
GHSA-m8qh-hx4c-h9hr CVE-2025-3638 LOW 7 months ago
A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request ...
packagist
No PRs yet
Moodle has a CSRF risk in user tours manager that allows tour duplication
GHSA-88xj-97gf-7wpq CVE-2025-3635 LOW 7 months ago
A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protect...
packagist
No PRs yet
Shopware default newsletter opt-in settings allow for mass sign-up abuse
GHSA-4h9w-7vfp-px8m CVE-2025-32378 LOW 8 months ago
### Impact
Currently the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation.
Default settings...
packagist
No PRs yet
Magento does not properly protect credentials
GHSA-2r94-wm5v-4prx CVE-2025-27192 LOW 8 months ago
Magento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerab...
packagist
No PRs yet
Pimcore's Admin Classic Bundle allows HTML Injection
GHSA-x82r-6j37-vrgg CVE-2025-30166 LOW 8 months ago
### Summary
An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via ...
packagist
No PRs yet
Drupal Formatter Suite Vulnerable to Cross-Site Scripting (XSS) via Link Element Attributes
GHSA-5r66-vgc7-2mm3 CVE-2025-31697 LOW 8 months ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Formatter Suite allows Cross-Site Scri...
packagist
No PRs yet
Drupal RapiDoc OAS Field Formatter Cross-Site Scripting (XSS) vulnerability
GHSA-86h4-w859-3hhv CVE-2025-31696 LOW 8 months ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal RapiDoc OAS Field Formatter allows Cro...
packagist
No PRs yet
Drupal Link field display mode formatter Cross-Site Scripting (XSS) vulnerability
GHSA-p2wg-8h29-874v CVE-2025-31695 LOW 8 months ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Link field display mode formatter allo...
packagist
No PRs yet
Drupal Matomo Analytics Cross-Site Request Forgery (CSRF) vulnerability
GHSA-jh66-rjx8-8qqc CVE-2025-31680 LOW 8 months ago
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Matomo Analytics allows Cross Site Request Forgery. This issue affects Matomo Analytics: ...
packagist
No PRs yet