An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,785 total advisories
1,792 with Dependabot PRs
3,506 critical severity
8,617 high severity

DevDojo Voyager vulnerable to reflected Cross-site Scripting
GHSA-mm49-4f2g-c3wf CVE-2024-55416 LOW 10 months ago
DevDojo Voyager through version 1.8.0 is vulnerable to reflected XSS via /admin/compass. By manipulating an authenticated user to click on a link, ...
packagist
No PRs yet
DevDojo Voyager vulnerable to path traversal
GHSA-j63m-2vr6-fv7m CVE-2024-55415 HIGH 10 months ago
DevDojo Voyager through 1.8.0 is vulnerable to path traversal at the /admin/compass.
packagist
No PRs yet
Twig security issue where escaping was missing when using null coalesce operator
GHSA-3xg3-cgvq-2xwr CVE-2025-24374 MODERATE 10 months ago
When using the `??` operator, output escaping was missing for the expression on the left side of the operator.
packagist
No PRs yet
TYPO3-EXT-SA-2025-001: Account Takeover in extension "OpenID Connect Authentication" (oidc)
GHSA-hj78-p4h7-m5fv CVE-2025-24856 MODERATE 10 months ago
## Problem Description A vulnerability in the account linking logic of the extension allows a pre-hijacking attack leading to Account Takeover. The...
packagist
No PRs yet
pimcore/customer-data-framework vulnerable to SQL Injection
GHSA-q53r-9hh9-w277 CVE-2024-11956 MODERATE 10 months ago
An SQL injection vulnerability allows any authenticated user to execute arbitrary SQL commands on the server. This can lead to unauthorized access ...
packagist
No PRs yet
Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document
GHSA-xr3m-6gq6-22cg CVE-2024-11954 HIGH 10 months ago
### Summary A Stored Cross-Site Scripting (XSS) vulnerability in PIMCORE allows remote attackers to inject arbitrary web script or HTML via the P...
packagist
No PRs yet
Dolibarr Cross-site Scripting vulnerability
GHSA-2v3r-gvq5-qqgh CVE-2024-55227 LOW 10 months ago
A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts o...
packagist
No PRs yet
Dolibarr Cross-site Scripting vulnerability
GHSA-x2j8-vjg7-386r CVE-2024-55228 LOW 10 months ago
A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML...
packagist
No PRs yet
Reflected Cross Site Scripting (XSS) in error message
GHSA-74j9-xhqr-6qv3 LOW 10 months ago
If a website has been set to the "dev" environment mode, a URL can be provided which includes an XSS payload which will be executed in the resultin...
packagist
No PRs yet
phpMyAdmin XSS when checking tables
GHSA-222v-cx2c-q2f5 CVE-2025-24530 MODERATE 10 months ago
An issue was discovered in phpMyAdmin 5.x before 5.2.2. An XSS vulnerability has been discovered for the check tables feature. A crafted table or d...
packagist
No PRs yet
ps_contactinfo has a potential XSS due to usage of the nofilter tag in template
GHSA-35pq-7pv2-2rfw CVE-2025-24027 MODERATE 10 months ago
### Impact This can not be exploited in a fresh install of PrestaShop, only shops made vulnerable by third party modules are concerned. For examp...
packagist
No PRs yet
Missing validation of header name and value in codeigniter4/framework
GHSA-x5mq-jjr3-vmx6 CVE-2025-24013 MODERATE 10 months ago
### Impact Lack of proper header validation for its name and value. The potential attacker can construct deliberately malformed headers with `Heade...
packagist
No PRs yet
Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet
GHSA-79xx-vf93-p7cx CVE-2025-22131 MODERATE 10 months ago
### Summary The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file in...
packagist
No PRs yet
Authenticated arbitrary file deletion in YesWiki
GHSA-43c9-gw4x-pcx6 CVE-2025-24019 HIGH 10 months ago
# Authenticated arbitrary file deletion in YesWiki <= 4.4.5 ### Summary It is possible for any authenticated user, through the use of the filemana...
packagist
No PRs yet
Authenticated Stored XSS in YesWiki
GHSA-w59h-3x3q-3p6j CVE-2025-24018 HIGH 10 months ago
# Authenticated Stored XSS in YesWiki <= 4.4.5 ### Summary It is possible for an authenticated user with rights to edit/create a page or comment t...
packagist
No PRs yet
Unauthenticated DOM Based XSS in YesWiki
GHSA-wphc-5f2j-jhvg CVE-2025-24017 HIGH 10 months ago
# Unauthenticated DOM Based XSS in YesWiki <= 4.4.5 ### Summary It is possible for any end-user to craft a DOM based XSS on all of YesWiki's pages...
packagist
No PRs yet
Craft CMS has a potential RCE with a compromised security key
GHSA-x684-96hh-833x CVE-2025-23209 HIGH 10 months ago
### Impact This is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. https://craftcm...
packagist
No PRs yet
Librenms has a reflected XSS on error alert
GHSA-g84x-g96g-rcjc CVE-2025-23201 MODERATE 11 months ago
XSS on the parameters:`/addhost` -> param: community of Librenms versions 24.10.1 ([https://github.com/librenms/librenms](https://github.com/libr...
packagist
No PRs yet
LibreNMS Misc Section Stored Cross-site Scripting vulnerability
GHSA-c66p-64fj-jmc2 CVE-2025-23200 MODERATE 11 months ago
# StoredXSS-LibreNMS-MiscSection **Description:** Stored XSS on the parameter: `ajax_form.php` -> param: state Request: ```http POST /ajax_for...
packagist
No PRs yet
LibreNMS Ports Stored Cross-site Scripting vulnerability
GHSA-27vf-3g4f-6jp7 CVE-2025-23199 MODERATE 11 months ago
# StoredXSS-LibreNMS-Ports **Description:** Stored XSS on the parameter: `/ajax_form.php` -> param: descr Request: ```http POST /ajax_form.php...
packagist
No PRs yet
LibreNMS Display Name Stored Cross-site Scripting vulnerability
GHSA-pm8j-3v64-92cq CVE-2025-23198 MODERATE 11 months ago
**Description:** XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):`/device/$DEVICE_ID/edit` -> param: display of ...
packagist
No PRs yet
LibreNMS Display Name 2 Stored Cross-site Scripting vulnerability
GHSA-2f4w-6mc7-4w78 CVE-2024-56144 MODERATE 11 months ago
# StoredXSS-LibreNMS-Display Name 2 **Description:** XSS on the parameters (Replace $DEVICE_ID with your specific $DEVICE_ID value):`/device/$D...
packagist
No PRs yet
Crayfish allows Remote Code Execution via Homarus Authorization header
GHSA-mm6v-68qp-f9fw CVE-2025-25286 CRITICAL 11 months ago
### Impact Remote code execution may be possible in web-accessible installations of Homarus in certain configurations. ### Patches The issue has...
packagist
No PRs yet
Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message
GHSA-mqf3-qpc3-g26q LOW 11 months ago
> [!IMPORTANT] > This vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has...
packagist
No PRs yet
Silverstripe Framework has a XSS in form messages
GHSA-ff6q-3c9c-6cf5 CVE-2024-53277 MODERATE 11 months ago
In some cases, form messages can contain HTML markup. This is an intentional feature, allowing links and other relevant HTML markup for the given m...
packagist
No PRs yet
Silverstripe Framework has a XSS via insert media remote file oembed
GHSA-7cmp-cgg8-4c82 CVE-2024-47605 MODERATE 11 months ago
### Impact When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. ...
packagist
No PRs yet
Mediawiki - DataTransfer Extension Cross-Site Request Forgery (CSRF) and Cross-site Scripting (XSS)
GHSA-c3h5-h73c-29hq CVE-2025-23081 MODERATE 11 months ago
Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wik...
packagist
No PRs yet
TYPO3 DB Check Module vulnerable to Cross-Site Request Forgery
GHSA-8mv3-37rc-pvxj CVE-2024-55945 MODERATE 11 months ago
### Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality ...
packagist
No PRs yet
TYPO3 Scheduler Module vulnerable to Cross-Site Request Forgery
GHSA-7835-fcv3-g256 CVE-2024-55924 HIGH 11 months ago
### Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality ...
packagist
No PRs yet
TYPO3 Indexed Search Module vulnerable to Cross-Site Request Forgery
GHSA-7r5q-4qgx-v545 CVE-2024-55923 MODERATE 11 months ago
### Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality ...
packagist
No PRs yet
TYPO3 Form Framework Module vulnerable to Cross-Site Request Forgery
GHSA-ww7h-g2qf-7xv6 CVE-2024-55922 MODERATE 11 months ago
### Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality ...
packagist
No PRs yet
TYPO3 Extension Manager Module vulnerable to Cross-Site Request Forgery
GHSA-4g52-pq8j-6qv5 CVE-2024-55921 HIGH 11 months ago
### Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality ...
packagist
No PRs yet
TYPO3 Cross-Site Request Forgery in Dashboard Module
GHSA-qwx7-39pw-2mhr CVE-2024-55920 MODERATE 11 months ago
### Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality ...
packagist
No PRs yet
TYPO3 Cross-Site Request Forgery in Backend User Module
GHSA-6w4x-gcx3-8p7v CVE-2024-55894 MODERATE 11 months ago
### Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality ...
packagist
No PRs yet
TYPO3 Cross-Site Request Forgery in Log Module
GHSA-cjfr-9f5r-3q93 CVE-2024-55893 MODERATE 11 months ago
### Problem A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality ...
packagist
No PRs yet
TYPO3 Potential Open Redirect via Parsing Differences
GHSA-2fx5-pggv-6jjr CVE-2024-55892 MODERATE 11 months ago
### Problem Applications that use `TYPO3\CMS\Core\Http\Uri` to parse externally provided URLs (e.g., via a query parameter) and validate the host o...
packagist
No PRs yet
TYPO3 Information Disclosure via Exception Handling/Logger
GHSA-38x7-cc6w-j27q CVE-2024-55891 LOW 11 months ago
### Problem It has been discovered that the install tool password has been logged as plaintext in case the password hashing mechanism used for the ...
packagist
No PRs yet
Microweber Cross-site Scripting vulnerability
GHSA-j4v9-cm37-h7c2 CVE-2024-33297 MODERATE 11 months ago
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) f...
packagist
No PRs yet
Microweber Cross-site Scripting vulnerability
GHSA-w5g5-4jj3-8f6v CVE-2024-33298 MODERATE 11 months ago
Microweber Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup fu...
packagist
No PRs yet
Microweber Cross-site Scripting vulnerability
GHSA-97h9-p9f8-4p3r CVE-2024-33299 MODERATE 11 months ago
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parame...
packagist
No PRs yet
Drupal Open Social allows Functionality Misuse
GHSA-63wg-87qv-rw4r CVE-2024-13274 MODERATE 11 months ago
The distribution didn't validate the flood control limits on the password reset form correctly resulting in a potential attacker flooding the passw...
packagist
No PRs yet
Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale
GHSA-j3f9-p6hm-5w6q CVE-2025-22145 MODERATE 11 months ago
### Impact Application passing unsanitized user input to `Carbon::setLocale` are at risk of arbitrary file include, if the application allows users...
packagist
4 Dependabot PRs (25% merged)
PHP-Textile has persistent XSS vulnerability in image link handling
GHSA-95m2-chm4-mq7m HIGH 11 months ago
### Details Persistent XSS vulnerability in image link handling of PHP-Textile versions 4.1.2 and older, when running the parser in restricted mod...
packagist
No PRs yet
REDAXO CMS Cross-site Scripting vulnerability
GHSA-2p95-8xvm-2pjx CVE-2024-46209 LOW 11 months ago
A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web...
packagist
No PRs yet
Grav Cross-site Scripting vulnerability
GHSA-m78c-qx99-mvw9 CVE-2024-35498 LOW 11 months ago
A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
packagist
No PRs yet
Guzzle OAuth Subscriber has insufficient nonce entropy
GHSA-237r-r8m4-4q88 CVE-2025-21617 MODERATE 11 months ago
### Impact Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source (https://github.com/guzzle/oauth-su...
packagist
2 Dependabot PRs
Extension:TabberNeue vulnerable to Cross-site Scripting
GHSA-4x6x-8rm8-c37j CVE-2025-21612 HIGH 11 months ago
### Summary There are several sources of arbitrary, unescaped user input being used to construct HTML, which allows any user that can edit pages or...
packagist
No PRs yet
PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters
GHSA-q9jv-mm3r-j47r CVE-2024-56412 MODERATE 11 months ago
# Bypass XSS sanitizer using the javascript protocol and special characters **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE...
packagist
No PRs yet
PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header
GHSA-hwcp-2h35-p66w CVE-2024-56411 MODERATE 11 months ago
# Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header **Product**: Phpspreadsheet **Version**: version 3.6.0 **...
packagist
No PRs yet
PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties
GHSA-wv23-996v-q229 CVE-2024-56410 MODERATE 11 months ago
# Cross-Site Scripting (XSS) vulnerability in custom properties **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Imprope...
packagist
No PRs yet