Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617
Formie has XSS vulnerability for email notification content for preview
GHSA-2xm2-23ff-p8ww CVE-2025-32426 MODERATE 8 months ago
### Impact
It is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is ...
packagist
No PRs yet
Formie has XSS vulnerability for importing forms
GHSA-p9hh-mh5x-wvx3 CVE-2025-32427 MODERATE 8 months ago
### Impact
When importing a form from JSON, if the field label or handle contained malicious content, the output wasn't correctly escaped when view...
packagist
No PRs yet
Yii does not prevent XSS in scenarios where fallback error renderer is used
GHSA-7r2v-8wxr-3ch5 CVE-2025-32027 MODERATE 8 months ago
### Impact
Affected versions of yiisoft/yii are vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used.
### P...
packagist
No PRs yet
Silverstripe Framework user enumeration via timing attack on login and password reset forms
GHSA-256q-hx8w-xcqx MODERATE 8 months ago
### Impact
User enumeration is possible by performing a timing attack on the login or password reset pages with user credentials.
This was origina...
packagist
No PRs yet
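The timing-based enumeration described in the Silverstripe advisory comes from a login path that does no password hashing when the account does not exist, so an "unknown user" response returns measurably faster than a "wrong password" one. The following Python block is an added illustration of that pattern and its fix; it is not Silverstripe code. The user store, the PBKDF2 iteration count and the dummy hash are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed demo parameters (not from the advisory): a slow hash with a
# modest iteration count so the example runs quickly.
ITERATIONS = 50_000


def make_hash(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table with a single account.
USERS = {"alice": make_hash("correct horse battery staple")}

# Verified whenever the account does not exist, so the "unknown user" path
# costs the same hashing work as the "wrong password" path.
DUMMY_SALT, DUMMY_HASH = make_hash("unused-dummy-password")


def login_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: returns before hashing for unknown accounts, so an
    attacker can tell valid usernames from invalid ones by response time."""
    record = USERS.get(username)
    if record is None:
        return False                      # fast path: no hashing performed
    salt, expected = record
    _, candidate = make_hash(password, salt)
    return hmac.compare_digest(candidate, expected)


def login_constant(username: str, password: str) -> bool:
    """Hardened pattern: one hash computation and one constant-time comparison
    happen on every call, whether or not the account exists."""
    record = USERS.get(username)
    if record is None:
        salt, expected, exists = DUMMY_SALT, DUMMY_HASH, False
    else:
        (salt, expected), exists = record, True
    _, candidate = make_hash(password, salt)
    ok = hmac.compare_digest(candidate, expected)
    return ok and exists


def time_call(fn, *args, rounds: int = 20) -> float:
    """Median wall-clock seconds for fn(*args); for illustration only."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(*args)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    for name, fn in (("leaky", login_leaky), ("constant", login_constant)):
        t_unknown = time_call(fn, "nobody", "wrong")
        t_known = time_call(fn, "alice", "wrong")
        print(f"{name:9s} unknown-user {t_unknown * 1e3:7.2f} ms  "
              f"known-user {t_known * 1e3:7.2f} ms")
```

Run the block directly to see the gap between the two paths for `login_leaky` and its absence for `login_constant`. The same idea applies to password reset forms: perform the same work and return the same message whether or not the address is registered.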
Silverstripe Framework has a XSS vulnerability in HTML editor
GHSA-rhx4-hvx9-j387 CVE-2025-30148 MODERATE 8 months ago
### Impact
A bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used...
packagist
1 Dependabot PR
Silverstripe cross-site scripting (XSS) attack in elemental "Content blocks in use" report
GHSA-x8xm-c7p8-2pj2 CVE-2025-25197 MODERATE 8 months ago
An elemental block can include an XSS payload, which can be executed when viewing the "Content blocks in use" report.
The vulnerability is specifi...
packagist
No PRs yet
ibexa/fieldtype-richtext allows access to external entities in XML
GHSA-cj3w-g42v-wcj6 HIGH 8 months ago
### Impact
This security advisory resolves a vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText XM...
packagist
No PRs yet
ezsystems/ezplatform-richtext allows access to external entities in XML
GHSA-2jqj-5qv2-xvcg HIGH 8 months ago
### Impact
This security advisory resolves a vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText XM...
packagist
No PRs yet
yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
GHSA-ggwg-cmwp-46r5 CVE-2024-58136 CRITICAL 8 months ago
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the w...
packagist
No PRs yet
Shopware default newsletter opt-in settings allow for mass sign-up abuse
GHSA-4h9w-7vfp-px8m CVE-2025-32378 LOW 8 months ago
### Impact
Currently the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation.
Default settings...
packagist
No PRs yet
wallabag/wallabag Has Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities
GHSA-5pm7-cp8f-p2c2 MODERATE 8 months ago
## Impact
wallabag versions prior to 2.6.11 were discovered to contain multiple Cross-Site Request Forgery (CSRF) vulnerabilities across several e...
packagist
No PRs yet
Magento Improper Access Control leads to Security feature bypass
GHSA-vhcq-4xrm-2cr2 CVE-2025-27191 MODERATE 8 months ago
Magento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that co...
packagist
No PRs yet
Magento Improper Authorization vulnerability
GHSA-rr2g-rrjj-xw86 CVE-2025-27188 MODERATE 8 months ago
Magento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Authorization vulnerability that cou...
packagist
No PRs yet
Magento does not properly protect credentials
GHSA-2r94-wm5v-4prx CVE-2025-27192 LOW 8 months ago
Magento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerab...
packagist
No PRs yet
Magento Improper Access Control leads to Security feature bypass
GHSA-6wq7-cg9h-mj6q CVE-2025-27190 MODERATE 8 months ago
Magento versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Improper Access Control vulnerability that co...
packagist
No PRs yet
RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency
GHSA-g9pc-8g42-g6vq CVE-2025-22871 CRITICAL 8 months ago
The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can per...
packagist
1 Dependabot PR
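The RoadRunner advisory concerns a chunk-size line terminated by a bare LF instead of CRLF. Request smuggling becomes possible when one hop (say, a proxy) rejects or reads such a line differently from the next hop (a Go net/http server). The following Python block is an added example, not RoadRunner or Go standard-library code: a minimal chunked decoder with a strict mode (RFC 9112 CRLF only) and a lenient mode that mirrors the behaviour the advisory describes, plus a helper that reports when the two disagree on a constructed body.

```python
import re

HEX = re.compile(rb"[0-9A-Fa-f]+")


def decode_chunked(body: bytes, strict: bool = True) -> bytes:
    """Decode an HTTP/1.1 chunked transfer-coding body.

    strict=True  : every chunk-size line must end in CRLF (RFC 9112).
    strict=False : a bare LF also terminates the chunk-size line, the lenient
                   behaviour the advisory describes.
    Raises ValueError on anything malformed.
    """
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\n", pos)
        if nl < 0:
            raise ValueError("truncated chunk-size line")
        line = body[pos:nl]
        if line.endswith(b"\r"):
            line = line[:-1]
        elif strict:
            raise ValueError("bare LF terminates chunk-size line")
        # chunk-size is hex, optionally followed by ';' chunk extensions
        size_txt = line.split(b";", 1)[0].strip()
        if not HEX.fullmatch(size_txt):
            raise ValueError("bad chunk size %r" % size_txt)
        size = int(size_txt, 16)
        pos = nl + 1
        if size == 0:
            # last-chunk; with no trailers the body ends with one more CRLF
            if body[pos:pos + 2] != b"\r\n":
                raise ValueError("malformed trailer section")
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def parsers_disagree(body: bytes) -> bool:
    """True when a strict and a lenient decoder reach different results for the
    same bytes: the precondition for smuggling when they sit at different hops."""
    results = []
    for strict in (True, False):
        try:
            results.append(decode_chunked(body, strict=strict))
        except ValueError:
            results.append(None)
    return results[0] != results[1]


# Constructed sample bodies for the demo.
WELL_FORMED = b"5\r\nhello\r\n0\r\n\r\n"
BARE_LF = b"5\nhello\r\n0\r\n\r\n"      # chunk-size line ends in LF only
```

A front end that rejects `BARE_LF` while a back end accepts it (or the reverse) lets an attacker choose which hop sees a second request inside the body, so the fix is to make both ends strict rather than to make one of them more forgiving.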
Joomla Framework Database Package Vulnerable to SQL Injection
GHSA-44v2-prcf-pc3m CVE-2025-25226 MODERATE 8 months ago
Improper handling of identifiers leads to a SQL injection vulnerability in the quoteNameStr method of the database package. Please note: the affecte...
packagist
No PRs yet
Joomla CMS Multi-Factor Authentication Bypass
GHSA-6423-85cc-8gf6 CVE-2025-25227 HIGH 8 months ago
Insufficient state checks lead to a vector that allows bypassing 2FA checks.
packagist
No PRs yet
Shopware Broken ACL on Document retrieval to access other customers documents
GHSA-68wv-g3fw-pq7q MODERATE 8 months ago
### Impact
It's possible to guess the deepLinkCode of a Document to open documents of other customers
### Patches
Update to Shopware 6.6.10.3 or ...
packagist
No PRs yet
Shopware Vulnerable to Blind SQL-injection in DAL aggregations
GHSA-8g35-7rmw-7f59 CVE-2025-27892 HIGH 8 months ago
### Impact
The Shopware application API contains a search functionality which enables users to search through information stored within their Shop...
packagist
No PRs yet
Pimcore's Admin Classic Bundle allows HTML Injection
GHSA-x82r-6j37-vrgg CVE-2025-30166 LOW 8 months ago
### Summary
An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via ...
packagist
No PRs yet
Shopware allows Denial Of Service via password length
GHSA-cgfj-hj93-rmh2 CVE-2025-30151 HIGH 8 months ago
### Impact
It's possible to pass long passwords that lead to Denial of Service via Storefront forms or the Store-API.
### Patches
Update to...
packagist
No PRs yet
Shopware 6 allows attackers to check for registered accounts through the store-api
GHSA-hh7j-6x3q-f52h CVE-2025-30150 MODERATE 8 months ago
### Impact
Through the store-api it is possible as an attacker to check if a specific e-mail address has an account in the shop.
Using the store-ap...
packagist
No PRs yet
GraphQL grant on a property might be cached with different objects
GHSA-428q-q3vv-3fq3 CVE-2025-31485 HIGH 8 months ago
### Original message:
I found an issue with security grants on properties in the GraphQL ItemNormalizer:
If you use something like `#[ApiPrope...
packagist
25 Dependabot PRs (6% merged)
GraphQL query operations security can be bypassed
GHSA-cg3c-245w-728m CVE-2025-31481 HIGH 8 months ago
### Summary
Using the Relay special `node` type you can bypass the configured security on an operation.
### Details
Here is an example of how to...
packagist
25 Dependabot PRs (6% merged)
Browsershot Server-Side Request Forgery (SSRF) via setURL() Function
GHSA-qw64-6vcc-8ghx CVE-2025-3192 HIGH 8 months ago
Versions of the package spatie/browsershot from 0.0.0 to 5.0.3 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl() function due to...
packagist
No PRs yet
API Platform Core can leak exceptions message that may contain sensitive information
GHSA-rfw5-cqjj-7v9r CVE-2023-47639 MODERATE 8 months ago
### Summary
Exception messages, that are not HTTP exceptions, are visible in the JSON error response.
### Details
While we wanted to make our er...
packagist
No PRs yet
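The API Platform advisory is about an error renderer that serialises the message of every exception, not just the ones written for clients. The following Python block is an added example of the distinction, not API Platform code: only exceptions derived from an explicit HTTP exception type carry their message to the client, and everything else collapses to a generic message unless a debug flag is set. The class names, the `debug` flag and the sample database error are assumptions for the demo.

```python
import json


class HttpException(Exception):
    """Exception whose message is meant to be shown to the client."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


class NotFound(HttpException):
    def __init__(self, message: str = "Not Found"):
        super().__init__(404, message)


def render_error_leaky(exc: Exception) -> str:
    """Vulnerable pattern: str(exc) of any exception lands in the JSON body."""
    status = getattr(exc, "status", 500)
    return json.dumps({"status": status, "detail": str(exc)})


def render_error(exc: Exception, debug: bool = False) -> str:
    """Hardened pattern: only HttpException messages are client-facing.

    Internal exceptions get a fixed message; their real text belongs in server
    logs, and is exposed only when a debug flag is deliberately enabled.
    """
    if isinstance(exc, HttpException):
        return json.dumps({"status": exc.status, "detail": str(exc)})
    detail = str(exc) if debug else "Internal Server Error"
    return json.dumps({"status": 500, "detail": detail})


# Constructed internal error containing details an attacker should not see.
DB_ERROR = RuntimeError("could not connect to db at 10.0.0.5 as app_user")
```

The check is deliberately on the exception type rather than the HTTP status code: an internal failure that happens to set a status attribute would otherwise still leak its message.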
Concrete CMS Vulnerable to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS)
GHSA-cmm4-p9v2-q453 CVE-2025-3153 MODERATE 8 months ago
Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addres...
packagist
No PRs yet
Drupal Obfuscate Vulnerable to Stored Cross-Site Scripting (XSS)
GHSA-hphm-3x7f-g875 CVE-2025-3130 MODERATE 8 months ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Obfuscate allows Stored XSS. This issu...
packagist
No PRs yet
Yeswiki Path Traversal vulnerability allows arbitrary read of files
GHSA-w34w-fvp3-68xm CVE-2025-31131 HIGH 8 months ago
### Summary
The `squelette` parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. The payload `...
packagist
No PRs yet
Drupal Link field display mode formatter Cross-Site Scripting (XSS) vulnerability
GHSA-p2wg-8h29-874v CVE-2025-31695 LOW 8 months ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Link field display mode formatter allo...
packagist
No PRs yet
Drupal AI Vulnerable to OS Command Injection via Optional Automator Types
GHSA-pwjq-fx3v-8f9r CVE-2025-31692 MODERATE 8 months ago
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Drupal AI (Artificial Intelligence) all...
packagist
No PRs yet
Drupal Two-factor Authentication (TFA) Vulnerable to Forceful Browsing
GHSA-hf6c-fgp3-jfch CVE-2025-31694 HIGH 8 months ago
Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing. This issue affects Two-factor Authenticat...
packagist
No PRs yet
Drupal Formatter Suite Vulnerable to Cross-Site Scripting (XSS) via Link Element Attributes
GHSA-5r66-vgc7-2mm3 CVE-2025-31697 LOW 8 months ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Formatter Suite allows Cross-Site Scri...
packagist
No PRs yet
Drupal OAuth2 Server Missing Authorization vulnerability
GHSA-4f8q-mwgc-3mwc CVE-2025-31691 HIGH 8 months ago
Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0.
packagist
No PRs yet
Drupal RapiDoc OAS Field Formatter Cross-Site Scripting (XSS) vulnerability
GHSA-86h4-w859-3hhv CVE-2025-31696 LOW 8 months ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal RapiDoc OAS Field Formatter allows Cro...
packagist
No PRs yet
Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages
GHSA-39g6-x4x8-5jcm CVE-2025-3057 MODERATE 8 months ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scriptin...
packagist
No PRs yet
Drupal General Data Protection Regulation Cross-Site Request Forgery (CSRF) vulnerability
GHSA-jv6r-mj9p-9xff CVE-2025-31689 MODERATE 8 months ago
Cross-Site Request Forgery (CSRF) vulnerability in Drupal General Data Protection Regulation allows Cross Site Request Forgery. This issue affects ...
packagist
No PRs yet
Drupal AI Vulnerable to OS Command Injection
GHSA-vx9m-rfxq-gr74 CVE-2025-31693 MODERATE 8 months ago
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Drupal AI (Artificial Intelligence) all...
packagist
No PRs yet
Drupal Cache Utility Cross-Site Request Forgery (CSRF) vulnerability
GHSA-ccc9-jgj7-hxc7 CVE-2025-31690 MODERATE 8 months ago
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Cache Utility allows Cross Site Request Forgery. This issue affects Cache Utility: from 0...
packagist
No PRs yet
Drupal Open Social Missing Authorization vulnerability
GHSA-m9w8-wxvp-c9gv CVE-2025-31686 HIGH 8 months ago
Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing. This issue affects Open Social: from 0.0.0 before 12.3.11, from...
packagist
No PRs yet
Drupal Matomo Analytics Cross-Site Request Forgery (CSRF) vulnerability
GHSA-jh66-rjx8-8qqc CVE-2025-31680 LOW 8 months ago
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Matomo Analytics allows Cross Site Request Forgery. This issue affects Matomo Analytics: ...
packagist
No PRs yet
Drupal Google Tag Cross-Site Scripting (XSS) vulnerability
GHSA-36vv-q5jv-94cj CVE-2025-31682 MODERATE 8 months ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Google Tag allows Cross-Site Scripting...
packagist
No PRs yet
Drupal OAuth2 Client Cross-Site Request Forgery (CSRF)
GHSA-6chf-hhqf-749c CVE-2025-31684 LOW 8 months ago
Cross-Site Request Forgery (CSRF) vulnerability in Drupal OAuth2 Client allows Cross Site Request Forgery. This issue affects OAuth2 Client: from 0...
packagist
No PRs yet
Drupal Open Social Missing Authorization vulnerability
GHSA-gf72-h4cp-wcm4 CVE-2025-31685 MODERATE 8 months ago
Missing Authorization vulnerability in Drupal Open Social allows Forceful Browsing. This issue affects Open Social: from 0.0.0 before 12.3.11, from...
packagist
No PRs yet
Drupal Ignition Cross-Site Scripting (XSS) vulnerability
GHSA-rhxm-r44m-4325 CVE-2025-31679 MODERATE 8 months ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Ignition Error Pages allows Cross-Site...
packagist
No PRs yet
Drupal Google Tag Cross-Site Request Forgery (CSRF)
GHSA-qchr-8m24-7v66 CVE-2025-31683 MODERATE 8 months ago
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Google Tag allows Cross Site Request Forgery. This issue affects Google Tag: from 0.0.0 b...
packagist
No PRs yet
Drupal Authenticator Login Missing Authorization vulnerability
GHSA-jwpx-6c4p-q4jq CVE-2025-31681 HIGH 8 months ago
Missing Authorization vulnerability in Drupal Authenticator Login allows Forceful Browsing. This issue affects Authenticator Login: from 0.0.0 befo...
packagist
No PRs yet
Drupal SpamSpan Cross-Site Scripting (XSS) vulnerability
GHSA-8r2q-865v-wm8j CVE-2025-31687 LOW 8 months ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal SpamSpan filter allows Cross-Site Scri...
packagist
No PRs yet
Drupal Configuration Split Cross-Site Request Forgery (CSRF) vulnerability
GHSA-qq45-cqhg-jwx5 CVE-2025-31688 LOW 8 months ago
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Configuration Split allows Cross Site Request Forgery. This issue affects Configuration S...
packagist
No PRs yet