Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,785 Total Advisories
1,792 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity
Drupal Core Cross-Site Scripting (XSS) Vulnerability
GHSA-m4wj-hhwj-47qp CVE-2025-31675 LOW 8 months ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scriptin...
packagist
No PRs yet
Drupal Core Improperly Controlled Modification of Dynamically-Determined Object Attributes Vulnerability
GHSA-2qph-q8xw-gv7q CVE-2025-31674 MODERATE 8 months ago
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This iss...
packagist
No PRs yet
Drupal AI Missing Authorization vulnerability
GHSA-c8q6-wp7v-46r9 CVE-2025-31678 MODERATE 8 months ago
Missing Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Forceful Browsing. This issue affects AI (Artificial Intelligence...
packagist
No PRs yet
Drupal Core Vulnerable to Forceful Browsing
GHSA-wpp8-fjgf-pwc7 CVE-2025-31673 MODERATE 8 months ago
Incorrect Authorization vulnerability in Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4....
packagist
No PRs yet
Drupal AI Cross-Site Request Forgery (CSRF) vulnerability
GHSA-9w85-x5hg-fr66 CVE-2025-31677 MODERATE 8 months ago
Cross-Site Request Forgery (CSRF) vulnerability in Drupal AI (Artificial Intelligence) allows Cross Site Request Forgery. This issue affects AI (Ar...
packagist
No PRs yet
ConcreteCMS Cross-Site Scripting (XSS) via HTML Block Text Field
GHSA-xfqf-5rhg-5c73 CVE-2025-2967 MODERATE 8 months ago
A vulnerability was found in ConcreteCMS up to 9.3.9. It has been classified as problematic. This affects the function Save of the component HTML B...
packagist
No PRs yet
ShopXO Vulnerable to Server-Side Request Forgery (SSRF) and Cross-Site Scripting (XSS)
GHSA-24cf-848g-762c CVE-2025-28094 MODERATE 8 months ago
ShopXO v6.4.0 has an SSRF/XSS vulnerability in multiple places.
packagist
No PRs yet
ShopXO Vulnerable to Server-Side Request Forgery (SSRF) via Image Upload
GHSA-p736-g6pg-hjhw CVE-2025-28092 MODERATE 8 months ago
ShopXO v6.4.0 is vulnerable to Server-Side Request Forgery (SSRF) via image upload function.
packagist
No PRs yet
ShopXO Vulnerable to Server-Side Request Forgery (SSRF) via Email Settings
GHSA-gfhv-5rqh-7qx3 CVE-2025-28093 MODERATE 8 months ago
ShopXO v6.4.0 is vulnerable to Server-Side Request Forgery (SSRF) in Email Settings.
packagist
No PRs yet
wp-svg-upload WordPress plugin vulnerable to Stored Cross-site Scripting
GHSA-v2rr-fhv8-mx74 CVE-2024-11847 MODERATE 8 months ago
The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to SVG with...
packagist
No PRs yet
Pixelfed may allow unauthorized actor to view private posts and private users
GHSA-7287-grhx-542x CVE-2025-30741 MODERATE 8 months ago
Pixelfed before 0.12.5 allows anyone to follow private accounts and see private posts on other Fediverse servers. This affects users elsewhere in t...
packagist
No PRs yet
API Platform Core does not call GraphQl securityAfterResolver
GHSA-7mxx-3cgm-xxv3 CVE-2025-23204 MODERATE 8 months ago
### Summary
A security check that gets called after GraphQl resolvers is always replaced by another one as there's no break in this clause: https:/...
packagist
No PRs yet
yiisoft Yii2 Deserialization of Untrusted Data
GHSA-88m2-j94x-v4fx CVE-2025-2689 MODERATE 8 months ago
A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. Affected by this issue is the function getIterator ...
packagist
No PRs yet
Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout
GHSA-hxg4-65p5-9w37 CVE-2025-30152 MODERATE 8 months ago
A discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a ...
packagist
No PRs yet
Clickstorm SEO Allows Cross-Site Scripting (XSS)
GHSA-vmgw-24w6-9v82 CVE-2025-30081 MODERATE 9 months ago
A cross-site scripting (XSS) vulnerability has been discovered in the Clickstorm SEO extension. This vulnerability is exploitable by a logged in back...
packagist
No PRs yet
Additional TCA Allows Cross-Site Scripting (XSS)
GHSA-rrh3-cgmx-w62f CVE-2025-30083 MODERATE 9 months ago
A cross-site scripting (XSS) vulnerability has been discovered in the Additional TCA extension. This vulnerability is exploitable by a logged in back...
packagist
No PRs yet
Contao Vulnerable to Cross-Site Scripting (XSS) through SVG uploads
GHSA-vqqr-fgmh-f626 CVE-2025-29790 MODERATE 9 months ago
### Impact
Users can upload SVG files with malicious code, which is then executed in the back end and/or front end.
### Patches
Update to Contao...
packagist
No PRs yet
TastyIgniter Has an Incorrect Access Control Vulnerability
GHSA-w5h7-mw56-4v7x CVE-2024-44314 MODERATE 9 months ago
TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the Orders Management System, allowing unauthorized users to update order ...
packagist
No PRs yet
TastyIgniter Has an Incorrect Access Control Vulnerability via `invoice()` Function
GHSA-gg2f-r4jh-vpmh CVE-2024-44313 HIGH 9 months ago
TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the invoice() function within Orders.php which allows unauthorized users t...
packagist
No PRs yet
Sylius PayPal Plugin Payment Amount Manipulation Vulnerability
GHSA-pqq3-q84h-pj6x CVE-2025-29788 MODERATE 9 months ago
A vulnerability allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their shopping car...
packagist
No PRs yet
MODX allows cross-site scripting (XSS) via an SVG file
GHSA-hm54-fg2w-2g6j CVE-2025-28010 LOW 9 months ago
A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG f...
packagist
No PRs yet
Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite
GHSA-hg9j-64wp-m9px CVE-2025-27794 MODERATE 9 months ago
## **Summary**
A session hijacking vulnerability exists when an attacker-controlled **authoritative subdomain** under a parent domain (e.g., `sub...
packagist
No PRs yet
laravel-crud-wizard-free has File Validation Bypass
GHSA-3wgq-h4fr-cwg5 MODERATE 9 months ago
### Impact
Medium
### Patches
Version 3.4.17 fixes illuminate/validation v 8.0.0 to 11.44.0
### Workarounds
Register \MacropaySolutions\LaravelCr...
packagist
No PRs yet
Microweber vulnerable to XSS attack due to insecure `group` component in its Settings handler
GHSA-hcgh-r5gq-6qc2 CVE-2025-2214 LOW 9 months ago
A vulnerability was found in Microweber 2.0.19. It has been rated as problematic. This issue affects some unknown processing of the file userfiles/...
packagist
2 Dependabot PRs, 50% merged
Pimcore Vulnerable to SQL Injection in getRelationFilterCondition
GHSA-qjpx-5m2p-5pgh CVE-2025-27617 MODERATE 9 months ago
### Summary
Authenticated users can craft a filter string used to cause a SQL injection.
### Details
_Give all details on the vulnerability. Point...
packagist
No PRs yet
Froxlor has an HTML Injection Vulnerability
GHSA-26xq-m8xw-6373 CVE-2025-48958 MODERATE 9 months ago
### Summary
_An HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email secti...
packagist
No PRs yet
Froxlor allows Multiple Accounts to Share the Same Email Address Leading to Potential Privilege Escalation or Account Takeover
GHSA-7j6w-p859-464f CVE-2025-29773 MODERATE 9 months ago
### Summary
The vulnerability is that users (such as resellers or customers) are able to create accounts with the same email address as an existing...
packagist
No PRs yet
The SimpleSAMLphp SAML2 library incorrectly verifies signatures for HTTP-Redirect binding
GHSA-46r4-f8gj-xg56 CVE-2025-27773 HIGH 9 months ago
### Summary
There's a signature confusion attack in the HTTPRedirect binding. An attacker with any signed SAMLResponse via the HTTP-Redirect bindin...
packagist
6 Dependabot PRs, 50% merged
Concrete CMS affected by a stored XSS in Folder Function. The "Add Folder" functionality
GHSA-pvmx-mjmh-jfcx CVE-2025-0660 MODERATE 9 months ago
Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function. The "Add Folder" functionality lacks input sanitization, ...
packagist
No PRs yet
PocketMine-MP allows malicious client data to waste server resources due to lack of limits for explode()
GHSA-g274-c6jj-h78p MODERATE 9 months ago
### Impact
Due to lack of limits by default in the [`explode()`](https://www.php.net/manual/en/function.explode.php) function, malicious clients we...
packagist
No PRs yet
Laravel framework susceptible to reflected cross-site scripting
GHSA-546h-56qp-8jmw CVE-2024-13918 MODERATE 9 months ago
The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request ...
packagist
No PRs yet
Laravel framework susceptible to reflected cross-site scripting
GHSA-83wp-f5c3-hqqr CVE-2024-13919 MODERATE 9 months ago
The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route pa...
packagist
No PRs yet
GeSHi XSS possible in the get_var function of /contrib/cssgen.php
GHSA-pr6q-g5gv-qgr7 CVE-2025-2123 MODERATE 9 months ago
A vulnerability, which was classified as problematic, has been found in GeSHi up to 1.0.9.1. Affected by this issue is the function get_var of the ...
packagist
No PRs yet
Volt Allows RCE Via User-Crafted Requests
GHSA-v69f-5jxm-hwvv CVE-2025-27517 CRITICAL 9 months ago
Malicious, user-crafted request payloads could potentially lead to remote code execution within Volt components.
packagist
No PRs yet
Laravel has a File Validation Bypass
GHSA-78fx-h6xr-vch4 CVE-2025-27515 MODERATE 9 months ago
When using wildcard validation to validate a given file or image field array (`files.*`), a user-crafted malicious request could potentially bypass...
packagist
No PRs yet
REDAXO allows Authenticated Reflected Cross Site Scripting - packages installation
GHSA-8366-xmgf-334f CVE-2025-27412 MODERATE 9 months ago
### Summary
Reflected cross-site scripting (XSS) is a type of web vulnerability that occurs when a web application fails to properly sanitize user ...
packagist
No PRs yet
REDAXO allows Arbitrary File Upload in the mediapool page
GHSA-wppf-gqj5-fc4f CVE-2025-27411 MODERATE 9 months ago
### Summary
An arbitrary file upload vulnerability was identified in the redaxo. This flaw permits users to upload malicious files, which can lead ...
packagist
No PRs yet
Magento LTS vulnerable to stored XSS in theme config fields
GHSA-5pxh-89cx-4668 CVE-2025-27400 LOW 9 months ago
As reported by [Aakash Adhikari](https://hackerone.com/dark_haxor), Github: @justlife4x4, the Design > Themes > Skin (Images / CSS) config field al...
packagist
No PRs yet
Formwork improperly validates input of User role preventing site and panel availability
GHSA-c85w-x26q-ch87 HIGH 9 months ago
### Summary
Improper validation of select fields allows attackers to craft an input that crashes the system, resulting in a 500 status and making ...
packagist
No PRs yet
Formwork has a cross-site scripting (XSS) vulnerability in Site title
GHSA-vf6x-59hh-332f MODERATE 9 months ago
### Summary
The site title field at /panel/options/site/allows embedding JS tags, which can be used to attack all members of the system. This is a...
packagist
No PRs yet
Mautic allows Relative Path Traversal in assets file upload
GHSA-4w2w-36vm-c8hf CVE-2022-25773 MODERATE 9 months ago
### Summary
This advisory addresses a file placement vulnerability that could allow assets to be uploaded to unintended directories on the server....
packagist
No PRs yet
Mautic allows Improper Authorization in Reporting API
GHSA-8xv7-g2q3-fqgc CVE-2024-47053 HIGH 9 months ago
### Summary
This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow una...
packagist
No PRs yet
Mautic allows Remote Code Execution and File Deletion in Asset Uploads
GHSA-73gx-x7r9-77x2 CVE-2024-47051 CRITICAL 9 months ago
### Summary
This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could be ...
packagist
No PRs yet
Moodle has a stored XSS in ddimageortext question type
GHSA-h697-w4ph-7pcx CVE-2025-26528 LOW 9 months ago
The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.
packagist
No PRs yet
Moodle allows teachers to evade trusttext config when restoring glossary entries
GHSA-cw24-f6fq-7j9v CVE-2025-26532 LOW 9 months ago
Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored.
packagist
No PRs yet
Moodle has a stored XSS risk in admin live log
GHSA-wr88-x8cm-7cgq CVE-2025-26529 HIGH 9 months ago
Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.
packagist
No PRs yet
Moodle has an arbitrary file read risk through pdfTeX
GHSA-4hmr-39vp-xfrr CVE-2025-26525 HIGH 9 months ago
Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with ...
packagist
No PRs yet
Moodle allows reflected XSS via question bank filter
GHSA-4w32-c9g7-27qx CVE-2025-26530 HIGH 9 months ago
The question bank filter required additional sanitizing to prevent a reflected XSS risk.
packagist
No PRs yet
Moodle's feedback response viewing and deletions did not respect Separate Groups mode
GHSA-pxg4-xjp7-w9c5 CVE-2025-26526 MODERATE 9 months ago
Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.
packagist
No PRs yet
Moodle's non-searchable tags can still be discovered on the tag search page and in the tags block
GHSA-5r85-6h7f-rg3r CVE-2025-26527 MODERATE 9 months ago
Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.
packagist
No PRs yet