Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,921
With Dependabot PRs: 1,821
Critical Severity: 3,520
High Severity: 8,659
Mautic user without privileged access to the Marketplace can install and uninstall composer packages
GHSA-3fq7-c5m8-g86x CVE-2025-13828 CRITICAL 5 days ago
### Summary
A non-privileged user can install and remove arbitrary packages via composer for a composer-based install, even if the flag in updat...
packagist
No PRs yet
bagisto has CSV Formula Injection in Create New Product
GHSA-jqrp-58fv-w8cq CVE-2025-62417 CRITICAL about 2 months ago
### Summary
When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved ...
packagist
No PRs yet
PrestaShop Checkout allows customer account takeover via email
GHSA-54hq-mf6h-48xh CVE-2025-61922 CRITICAL about 2 months ago
# Impact
Missing validation on Express Checkout feature allows silent log-in
## Affected versions
The issue was introduced in PrestaShop Checkout...
packagist
No PRs yet
Melis Platform CMS SQL Injection
GHSA-mrmx-jfw8-qhgv CVE-2025-10351 CRITICAL 2 months ago
SQL injection vulnerability based on the melis-cms module of the Melis platform from Melis Technology. This vulnerability allows an attacker to ret...
packagist
No PRs yet
Melis Platform CMS Unauthenticated Admin Account Creation
GHSA-p3vc-g9f9-mgw4 CVE-2025-10352 CRITICAL 2 months ago
Vulnerability in the melis-core module of Melis Technology's Melis Platform, which, if exploited, allows an unauthenticated attacker to create an a...
packagist
No PRs yet
Melis Platform CMS Unauthenticated File Upload Leading to RCE
GHSA-chw4-gjvw-3gxc CVE-2025-10353 CRITICAL 2 months ago
File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows...
packagist
No PRs yet
Magento Community Edition Improper Input Validation vulnerability
GHSA-wh92-6q6g-px7j CVE-2025-54236 CRITICAL 3 months ago
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation ...
packagist
No PRs yet
The Freeform CraftCMS plugin contains a Server-side template injection (SSTI) vulnerability
GHSA-9hp3-f5g8-rccg CVE-2025-52122 CRITICAL 3 months ago
Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains a Server-side template injection (SSTI) vulnerability, resulting in arbitrary co...
packagist
No PRs yet
ThinkPHP Path Traversal Vulnerability
GHSA-mrwc-mvr8-9xq5 CVE-2025-50706 CRITICAL 4 months ago
An issue in ThinkPHP Framework v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function.
packagist
No PRs yet
The ADOdb sqlite3 driver allows SQL injection
GHSA-vf2r-cxg9-p7rf CVE-2025-54119 CRITICAL 4 months ago
Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 da...
packagist
11 Dependabot PRs, 18% merged
CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability
GHSA-9952-gv64-x94c CVE-2025-54418 CRITICAL 4 months ago
### Impact
This vulnerability affects applications that:
* Use the ImageMagick handler for image processing (`imagick` as the image library)
* **AN...
packagist
No PRs yet
nova-tiptap has Unauthenticated Arbitrary File Upload Vulnerability
GHSA-96c2-h667-9fxp CVE-2025-54082 CRITICAL 5 months ago
A vulnerability was discovered in the marshmallow-packages/nova-tiptap Laravel Nova package that allows unauthenticated users to upload arbitrary f...
packagist
No PRs yet
simogeo/filemanager arbitrary file upload vulnerability
GHSA-m5hw-rhvr-f47c CVE-2025-46001 CRITICAL 5 months ago
An arbitrary file upload vulnerability in the is_allowed_file_type() function of Filemanager v2.3.0 allows attackers to execute arbitrary code via ...
packagist
No PRs yet
Livewire is vulnerable to remote command execution during component property update hydration
GHSA-29cq-5w36-x7w3 CVE-2025-54068 CRITICAL 5 months ago
### Impact
In Livewire v3 (≤ 3.6.3), a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. Th...
packagist
No PRs yet
LaRecipe is vulnerable to Server-Side Template Injection attacks
GHSA-jv7x-xhv2-p5v2 CVE-2025-53833 CRITICAL 5 months ago
### Impact
Attackers could:
1. Execute arbitrary commands on the server
2. Access sensitive environment variables
3. Escalate access depending on s...
packagist
No PRs yet
Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution
GHSA-24wv-6c99-f843 CVE-2025-49132 CRITICAL 6 months ago
## Impact
Using the `/locales/locale.json` with the `locale` and `namespace` query parameters, a malicious actor is able to execute arbitrary code...
packagist
No PRs yet
Magento contains stored XSS vulnerability
GHSA-j934-vjh5-vf9r CVE-2025-47110 CRITICAL 6 months ago
Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability tha...
packagist
No PRs yet
laravel-auth0 SDK Deserialization of Untrusted Data vulnerability
GHSA-c42h-56wx-h85q CRITICAL 6 months ago
**Overview**
The laravel-auth0 SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs proce...
packagist
No PRs yet
Auth0 Symfony SDK Deserialization of Untrusted Data vulnerability
GHSA-98j6-67v3-mw34 CRITICAL 6 months ago
**Overview**
The Auth0 Symfony SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs proce...
packagist
No PRs yet
Auth0 Wordpress Plugin vulnerable to Deserialization of Untrusted Data
GHSA-862m-5253-832r CRITICAL 6 months ago
**Overview**
The Auth0 Wordpress plugin contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs ...
packagist
No PRs yet
Auth0-PHP SDK Deserialization of Untrusted Data vulnerability
GHSA-v9m8-9xxp-q492 CVE-2025-48951 CRITICAL 6 months ago
**Overview**
The Auth0 PHP SDK contains a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie con...
packagist
No PRs yet
Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization
GHSA-8j8w-wwqc-x596 CVE-2025-49113 CRITICAL 6 months ago
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is...
packagist
1 Dependabot PR
The Front End User Registration extension for TYPO3 (sr_feuser_register) Remote Code Execution
GHSA-qfm8-78qf-p75j CVE-2025-48200 CRITICAL 7 months ago
The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution via unsafe deserialization.
packagist
No PRs yet
laravel-auth0 SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions
GHSA-9fwj-9mjf-rhj3 CRITICAL 7 months ago
**Overview**
Session cookies of applications using the laravel-auth0 SDK configured with CookieStore have authentication tags that can be brute for...
packagist
No PRs yet
Auth0 Wordpress plugin Vulnerable to Brute Force Authentication Tags of CookieStore Sessions
GHSA-2f4r-34m4-3w8q CRITICAL 7 months ago
**Overview**
Session cookies of applications using the Auth0 Wordpress plugin configured with CookieStore have authentication tags that can be brut...
packagist
No PRs yet
Auth0 Symfony SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions
GHSA-9wg9-93h9-j8ch CRITICAL 7 months ago
**Overview**
Session cookies of applications using the Auth0 Symfony SDK configured with CookieStore have authentication tags that can be brute for...
packagist
No PRs yet
Brute Force Authentication Tags of CookieStore Sessions in Auth0-PHP SDK
GHSA-g98g-r7gf-2r25 CVE-2025-47275 CRITICAL 7 months ago
**Overview**
Session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced,...
packagist
10 Dependabot PRs, 40% merged
SQL injection in ADOdb PostgreSQL driver pg_insert_id() method
GHSA-8x27-jwjr-8545 CVE-2025-46337 CRITICAL 7 months ago
Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a PostgreSQL...
packagist
10 Dependabot PRs, 11% merged
ShowDoc unrestricted file upload vulnerability
GHSA-6jmr-r7p6-f5wr CVE-2025-0520 CRITICAL 7 months ago
An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to ...
packagist
No PRs yet
YesWiki Vulnerable to Unauthenticated Site Backup Creation and Download
GHSA-wc9g-6j9w-hr95 CVE-2025-46348 CRITICAL 7 months ago
### Summary
The request to commence a site backup can be performed without authentication. Then these backups can also be downloaded without authe...
packagist
No PRs yet
Craft CMS Allows Remote Code Execution
GHSA-f3gw-9ww9-jmc3 CVE-2025-32432 CRITICAL 8 months ago
### Impact
This is an additional fix for https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
This is a high-impact, low-compl...
packagist
No PRs yet
DevDojo Voyager Argument Injection vulnerability
GHSA-qq2h-m2hj-hrff CVE-2025-32931 CRITICAL 8 months ago
DevDojo Voyager 1.4.0 through 1.8.0, when Laravel 8 or later is used, allows authenticated administrators to execute arbitrary OS commands via a sp...
packagist
No PRs yet
yiisoft/yii2 Mishandles the Attaching of Behavior Defined by a `__class` Array Key
GHSA-ggwg-cmwp-46r5 CVE-2024-58136 CRITICAL 8 months ago
Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the w...
packagist
No PRs yet
RoadRunner is at risk of HTTP Request/Response Smuggling through vulnerable dependency
GHSA-g9pc-8g42-g6vq CVE-2025-22871 CRITICAL 8 months ago
The net/http package dependency used by RoadRunner improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can per...
packagist
1 Dependabot PR
Volt Allows RCE Via User-Crafted Requests
GHSA-v69f-5jxm-hwvv CVE-2025-27517 CRITICAL 9 months ago
Malicious, user-crafted request payloads could potentially lead to remote code execution within Volt components.
packagist
No PRs yet
Mautic allows Remote Code Execution and File Deletion in Asset Uploads
GHSA-73gx-x7r9-77x2 CVE-2024-47051 CRITICAL 9 months ago
### Summary
This advisory addresses two critical security vulnerabilities present in Mautic versions before 5.2.3. These vulnerabilities could be ...
packagist
No PRs yet
Easy!Appointments Improper Restriction of Excessive Authentication Attempts
GHSA-8fc2-fhh6-f6m5 CVE-2024-57602 CRITICAL 10 months ago
An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file.
packagist
No PRs yet
Crayfish Allows Remote Code Execution via hypercube X-Islandora-Args Header
GHSA-c2p2-hgjg-9r3f CRITICAL 10 months ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
Remote code execution is possible in web-accessible installations of hypercube.
...
packagist
No PRs yet
Improper Authorization vulnerability in Magento and Adobe Commerce
GHSA-fppq-f2m6-xv5c CVE-2025-24434 CRITICAL 10 months ago
Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Authorization vulnerability t...
packagist
No PRs yet
Multiple rtmpdump vulnerabilities
GHSA-vrpv-vw92-328g CRITICAL 10 months ago
The version of rtmpdump contained in this package has multiple known vulnerabilities.
### Patches
This package is abandoned and should not be used...
packagist
No PRs yet
Crayfish allows Remote Code Execution via Homarus Authorization header
GHSA-mm6v-68qp-f9fw CVE-2025-25286 CRITICAL 11 months ago
### Impact
Remote code execution may be possible in web-accessible installations of Homarus in certain configurations.
### Patches
The issue has...
packagist
No PRs yet
TeamPass privileges issue
GHSA-9wmc-988h-2mv2 CVE-2024-50703 CRITICAL 11 months ago
TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id.
packagist
No PRs yet
Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled
GHSA-2p6p-9rc9-62j9 CVE-2024-56145 CRITICAL 12 months ago
### Impact
You are affected if your php.ini configuration has `register_argc_argv` enabled.
### Patches
Update to 3.9.14, 4.13.2, or 5.5.2.
### W...
packagist
No PRs yet
LibreNMS has an Authenticated OS Command Injection
GHSA-x645-6pf9-xwxw CVE-2024-51092 CRITICAL about 1 year ago
### Summary
An authenticated attacker can create dangerous directory names on the system and alter sensitive configuration parameters through the w...
packagist
No PRs yet
Deserialization of Untrusted Data in dompdf/dompdf
GHSA-577p-7j7h-2jgf CVE-2021-3838 CRITICAL about 1 year ago
DomPDF before version 2.0.0 is vulnerable to PHAR (PHP Archive) deserialization due to a lack of checking on the protocol before passing it into th...
packagist
No PRs yet
Improper Restriction of XML External Entity Reference in dompdf/dompdf
GHSA-3vjh-xrhf-v9xh CVE-2021-3902 CRITICAL about 1 year ago
An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and de...
packagist
No PRs yet
Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting
GHSA-9h9q-qhxg-89xr CVE-2024-47186 CRITICAL about 1 year ago
### Summary
If values passed to a `ColorColumn` or `ColorEntry` are not valid and contain a specific set of characters, applications are vulnerab...
packagist
No PRs yet
ThinkPHP deserialization vulnerability
GHSA-f4wh-359g-4pq7 CVE-2024-44902 CRITICAL about 1 year ago
A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
packagist
No PRs yet
Admidio Vulnerable to RCE via Arbitrary File Upload in Message Attachment
GHSA-g872-jwwr-vggm CVE-2024-38529 CRITICAL over 1 year ago
### Description:
Remote Code Execution Vulnerability has been identified in the Message module of the Admidio Application, where it is possible to ...
packagist
No PRs yet
Admidio has Blind SQL Injection in ecard_send.php
GHSA-69wx-xc6j-28v3 CVE-2024-37906 CRITICAL over 1 year ago
### Description:
An SQL Injection has been identified in the `/adm_program/modules/ecards/ecard_send.php` source file of the Admidio Application. T...
packagist
No PRs yet