Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,921
With Dependabot PRs: 1,820
Critical Severity: 3,520
High Severity: 8,659
OpenMLS improper persistence of the secret tree during message processing
GHSA-qr9h-x63w-vqfm MODERATE 2 months ago
### Summary
A bug in the OpenMLS library prevented private key material from being updated in storage during message processing. The key material ...
cargo
No PRs yet
kcp is missing update validation, allowing arbitrary LogicalCluster status patches through the initializingworkspaces Virtual Workspace
GHSA-q6hv-wcjr-wp8h LOW 2 months ago
### Impact
Because UPDATE validation is not being applied, it is possible for an actor with access to an instance of the [initializingworkspaces v...
go
No PRs yet
Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
GHSA-w87v-7w53-wwxv CVE-2025-59845 HIGH 2 months ago
### Impact
A **Cross-Site Request Forgery (CSRF)** vulnerability was identified in Apollo’s **Embedded Sandbox** and **Embedded Explorer**.
The v...
npm
2 Dependabot PRs
express-xss-sanitizer has an unbounded recursion depth
GHSA-hvq2-wf92-j4f3 CVE-2025-59364 MODERATE 2 months ago
# Security Advisory: express-xss-sanitizer
## Overview
A vulnerability was discovered in express-xss-sanitizer that allowed unbounded recursion de...
npm
No PRs yet
get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass
GHSA-qc2q-qhf3-235m CVE-2025-59936 CRITICAL 2 months ago
### Summary
A vulnerability in `get-jwks` can lead to cache poisoning in the JWKS key-fetching mechanism.
### Details
When the `iss` (issuer) cla...
npm
No PRs yet
JupyterLab LaTeX typesetter links did not enforce `noopener` attribute
GHSA-vvfj-2jqx-52jm CVE-2025-59842 LOW 2 months ago
Links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the `noopener` attri...
pypi
No PRs yet
Rancher update on users can deny the service to the admin
GHSA-q82v-h4rq-5c86 CVE-2024-58260 HIGH 2 months ago
### Impact
A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher c...
go
No PRs yet
Rancher CLI SAML authentication is vulnerable to phishing attacks
GHSA-v3vj-5868-2ch2 CVE-2024-58267 HIGH 2 months ago
### Impact
A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to ...
go
No PRs yet
Rancher sends sensitive information to external services through the `/meta/proxy` endpoint
GHSA-mjcp-rj3c-36fr CVE-2025-54468 MODERATE 2 months ago
### Impact
A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, ...
go
No PRs yet
Argument injection vulnerability in SonarQube Scan Action
GHSA-5xq9-5g24-4g6f CVE-2025-59844 HIGH 2 months ago
A command injection vulnerability exists in SonarQube GitHub Action prior to v6.0.0 when workflows pass user-controlled input to the args parameter...
actions
No PRs yet
Apache Airflow: Connection sensitive details exposed to users with READ permissions
GHSA-q475-2pgm-7hvp CVE-2025-54831 MODERATE 2 months ago
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connec...
pypi
No PRs yet
WSO2's Input Validation Management Service contains Observable Discrepancy when Multi-Attribute Login is enabled
GHSA-w82p-r9vw-4rg5 CVE-2025-1396 LOW 2 months ago
A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system retu...
maven
No PRs yet
Hutool allows remote code execution (RCE) via the QLExpressEngine class
GHSA-gcfh-36x4-mgj6 CVE-2025-56769 HIGH 2 months ago
An issue was discovered in chinabugotech hutool before 5.8.40 allowing attackers to execute arbitrary expressions that lead to arbitrary method inv...
maven
No PRs yet
Liferay Portal and DXP vulnerable to a memory leak
GHSA-hrqm-qpw9-w8rv CVE-2025-43816 MODERATE 2 months ago
A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP...
maven
No PRs yet
ml-logger file handler allows reading arbitrary files
GHSA-9x36-c74v-fgr6 CVE-2025-10952 MODERATE 2 months ago
A security flaw has been discovered in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Affected by this issue is the function stre...
pypi
No PRs yet
Rack has an unsafe default in Rack::QueryParser that allows params_limit bypass via semicolon-separated parameters
GHSA-625h-95r8-8xpm CVE-2025-59830 HIGH 2 months ago
## Summary
`Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on bo...
rubygems
4 Dependabot PRs
Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning
GHSA-227x-7mh8-3cf6 CVE-2025-59823 CRITICAL 2 months ago
### Impact
A security vulnerability was discovered in Gardener when [Terraformer](https://github.com/gardener/terraformer) is used for infrastruct...
go
No PRs yet
ml-logger has path traversal in the file argument
GHSA-8x9j-2p8r-7xc6 CVE-2025-10951 MODERATE 2 months ago
A vulnerability was identified in geyang ml-logger 0.10.36 and prior. Affected by this vulnerability is the function log_handler of the file ml_log...
pypi
No PRs yet
ml-logger deserialization vulnerability
GHSA-57hm-8rjv-498w CVE-2025-10950 LOW 2 months ago
A vulnerability was determined in geyang ml-logger 0.10.36 and prior. Affected is the function log_handler of the file ml_logger/server.py of the c...
pypi
No PRs yet
cors-anywhere vulnerable to server-side request forgery
GHSA-r3jv-xfgx-gj24 CVE-2020-36851 CRITICAL 2 months ago
Rob--W/cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to a...
npm
No PRs yet
apidoc-core is vulnerable to prototype pollution
GHSA-5q53-78f2-6gf8 CVE-2025-57317 HIGH 2 months ago
apidoc-core is the core parser library to generate apidoc result following the apidoc-spec. A Prototype Pollution vulnerability in the preProcess f...
npm
No PRs yet
dref is vulnerable to prototype pollution
GHSA-76g8-235f-gj6p CVE-2025-26278 HIGH 2 months ago
A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
npm
No PRs yet
lobe-chat has an Open Redirect
GHSA-xph5-278p-26qx CVE-2025-59426 MODERATE 2 months ago
### Description
> Vulnerability Overview
The project's OIDC redirect handling logic constructs the host and protocol of the final red...
npm
No PRs yet
csvjson vulnerable to prototype injection
GHSA-xq4f-3jxp-qv6m CVE-2025-57318 HIGH 2 months ago
A Prototype Pollution vulnerability in the toCsv function of csvjson versions through 5.1.0 allows attackers to inject properties on Object.prototype ...
npm
No PRs yet
toggle-array vulnerable to prototype pollution
GHSA-34q3-8x9v-j957 CVE-2025-57328 LOW 2 months ago
toggle-array is a package designed to enable a property on the object at the specified index, while disabling the property on all other objects. A...
npm
No PRs yet
ts-fns has prototype pollution vulnerability
GHSA-g7wq-wggw-vmhg CVE-2025-57351 MODERATE 2 months ago
A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in t...
npm
No PRs yet
web3-core-subscriptions has a Prototype Pollution vulnerability
GHSA-hhf6-3xpg-pggx CVE-2025-57330 LOW 2 months ago
web3-core-subscriptions is a package designed to manage web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function...
npm
No PRs yet
web3-core-method is vulnerable to prototype pollution
GHSA-2j4c-9qqq-896r CVE-2025-57329 LOW 2 months ago
web3-core-method is a package designed to create the methods on the web3 modules. A Prototype Pollution vulnerability in the attachToObject functi...
npm
No PRs yet
json-schema-editor-visual vulnerable to prototype pollution
GHSA-3c3p-xh4f-pfh7 CVE-2025-57320 MODERATE 2 months ago
json-schema-editor-visual is a package that provides a JSON schema editor. A Prototype Pollution vulnerability in the setData and deleteData function ...
npm
No PRs yet
spmrc vulnerable to prototype pollution
GHSA-r2rv-8pp3-65xw CVE-2025-57327 LOW 2 months ago
spmrc is a package that provides the rc manager for spm. A Prototype Pollution vulnerability in the set and config functions of spmrc version 1.2.0 ...
npm
No PRs yet
node-cube vulnerable to prototype pollution
GHSA-8v65-5fw5-23wj CVE-2025-57348 LOW 2 months ago
The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an att...
npm
No PRs yet
magix-combine-ex vulnerable to prototype pollution
GHSA-cr7h-93fh-whwm CVE-2025-57321 LOW 2 months ago
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 2.2.2 allows attackers to inject p...
npm
No PRs yet
parse is vulnerable to prototype pollution
GHSA-9g8m-v378-pcg3 CVE-2025-57324 MODERATE 2 months ago
parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState funct...
npm
2 Dependabot PRs (50% merged)
Llama Stack could potentially allow for remote code execution
GHSA-x75h-m6jj-6cj2 CVE-2025-55178 MODERATE 2 months ago
Llama Stack prior to version v0.2.20 accepted unverified parameters in the resolve_ast_by_type function which could potentially allow for remote co...
pypi
No PRs yet
mpregular vulnerable to prototype pollution
GHSA-xx4g-r65p-3qf2 CVE-2025-57323 HIGH 2 months ago
mpregular is a package that provides a small program development framework based on RegularJS. A Prototype Pollution vulnerability in the mp.addEve...
npm
No PRs yet
sassdoc-extras vulnerable to prototype pollution
GHSA-3mpm-jx38-9m8w CVE-2025-57326 LOW 2 months ago
A Prototype Pollution vulnerability in the byGroupAndType function of sassdoc-extras v2.5.1 and before allows attackers to inject properties on Obj...
npm
No PRs yet
messageformat has a prototype pollution vulnerability
GHSA-xfqm-j7pc-xrfc CVE-2025-57349 LOW 2 months ago
The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due ...
npm
No PRs yet
Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes
GHSA-4j5h-mvj3-m48v CVE-2025-59839 HIGH 2 months ago
### Summary
The EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext.
### Details
...
packagist
No PRs yet
Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure
GHSA-xh92-rqrq-227v CVE-2025-61685 MODERATE 2 months ago
The Mastra Docs MCP Server package `@mastra/mcp-docs-server` is a server designed to provide documentation context to AI agentic workflows, such as...
npm
No PRs yet
Command Injection in adb-mcp MCP Server
GHSA-54j7-grvr-9xwg CVE-2025-59834 CRITICAL 2 months ago
# Command Injection in adb-mcp MCP Server
The MCP Server at https://github.com/srmorete/adb-mcp is written in a way that is vulnerable to command ...
npm
No PRs yet
Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions
GHSA-2jjv-qf24-vfm4 CVE-2025-59828 HIGH 2 months ago
### Summary
In Claude Code versions prior to **1.0.39**, when the tool is used with **Yarn 2.x or newer (Berry)**, Yarn plugins are automatically ...
npm
No PRs yet
Omni Wireguard SideroLink potential escape
GHSA-hqrf-67pm-wgfq CVE-2025-59824 LOW 2 months ago
## Overview
Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and authoriz...
go
No PRs yet
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
GHSA-vj76-c3g6-qr5v CVE-2025-59343 HIGH 2 months ago
### Impact
v3.1.0, v2.1.3, v1.16.5 and below
### Patches
Has been patched in 3.1.1, 2.1.4, and 1.16.6
### Workarounds
You can use the ignore opt...
npm
1 Dependabot PR
counterpart vulnerable to prototype pollution
GHSA-2488-w585-72ch CVE-2025-57354 MODERATE 2 months ago
A vulnerability exists in the `counterpart` library for Node.js and the browser due to insufficient sanitization of user-controlled input in transl...
npm
No PRs yet
CSVTOJSON has a prototype pollution vulnerability
GHSA-vrw9-g62v-7fmf CVE-2025-57350 MODERATE 2 months ago
The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability ...
npm
5 Dependabot PRs
Mangati NovoSGA XSS vulnerability in /admin
GHSA-4c44-r8rm-3p39 CVE-2025-10909 LOW 2 months ago
A security flaw has been discovered in Mangati NovoSGA up to 2.2.9. The impacted element is an unknown function of the file /admin of the component...
packagist
No PRs yet
min-document vulnerable to prototype pollution
GHSA-rx8g-88g5-qh64 CVE-2025-57352 LOW 2 months ago
A vulnerability exists in the 'min-document' package prior to version 2.19.1, stemming from improper handling of namespace operations in the remove...
npm
No PRs yet
messageformat prototype pollution vulnerability
GHSA-6xv4-9cqp-92rh CVE-2025-57353 MODERATE 2 months ago
The Runtime components of messageformat package for Node.js version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validati...
npm
14 Dependabot PRs
pip's fallback tar extraction doesn't check symbolic links point to extraction directory
GHSA-4xh5-x5gv-qwph CVE-2025-8869 MODERATE 2 months ago
### Summary
In the fallback extraction path for source distributions, `pip` used Python’s `tarfile` module without verifying that symbolic/hard li...
pypi
4 Dependabot PRs
Apache ZooKeeper: Insufficient Permission Check in AdminServer Snapshot/Restore Commands
GHSA-2hmj-97jw-28jh CVE-2025-58457 MODERATE 2 months ago
Improper permission checks in the AdminServer allow an authenticated client with insufficient privileges to invoke the `snapshot` and `restore` com...
maven
No PRs yet