An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,921

With Dependabot PRs: 1,821

Critical Severity: 3,520

High Severity: 8,659

Open Web Analytics Server is vulnerable to SQL Injection
GHSA-6w8r-xgqq-qg6g CVE-2025-59397 MODERATE 3 months ago
Open Web Analytics (OWA) before 1.8.1 allows SQL injection.
packagist
No PRs yet
Liferay Portal vulnerable to Cross-site Scripting
GHSA-5c6v-fqcw-w6q5 CVE-2025-43791 MODERATE 3 months ago
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3...
maven
No PRs yet
Apache Fory Deserialization of Untrusted Data vulnerability
GHSA-5hmf-8wx5-4qq3 CVE-2025-59328 MODERATE 3 months ago
A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of un...
maven
No PRs yet
FUSE-Rust: Uninitialized memory read and leak caused by fuser crate
GHSA-cvmj-47v9-35m9 HIGH 3 months ago
During the creation of a new libfuse session with `fuse_session_new`, the operation list was passed as NULL incorrectly. libfuse expects this argum...
cargo
No PRs yet
Stored XSS in n8n LangChain Chat Trigger Node via initialMessages Parameter
GHSA-mvh4-2cm2-6hpg CVE-2025-58177 MODERATE 3 months ago
### Impact A stored Cross-Site Scripting (XSS) vulnerability was identified in the `@n8n/n8n-nodes-langchain.chatTrigger` node in n8n. If an author...
npm
No PRs yet
Envoy: Race condition in Dynamic Forward Proxy leads to use-after-free and segmentation faults
GHSA-g9vw-6pvx-7gmw CVE-2025-54588 HIGH 3 months ago
### Summary A use-after-free (UAF) vulnerability in Envoy's DNS cache causes abnormal process termination. Envoy may reallocate memory when proces...
go
No PRs yet
Before action, Ash's hooks may execute in certain scenarios despite a request being forbidden
GHSA-jj4j-x5ww-cwh9 CVE-2025-48042 HIGH 3 months ago
### Summary Certain bulk action calls with a `before_transaction` hook and no `after_transaction` hook, will call the `before_transaction` hook bef...
hex
No PRs yet
Temporal OSS Server Vulnerable to Allocation of Resources Without Limits or Throttling
GHSA-p768-c3pr-6459 CVE-2025-8396 MODERATE 3 months ago
Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to exce...
go
No PRs yet
mcp-kubernetes-server has an OS Command Injection vulnerability
GHSA-4hqq-7q79-932p CVE-2025-59377 CRITICAL 3 months ago
`feiskyer/mcp-kubernetes-server` through **0.1.11** allows **OS command injection** via the `/mcp/kubectl` endpoint. The handler constructs a shell...
pypi
No PRs yet
mcp-kubernetes-server has a Command Injection vulnerability
GHSA-hjm5-xgj8-vwj6 CVE-2025-59376 MODERATE 3 months ago
`mcp-kubernetes-server` does not correctly enforce the `--disable-write` / `--disable-delete` protections when commands are chained. The server onl...
pypi
No PRs yet
serde_yml crate is unsound and unmaintained
GHSA-hhw4-xg65-fp2x MODERATE 3 months ago
Using `serde_yml::ser::Serializer.emitter` can cause a segmentation fault, which is unsound. The GitHub project for `serde_yml` was archived after...
cargo
No PRs yet
LibYML: `libyml::string::yaml_string_extend` is unsound and unmaintained
GHSA-gfxp-f68g-8x78 HIGH 3 months ago
In version 0.0.4, `libyml::string::yaml_string_extend` was revised resulting in undefined behaviour, which is unsound. The GitHub project for `lib...
cargo
No PRs yet
MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency
GHSA-qj3p-xc97-xw74 MODERATE 3 months ago
### Who is affected? This advisory only applies to developers who use MetaMask SDK in the browser and who, on Sept 8th 2025 between 13:00–15:30 UTC...
npm
1
Dependabot PRs
fast-able is vulnerable to DoS attack through insecure method
GHSA-95hm-pr6q-298w HIGH 3 months ago
The publicly accessible struct SyncVec has a public safe method get_unchecked. It accepts a parameter index that is used in get_unchecked without suff...
cargo
No PRs yet
Chaos Controller Manager is vulnerable to OS command injection
GHSA-369h-6j28-wwcg CVE-2025-59359 CRITICAL 3 months ago
The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenti...
go
No PRs yet
Chaos Controller Manager is vulnerable to OS command injection
GHSA-xv9f-728h-9jgv CVE-2025-59360 CRITICAL 3 months ago
The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unaut...
go
No PRs yet
Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function
GHSA-2gg8-85m5-8r2p CVE-2025-59358 HIGH 3 months ago
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provid...
go
No PRs yet
Mattermost Open Redirect vulnerability
GHSA-69j8-prx2-vx98 CVE-2025-9072 HIGH 3 months ago
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craf...
go
No PRs yet
Liferay Portal has stored cross-site scripting (XSS) vulnerability
GHSA-r45v-2289-jgr4 CVE-2025-43794 MODERATE 3 months ago
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4....
maven
No PRs yet
Chaos Controller Manager is vulnerable to OS command injection
GHSA-2gcv-3qpf-c5qr CVE-2025-59361 CRITICAL 3 months ago
The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unaut...
go
No PRs yet
Mattermost makes Use of Weak Hash
GHSA-9p92-x77w-9fw2 CVE-2025-9078 MODERATE 3 months ago
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache key...
go
No PRs yet
Mattermost Open Redirect vulnerability
GHSA-hm95-jx66-g2gh CVE-2025-9084 LOW 3 months ago
Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafte...
go
No PRs yet
Mattermost Missing Authorization vulnerability
GHSA-3vcm-c42p-3hhf CVE-2025-9076 MODERATE 3 months ago
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious...
go
No PRs yet
Hugging Face Transformers library has Regular Expression Denial of Service
GHSA-rcv9-qm8p-9p6j CVE-2025-6051 MODERATE 3 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `norm...
pypi
No PRs yet
Liferay Portal's System, Instance and Site Settings are vulnerable to Open Redirect
GHSA-m55r-9fx8-725j CVE-2025-43795 MODERATE 3 months ago
Open redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA ...
maven
No PRs yet
Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack
GHSA-f3hf-r62c-mfrj CVE-2025-43796 HIGH 3 months ago
Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 does not ...
maven
No PRs yet
Hono has Body Limit Middleware Bypass
GHSA-92vj-g62v-jqhh CVE-2025-59139 MODERATE 3 months ago
### Summary A flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were pr...
npm
2
Dependabot PRs
httpsig-rs: HMAC verification is vulnerable to timing attack
GHSA-q7pg-9pr4-mrp2 CVE-2025-59058 MODERATE 3 months ago
### Summary HMAC signature comparison is not timing-safe and is vulnerable to timing attacks. ### Details `SharedKey::sign()` returns a `Vec<u8>` ...
cargo
No PRs yet
Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
GHSA-wgpv-6j63-x5ph CVE-2025-58434 CRITICAL 3 months ago
### Summary The `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentic...
npm
No PRs yet
Liferay Portal's selection modal is vulnerable to XSS
GHSA-g8fh-pfw3-8rmr CVE-2025-43787 MODERATE 3 months ago
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12...
maven
No PRs yet
Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer
GHSA-59p9-h35m-wg4g CVE-2025-6638 MODERATE 3 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the Ma...
pypi
No PRs yet
Liferay Portal's Organization Selector exposes organization data to remote authenticated users
GHSA-v53g-736w-mgw4 CVE-2025-43788 MODERATE 3 months ago
The organization selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update ...
maven
No PRs yet
Liferay Portal JSON Web Services Direct Class Invocation Enables Service Access Policy Execution
GHSA-q86r-gwqc-jx85 CVE-2025-43789 LOW 3 months ago
JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSG...
maven
No PRs yet
Neo4j Cypher MCP server is vulnerable to DNS rebinding
GHSA-vcqx-v2mg-7chx CVE-2025-10193 HIGH 3 months ago
### Impact DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute un...
pypi
No PRs yet
SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions
GHSA-7vm2-j586-vcvc CVE-2025-11060 MODERATE 3 months ago
`LIVE SELECT` statements are used to capture changes to data within a table in real time. Documents included in `WHERE` conditions and `DELETE` not...
cargo
No PRs yet
Subrion CMS: Authenticated administrators are able to gain escalated access through Run SQL Query tool
GHSA-h8wv-vv58-468h CVE-2025-56556 MODERATE 3 months ago
An issue was discovered in Subrion CMS 4.2.1, allowing authenticated administrators or moderators with access to the built-in Run SQL Query feature ...
packagist
No PRs yet
matrix-sdk-base: Panic in the `RoomMember::normalized_power_level()` method
GHSA-qhj8-q5r6-8q6j CVE-2025-59047 LOW 3 months ago
In matrix-sdk-base before 0.14.1, calling the `RoomMember::normalized_power_level()` method can cause a panic if a room member has a power level of...
cargo
No PRs yet
Axios is vulnerable to DoS attack through lack of data size check
GHSA-4hjh-wcwx-xvwj CVE-2025-58754 HIGH 3 months ago
## Summary When Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes...
npm
4
Dependabot PRs
Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name
GHSA-wr8m-5h2p-4432 CVE-2025-43782 MODERATE 3 months ago
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024....
maven
No PRs yet
Liferay Portal is vulnerable to Insecure Direct Object Reference (IDOR) attack through Authentication Bypass
GHSA-5wxc-3jfw-w94p CVE-2025-43790 HIGH 3 months ago
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024....
maven
No PRs yet
Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods
GHSA-765j-9r45-w2q2 CVE-2025-58065 MODERATE 3 months ago
### Impact When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remain...
pypi
No PRs yet
Prebid-universal-creative latest on npm briefly compromised
GHSA-m662-56rj-8fmm CVE-2025-59039 CRITICAL 3 months ago
### Impact Npm users of PUC 1.17.3 or PUC latest were briefly affected by crypto-related malware detailed in the blog post below. This includes the...
npm
No PRs yet
Prebid.js NPM package briefly compromised
GHSA-jwq7-6j4r-2f92 CVE-2025-59038 HIGH 3 months ago
### Impact NPM users of prebid 10.9.2. The malicious code attempts to redirect crypto transactions on the site to the attackers' wallet. ### Patch...
npm
No PRs yet
jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin
GHSA-33vc-wfww-vjfv CVE-2025-9910 MODERATE 3 months ago
### Vulnerability in jsondiffpatch Versions of `jsondiffpatch` prior to `0.7.2` are vulnerable to Cross-site Scripting (XSS) in the `HtmlFormatter...
npm
No PRs yet
Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage
GHSA-68x2-mx4q-78m7 CVE-2025-59052 HIGH 3 months ago
### Impact Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reaso...
npm
134
Dependabot PRs
0%
Merged
interactive-git-checkout has a Command Injection vulnerability
GHSA-4wcm-7hjf-6xw5 CVE-2025-59046 CRITICAL 3 months ago
The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the ...
npm
No PRs yet
Liferay Portal's Incorrect Authorization vulnerability can lead to guest users to obtaining sensitive data
GHSA-fvp7-jj9m-3qpf CVE-2025-43784 MODERATE 3 months ago
Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 20...
maven
No PRs yet
Liferay Portal is vulnerable to Reflected XSS attack through get_editor path
GHSA-jhgr-j9cj-8j62 CVE-2025-43783 MODERATE 3 months ago
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024....
maven
No PRs yet
Infrahub: Deleted and expired API tokens can still authenticate
GHSA-v2p7-4pv4-3wwh CVE-2025-59036 MODERATE 3 months ago
### Impact A bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API...
pypi
No PRs yet
Shopware: Reflective Cross Site-Scripting (XSS) in CMS components
GHSA-9v82-vcjx-m76j HIGH 3 months ago
### Impact By exploiting XSS vulnerabilities, malicious actors can perform harmful actions in the user's web browser in the session context of the ...
packagist
No PRs yet