An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,921

With Dependabot PRs: 1,821

Critical Severity: 3,520

High Severity: 8,659

ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
GHSA-4249-gjr8-jpq3 HIGH 24 days ago
### Impact The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag cont...
rubygems
No PRs yet
SpiceDB WriteRelationships fails silently if payload is too big
GHSA-pm3x-jrhh-qcr7 CVE-2025-64529 LOW 24 days ago
### Impact Users who: 1. Use the exclusion operator somewhere in their authorization schema. 1. Have configured their SpiceDB server such that `--...
go
No PRs yet
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
GHSA-hr2q-hp5q-x767 CVE-2025-64525 MODERATE 24 days ago
## Summary In impacted versions of Astro using [on-demand rendering](https://docs.astro.build/en/guides/on-demand-rendering/), request headers `x-...
npm
No PRs yet
Astro development server error page is vulnerable to reflected Cross-site Scripting
GHSA-w2vj-39qv-7vh7 CVE-2025-64745 LOW 24 days ago
## Summary A Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configur...
npm
No PRs yet
File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency
GHSA-6jqf-mv7m-3q7p CRITICAL 24 days ago
The standard library `net/http` package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-siz...
go
No PRs yet
File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function
GHSA-6cqf-cfhv-659g CVE-2025-64523 HIGH 24 days ago
### Summary An Insecure Direct Object Reference (IDOR) vulnerability has been found in the FileBrowser application's share deletion functionalit...
go
No PRs yet
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable
GHSA-7f2v-3qq3-vvjf CVE-2025-59840 HIGH 24 days ago
## Impact Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" [expressionInterpreter](https:...
npm
No PRs yet
AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance
GHSA-8wj8-cfxr-9374 HIGH 24 days ago
### Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. ...
npm
No PRs yet
AWS Advanced Go Wrapper: Privilege Escalation in Aurora PostgreSQL Instance
GHSA-7wq2-32h4-9hc9 HIGH 24 days ago
### Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. ...
go
No PRs yet
Amazon Web Services Advanced JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance
GHSA-7xw4-g7mm-r4hh HIGH 24 days ago
### Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A...
maven
No PRs yet
AWS Advanced Python Wrapper: Privilege Escalation in Aurora PostgreSQL instance
GHSA-4jvf-wx3f-2x8q CVE-2025-12967 HIGH 24 days ago
### Description of Vulnerability: An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. ...
pypi
No PRs yet
Mattermost Incorrect Authorization vulnerability
GHSA-mqcj-8c2g-h97q CVE-2025-11777 LOW 24 days ago
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, whic...
go
No PRs yet
Incus vulnerable to local privilege escalation through custom storage volumes
GHSA-56mx-8g9f-5crf CVE-2025-64507 HIGH 24 days ago
### Impact This affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom sto...
go
No PRs yet
Milvus Proxy has a Critical Authentication Bypass Vulnerability
GHSA-mhjq-8c7m-3f7p CVE-2025-64513 CRITICAL 24 days ago
### Impact _What kind of vulnerability is it? Who is impacted?_ An unauthenticated attacker can exploit this vulnerability to bypass all authentica...
go
No PRs yet
sudo-rs doesn't record authenticating user properly in timestamp
GHSA-q428-6v73-fc4q CVE-2025-64517 MODERATE 24 days ago
### Summary When `Defaults targetpw` (or `Defaults rootpw`) is enabled, the password of the target account (or root account) instead of the invokin...
cargo
No PRs yet
pgAdmin is affected by an LDAP injection vulnerability
GHSA-cvf4-f829-762v CVE-2025-12764 HIGH 24 days ago
pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP charac...
pypi
No PRs yet
pgAdmin4 vulnerable to Remote Code Execution (RCE) when running in server mode
GHSA-w2p4-p4rh-qcm3 CVE-2025-12762 CRITICAL 24 days ago
pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing resto...
pypi
No PRs yet
pgAdmin has vulnerability in LDAP authentication mechanism that allows bypassing TLS certificate verification
GHSA-g4r8-3qmh-pmch CVE-2025-12765 HIGH 24 days ago
pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism that allows bypassing TLS certificate verification.
pypi
No PRs yet
pgAdmin 4 has command injection vulnerability on Windows systems
GHSA-rm79-x4g6-hvg5 CVE-2025-12763 MODERATE 24 days ago
pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True du...
pypi
No PRs yet
Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)
GHSA-rrx3-2x4g-mq2h CVE-2025-64509 HIGH 25 days ago
### Impact In affected versions, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, le...
pypi
No PRs yet
Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input
GHSA-fc2v-vcwj-269v CVE-2025-64508 HIGH 25 days ago
### Impact In affected versions, brotli "bombs" (highly compressed brotli streams, such as many zeros) can be sent to the server. Since the server...
pypi
No PRs yet
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
GHSA-7cx5-254x-cgrq CVE-2025-64502 MODERATE 25 days ago
### Impact The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning be...
npm
No PRs yet
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
GHSA-3rg7-wf37-54rm CVE-2025-64500 HIGH 25 days ago
### Description The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't ...
packagist
No PRs yet
Evervault Go SDK: Incomplete PCR Validation in Enclave Attestation for non-Evervault hosted Enclaves
GHSA-88h9-77c7-p6w4 CVE-2025-64186 HIGH 25 days ago
### Summary A vulnerability was identified in the `evervault-go` SDK’s attestation verification logic that may allow incomplete documents to pass ...
go
No PRs yet
OAuth2-Proxy is vulnerable to header smuggling via underscore leading to potential privilege escalation
GHSA-vjrc-mh2v-45x6 CVE-2025-64484 HIGH 25 days ago
### Impact All deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based framewor...
go
No PRs yet
Wasmtime provides unsound API access to a WebAssembly shared linear memory
GHSA-hc7m-r6v8-hg9q CVE-2025-64345 LOW 25 days ago
### Impact Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which p...
cargo
3 Dependabot PRs
sudo-rs: Partial password reveal is possible after timeout
GHSA-c978-wq47-pvvw CVE-2025-64170 LOW 25 days ago
### Summary If a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens,...
cargo
No PRs yet
OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed
GHSA-39hr-239p-fhqc CVE-2025-64099 HIGH 25 days ago
### Summary If the "claims_parameter_supported" parameter is activated, it is possible through the "oidc-claims-extension.groovy" script, to inject...
maven
No PRs yet
changedetection.io: Stored XSS in Watch update via API
GHSA-4c3j-3h7v-22q9 CVE-2025-62780 LOW 25 days ago
### Summary A Stored Cross Site Scripting is present in the changedetection.io Watch update API due to insufficient security checks. ### Details ...
pypi
No PRs yet
jose2go is vulnerable to a JWT bomb attack through its decode function
GHSA-9mj6-hxhv-w67j CVE-2025-63811 HIGH 25 days ago
An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encry...
go
No PRs yet
Observability Operator is vulnerable to Incorrect Privilege Assignment through its Custom Resource MonitorStack
GHSA-mj6p-p843-x5wc CVE-2025-2843 HIGH 25 days ago
A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with *ClusterRole* upon deployment of the *Namespace-Scoped* ...
go
No PRs yet
TYPO3 Modules Extension has Improper Authentication vulnerability
GHSA-49qv-h8pm-73pf CVE-2025-12998 HIGH 25 days ago
Improper Authentication vulnerability in TYPO3 Extension "Modules" codingms/modules. This issue affects Extension "Modules": before 4.3.11, from 5....
packagist
No PRs yet
Soft Serve is vulnerable to SSRF through its Webhooks
GHSA-vwq2-jx9q-9h9f CVE-2025-64522 CRITICAL 27 days ago
SUMMARY We have identified and verified an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create w...
go
No PRs yet
TorrentPier is Vulnerable to Authenticated SQL Injection through Moderator Control Panel's topic_id parameter
GHSA-4rwr-8c3m-55f6 CVE-2025-64519 HIGH 27 days ago
### Summary An authenticated SQL injection vulnerability exists in the moderator control panel (`modcp.php`). Users with moderator permissions can ...
packagist
No PRs yet
CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection
GHSA-6fhj-vr9j-g45r CVE-2025-64518 HIGH 27 days ago
### Impact The XML [`Validator`](https://docs.oracle.com/javase/8/docs/api/javax/xml/validation/Validator.html) used by cyclonedx-core-java was no...
maven
2 Dependabot PRs
Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand
GHSA-g4mf-96x5-5m2c CVE-2025-12613 HIGH 27 days ago
Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containi...
npm
No PRs yet
EverShop is vulnerable to Unauthorized Order Information Access (IDOR)
GHSA-c73g-mx2w-cc93 CVE-2025-12919 LOW 28 days ago
A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolv...
npm
No PRs yet
Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc
GHSA-f83h-ghpp-7wcc HIGH 30 days ago
### 🚀 Overview This report **demonstrates a real-world privilege escalation** vulnerability in [pdfminer.six](https://github.com/pdfminer/pdfminer...
pypi
No PRs yet
Arbitrary Code Execution in pdfminer.six via Crafted PDF Input
GHSA-wf5f-4jwr-ppcp CVE-2025-64512 HIGH 30 days ago
### Summary pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()`...
pypi
2 Dependabot PRs
KubeVirt Vulnerable to Arbitrary Host File Read and Write
GHSA-46xp-26xh-hpqh CVE-2025-64324 HIGH 30 days ago
### Summary The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, the impl...
go
No PRs yet
AstrBot has an arbitrary file read vulnerability in function _encode_image_bs64
GHSA-vm2f-46xc-5jc3 CVE-2025-57697 MODERATE 30 days ago
AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Since the _encode_image_bs64 function defined in e...
pypi
No PRs yet
AstrBot contains a directory traversal vulnerability
GHSA-xrj9-mw57-j34v CVE-2025-57698 HIGH 30 days ago
AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-...
pypi
No PRs yet
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
GHSA-cm35-v4vp-5xvx CVE-2025-64496 HIGH 30 days ago
### Summary Open WebUI v0.6.33 and below contains a code injection vulnerability in the Direct Connections feature that allows malicious external m...
npm pypi
No PRs yet
Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE
GHSA-w7xj-8fx7-wfch CVE-2025-64495 HIGH 30 days ago
### Summary The functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabl...
npm pypi
No PRs yet
Nuxt DevTools vulnerable to cross-site scripting (XSS)
GHSA-xmq3-q5pm-rp26 CVE-2025-52662 MODERATE about 1 month ago
A vulnerability in Nuxt DevTools has been fixed in version **2.6.4**. This issue may have allowed Nuxt auth token extraction via XSS under certain...
npm
No PRs yet
Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files
GHSA-rwvc-j5jr-mgvh CVE-2025-48985 LOW about 1 month ago
A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass fil...
npm
No PRs yet
Soft Serve does not sanitize ANSI escape sequences in user input
GHSA-fv2r-r8mp-pg48 CVE-2025-64494 MODERATE about 1 month ago
### Impact In several places where the user can insert data (e.g. names), ANSI escape sequences are not being removed, which can then be used, for ...
go
No PRs yet
KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes
GHSA-2r4r-5x78-mvqf CVE-2025-64437 MODERATE about 1 month ago
### Summary _Short summary of the problem. Make the impact and severity as clear as possible. It is possible to trick the `virt-handler` component...
go
No PRs yet
KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes
GHSA-7xgm-5prm-v5gc CVE-2025-64436 MODERATE about 1 month ago
### Summary The permissions granted to the `virt-handler` service account, such as the ability to update VMI and patch nodes, could be abused to f...
go
No PRs yet
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation
GHSA-9m94-w2vq-hcf9 CVE-2025-64435 MODERATE about 1 month ago
### Summary _Short summary of the problem. Make the impact and severity as clear as possible. A logic flaw in the `virt-controller` allows an atta...
go
No PRs yet