An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,921 Total Advisories
1,821 With Dependabot PRs
3,520 Critical Severity
8,659 High Severity

Jenkins Nexus Task Runner Plugin vulnerable to cross-site request forgery
GHSA-x2pv-fph3-phfx CVE-2025-64141 MODERATE about 1 month ago
Jenkins Nexus Task Runner Plugin 0.9.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Rea...
maven
No PRs yet
Jenkins JDepend Plugin vulnerable to XML external entity attacks
GHSA-jfg6-4gx3-3v7w CVE-2025-64134 HIGH about 1 month ago
Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML...
maven
No PRs yet
Jenkins SAML Plugin does not implement a replay cache
GHSA-j7r7-7qmf-xq87 CVE-2025-64131 HIGH about 1 month ago
Jenkins SAML Plugin 4.583.vc68232f7018a_ and earlier does not implement a replay cache. This allows attackers able to obtain information about the...
maven
No PRs yet
Jenkins Azure CLI Plugin does not restrict the commands it executes
GHSA-rh72-238f-g26q CVE-2025-64140 HIGH about 1 month ago
Jenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller. This allows attackers with Item/C...
maven
No PRs yet
Jenkins Themis Plugin vulnerable to cross-site request forgery
GHSA-93mh-mx9w-m69q CVE-2025-64136 MODERATE about 1 month ago
Jenkins Themis Plugin 1.4.1 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permissio...
maven
No PRs yet
Jenkins Curseforge Publisher Plugin stores API Keys unencrypted in job config.xml files
GHSA-23vj-j6jc-w892 CVE-2025-64146 MODERATE about 1 month ago
Jenkins Curseforge Publisher Plugin 1.0 and earlier stores API Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its ...
maven
No PRs yet
Jenkins Start Windocks Containers Plugin is missing a permission check
GHSA-mj6v-4wr4-gj57 CVE-2025-64139 MODERATE about 1 month ago
Jenkins Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overa...
maven
No PRs yet
Jenkins Start Windocks Containers Plugin vulnerable to cross-site request forgery
GHSA-6mgr-3374-4p3c CVE-2025-64138 MODERATE about 1 month ago
Jenkins Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overa...
maven
No PRs yet
Jenkins ByteGuard Build Actions Plugin stores API tokens unencrypted in job config.xml files
GHSA-2vmr-8c82-x8xq CVE-2025-64144 MODERATE about 1 month ago
Jenkins ByteGuard Build Actions Plugin 1.0 and earlier stores API tokens unencrypted in job `config.xml` files on the Jenkins controller as part of...
maven
No PRs yet
Jenkins Eggplant Runner Plugin protection mechanism disabled
GHSA-w5r3-gr8w-7fj5 CVE-2025-64135 MODERATE about 1 month ago
Jenkins Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier sets the Java system property `jdk.http.auth.tunneling.disabledSchemes` to an e...
maven
No PRs yet
Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax
GHSA-9f58-4465-23c7 CVE-2025-62798 MODERATE about 1 month ago
A Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affect...
packagist
No PRs yet
NextAuth.js email misdelivery vulnerability
GHSA-5jpx-9hw9-2fx4 MODERATE about 1 month ago
NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in `nodemail...
npm
No PRs yet
Keras is vulnerable to arbitrary local file loading and Server-Side Request Forgery
GHSA-mq84-hjqx-cwf2 CVE-2025-12058 MODERATE about 1 month ago
The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local f...
pypi
No PRs yet
Consul event endpoint is vulnerable to denial of service
GHSA-qh7p-pfq3-677h CVE-2025-11375 MODERATE about 1 month ago
Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Lengt...
go
3 Dependabot PRs
Consul key/value endpoint is vulnerable to denial of service
GHSA-7g3r-8c6v-hfmr CVE-2025-11374 MODERATE about 1 month ago
Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header valida...
go
3 Dependabot PRs
Starlette vulnerable to O(n^2) DoS via Range header merging in `starlette.responses.FileResponse`
GHSA-7f5h-v6xp-fcq8 CVE-2025-62727 HIGH about 1 month ago
An unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's `FileResponse` ...
pypi
33 Dependabot PRs
PrivateBin is missing HTML sanitization of attached filename in file size hint
GHSA-867c-p784-5q6g CVE-2025-62796 MODERATE about 1 month ago
We’ve identified an HTML injection/XSS vulnerability in PrivateBin service that allows the injection of arbitrary HTML markup via the attached file...
packagist
No PRs yet
Contrast has insecure LUKS2 persistent storage partitions which may be opened and used
GHSA-f5p4-p5q5-jv3h MODERATE about 1 month ago
A malicious host may provide a crafted LUKS2 volume to a Contrast pod VM that uses the [secure persistent volume](https://docs.edgeles...
go
No PRs yet
InventoryGui allows item duplication in GUIs which use GuiStorageElement
GHSA-7whh-79j3-7c55 CVE-2025-62784 MODERATE about 1 month ago
Impact: Any plugin using a GUI with the GuiStorageElement that allows taking items out of that element. Patches: InventoryGui 1.6.5 (incl...
maven
No PRs yet
Astro's bypass of image proxy domain validation leads to SSRF and potential XSS
GHSA-qcpr-679q-rhm2 CVE-2025-59837 HIGH about 1 month ago
This is a patch bypass of CVE-2025-58179 in commit [9ecf359](https://github.com/withastro/astro/commit/9ecf3598e2b29dd74614328fde3047e...
npm
No PRs yet
Sliver has unrestricted traffic between Wireguard clients
GHSA-q8j9-34qf-7vq7 CVE-2025-27093 MODERATE about 1 month ago
Sliver's custom Wireguard netstack doesn't limit traffic between Wireguard clients, this could lead to: 1. Leaked/recovered keypair (fr...
go
No PRs yet
Keycloak vulnerable to session takeovers due to reuse of session identifiers
GHSA-rg35-5v25-mqvp CVE-2025-12390 MODERATE about 1 month ago
A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browse...
maven
No PRs yet
ImageMagick has Integer Overflow in BMP Decoder (ReadBMP)
GHSA-9pp9-cfwx-54rm CVE-2025-62171 MODERATE about 1 month ago
CVE-2025-57803 claims to be patched in ImageMagick 7.1.2-2, but **the fix is incomplete and ineffective**. The latest version **7.1.2-5...
nuget
2 Dependabot PRs
Liferay Portal Vulnerable to DoS via Crafted Headless API Request
GHSA-vgqx-447m-wvcj CVE-2025-62260 HIGH about 1 month ago
Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older u...
maven
No PRs yet
Liferay Portal Vulnerable to CSRF in Headless APIs
GHSA-gh4w-8qgq-8w9r CVE-2025-62258 HIGH about 1 month ago
CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92...
maven
No PRs yet
Liferay Portal Does Not Limit Access to APIs Before Email Verification
GHSA-gv7w-jh8g-vr73 CVE-2025-62259 MODERATE about 1 month ago
Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 ...
maven
No PRs yet
Liferay Portal Stores Password Reset Tokens in Plain Text
GHSA-xcj6-xpjg-c4xr CVE-2025-62261 MODERATE about 1 month ago
Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 G...
maven
No PRs yet
ImageMagick CLAHE: Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS)
GHSA-wpp4-vqfq-v4hp CVE-2025-62594 MODERATE about 1 month ago
A single root cause in the CLAHE implementation — tile width/height becoming zero — produces two distinct but related unsafe behaviors....
nuget
1 Dependabot PR
Liferay Portal Vulnerable to Information Exposure Through a Log File Vulnerability in LDAP Import Feature
GHSA-cw79-fq4f-9r96 CVE-2025-62262 MODERATE about 1 month ago
Information exposure through log file vulnerability in LDAP import feature in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions...
maven
No PRs yet
Liferay Portal Vulnerable to Open Redirect via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_redirect parameter
GHSA-2pwh-9q9q-5r9c CVE-2025-62253 MODERATE about 1 month ago
Open redirect vulnerability in page administration in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions, and Liferay DXP 2023.Q...
maven
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting
GHSA-8mgf-rgg5-w38q CVE-2025-62263 MODERATE about 1 month ago
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.7 through 7.4.3.103, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA ...
maven
No PRs yet
Keycloak TLS Client-Initiated Renegotiation Denial of Service
GHSA-q8hq-4h99-fj7x CVE-2025-11419 HIGH about 1 month ago
Keycloak is vulnerable to a Denial of Service (DoS) attack due to the default JDK setting that permits Client-Initiated Renegotiation in TLS 1.2. A...
maven
No PRs yet
Docker Compose Vulnerable to Path Traversal via OCI Artifact Layer Annotations
GHSA-gv8h-7v7w-r22q CVE-2025-62725 HIGH about 1 month ago
Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.exten...
go
No PRs yet
Wasmtime vulnerable to segfault when using component resources
GHSA-4h67-722j-5pmc CVE-2025-62711 LOW about 1 month ago
Impact: The implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully cra...
cargo
2 Dependabot PRs
BBOT's gitlab.py exposes globally configured "gitlab" API key
GHSA-p3v4-c93g-cmhw CVE-2025-10282 MODERATE about 1 month ago
bbot's `gitlab.py` sends the user's "gitlab" API key to on-premise GitLab instances. If a user has configured a gitlab.com API key us...
pypi
No PRs yet
InventoryGui allows item duplication with experimental "Bundle" item in GUIs which use GuiStorageElement
GHSA-rgvh-4m82-fvjq CVE-2025-62782 MODERATE about 1 month ago
Impact: Any plugin using the GuiStorageElement is impacted when used on a server which allows the (currently experimental) Bundle items. Pa...
maven
No PRs yet
InventoryGui affected by item duplication in GUIs which use GuiStorageElement
GHSA-598q-jw82-5w66 CVE-2025-62783 MODERATE about 1 month ago
Impact: Any plugin using the `GuiStorageElement` is impacted. Patches: Patched with https://github.com/Phoenix616/InventoryGui/commit/27a52e...
maven
No PRs yet
Apache Tomcat Vulnerable to Relative Path Traversal
GHSA-wmwf-9ccg-fff5 CVE-2025-55752 HIGH about 1 month ago
The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, f...
maven
No PRs yet
Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences
GHSA-vfww-5hm6-hx2j CVE-2025-55754 LOW about 1 month ago
Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supp...
maven
No PRs yet
pg8000 SQL injection vulnerability via a specially crafted Python list input
GHSA-wq2g-r956-j8cc CVE-2025-61385 HIGH about 1 month ago
SQL injection vulnerability in tlocke pg8000 1.31.4 allows remote attackers to execute arbitrary SQL commands via a specially crafted Python list i...
pypi
1 Dependabot PR
Apache Tomcat Vulnerable to Improper Resource Shutdown or Release
GHSA-hgrr-935x-pq79 CVE-2025-61795 LOW about 1 month ago
If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to di...
maven
No PRs yet
Constellation has insecure LUKS2 persistent storage partitions which may be opened and used
GHSA-hq76-6gh2-5g4q CVE-2025-58356 HIGH about 1 month ago
A malicious host may provide a crafted LUKS2 volume to a confidential computing guest that is using the [OpenCryptDevice](https://githu...
go
No PRs yet
LangGraph's SQLite store implementation has a SQL Injection Vulnerability
GHSA-4h97-wpxp-3757 CVE-2025-8709 HIGH about 1 month ago
A SQL injection vulnerability exists in the langchain-ai/langgraph repository, specifically in the LangGraph's SQLite store implementation. The aff...
pypi
No PRs yet
Bouncy Castle Vulnerable to Uncontrolled Resource Consumption
GHSA-jv6h-4262-q663 CVE-2025-12194 MODERATE about 1 month ago
Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legio...
maven
No PRs yet
Hono vulnerable to Vary Header Injection leading to potential CORS Bypass
GHSA-q7jf-gf43-6x6p MODERATE about 1 month ago
A flaw in the CORS middleware allowed request `Vary` headers to be reflected into the response, enabling attacker-controlled `Vary` v...
npm
6 Dependabot PRs
Rancher exposes sensitive information through audit logs
GHSA-mw39-9qc2-f7mg CVE-2024-58269 MODERATE about 1 month ago
Impact: **Note: The exploitation of this issue requires that the malicious user have access to Rancher’s audit log storage.** A vulnerability h...
go
No PRs yet
Karmada Dashboard API Unauthorized Access Vulnerability
GHSA-5qjg-9mjh-4r92 CVE-2025-62714 CRITICAL about 1 month ago
Impact: This is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/se...
go
No PRs yet
Rancher user retains access to clusters despite Global Role removal
GHSA-j4vr-pcmw-hx59 CVE-2023-32199 MODERATE about 1 month ago
Impact: A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or...
go
No PRs yet
Liferay Portal ComboServlet denial of service via large file combination
GHSA-q95h-87j6-273x CVE-2025-62254 MODERATE about 1 month ago
The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 ...
maven
No PRs yet
Hashicorp Vault and Vault Enterprise vulnerable to a denial of service when processing JSON
GHSA-vp5w-xcfc-73wf CVE-2025-12044 HIGH about 1 month ago
Vault and Vault Enterprise ("Vault") are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a reg...
go
No PRs yet