Security Advisories
Browse security advisories and track which Dependabot PRs address them.
25,050 total advisories; 1,846 with Dependabot PRs; 3,534 critical severity; 8,712 high severity.
Apache Airflow: Connection sensitive details exposed to users with READ permissions
GHSA-q475-2pgm-7hvp CVE-2025-54831 MODERATE 3 months ago
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connec...
pypi
No PRs yet
Liferay Portal and DXP vulnerable to a memory leak
GHSA-hrqm-qpw9-w8rv CVE-2025-43816 MODERATE 3 months ago
A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP...
maven
No PRs yet
ml-logger file handler allows reading arbitrary files
GHSA-9x36-c74v-fgr6 CVE-2025-10952 MODERATE 3 months ago
A security flaw has been discovered in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Affected by this issue is the function stre...
pypi
No PRs yet
ml-logger has path traversal in the file argument
GHSA-8x9j-2p8r-7xc6 CVE-2025-10951 MODERATE 3 months ago
A vulnerability was identified in geyang ml-logger 0.10.36 and prior. Affected by this vulnerability is the function log_handler of the file ml_log...
pypi
No PRs yet
lobe-chat has an Open Redirect
GHSA-xph5-278p-26qx CVE-2025-59426 MODERATE 3 months ago
Description. Vulnerability Overview: The project's OIDC redirect handling logic constructs the host and protocol of the final red...
npm
No PRs yet
json-schema-editor-visual vulnerable to prototype pollution
GHSA-3c3p-xh4f-pfh7 CVE-2025-57320 MODERATE 3 months ago
json-schema-editor-visual is a package that provides jsonschema editor. A Prototype Pollution vulnerability in the setData and deleteData function ...
npm
No PRs yet
parse is vulnerable to prototype pollution
GHSA-9g8m-v378-pcg3 CVE-2025-57324 MODERATE 3 months ago
parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState funct...
npm
3 Dependabot PRs, 33% merged
Llama Stack could potentially allow for remote code execution
GHSA-x75h-m6jj-6cj2 CVE-2025-55178 MODERATE 3 months ago
Llama Stack prior to version v0.2.20 accepted unverified parameters in the resolve_ast_by_type function which could potentially allow for remote co...
pypi
No PRs yet
ts-fns has prototype pollution vulnerability
GHSA-g7wq-wggw-vmhg CVE-2025-57351 MODERATE 3 months ago
A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in t...
npm
No PRs yet
Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure
GHSA-xh92-rqrq-227v CVE-2025-61685 MODERATE 3 months ago
The Mastra Docs MCP Server package `@mastra/mcp-docs-server` is a server designed to provide documentation context to AI agentic workflows, such as...
npm
No PRs yet
counterpart vulnerable to prototype pollution
GHSA-2488-w585-72ch CVE-2025-57354 MODERATE 3 months ago
A vulnerability exists in the `counterpart` library for Node.js and the browser due to insufficient sanitization of user-controlled input in transl...
npm
No PRs yet
CSVTOJSON has a prototype pollution vulnerability
GHSA-vrw9-g62v-7fmf CVE-2025-57350 MODERATE 3 months ago
The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability ...
npm
6 Dependabot PRs
messageformat prototype pollution vulnerability
GHSA-6xv4-9cqp-92rh CVE-2025-57353 MODERATE 3 months ago
The Runtime components of messageformat package for Node.js version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validati...
npm
20 Dependabot PRs
pip's fallback tar extraction doesn't check symbolic links point to extraction directory
GHSA-4xh5-x5gv-qwph CVE-2025-8869 MODERATE 3 months ago
Summary: In the fallback extraction path for source distributions, `pip` used Python’s `tarfile` module without verifying that symbolic/hard li...
pypi
5 Dependabot PRs
Apache ZooKeeper: Insufficient Permission Check in AdminServer Snapshot/Restore Commands
GHSA-2hmj-97jw-28jh CVE-2025-58457 MODERATE 3 months ago
Improper permission checks in the AdminServer allow an authenticated client with insufficient privileges to invoke the `snapshot` and `restore` com...
maven
No PRs yet
Apache IoTDB: DoS Vulnerability
GHSA-vx84-xvr8-w24c CVE-2025-48392 MODERATE 3 months ago
A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4. Users are recommended ...
maven
No PRs yet
Liferay Portal and DXP does not properly expire sessions
GHSA-rpx3-f938-xj5q CVE-2025-43819 MODERATE 3 months ago
Summary: Liferay Portal/DXP contains an Insufficient Session Expiration issue where the Single Logout (SLO) API may fail to invalidate a user’s...
maven
No PRs yet
WSO2 Identity Server Apps allows content spoofing in logs
GHSA-r6f3-55wj-g9p3 CVE-2024-6429 MODERATE 3 months ago
A content spoofing issue exists in WSO2 Identity Server Apps, specifically in the Authentication Portal, due to improper handling of authentication...
maven
No PRs yet
astral-tokio-tar has a path traversal in tar extraction
GHSA-3wgq-wrwc-vqmv CVE-2025-59825 MODERATE 3 months ago
Impact: In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using ...
cargo
No PRs yet
Http4s vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section
GHSA-wcwh-7gfw-5wrr CVE-2025-59822 MODERATE 3 months ago
Summary: http4s is vulnerable to HTTP Request Smuggling due to improper handling of the HTTP trailer section. This vulnerability could enable attack...
maven
No PRs yet
Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer
GHSA-4w7r-h757-3r74 CVE-2025-6921 MODERATE 3 months ago
The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDeca...
pypi
No PRs yet
WSO2 carbon-apimgt affected by an authenticated stored cross-site scripting (XSS) vulnerability
GHSA-cmjc-qp7j-xgwr CVE-2025-4760 MODERATE 3 months ago
An authenticated stored Cross-Site Scripting (XSS) vulnerability exists in WSO2 API Manager components (`carbon-apimgt`) due to insufficient valida...
maven
No PRs yet
DNN vulnerable to Reflected Cross-Site Scripting (XSS) using url to profile
GHSA-jc4g-c8ww-5738 CVE-2025-59821 MODERATE 3 months ago
Summary: A reflected cross-site scripting (XSS) vulnerability exists under certain conditions, using a specially crafted url to view a user profil...
nuget
No PRs yet
Liferay Portal and DXP audit events record password reminder answers
GHSA-ph63-chvv-8x46 CVE-2025-43814 MODERATE 3 months ago
In Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.1...
maven
No PRs yet
Liferay Portal and DXP allows users to add a note to a different virtual instance
GHSA-f372-9rcj-8w2c CVE-2025-43810 MODERATE 3 months ago
Insecure Direct Object Reference (IDOR) vulnerability with commerce order notes in Liferay Portal 7.3.5 through 7.4.3.112, and Liferay DXP 2023.Q4....
maven
No PRs yet
Liferay Portal and DXP does not properly check permission with import and export tasks
GHSA-pm45-xx4q-fmv7 CVE-2025-43806 MODERATE 3 months ago
Batch Engine in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA throu...
maven
No PRs yet
DNN affected by Stored Cross-Site Scripting (XSS) in Profile Biography field
GHSA-7rcc-q6rq-jpcm CVE-2025-59539 MODERATE 3 months ago
Summary: Users can use special syntax to inject javascript code in their profile biography field. Although there was sanitization in place, it di...
nuget
No PRs yet
DNN allows loading unused themes on anonymous clients through query parameters
GHSA-wq2j-w9pm-7x2p CVE-2025-59535 MODERATE 3 months ago
Summary: Arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page...
nuget
No PRs yet
Liferay has a stored cross-site scripting (XSS) vulnerability via a publication’s “Name” text field
GHSA-jh9h-8xf2-25wj CVE-2025-43807 MODERATE 3 months ago
Stored cross-site scripting (XSS) vulnerability in the notifications widget in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 th...
maven
No PRs yet
CodeChecker has a buffer overflow in the log command
GHSA-5xf2-f6ch-6p8r CVE-2025-40843 MODERATE 3 months ago
Summary: CodeChecker versions up to 6.26.1 contain a buffer overflow vulnerability in the internal `ldlogger` library, which is executed by the ...
pypi
No PRs yet
Mailgen: HTML injection vulnerability in plaintext e-mails
GHSA-j2xj-h7w5-r7vp CVE-2025-59526 MODERATE 3 months ago
HTML Injection and XSS Filter Bypass in Plaintext Emails. Summary: An HTML injection vulnerability in plaintext emails generated by Mailgen ha...
npm
No PRs yet
@conventional-changelog/git-client has Argument Injection vulnerability
GHSA-vh25-5764-9wcr CVE-2025-59433 MODERATE 3 months ago
Background on exploitation: This vulnerability manifests with the library's `getTags()` API, which allows specifying extra parameters passed to ...
npm
23 Dependabot PRs
Liferay Portal Commerce component has Incorrect Permission Assignment for Critical Resource
GHSA-chr3-w547-85hw CVE-2025-43808 MODERATE 3 months ago
The Commerce component in Liferay Portal 7.3.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA...
maven
No PRs yet
Liferay Portal Cross-Site Request Forgery (CSRF) vulnerability
GHSA-697h-3q6m-jwp4 CVE-2025-43809 MODERATE 3 months ago
Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal 7.4.0 through 7.4.3.111, and older unsu...
maven
No PRs yet
Liferay Contacts Center widget has insecure direct object reference
GHSA-8c8v-r5jj-4425 CVE-2025-43803 MODERATE 3 months ago
Insecure direct object reference (IDOR) vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupporte...
maven
No PRs yet
Grafana-Zabbix ReDoS vulnerability
GHSA-g4rr-88fc-26fj CVE-2025-10630 MODERATE 3 months ago
Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana that allows visualizing monitoring data f...
go
No PRs yet
@digitalocean/do-markdownit has Type Confusion vulnerability
GHSA-2h8j-8r9p-849f CVE-2025-59717 MODERATE 3 months ago
Overview: A type confusion issue exists in the `@digitalocean/do-markdownit` package. In the `callout` and `fence_environment` plugins, the `all...
npm
No PRs yet
Snipe-IT allows unsafe deserialization
GHSA-phwj-fgch-xvrj CVE-2025-59713 MODERATE 3 months ago
Snipe-IT before 8.1.18 allows unsafe deserialization.
packagist
No PRs yet
Snipe-IT allows XSS
GHSA-c9wp-pr7f-hfqm CVE-2025-59712 MODERATE 3 months ago
Snipe-IT before 8.1.18 allows XSS.
packagist
No PRs yet
Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages
GHSA-m79r-r765-5f9j CVE-2025-59417 MODERATE 3 months ago
Summary: We identified a cross-site scripting (XSS) vulnerability when handling chat messages in lobe-chat that can be escalated to remote code ...
npm
No PRs yet
@sequa-ai/sequa-mcp has Command Injection vulnerability
GHSA-9pw5-wx67-q964 CVE-2025-10619 MODERATE 3 months ago
A vulnerability was detected in sequa-ai sequa-mcp up to 1.0.13. This affects the function redirectToAuthorization of the file src/helpers/node-oau...
npm
No PRs yet
Parcel has an Origin Validation Error vulnerability
GHSA-qm9p-f9j5-w83w CVE-2025-56648 MODERATE 3 months ago
parcel versions 1.6.1 and above have an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's dev...
npm
No PRs yet
Keycloak SMTP Injection Vulnerability
GHSA-m4j5-5x4r-2xp9 CVE-2025-8419 MODERATE 3 months ago
Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to...
maven
No PRs yet
DragonFly's tiny file download uses hard coded HTTP protocol
GHSA-mcvp-rpgg-9273 CVE-2025-59410 MODERATE 3 months ago
Impact: The code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an atta...
go
No PRs yet
DragonFly has weak integrity checks for downloaded files
GHSA-hx2h-vjw2-8r54 CVE-2025-59354 MODERATE 3 months ago
Impact: DragonFly2 uses a variety of hash functions, including the MD5 hash. This algorithm does not provide collision resistance; it is sec...
go
No PRs yet
DragonFly vulnerable to arbitrary file read and write on a peer machine
GHSA-79hx-3fp8-hj66 CVE-2025-59352 MODERATE 3 months ago
Impact: A peer exposes the gRPC API and HTTP API for consumption by other peers. These APIs allow peers to send requests that force the recipien...
go
No PRs yet
DragonFly vulnerable to panics due to nil pointer dereference when using variables created alongside an error
GHSA-4mhv-8rh3-4ghw CVE-2025-59351 MODERATE 3 months ago
Impact: We found two instances in the DragonFly codebase where the first return value of a function is dereferenced even when the function retur...
go
No PRs yet
Dragonfly vulnerable to timing attacks against Proxy’s basic authentication
GHSA-c2fc-9q9c-5486 CVE-2025-59350 MODERATE 3 months ago
Impact: The access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An atta...
go
No PRs yet
Dragonfly incorrectly handles a task structure’s usedTrac field
GHSA-2qgr-gfvj-qpcr CVE-2025-59348 MODERATE 3 months ago
Impact: The processPieceFromSource method (figure 4.1) is part of a task processing mechanism. The method writes pieces of data to storage, upda...
go
No PRs yet
Dragonfly's manager makes requests to external endpoints with disabled TLS authentication
GHSA-98x5-jw98-6c97 CVE-2025-59347 MODERATE 3 months ago
Impact: The Manager disables TLS certificate verification in two HTTP clients (figures 3.1 and 3.2). The clients are not configurable, so users...
go
No PRs yet