Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,768 Total Advisories
1,784 With Dependabot PRs
3,504 Critical Severity
8,609 High Severity
REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]
GHSA-x6vr-q3vf-vqgq CVE-2025-66026 MODERATE about 3 hours ago
### Summary
A reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter `args[types]` is rendered...
packagist
No PRs yet
libnftnl has Heap-based Buffer Overflow in nftnl::Batch::with_page_size (nftnl-rs)
GHSA-2fjw-whxm-9v4q CRITICAL about 3 hours ago
A heap-buffer-overflow vulnerability exists in the Rust wrapper for libnftnl, triggered via the nftnl::Batch::with_page_size constructor. When a sm...
cargo
No PRs yet
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation
GHSA-675q-66gf-gqg8 MODERATE about 4 hours ago
### Summary
During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter ...
npm
No PRs yet
OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization
GHSA-g9gq-3pfx-2gw2 CVE-2025-66021 HIGH about 5 hours ago
### Summary
It is observed that OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows `noscript` and `style` tags with `allowT...
maven
No PRs yet
Better Auth Passkey Plugin allows passkey deletion through IDOR
GHSA-4vcf-q4xf-f48m HIGH about 5 hours ago
# Summary
Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using `...
npm
No PRs yet
Contao is vulnerable to cross-site scripting in templates
GHSA-68q5-78xp-cwwc CVE-2025-65961 LOW about 6 hours ago
### Impact
It is possible to inject code into the template output that will be executed in the browser in the front end and back end.
### Patches...
packagist
No PRs yet
Contao is vulnerable to remote code execution in template closures
GHSA-98vj-mm79-v77r CVE-2025-65960 MODERATE about 6 hours ago
### Impact
Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required...
packagist
No PRs yet
cggmp24 and cggmp21 are vulnerable to signature forgery through altered presignatures
GHSA-8frv-q972-9rq5 CVE-2025-66017 HIGH about 6 hours ago
### Impact
This attack is against presignatures used in very specific context:
* Presignatures + HD wallets derivation: security level reduces to 8...
cargo
No PRs yet
cggmp21 has a missing check in the ZK proof used in CGGMP21
GHSA-m95p-425x-x889 CVE-2025-66016 CRITICAL about 6 hours ago
### Impact
cggmp21 concerns a missing check in the ZK proof that enables an attack in which a single malicious signer can reconstruct full private...
cargo
No PRs yet
VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM
GHSA-66jq-2c23-2xh5 CVE-2025-65942 LOW about 6 hours ago
### Impact
Affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malforme...
go
No PRs yet
Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer
GHSA-xv5p-fjw5-vrj6 CVE-2025-62703 HIGH about 6 hours ago
### Summary
The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server i...
pypi
No PRs yet
GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature
GHSA-fjf5-xgmq-5525 CVE-2025-58360 HIGH about 8 hours ago
## Description
An XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint ``/geoserv...
maven
No PRs yet
GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format
GHSA-w66h-j855-qr72 CVE-2025-21621 MODERATE about 8 hours ago
### Summary
A reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker...
maven
No PRs yet
body-parser is vulnerable to denial of service when url encoding is used
GHSA-wqch-xfxh-vrr4 CVE-2025-13466 MODERATE about 12 hours ago
### Impact
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of param...
npm
251 Dependabot PRs
Grype has a credential disclosure vulnerability in its JSON output
GHSA-6gxw-85q2-q646 CVE-2025-65965 HIGH about 12 hours ago
A credential disclosure vulnerability was found in Grype, affecting versions `v0.68.0` through `v0.104.0`. If registry credentials are defined and ...
go
No PRs yet
OMERO.web uses jquery-form library, which may be vulnerable to XSS attack
GHSA-j4gv-6x9v-v23g LOW 1 day ago
### Impact
OMERO.web uses the jquery-form library throughout to handle form submission and response processing. Due to some unpatched potential vul...
pypi
No PRs yet
Babylon's BIP322 signature implementation is not fully compliant with the spec
GHSA-xq4h-wqm2-668w MODERATE 1 day ago
### Summary
The BIP-322 signature verification does not enforce the SIGHASH value to be SIGHASH_ALL, and therefore is not strictly following the [...
go
No PRs yet
Babylon's malformed vote extensions are not rejected
GHSA-2fcv-qww3-9v6h HIGH 1 day ago
### Summary
Adversarial validators can send large vote extensions by using non-existing protobuf tags. This will result in the rejection of the su...
go
No PRs yet
LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names and zip extraction
GHSA-rj4j-2jph-gg43 CRITICAL 1 day ago
### Summary
Multiple path traversal and unsafe path handling vulnerabilities were discovered in eKuiper prior to the fixes implemented in PR [lf-ed...
go
No PRs yet
pypdf's LZWDecode streams can be manipulated to exhaust RAM
GHSA-m449-cwjh-6pw7 MODERATE 1 day ago
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing t...
pypi
No PRs yet
Formwork CMS has Stored Cross-Site Scripting Vulnerability in Blog Tags
GHSA-7j46-f57w-76pj CVE-2025-65956 MODERATE 1 day ago
### Summary
Inserting unsanitized data into the blog tag field in Formwork CMS results in stored cross‑site scripting (XSS).
Any user with credenti...
packagist
No PRs yet
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`
GHSA-6465-jgvq-jhgp CVE-2025-65944 MODERATE 1 day ago
### Impact
When a Node.js application using the Sentry SDK has `sendDefaultPii: true` it is possible to inadvertently send certain sensitive HTTP h...
npm
No PRs yet
OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation
GHSA-7ff4-jw48-3436 CVE-2025-64761 HIGH 1 day ago
### Impact
Similar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add a root policy to a group ...
go
No PRs yet
new-api is vulnerable to SSRF Bypass
GHSA-9f46-w24h-69w4 CVE-2025-62155 HIGH 1 day ago
### Summary
A recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur....
go
No PRs yet
NSSF panic due to nil pointer dereference when expiry field is omitted in NSSAIAvailability POST
GHSA-f2hj-vpp9-6vm2 CVE-2025-60638 HIGH 1 day ago
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Nnssf_NSSAIA...
go
No PRs yet
Free5GC is vulnerable to DoS via the Nudm_SubscriberDataManagement API
GHSA-3j9f-7w24-pcqg CVE-2025-60633 MODERATE 1 day ago
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API.
go
No PRs yet
Free5GC is vulnerable to DoS through its Npcf_BDTPolicyControl POST API
GHSA-vgq7-9r5r-j9v3 CVE-2025-60632 MODERATE 1 day ago
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPoli...
go
No PRs yet
Apache Syncope's AES encryption stores hard-coded passwords in internal database
GHSA-jqg8-m35q-jh7j CVE-2025-65998 HIGH 1 day ago
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default opt...
maven
No PRs yet
thread-amount Vulnerable to Resource Exhaustion (Memory and Handle Leaks) on Windows and macOS
GHSA-jf9p-2fv9-2jp2 CVE-2025-65947 HIGH 4 days ago
Affected versions of this crate contain resource leaks when querying thread counts on Windows and Apple platforms.
### Windows
The `thread_amount`...
cargo
No PRs yet
SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results
GHSA-9m7r-g8hg-x3vr CVE-2025-65111 LOW 4 days ago
### Impact
If a schema includes the following characteristics:
1. Permission defined in terms of a union (`+`)
1. That union references the same ...
go
No PRs yet
MLX has Wild Pointer Dereference in load_gguf()
GHSA-j842-xgm4-wf88 CVE-2025-62609 MODERATE 4 days ago
## Summary
Segmentation fault in `mlx::core::load_gguf()` when loading malicious GGUF files. Untrusted pointer from external gguflib library is de...
pypi
No PRs yet
MLX has heap-buffer-overflow in load()
GHSA-w6vg-jg77-2qg6 CVE-2025-62608 MODERATE 4 days ago
## Summary
Heap buffer overflow in `mlx::core::load()` when parsing malicious NumPy `.npy` files. Attacker-controlled file causes 13-byte out-of-b...
pypi
No PRs yet
Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default
GHSA-gmm6-j2g5-r52m CVE-2025-13357 HIGH 4 days ago
Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting...
go
No PRs yet
Grafana Incorrect Privilege Assignment vulnerability
GHSA-w62r-7c53-fmc5 CVE-2025-41115 CRITICAL 4 days ago
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by...
go
1 Dependabot PR
OpenFGA Improper Policy Enforcement
GHSA-2c64-vmv2-hgfc CVE-2025-64751 MODERATE 5 days ago
### Overview
OpenFGA v1.4.0 to v1.11.0 (openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper ...
go
No PRs yet
Minder does not sandbox http.send in Rego programs
GHSA-6xvf-4vh9-mw47 HIGH 5 days ago
### Impact
Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have acces...
go
No PRs yet
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage
GHSA-3mm3-wfpv-q85g CVE-2025-63700 MODERATE 5 days ago
An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verifi...
npm
No PRs yet
authkit-nextjs may let session cookies be cached in CDNs
GHSA-p8pf-44ff-93gf CVE-2025-64762 HIGH 5 days ago
In `authkit-nextjs` version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN cach...
npm
No PRs yet
@anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
GHSA-7mv8-j34q-vp7q CVE-2025-64755 HIGH 5 days ago
Due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host sys...
npm
No PRs yet
vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`
GHSA-69j4-grxj-j64p CVE-2025-62426 MODERATE 5 days ago
### Summary
The /v1/chat/completions and /tokenize endpoints allow a `chat_template_kwargs` request parameter that is used in the code before it is...
pypi
No PRs yet
vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs
GHSA-pmqf-x6x8-p7qw CVE-2025-62372 HIGH 5 days ago
### Summary
Users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct `ndim` but incorrect `sh...
pypi
No PRs yet
vLLM deserialization vulnerability leading to DoS and potential RCE
GHSA-mrw7-hf4f-83pf CVE-2025-62164 HIGH 5 days ago
### Summary
A memory corruption vulnerability that leads to a crash (denial-of-service) and potentially remote code execution (RCE) exists in vLL...
pypi
No PRs yet
zx Uses Incorrectly-Resolved Name or Reference
GHSA-w87r-vg9q-crqm CVE-2025-13437 MODERATE 5 days ago
When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error...
npm
No PRs yet
Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow
GHSA-8x9v-8qgj-945x CVE-2025-64027 MODERATE 5 days ago
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is...
packagist
No PRs yet
OSV-SCALIBR has NULL Pointer Dereference
GHSA-f786-75f3-74xj CVE-2025-13425 LOW 5 days ago
A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next() to overindex an empty slice when ReadDir returns nil for ...
go
No PRs yet
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
GHSA-547r-qmjm-8hvw CVE-2025-65108 CRITICAL 5 days ago
### Summary
A Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code ...
npm
No PRs yet
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
GHSA-6qv9-48xg-fc7f CVE-2025-65106 HIGH 5 days ago
## Context
A template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals...
pypi
29 Dependabot PRs
@hpke/core reuses AEAD nonces
GHSA-73g8-5h73-26h4 CVE-2025-64767 CRITICAL 5 days ago
### Summary
The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls....
npm
2 Dependabot PRs
phppgadmin contains a SQL injection vulnerability
GHSA-g6xh-wrpf-v6j6 CVE-2025-60798 MODERATE 5 days ago
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from ...
packagist
No PRs yet
phppgadmin contains an incorrect access control vulnerability
GHSA-r63p-v37q-g74c CVE-2025-60799 MODERATE 5 days ago
phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized man...
packagist
No PRs yet