An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,784 Total Advisories
1,790 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity

Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client
GHSA-58c5-g7wp-6w37 CVE-2025-66035 HIGH about 14 hours ago
The vulnerability is a **Credential Leak by App Logic** that leads to the **unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token*...
npm
No PRs yet
Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
GHSA-wmjr-v86c-m9jj LOW about 16 hours ago
## Summary - Vulnerable component: `multi-session` plugin’s `/sign-out` after-hook (`packages/better-auth/src/plugins/multi-session/index.ts`) - Is...
npm
No PRs yet
willitmerge has a Command Injection vulnerability
GHSA-j9wj-m24m-7jj6 MODERATE about 16 hours ago
willitmerge describes itself as a command line tool to check if pull requests are mergeable. There is a Command Injection vulnerability in version ...
npm
No PRs yet
node-forge has ASN.1 Unbounded Recursion
GHSA-554w-wpv2-vw27 CVE-2025-66031 HIGH about 16 hours ago
### Summary An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to ...
npm
977 Dependabot PRs
node-forge is vulnerable to ASN.1 OID Integer Truncation
GHSA-65ch-62r8-g69g CVE-2025-66030 MODERATE about 16 hours ago
### Summary **MITRE-Formatted CVE Description** An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote,...
npm
977 Dependabot PRs
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
GHSA-5gfm-wpxj-wjgq CVE-2025-12816 HIGH about 16 hours ago
### Summary CVE-2025-12816 has been reserved by CERT/CC **Description** An Interpretation Conflict (CWE-436) vulnerability in node-forge versions...
npm
977 Dependabot PRs
Ray is vulnerable to Critical RCE via Safari & Firefox Browsers through DNS Rebinding Attack
GHSA-q279-jhrf-cc6v CVE-2025-62593 CRITICAL about 18 hours ago
# Summary Developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. ...
pypi
No PRs yet
Valibot has a ReDoS vulnerability in `EMOJI_REGEX`
GHSA-vqpr-j7v3-hqw9 CVE-2025-66020 HIGH about 18 hours ago
### Summary The `EMOJI_REGEX` used in the `emoji` action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciou...
npm
No PRs yet
OneUptime Unauthorized User Creation via API
GHSA-m449-vh5f-574g CVE-2025-65966 HIGH about 18 hours ago
### Summary A low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. ### ...
npm
No PRs yet
Apache Druid’s Kerberos authenticator uses a weak fallback secret
GHSA-w88f-4875-99c8 CVE-2025-59390 CRITICAL 1 day ago
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration ...
maven
No PRs yet
REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]
GHSA-x6vr-q3vf-vqgq CVE-2025-66026 MODERATE 1 day ago
### Summary A reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter `args[types]` is rendered...
packagist
No PRs yet
libnftnl has Heap-based Buffer Overflow in nftnl::Batch::with_page_size (nftnl-rs)
GHSA-2fjw-whxm-9v4q CRITICAL 1 day ago
A heap-buffer-overflow vulnerability exists in the Rust wrapper for libnftnl, triggered via the nftnl::Batch::with_page_size constructor. When a sm...
cargo
No PRs yet
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation
GHSA-675q-66gf-gqg8 CVE-2025-66028 MODERATE 1 day ago
### Summary During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter ...
npm
No PRs yet
OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization
GHSA-g9gq-3pfx-2gw2 CVE-2025-66021 HIGH 1 day ago
### Summary It is observed that OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows `noscript` and `style` tags with `allowT...
maven
No PRs yet
Better Auth Passkey Plugin allows passkey deletion through IDOR
GHSA-4vcf-q4xf-f48m HIGH 1 day ago
# Summary Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using `...
npm
No PRs yet
OpenSearch is vulnerable to DoS via complex query_string inputs
GHSA-mw3v-mmfw-3x2g CVE-2025-9624 HIGH 1 day ago
A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all ...
maven
No PRs yet
Contao is vulnerable to cross-site scripting in templates
GHSA-68q5-78xp-cwwc CVE-2025-65961 LOW 1 day ago
### Impact It is possible to inject code into the template output that will be executed in the browser in the front end and back end. ### Patches...
packagist
No PRs yet
Contao is vulnerable to remote code execution in template closures
GHSA-98vj-mm79-v77r CVE-2025-65960 MODERATE 1 day ago
### Impact Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required...
packagist
No PRs yet
cggmp24 and cggmp21 are vulnerable to signature forgery through altered presignatures
GHSA-8frv-q972-9rq5 CVE-2025-66017 HIGH 1 day ago
### Impact This attack is against presignatures used in very specific context: * Presignatures + HD wallets derivation: security level reduces to 8...
cargo
No PRs yet
cggmp21 has a missing check in the ZK proof used in CGGMP21
GHSA-m95p-425x-x889 CVE-2025-66016 CRITICAL 1 day ago
### Impact cggmp21 concerns a missing check in the ZK proof that enables an attack in which a single malicious signer can reconstruct full private...
cargo
No PRs yet
VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM
GHSA-66jq-2c23-2xh5 CVE-2025-65942 LOW 1 day ago
### Impact Affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malforme...
go
No PRs yet
Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer
GHSA-xv5p-fjw5-vrj6 CVE-2025-62703 HIGH 1 day ago
### Summary The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server i...
pypi
No PRs yet
GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature
GHSA-fjf5-xgmq-5525 CVE-2025-58360 HIGH 2 days ago
## Description An XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint ``/geoserv...
maven
No PRs yet
GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format
GHSA-w66h-j855-qr72 CVE-2025-21621 MODERATE 2 days ago
### Summary A reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker...
maven
No PRs yet
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
GHSA-93vm-mqpw-8wh3 CVE-2025-13467 MODERATE 2 days ago
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deseriali...
maven
No PRs yet
REDAXO CMS is vulnerable to XSS through its module management component
GHSA-vqc7-7fj4-3fm3 CVE-2025-64049 MODERATE 2 days ago
A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary w...
packagist
No PRs yet
REDAXO CMS is vulnerable to RCE attack through its template management component
GHSA-xj9j-gjxg-7jvq CVE-2025-64050 HIGH 2 days ago
A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to...
packagist
No PRs yet
body-parser is vulnerable to denial of service when url encoding is used
GHSA-wqch-xfxh-vrr4 CVE-2025-13466 MODERATE 2 days ago
### Impact body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of param...
npm
283 Dependabot PRs
Grype has a credential disclosure vulnerability in its JSON output
GHSA-6gxw-85q2-q646 CVE-2025-65965 HIGH 2 days ago
A credential disclosure vulnerability was found in Grype, affecting versions `v0.68.0` through `v0.104.0`. If registry credentials are defined and ...
go
No PRs yet
OMERO.web uses jquery-form library, which may be vulnerable to XSS attack
GHSA-j4gv-6x9v-v23g LOW 3 days ago
### Impact OMERO.web uses the jquery-form library throughout to handle form submission and response processing. Due to some unpatched potential vul...
pypi
No PRs yet
Babylon's BIP322 signature implementation is not fully compliant with the spec
GHSA-xq4h-wqm2-668w MODERATE 3 days ago
### Summary The BIP-322 signature verification does not enforce the SIGHASH value to be SIGHASH_ALL, and therefore is not strictly following the [...
go
No PRs yet
Babylon's malformed vote extensions are not rejected
GHSA-2fcv-qww3-9v6h HIGH 3 days ago
### Summary Adversarial validators can send large vote extensions by using non-existing protobuf tags. This will result in the rejection of the su...
go
No PRs yet
LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names and zip extraction
GHSA-rj4j-2jph-gg43 CRITICAL 3 days ago
### Summary Multiple path traversal and unsafe path handling vulnerabilities were discovered in eKuiper prior to the fixes implemented in PR [lf-ed...
go
No PRs yet
pypdf's LZWDecode streams can be manipulated to exhaust RAM
GHSA-m449-cwjh-6pw7 CVE-2025-66019 MODERATE 3 days ago
### Impact An attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing t...
pypi
No PRs yet
Formwork CMS has Stored Cross-Site Scripting Vulnerability in Blog Tags
GHSA-7j46-f57w-76pj CVE-2025-65956 MODERATE 3 days ago
### Summary Inserting unsanitized data into the blog tag field in Formwork CMS results in stored cross‑site scripting (XSS). Any user with credenti...
packagist
No PRs yet
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`
GHSA-6465-jgvq-jhgp CVE-2025-65944 MODERATE 3 days ago
### Impact In version 10.11.0, a change to how the SDK collects request data in Node.js applications caused certain incoming HTTP headers to be add...
npm
No PRs yet
OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation
GHSA-7ff4-jw48-3436 CVE-2025-64761 HIGH 3 days ago
### Impact Similar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add a root policy to a group ...
go
No PRs yet
new-api is vulnerable to SSRF Bypass
GHSA-9f46-w24h-69w4 CVE-2025-62155 HIGH 3 days ago
### Summary A recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur....
go
No PRs yet
Keylime allows users to register new agents by recycling existing UUIDs when using different TPM devices
GHSA-xh5w-g8gq-r3v9 CVE-2025-13609 HIGH 3 days ago
A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platfor...
pypi
No PRs yet
Free5GC is vulnerable to DoS via the Nudm_SubscriberDataManagement API
GHSA-3j9f-7w24-pcqg CVE-2025-60633 MODERATE 3 days ago
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API.
go
No PRs yet
NSSF panic due to nil pointer dereference when expiry field is omitted in NSSAIAvailability POST
GHSA-f2hj-vpp9-6vm2 CVE-2025-60638 HIGH 3 days ago
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Nnssf_NSSAIA...
go
No PRs yet
Free5GC is vulnerable to DoS through its Npcf_BDTPolicyControl POST API
GHSA-vgq7-9r5r-j9v3 CVE-2025-60632 MODERATE 3 days ago
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPoli...
go
No PRs yet
Apache Syncope's AES encryption stores hard-coded passwords in internal database
GHSA-jqg8-m35q-jh7j CVE-2025-65998 HIGH 3 days ago
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default opt...
maven
No PRs yet
thread-amount Vulnerable to Resource Exhaustion (Memory and Handle Leaks) on Windows and macOS
GHSA-jf9p-2fv9-2jp2 CVE-2025-65947 HIGH 6 days ago
Affected versions of this crate contain resource leaks when querying thread counts on Windows and Apple platforms. ### Windows The `thread_amount`...
cargo
No PRs yet
SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results
GHSA-9m7r-g8hg-x3vr CVE-2025-65111 LOW 6 days ago
### Impact If a schema includes the following characteristics: 1. Permission defined in terms of a union (`+`) 1. That union references the same ...
go
No PRs yet
MLX has Wild Pointer Dereference in load_gguf()
GHSA-j842-xgm4-wf88 CVE-2025-62609 MODERATE 6 days ago
## Summary Segmentation fault in `mlx::core::load_gguf()` when loading malicious GGUF files. Untrusted pointer from external gguflib library is de...
pypi
No PRs yet
MLX has heap-buffer-overflow in load()
GHSA-w6vg-jg77-2qg6 CVE-2025-62608 MODERATE 6 days ago
## Summary Heap buffer overflow in `mlx::core::load()` when parsing malicious NumPy `.npy` files. Attacker-controlled file causes 13-byte out-of-b...
pypi
No PRs yet
Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default
GHSA-gmm6-j2g5-r52m CVE-2025-13357 HIGH 6 days ago
Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting...
go
No PRs yet
Grafana Incorrect Privilege Assignment vulnerability
GHSA-w62r-7c53-fmc5 CVE-2025-41115 CRITICAL 6 days ago
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by...
go
1 Dependabot PR
OpenFGA Improper Policy Enforcement
GHSA-2c64-vmv2-hgfc CVE-2025-64751 MODERATE 7 days ago
### Overview OpenFGA v1.4.0 to v1.11.0 (openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper ...
go
No PRs yet