An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

reflex-dev/reflex has an Open Redirect vulnerability
GHSA-rfh5-c9h5-q8jm CVE-2025-62379 LOW about 1 month ago
### Mitigation Make sure `GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN` is not set in a production environment. So the following is correct: ``` asse...
pypi
No PRs yet
Microsoft Security Advisory CVE-2025-55248: .NET Information Disclosure Vulnerability
GHSA-gwq6-fmvp-qp68 CVE-2025-55248 MODERATE about 1 month ago
# Microsoft Security Advisory CVE-2025-55248 | .NET Information Disclosure Vulnerability ## Executive summary Mic...
nuget
No PRs yet
Microsoft Security Advisory CVE-2025-55247 | .NET Denial of Service Vulnerability
GHSA-w3q9-fxm7-j8fq CVE-2025-55247 HIGH about 1 month ago
# Microsoft Security Advisory CVE-2025-55247 | .NET Denial of Service Vulnerability ## Executive summary Microsof...
nuget
No PRs yet
alloy-dyn-abi has DoS vulnerability on `alloy_dyn_abi::TypedData` hashing
GHSA-pgp9-98jm-wwq2 CVE-2025-62370 HIGH about 1 month ago
### Impact An uncaught panic triggered by malformed input to `alloy_dyn_abi::TypedData` could lead to a denial-of-service (DoS) via `eip712_signin...
cargo
16 Dependabot PRs, 12% merged
Netty has SMTP Command Injection Vulnerability that Allows Email Forgery
GHSA-jq43-27x9-3v86 CVE-2025-59419 HIGH about 1 month ago
### Summary An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP codec allows a remote attacker who can control SMTP command pa...
maven
No PRs yet
Apache Spark has Inadequate Encryption Strength
GHSA-6p6v-m64v-jx8q CVE-2025-55039 MODERATE about 2 months ago
This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0. Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure defau...
maven
No PRs yet
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
GHSA-9f2h-7v79-mxw3 CVE-2025-62374 MODERATE about 2 months ago
### Summary Prototype pollution capabilities on various APIs. ### Details Injection of malicious payload allows attacker to remotely execute arb...
npm
2 Dependabot PRs, 50% merged
Magento vulnerable to stored Cross-Site Scripting (XSS)
GHSA-pcrx-r49h-x2w5 CVE-2025-54266 MODERATE about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) ...
packagist
No PRs yet
Magento provides incorrect authorization through a security feature bypass
GHSA-69x9-xp2j-w8g8 CVE-2025-54263 HIGH about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Magento vulnerable to stored Cross-Site Scripting (XSS)
GHSA-2768-5wmv-cfff CVE-2025-54264 HIGH about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) ...
packagist
No PRs yet
Magento allows incorrect authorization
GHSA-r355-75hw-r8jf CVE-2025-54265 MODERATE about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Magento vulnerable to privilege escalation due to incorrect authorization
GHSA-qvwr-p3hj-j6jf CVE-2025-54267 MODERATE about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages
GHSA-r4hh-pcgx-j5r2 CVE-2025-34267 HIGH about 2 months ago
Flowise v3.0.1 < 3.0.8 and all versions after with 'ALLOW_BUILTIN_DEP' enabled contain an authenticated remote code execution vulnerability and nod...
npm
No PRs yet
Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability
GHSA-5rrx-jjjq-q2r5 CVE-2025-55315 CRITICAL about 2 months ago
# Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability ## Executive summary Mic...
nuget
4 Dependabot PRs
CometBFT's invalid BitArray handling can lead to network halt
GHSA-hrhf-2vcr-ghch HIGH about 2 months ago
Name: ASA-2025-003: Invalid BitArray handling can lead to network halt Criticality: High (Considerable Impact; Possible Likelihood per [ACMv1.2](ht...
go
28 Dependabot PRs
Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails
GHSA-xw6r-chmh-vpmj CVE-2025-62366 LOW about 2 months ago
### Summary An HTML injection vulnerability in plaintext emails generated by Mailgen has been discovered. Your project is affected if you use the ...
npm
No PRs yet
Home Assistant has Stored XSS vulnerability in Energy dashboard from Energy Entity Name
GHSA-mq77-rv97-285m CVE-2025-62172 HIGH about 2 months ago
### Summary An authenticated party can add a malicious name to the Energy entity, allowing for Cross-Site Scripting attacks against anyone who can ...
pypi
No PRs yet
Argo Workflow may expose artifact repository credentials
GHSA-c2hv-4pfj-mm2r CVE-2025-62157 HIGH about 2 months ago
### Summary An attacker who has permissions to read logs from pods in a namespace with Argo Workflow can read `workflow-controller` logs and get cr...
go
No PRs yet
Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate
GHSA-7mvr-c777-76hp CVE-2025-59288 HIGH about 2 months ago
### Summary Use of `curl` with the `-k` (or `--insecure`) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-th...
npm
No PRs yet
JDBC Driver for SQL Server has improper input validation issue
GHSA-m494-w24q-6f7w CVE-2025-59250 HIGH about 2 months ago
Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.
maven
No PRs yet
Argo Workflow has a Zipslip Vulnerability
GHSA-p84v-gxvw-73pf CVE-2025-62156 HIGH about 2 months ago
### **Vulnerability Description** #### Vulnerability Overview 1. During the artifact extraction process, the `unpack()` function extracts the com...
go
No PRs yet
Apache Geode web-api is vulnerable to Cross-site Scripting
GHSA-w595-4975-gm3h CVE-2024-44088 MODERATE about 2 months ago
Malicious script injection ('Cross-site Scripting') vulnerability in Apache Geode web-api (REST). This vulnerability allows an attacker that tricks...
maven
No PRs yet
Liferay has Incorrect Permission Assignment for Critical Resource
GHSA-j4f7-gj7q-xg9m CVE-2025-62251 MODERATE about 2 months ago
Liferay Portal 7.3.0 through 7.4.3.119, and Liferay DXP 2023.Q3.1 through 2023.Q3.8, 2023.Q4.0 through 2023.Q4.5, 7.4 GA through update 92 and 7.3 ...
maven
No PRs yet
LibreNMS is vulnerable to Reflected-XSS in `report_this` function
GHSA-86rg-8hc8-v82p CVE-2025-62365 MODERATE about 2 months ago
### Summary Reflected-XSS in `report_this` function in `librenms/includes/functions.php` ### Details Recently, it was discovered that the `report...
packagist
No PRs yet
Liferay Mentions Web is Vulnerable to Cross-site Scripting
GHSA-mj68-2xr5-28xh CVE-2025-62246 MODERATE about 2 months ago
Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay D...
maven
No PRs yet
Liferay Commerce Order Content Web is Vulnerable to Authorization Bypass Through User-Controlled Key
GHSA-fhcw-px4q-pmvv CVE-2025-62241 MODERATE about 2 months ago
Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticate...
maven
No PRs yet
Liferay is Vulnerable to Authorization Bypass Through User-Controlled Key
GHSA-pfwq-mr9g-gq6m CVE-2025-62252 MODERATE about 2 months ago
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 20...
maven
No PRs yet
Liferay Account Admin Web vulnerable to Authorization Bypass Through User-Controlled Key
GHSA-3cm9-jrf5-h2cx CVE-2025-62242 MODERATE about 2 months ago
Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0...
maven
No PRs yet
tracexec has `env` command argument injection via environment variables starting with dash in traced exec events
GHSA-6fgx-x7m2-74qm LOW about 2 months ago
### Impact For tracexec's command line reconstruction feature, when a traced process executes another process with an environment variable where th...
cargo
No PRs yet
Omni vulnerable to information leak via API
GHSA-77r9-w39m-9xh5 CVE-2025-61688 HIGH about 2 months ago
### Impact Omni might leak sensitive information via an API. ### Patches v1.1.5, v1.0.2 and v1.2.0 contain the patch. ### Workarounds None. #...
go
No PRs yet
Omni is Vulnerable to DoS via Empty Create/Update Resource Requests
GHSA-4p3p-cr38-v5xp CVE-2025-59836 MODERATE about 2 months ago
## Summary A nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of...
go
No PRs yet
llama-index has Insecure Temporary File
GHSA-rg9h-vx28-xxp5 CVE-2025-7707 HIGH about 2 months ago
The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi...
pypi
No PRs yet
Liferay Publications is vulnerable to Incorrect Authorization
GHSA-894w-w643-qvxv CVE-2025-62243 MODERATE about 2 months ago
Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through ...
maven
No PRs yet
Liferay Publications vulnerable to Authorization Bypass Through User-Controlled Key
GHSA-2hfj-jv6q-762v CVE-2025-62244 MODERATE about 2 months ago
Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through ...
maven
No PRs yet
MongoDB Rust Driver has certificate validation disabled when `tlsInsecure=False` appears in connection string
GHSA-3p6w-gv5g-xjw9 CVE-2025-11695 HIGH about 2 months ago
When tlsInsecure=False appears in a connection string, certificate validation is disabled. This vulnerability affects MongoDB Rust Driver versions...
cargo
No PRs yet
CommandKit has incorrect command name exposure in context object for message command aliases
GHSA-fhwm-pc6r-4h2f CVE-2025-62378 MODERATE about 2 months ago
### Impact A logic flaw exists in the message command handler of CommandKit that affects how the `commandName` property is exposed to both middlew...
npm
No PRs yet
Ash Framework: Filter authorization misapplies impossible bypass/runtime policies
GHSA-7r7f-9xpj-jmr7 CVE-2025-48043 HIGH about 2 months ago
### Summary When using **filter** authorization, two edge cases could cause the policy compiler/authorizer to generate a permissive filter: 1. **...
hex
No PRs yet
QGIS QWC2 Cross-Site Scripting vulnerability
GHSA-gxp8-m5rq-3m38 CVE-2025-11183 MODERATE about 2 months ago
Cross-Site Scripting vulnerability in attribute table in QGIS QWC2 < 2025.08.14 allows an authorized attacker to plant arbitrary JavaScript code in...
npm
No PRs yet
cel-rust May Panic During Parsing of Invalid CEL Expressions
GHSA-wxwx-9fh7-5mrw CVE-2025-62162 HIGH about 2 months ago
### Summary Parsing certain malformed CEL expressions can cause the parser to panic, terminating the process. When the crate is used to evaluate u...
cargo
No PRs yet
Happy DOM: VM Context Escape can lead to Remote Code Execution
GHSA-37j7-fg3j-429f CVE-2025-61927 CRITICAL about 2 months ago
# Escape of VM Context gives access to process level functionality ## Summary Happy DOM v19 and lower contains a security vulnerability that puts ...
npm
223 Dependabot PRs, 12% merged
Parallax is vulnerable to DoS via malicious p2p message
GHSA-xc79-566c-j4qx HIGH about 2 months ago
### Impact A vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacke...
go
No PRs yet
Astro's `X-Forwarded-Host` is reflected without validation
GHSA-5ff5-9fcw-vg88 CVE-2025-61925 MODERATE about 2 months ago
### Summary When running Astro in on-demand rendering mode using an adapter such as the node adapter, it is possible to maliciously send an `X-Forwar...
npm
No PRs yet
Flowise is vulnerable to arbitrary file exposure through its ReadFileTool
GHSA-j44m-5v8f-gc9c HIGH about 2 months ago
### Summary The ReadFileTool in Flowise does not restrict file path access, allowing authenticated attackers to exploit this vulnerability to read...
npm
No PRs yet
Authlib: JWE zip=DEF decompression bomb enables DoS
GHSA-g7f3-828f-7h7m CVE-2025-62706 MODERATE about 2 months ago
### Summary _Authlib’s JWE `zip=DEF` path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of meg...
pypi
4 Dependabot PRs
Allstar Reviewbot has Authentication Bypass via Hard-coded Webhook Secret
GHSA-33f4-mjch-7fpr CVE-2025-61926 MODERATE about 2 months ago
A vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret: https://gith...
go
No PRs yet
python-ldap is Vulnerable to Improper Encoding or Escaping of Output and Improper Null Termination
GHSA-p34h-wq7j-h5v6 CVE-2025-61912 MODERATE about 2 months ago
### Summary `ldap.dn.escape_dn_chars()` escapes `\x00` incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514...
pypi
No PRs yet
python-ldap has sanitization bypass in ldap.filter.escape_filter_chars
GHSA-r7r6-cc7p-4v5m CVE-2025-61911 MODERATE about 2 months ago
### Summary The sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of special characters when a crafted `list` o...
pypi
No PRs yet
Liferay Portal is vulnerable to CSRF through publication comments
GHSA-9676-rh83-cr86 CVE-2025-62245 MODERATE about 2 months ago
Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 t...
maven
No PRs yet
Bagisto is vulnerable to XSS through Admin Panel's product creation path
GHSA-29mf-w486-v3vc CVE-2025-60880 HIGH about 2 months ago
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted...
packagist
No PRs yet
PowerJob OpenAPIController is missing authorization
GHSA-9wq6-87hw-6mhc CVE-2025-11581 MODERATE about 2 months ago
A security vulnerability has been detected in PowerJob up to 5.1.2. This vulnerability affects unknown code of the file /openApi/runJob of the comp...
maven
No PRs yet