Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,785 total advisories
1,792 with Dependabot PRs
3,506 critical severity
8,617 high severity
Sinatra is vulnerable to ReDoS through ETag header value generation
GHSA-mr3q-g2mv-mr4q CVE-2025-61921 LOW about 2 months ago
### Summary
There is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` me...
rubygems
No PRs yet
Authlib is vulnerable to Denial of Service via Oversized JOSE Segments
GHSA-pq5p-34cr-23v9 CVE-2025-61920 HIGH about 2 months ago
**Summary**
Authlib’s JOSE implementation accepts unbounded JWS/JWT header and signature segments. A remote attacker can craft a token whose base64...
pypi
9 Dependabot PRs
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
GHSA-6xw4-3v39-52mm CVE-2025-61919 HIGH about 2 months ago
## Summary
`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.inp...
rubygems
21 Dependabot PRs, 14% merged
Rack has a Possible Information Disclosure Vulnerability
GHSA-r657-rxjc-j557 CVE-2025-61780 MODERATE about 2 months ago
## Summary
A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` head...
rubygems
21 Dependabot PRs, 14% merged
quic-go: Panic occurs when queuing undecryptable packets after handshake completion
GHSA-47m2-4cr7-mhcw CVE-2025-59530 HIGH about 2 months ago
## Summary
A misbehaving or malicious server can trigger an assertion in a quic-go client (and crash the process) by sending a premature HANDSHAKE...
go
No PRs yet
Liferay Portal Commerce is vulnerable to XSS through account "name" field
GHSA-m4g9-5mg6-gfr3 CVE-2025-62237 MODERATE about 2 months ago
Stored cross-site scripting (XSS) vulnerability in Commerce’s view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4....
maven
No PRs yet
Alt Redirect: Potential Authentication Bypass by Spoofing through query-string stripping logic flaw
GHSA-rpjr-pcmr-9ppw CVE-2025-60868 MODERATE about 2 months ago
The Alt Redirect 1.6.3 addon for Statamic fails to consistently strip query string parameters when the "Query String Strip" feature is enabled. Cas...
packagist
No PRs yet
Liferay Portal is vulnerable to XSS through its workflow process builder
GHSA-xcvw-hh99-qm73 CVE-2025-62239 MODERATE about 2 months ago
Cross-site scripting (XSS) vulnerability in workflow process builder in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 throug...
maven
No PRs yet
Liferay Portal's Membership page is vulnerable to XSS through "name" text field
GHSA-xw6m-3m5q-mxpm CVE-2025-62238 MODERATE about 2 months ago
Stored cross-site scripting (XSS) vulnerability on the Membership page in Account Settings in Liferay Portal 7.4.3.21 through 7.4.3.111, and Lifera...
maven
No PRs yet
rardecode: DoS risk due to unrestricted RAR dictionary sizes
GHSA-rwvp-r38j-9rgg CVE-2025-11579 MODERATE about 2 months ago
rardecode versions <= 2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a spe...
go
No PRs yet
Elasticsearch: Insertion of Sensitive Information into Log File via reindex API
GHSA-56r7-h6mw-rcfv CVE-2025-37727 MODERATE about 2 months ago
Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requ...
maven
No PRs yet
Apache StreamPark contains an Incorrect Execution-Assigned Permissions vulnerability
GHSA-6wwv-6mm3-pp76 CVE-2025-30001 HIGH about 2 months ago
Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users a...
maven
No PRs yet
drupal-pattern-lab/unified-twig-extensions is vulnerable to XSS
GHSA-64mv-9655-37hx CVE-2025-11570 LOW about 2 months ago
Versions of the package drupal-pattern-lab/unified-twig-extensions from 0.0.0 are vulnerable to Cross-site Scripting (XSS) due to insufficient filt...
packagist
No PRs yet
BBOT's insufficient sanitization issues in gitdumper.py can lead to RCE
GHSA-h6m2-r6h9-4c44 CVE-2025-10283 CRITICAL about 2 months ago
### Summary
bbot's `gitdumper.py` insufficiently sanitises a `.git/config` file, leading to Remote Code Execution (RCE).
bbot's `gitdumper.py` ca...
pypi
No PRs yet
BBOT's git_clone.py can expose users' GitHub API keys to an attacker-controlled webserver
GHSA-63wh-p5fx-h4vc CVE-2025-10281 MODERATE about 2 months ago
### Summary
Due to unsafe URL handling, bbot's `git_clone.py` can be made to leak a user's github.com API key to an attacker-controlled webserver....
pypi
No PRs yet
BBOT's various issues in unarchive.py can cause arbitrary file write and RCE
GHSA-fhw8-8v9p-7jp7 CVE-2025-10284 CRITICAL about 2 months ago
### Summary
Various issues in bbot's `unarchive.py` allow a malicious site to cause bbot to write arbitrary files to arbitrary locations. This can...
pypi
No PRs yet
Amazon.IonDotnet is vulnerable to Denial of Service attacks
GHSA-q5r6-9qwq-g2wj CVE-2025-11573 HIGH about 2 months ago
### Summary
Amazon.IonDotnet is a library for the Dotnet language that is used to read and write Amazon Ion data. An issue exists where, under cert...
nuget
No PRs yet
Liferay Portal is vulnerable to XSS through its Calendar Events parameters
GHSA-5264-m964-7pg9 CVE-2025-62240 MODERATE about 2 months ago
Multiple cross-site scripting (XSS) vulnerabilities with Calendar events in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 th...
maven
No PRs yet
Python Social Auth - Django has unsafe account association
GHSA-wv4w-6qv2-qqfg CVE-2025-61783 MODERATE about 2 months ago
### Impact
Upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead...
pypi
4 Dependabot PRs, 25% merged
Better Auth: Unauthenticated API key creation through api-key plugin
GHSA-99h5-pjcv-gr6v CVE-2025-61928 CRITICAL about 2 months ago
### Summary
Unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api...
npm
No PRs yet
Apache Flink CDC is vulnerable to SQL Injection through maliciously crafted identifiers
GHSA-wqm3-w3p6-xjgm CVE-2025-62228 MODERATE about 2 months ago
Apache Flink CDC versions 3.0.0 to before 3.5.0 are vulnerable to a SQL injection via maliciously crafted identifiers, e.g. crafted database name or c...
maven
No PRs yet
n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host
GHSA-365g-vjw2-grx8 HIGH about 2 months ago
### Impact
The `Execute Command` node in n8n allows execution of arbitrary commands on the host system where n8n runs. While this functionality is...
npm
No PRs yet
Flowise is vulnerable to arbitrary file write through its WriteFileTool
GHSA-jv9m-vf54-chjj CVE-2025-61913 CRITICAL about 2 months ago
### Summary
The WriteFileTool in Flowise does not restrict the file path for reading, allowing authenticated attackers to exploit this vulnerabili...
npm
No PRs yet
pyLoad CNL and captcha handlers allow Code Injection via unsanitized parameters
GHSA-cjjf-27cc-pvmv CVE-2025-61773 HIGH about 2 months ago
### Summary
pyLoad web interface contained insufficient input validation in both the Captcha script endpoint and the Click'N'Load (CNL) Blueprint. ...
pypi
No PRs yet
scio is vulnerable to Remote Command Execution through PyTorch
GHSA-m9mp-6x32-5rhg CRITICAL about 2 months ago
### Impact
PyTorch reported a [**critical** vulnerability](https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6) when using `...
pypi
No PRs yet
Keycloak Potential Variable Reference in Model Storage Services
GHSA-8hxp-qmph-w5gq CVE-2025-9162 MODERATE about 2 months ago
A flaw was found in org.keycloak/keycloak-model-storage-service. The `KeycloakRealmImport` custom resource substitutes placeholders within imported...
maven
No PRs yet
Casdoor is vulnerable to Improper Authorization
GHSA-5m9m-j5p7-m7f9 CVE-2025-61524 HIGH about 2 months ago
An issue in the permission verification module and organization/application editing interface in Casdoor before 2.63.0 allows remote authenticated ...
go
No PRs yet
Opencast's Paella Player 7 is vulnerable to Cross-Site Scripting
GHSA-m2vg-rmq6-p62r CVE-2025-61788 MODERATE about 2 months ago
Prior to Opencast 17.8 and 18.2 the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodi...
maven
No PRs yet
FlowiseAI/Flowise has File Upload vulnerability
GHSA-35g6-rrw3-v6xc CVE-2025-61687 HIGH about 2 months ago
### Summary
A file upload vulnerability in FlowiseAI allows authenticated users to upload arbitrary files without proper validation. This enables a...
npm
No PRs yet
Deno is Vulnerable to Command Injection on Windows During Batch File Execution
GHSA-m2gf-x3f6-8hq3 CVE-2025-61787 HIGH about 2 months ago
### Summary
Deno versions up to 2.5.1 are vulnerable to Command Line Injection attacks on Windows when batch files are executed.
### Details
In Wi...
cargo
No PRs yet
Deno's --deny-read check does not prevent permission bypass
GHSA-qq26-84mh-26j9 CVE-2025-61786 LOW about 2 months ago
### Summary
`Deno.FsFile.prototype.stat` and `Deno.FsFile.prototype.statSync` are not limited by the permission model check `--deny-read=./`.
It...
cargo
No PRs yet
Synapse's invalid device keys degrade federation functionality
GHSA-fh66-fcv5-jjfr CVE-2025-61672 MODERATE about 2 months ago
### Impact
Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserv...
pypi
No PRs yet
Liferay Portal Notifications Widget has multiple XSS vulnerabilities through various text fields
GHSA-q8fj-76q7-4p7h CVE-2025-43771 MODERATE about 2 months ago
Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023...
maven
No PRs yet
VaahCMS is vulnerable to XSS through its Avatar Upload endpoint
GHSA-q769-phqg-263r CVE-2025-61183 MODERATE about 2 months ago
Cross-Site Scripting in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via upload method in the storeAvatar() method of UserBas...
packagist
No PRs yet
Liferay Portal Commerce Shop is vulnerable to Stored XSS through SVG file
GHSA-893r-jr58-3hxr CVE-2025-43829 MODERATE about 2 months ago
Stored Cross-Site Scripting (XSS) vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP ...
maven
No PRs yet
Liferay Portal is vulnerable to Stored XSS through Forms text type field
GHSA-378f-8q54-3fqx CVE-2025-43830 MODERATE about 2 months ago
Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 20...
maven
No PRs yet
Liferay Portal is vulnerable to XSS through its Commerce Product's Name text field
GHSA-fjrp-77f3-43xj CVE-2025-43821 MODERATE about 2 months ago
Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP...
maven
No PRs yet
FuelVM is vulnerable to heap memory allocation re-use bug
GHSA-2pgj-5cv2-6xxw HIGH about 2 months ago
### Impact
A memory safety vulnerability was present in the Fuel Virtual Machine (FuelVM), where memory reads could bypass expected access control...
cargo
No PRs yet
Melis Platform CMS SQL Injection
GHSA-mrmx-jfw8-qhgv CVE-2025-10351 CRITICAL about 2 months ago
SQL injection vulnerability based on the melis-cms module of the Melis platform from Melis Technology. This vulnerability allows an attacker to ret...
packagist
No PRs yet
Melis Platform CMS Unauthenticated File Upload Leading to RCE
GHSA-chw4-gjvw-3gxc CVE-2025-10353 CRITICAL about 2 months ago
File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows...
packagist
No PRs yet
Melis Platform CMS Unauthenticated Admin Account Creation
GHSA-p3vc-g9f9-mgw4 CVE-2025-10352 CRITICAL about 2 months ago
Vulnerability in the melis-core module of Melis Technology's Melis Platform, which, if exploited, allows an unauthenticated attacker to create an a...
packagist
No PRs yet
Liferay Portal has multiple Stored XSS vulnerabilities on its View Order page
GHSA-4mqx-4p8g-995w CVE-2025-43822 MODERATE about 2 months ago
Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.15 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4....
maven
No PRs yet
Liferay Portal is vulnerable to XSS through its Commerce Search Result widget
GHSA-xx7h-2wf7-hc7p CVE-2025-43823 MODERATE about 2 months ago
Cross-site scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 be...
maven
No PRs yet
Deno's --deny-write check does not prevent permission bypass
GHSA-vg2r-rmgp-cgqj CVE-2025-61785 LOW about 2 months ago
### Summary
`Deno.FsFile.prototype.utime` and `Deno.FsFile.prototype.utimeSync` are not limited by the permission model check `--deny-write=./`.
...
cargo
No PRs yet
vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class
GHSA-3f6c-7fw2-ppm4 CVE-2025-6242 HIGH about 2 months ago
### Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project's multimodal feature s...
pypi
No PRs yet
LLaMA Factory's Chat API Contains Critical SSRF and LFI Vulnerabilities
GHSA-527m-2xhr-j27g CVE-2025-61784 HIGH about 2 months ago
## Summary ##
A Server-Side Request Forgery (SSRF) vulnerability in the chat API allows any authenticated user to force the server to make arbitra...
pypi
No PRs yet
vLLM: Resource-Exhaustion (DoS) through Malicious Jinja Template in OpenAI-Compatible Server
GHSA-6fvq-23cw-5628 CVE-2025-61620 MODERATE about 2 months ago
### Summary
A resource-exhaustion (denial-of-service) vulnerability exists in multiple endpoints of the OpenAI-Compatible Server due to the abilit...
pypi
No PRs yet
Akka.Remote TLS did not properly implement certificate-based authentication
GHSA-jhpv-4q4f-43g5 CVE-2025-61778 CRITICAL about 2 months ago
### Impact
This is a critical network security vulnerability for Akka.Remote **users who have SSL / TLS enabled** on their Akka.Remote connections...
nuget
No PRs yet
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
GHSA-wpv5-97wm-hp9c CVE-2025-61772 HIGH about 2 months ago
## Summary
`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank l...
rubygems
22 Dependabot PRs, 13% merged
Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
GHSA-w9pc-fmgc-vxvw CVE-2025-61771 HIGH about 2 months ago
## Summary
`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A singl...
rubygems
22 Dependabot PRs, 13% merged