Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 25,050
With Dependabot PRs: 1,846
Critical Severity: 3,534
High Severity: 8,712
Mermaid improperly sanitizes sequence diagram labels leading to XSS
GHSA-7rqq-prvp-x9jh CVE-2025-54881 MODERATE 4 months ago
### Summary
In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to `innerHTML` during calcula...
npm
No PRs yet
Mermaid does not properly sanitize architecture diagram iconText leading to XSS
GHSA-8gwm-58g9-j8pw CVE-2025-54880 MODERATE 4 months ago
### Summary
In the default configuration of mermaid 11.9.0, user supplied input for architecture diagram icons is passed to the d3 `html()` method,...
npm
5 Dependabot PRs
Liferay Portal Reflected Cross-Site Scripting Vulnerability in displayType Parameter
GHSA-cwgh-r52j-xh6c CVE-2025-43738 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 20...
maven
No PRs yet
Astro allows unauthorized third-party images in _image endpoint
GHSA-xf8x-j4p2-f749 CVE-2025-55303 MODERATE 4 months ago
### Summary
In affected versions of `astro`, the image optimization endpoint in projects deployed with on-demand rendering allows images from unau...
npm
No PRs yet
MoonShine Arbitrary File Upload Vulnerability
GHSA-8xfq-7f6m-mpmf CVE-2025-51489 MODERATE 4 months ago
An arbitrary file upload vulnerability in MoonShine v3.12.4 allows attackers to execute arbitrary code via uploading a crafted SVG file.
packagist
No PRs yet
MoonShine SQL Injection Vulnerability
GHSA-9g9j-3w64-3cjh CVE-2025-51510 MODERATE 4 months ago
MoonShine v3.12.5 was discovered to contain a SQL injection vulnerability via the Data parameter under the Blog module.
packagist
No PRs yet
moonshine Stored Cross-Site Scripting Vulnerability in Create Article
GHSA-p632-58pp-c9xg CVE-2025-51487 MODERATE 4 months ago
A stored cross-site scripting (XSS) vulnerability in the Create Article function of MoonShine v3.12.3 allows attackers to execute arbitrary web scr...
packagist
No PRs yet
moonshine Stored Cross-Site Scripting Vulnerability in Create Admin
GHSA-rh9f-gr6q-mpc4 CVE-2025-51488 MODERATE 4 months ago
A stored cross-site scripting (XSS) vulnerability in the Create Admin function of MoonShine v3.12.3 allows attackers to execute arbitrary web scrip...
packagist
No PRs yet
Liferay Portal Email Modification Vulnerability via Calendar Portlet
GHSA-7mxq-h2r7-h449 CVE-2025-43739 MODERATE 4 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 202...
maven
No PRs yet
Liferay Portal has Stored Cross-Site Scripting Vulnerability via Message Boards Feature
GHSA-22jp-w3cg-gvmm CVE-2025-43740 MODERATE 4 months ago
A stored cross-site scripting vulnerability in the Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1...
maven
No PRs yet
LibreNMS allows stored XSS in Alert Template name field
GHSA-vxq6-8cwm-wj99 CVE-2025-55296 MODERATE 4 months ago
### Summary
A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (<= 25.6.0) in the Alert Template creation feature. This allows a...
packagist
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting
GHSA-3p2m-574v-v257 CVE-2025-43731 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 20...
maven
No PRs yet
Copier's safe template has filesystem write access outside destination path
GHSA-p7q8-grrj-3m8w CVE-2025-55214 MODERATE 4 months ago
### Impact
Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use [unsafe](https://copier.readthedoc...
pypi
No PRs yet
OpenFGA Authorization Bypass
GHSA-mgh9-4mwp-fg55 CVE-2025-55213 MODERATE 4 months ago
### Overview
OpenFGA v1.9.3 to v1.9.4 (openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v1.9.4) are vulnerable to improper pol...
go
No PRs yet
Liferay Portal Vulnerable to Insecure Direct Object Reference
GHSA-v6xr-v2qg-h22h CVE-2025-43732 MODERATE 4 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 20...
maven
No PRs yet
IdMap from_iter may lead to uninitialized memory being freed on drop
GHSA-qq4c-hm99-979m MODERATE 4 months ago
Due to a flaw in the constructor `id_map::IdMap::from_iter`, ill-formed objects may be created in which the amount of actually initialized memory i...
cargo
No PRs yet
Spring Framework MVC Applications Path Traversal Vulnerability
GHSA-r936-gwx5-v52f CVE-2025-41242 MODERATE 4 months ago
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An app...
maven
No PRs yet
ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/users.js
GHSA-q4rg-7cjj-5r86 CVE-2025-9095 MODERATE 4 months ago
A cross-site scripting (XSS) issue exists in ExpressGateway up to 1.16.10 in the REST endpoint implemented in lib/rest/routes/users.js. User-contro...
npm
No PRs yet
ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/apps.js
GHSA-xfp8-x3j6-h67v CVE-2025-9096 MODERATE 4 months ago
A cross-site scripting (XSS) issue exists in ExpressGateway ≤ 1.16.10 in lib/rest/routes/apps.js. User-controlled data returned by the REST endpoin...
npm
No PRs yet
@astrojs/node's trailing slash handling causes open redirect issue
GHSA-9x9c-ghc5-jhw9 CVE-2025-55207 MODERATE 4 months ago
### Summary
Following https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in ...
npm
No PRs yet
User-defined implementations of the safe trait scratchpad::Tracking can cause heap buffer overflows
GHSA-77h3-w9rx-hj3q MODERATE 4 months ago
The `get` and `set` methods of the public trait `scratchpad::Tracking` interact with unsafe code regions in the crate, and they influence the compu...
cargo
No PRs yet
Information Disclosure in Amazon ECS Container Agent
GHSA-wm7x-ww72-r77q CVE-2025-9039 MODERATE 4 months ago
**Summary**
[Amazon Elastic Container Service (Amazon ECS)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html) is a fully ma...
go
No PRs yet
Apache Superset has bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of blocked SQL functions
GHSA-fxgf-3xh6-m2pp CVE-2025-55674 MODERATE 4 months ago
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use...
pypi
No PRs yet
Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access
GHSA-mhpq-m962-mg92 CVE-2025-55675 MODERATE 4 months ago
Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated u...
pypi
No PRs yet
Apache Superset data query improperly discloses database schema information to low-privileged guest user
GHSA-9g5x-mm39-wg9r CVE-2025-55673 MODERATE 4 months ago
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This f...
pypi
No PRs yet
Apache Superset's chart visualization has a stored Cross-Site Scripting (XSS) vulnerability
GHSA-fj97-2v9x-w5m4 CVE-2025-55672 MODERATE 4 months ago
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit c...
pypi
No PRs yet
Helm May Panic Due To Incorrect YAML Content
GHSA-f9f8-9pmf-xv68 CVE-2025-55198 MODERATE 4 months ago
A Helm contributor discovered an improper validation of type error when parsing Chart.yaml and index.yaml files that can lead to a panic.
### Impa...
go
374 Dependabot PRs, 18% merged
Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion
GHSA-9h84-qmv7-982p CVE-2025-55199 MODERATE 4 months ago
A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and h...
go
374 Dependabot PRs, 18% merged
swift-nio-http2 affected by HTTP/2 MadeYouReset vulnerability
GHSA-xvr7-p2c6-j83w MODERATE 4 months ago
The HTTP/2 [MadeYouReset vulnerability](https://galbarnahum.com/made-you-reset) has a mild effect on swift-nio-http2.
swift-nio-http2 mostly prote...
swift
No PRs yet
Active Record logging vulnerable to ANSI escape injection
GHSA-76r7-hhxj-r776 CVE-2025-55193 MODERATE 4 months ago
This vulnerability has been assigned the CVE identifier CVE-2025-55193
### Impact
The ID passed to `find` or similar methods may be logged without...
rubygems
7047 Dependabot PRs, 8% merged
PyPDF's Manipulated FlateDecode streams can exhaust RAM
GHSA-7hfw-26vp-jp8m CVE-2025-55197 MODERATE 4 months ago
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a...
pypi
16 Dependabot PRs
OMERO.web displays unnecessary user information when requesting password reset
GHSA-gpmg-4x4g-mr5r CVE-2025-54791 MODERATE 4 months ago
### Background
If an error occurred when resetting a user's password using the ``Forgot Password`` option in OMERO.web, the error message displaye...
pypi
No PRs yet
Apache Tomcat Session Fixation vulnerability
GHSA-23hv-mwm6-g8jf CVE-2025-55668 MODERATE 4 months ago
Session Fixation vulnerability in Apache Tomcat via rewrite valve.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1...
maven
No PRs yet
Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation
GHSA-4cx2-fc23-5wg6 CVE-2025-8916 MODERATE 4 months ago
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpki...
maven
10 Dependabot PRs
Liferay Portal 7.4.0 and Liferay DXP have a reflected cross-site scripting (XSS) vulnerability
GHSA-m5c7-5gv3-hcpf CVE-2025-43734 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2...
maven
No PRs yet
svg-sanitizer Bypasses Attribute Sanitization
GHSA-22wq-q86m-83fh CVE-2025-55166 MODERATE 4 months ago
#### Problem
The sanitization logic at https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481 only searches for lowe...
packagist
No PRs yet
Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
GHSA-wcmw-8xpp-rwfj CVE-2025-49558 MODERATE 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Time-of-check Time-of-use (TOCTOU)...
packagist
No PRs yet
Magento vulnerable to path traversal
GHSA-h4f4-gv6h-x824 CVE-2025-49559 MODERATE 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname...
packagist
No PRs yet
Liferay Portal and Liferay DXP have a reflected cross-site scripting vulnerability
GHSA-222w-xmc5-jhp3 CVE-2025-43735 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 20...
maven
No PRs yet
Liferay Portal and Liferay DXP have a Denial Of Service via File Upload (DOS) vulnerability
GHSA-cg99-m88x-422c CVE-2025-43736 MODERATE 4 months ago
A Denial Of Service via File Upload (DOS) vulnerability in Liferay Portal 7.4.3.0 through 7.4.3.132, Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024....
maven
No PRs yet
Bouncy Castle for Java on All (API modules) allows Excessive Allocation
GHSA-67mf-3cr5-8w23 CVE-2025-8885 MODERATE 4 months ago
A resource allocation vulnerability exists in Bouncy Castle for Java (by Legion of the Bouncy Castle Inc.) that affects all API modules. The vulner...
maven
No PRs yet
Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers
GHSA-r3v7-pc4g-7xp9 CVE-2025-55152 MODERATE 4 months ago
### Summary
With specially crafted value of the `x-forwarded-proto` or `x-forwarded-for` headers, it's possible to significantly slow down an oak ...
npm
No PRs yet
slab allows out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check
GHSA-qx2v-8332-m4fv CVE-2025-55159 MODERATE 4 months ago
### Impact
The `get_disjoint_mut` method in slab v0.4.10 incorrectly checked if indices were within the slab's capacity instead of its length, all...
cargo
No PRs yet
Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions
GHSA-gjpm-6w34-ppvf CVE-2025-54463 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits t...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-j66h-xhpr-7q5g CVE-2025-54458 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access of the Confluence space, allowing attackers to create a subscription to a ...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-qjrx-j8wm-xf83 CVE-2025-8285 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check the access of the user to the channel which allows attackers to create channel subscrip...
go
No PRs yet
Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions
GHSA-w92j-c6gr-hj8r CVE-2025-53514 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits t...
go
No PRs yet
Mattermost Confluence Plugin is Missing Authentication for Critical Function
GHSA-qpjq-c5hr-7925 CVE-2025-54478 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to enforce user authentication of the Mattermost instance, allowing unauthenticated attackers to...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-v6c8-g53h-mc2h CVE-2025-53910 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, allowing attackers to create a channel subscription without...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-cmpr-8prq-w5p5 CVE-2025-48731 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to Confluence spaces, which allows attackers to edit subscriptions for Conf...
go
No PRs yet