An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,784
With Dependabot PRs: 1,790
Critical Severity: 3,506
High Severity: 8,617

Minder does not sandbox http.send in Rego programs
GHSA-6xvf-4vh9-mw47 HIGH 7 days ago
Impact: Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have acces...
go
No PRs yet
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage
GHSA-3mm3-wfpv-q85g CVE-2025-63700 MODERATE 7 days ago
An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verifi...
npm
No PRs yet
authkit-nextjs may let session cookies be cached in CDNs
GHSA-p8pf-44ff-93gf CVE-2025-64762 HIGH 7 days ago
In `authkit-nextjs` version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN cach...
npm
No PRs yet
@anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
GHSA-7mv8-j34q-vp7q CVE-2025-64755 HIGH 7 days ago
Due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host sys...
npm
No PRs yet
vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`
GHSA-69j4-grxj-j64p CVE-2025-62426 MODERATE 7 days ago
Summary: The /v1/chat/completions and /tokenize endpoints allow a `chat_template_kwargs` request parameter that is used in the code before it is...
pypi
No PRs yet
vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs
GHSA-pmqf-x6x8-p7qw CVE-2025-62372 HIGH 7 days ago
Summary: Users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct `ndim` but incorrect `sh...
pypi
No PRs yet
vLLM deserialization vulnerability leading to DoS and potential RCE
GHSA-mrw7-hf4f-83pf CVE-2025-62164 HIGH 7 days ago
Summary: A memory corruption vulnerability that leads to a crash (denial-of-service) and potentially remote code execution (RCE) exists in vLL...
pypi
No PRs yet
zx Uses Incorrectly-Resolved Name or Reference
GHSA-w87r-vg9q-crqm CVE-2025-13437 MODERATE 7 days ago
When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error...
npm
No PRs yet
Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow
GHSA-8x9v-8qgj-945x CVE-2025-64027 MODERATE 7 days ago
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is...
packagist
No PRs yet
OSV-SCALIBR has NULL Pointer Dereference
GHSA-f786-75f3-74xj CVE-2025-13425 LOW 7 days ago
A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next() to overindex an empty slice when ReadDir returns nil for ...
go
No PRs yet
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
GHSA-547r-qmjm-8hvw CVE-2025-65108 CRITICAL 7 days ago
Summary: A Markdown front-matter block that contains a JavaScript delimiter causes the JS engine in the gray-matter library to execute arbitrary code ...
npm
No PRs yet
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
GHSA-6qv9-48xg-fc7f CVE-2025-65106 HIGH 7 days ago
Context: A template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals...
pypi
33 Dependabot PRs
@hpke/core reuses AEAD nonces
GHSA-73g8-5h73-26h4 CVE-2025-64767 CRITICAL 7 days ago
Summary: The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls....
npm
2 Dependabot PRs
phppgadmin contains an incorrect access control vulnerability
GHSA-r63p-v37q-g74c CVE-2025-60799 MODERATE 7 days ago
phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized man...
packagist
No PRs yet
phppgadmin contains a SQL injection vulnerability
GHSA-g6xh-wrpf-v6j6 CVE-2025-60798 MODERATE 7 days ago
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from ...
packagist
No PRs yet
@perfood/couch-auth may expose session tokens, passwords
GHSA-62vx-hpcr-m9ch CVE-2025-60794 MODERATE 7 days ago
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts li...
npm
No PRs yet
phppgadmin vulnerable to Cross-site Scripting
GHSA-h369-cpjj-qfff CVE-2025-60796 LOW 7 days ago
phpPgAdmin versions 7.13.0 and earlier contain multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied inputs ...
packagist
No PRs yet
Resty has a Path Traversal vulnerability
GHSA-cv3m-hxpc-4hvm CVE-2025-13435 LOW 7 days ago
A security vulnerability has been detected in Dreampie Resty versions up to the 1.3.1.SNAPSHOT. This affects the function Request of the file /rest...
maven
No PRs yet
phppgadmin contains a SQL injection vulnerability
GHSA-927w-vq5c-8gc3 CVE-2025-60797 MODERATE 7 days ago
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied...
packagist
No PRs yet
golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read
GHSA-f6x5-jh6r-wrfv CVE-2025-47914 MODERATE 8 days ago
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message i...
go
No PRs yet
golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption
GHSA-j5w8-q4qc-rx2x CVE-2025-58181 MODERATE 8 days ago
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause...
go
1 Dependabot PR
OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter
GHSA-2jm2-2p35-rp3j CVE-2025-65103 HIGH 8 days ago
Summary: An authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queri...
packagist
No PRs yet
Claude Code vulnerable to command execution prior to startup trust dialog
GHSA-5hhx-v7f6-x7gv CVE-2025-65099 HIGH 8 days ago
When running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins befor...
npm
No PRs yet
esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
GHSA-hcpf-qv9m-vfgp CVE-2025-65026 MODERATE 8 days ago
Summary: The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature....
go
No PRs yet
esm.sh CDN service has arbitrary file write via tarslip
GHSA-h3mw-4f23-gwpw CVE-2025-65025 HIGH 8 days ago
Summary: The esm.sh CDN service is vulnerable to a Path Traversal (CWE-22) vulnerability during NPM package tarball extraction. An attacker ca...
go
No PRs yet
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
GHSA-fvmw-cj7j-j39q CVE-2025-65019 MODERATE 8 days ago
Summary: A Cross-Site Scripting (XSS) vulnerability exists in Astro when using the @astrojs/cloudflare adapter with `output: 'server'`. Th...
npm
No PRs yet
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
GHSA-ggxq-hp9w-j794 CVE-2025-64765 MODERATE 8 days ago
A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validati...
npm
No PRs yet
Astro vulnerable to reflected XSS via the server islands feature
GHSA-wrwg-2hg8-v723 CVE-2025-64764 HIGH 8 days ago
Summary: After some research it appears that it is possible to obtain a reflected XSS when the server islands feature is used in the targeted app...
npm
No PRs yet
Astro Development Server has Arbitrary Local File Read
GHSA-x3h8-62x9-952g CVE-2025-64757 LOW 8 days ago
Summary: A vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through th...
npm
No PRs yet
authentik's invitation expiry is delayed by at least 5 minutes
GHSA-ch7q-53v8-73pc CVE-2025-64708 MODERATE 8 days ago
Summary: In previous authentik versions, invitations were considered valid regardless of whether they had expired, thus relying on background ta...
go
No PRs yet
authentik allows a deactivated Service account to authenticate to OAuth
GHSA-xr73-jq5p-ch8r CVE-2025-64521 MODERATE 8 days ago
Summary: When authenticating with `client_id` and `client_secret` to an OAuth provider, authentik creates a service account for the provider. I...
go
No PRs yet
Apache Causeway vulnerable to deserialization in Java
GHSA-wq4c-57mh-5f7g CVE-2025-64408 CRITICAL 8 days ago
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These v...
maven
No PRs yet
MongoDB driver extension affected by mongoc_bulk_operation_t's read of invalid memory
GHSA-mwcc-7vpp-xmv9 CVE-2025-12119 MODERATE 9 days ago
A mongoc_bulk_operation_t may read invalid memory if large options are passed.
packagist
No PRs yet
Modular Max Serve has Unsafe Deserialization vulnerability
GHSA-7xcv-9j6c-2fmc CVE-2025-60455 CRITICAL 9 days ago
Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used ...
pypi
No PRs yet
XWiki view file macro: User can view content of office file without view rights on the attachment
GHSA-8c52-x9w7-vc95 CVE-2025-65089 MODERATE 9 days ago
Summary: A user with no view rights on a page may see the content of an office attachment displayed with the view file macro. Details: If on...
maven
No PRs yet
LibreNMS is vulnerable to SQL Injection (Boolean-Based Blind) in hostname parameter in ajax_output.php endpoint
GHSA-6pmj-xjxp-p8g9 CVE-2025-65093 MODERATE 9 days ago
Summary: A Boolean-Based Blind SQL Injection vulnerability was identified in the LibreNMS application at the `/ajax_output.php` endpoint. Th...
packagist
No PRs yet
Backdrop CMS Host Header Injection vulnerability
GHSA-ffpg-gm3h-4p5p CVE-2025-63828 MODERATE 9 days ago
Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to re...
packagist
No PRs yet
Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
GHSA-mhpg-hpj5-73r2 CVE-2025-13083 LOW 9 days ago
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Contr...
packagist
No PRs yet
Drupal core allows Object Injection
GHSA-m6vv-vcj8-w8m7 CVE-2025-13081 MODERATE 9 days ago
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This is...
packagist
No PRs yet
Drupal core allows Forceful Browsing
GHSA-83v7-c2cf-p9c2 CVE-2025-13080 LOW 9 days ago
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: ...
packagist
No PRs yet
Drupal core allows Content Spoofing
GHSA-h89p-5896-f4q8 CVE-2025-13082 LOW 9 days ago
User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupa...
packagist
No PRs yet
Drupal Email TFA allows Functionality Bypass
GHSA-9jrw-jrrj-p6fr CVE-2025-12760 MODERATE 9 days ago
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TF...
packagist
No PRs yet
Mattermost allows other users to determine when users had read channels via channel member objects
GHSA-9hh7-6558-qfp2 CVE-2025-55074 LOW 9 days ago
Mattermost versions 10.11.x <= 10.11.3, and 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to d...
go
No PRs yet
Drupal Simple multi step form allows Cross-Site Scripting
GHSA-gg35-374m-9ph8 CVE-2025-12761 LOW 9 days ago
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Si...
packagist
No PRs yet
Eclipse Jersey has a Race Condition
GHSA-7p63-w6x9-6gr7 CVE-2025-12383 CRITICAL 9 days ago
In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, ...
maven
No PRs yet
joserfc has Possible Uncontrolled Resource Consumption Vulnerability Triggered by Logging Arbitrarily Large JWT Token Payloads
GHSA-frfh-8v73-gjg4 CVE-2025-65015 CRITICAL 9 days ago
Summary: The `ExceededSizeError` exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbi...
pypi
No PRs yet
LibreNMS has Weak Password Policy
GHSA-5mrf-j8v6-f45g CVE-2025-65014 LOW 9 days ago
Summary: A Weak Password Policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulner...
packagist
No PRs yet
LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`
GHSA-j8cq-7f6p-256x CVE-2025-65013 MODERATE 9 days ago
Summary: A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the LibreNMS application at the `/maps/nodeimage` endpoint. The ...
packagist
No PRs yet
Kirby CMS has cross-site scripting (XSS) in the changes dialog
GHSA-84hf-8gh5-575j CVE-2025-65012 MODERATE 9 days ago
TL;DR: This vulnerability affects all Kirby 5 sites that might have potential attackers in the group of authenticated Panel users or that allow...
packagist
No PRs yet
XWiki AdminTools application doesn't set permissions on the AdminTools space
GHSA-v7r8-8p5c-h4xw CVE-2025-54990 MODERATE 9 days ago
Impact: Users without admin rights have access to `AdminTools.SpammedPages`. Details: View rights are not restricted only to admin users f...
maven
No PRs yet