Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,859 Total Advisories
1,806 With Dependabot PRs
3,511 Critical Severity
8,639 High Severity
Liferay Portal exposes 500 status when attempting login with a deleted client secret
GHSA-9vwq-j6gq-w9xh CVE-2025-43777 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 20...
maven
No PRs yet
Liferay Portal is vulnerable to XSS attack through its Style Book theme
GHSA-qgj5-4qvg-2f8c CVE-2025-43774 LOW 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.17 allows a remote ...
maven
No PRs yet
Liferay Portal is vulnerable to SSRF through custom object attachment fields
GHSA-477q-x55m-j38g CVE-2025-43763 MODERATE 3 months ago
A server-side request forgery (SSRF) vulnerability exists in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4....
maven
No PRs yet
pREST has a Systemic SQL Injection Vulnerability
GHSA-p46v-f2x8-qp98 CVE-2025-58450 CRITICAL 3 months ago
# Summary
pREST provides a simple way for users to expose access to their database via a RESTful API. The project is implemented using the Go progra...
go
No PRs yet
MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server
GHSA-g9hg-qhmf-q45m CVE-2025-58444 HIGH 3 months ago
An XSS flaw exists in the MCP Inspector local development tool when it renders a redirect URL returned by a remote MCP server. If the Inspector con...
npm
No PRs yet
XWiki Blog Application: Privilege Escalation (PR) from account through blog content
GHSA-gwj6-xpfg-pxwr CVE-2025-58365 HIGH 3 months ago
### Impact
The blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-...
maven
No PRs yet
Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation
GHSA-hjfh-p8f5-24wr CVE-2025-57817 HIGH 3 months ago
### Summary
The OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highl...
pypi
No PRs yet
Fides Webserver API Rate Limiting Vulnerability in Proxied Environments
GHSA-fq34-xw6c-fphf CVE-2025-57816 MODERATE 3 months ago
### Summary
The Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The sys...
pypi
No PRs yet
Fides has a Lack of Brute-Force Protections on Authentication Endpoints
GHSA-7q62-r88r-j5gw CVE-2025-57815 LOW 3 months ago
### Summary
The Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation contr...
pypi
No PRs yet
Fides' Admin UI User Password Change Does Not Invalidate Current Session
GHSA-rpw8-82v9-3q87 CVE-2025-57766 LOW 3 months ago
### Summary
Admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where at...
pypi
No PRs yet
@akoskm/create-mcp-server-stdio is vulnerable to MCP Server Command Injection through `exec` API
GHSA-3ch2-jxxc-v4xf CVE-2025-54994 CRITICAL 3 months ago
# Command Injection in MCP Server
The MCP Server at https://github.com/akoskm/create-mcp-server-stdio is written in a way that is vulnerable to co...
npm
No PRs yet
CodeceptJS's incomplete sanitization can lead to Command Injection
GHSA-34w8-mcwr-vg29 CVE-2025-57285 CRITICAL 3 months ago
CodeceptJS versions 3.5.0 through 3.7.5-beta.18 contain a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync ...
npm
No PRs yet
N8N's Chat Trigger component is vulnerable to XSS
GHSA-v2x8-97xq-8xrr CVE-2025-56265 HIGH 3 months ago
An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1.95.3, v1.100.1, and v1.101.1 allows attackers to execute arbitrary c...
npm
No PRs yet
SimStudioAI: A function in route.ts is vulnerable to Code Injection
GHSA-g4c9-f287-64xg CVE-2025-10097 MODERATE 3 months ago
A vulnerability was identified in SimStudioAI sim. This impacts an unknown function of the file apps/sim/app/api/function/execute/route.ts. The man...
npm
No PRs yet
Django is subject to SQL injection through its column aliases
GHSA-6w2r-r2m5-xq5w CVE-2025-57833 HIGH 3 months ago
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in colum...
pypi
6 Dependabot PRs
sanitize-html is vulnerable to XSS through incomplete sanitization
GHSA-qhxp-v273-g94h CVE-2019-25225 MODERATE 3 months ago
`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanit...
npm
No PRs yet
Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data
GHSA-cxvc-g8f2-4gmm CVE-2025-58782 MODERATE 3 months ago
There is a serialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.
This issue affects Apache Ja...
maven
No PRs yet
Atlantis Exposes Service Version Publicly on /status API Endpoint
GHSA-xh7v-965r-23f7 CVE-2025-58445 LOW 3 months ago
### Summary
Atlantis publicly exposes detailed version information on its `/status` endpoint. This information disclosure could allow attackers to ...
go
No PRs yet
xgrammar vulnerable to denial of service by huge enum grammar
GHSA-9q5r-wfvf-rr7f CVE-2025-58446 MODERATE 3 months ago
### Summary
The provided grammar would fit in the context window of most models, but takes minutes to process in 0.1.23. In testing with 0.1.16 t...
pypi
No PRs yet
secrets-store-sync-controller discloses service account tokens in logs
GHSA-rcw7-pqfp-735x CVE-2025-7445 MODERATE 3 months ago
Hello Kubernetes Community,
A security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs cou...
go
No PRs yet
internetarchive Vulnerable to Directory Traversal in File.download()
GHSA-wx3r-v6h7-frjp CVE-2025-58438 CRITICAL 3 months ago
### Impact
**What kind of vulnerability is it?**
This is a **Critical** severity directory traversal (path traversal) vulnerability in the `File.do...
pypi
No PRs yet
FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side
GHSA-rrw2-px9j-qffj CVE-2025-58369 MODERATE 3 months ago
### Impact
When establishing a TLS session using `fs2-io` on the JVM using the `fs2.io.net.tls` package, if one side of the connection shuts down w...
maven
No PRs yet
Coder vulnerable to privilege escalation that could lead to cross-workspace compromise
GHSA-j6xf-jwrj-v5qp CVE-2025-58437 HIGH 3 months ago
## Summary
Insecure session handling opened room for a privilege escalation scenario in which [prebuilt workspaces](https://coder.com/docs/admin/t...
go
No PRs yet
ImageMagick BlobStream Forward-Seek Under-Allocation
GHSA-23hg-53q6-hqfg CVE-2025-57807 LOW 3 months ago
**Reporter:** Lumina Mescuwa
**Product:** ImageMagick 7 (MagickCore)
**Component:** `MagickCore/blob.c` (Blob I/O - BlobStream)
**Tested:** 7...
nuget
No PRs yet
pgadmin4 is affected by a Cross-Origin Opener Policy (COOP) vulnerability
GHSA-6859-2qxq-ffv2 CVE-2025-9636 HIGH 3 months ago
pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the OAuth flow...
pypi
No PRs yet
TkEasyGUI Affected by Uncontrolled Search Path Element Issue
GHSA-ph2w-cx28-vhrq CVE-2025-55671 HIGH 3 months ago
Uncontrolled search path element issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, arbitrary code may be exe...
pypi
No PRs yet
TkEasyGUI Vulnerable to OS Command Injection
GHSA-hfrj-3w3g-jv32 CVE-2025-55037 CRITICAL 3 months ago
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. If ...
pypi
No PRs yet
podman kube play symlink traversal vulnerability
GHSA-wp3j-xq48-xpjw CVE-2025-9566 HIGH 3 months ago
### Impact
The podman kube play command can overwrite host files when the kube file contains a ConfigMap or Secret volume mount and the volume alr...
go
No PRs yet
PrestaShop vulnerable to email enumeration
GHSA-8xx5-h6m3-jr33 CVE-2025-51586 MODERATE 3 months ago
### Impact
An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate va...
packagist
No PRs yet
Argo CD's Project API Token Exposes Repository Credentials
GHSA-786q-9hcg-v9ff CVE-2025-55190 CRITICAL 3 months ago
### Summary
Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through ...
go
No PRs yet
Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter
GHSA-qpr4-c339-7vq8 CVE-2025-58179 HIGH 3 months ago
### Summary
When using Astro's Cloudflare adapter (`@astrojs/cloudflare`) configured with `output: 'server'` while using the default `imageService...
npm
No PRs yet
Pixar OpenUSD Sdf_PathNode Module Use-After-Free Vulnerability Leading to Potential Remote Code Execution
GHSA-58p5-r2f6-g2cj CRITICAL 3 months ago
### Summary
A Use-After-Free (UAF) vulnerability has been discovered in the Sdf_PathNode module of the Pixar OpenUSD library. This issue occurs dur...
pypi
No PRs yet
Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions
GHSA-fghv-69vj-qj49 CVE-2025-58056 LOW 3 months ago
## Summary
A flaw in netty's parsing of chunk extensions in HTTP/1.1 messages with chunked encoding can lead to request smuggling issues with some ...
maven
7 Dependabot PRs
Vaadin Platform possible file bypass via upload validation on the server-side
GHSA-c7v7-rqfm-f44j MODERATE 3 months ago
### Description
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload ...
maven
No PRs yet
Vaadin Flow Components possible file bypass via upload validation on the server-side
GHSA-94g8-xv23-7656 MODERATE 3 months ago
### Description
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload ...
maven
No PRs yet
Vaadin Framework possible file bypass via upload validation on the server-side
GHSA-9gfh-4fwj-w3rj CVE-2025-9467 MODERATE 3 months ago
### Description
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload ...
maven
No PRs yet
Memos Vulnerable to Stored Cross-Site Scripting
GHSA-cgrg-86m5-xm4w CVE-2025-56761 MODERATE 3 months ago
Memos 0.22 is vulnerable to Stored Cross-site Scripting (XSS) via the upload attachment and user avatar features. Memos does not ver...
go
No PRs yet
Memos Vulnerable to Path Traversal via the CreateResource Endpoint
GHSA-78j5-8vq7-jxv5 CVE-2025-56760 MODERATE 3 months ago
When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal s...
go
No PRs yet
PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps
GHSA-vxmw-7h4f-hqxh LOW 3 months ago
### Summary
`gh-action-pypi-publish` makes use of GitHub Actions expression expansions (i.e. `${{ ... }}`) in contexts that are potentially attack...
actions
28 Dependabot PRs
Weblate has a long session expiry when verifying second factor
GHSA-377j-wj38-4728 CVE-2025-58352 LOW 3 months ago
### Impact
The verification of the second factor had too long a session expiry. The long session expiry could be used to circumvent rate limiting o...
pypi
No PRs yet
Langchain Community Vulnerable to XML External Entity (XXE) Attacks
GHSA-pc6w-59fv-rh23 CVE-2025-6984 HIGH 3 months ago
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure X...
pypi
No PRs yet
Liferay Portal Vulnerable to Denial of Service in Kaleo Forms Admin
GHSA-j4fw-4mhr-hc45 CVE-2025-43772 HIGH 3 months ago
Kaleo Forms Admin in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 27, and older unsupported versions does no...
maven
No PRs yet
DeepDiff Class Pollution in Delta class leading to DoS, Remote Code Execution, and more
GHSA-mw26-5g2v-hqw3 CVE-2025-58367 CRITICAL 3 months ago
### Summary
[Python class pollution](https://blog.abdulrah33m.com/prototype-pollution-in-python/) is a novel vulnerability categorized under [CWE-9...
pypi
1 Dependabot PR
Mautic Vulnerable to User Enumeration via Response Timing
GHSA-3ggv-qwcp-j6xg CVE-2025-9824 MODERATE 3 months ago
### Impact
The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid use...
packagist
No PRs yet
Mautic vulnerable to reflected XSS in lead:addLeadTags - Quick Add
GHSA-9v8p-m85m-f7mm CVE-2025-9823 MODERATE 3 months ago
## Summary
A Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session....
packagist
No PRs yet
Mautic vulnerable to secret data extraction via elfinder
GHSA-438m-6mhw-hq5w CVE-2025-9822 MODERATE 3 months ago
### Summary
_A user with administrator rights can change the configuration of the mautic application and extract secrets that are not normally avai...
packagist
No PRs yet
Mautic vulnerable to SSRF via webhook function
GHSA-hj6f-7hp7-xg69 CVE-2025-9821 LOW 3 months ago
### Summary
Users with webhook permissions can conduct SSRF via webhooks. If they have permission to view the webhook logs, the (partial) request r...
packagist
No PRs yet
Hono's flaw in URL path parsing could cause path confusion
GHSA-9hp6-4448-45g2 CVE-2025-58362 HIGH 3 months ago
### Summary
A flaw in the `getPath` utility function could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location bloc...
npm
3 Dependabot PRs
frost-core: refresh shares with smaller min_signers will reduce security of group
GHSA-wgq8-vr6r-mqxm CVE-2025-58359 MODERATE 3 months ago
### Impact
It was not clear that it is not possible to change `min_signers` (i.e. the threshold) with the refresh share functionality (`frost_core...
cargo
No PRs yet
Electron has ASAR Integrity Bypass via resource modification
GHSA-vmqv-hx8q-j7mg CVE-2025-55305 MODERATE 3 months ago
### Impact
This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs...
npm
No PRs yet