An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,795
With Dependabot PRs: 1,800
Critical Severity: 3,507
High Severity: 8,619

Kubernetes Nodes can delete themselves by adding an OwnerReference
GHSA-4x4m-3c2p-qppc CVE-2025-5187 MODERATE 3 months ago
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node obje...
go
No PRs yet
NodeBB SQL Injection vulnerability
GHSA-rfh2-8vxq-jqr8 CVE-2025-50979 HIGH 3 months ago
NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter is not p...
npm
No PRs yet
simple-admin-core SQL Injection vulnerability
GHSA-f2m2-4q6r-cwc4 CVE-2025-51667 HIGH 3 months ago
An issue was discovered in simple-admin-core v1.2.0 thru v1.6.7. The /sys-api/role/update interface in the simple-admin-core system has a limited S...
go
No PRs yet
Google Sign-In for Rails allowed redirects to malformed URLs
GHSA-7pwc-wh6m-44q3 CVE-2025-57821 MODERATE 3 months ago
### Summary It is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin....
rubygems
No PRs yet
Malicious versions of Nx were published
GHSA-cxm3-wv7p-598c CVE-2025-10894 CRITICAL 3 months ago
## Summary Malicious versions of the [`nx` package](https://www.npmjs.com/package/nx), as well as some supporting plugin packages, were published ...
npm
No PRs yet
The Freeform CraftCMS plugin contains a Server-side template injection (SSTI) vulnerability
GHSA-9hp3-f5g8-rccg CVE-2025-52122 CRITICAL 3 months ago
Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains a Server-side template injection (SSTI) vulnerability, resulting in arbitrary co...
packagist
No PRs yet
devalue prototype pollution vulnerability
GHSA-vj54-72f3-p5jv CVE-2025-57820 HIGH 3 months ago
## 1. `devalue.parse` allows `__proto__` to be set A string passed to `devalue.parse` could represent an object with a `__proto__` property, which...
npm
33 Dependabot PRs, 24% merged
Picklescan is missing detection when calling built-in python library asyncio.unix_events._UnixSubprocessTransport._start
GHSA-q77w-mwjj-7mqx MODERATE 3 months ago
### Summary Using asyncio.unix_events._UnixSubprocessTransport._start function, which is a built-in python library function to execute remote pick...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python cProfile.run
GHSA-49gj-c84q-6qm9 MODERATE 3 months ago
### Summary Using cProfile.run function, which is a built-in python library function to execute remote pickle file. ### Details The attack paylo...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python cProfile.runctx
GHSA-9w88-8rmg-7g2p MODERATE 3 months ago
### Summary Using cProfile.runctx function, which is a built-in python library function to execute remote pickle file. ### Details The attack pa...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python doctest.debug_script
GHSA-fqq6-7vqf-w3fg MODERATE 3 months ago
### Summary Using doctest.debug_script function, which is a built-in python library function to execute remote pickle file. ### Details The atta...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcode
GHSA-3gf5-cxq9-w223 MODERATE 3 months ago
### Summary Using idlelib.pyshell.ModifiedInterpreter.runcode function, which is a built-in python library function to execute remote pickle file....
pypi
No PRs yet
Picklescan is missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcommand
GHSA-j343-8v2j-ff7w MODERATE 3 months ago
### Summary Using idlelib.pyshell.ModifiedInterpreter.runcommand function, which is a built-in python library function to execute remote pickle fi...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python idlelib.run.Executive.runcode
GHSA-m869-42cg-3xwr MODERATE 3 months ago
### Summary Using idlelib.run.Executive.runcode function, which is a built-in python library function to execute remote pickle file. ### Details ...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python lib2to3.pgen2.pgen.ParserGenerator.make_label
GHSA-p9w7-82w4-7q8m MODERATE 3 months ago
### Summary Using lib2to3.pgen2.pgen.ParserGenerator.make_label function, which is a built-in python library function to execute remote pickle fil...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python ensurepip._run_pip
GHSA-xp4f-hrf8-rxw7 MODERATE 3 months ago
### Summary Using ensurepip._run_pip function, which is a built-in python library function to execute remote pickle file. ### Details The attack...
pypi
No PRs yet
Badaso CMS file upload vulnerability
GHSA-gqp9-jh35-439m CVE-2025-52353 HIGH 3 months ago
An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PH...
packagist
No PRs yet
Picklescan is missing detection when calling pytorch function torch.utils.bottleneck.__main__.run_autograd_prof
GHSA-4whj-rm5r-c2v8 MODERATE 3 months ago
### Summary Using torch.utils.bottleneck.__main__.run_autograd_prof function, which is a pytorch library function to execute remote pickle fil...
pypi
No PRs yet
GraphQL Armor Max-Depth Plugin Bypass via fragment caching
GHSA-224p-v68g-5g8f MODERATE 3 months ago
### Summary A query depth restriction using the max-depth can be bypassed if `ignoreIntrospection` is enabled (which is the default configuration) ...
npm
No PRs yet
GraphQL Armor Max-Depth Plugin Bypass via Introspection Query Obfuscation
GHSA-hmfr-rx46-4jx2 MODERATE 3 months ago
### Summary A query depth restriction using the `max-depth` property can be bypassed if `ignoreIntrospection` is enabled (which is the default conf...
npm
No PRs yet
Picklescan has a missing detection when calling built-in python library idlelib.calltip.get_entity
GHSA-9xph-j2h6-g47v MODERATE 3 months ago
### Summary Using idlelib.calltip.get_entity function, which is a built-in python library function to execute remote pickle file. ### Details Th...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python idlelib.calltip.Calltip
GHSA-8r4j-24qv-fmq9 MODERATE 3 months ago
### Summary Using idlelib.calltip.Calltip.fetch_tip, which is a built-in python library function to execute remote pickle file. ### Details The ...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python code.InteractiveInterpreter
GHSA-cj3c-v495-4xqh MODERATE 3 months ago
### Summary Using code.InteractiveInterpreter.runcode, which is a built-in python library function to execute remote pickle file. ### Details Th...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python idlelib.autocomplete.AutoComplete.fetch_completions
GHSA-7cq8-mj8x-j263 MODERATE 3 months ago
### Summary Using idlelib.autocomplete.AutoComplete.fetch_completions, which is a built-in python library function to execute remote pickle file. ...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python idlelib.autocomplete.AutoComplete.get_entity
GHSA-6w4w-5w54-rjvr MODERATE 3 months ago
### Summary Using idlelib.autocomplete.AutoComplete.get_entity, which is a built-in python library function to execute remote pickle file. ### De...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python idlelib.debugobj.ObjectTreeItem
GHSA-3vg9-h568-4w9m MODERATE 3 months ago
### Summary Using idlelib.debugobj.ObjectTreeItem.SetText, which is a built-in python library function to execute remote pickle file. ### Details...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python lib2to3.pgen2.grammar.Grammar.loads
GHSA-f54q-57x4-jg88 MODERATE 3 months ago
### Summary Using lib2to3.pgen2.grammar.Grammar.loads, which is a built-in python library function to execute remote pickle file. ### Details Th...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python profile.Profile.runctx
GHSA-6vqj-c2q5-j97w MODERATE 3 months ago
### Summary Using profile.Profile.runctx, which is a built-in python library function to execute remote pickle file. ### Details The attack payl...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python profile.Profile.run
GHSA-x696-vm39-cp64 MODERATE 3 months ago
### Summary Using profile.Profile.run, which is a built-in python library function to execute remote pickle file. ### Details The attack payload...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python trace.Trace.runctx
GHSA-g344-hcph-8vgg MODERATE 3 months ago
### Summary Using trace.Trace.runctx, which is a built-in python library function to execute remote pickle file. ### Details The attack payload ...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python trace.Trace.run
GHSA-5qwp-399c-mjwf MODERATE 3 months ago
### Summary Using trace.Trace.run, which is a built-in python library function to execute remote pickle file. ### Details The attack payload exe...
pypi
No PRs yet
xml2rfc has an arbitrary file read vulnerability
GHSA-cfmv-h8fx-85m7 CVE-2025-11058 HIGH 3 months ago
### Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link...
pypi
No PRs yet
traQ Allows Insertion of Sensitive Information into Log File
GHSA-27r7-3m9x-r533 CVE-2025-57813 MODERATE 3 months ago
### Impact A vulnerability exists where sensitive information, such as OAuth tokens, is recorded in log files when an error occurs during the execu...
go
No PRs yet
jsPDF Denial of Service (DoS)
GHSA-8mvj-3j78-4qmw CVE-2025-57810 HIGH 3 months ago
### Impact User control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to...
npm
32 Dependabot PRs
ImageMagick (WriteBMPImage): 32-bit integer overflow when writing BMP scanline stride → heap buffer overflow
GHSA-mxvv-97wh-cfmm CVE-2025-57803 HIGH 3 months ago
## Summary A 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses `bytes_per_line` (stride) to a tiny value while th...
nuget
No PRs yet
ImageMagick has a Format String Bug in InterpretImageFilename leads to arbitrary code execution
GHSA-9ccg-6pjw-x645 CVE-2025-55298 HIGH 3 months ago
## Summary A format string bug vulnerability exists in `InterpretImageFilename` function where user input is directly passed to `FormatLocaleString...
nuget
No PRs yet
ImageMagick affected by divide-by-zero in ThumbnailImage via montage -geometry ":" leads to crash
GHSA-fh55-q5pj-pxgw CVE-2025-55212 LOW 3 months ago
## Summary Passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, Thumbn...
nuget
No PRs yet
Easy!Appointments SQL injection vulnerability
GHSA-2f28-69j7-85hf CVE-2025-50383 MODERATE 3 months ago
alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter.
packagist
No PRs yet
LlamaIndex affected by a Denial of Service (DOS) in JSONReader
GHSA-7753-xrfw-ch36 CVE-2025-5302 HIGH 3 months ago
A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The...
pypi
No PRs yet
request-filtering-agent SSRF Bypass via HTTPS Requests to 127.0.0.1
GHSA-pw25-c82r-75mm CVE-2025-57814 MODERATE 3 months ago
request-filtering-agent versions 1.x.x and earlier contain a vulnerability where HTTPS requests to 127.0.0.1 bypass IP address filtering, while HTT...
npm
No PRs yet
mitmproxy binaries embed a vulnerable python-hyper/h2 dependency
GHSA-63cx-g855-hvv4 MODERATE 3 months ago
mitmproxy 12.1.1 and below embed python-hyper/h2 ≤ v4.2.0, which has a gap in its HTTP/2 header validation. This enables request smuggling attacks ...
pypi
No PRs yet
h2 allows HTTP Request Smuggling due to illegal characters in headers
GHSA-847f-9342-265h CVE-2025-57804 MODERATE 3 months ago
### Summary HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers...
pypi
No PRs yet
XGrammar affected by Denial of Service by infinite recursion grammars
GHSA-5cmr-4px5-23pc CVE-2025-57809 HIGH 3 months ago
### Summary This issue: http://github.com/mlc-ai/xgrammar/issues/250 should have its own security advisory. Since several tools accept and pass us...
pypi
No PRs yet
Craft CMS Potential Remote Code Execution via Twig SSTI
GHSA-crcq-738g-pqvc CVE-2025-57811 MODERATE 3 months ago
Note that users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/g...
packagist
No PRs yet
ImageMagick has Undefined Behavior (function-type-mismatch) in CloneSplayTree
GHSA-6hgw-6x87-578x CVE-2025-55160 MODERATE 3 months ago
## Summary - **Target:** ImageMagick (commit `ecc9a5eb456747374bae8e07038ba10b3d8821b3`) - **Type:** Undefined Behavior (function-type-mismatch) in...
nuget
No PRs yet
imagemagick: integer overflows in MNG magnification
GHSA-qp29-wxp5-wh82 CVE-2025-55154 HIGH 3 months ago
## **Vulnerability Details** The magnified size calculations in `ReadOneMNGIMage` (in `coders/png.c`) are unsafe and can overflow, leading to memo...
nuget
No PRs yet
Langflow Vulnerable to Privilege Escalation via CLI Superuser Creation (Post-RCE)
GHSA-4gv9-mp8m-592r CVE-2025-57760 HIGH 3 months ago
This vulnerability was discovered by researchers at **Check Point**. We are sharing this report as part of a responsible disclosure process and are...
pypi
No PRs yet
imagemagick: heap-buffer overflow read in MNG magnification with alpha
GHSA-cjc8-g9w8-chfw CVE-2025-55004 HIGH 3 months ago
## **Vulnerability Details** When performing image magnification in `ReadOneMNGIMage` (in `coders/png.c`), there is an issue around the handling o...
nuget
No PRs yet
ImageMagick has a heap-buffer-overflow
GHSA-fff3-4rp7-px97 LOW 3 months ago
### Summary While Processing a crafted TIFF file, imagemagick crashes. ### Details Following is the imagemagick version: ``` imagemagick_git/build...
nuget
No PRs yet
ImageMagick has a Memory Leak in magick stream
GHSA-cfh4-9f7v-fhrc CVE-2025-53019 LOW 3 months ago
## Summary In ImageMagick's `magick stream` command, specifying multiple consecutive `%d` format specifiers in a filename template causes a memory...
nuget
No PRs yet