Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,859
Total Advisories
1,807
With Dependabot PRs
3,511
Critical Severity
8,639
High Severity
Contao does not properly manage privileges for page and article fields
GHSA-qqfq-7cpp-hcqj CVE-2025-57759 MODERATE 3 months ago
### Impact
Under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions.
##...
packagist
No PRs yet
Contao can disclose sensitive information in the news module
GHSA-w53m-gxvg-vx7p CVE-2025-57757 MODERATE 3 months ago
### Impact
If a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed.
### ...
packagist
No PRs yet
Contao discloses sensitive information in the front end search index
GHSA-2xmj-8wmq-7475 CVE-2025-57756 MODERATE 3 months ago
### Impact
Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search.
### Patch...
packagist
No PRs yet
Contao applies improper access control in the back end voters
GHSA-7m47-r75r-cx8v CVE-2025-57758 MODERATE 3 months ago
### Impact
The table access voter in the back end doesn't check if a user is allowed to access the corresponding module.
### Patches
Update to C...
packagist
No PRs yet
lychee link checking action affected by arbitrary code injection in composite action
GHSA-65rg-554r-9j5x CVE-2024-48908 MODERATE 3 months ago
### Summary
There is a potential attack of arbitrary code injection vulnerability in `lychee-setup` of the composite action at *action.yml*.
### ...
actions
No PRs yet
NeuVector admin account has insecure default password
GHSA-8pxw-9c75-6w56 CVE-2025-8077 CRITICAL 3 months ago
### Impact
A vulnerability exists in NeuVector versions up to and including **5.4.5**, where a fixed string is used as the default password for th...
go
No PRs yet
NeuVector process with sensitive arguments leads to leakage
GHSA-w54x-xfxg-4gxq CVE-2025-54467 MODERATE 3 months ago
### Impact
When a Java command with password parameters is executed and terminated by NeuVector for a Process rule violation. For example,
```
jav...
go
No PRs yet
NeuVector has an insecure password storage vulnerable to rainbow attack
GHSA-8ff6-pc43-jwv3 CVE-2025-53884 MODERATE 3 months ago
### Impact
NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to a rainbow table attack (offline ...
go
No PRs yet
Kubernetes Nodes can delete themselves by adding an OwnerReference
GHSA-4x4m-3c2p-qppc CVE-2025-5187 MODERATE 3 months ago
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node obje...
go
No PRs yet
NodeBB SQL Injection vulnerability
GHSA-rfh2-8vxq-jqr8 CVE-2025-50979 HIGH 3 months ago
NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter is not p...
npm
No PRs yet
simple-admin-core SQL Injection vulnerability
GHSA-f2m2-4q6r-cwc4 CVE-2025-51667 HIGH 3 months ago
An issue was discovered in simple-admin-core v1.2.0 thru v1.6.7. The /sys-api/role/update interface in the simple-admin-core system has a limited S...
go
No PRs yet
Google Sign-In for Rails allowed redirects to malformed URLs
GHSA-7pwc-wh6m-44q3 CVE-2025-57821 MODERATE 3 months ago
### Summary
It is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin....
rubygems
No PRs yet
Malicious versions of Nx were published
GHSA-cxm3-wv7p-598c CVE-2025-10894 CRITICAL 3 months ago
## Summary
Malicious versions of the [`nx` package](https://www.npmjs.com/package/nx), as well as some supporting plugin packages, were published ...
npm
No PRs yet
The Freeform CraftCMS plugin contains a server-side template injection (SSTI) vulnerability
GHSA-9hp3-f5g8-rccg CVE-2025-52122 CRITICAL 3 months ago
Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains a server-side template injection (SSTI) vulnerability, resulting in arbitrary co...
packagist
No PRs yet
devalue prototype pollution vulnerability
GHSA-vj54-72f3-p5jv CVE-2025-57820 HIGH 3 months ago
## 1. `devalue.parse` allows `__proto__` to be set
A string passed to `devalue.parse` could represent an object with a `__proto__` property, which...
npm
33
Dependabot PRs
24%
Merged
Picklescan is missing detection when calling built-in python library asyncio.unix_events._UnixSubprocessTransport._start
GHSA-q77w-mwjj-7mqx MODERATE 3 months ago
### Summary
Using asyncio.unix_events._UnixSubprocessTransport._start function, which is a built-in python library function to execute remote pick...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python cProfile.run
GHSA-49gj-c84q-6qm9 MODERATE 3 months ago
### Summary
Using cProfile.run function, which is a built-in python library function to execute remote pickle file.
### Details
The attack paylo...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python cProfile.runctx
GHSA-9w88-8rmg-7g2p MODERATE 3 months ago
### Summary
Using cProfile.runctx function, which is a built-in python library function to execute remote pickle file.
### Details
The attack pa...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python doctest.debug_script
GHSA-fqq6-7vqf-w3fg MODERATE 3 months ago
### Summary
Using doctest.debug_script function, which is a built-in python library function to execute remote pickle file.
### Details
The atta...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcode
GHSA-3gf5-cxq9-w223 MODERATE 3 months ago
### Summary
Using idlelib.pyshell.ModifiedInterpreter.runcode function, which is a built-in python library function to execute remote pickle file....
pypi
No PRs yet
Picklescan is missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcommand
GHSA-j343-8v2j-ff7w MODERATE 3 months ago
### Summary
Using idlelib.pyshell.ModifiedInterpreter.runcommand function, which is a built-in python library function to execute remote pickle fi...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python idlelib.run.Executive.runcode
GHSA-m869-42cg-3xwr MODERATE 3 months ago
### Summary
Using idlelib.run.Executive.runcode function, which is a built-in python library function to execute remote pickle file.
### Details
...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python lib2to3.pgen2.pgen.ParserGenerator.make_label
GHSA-p9w7-82w4-7q8m MODERATE 3 months ago
### Summary
Using lib2to3.pgen2.pgen.ParserGenerator.make_label function, which is a built-in python library function to execute remote pickle fil...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python ensurepip._run_pip
GHSA-xp4f-hrf8-rxw7 MODERATE 3 months ago
### Summary
Using ensurepip._run_pip function, which is a built-in python library function to execute remote pickle file.
### Details
The attack...
pypi
No PRs yet
Badaso CMS file upload vulnerability
GHSA-gqp9-jh35-439m CVE-2025-52353 HIGH 3 months ago
An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PH...
packagist
No PRs yet
Picklescan is missing detection when calling pytorch function torch.utils.bottleneck.__main__.run_autograd_prof
GHSA-4whj-rm5r-c2v8 MODERATE 3 months ago
### Summary
Using torch.utils.bottleneck.__main__.run_autograd_prof function, which is a pytorch library function to execute remote pickle fil...
pypi
No PRs yet
GraphQL Armor Max-Depth Plugin Bypass via fragment caching
GHSA-224p-v68g-5g8f MODERATE 3 months ago
### Summary
A query depth restriction using the max-depth can be bypassed if `ignoreIntrospection` is enabled (which is the default configuration) ...
npm
No PRs yet
GraphQL Armor Max-Depth Plugin Bypass via Introspection Query Obfuscation
GHSA-hmfr-rx46-4jx2 MODERATE 3 months ago
### Summary
A query depth restriction using the `max-depth` property can be bypassed if `ignoreIntrospection` is enabled (which is the default conf...
npm
No PRs yet
Picklescan has a missing detection when calling built-in python library idlelib.calltip.get_entity
GHSA-9xph-j2h6-g47v MODERATE 3 months ago
### Summary
Using idlelib.calltip.get_entity function, which is a built-in python library function to execute remote pickle file.
### Details
Th...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python idlelib.calltip.Calltip
GHSA-8r4j-24qv-fmq9 MODERATE 3 months ago
### Summary
Using idlelib.calltip.Calltip.fetch_tip, which is a built-in python library function to execute remote pickle file.
### Details
The ...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python code.InteractiveInterpreter
GHSA-cj3c-v495-4xqh MODERATE 3 months ago
### Summary
Using code.InteractiveInterpreter.runcode, which is a built-in python library function to execute remote pickle file.
### Details
Th...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python idlelib.autocomplete.AutoComplete.fetch_completions
GHSA-7cq8-mj8x-j263 MODERATE 3 months ago
### Summary
Using idlelib.autocomplete.AutoComplete.fetch_completions, which is a built-in python library function to execute remote pickle file.
...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python idlelib.autocomplete.AutoComplete.get_entity
GHSA-6w4w-5w54-rjvr MODERATE 3 months ago
### Summary
Using idlelib.autocomplete.AutoComplete.get_entity, which is a built-in python library function to execute remote pickle file.
### De...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python idlelib.debugobj.ObjectTreeItem
GHSA-3vg9-h568-4w9m MODERATE 3 months ago
### Summary
Using idlelib.debugobj.ObjectTreeItem.SetText, which is a built-in python library function to execute remote pickle file.
### Details...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python lib2to3.pgen2.grammar.Grammar.loads
GHSA-f54q-57x4-jg88 MODERATE 3 months ago
### Summary
Using lib2to3.pgen2.grammar.Grammar.loads, which is a built-in python library function to execute remote pickle file.
### Details
Th...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python profile.Profile.runctx
GHSA-6vqj-c2q5-j97w MODERATE 3 months ago
### Summary
Using profile.Profile.runctx, which is a built-in python library function to execute remote pickle file.
### Details
The attack payl...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python profile.Profile.run
GHSA-x696-vm39-cp64 MODERATE 3 months ago
### Summary
Using profile.Profile.run, which is a built-in python library function to execute remote pickle file.
### Details
The attack payload...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python trace.Trace.runctx
GHSA-g344-hcph-8vgg MODERATE 3 months ago
### Summary
Using trace.Trace.runctx, which is a built-in python library function to execute remote pickle file.
### Details
The attack payload ...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python trace.Trace.run
GHSA-5qwp-399c-mjwf MODERATE 3 months ago
### Summary
Using trace.Trace.run, which is a built-in python library function to execute remote pickle file.
### Details
The attack payload exe...
pypi
No PRs yet
xml2rfc has an arbitrary file read vulnerability
GHSA-cfmv-h8fx-85m7 CVE-2025-11058 HIGH 3 months ago
### Impact
When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link...
pypi
No PRs yet
traQ Allows Insertion of Sensitive Information into Log File
GHSA-27r7-3m9x-r533 CVE-2025-57813 MODERATE 3 months ago
### Impact
A vulnerability exists where sensitive information, such as OAuth tokens, is recorded in log files when an error occurs during the execu...
go
No PRs yet
jsPDF Denial of Service (DoS)
GHSA-8mvj-3j78-4qmw CVE-2025-57810 HIGH 3 months ago
### Impact
User control of the first argument of the addImage method results in CPU utilization and denial of service.
If given the possibility to...
npm
34
Dependabot PRs
ImageMagick (WriteBMPImage): 32-bit integer overflow when writing BMP scanline stride → heap buffer overflow
GHSA-mxvv-97wh-cfmm CVE-2025-57803 HIGH 3 months ago
## Summary
A 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses `bytes_per_line` (stride) to a tiny value while th...
nuget
No PRs yet
ImageMagick has a format string bug in InterpretImageFilename that leads to arbitrary code execution
GHSA-9ccg-6pjw-x645 CVE-2025-55298 HIGH 3 months ago
## Summary
A format string bug vulnerability exists in `InterpretImageFilename` function where user input is directly passed to `FormatLocaleString...
nuget
No PRs yet
ImageMagick affected by divide-by-zero in ThumbnailImage via montage -geometry ":" that leads to a crash
GHSA-fh55-q5pj-pxgw CVE-2025-55212 LOW 3 months ago
## Summary
Passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, Thumbn...
nuget
No PRs yet
Easy!Appointments SQL injection vulnerability
GHSA-2f28-69j7-85hf CVE-2025-50383 MODERATE 3 months ago
alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter.
packagist
No PRs yet
LlamaIndex affected by a Denial of Service (DOS) in JSONReader
GHSA-7753-xrfw-ch36 CVE-2025-5302 HIGH 3 months ago
A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The...
pypi
No PRs yet
request-filtering-agent SSRF Bypass via HTTPS Requests to 127.0.0.1
GHSA-pw25-c82r-75mm CVE-2025-57814 MODERATE 3 months ago
request-filtering-agent versions 1.x.x and earlier contain a vulnerability where HTTPS requests to 127.0.0.1 bypass IP address filtering, while HTT...
npm
No PRs yet
mitmproxy binaries embed a vulnerable python-hyper/h2 dependency
GHSA-63cx-g855-hvv4 MODERATE 3 months ago
mitmproxy 12.1.1 and below embed python-hyper/h2 ≤ v4.2.0, which has a gap in its HTTP/2 header validation. This enables request smuggling attacks ...
pypi
No PRs yet
h2 allows HTTP Request Smuggling due to illegal characters in headers
GHSA-847f-9342-265h CVE-2025-57804 MODERATE 3 months ago
### Summary
HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers...
pypi
No PRs yet