An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,921
With Dependabot PRs: 1,820
Critical Severity: 3,520
High Severity: 8,659

vLLM has remote code execution vulnerability in the tool call parser for Qwen3-Coder
GHSA-79j6-g2m3-jgfw CVE-2025-9141 HIGH 4 months ago
Summary: An unsafe deserialization vulnerability allows any authenticated user to execute arbitrary code on the server if they are able to get t...
pypi
No PRs yet
go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data
GHSA-2464-8j7c-4cjm MODERATE 4 months ago
Summary: Use of this library in a security-critical context may result in leaking sensitive information, if used to process sensitive fields. ...
go
No PRs yet
UnoPim vulnerable to CSRF on Product edit feature and creation of other types
GHSA-287x-6r2h-f9mw CVE-2025-55744 MODERATE 4 months ago
Summary: Some of the endpoints of the application are vulnerable to Cross-Site Request Forgery (CSRF). | Method | Endpoint | Status | Reason | ...
packagist
No PRs yet
UnoPim vulnerable to remote code execution through Arbitrary File upload
GHSA-v22v-xwh7-2vrm CVE-2025-55743 HIGH 4 months ago
Summary: Affected functionality: Image upload at User creation. Endpoint: `/admin/settings/users/create`. Details: The image upload at th...
packagist
No PRs yet
UnoPim has Stored Cross-site Scripting vulnerability in user creation functionality
GHSA-xr97-25v7-hc2q CVE-2025-55742 MODERATE 4 months ago
Summary: Affected functionality: User creation. Endpoint: `/admin/settings/users/create`. Details: https://github.com/unopim/unopim/blob/a0dc8...
packagist
No PRs yet
vllm API endpoints vulnerable to Denial of Service Attacks
GHSA-rxc4-3w6r-4v47 CVE-2025-48956 HIGH 4 months ago
Summary: A Denial of Service (DoS) vulnerability can be triggered by sending a single HTTP GET request with an extremely large header to an HTTP...
pypi
No PRs yet
Mattermost Fails to Sanitize Path Traversal Sequences
GHSA-x67c-v8jr-p29r CVE-2025-8023 MODERATE 4 months ago
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize path traversal sequences in template ...
go
No PRs yet
Mattermost Fails to Validate File Paths
GHSA-gq3r-5833-5532 CVE-2025-36530 MODERATE 4 months ago
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin impo...
go
No PRs yet
Mattermost Fails to Properly Validate Team Role Modification
GHSA-4276-cm8c-788h CVE-2025-53971 LOW 4 months ago
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Tea...
go
No PRs yet
Mattermost Fails to Validate Remote Cluster Upload Sessions
GHSA-q453-638c-h4mr CVE-2025-49222 MODERATE 4 months ago
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in re...
go
No PRs yet
Mattermost Lack of Access Control Validation
GHSA-pwvr-grqg-7vp2 CVE-2025-49810 LOW 4 months ago
Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts
go
No PRs yet
Mattermost Server SSRF Vulnerability via the Agents Plugin
GHSA-vqwh-5jhh-vc9p CVE-2025-47700 LOW 4 months ago
Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into ...
go
No PRs yet
Mattermost Does Not Sanitize the Team Invite ID
GHSA-qj47-w9f2-qg44 CVE-2025-47870 MODERATE 4 months ago
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v...
go
No PRs yet
wong2 mcp-cli Command Injection Vulnerability
GHSA-p6rm-483j-37jf CVE-2025-9262 LOW 4 months ago
A flaw has been found in wong2 mcp-cli 1.13.0. Affected is the function redirectToAuthorization of the file /src/oauth/provider.js of the component...
npm
No PRs yet
Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF
GHSA-p72g-pv48-7w9x CVE-2025-54988 CRITICAL 4 months ago
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry o...
maven
2 Dependabot PRs
Liferay Portal Vulnerable to Cross-Site Scripting via DDMPortlet_definition Parameter
GHSA-62pf-hcwj-rcfc CVE-2025-43757 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 20...
maven
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting in Dynamic Data Mapping
GHSA-mpww-r37c-vxjw CVE-2025-43746 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 20...
maven
No PRs yet
Eclipse Jetty affected by MadeYouReset HTTP/2 vulnerability
GHSA-mmxm-8w33-wc4h CVE-2025-5115 HIGH 4 months ago
Technical Details: Below is a technical explanation of a newly discovered vulnerability in HTTP/2, which we refer to as "MadeYouReset." Mad...
maven
1 Dependabot PR
x402 SDK vulnerable in outdated versions in resource servers for builders
GHSA-3j63-5h8p-gf7c HIGH 4 months ago
Impact: There is a security vulnerability in outdated versions of the x402 SDK. This does not directly affect users' keys, smart contracts, or f...
npm
No PRs yet
n8n symlink traversal vulnerability in "Read/Write File" node allows access to restricted files
GHSA-ggjm-f3g4-rwmm CVE-2025-57749 MODERATE 4 months ago
Impact: A symlink traversal vulnerability was discovered in the `Read/Write File` node in n8n. While the node attempts to restrict access to sen...
npm
No PRs yet
Directus allows unauthenticated file upload and file modification due to lacking input sanitization
GHSA-mv33-9f6j-pfmc CVE-2025-55746 CRITICAL 4 months ago
Summary: A vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary conte...
npm
No PRs yet
Spree Commerce is vulnerable to RCE through Search API
GHSA-x485-rhg3-cqr4 CVE-2011-10026 CRITICAL 4 months ago
Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitatio...
rubygems
No PRs yet
Liferay Portal Vulnerable to Cross-Site Request Forgery
GHSA-p9gc-59hf-x48p CVE-2025-43748 HIGH 4 months ago
Insufficient CSRF protection for omni-administrator users in Liferay Portal 7.0.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.6, 2...
maven
No PRs yet
elysia-cors Origin Validation Error
GHSA-f9qj-4c5x-cpcw CVE-2025-50864 MODERATE 4 months ago
An Origin Validation Error in the elysia-cors library through 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The ...
npm
No PRs yet
Liferay Portal Unvalidated File Upload
GHSA-56qj-wp5r-mvhj CVE-2025-43750 MODERATE 4 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 202...
maven
No PRs yet
Liferay Portal Unauthenticated File Access via URL
GHSA-5fx5-cff6-f3fp CVE-2025-43749 MODERATE 4 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 202...
maven
No PRs yet
CRI-O has Potential High Memory Consumption from File Read
GHSA-8f93-j3fx-72f3 CVE-2025-4437 MODERATE 4 months ago
There is a vulnerability in the CRI-O application where, when a container is launched with securityContext.runAsUser specifying a non-existent user, CR...
go
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting via assetTagNames Parameter
GHSA-j6p8-g3rj-ghpm CVE-2025-43741 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 20...
maven
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting through URLs
GHSA-3fp2-6mwq-4q3j CVE-2025-43742 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 20...
maven
No PRs yet
Apache EventMesh Vulnerable to Server-Side Request Forgery in WebhookUtil.java
GHSA-hf86-8x8v-h7vc CVE-2024-39954 MODERATE 4 months ago
Server-Side Request Forgery (SSRF) in the eventmesh-runtime module in WebhookUtil.java on Windows, Linux and macOS allows an attacker to abuse funct...
maven
No PRs yet
Default Credentials in nginx-defender Configuration Files
GHSA-pr72-8fxw-xx22 CVE-2025-55740 MODERATE 4 months ago
Impact: This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files [config.yaml](https://github.co...
go
No PRs yet
Liferay Portal Enumeration Discrepancy in Calendars
GHSA-g4vp-4gqr-7v8c CVE-2025-43743 MODERATE 4 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 202...
maven
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting via DDM Structure Field Labels
GHSA-m49p-6cjp-x2h3 CVE-2025-43744 MODERATE 4 months ago
A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5,...
maven
No PRs yet
Liferay Portal CSRF Vulnerability via Endpoint Parameter
GHSA-7q33-gwcm-r6cj CVE-2025-43745 MODERATE 4 months ago
A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4....
maven
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting via backURL Parameter
GHSA-vjwr-cqwf-6q96 CVE-2025-43737 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8 and 2025.Q1.0 thr...
maven
No PRs yet
WP Crontrol Authenticated (Administrator+) plugin vulnerable to Blind Server-Side Request Forgery
GHSA-35c5-67fm-cpcp CVE-2025-8678 MODERATE 4 months ago
Impact: The WP Crontrol plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in versions 1.17.0 to 1.19.1 via the `wp_remote...
packagist
No PRs yet
screenshot-desktop vulnerable to command Injection via `format` option
GHSA-gjx4-2c7g-fm94 CVE-2025-55294 CRITICAL 4 months ago
Impact: This vulnerability is a command injection issue. When user-controlled input is passed into the `format` option of the screenshot fu...
npm
No PRs yet
Mermaid improperly sanitizes sequence diagram labels leading to XSS
GHSA-7rqq-prvp-x9jh CVE-2025-54881 MODERATE 4 months ago
Summary: In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to `innerHTML` during calcula...
npm
No PRs yet
Mermaid does not properly sanitize architecture diagram iconText leading to XSS
GHSA-8gwm-58g9-j8pw CVE-2025-54880 MODERATE 4 months ago
Summary: In the default configuration of mermaid 11.9.0, user supplied input for architecture diagram icons is passed to the d3 `html()` method,...
npm
3 Dependabot PRs
Liferay Portal Reflected Cross-Site Scripting Vulnerability in displayType Parameter
GHSA-cwgh-r52j-xh6c CVE-2025-43738 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 20...
maven
No PRs yet
Astro allows unauthorized third-party images in _image endpoint
GHSA-xf8x-j4p2-f749 CVE-2025-55303 MODERATE 4 months ago
Summary: In affected versions of `astro`, the image optimization endpoint in projects deployed with on-demand rendering allows images from unau...
npm
No PRs yet
HydrAIDE Authentication Bypass Vulnerability
GHSA-qp7j-x725-g67f CRITICAL 4 months ago
Summary: There is no authentication of any kind. Details: TLS is implemented and the tunnel between the client and server is secure; however o...
go
No PRs yet
Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source
GHSA-hfmv-hhh3-43f2 CVE-2025-52478 HIGH 4 months ago
Impact: A stored Cross-Site Scripting (XSS) vulnerability was identified in [n8n](https://github.com/n8n-io/n8n), specifically in the For...
npm
No PRs yet
MoonShine Arbitrary File Upload Vulnerability
GHSA-8xfq-7f6m-mpmf CVE-2025-51489 MODERATE 4 months ago
An arbitrary file upload vulnerability in MoonShine v3.12.4 allows attackers to execute arbitrary code via uploading a crafted SVG file.
packagist
No PRs yet
MoonShine SQL Injection Vulnerability
GHSA-9g9j-3w64-3cjh CVE-2025-51510 MODERATE 4 months ago
MoonShine v3.12.5 was discovered to contain a SQL injection vulnerability via the Data parameter under the Blog module.
packagist
No PRs yet
moonshine Stored Cross-Site Scripting Vulnerability in Create Article
GHSA-p632-58pp-c9xg CVE-2025-51487 MODERATE 4 months ago
A stored cross-site scripting (XSS) vulnerability in the Create Article function of MoonShine v3.12.3 allows attackers to execute arbitrary web scr...
packagist
No PRs yet
moonshine Stored Cross-Site Scripting Vulnerability in Create Admin
GHSA-rh9f-gr6q-mpc4 CVE-2025-51488 MODERATE 4 months ago
A stored cross-site scripting (XSS) vulnerability in the Create Admin function of MoonShine v3.12.3 allows attackers to execute arbitrary web scrip...
packagist
No PRs yet
Liferay Portal Email Modification Vulnerability via Calendar Portlet
GHSA-7mxq-h2r7-h449 CVE-2025-43739 MODERATE 4 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 202...
maven
No PRs yet
Liferay Portal has Stored Cross-Site Scripting Vulnerability via Message Boards Feature
GHSA-22jp-w3cg-gvmm CVE-2025-43740 MODERATE 4 months ago
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1...
maven
No PRs yet
LibreNMS allows stored XSS in Alert Template name field
GHSA-vxq6-8cwm-wj99 CVE-2025-55296 MODERATE 4 months ago
Summary: A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (<= 25.6.0) in the Alert Template creation feature. This allows a...
packagist
No PRs yet