An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,921 total advisories · 1,821 with Dependabot PRs · 3,520 critical severity · 8,659 high severity

Liferay Portal Vulnerable to Cross-Site Scripting
GHSA-3p2m-574v-v257 CVE-2025-43731 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 20...
maven
No PRs yet
Copier's safe template has filesystem write access outside destination path
GHSA-p7q8-grrj-3m8w CVE-2025-55214 MODERATE 4 months ago
Impact: Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use [unsafe](https://copier.readthedoc...
pypi
No PRs yet
OpenFGA Authorization Bypass
GHSA-mgh9-4mwp-fg55 CVE-2025-55213 MODERATE 4 months ago
Overview: OpenFGA v1.9.3 to v1.9.4 (openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v1.9.4) are vulnerable to improper pol...
go
No PRs yet
Capsule tenant owners with "patch namespace" permission can hijack system namespaces label
GHSA-fcpm-6mxq-m5vv CVE-2025-55205 CRITICAL 4 months ago
Summary: A namespace label injection vulnerability in Capsule v0.10.3 allows authenticated tenant users to inject arbitrary labels into system n...
go
No PRs yet
Copier's safe template has arbitrary filesystem read/write access
GHSA-3xw7-v6cj-5q8h CVE-2025-55201 HIGH 4 months ago
Impact: Copier's current security model is meant to restrict filesystem access through Jinja: files can only be read using `{% include ... %}`, wh...
pypi
No PRs yet
Claude Code's Permissive Default Allowlist Enables Unauthorized File Read and Network Exfiltration in Claude Code
GHSA-x5gv-jw7f-j6xj CVE-2025-55284 HIGH 4 months ago
Due to an overly broad allowlist of safe commands, it was possible to bypass the Claude Code confirmation prompts to read a file and then send file...
npm
No PRs yet
Liferay Portal Login Bypass Vulnerability
GHSA-g4wg-mpfg-x2q6 CVE-2025-3639 LOW 4 months ago
Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024....
maven
No PRs yet
Liferay Portal Vulnerable to Insecure Direct Object Reference
GHSA-v6xr-v2qg-h22h CVE-2025-43732 MODERATE 4 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 20...
maven
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting
GHSA-vhcr-hgc8-29qr CVE-2025-43733 LOW 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7 allows a remote a...
maven
No PRs yet
IdMap from_iter may lead to uninitialized memory being freed on drop
GHSA-qq4c-hm99-979m MODERATE 4 months ago
Due to a flaw in the constructor `id_map::IdMap::from_iter`, ill-formed objects may be created in which the amount of actually initialized memory i...
cargo
No PRs yet
Spring Framework MVC Applications Path Traversal Vulnerability
GHSA-r936-gwx5-v52f CVE-2025-41242 MODERATE 4 months ago
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An app...
maven
No PRs yet
ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/users.js
GHSA-q4rg-7cjj-5r86 CVE-2025-9095 MODERATE 4 months ago
A cross-site scripting (XSS) issue exists in ExpressGateway up to 1.16.10 in the REST endpoint implemented in lib/rest/routes/users.js. User-contro...
npm
No PRs yet
ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/apps.js
GHSA-xfp8-x3j6-h67v CVE-2025-9096 MODERATE 4 months ago
A cross-site scripting (XSS) issue exists in ExpressGateway ≤ 1.16.10 in lib/rest/routes/apps.js. User-controlled data returned by the REST endpoin...
npm
No PRs yet
Bouncy Castle for Java Uncontrolled Resource Consumption Vulnerability
GHSA-v6cf-mv9h-c8mc CVE-2025-9092 LOW 4 months ago
Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 bc-fips (API modules) all...
maven
No PRs yet
HashiCorp go-getter Vulnerable to Symlink Attacks
GHSA-wjrx-6529-hcj3 CVE-2025-8959 HIGH 4 months ago
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designa...
go
244 Dependabot PRs, 15% merged
Template Secret leakage in logs in Scaffolder when using `fetch:template`
GHSA-3x3q-ghcp-whf7 CVE-2025-55285 LOW 4 months ago
A logging flaw in Backstage Scaffolder's `fetch:template` action up to `@backstage/plugin-scaffolder-backend` 2.1.0 may write template secrets ...
npm
No PRs yet
@astrojs/node's trailing slash handling causes open redirect issue
GHSA-9x9c-ghc5-jhw9 CVE-2025-55207 MODERATE 4 months ago
Summary: Following https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in ...
npm
No PRs yet
User-defined implementations of the safe trait scratchpad::Tracking can cause heap buffer overflows
GHSA-77h3-w9rx-hj3q MODERATE 4 months ago
The `get` and `set` methods of the public trait `scratchpad::Tracking` interact with unsafe code regions in the crate, and they influence the compu...
cargo
No PRs yet
Information Disclosure in Amazon ECS Container Agent
GHSA-wm7x-ww72-r77q CVE-2025-9039 MODERATE 4 months ago
Summary: Amazon Elastic Container Service (Amazon ECS, https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html) is a fully ma...
go
No PRs yet
Youki: If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.
GHSA-j26p-6wx7-f3pw CVE-2025-54867 HIGH 4 months ago
Summary: If `/proc` and `/sys` in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem. ...
cargo
No PRs yet
Apache Superset data query improperly discloses database schema information to low-privileged guest user
GHSA-9g5x-mm39-wg9r CVE-2025-55673 MODERATE 4 months ago
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This f...
pypi
No PRs yet
Apache Superset's chart visualization has a stored Cross-Site Scripting (XSS) vulnerability
GHSA-fj97-2v9x-w5m4 CVE-2025-55672 MODERATE 4 months ago
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit c...
pypi
No PRs yet
Apache Superset has bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of blocked SQL functions
GHSA-fxgf-3xh6-m2pp CVE-2025-55674 MODERATE 4 months ago
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use...
pypi
No PRs yet
Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access
GHSA-mhpq-m962-mg92 CVE-2025-55675 MODERATE 4 months ago
Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated u...
pypi
No PRs yet
Flowise OS command remote code execution
GHSA-2vv2-3x8x-4gv7 CVE-2025-8943 CRITICAL 4 months ago
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's i...
npm
No PRs yet
Active Storage allowed transformation methods that were potentially unsafe
GHSA-r4mg-4433-c7g3 CVE-2025-24293 CRITICAL 4 months ago
Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list ...
rubygems
7047 Dependabot PRs, 8% merged
Helm May Panic Due To Incorrect YAML Content
GHSA-f9f8-9pmf-xv68 CVE-2025-55198 MODERATE 4 months ago
A Helm contributor discovered an improper validation of type error when parsing Chart.yaml and index.yaml files that can lead to a panic. Impa...
go
366 Dependabot PRs, 18% merged
Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion
GHSA-9h84-qmv7-982p CVE-2025-55199 MODERATE 4 months ago
A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and h...
go
366 Dependabot PRs, 18% merged
swift-nio-http2 affected by HTTP/2 MadeYouReset vulnerability
GHSA-xvr7-p2c6-j83w MODERATE 4 months ago
The HTTP/2 [MadeYouReset vulnerability](https://galbarnahum.com/made-you-reset) has a mild effect on swift-nio-http2. swift-nio-http2 mostly prote...
swift
No PRs yet
m00nl1ght-dev/steam-workshop-deploy: Exposure of Version-Control Repository to an Unauthorized Control Sphere and Insufficiently Protected Credentials
GHSA-x6gv-2rvh-qmp6 CRITICAL 4 months ago
Summary: The `steam-workshop-deploy` GitHub Action does not exclude the `.git` directory when packaging content for deployment and provides no bu...
actions
12 Dependabot PRs, 50% merged
Active Record logging vulnerable to ANSI escape injection
GHSA-76r7-hhxj-r776 CVE-2025-55193 MODERATE 4 months ago
This vulnerability has been assigned the CVE identifier CVE-2025-55193. Impact: The ID passed to `find` or similar methods may be logged without...
rubygems
7042 Dependabot PRs, 8% merged
PyPDF's Manipulated FlateDecode streams can exhaust RAM
GHSA-7hfw-26vp-jp8m CVE-2025-55197 MODERATE 4 months ago
Impact: An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a...
pypi
16 Dependabot PRs
External Secrets Operator's Missing Namespace Restriction Allows Unauthorized Secret Access
GHSA-fcxq-v2r3-cc8h CVE-2025-55196 HIGH 4 months ago
Summary: A vulnerability was discovered in the External Secrets Operator where the `List()` calls for Kubernetes Secret and SecretStore resources...
go
No PRs yet
Netty affected by MadeYouReset HTTP/2 DDoS vulnerability
GHSA-prj3-ccx8-p6x4 CVE-2025-55163 HIGH 4 months ago
Below is a technical explanation of a newly discovered vulnerability in HTTP/2, which we refer to as “MadeYouReset.” MadeYouReset Vulnerabilit...
maven
70 Dependabot PRs, 27% merged
OMERO.web displays unnecessary user information when requesting password reset
GHSA-gpmg-4x4g-mr5r CVE-2025-54791 MODERATE 4 months ago
Background: If an error occurred when resetting a user's password using the `Forgot Password` option in OMERO.web, the error message displaye...
pypi
No PRs yet
OliveTin OS Command Injection vulnerability
GHSA-p3qf-84rg-jxfc CVE-2025-50946 HIGH 4 months ago
OS Command Injection in OliveTin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go.
go
No PRs yet
Apache Tomcat Improper Resource Shutdown or Release vulnerability
GHSA-gqp3-2cvr-x8m3 CVE-2025-48989 HIGH 4 months ago
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the MadeYouReset attack. This issue affects Apach...
maven
1 Dependabot PR, 100% merged
Soosyze CMS's /user/login endpoint missing rate-limiting and lockout mechanisms
GHSA-vq9x-w82r-rhmc CVE-2025-52392 HIGH 4 months ago
Soosyze CMS 2.0 allows brute-force login attacks via the /user/login endpoint due to missing rate-limiting and lockout mechanisms. An attacker can ...
packagist
No PRs yet
Apache Tomcat Session Fixation vulnerability
GHSA-23hv-mwm6-g8jf CVE-2025-55668 MODERATE 4 months ago
Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1...
maven
No PRs yet
Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation
GHSA-4cx2-fc23-5wg6 CVE-2025-8916 MODERATE 4 months ago
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpki...
maven
10 Dependabot PRs
Liferay Portal 7.4.0 and Liferay DXP have a reflected cross-site scripting (XSS) vulnerability
GHSA-m5c7-5gv3-hcpf CVE-2025-43734 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2...
maven
No PRs yet
svg-sanitizer Bypasses Attribute Sanitization
GHSA-22wq-q86m-83fh CVE-2025-55166 MODERATE 4 months ago
Problem: The sanitization logic at https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481 only searches for lowe...
packagist
No PRs yet
Keras vulnerable to CVE-2025-1550 bypass via reuse of internal functionality
GHSA-c9rc-mg46-23w3 CVE-2025-8747 HIGH 4 months ago
Summary: It is possible to bypass the mitigation introduced in response to [CVE-2025-1550](https://github.com/keras-team/keras/security/advisori...
pypi
No PRs yet
Magento Cross-Site Request Forgery (CSRF) vulnerability
GHSA-5777-jj7p-mpqw CVE-2025-49555 HIGH 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) ...
packagist
No PRs yet
Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
GHSA-wcmw-8xpp-rwfj CVE-2025-49558 MODERATE 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Time-of-check Time-of-use (TOCTOU)...
packagist
No PRs yet
Magento Cross-site Scripting vulnerability
GHSA-8mq8-c243-2335 CVE-2025-49557 HIGH 4 months ago
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting...
packagist
No PRs yet
Magento has incorrect authorization issue that leads to arbitrary file system read
GHSA-7hrj-3c9x-xv5h CVE-2025-49556 HIGH 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Magento vulnerable to path traversal
GHSA-h4f4-gv6h-x824 CVE-2025-49559 MODERATE 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname...
packagist
No PRs yet
Magento vulnerable to denial of service
GHSA-xgfm-992v-h2hr CVE-2025-49554 HIGH 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnera...
packagist
No PRs yet
content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE
GHSA-w2cq-g8g3-gm83 CVE-2025-55164 HIGH 4 months ago
Impact: A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if you provide a policy name called `__proto__` you ca...
npm
No PRs yet