An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,921
With Dependabot PRs: 1,822
Critical Severity: 3,520
High Severity: 8,659

Liferay Portal and Liferay DXP have a reflected cross-site scripting vulnerability
GHSA-222w-xmc5-jhp3 CVE-2025-43735 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 20...
maven
No PRs yet
Liferay Portal and Liferay DXP have a Denial Of Service via File Upload (DOS) vulnerability
GHSA-cg99-m88x-422c CVE-2025-43736 MODERATE 4 months ago
A Denial Of Service via File Upload (DOS) vulnerability in Liferay Portal 7.4.3.0 through 7.4.3.132, Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024....
maven
No PRs yet
Bouncy Castle for Java on All (API modules) allows Excessive Allocation
GHSA-67mf-3cr5-8w23 CVE-2025-8885 MODERATE 4 months ago
A resource allocation vulnerability exists in Bouncy Castle for Java (by Legion of the Bouncy Castle Inc.) that affects all API modules. The vulner...
maven
No PRs yet
Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers
GHSA-r3v7-pc4g-7xp9 CVE-2025-55152 MODERATE 4 months ago
Summary: With a specially crafted value of the `x-forwarded-proto` or `x-forwarded-for` header, it's possible to significantly slow down an oak ...
npm
No PRs yet
Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass
GHSA-9gvj-pp9x-gcfr HIGH 4 months ago
Details: There is a parsing logic error in picklescan and modelscan when handling the opcode `STACK_GLOBAL`. Function `_list_globals` whe...
pypi
2 Dependabot PRs, 50% merged
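The truncated summary above says the flaw is in how `_list_globals` deals with `STACK_GLOBAL`. As an added illustration (this is not picklescan's or modelscan's code, and it does not reproduce their exact bug), the Python below contrasts a hypothetical resolver that pairs `STACK_GLOBAL` with the nearest preceding string opcodes against one that simulates the pickle stack and memo. The evasive pickle and the `DANGEROUS` denylist are constructed here; the pickle is only parsed with `pickletools` and is never loaded.

```python
"""Added illustration, not picklescan's or modelscan's code: resolving
STACK_GLOBAL from a simulated pickle stack versus from nearby string opcodes."""
import pickle
import pickletools

# Hypothetical denylist of (module, name) pairs a scanner would flag
DANGEROUS = {("os", "system"), ("subprocess", "Popen"), ("builtins", "eval")}


def _short_unicode(text: str) -> bytes:
    """Encode a SHORT_BINUNICODE push (1-byte length prefix, UTF-8 payload)."""
    data = text.encode("utf-8")
    return pickle.SHORT_BINUNICODE + bytes([len(data)]) + data


def build_evasive_pickle() -> bytes:
    """Constructed sample: memoize 'os' and 'system', pop them, push a decoy
    pair, pop that too, then restore the real names via BINGET right before
    STACK_GLOBAL. The real operands come from the memo, not from the nearest
    string opcodes. Only ever parse this; never pickle.loads() it."""
    return b"".join([
        pickle.PROTO + b"\x04",
        _short_unicode("os"), pickle.MEMOIZE,              # memo[0] = 'os'
        _short_unicode("system"), pickle.MEMOIZE,          # memo[1] = 'system'
        pickle.POP, pickle.POP,
        _short_unicode("json"), _short_unicode("loads"),   # decoy strings
        pickle.POP, pickle.POP,
        pickle.BINGET + b"\x00", pickle.BINGET + b"\x01",  # stack: 'os', 'system'
        pickle.STACK_GLOBAL,                               # resolves os.system
        _short_unicode("id"), pickle.TUPLE1, pickle.REDUCE,
        pickle.STOP,
    ])


def naive_globals(data: bytes) -> set:
    """Flawed resolver (hypothetical): pair each STACK_GLOBAL with the two
    most recently seen string-pushing opcodes, ignoring POP and memo ops."""
    found, recent = set(), []
    for op, arg, _ in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            recent.append(arg)
        elif op.name == "STACK_GLOBAL" and len(recent) >= 2:
            found.add((recent[-2], recent[-1]))
    return found


def stack_globals(data: bytes) -> set:
    """Resolver that simulates the pickle VM stack and memo for the opcodes
    able to move strings around, so STACK_GLOBAL sees its real operands."""
    found, stack, memo = set(), [], {}
    for op, arg, _ in pickletools.genops(data):
        name = op.name
        if name in ("PROTO", "FRAME"):
            continue
        if name in ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE"):
            stack.append(arg)
        elif name == "MEMOIZE":
            memo[len(memo)] = stack[-1]
        elif name in ("BINPUT", "LONG_BINPUT", "PUT"):
            memo[arg] = stack[-1]
        elif name in ("BINGET", "LONG_BINGET", "GET"):
            stack.append(memo[arg])
        elif name == "POP":
            stack.pop()
        elif name == "STACK_GLOBAL":
            attr, module = stack.pop(), stack.pop()
            found.add((module, attr))
            stack.append(f"<global {module}.{attr}>")
        elif name == "GLOBAL":  # protocol 0-3 form, decoded as "module name"
            module, attr = arg.split(" ", 1)
            found.add((module, attr))
            stack.append(f"<global {module}.{attr}>")
        elif name == "TUPLE1":
            stack.append((stack.pop(),))
        elif name == "REDUCE":
            stack.pop()
            stack.pop()
            stack.append("<reduce result>")
        elif name == "STOP":
            break
        else:
            stack.append(f"<{name}>")  # approximate other opcodes as one push
    return found


def is_dangerous(found: set) -> bool:
    """True if any resolved global is on the denylist."""
    return any(pair in DANGEROUS for pair in found)
```

Run against `build_evasive_pickle()`, `naive_globals` reports only `json.loads` while `stack_globals` reports `os.system`; the general lesson is that any static pickle scanner has to model the stack and memo, because `STACK_GLOBAL` takes its operands from wherever the pickle VM left them, not from the bytes immediately before it.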
PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter
GHSA-pwh4-6r3m-j2rf CVE-2025-55156 HIGH 4 months ago
Summary: The parameter `add_links` in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensit...
pypi
No PRs yet
Komari vulnerable to 2FA Authentication Bypass
GHSA-jhmr-57cj-q6g9 HIGH 4 months ago
Summary: A logic error in the 2FA verification condition allows bypass of two-factor authentication. Details: https://github.com/komari-monitor/k...
go
No PRs yet
Komari vulnerable to Cross-site WebSocket Hijacking
GHSA-q355-h244-969h HIGH 4 months ago
Summary: The WebSocket upgrader has origin checking disabled, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users ...
go
No PRs yet
HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit
GHSA-xcxh-6cv4-q8p8 LOW 4 months ago
Summary: When adding a "web link" to the HFS virtual filesystem, the frontend opens it with `target="_blank"` but without the `rel="noopener nor...
npm
No PRs yet
Litestar has potential log injection in exception logging
GHSA-674p-xv2x-rf3g LOW 4 months ago
Summary: Litestar does not escape URL paths when logging exceptions. This makes the logger vulnerable to CRLF injection if the logging level is configu...
pypi
No PRs yet
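The Litestar summary above says an unescaped URL path reaches the exception logger. As an added example (not Litestar's code; the logger names, format string and request path are constructed here), the Python below shows the forged record a CRLF payload produces through a plain `logging.Formatter`, and a formatter that escapes control characters in the message and the exception text so every record stays on its own line:

```python
"""Added example (not Litestar's code): a logged request path carrying CR/LF
forges an extra log line unless the formatter neutralizes control characters."""
import io
import logging
import re

# Constructed sample: a request path with an embedded CRLF followed by a
# fake, level-prefixed record that would look genuine in the log file
MALICIOUS_PATH = "/api/users\r\nERROR:app:admin login succeeded for attacker"

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def _escape(text: str) -> str:
    """Replace each control character with a visible \\xNN escape so it can
    neither end the current line nor drive a terminal reading the log."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


class ControlCharEscapingFormatter(logging.Formatter):
    """Formatter that escapes control characters in the rendered message and
    in the exception text, since the attacker's path may appear in either."""

    def format(self, record: logging.LogRecord) -> str:
        # Work on a copy so other handlers still see the original record
        clean = logging.makeLogRecord(record.__dict__)
        clean.msg, clean.args = _escape(record.getMessage()), None
        clean.exc_text = None  # force formatException() to run again
        return super().format(clean)

    def formatException(self, ei) -> str:
        return _escape(super().formatException(ei))


def render(path: str, hardened: bool) -> str:
    """Log an exception mentioning `path` through a fresh logger and return
    exactly what reached the sink (an in-memory buffer standing in for a file)."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    fmt = "%(levelname)s:%(name)s:%(message)s"
    handler.setFormatter(ControlCharEscapingFormatter(fmt) if hardened
                         else logging.Formatter(fmt))
    logger = logging.getLogger("app.hardened" if hardened else "app.naive")
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    try:
        raise ValueError(f"no route for {path}")
    except ValueError:
        logger.exception("unhandled exception while serving %s", path)
    handler.flush()
    return sink.getvalue()


def looks_forged(output: str) -> bool:
    """True if any line after the first starts like a level-prefixed record,
    i.e. the attacker managed to inject what reads as a separate log entry."""
    return any(re.match(r"^[A-Z]+:app", line) for line in output.splitlines()[1:])
```

With the plain formatter, `render(MALICIOUS_PATH, hardened=False)` yields a line reading `ERROR:app:admin login succeeded for attacker` that nothing in the application ever logged; with the hardened formatter the same path is rendered as `/api/users\x0d\x0aERROR:app:...` inside the original record. The trade-off in this design is that the traceback is also collapsed onto one escaped line; a structured (JSON) formatter is the usual alternative when multi-line tracebacks must stay readable.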
slab allows out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check
GHSA-qx2v-8332-m4fv CVE-2025-55159 MODERATE 4 months ago
Impact: The `get_disjoint_mut` method in slab v0.4.10 incorrectly checked whether indices were within the slab's capacity instead of its length, all...
cargo
No PRs yet
Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions
GHSA-gjpm-6w34-ppvf CVE-2025-54463 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits t...
go
No PRs yet
Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions
GHSA-w92j-c6gr-hj8r CVE-2025-53514 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits t...
go
No PRs yet
Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions
GHSA-vc77-c2hx-h5x2 CVE-2025-52931 HIGH 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits t...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-42m6-5vm7-fjv2 CVE-2025-53857 LOW 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, allowing attackers to get channel subscription details with...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-j66h-xhpr-7q5g CVE-2025-54458 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the Confluence space, allowing attackers to create a subscription to a ...
go
No PRs yet
Mattermost Confluence Plugin has Improper Validation of Specified Type of Input
GHSA-3cg3-3mmr-w8hj CVE-2025-54525 HIGH 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-v6c8-g53h-mc2h CVE-2025-53910 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, allowing attackers to create a channel subscription without...
go
No PRs yet
Mattermost Confluence Plugin is Missing Authentication for Critical Function
GHSA-qpjq-c5hr-7925 CVE-2025-54478 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to enforce user authentication of the Mattermost instance, allowing unauthenticated attackers to...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-qjrx-j8wm-xf83 CVE-2025-8285 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check the access of the user to the channel which allows attackers to create channel subscrip...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-cmpr-8prq-w5p5 CVE-2025-48731 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to Confluence spaces, which allows attackers to edit subscriptions for Conf...
go
No PRs yet
Mattermost Confluence Plugin is Missing Authentication for Critical Function
GHSA-6ff3-jgxh-vffj CVE-2025-44004 HIGH 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check the user's authorization to the Mattermost instance, which allows attackers to creat...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-rfg4-2m63-fw2q CVE-2025-49221 LOW 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to enforce authentication of the user to the Mattermost instance, which allows unauthenticated a...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-vpcr-fqpc-386h CVE-2025-44001 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, which allows attackers to get channel subscription details ...
go
No PRs yet
TinyScientist has Path Traversal Vulnerability in PDF Review Function (CWE-22)
GHSA-rrgf-hcr9-jq6h CVE-2025-55149 MODERATE 4 months ago
Description: A critical path traversal vulnerability (CWE-22) has been identified in the `review_paper` function in `backend/app.py`. The vulnera...
pypi
No PRs yet
Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery
GHSA-c6g5-g6r7-q4j6 CVE-2025-4655 MODERATE 4 months ago
An SSRF vulnerability in FreeMarker templates in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 thr...
maven
No PRs yet
Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery
GHSA-6v93-frf9-2rp8 CVE-2025-4581 MODERATE 4 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 202...
maven
No PRs yet
Craft CMS has a theoretical bypass for CVE-2025-23209
GHSA-2vcf-qxv3-2mgw CVE-2025-54417 MODERATE 4 months ago
Pre-requisites: have a compromised security key (https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret); somehow, man...
packagist
No PRs yet
Liferay Portal Reflected XSS in blogs-web
GHSA-6qcg-28jh-hm7r CVE-2025-4576 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.133, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 20...
maven
No PRs yet
The AuthKit Remix Library renders sensitive auth data in HTML
GHSA-v3gr-w9gf-23cx CVE-2025-55009 HIGH 4 months ago
Summary: Before `0.15.0`, `@workos-inc/authkit-remix` returned sensitive authentication artifacts from the `authkitLoader`, specifically `seale...
npm
No PRs yet
The AuthKit React Router Library rendered sensitive auth data in HTML
GHSA-vqvc-9q8x-vmq6 CVE-2025-55008 HIGH 4 months ago
In versions before `0.7.0`, `@workos-inc/authkit-react-router` exposed sensitive authentication artifacts — specifically `sealedSession` and `acces...
npm
No PRs yet
OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
GHSA-2q8q-8fgw-9p6p CVE-2025-55001 MODERATE 4 months ago
Impact: OpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using t...
go
1 Dependabot PR, 100% merged
OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse
GHSA-rxp7-9q75-vj3p CVE-2025-55003 MODERATE 4 months ago
Impact: OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One-Time Password (TOTP). Due to normali...
go
1 Dependabot PR, 100% merged
OpenBao TOTP Secrets Engine Code Reuse
GHSA-f7c3-mhj2-9pvg CVE-2025-55000 MODERATE 4 months ago
Impact: OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly once. This was caused by unexpected normaliz...
go
1 Dependabot PR, 100% merged
OpenBao has a Timing Side-Channel in the Userpass Auth Method
GHSA-hh28-h22f-8357 CVE-2025-54999 LOW 4 months ago
Impact: When using OpenBao's `userpass` auth method, user enumeration was possible due to a timing difference between non-existent users and user...
go
1 Dependabot PR, 100% merged
OpenBao Userpass and LDAP User Lockout Bypass
GHSA-j3xv-7fxp-gfhx CVE-2025-54998 MODERATE 4 months ago
Impact: Attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different...
go
1 Dependabot PR, 100% merged
Privileged OpenBao Operator May Execute Code on the Underlying Host
GHSA-xp75-r577-cvhp CVE-2025-54997 CRITICAL 4 months ago
Impact: Under certain threat models, OpenBao operators with privileged API access may not be system administrators and thus normally lack the a...
go
1 Dependabot PR, 100% merged
OpenBao Root Namespace Operator May Elevate Token Privileges
GHSA-vf84-mxrq-crqc CVE-2025-54996 HIGH 4 months ago
Impact: Accounts with access to the highly-privileged identity entity system in the root namespace may increase their scope directly to the `ro...
go
1 Dependabot PR, 100% merged
@fedify/fedify has Improper Authentication and Incorrect Authorization
GHSA-6jcc-xgcr-q3h4 CVE-2025-54888 HIGH 4 months ago
Summary: An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged acti...
npm
2 Dependabot PRs, 50% merged
Apache Seata: Deserialization of untrusted Data in Apache Seata Server
GHSA-g358-g2pq-c46j CVE-2025-53606 HIGH 4 months ago
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): 2.4.0. Users are reco...
maven
No PRs yet
Apache CXF: Untrusted JMS configuration can lead to RCE
GHSA-g4px-6qhm-hqjm CVE-2025-48913 MODERATE 4 months ago
If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution c...
maven
No PRs yet
ExecuTorch integer overflow vulnerability
GHSA-84m3-f99p-cqx5 CVE-2025-30405 CRITICAL 4 months ago
An integer overflow vulnerability in the loading of ExecuTorch models can cause objects to be placed outside their allocated memory area, potential...
pypi
No PRs yet
ExecuTorch vulnerable to Heap-based Buffer Overflow
GHSA-xc7w-r669-48pf CVE-2025-54951 CRITICAL 4 months ago
A group of related buffer overflow vulnerabilities in the loading of ExecuTorch models can cause the runtime to crash and potentially result in cod...
pypi
No PRs yet
ExecuTorch out-of-bounds access vulnerability
GHSA-f9hx-c6jf-3qxm CVE-2025-54950 CRITICAL 4 months ago
An out-of-bounds access vulnerability in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution o...
pypi
No PRs yet
ExecuTorch integer overflow vulnerability leads to code execution
GHSA-33r8-vrx9-rmcv CVE-2025-54952 MODERATE 4 months ago
An integer overflow vulnerability in the loading of ExecuTorch models can cause smaller-than-expected memory regions to be allocated, potentially r...
pypi
No PRs yet
ExecuTorch integer overflow vulnerability
GHSA-hj95-mhgf-jxc4 CVE-2025-30404 CRITICAL 4 months ago
An integer overflow vulnerability in the loading of ExecuTorch models can cause overlapping allocations, potentially resulting in code execution or...
pypi
No PRs yet
ExecuTorch heap buffer overflow vulnerability
GHSA-9m39-3mf3-xwch CVE-2025-54949 CRITICAL 4 months ago
A heap buffer overflow vulnerability in the loading of ExecuTorch models can potentially result in code execution or other undesirable effects. Thi...
pypi
No PRs yet
operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd
GHSA-856v-8qm2-9wjv CVE-2025-7195 MODERATE 4 months ago
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK...
go
No PRs yet
JWE is missing AES-GCM authentication tag validation in encrypted JWE
GHSA-c7p4-hx26-pr73 CVE-2025-54887 CRITICAL 4 months ago
Overview: The authentication tag of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide w...
rubygems
7 Dependabot PRs, 71% merged
quiche connection ID retirement can trigger an infinite loop
GHSA-m3hh-f9gh-74c2 CVE-2025-7054 HIGH 4 months ago
Impact: Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames. QUIC...
cargo
2 Dependabot PRs