Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,784 Total Advisories
1,790 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity
Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)
GHSA-v5w9-prxf-w882 HIGH 10 days ago
### Summary
An unauthenticated attacker can exploit the unprotected registration endpoint (/register) to create a new user and bypass authenticatio...
npm
No PRs yet
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message
GHSA-7xvh-c266-cfr5 CVE-2025-64758 MODERATE 10 days ago
### Description
Since version 4.12.0, Dependency-Track users with the `SYSTEM_CONFIGURATION` permission can configure a "welcome message", which i...
npm
No PRs yet
glob CLI: Command injection via -c/--cmd executes matches with shell:true
GHSA-5j98-mcp5-4vw2 CVE-2025-64756 HIGH 10 days ago
### Summary
The glob CLI contains a command injection vulnerability in its `-c/--cmd` option that allows arbitrary command execution when processi...
npm
835 Dependabot PRs
phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality
GHSA-fxm2-cmwj-qvx4 CVE-2025-62519 HIGH 10 days ago
### Summary
An authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ (v4.0.13 and prior) allows a p...
packagist
No PRs yet
OpenStack Keystone allows /v3/ec2tokens or /v3/s3tokens request with valid AWS Signature to provide Keystone authorization.
GHSA-hcqg-5g63-7j9h CVE-2025-65073 HIGH 11 days ago
OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone ...
pypi
No PRs yet
lsFusion Platform has a Path Traversal vulnerability
GHSA-gwwr-j923-vq7r CVE-2025-13262 MODERATE 11 days ago
A vulnerability was determined in lsfusion platform up to 6.1. Affected by this vulnerability is the function UploadFileRequestHandler of the file ...
maven
No PRs yet
vlife-base has Path Traversal vulnerability
GHSA-cg6m-9276-qpjj CVE-2025-13266 MODERATE 11 days ago
A security vulnerability has been detected in wwwlike vlife up to 2.0.1. This issue affects the function create of the file vlife-base/src/main/jav...
maven
No PRs yet
lsFusion Server is vulnerable to Path Traversal through its unpackFile function
GHSA-8wf8-frjg-xv74 CVE-2025-13265 MODERATE 11 days ago
A weakness has been identified in lsfusion platform up to 6.1. This vulnerability affects the function unpackFile of the file server/src/main/java/...
maven
No PRs yet
lsFusion Platform has a Path Traversal vulnerability
GHSA-5jpg-2rj5-964c CVE-2025-13261 MODERATE 11 days ago
A vulnerability was found in lsfusion platform up to 6.1. Affected is the function DownloadFileRequestHandler of the file web-client/src/main/java/...
maven
No PRs yet
Memos' Access Tokens Stay Valid after User Password Change
GHSA-mr34-8733-grr2 CVE-2024-21635 HIGH 13 days ago
### Summary
Access Tokens are used to authenticate application access. When a user changes their password, the existing list of Access Tokens stay ...
go
No PRs yet
AstrBot is vulnerable to RCE with hard-coded JWT signing keys
GHSA-4m32-cjv7-f425 CVE-2025-55449 CRITICAL 13 days ago
### Summary
AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin.
### Deta...
pypi
No PRs yet
Apollo Federation has Improper Enforcement of Access Control on Transitive Fields
GHSA-m8jr-fxqx-8xx6 HIGH 13 days ago
# Summary
A vulnerability in Apollo Federation's composition logic did not enforce that fields depending on protected data through `@requires` and/...
npm
No PRs yet
Directus is Vulnerable to Stored Cross-site Scripting
GHSA-vv2v-pw69-8crf CVE-2025-64747 MODERATE 13 days ago
### Summary
A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject m...
npm
No PRs yet
Directus has Improper Permission Handling on Deleted Fields
GHSA-9x5g-62gj-wqf2 CVE-2025-64746 MODERATE 13 days ago
### Summary
Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later...
npm
No PRs yet
ZITADEL is vulnerable to Account Takeover with deactivated Instance IdP
GHSA-j4g7-v4m4-77px CVE-2025-64717 HIGH 13 days ago
### Summary
A vulnerability in ZITADEL's federation process allowed auto-linking users from external identity providers to existing users in ZITAD...
go
No PRs yet
Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change
GHSA-fjh6-8679-9pch HIGH 13 days ago
### Summary
Bypass of Password Confirmation - Unverified Password Change (authenticated change without current password)
An authenticated user is ...
npm
No PRs yet
Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)
GHSA-x39m-3393-3qp4 HIGH 13 days ago
### Summary
Unverified Email Change - Email as part of Credential / Unverified Account Recovery Channel Change
The application allows changing the...
npm
No PRs yet
Flowise Fails to Invalidate Existing Sessions After Password Changes
GHSA-x7rp-qj2h-ghgw HIGH 13 days ago
### Summary
Failure to Invalidate Existing Sessions After Password Change (Persistent Session / Session Invalidity Failure).
### Details
After a u...
npm
No PRs yet
Shopware 6's password recovery link does not expire after email change
GHSA-2w46-vq8h-98vh MODERATE 13 days ago
### Summary
When a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email)...
packagist
No PRs yet
PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users
GHSA-r9x7-7ggj-fx9f CVE-2025-64711 LOW 13 days ago
## Summary
Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a ...
packagist
No PRs yet
PrivateBin's template-switching feature allows arbitrary local file inclusion through path traversal
GHSA-g2j9-g8r5-rg82 CVE-2025-64714 MODERATE 13 days ago
## Summary
An unauthenticated Local File Inclusion exists in the template-switching feature: if `templateselection` is enabled in the configuratio...
packagist
No PRs yet
expr-eval vulnerable to Prototype Pollution
GHSA-8gw3-rxh4-v6jx CVE-2025-13204 HIGH 13 days ago
npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based ...
npm
No PRs yet
@apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields
GHSA-mx7m-j9xf-62hw CVE-2025-64530 HIGH 13 days ago
# Summary
A vulnerability in Apollo Federation's composition logic allowed some queries to Apollo Router to improperly bypass access controls on ty...
npm
No PRs yet
js-yaml has prototype pollution in merge (<<)
GHSA-mh29-5h37-fv8m CVE-2025-64718 MODERATE 13 days ago
### Impact
In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml doc...
npm
No PRs yet
Mattermost allows system administrators to access password hashes and MFA secrets
GHSA-mqp8-pgg5-7x7m CVE-2025-11794 MODERATE 13 days ago
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to acce...
go
No PRs yet
Mattermost fails to properly restrict access to archived channel search API
GHSA-j6gg-r5jc-47cm CVE-2025-11776 MODERATE 14 days ago
Mattermost versions < 11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public chann...
go
No PRs yet
Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL
GHSA-ff85-qw3h-g9vp CVE-2025-55073 MODERATE 14 days ago
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and ...
go
No PRs yet
Mattermost allows regular users to access archived channel content and files
GHSA-x3hx-ch7p-8xgg CVE-2025-41436 LOW 14 days ago
Mattermost versions < 11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archiv...
go
No PRs yet
Mattermost does not enforce MFA on WebSocket connections
GHSA-xpg8-8xpv-948p CVE-2025-55070 MODERATE 14 days ago
Mattermost versions < 11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitiv...
go
No PRs yet
Directus Vulnerable to Information Leakage in Existing Collections
GHSA-cph6-524f-3hgr CVE-2025-64749 MODERATE 14 days ago
### Summary:
An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error...
npm
No PRs yet
Directus's conceal fields are searchable if read permissions enabled
GHSA-8jpw-gpr4-8cmh CVE-2025-64748 MODERATE 14 days ago
## Summary
A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values re...
npm
No PRs yet
LXD vulnerable to a local privilege escalation through custom storage volumes
GHSA-3g2j-vm47-x4mj HIGH 14 days ago
**Impact**
This affects any LXD user in an environment where an unprivileged user may have root access to a container with an attached custom stor...
go
No PRs yet
ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
GHSA-4249-gjr8-jpq3 HIGH 14 days ago
### Impact
The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag cont...
rubygems
No PRs yet
SpiceDB WriteRelationships fails silently if payload is too big
GHSA-pm3x-jrhh-qcr7 CVE-2025-64529 LOW 14 days ago
### Impact
Users who:
1. Use the exclusion operator somewhere in their authorization schema.
1. Have configured their SpiceDB server such that `--...
go
No PRs yet
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
GHSA-hr2q-hp5q-x767 CVE-2025-64525 MODERATE 14 days ago
## Summary
In impacted versions of Astro using [on-demand rendering](https://docs.astro.build/en/guides/on-demand-rendering/), request headers `x-...
npm
No PRs yet
Astro development server error page is vulnerable to reflected Cross-site Scripting
GHSA-w2vj-39qv-7vh7 CVE-2025-64745 LOW 14 days ago
## Summary
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configur...
npm
No PRs yet
File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency
GHSA-6jqf-mv7m-3q7p CRITICAL 14 days ago
The standard library `net/http` package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-siz...
go
No PRs yet
File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function
GHSA-6cqf-cfhv-659g CVE-2025-64523 HIGH 14 days ago
### Summary
An Insecure Direct Object Reference (IDOR) vulnerability has been found in the FileBrowser application's share deletion functionalit...
go
No PRs yet
Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable
GHSA-7f2v-3qq3-vvjf CVE-2025-59840 HIGH 14 days ago
## Impact
Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" [expressionInterpreter](https:...
npm
No PRs yet
AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance
GHSA-8wj8-cfxr-9374 HIGH 14 days ago
### Description of Vulnerability:
An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. ...
npm
No PRs yet
AWS Advanced Go Wrapper: Privilege Escalation in Aurora PostgreSQL Instance
GHSA-7wq2-32h4-9hc9 HIGH 14 days ago
### Description of Vulnerability:
An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. ...
go
No PRs yet
Amazon Web Services Advanced JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance
GHSA-7xw4-g7mm-r4hh HIGH 14 days ago
### Description of Vulnerability:
An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. A...
maven
No PRs yet
AWS Advanced Python Wrapper: Privilege Escalation in Aurora PostgreSQL instance
GHSA-4jvf-wx3f-2x8q CVE-2025-12967 HIGH 14 days ago
### Description of Vulnerability:
An issue in AWS Wrappers for Amazon Aurora PostgreSQL may allow for privilege escalation to rds_superuser role. ...
pypi
No PRs yet
Keycloak allows Binding to an Unrestricted IP Address
GHSA-7m9g-pmxf-m9m8 CVE-2025-11538 MODERATE 14 days ago
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug W...
maven
No PRs yet
Mattermost Incorrect Authorization vulnerability
GHSA-mqcj-8c2g-h97q CVE-2025-11777 LOW 14 days ago
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, whic...
go
No PRs yet
Incus vulnerable to local privilege escalation through custom storage volumes
GHSA-56mx-8g9f-5crf CVE-2025-64507 HIGH 14 days ago
### Impact
This affects any Incus user in an environment where an unprivileged user may have root access to a container with an attached custom sto...
go
No PRs yet
Milvus Proxy has a Critical Authentication Bypass Vulnerability
GHSA-mhjq-8c7m-3f7p CVE-2025-64513 CRITICAL 14 days ago
### Impact
An unauthenticated attacker can exploit this vulnerability to bypass all authentica...
go
No PRs yet
sudo-rs doesn't record authenticating user properly in timestamp
GHSA-q428-6v73-fc4q CVE-2025-64517 MODERATE 14 days ago
### Summary
When `Defaults targetpw` (or `Defaults rootpw`) is enabled, the password of the target account (or root account) instead of the invokin...
cargo
No PRs yet
pgAdmin 4 has command injection vulnerability on Windows systems
GHSA-rm79-x4g6-hvg5 CVE-2025-12763 MODERATE 14 days ago
pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True du...
pypi
No PRs yet
pgAdmin has vulnerability in LDAP authentication mechanism that allows bypassing TLS certificate verification
GHSA-g4r8-3qmh-pmch CVE-2025-12765 HIGH 14 days ago
pgAdmin <= 9.9 is affected by a vulnerability in the LDAP authentication mechanism that allows bypassing TLS certificate verification.
pypi
No PRs yet