An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,784
With Dependabot PRs: 1,790
Critical Severity: 3,506
High Severity: 8,617

pgAdmin4 vulnerable to Remote Code Execution (RCE) when running in server mode
GHSA-w2p4-p4rh-qcm3 CVE-2025-12762 CRITICAL 14 days ago
pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing resto...
pypi
No PRs yet
pgAdmin is affected by an LDAP injection vulnerability
GHSA-cvf4-f829-762v CVE-2025-12764 HIGH 14 days ago
pgAdmin <= 9.9 is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP charac...
pypi
No PRs yet
Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)
GHSA-rrx3-2x4g-mq2h CVE-2025-64509 HIGH 15 days ago
### Impact In affected versions, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, le...
pypi
No PRs yet
Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input
GHSA-fc2v-vcwj-269v CVE-2025-64508 HIGH 15 days ago
### Impact In affected versions, brotli "bombs" (highly compressed brotli streams, such as many zeros) can be sent to the server. Since the server...
pypi
No PRs yet
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
GHSA-7cx5-254x-cgrq CVE-2025-64502 MODERATE 15 days ago
### Impact The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning be...
npm
No PRs yet
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass
GHSA-3rg7-wf37-54rm CVE-2025-64500 HIGH 15 days ago
### Description The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't ...
packagist
No PRs yet
Evervault Go SDK: Incomplete PCR Validation in Enclave Attestation for non-Evervault hosted Enclaves
GHSA-88h9-77c7-p6w4 CVE-2025-64186 HIGH 15 days ago
### Summary A vulnerability was identified in the `evervault-go` SDK’s attestation verification logic that may allow incomplete documents to pass ...
go
No PRs yet
OAuth2-Proxy is vulnerable to header smuggling via underscore leading to potential privilege escalation
GHSA-vjrc-mh2v-45x6 CVE-2025-64484 HIGH 15 days ago
### Impact All deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based framewor...
go
No PRs yet
Wasmtime provides unsound API access to a WebAssembly shared linear memory
GHSA-hc7m-r6v8-hg9q CVE-2025-64345 LOW 15 days ago
### Impact Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which p...
cargo
2 Dependabot PRs
sudo-rs: Partial password reveal is possible after timeout
GHSA-c978-wq47-pvvw CVE-2025-64170 LOW 15 days ago
### Summary If a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens,...
cargo
No PRs yet
OpenAM: Using arbitrary OIDC requested claims values in id_token and user_info is allowed
GHSA-39hr-239p-fhqc CVE-2025-64099 HIGH 15 days ago
### Summary If the "claims_parameter_supported" parameter is activated, it is possible through the "oidc-claims-extension.groovy" script, to inject...
maven
No PRs yet
changedetection.io: Stored XSS in Watch update via API
GHSA-4c3j-3h7v-22q9 CVE-2025-62780 LOW 15 days ago
### Summary A Stored Cross Site Scripting is present in the changedetection.io Watch update API due to insufficient security checks. ### Details ...
pypi
No PRs yet
Observability Operator is vulnerable to Incorrect Privilege Assignment through its Custom Resource MonitorStack
GHSA-mj6p-p843-x5wc CVE-2025-2843 HIGH 15 days ago
A flaw was found in the Observability Operator. The Operator creates a ServiceAccount with *ClusterRole* upon deployment of the *Namespace-Scoped* ...
go
No PRs yet
jose2go is vulnerable to a JWT bomb attack through its decode function
GHSA-9mj6-hxhv-w67j CVE-2025-63811 HIGH 15 days ago
An issue was discovered in dvsekhvalnov jose2go 1.5.0 thru 1.7.0 allowing an attacker to cause a Denial-of-Service (DoS) via crafted JSON Web Encry...
go
No PRs yet
TYPO3 Modules Extension has Improper Authentication vulnerability
GHSA-49qv-h8pm-73pf CVE-2025-12998 HIGH 15 days ago
Improper Authentication vulnerability in TYPO3 Extension "Modules" codingms/modules. This issue affects Extension "Modules": before 4.3.11, from 5....
packagist
No PRs yet
Soft Serve is vulnerable to SSRF through its Webhooks
GHSA-vwq2-jx9q-9h9f CVE-2025-64522 CRITICAL 17 days ago
SUMMARY We have identified and verified an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create w...
go
No PRs yet
TorrentPier is Vulnerable to Authenticated SQL Injection through Moderator Control Panel's topic_id parameter
GHSA-4rwr-8c3m-55f6 CVE-2025-64519 HIGH 17 days ago
### Summary An authenticated SQL injection vulnerability exists in the moderator control panel (`modcp.php`). Users with moderator permissions can ...
packagist
No PRs yet
CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection
GHSA-6fhj-vr9j-g45r CVE-2025-64518 HIGH 17 days ago
### Impact The XML [`Validator`](https://docs.oracle.com/javase/8/docs/api/javax/xml/validation/Validator.html) used by cyclonedx-core-java was no...
maven
2 Dependabot PRs
Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand
GHSA-g4mf-96x5-5m2c CVE-2025-12613 HIGH 18 days ago
Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containi...
npm
No PRs yet
EverShop is vulnerable to Unauthorized Order Information Access (IDOR)
GHSA-c73g-mx2w-cc93 CVE-2025-12919 LOW 18 days ago
A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolv...
npm
No PRs yet
Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc
GHSA-f83h-ghpp-7wcc HIGH 20 days ago
### 🚀 Overview This report **demonstrates a real-world privilege escalation** vulnerability in [pdfminer.six](https://github.com/pdfminer/pdfminer...
pypi
No PRs yet
Arbitrary Code Execution in pdfminer.six via Crafted PDF Input
GHSA-wf5f-4jwr-ppcp CVE-2025-64512 HIGH 20 days ago
### Summary pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()`...
pypi
1 Dependabot PR
KubeVirt Vulnerable to Arbitrary Host File Read and Write
GHSA-46xp-26xh-hpqh CVE-2025-64324 HIGH 20 days ago
### Summary The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, the impl...
go
No PRs yet
AstrBot has an arbitrary file read vulnerability in function _encode_image_bs64
GHSA-vm2f-46xc-5jc3 CVE-2025-57697 MODERATE 20 days ago
AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Since the _encode_image_bs64 function defined in e...
pypi
No PRs yet
AstrBot contains a directory traversal vulnerability
GHSA-xrj9-mw57-j34v CVE-2025-57698 HIGH 20 days ago
AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-...
pypi
No PRs yet
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
GHSA-cm35-v4vp-5xvx CVE-2025-64496 HIGH 20 days ago
### Summary Open WebUI v0.6.33 and below contains a code injection vulnerability in the Direct Connections feature that allows malicious external m...
npm pypi
No PRs yet
Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE
GHSA-w7xj-8fx7-wfch CVE-2025-64495 HIGH 20 days ago
### Summary The functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabl...
npm pypi
No PRs yet
Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files
GHSA-rwvc-j5jr-mgvh CVE-2025-48985 LOW 21 days ago
A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass fil...
npm
No PRs yet
Nuxt DevTools vulnerable to cross-site scripting (XSS)
GHSA-xmq3-q5pm-rp26 CVE-2025-52662 MODERATE 21 days ago
A vulnerability in Nuxt DevTools has been fixed in version **2.6.4**. This issue may have allowed Nuxt auth token extraction via XSS under certain...
npm
No PRs yet
Soft Serve does not sanitize ANSI escape sequences in user input
GHSA-fv2r-r8mp-pg48 CVE-2025-64494 MODERATE 21 days ago
### Impact In several places where the user can insert data (e.g. names), ANSI escape sequences are not being removed, which can then be used, for ...
go
No PRs yet
KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes
GHSA-2r4r-5x78-mvqf CVE-2025-64437 MODERATE 21 days ago
### Summary It is possible to trick the `virt-handler` component...
go
No PRs yet
KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes
GHSA-7xgm-5prm-v5gc CVE-2025-64436 MODERATE 21 days ago
### Summary The permissions granted to the `virt-handler` service account, such as the ability to update VMI and patch nodes, could be abused to f...
go
No PRs yet
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation
GHSA-9m94-w2vq-hcf9 CVE-2025-64435 MODERATE 21 days ago
### Summary A logic flaw in the `virt-controller` allows an atta...
go
No PRs yet
KubeVirt's Improper TLS Certificate Management Handling Allows API Identity Spoofing
GHSA-ggp9-c99x-54gp CVE-2025-64434 MODERATE 21 days ago
### Summary Due to improper TLS certificate management, a compromised `virt-handler` could impersonate `virt-api` by using its own TLS credentials,...
go
No PRs yet
KubeVirt Arbitrary Container File Read
GHSA-qw6q-3pgr-5cwq CVE-2025-64433 MODERATE 21 days ago
### Summary Mounting a user-controlled PVC disk within a VM allo...
go
No PRs yet
KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer
GHSA-38jw-g2qx-4286 CVE-2025-64432 MODERATE 21 days ago
### Summary A flawed implementation of the Kubernetes aggregatio...
go
No PRs yet
containerd CRI server: Host memory exhaustion through Attach goroutine leak
GHSA-m6hq-p25p-ffr2 CVE-2025-64329 MODERATE 21 days ago
### Impact A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks. Repetit...
go
29 Dependabot PRs
MQTT does not validate hostnames
GHSA-9c5q-w6gr-fxcq CVE-2025-12790 HIGH 21 days ago
A flaw was found in Rubygem MQTT. By default, the package did not perform hostname validation, resulting in a possible Man-in-the-Middle (MITM) attack.
rubygems
No PRs yet
Apollo Router Affected by an Access Control Bypass on Polymorphic Types
GHSA-x33c-7c2v-mrj9 CVE-2025-64173 HIGH 21 days ago
# Summary A vulnerability in Apollo Router allowed for unauthenticated queries to access data that required additional access controls. Router inc...
cargo
No PRs yet
Apollo Router Improperly Enforces Renamed Access Control Directives
GHSA-g8jh-vg5j-4h3f CVE-2025-64347 HIGH 21 days ago
# Summary A vulnerability in Apollo Router allowed for unauthorized access to protected data through schema elements with access control directive...
cargo
No PRs yet
Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
GHSA-52c5-vh7f-26fx CVE-2025-64501 HIGH 21 days ago
### Impact The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag cont...
rubygems
No PRs yet
OpenTofu affected by denial of service in "tofu init" with maliciously-crafted module package responses
GHSA-w2jf-268q-mrvh LOW 21 days ago
### Impact Unauthenticated denial of service. ### Summary When installing module packages from attacker-controlled sources, `tofu init` may use ...
go
No PRs yet
Open redirect endpoint in Datasette
GHSA-w832-gg5g-x44m CVE-2025-64481 LOW 21 days ago
### Impact Deployed instances of Datasette prior to `0.65.2` and `1.0a21` include an open redirect vulnerability. Hits to the path `//example.com...
pypi
No PRs yet
containerd affected by a local privilege escalation via wide permissions on CRI directory
GHSA-pwhc-rpq9-4c8w CVE-2024-25621 HIGH 21 days ago
### Impact An overly broad default permission vulnerability was found in containerd. - `/var/lib/containerd` was created with the permission bits...
go
29 Dependabot PRs
LangGraph Checkpoint affected by RCE in "json" mode of JsonPlusSerializer
GHSA-wwqv-p2pp-99h5 CVE-2025-64439 HIGH 22 days ago
# Summary Prior to `langgraph-checkpoint` version `3.0` , LangGraph’s `JsonPlusSerializer` (used as the default serialization protocol for all che...
pypi
No PRs yet
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
GHSA-x4qj-2f4q-r4rx CVE-2025-64430 HIGH 22 days ago
### Impact A Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a `Parse.File` with `uri` par...
npm
No PRs yet
IDOR Vulnerabilities in ZITADEL's Organization API allow Cross-Tenant Data Tampering
GHSA-cpf4-pmr4-w6cx CVE-2025-64431 HIGH 22 days ago
### Summary ZITADEL's Organization V2Beta API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users with...
go
No PRs yet
Weblate leaks the IP of project member inviting user to be reviewer in Audit log
GHSA-gr35-vpx2-qxhc CVE-2025-64326 LOW 22 days ago
### Summary Weblate leaks the IP address of the project member inviting the user to the project in the audit log. ### Details The audit log includ...
pypi
No PRs yet
youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects
GHSA-vf95-55w6-qmrf CVE-2025-62596 HIGH 22 days ago
### Impact youki’s apparmor handling performs insufficiently strict write-target validation, which—combined with path substitution during path...
cargo
No PRs yet
youki container escape via "masked path" abuse due to mount race conditions
GHSA-4g74-7cff-xcv8 CVE-2025-62161 HIGH 22 days ago
### Impact youki utilizes bind mounting the container's `/dev/null` as a file mask. When performing this operation, the initial validation of ...
cargo
No PRs yet