Security Advisories
Browse security advisories and track which Dependabot PRs address them.
25,050 Total Advisories
1,846 With Dependabot PRs
3,534 Critical Severity
8,712 High Severity
Rancher exposes sensitive information through audit logs
GHSA-mw39-9qc2-f7mg CVE-2024-58269 MODERATE about 2 months ago
### Impact
**Note: The exploitation of this issue requires that the malicious user have access to Rancher’s audit log storage.**
A vulnerability h...
go
No PRs yet
Rancher user retains access to clusters despite Global Role removal
GHSA-j4vr-pcmw-hx59 CVE-2023-32199 MODERATE about 2 months ago
### Impact
A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or...
go
No PRs yet
Liferay Portal ComboServlet denial of service via large file combination
GHSA-q95h-87j6-273x CVE-2025-62254 MODERATE about 2 months ago
The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 ...
maven
No PRs yet
MCMS reflected cross-site scripting (XSS) vulnerability
GHSA-wvv5-5g6x-hp7j CVE-2025-60837 MODERATE about 2 months ago
A reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's bro...
maven
No PRs yet
rollbar vulnerable to Prototype Pollution in merge()
GHSA-xcg2-9pp4-j82x CVE-2025-62517 MODERATE about 2 months ago
### Impact
Prototype pollution vulnerability in merge(). If application code calls `rollbar.configure()` with untrusted input, prototype pollution...
npm
No PRs yet
Piranha CMS vulnerable to stored cross-site scripting (XSS)
GHSA-3qcp-9v8c-6jp7 CVE-2025-61413 MODERATE about 2 months ago
A stored cross-site scripting (XSS) vulnerability in the /manager/pages component of Piranha CMS v12.0 allows attackers to execute arbitrary web sc...
nuget
No PRs yet
Liferay Portal and DXP do not properly restrict access to OpenAPI
GHSA-j82q-c85j-xw4w CVE-2025-62256 MODERATE about 2 months ago
Liferay Portal 7.4.0 through 7.4.3.109, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 GA through update 92, 7.3 GA ...
maven
No PRs yet
Keycloak does not invalidate offline sessions when the offline_access scope is removed
GHSA-895x-rfqp-jh5c CVE-2025-12110 MODERATE about 2 months ago
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token ...
maven
No PRs yet
Keycloak does not invalidate sessions when "Remember Me" is disabled
GHSA-64w3-5q9m-68xf CVE-2025-11429 MODERATE about 2 months ago
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Ses...
maven
No PRs yet
Moodle's error handling leads to sensitive information disclosure
GHSA-c5cj-xp43-qcc3 CVE-2025-62396 MODERATE about 2 months ago
An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers ...
packagist
No PRs yet
Moodle has a time restriction bypass
GHSA-w29j-8phw-ffjf CVE-2025-62401 MODERATE about 2 months ago
An issue in Moodle's timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to co...
packagist
No PRs yet
Moodle does not properly enforce MFA
GHSA-25wf-7x6c-wmpf CVE-2025-62398 MODERATE about 2 months ago
A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially ...
packagist
No PRs yet
Moodle exposed the names of hidden groups to users
GHSA-422v-w6c5-vq42 CVE-2025-62400 MODERATE about 2 months ago
Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal pr...
packagist
No PRs yet
Moodle sends quiz-related messages to inactive/suspended users
GHSA-8fcv-4qp9-pg32 CVE-2025-62394 MODERATE about 2 months ago
Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-rel...
packagist
No PRs yet
Moodle course access permissions are not properly checked in course_output_fragment_course_overview
GHSA-rjcm-7v2p-9265 CVE-2025-62393 MODERATE about 2 months ago
A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users ...
packagist
No PRs yet
Slack Nebula may accept arbitrary source IP addresses
GHSA-x6fh-7qmf-69xh CVE-2025-62820 MODERATE about 2 months ago
Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network.
go
No PRs yet
Liferay Portal and Liferay DXP vulnerable to reflected cross-site scripting (XSS)
GHSA-phjr-p9c5-hprx CVE-2025-62248 MODERATE about 2 months ago
A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal 7.4.0 through 7.4.3.132, ...
maven
No PRs yet
OpenBao and Vault Leak []byte Fields in Audit Logs
GHSA-rc54-2g2c-g36g CVE-2025-62705 MODERATE about 2 months ago
### Impact
OpenBao's audit log did not appropriately redact fields when relevant subsystems sent `[]byte` response parameters rather than `string`...
go
No PRs yet
Sakai kernel-impl: predictable PRNG used to generate server‑side encryption key in EncryptionUtilityServiceImpl
GHSA-gr7h-xw4f-wh86 CVE-2025-62710 MODERATE about 2 months ago
### Impact
EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java...
maven
No PRs yet
pypdf can exhaust RAM via manipulated LZWDecode streams
GHSA-jfx9-29x2-rv3j CVE-2025-62708 MODERATE about 2 months ago
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of ...
pypi
No PRs yet
pypdf possibly loops infinitely when reading DCT inline images without EOF marker
GHSA-vr63-x8vc-m265 CVE-2025-62707 MODERATE about 2 months ago
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a ...
pypi
4 Dependabot PRs
Vert.x-Web Access Control Flaw in StaticHandler’s Hidden File Protection for Files Under Hidden Directories
GHSA-h5fg-jpgr-rv9c CVE-2025-11965 MODERATE about 2 months ago
# Description
There is a flaw in the hidden file protection feature of Vert.x Web’s `StaticHandler` when `setIncludeHidden(false)` is configured.
...
maven
2 Dependabot PRs
OpenBao leaks HTTPRawBody in Audit Logs
GHSA-ghfh-fmx4-26h8 CVE-2025-62513 MODERATE about 2 months ago
### Impact
OpenBao's audit log experienced a regression wherein raw HTTP bodies used by few endpoints were not correctly redacted (HMAC'd). This ...
go
No PRs yet
ncurses exposes uninitialized memory in string reading functions
GHSA-x77x-7mmh-cxv3 MODERATE about 2 months ago
Multiple string reading functions expose uninitialized memory by setting length to capacity when no null terminator is found.
This allows reading ...
cargo
No PRs yet
Scapy Session Loading Vulnerable to Arbitrary Code Execution via Untrusted Pickle Deserialization
GHSA-cq46-m9x9-j8w2 MODERATE about 2 months ago
### Summary
An unsafe deserialization vulnerability in Scapy <v2.7.0 allows attackers to execute arbitrary code **when a malicious session file is...
pypi
No PRs yet
Hugging Face Smolagents XPath injection vulnerability in the search_item_ctrl_f function
GHSA-8mf9-rmgw-33qc CVE-2025-11844 MODERATE about 2 months ago
Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/visio...
pypi
No PRs yet
Nautobot Single Source of Truth (SSoT) has an unauthenticated ServiceNow configuration URL
GHSA-535g-62r7-cx6v CVE-2025-62607 MODERATE about 2 months ago
The servicenow config URL is using a generic django View with no authentication.
URL: `/plugins/ssot/servicenow/config/`
### Impact
_What kind of...
pypi
No PRs yet
Liferay Portal reflected cross-site scripting (XSS) vulnerability in the google_gaget
GHSA-rx48-gqc2-4w47 CVE-2025-62249 MODERATE about 2 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 20...
maven
No PRs yet
code16 Sharp vulnerable to Cross Site Scripting (XSS)
GHSA-9778-v769-qvjf CVE-2025-61457 MODERATE about 2 months ago
code16 Sharp v9.6.6 is vulnerable to Cross Site Scripting (XSS) in src/Form/Fields/SharpFormUploadField.php.
packagist
No PRs yet
NeuVector is shipping cryptographic material into its binary
GHSA-h773-7gf7-9m2x CVE-2025-54471 MODERATE about 2 months ago
### Impact
NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secr...
go
No PRs yet
Liferay Portal fails to verify that messages from the cluster network are trusted
GHSA-6pgj-w687-9c8c CVE-2025-62250 MODERATE about 2 months ago
Improper Authentication in Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 202...
maven
No PRs yet
ProcessWire CMS vulnerable to resource-exhaustion Denial of Service
GHSA-9p44-q66p-xm6p CVE-2025-60790 MODERATE about 2 months ago
ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limi...
packagist
No PRs yet
Shopware Customer Orders can be canceled, even if refunds are disabled
GHSA-r2vg-hvjm-fg38 MODERATE about 2 months ago
Refunds in general can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel), which visually shows and hi...
packagist
No PRs yet
Shopware exposes sensitive user information via CSV export mapping
GHSA-27c9-vp3w-6ww8 MODERATE about 2 months ago
### Impact
Malicious actors can exploit this finding to export sensitive customer information from a Shopware application, including password hashe...
packagist
No PRs yet
Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually
GHSA-m895-2hj3-8cg9 MODERATE about 2 months ago
In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber a...
packagist
No PRs yet
Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic
GHSA-g8mr-fgfg-5qpc CVE-2025-62595 MODERATE about 2 months ago
### Summary:
A bypass was discovered in the `Koa.js` framework affecting its back redirect functionality. In certain circumstances, an attacker ca...
npm
No PRs yet
Taguette vulnerable to cross-site scripting via tag name, tag description, document name and document description
GHSA-g9qw-g6rv-3889 CVE-2025-62528 MODERATE about 2 months ago
### Impact
An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or desc...
pypi
No PRs yet
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read
GHSA-vffh-c9pq-4crh MODERATE about 2 months ago
### Summary
In some Notification types (e.g., Webhook, Telegram), the `send()` function allows user-controlled renderTemplate input. This leads to...
npm
No PRs yet
vite allows server.fs.deny bypass via backslash on Windows
GHSA-93m4-6634-74q7 CVE-2025-62522 MODERATE about 2 months ago
### Summary
Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` wh...
npm
No PRs yet
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
GHSA-xvp7-8vm8-xfxx MODERATE about 2 months ago
### Summary
The GoCardless components in Actualbudget are logging responses to STDOUT in a parsed format using `console.log` and `console.debug` ...
npm
No PRs yet
Citizen vulnerable to stored XSS in sticky header button messages
GHSA-g955-vw6w-v6pp CVE-2025-62508 MODERATE about 2 months ago
### Summary
The JS implementation for copying button labels to the sticky header in the Citizen skin unescapes HTML characters, allowing for stored...
packagist
No PRs yet
Cargo Mediawiki Extension vulnerable to Cross-site Scripting
GHSA-gr6v-3pmp-996p CVE-2025-62671 MODERATE about 2 months ago
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - C...
packagist
No PRs yet
ibexa/fieldtype-richtext has an XSS vulnerability via acronym custom tag in Rich Text
GHSA-8c2g-f8jm-5cr7 MODERATE about 2 months ago
### Impact
This security advisory resolves an XSS vulnerability in acronym custom tag in Rich Text, in the back office of the DXP. Back office acce...
packagist
No PRs yet
ibexa/admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal
GHSA-2mx6-fq24-g2mh MODERATE about 2 months ago
### Impact
This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back offi...
packagist
No PRs yet
ezsystems/ezplatform-admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal
GHSA-99c7-c3mw-mxhv MODERATE about 2 months ago
### Impact
This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back offi...
packagist
No PRs yet
ibexa/user login enumerates user accounts
GHSA-q3x8-6898-23g3 MODERATE about 2 months ago
### Impact
In v5, error messages could provide enough information to tell whether a user exists or not. This is resolved by ensuring the error mess...
packagist
No PRs yet
Keycloak error_description injection on error pages that can trigger phishing attacks
GHSA-27gc-wj6x-9w55 CVE-2025-10044 MODERATE about 2 months ago
Keycloak’s account console accepts arbitrary text in the `error_description` query parameter. This text is directly rendered in error pages without...
maven
No PRs yet
Mammoth is vulnerable to Directory Traversal
GHSA-rmjr-87wv-gf87 CVE-2025-11849 MODERATE about 2 months ago
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the packa...
maven
npm
nuget
+1 more
No PRs yet
bagisto has Cross Site Scripting (XSS) in Create New Customer
GHSA-r9xj-mvqf-jm7w CVE-2025-62414 MODERATE 2 months ago
### Summary
In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to reflected / stored Cross-Site Scripting (XSS...
packagist
No PRs yet
bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
GHSA-fg89-g389-p346 CVE-2025-62418 MODERATE 2 months ago
### Summary
In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafte...
packagist
No PRs yet