An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system
GHSA-gjp8-99fv-cgcw CVE-2025-47410 HIGH about 1 month ago
Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tric...
maven
No PRs yet
Cargo Mediawiki Extension vulnerable to Cross-site Scripting
GHSA-gr6v-3pmp-996p CVE-2025-62671 MODERATE about 1 month ago
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - C...
packagist
No PRs yet
MCMS vulnerable SQL injection via the content_title parameter
GHSA-54wc-49qj-5ghj CVE-2025-56316 CRITICAL about 1 month ago
A SQL injection vulnerability in the content_title parameter of the /cms/content/list endpoint in MCMS 5.5.0 through 6.0.1 allows remote attackers ...
maven
No PRs yet
Keras framework vulnerable to deserialization of untrusted data
GHSA-cvhh-q5g5-qprp CVE-2025-49655 CRITICAL about 1 month ago
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a m...
pypi
No PRs yet
pyquokka is Vulnerable to Remote Code Execution by Pickle Deserialization via FlightServer
GHSA-f74j-gffq-vm9p CVE-2025-62515 CRITICAL about 1 month ago
### Description In the FlightServer class of the pyquokka framework, the do_action() method directly uses pickle.loads() to deserialize action bod...
pypi
No PRs yet
ibexa/fieldtype-richtext has an XSS vulnerability via acronym custom tag in Rich Text
GHSA-8c2g-f8jm-5cr7 MODERATE about 1 month ago
### Impact This security advisory resolves an XSS vulnerability in acronym custom tag in Rich Text, in the back office of the DXP. Back office acce...
packagist
No PRs yet
Ash has authorization bypass when bypass policy condition evaluates to true
GHSA-pcxq-fjp3-r752 CVE-2025-48044 HIGH about 1 month ago
### Summary Bypass policies incorrectly authorize requests when their condition evaluates to true but their authorization checks fail and no other ...
hex
No PRs yet
ibexa/admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal
GHSA-2mx6-fq24-g2mh MODERATE about 1 month ago
### Impact This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back offi...
packagist
No PRs yet
ezsystems/ezplatform-admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal
GHSA-99c7-c3mw-mxhv MODERATE about 1 month ago
### Impact This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back offi...
packagist
No PRs yet
ibexa/user login enumerates user accounts
GHSA-q3x8-6898-23g3 MODERATE about 1 month ago
### Impact In v5, error messages could provide enough information to tell whether a user exists or not. This is resolved by ensuring the error mess...
packagist
No PRs yet
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module
GHSA-fgx4-p8xf-qhp9 CVE-2025-62505 LOW about 1 month ago
### Vulnerability Description --- Vulnerability Overview - When the client sends an arbitrary URL array and impl: ["naive"] to the tRPC endpoint...
npm
No PRs yet
Keycloak error_description injection on error pages that can trigger phishing attacks
GHSA-27gc-wj6x-9w55 CVE-2025-10044 MODERATE about 1 month ago
Keycloak’s account console accepts arbitrary text in the `error_description` query parameter. This text is directly rendered in error pages without...
maven
No PRs yet
OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests
GHSA-g46h-2rq9-gw5m CVE-2025-59043 HIGH about 1 month ago
### Summary JSON objects after decoding might use more memory than their serialized version. It is possible to tune a JSON to maximize the factor ...
go
No PRs yet
Git LFS may write to arbitrary files via crafted symlinks
GHSA-6pvw-g552-53c5 CVE-2025-26625 HIGH about 1 month ago
### Impact When populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visib...
go
No PRs yet
Mammoth is vulnerable to Directory Traversal
GHSA-rmjr-87wv-gf87 CVE-2025-11849 MODERATE about 1 month ago
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the packa...
maven npm nuget +1 more
No PRs yet
MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS
GHSA-jjjj-jwhf-8rgr CVE-2025-62506 HIGH about 1 month ago
### Summary A privilege escalation vulnerability allows service accounts and STS (Security Token Service) accounts with restricted session policies...
go
No PRs yet
Angular SSR has a Server-Side Request Forgery (SSRF) flaw
GHSA-q63q-pgmf-mxhr CVE-2025-62427 HIGH about 1 month ago
### Impact The vulnerability is a **Server-Side Request Forgery (SSRF)** flaw within the URL resolution mechanism of Angular's Server-Side Renderin...
npm
No PRs yet
bagisto has Cross Site Scripting (XSS) in Create New Customer
GHSA-r9xj-mvqf-jm7w CVE-2025-62414 MODERATE about 1 month ago
### Summary In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to reflected / stored Cross-Site Scripting (XSS...
packagist
No PRs yet
bagisto has CSV Formula Injection in Create New Product
GHSA-jqrp-58fv-w8cq CVE-2025-62417 CRITICAL about 1 month ago
### Summary When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved ...
packagist
No PRs yet
bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
GHSA-fg89-g389-p346 CVE-2025-62418 MODERATE about 1 month ago
### Summary In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafte...
packagist
No PRs yet
bagisto has Server Side Template Injection (SSTI) in Product Description
GHSA-527q-4wqv-g9wj CVE-2025-62416 MODERATE about 1 month ago
### Summary Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side ...
packagist
No PRs yet
LibreNMS alert-rules has a Cross-Site Scripting Vulnerability
GHSA-6g2v-66ch-6xmh CVE-2025-62412 LOW about 1 month ago
## Executive Summary **Product:** LibreNMS **Vendor:** LibreNMS **Vulnerability Type:** Cross-Site Scripting (XSS) **CVSS Score:** 4.3 (AV:N...
packagist
No PRs yet
PrestaShop Checkout Target PayPal merchant account hijacking from backoffice
GHSA-wvpg-4wrh-5889 CVE-2025-61924 LOW about 1 month ago
### Impact Wrong usage of the PHP `array_search()` allows bypass of validation. ### Patches The problem has been patched in versions: - v4.4.1 for...
packagist
No PRs yet
PrestaShop Checkout Backoffice directory traversal allows arbitrary file disclosure
GHSA-fpxp-pfqm-x54w CVE-2025-61923 MODERATE about 1 month ago
# Impact Missing validation on input vulnerable to directory traversal. # Patches The problem has been patched in versions: v4.4.1 for PrestaShop...
packagist
No PRs yet
PrestaShop Checkout allows customer account takeover via email
GHSA-54hq-mf6h-48xh CVE-2025-61922 CRITICAL about 1 month ago
# Impact Missing validation on Express Checkout feature allows silent log-in ## Affected versions The issue was introduced in PrestaShop Checkout...
packagist
No PRs yet
Strapi core vulnerable to sensitive data exposure via CORS misconfiguration
GHSA-9329-mxxw-qwf8 CVE-2025-53092 MODERATE about 1 month ago
### Summary A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly refle...
npm
No PRs yet
Strapi Password Hashing is Missing Maximum Password Length Validation
GHSA-2cjv-6wg9-f4f3 CVE-2025-25298 MODERATE about 1 month ago
## Summary Strapi's password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords ex...
npm
No PRs yet
Smidge is vulnerable to Path Traversal
GHSA-9rvm-p3qm-f4vv CVE-2025-11842 MODERATE about 1 month ago
A security vulnerability has been detected in Shazwazza Smidge up to 4.5.1. The impacted element is an unknown function of the component Bundle Han...
nuget
No PRs yet
Strapi Allows Unauthorized Access to Private Fields via parms.lookup
GHSA-495j-h493-42q2 CVE-2024-56143 HIGH about 1 month ago
### Summary It's possible to access any private fields by filtering through the lookup parameters ### Details Using the new lookup operator provi...
npm
No PRs yet
bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
GHSA-67px-r26w-598x CVE-2025-62415 MODERATE about 1 month ago
### Summary In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafte...
packagist
No PRs yet
LibreNMS has a Stored XSS vulnerability in its Alert Transport name field
GHSA-frc6-pwgr-c28w CVE-2025-62411 MODERATE about 1 month ago
### Summary LibreNMS <= 25.8.0 contains a **Stored Cross-Site Scripting (XSS)** vulnerability in the Alert Transports management functionality. Wh...
packagist
No PRs yet
Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection
GHSA-fwxx-wv44-7qfg CVE-2025-41253 HIGH about 1 month ago
The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system propertie...
maven
No PRs yet
Spring Framework STOMP over WebSocket applications may allow attackers to send unauthorized messages
GHSA-7fch-4f2f-jcgm CVE-2025-41254 MODERATE about 1 month ago
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages. ### Affected Sprin...
maven
No PRs yet
Strapi is vulnerable to Insufficient Session Expiration
GHSA-4r8w-3jww-m2rp CVE-2025-3930 MODERATE about 1 month ago
Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker wh...
npm
No PRs yet
Apache Traffic Control has an Inefficient Regular Expression Complexity vulnerability
GHSA-9m49-p2j3-c6xm CVE-2025-61581 LOW about 1 month ago
*** UNSUPPORTED WHEN ASSIGNED *** Inefficient Regular Expression Complexity vulnerability in Apache Traffic Control. This issue affects Apache Tra...
go
No PRs yet
Mattermost has an Observable Timing Discrepancy vulnerability
GHSA-xr3w-rmvj-f6m7 CVE-2025-54499 LOW about 1 month ago
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to use constant-time comparison for sensitive string comparisons which allows attack...
go
No PRs yet
Apache ActiveMQ NMS AMQP Client has a Deserialization of Untrusted Data vulnerability
GHSA-4mjw-xr5x-prpc CVE-2025-54539 CRITICAL about 1 month ago
A Deserialization of Untrusted Data vulnerability exists in the Apache ActiveMQ NMS AMQP Client. This issue affects all versions of Apache ActiveM...
nuget
No PRs yet
Mattermost has a Missing Authorization vulnerability
GHSA-r6qj-894f-5hr2 CVE-2025-58075 HIGH about 1 month ago
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using ...
go
No PRs yet
Mattermost has a Missing Authorization vulnerability
GHSA-7cr3-38jm-6p45 CVE-2025-41443 MODERATE about 1 month ago
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which...
go
No PRs yet
Mattermost has an Incorrect Authorization vulnerability
GHSA-424h-xj87-m937 CVE-2025-10545 LOW about 1 month ago
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when adding channel members which allows...
go
No PRs yet
Mattermost has a Missing Authorization vulnerability
GHSA-3q4q-wqm6-hvf3 CVE-2025-41410 MODERATE about 1 month ago
Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which al...
go
No PRs yet
Mattermost has a Missing Authorization vulnerability
GHSA-6q7m-p8cc-998r CVE-2025-58073 HIGH about 1 month ago
Mattermost versions 10.11.x <= 10.11.1, 10.10.x <= 10.10.2, 10.5.x <= 10.5.10 fail to verify a user has permission to join a Mattermost team using ...
go
No PRs yet
GeoIP processor disables SSL certificate validation when downloading databases
GHSA-3xgr-h5hq-7299 MODERATE about 1 month ago
### Impact The GeoIP processor in Data Prepper was configured to trust all SSL certificates and disable hostname verification when downloading Geo...
maven
No PRs yet
OpenSearch Data Prepper uses deprecated SSL protocol identifier
GHSA-28gg-8qqj-fhh5 MODERATE about 1 month ago
### Impact The GeoIP processor and Kafka source and buffer were using the deprecated "SSL" protocol identifier when creating SSL contexts, potenti...
maven
No PRs yet
happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
GHSA-qpm2-6cq5-7pq5 CVE-2025-62410 CRITICAL about 1 month ago
### Summary The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice,...
npm
No PRs yet
go-witness is Vulnerable to Improper Verification of AWS EC2 Identity Documents
GHSA-72c7-4g63-hpw5 CVE-2025-62375 MODERATE about 1 month ago
### Impact This vulnerability only affects users of the AWS attestor. Users of the AWS attestor could have unknowingly received a forged identity ...
go
No PRs yet
OpenSearch Data Prepper plugins trust all SSL certificates by default
GHSA-43ff-rr26-8hx4 CVE-2025-62371 HIGH about 1 month ago
### Impact The OpenSearch sink and source plugins in Data Prepper are configured to trust all SSL certificates by default when no certificate path...
maven
No PRs yet
`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js`
GHSA-hwmc-4c8j-xxj7 CVE-2025-62381 HIGH about 1 month ago
### Summary `sveltekit-superforms` v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the `parseFormData` function of ...
npm
No PRs yet
Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails
GHSA-q4w9-x3rv-4c8j CVE-2025-62380 LOW about 1 month ago
### Summary An HTML injection vulnerability in plaintext emails generated by Mailgen has been discovered. Projects are affected if the `Mailgen.ge...
npm
No PRs yet
gnark-crypto doesn't range check input values during ECDSA and EdDSA signature deserialization
GHSA-fr8m-434r-g3xp MODERATE about 1 month ago
### Impact During deserialization of ECDSA and EdDSA signatures gnark-crypto did not check that the values are in the range `[1, n-1]` with `n` be...
go
No PRs yet