Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,842 Total Advisories | 1,801 With Dependabot PRs | 3,510 Critical Severity | 8,633 High Severity
Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms
GHSA-8535-hvm8-2hmv CVE-2025-66298 HIGH about 2 hours ago
### Summary
Having a simple form on site can reveal the whole Grav configuration details (including plugin configuration details) by using the corr...
packagist
No PRs yet
Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass
GHSA-662m-56v4-3r8f CVE-2025-66294 HIGH about 2 hours ago
### Summary
A Server-Side Template Injection (SSTI) vulnerability exists in Grav that allows authenticated attackers with editor permissions to exe...
packagist
No PRs yet
Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection
GHSA-858q-77wx-hhx6 CVE-2025-66297 HIGH about 2 hours ago
### Summary
A user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. ...
packagist
No PRs yet
Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption
GHSA-h756-wh59-hhjv CVE-2025-66295 HIGH about 2 hours ago
### Summary
When a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal s...
packagist
No PRs yet
Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes
GHSA-v4hv-rgfq-gp49 CVE-2025-66412 HIGH about 2 hours ago
A **Stored Cross-Site Scripting ([XSS](https://angular.dev/best-practices/security#preventing-cross-site-scripting-xss))** vulnerability has been i...
npm
No PRs yet
Gin-vue-admin has an arbitrary file deletion vulnerability
GHSA-jrhg-82w2-vvj7 CVE-2025-66410 HIGH about 3 hours ago
### Impact
Attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'Fi...
go
No PRs yet
Keras Directory Traversal Vulnerability
GHSA-hjqc-jx6g-rwp9 CVE-2025-12060 HIGH about 3 hours ago
## Summary
Keras's `keras.utils.get_file()` function is vulnerable to directory traversal attacks despite implementing `filter_safe_paths()`. The ...
pypi
No PRs yet
Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter
GHSA-m8vh-v6r6-w7p6 CVE-2025-66305 HIGH about 3 hours ago
**Endpoint**: `admin/config/system`
**Submenu**: `Languages`
**Parameter**: `Supported`
**Application**: Grav v 1.7.48
---
## Summary
A De...
packagist
No PRs yet
Grav has Broken Access Control which allows an Editor to modify the page's YAML Frontmatter to alter form processing actions
GHSA-v8x2-fjv7-8hjh CVE-2025-66301 HIGH about 3 hours ago
### Summary
Due to a broken access control vulnerability in the `/admin/pages/{page_name}` endpoint, an editor (user with full permissions to page...
packagist
No PRs yet
Grav is vulnerable to Arbitrary File Read
GHSA-p4ww-mcp9-j6f2 CVE-2025-66300 HIGH about 3 hours ago
### Summary
- A low privilege user account with page editing privilege can read any server files using "Frontmatter" form.
- This includes Grav us...
packagist
No PRs yet
Grav is Vulnerable to Security Sandbox Bypass with SSTI (Server Side Template Injection)
GHSA-gjc5-8cfh-653x CVE-2025-66299 HIGH about 3 hours ago
## Summary
Grav CMS is vulnerable to a Server-Side Template Injection (SSTI) that allows any authenticated user with editor permissions to execute...
packagist
No PRs yet
Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover
GHSA-cjcp-qxvg-4rjm CVE-2025-66296 HIGH about 3 hours ago
### Summary
A privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating u...
packagist
No PRs yet
XWiki Jetty Package (XJetty) allows accessing any application file through URL
GHSA-53gx-j3p6-2rw9 CVE-2025-55749 HIGH about 9 hours ago
### Impact
In an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webap...
maven
No PRs yet
trytond does not enforce access rights for the route of the HTML editor.
GHSA-p3p5-xrmv-4j6x CVE-2025-66423 HIGH 2 days ago
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for the route of the HTML editor. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70.
pypi
No PRs yet
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client
GHSA-58c5-g7wp-6w37 CVE-2025-66035 HIGH 5 days ago
The vulnerability is a **Credential Leak by App Logic** that leads to the **unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token*...
npm
No PRs yet
node-forge has ASN.1 Unbounded Recursion
GHSA-554w-wpv2-vw27 CVE-2025-66031 HIGH 5 days ago
### Summary
An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to ...
npm
1633 Dependabot PRs
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
GHSA-5gfm-wpxj-wjgq CVE-2025-12816 HIGH 5 days ago
### Summary
CVE-2025-12816 has been reserved by CERT/CC
**Description**
An Interpretation Conflict (CWE-436) vulnerability in node-forge versions...
npm
1633 Dependabot PRs
Valibot has a ReDoS vulnerability in `EMOJI_REGEX`
GHSA-vqpr-j7v3-hqw9 CVE-2025-66020 HIGH 5 days ago
### Summary
The `EMOJI_REGEX` used in the `emoji` action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciou...
npm
1 Dependabot PR
OneUptime Unauthorized User Creation via API
GHSA-m449-vh5f-574g CVE-2025-65966 HIGH 5 days ago
### Summary
A low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface.
### ...
npm
No PRs yet
Hive Metastore Server is vulnerable to SQL Injection
GHSA-932v-x9x2-vq29 CVE-2025-62728 HIGH 6 days ago
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability...
maven
No PRs yet
OWASP Java HTML Sanitizer is vulnerable to XSS via noscript tag and improper style tag sanitization
GHSA-g9gq-3pfx-2gw2 CVE-2025-66021 HIGH 6 days ago
### Summary
It is observed that OWASP Java HTML Sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows `noscript` and `style` tags with `allowT...
maven
No PRs yet
Better Auth Passkey Plugin allows passkey deletion through IDOR
GHSA-4vcf-q4xf-f48m HIGH 6 days ago
# Summary
Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using `...
npm
No PRs yet
OpenSearch is vulnerable to DoS via complex query_string inputs
GHSA-mw3v-mmfw-3x2g CVE-2025-9624 HIGH 6 days ago
A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs.
This issue affects all ...
maven
No PRs yet
cggmp24 and cggmp21 are vulnerable to signature forgery through altered presignatures
GHSA-8frv-q972-9rq5 CVE-2025-66017 HIGH 6 days ago
### Impact
This attack is against presignatures used in very specific context:
* Presignatures + HD wallets derivation: security level reduces to 8...
cargo
No PRs yet
Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer
GHSA-xv5p-fjw5-vrj6 CVE-2025-62703 HIGH 6 days ago
### Summary
The Fugue framework implements an RPC server system for distributed computing operations. In the core functionality of the RPC server i...
pypi
No PRs yet
GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature
GHSA-fjf5-xgmq-5525 CVE-2025-58360 HIGH 6 days ago
## Description
An XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint `/geoserv...
maven
No PRs yet
REDAXO CMS is vulnerable to RCE attack through its template management component
GHSA-xj9j-gjxg-7jvq CVE-2025-64050 HIGH 6 days ago
A Remote Code Execution (RCE) vulnerability in the template management component in REDAXO CMS 5.20.0 allows remote authenticated administrators to...
packagist
No PRs yet
Grype has a credential disclosure vulnerability in its JSON output
GHSA-6gxw-85q2-q646 CVE-2025-65965 HIGH 7 days ago
A credential disclosure vulnerability was found in Grype, affecting versions `v0.68.0` through `v0.104.0`. If registry credentials are defined and ...
go
No PRs yet
Babylon's malformed vote extensions are not rejected
GHSA-2fcv-qww3-9v6h HIGH 7 days ago
### Summary
Adversarial validators can send large vote extensions by using non-existing protobuf tags. This will result in the rejection of the su...
go
No PRs yet
OpenBao is Vulnerable to Privileged Operator Identity Group Root Escalation
GHSA-7ff4-jw48-3436 CVE-2025-64761 HIGH 7 days ago
### Impact
Similar to HCSEC-2025-13 / CVE-2025-5999, a privileged operator could use the identity group subsystem to add a root policy to a group ...
go
No PRs yet
new-api is vulnerable to SSRF Bypass
GHSA-9f46-w24h-69w4 CVE-2025-62155 HIGH 7 days ago
### Summary
A recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur....
go
No PRs yet
Keylime allows users to register new agents by recycling existing UUIDs when using different TPM devices
GHSA-xh5w-g8gq-r3v9 CVE-2025-13609 HIGH 7 days ago
A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platfor...
pypi
No PRs yet
NSSF panic due to nil pointer dereference when expiry field is omitted in NSSAIAvailability POST
GHSA-f2hj-vpp9-6vm2 CVE-2025-60638 HIGH 7 days ago
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Nnssf_NSSAIA...
go
No PRs yet
Apache Syncope's AES encryption stores hard-coded passwords in internal database
GHSA-jqg8-m35q-jh7j CVE-2025-65998 HIGH 8 days ago
Apache Syncope can be configured to store the user password values in the internal database with AES encryption, though this is not the default opt...
maven
No PRs yet
thread-amount Vulnerable to Resource Exhaustion (Memory and Handle Leaks) on Windows and macOS
GHSA-jf9p-2fv9-2jp2 CVE-2025-65947 HIGH 10 days ago
Affected versions of this crate contain resource leaks when querying thread counts on Windows and Apple platforms.
### Windows
The `thread_amount`...
cargo
No PRs yet
Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default
GHSA-gmm6-j2g5-r52m CVE-2025-13357 HIGH 11 days ago
Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting...
go
No PRs yet
Minder does not sandbox http.send in Rego programs
GHSA-6xvf-4vh9-mw47 HIGH 11 days ago
### Impact
Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have acces...
go
No PRs yet
authkit-nextjs may let session cookies be cached in CDNs
GHSA-p8pf-44ff-93gf CVE-2025-64762 HIGH 11 days ago
In `authkit-nextjs` version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN cach...
npm
No PRs yet
@anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
GHSA-7mv8-j34q-vp7q CVE-2025-64755 HIGH 11 days ago
Due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host sys...
npm
No PRs yet
vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs
GHSA-pmqf-x6x8-p7qw CVE-2025-62372 HIGH 11 days ago
### Summary
Users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct `ndim` but incorrect `sh...
pypi
No PRs yet
vLLM deserialization vulnerability leading to DoS and potential RCE
GHSA-mrw7-hf4f-83pf CVE-2025-62164 HIGH 11 days ago
### Summary
A memory corruption vulnerability that leads to a crash (denial-of-service) and potentially remote code execution (RCE) exists in vLL...
pypi
No PRs yet
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
GHSA-6qv9-48xg-fc7f CVE-2025-65106 HIGH 11 days ago
## Context
A template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals...
pypi
38 Dependabot PRs
OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter
GHSA-2jm2-2p35-rp3j CVE-2025-65103 HIGH 12 days ago
### Summary
An authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queri...
packagist
No PRs yet
Claude Code vulnerable to command execution prior to startup trust dialog
GHSA-5hhx-v7f6-x7gv CVE-2025-65099 HIGH 12 days ago
When running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins befor...
npm
No PRs yet
esm.sh CDN service has arbitrary file write via tarslip
GHSA-h3mw-4f23-gwpw CVE-2025-65025 HIGH 12 days ago
### Summary
The esm.sh CDN service is vulnerable to a Path Traversal (CWE-22) vulnerability during NPM package tarball extraction.
An attacker ca...
go
No PRs yet
Astro vulnerable to reflected XSS via the server islands feature
GHSA-wrwg-2hg8-v723 CVE-2025-64764 HIGH 12 days ago
## Summary
After some research it appears that it is possible to obtain a reflected XSS when the server islands feature is used in the targeted app...
npm
No PRs yet
Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)
GHSA-v5w9-prxf-w882 HIGH 14 days ago
### Summary
An unauthenticated attacker can exploit the unprotected registration endpoint (/register) to create a new user and bypass authenticatio...
npm
No PRs yet
glob CLI: Command injection via -c/--cmd executes matches with shell:true
GHSA-5j98-mcp5-4vw2 CVE-2025-64756 HIGH 14 days ago
### Summary
The glob CLI contains a command injection vulnerability in its `-c/--cmd` option that allows arbitrary command execution when processi...
npm
900 Dependabot PRs
phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality
GHSA-fxm2-cmwj-qvx4 CVE-2025-62519 HIGH 14 days ago
### Summary
An authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ (v4.0.13 and prior) allows a p...
packagist
No PRs yet
OpenStack Keystone allows /v3/ec2tokens or /v3/s3tokens request with valid AWS Signature to provide Keystone authorization.
GHSA-hcqg-5g63-7j9h CVE-2025-65073 HIGH 15 days ago
OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone ...
pypi
No PRs yet