Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,784 total advisories · 1,790 with Dependabot PRs · 3,506 critical severity · 8,617 high severity
willitmerge has a Command Injection vulnerability
GHSA-j9wj-m24m-7jj6 MODERATE about 8 hours ago
willitmerge describes itself as a command line tool to check if pull requests are mergeable. There is a Command Injection vulnerability in version ...
npm
No PRs yet
node-forge is vulnerable to ASN.1 OID Integer Truncation
GHSA-65ch-62r8-g69g CVE-2025-66030 MODERATE about 8 hours ago
### Summary
**MITRE-Formatted CVE Description**
An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 and below enables remote,...
npm
536 Dependabot PRs
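The node-forge entry above is a CWE-190 case in OID decoding. The following is an added illustration of that bug class, not node-forge's own code: a DER OID decoder that accumulates each base-128 arc with JavaScript's 32-bit bitwise operators, beside one that uses BigInt and rejects non-minimal encodings. The two sample encodings are constructed for this example; the second one carries an arc of 2^32 + 5, which the naive decoder silently truncates so that two distinct OIDs render as the same string.

```javascript
// Added illustration (not node-forge's code) of how a DER OID decoder can
// silently truncate large sub-identifiers. Each arc is base-128 encoded,
// high bit set on every byte but the last. `decodeOidNaive` accumulates
// with JavaScript's 32-bit bitwise operators, so an arc wider than 32 bits
// wraps around; `decodeOidStrict` uses BigInt and rejects non-minimal
// encodings, so distinct OIDs can never collapse into the same string.

function splitArcs(bytes) {
  // Group content octets into arcs: an arc ends at the first byte whose
  // high bit is clear. A trailing byte with the high bit set is truncated.
  const arcs = [];
  let cur = [];
  for (const b of bytes) {
    cur.push(b);
    if ((b & 0x80) === 0) {
      arcs.push(cur);
      cur = [];
    }
  }
  if (cur.length !== 0) throw new Error('truncated sub-identifier');
  return arcs;
}

// The first encoded value packs the first two arcs as 40*X + Y.
function formatOid(values) {
  const v = values.map((n) => BigInt(n));
  const first = v[0];
  const lead = first < 80n ? [first / 40n, first % 40n] : [2n, first - 80n];
  return [...lead, ...v.slice(1)].map(String).join('.');
}

// Vulnerable pattern: `<<` and `|` coerce to a signed 32-bit integer, so
// bits above 31 are discarded without any error.
function decodeOidNaive(bytes) {
  const values = splitArcs(bytes).map((arc) => {
    let acc = 0;
    for (const b of arc) acc = (acc << 7) | (b & 0x7f);
    return acc;
  });
  return formatOid(values);
}

// Hardened: arbitrary precision, and a leading 0x80 byte (which encodes
// zero bits) is rejected because DER requires the minimal encoding.
function decodeOidStrict(bytes) {
  const values = splitArcs(bytes).map((arc) => {
    if (arc.length > 1 && arc[0] === 0x80) throw new Error('non-minimal sub-identifier');
    let acc = 0n;
    for (const b of arc) acc = (acc << 7n) | BigInt(b & 0x7f);
    return acc;
  });
  return formatOid(values);
}

// Constructed inputs. The first is sha256WithRSAEncryption; the second is
// 1.2.4294967301, whose last arc is 2^32 + 5, encoded as 90 80 80 80 05.
const OID_SHA256_WITH_RSA = [0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b];
const OID_WIDE_ARC = [0x2a, 0x90, 0x80, 0x80, 0x80, 0x05];

console.log(decodeOidNaive(OID_WIDE_ARC));  // 1.2.5  (truncated)
console.log(decodeOidStrict(OID_WIDE_ARC)); // 1.2.4294967301
```

The practical risk of the naive form is identifier confusion: a crafted certificate or signature can carry an OID that a strict parser rejects or treats as unknown while the truncating parser maps it onto a well-known algorithm or extension OID.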
REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]
GHSA-x6vr-q3vf-vqgq CVE-2025-66026 MODERATE 1 day ago
### Summary
A reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter `args[types]` is rendered...
packagist
No PRs yet
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation
GHSA-675q-66gf-gqg8 MODERATE 1 day ago
### Summary
During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter ...
npm
No PRs yet
Contao is vulnerable to remote code execution in template closures
GHSA-98vj-mm79-v77r CVE-2025-65960 MODERATE 1 day ago
### Impact
Backend users with precise control over the contents of template closures can execute arbitrary PHP functions that do not have required...
packagist
No PRs yet
GeoServer has a Reflected Cross-Site Scripting (XSS) vulnerability in its WMS GetFeatureInfo HTML format
GHSA-w66h-j855-qr72 CVE-2025-21621 MODERATE 1 day ago
### Summary
A reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker...
maven
No PRs yet
Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization
GHSA-93vm-mqpw-8wh3 CVE-2025-13467 MODERATE 1 day ago
A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deseriali...
maven
No PRs yet
REDAXO CMS is vulnerable to XSS through its module management component
GHSA-vqc7-7fj4-3fm3 CVE-2025-64049 MODERATE 1 day ago
A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary w...
packagist
No PRs yet
body-parser is vulnerable to denial of service when url encoding is used
GHSA-wqch-xfxh-vrr4 CVE-2025-13466 MODERATE 1 day ago
### Impact
body-parser 2.2.0 is vulnerable to denial of service due to inefficient handling of URL-encoded bodies with very large numbers of param...
npm
279 Dependabot PRs
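The body-parser entry above describes a denial of service from bodies carrying very large numbers of URL-encoded parameters. The following is an added example, not body-parser's code: a minimal URL-encoded parser that counts parameters in one linear pass and rejects the body with a 413 before decoding or allocating anything per parameter. The limit mirrors the `parameterLimit` option of body-parser's `urlencoded()` middleware (default 1000); the two sample bodies are constructed.

```javascript
// Added illustration, not body-parser's code: a URL-encoded body parser that
// enforces a parameter-count limit *before* it allocates anything per
// parameter. `DEFAULT_PARAMETER_LIMIT` matches body-parser's documented
// default for `urlencoded({ parameterLimit })`.

const DEFAULT_PARAMETER_LIMIT = 1000;

// One linear pass over the raw string: counting '&' is the cheapest work we
// can do and lets us fail fast with a 413 instead of decoding a flood.
function countParameters(body) {
  let count = 1;
  for (let i = 0; i < body.length; i++) {
    if (body.charCodeAt(i) === 0x26 /* '&' */) count++;
  }
  return count;
}

function decodeComponent(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s; // leave a malformed escape as-is rather than aborting the whole body
  }
}

function parseUrlEncoded(body, { parameterLimit = DEFAULT_PARAMETER_LIMIT } = {}) {
  if (typeof body !== 'string') throw new TypeError('body must be a string');
  if (!Number.isInteger(parameterLimit) || parameterLimit < 1) {
    throw new TypeError('parameterLimit must be a positive integer');
  }
  const count = countParameters(body);
  if (count > parameterLimit) {
    const err = new Error(`too many parameters (${count} > ${parameterLimit})`);
    err.status = 413;
    throw err;
  }
  // Null-prototype object: a key of "__proto__" becomes an own property
  // instead of reaching Object.prototype.
  const params = Object.create(null);
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decodeComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = eq === -1 ? '' : decodeComponent(pair.slice(eq + 1));
    if (key in params) {
      params[key] = [].concat(params[key], value); // repeated key -> array
    } else {
      params[key] = value;
    }
  }
  return params;
}

// Constructed inputs: a normal form post and a 5,000-parameter flood.
const NORMAL_BODY = 'user=alice&role=viewer&tag=a&tag=b';
const FLOOD_BODY = Array.from({ length: 5000 }, (_, i) => `p${i}=1`).join('&');

console.log(parseUrlEncoded(NORMAL_BODY));
try {
  parseUrlEncoded(FLOOD_BODY);
} catch (e) {
  console.log(e.status, e.message); // 413 too many parameters (5000 > 1000)
}
```

The ordering matters: the count runs over the raw bytes already in memory, so a request that is within the body size limit but abuses parameter count costs one scan and one rejected response rather than thousands of decode and insert operations.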
Babylon's BIP322 signature implementation is not fully compliant to the spec
GHSA-xq4h-wqm2-668w MODERATE 2 days ago
### Summary
The BIP-322 signature verification does not enforce the SIGHASH value to be SIGHASH_ALL, and therefore is not strictly following the [...
go
No PRs yet
pypdf's LZWDecode streams can be manipulated to exhaust RAM
GHSA-m449-cwjh-6pw7 MODERATE 2 days ago
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing t...
pypi
No PRs yet
Formwork CMS has Stored Cross-Site Scripting Vulnerability in Blog Tags
GHSA-7j46-f57w-76pj CVE-2025-65956 MODERATE 2 days ago
### Summary
Inserting unsanitized data into the blog tag field in Formwork CMS results in stored cross‑site scripting (XSS).
Any user with credenti...
packagist
No PRs yet
Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`
GHSA-6465-jgvq-jhgp CVE-2025-65944 MODERATE 2 days ago
### Impact
When a Node.js application using the Sentry SDK has `sendDefaultPii: true` it is possible to inadvertently send certain sensitive HTTP h...
npm
No PRs yet
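The Sentry entry above concerns sensitive request headers reaching the event payload when `sendDefaultPii` is `true`. Upgrading the SDK is the fix; as defence in depth, the following added example (not part of the Sentry SDK) shows a `beforeSend`-style hook that redacts credential-bearing headers before an event leaves the process. It assumes the event shape `event.request.headers` as a plain object; the sample event is constructed.

```javascript
// Added example, not part of the Sentry SDK: a hook usable as
// Sentry.init({ sendDefaultPii: true, beforeSend: scrubEvent }) that redacts
// credential-bearing headers. Event shape assumed: event.request.headers.

const SENSITIVE_HEADER_NAMES = new Set([
  'authorization',
  'proxy-authorization',
  'cookie',
  'set-cookie',
  'x-api-key',
  'x-auth-token',
  'x-csrf-token',
]);
// Catch custom headers too: anything that looks like it carries a credential.
const SENSITIVE_HEADER_PATTERN = /token|secret|password|session|auth/i;

function isSensitiveHeader(name) {
  const n = String(name).toLowerCase();
  return SENSITIVE_HEADER_NAMES.has(n) || SENSITIVE_HEADER_PATTERN.test(n);
}

function scrubHeaders(headers) {
  if (!headers || typeof headers !== 'object') return headers;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = isSensitiveHeader(name) ? '[Filtered]' : value;
  }
  return out;
}

// Returns a new event; never mutates the one passed in, so the scrubbed copy
// is what gets serialized and sent.
function scrubEvent(event) {
  if (!event || !event.request || !event.request.headers) return event;
  return {
    ...event,
    request: { ...event.request, headers: scrubHeaders(event.request.headers) },
  };
}

// Constructed sample event resembling what the SDK builds for a request error.
const SAMPLE_EVENT = {
  message: 'unhandled error in /api/orders',
  request: {
    url: 'https://app.example/api/orders',
    method: 'GET',
    headers: {
      Host: 'app.example',
      'User-Agent': 'curl/8.5.0',
      'X-Request-Id': 'req-0001',
      Authorization: 'Bearer constructed-token',
      Cookie: 'session=constructed-session-id',
      'X-Internal-Secret': 'constructed',
    },
  },
};

console.log(scrubEvent(SAMPLE_EVENT).request.headers);
```

A deny-list is the right shape here because the harm is asymmetric: a header that slips through the pattern leaks a credential to a third party, while an over-eager match only costs some debugging context.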
Free5GC is vulnerable to DoS via the Nudm_SubscriberDataManagement API
GHSA-3j9f-7w24-pcqg CVE-2025-60633 MODERATE 2 days ago
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via the Nudm_SubscriberDataManagement API.
go
No PRs yet
Free5GC is vulnerable to DoS through its Npcf_BDTPolicyControl POST API
GHSA-vgq7-9r5r-j9v3 CVE-2025-60632 MODERATE 2 days ago
An issue was discovered in Free5GC v4.0.0 and v4.0.1 allowing an attacker to cause a denial of service via crafted POST request to the Npcf_BDTPoli...
go
No PRs yet
MLX has Wild Pointer Dereference in load_gguf()
GHSA-j842-xgm4-wf88 CVE-2025-62609 MODERATE 6 days ago
## Summary
Segmentation fault in `mlx::core::load_gguf()` when loading malicious GGUF files. Untrusted pointer from external gguflib library is de...
pypi
No PRs yet
MLX has heap-buffer-overflow in load()
GHSA-w6vg-jg77-2qg6 CVE-2025-62608 MODERATE 6 days ago
## Summary
Heap buffer overflow in `mlx::core::load()` when parsing malicious NumPy `.npy` files. Attacker-controlled file causes 13-byte out-of-b...
pypi
No PRs yet
OpenFGA Improper Policy Enforcement
GHSA-2c64-vmv2-hgfc CVE-2025-64751 MODERATE 6 days ago
### Overview
OpenFGA v1.4.0 to v1.11.0 (openfga-0.1.34 <= Helm chart <= openfga-0.2.48, v.1.4.0 <= docker <= v.1.11.0) are vulnerable to improper ...
go
No PRs yet
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage
GHSA-3mm3-wfpv-q85g CVE-2025-63700 MODERATE 6 days ago
An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verifi...
npm
No PRs yet
vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`
GHSA-69j4-grxj-j64p CVE-2025-62426 MODERATE 6 days ago
### Summary
The /v1/chat/completions and /tokenize endpoints allow a `chat_template_kwargs` request parameter that is used in the code before it is...
pypi
No PRs yet
zx Uses Incorrectly-Resolved Name or Reference
GHSA-w87r-vg9q-crqm CVE-2025-13437 MODERATE 6 days ago
When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error...
npm
No PRs yet
Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow
GHSA-8x9v-8qgj-945x CVE-2025-64027 MODERATE 6 days ago
Snipe-IT v8.3.4 (build 20218) contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is...
packagist
No PRs yet
phppgadmin contains an incorrect access control vulnerability
GHSA-r63p-v37q-g74c CVE-2025-60799 MODERATE 7 days ago
phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized man...
packagist
No PRs yet
phppgadmin contains a SQL injection vulnerability
GHSA-g6xh-wrpf-v6j6 CVE-2025-60798 MODERATE 7 days ago
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from ...
packagist
No PRs yet
@perfood/couch-auth may expose session tokens, passwords
GHSA-62vx-hpcr-m9ch CVE-2025-60794 MODERATE 7 days ago
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts li...
npm
No PRs yet
phppgadmin contains a SQL injection vulnerability
GHSA-927w-vq5c-8gc3 CVE-2025-60797 MODERATE 7 days ago
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied...
packagist
No PRs yet
golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read
GHSA-f6x5-jh6r-wrfv CVE-2025-47914 MODERATE 7 days ago
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message i...
go
No PRs yet
golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption
GHSA-j5w8-q4qc-rx2x CVE-2025-58181 MODERATE 7 days ago
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause...
go
1 Dependabot PR
esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
GHSA-hcpf-qv9m-vfgp CVE-2025-65026 MODERATE 7 days ago
### Summary
The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature....
go
No PRs yet
Astro Cloudflare adapter has Stored Cross Site Scripting vulnerability in /_image endpoint
GHSA-fvmw-cj7j-j39q CVE-2025-65019 MODERATE 7 days ago
**Summary**
A Cross-Site Scripting (XSS) vulnerability exists in Astro when using the **@astrojs/cloudflare** adapter with `output: 'server'`. Th...
npm
No PRs yet
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
GHSA-ggxq-hp9w-j794 CVE-2025-64765 MODERATE 7 days ago
A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validati...
npm
No PRs yet
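The Astro entry above is a normalization mismatch: the router resolves the path one way, the middleware compares the raw `url.pathname` another way. The following is an added illustration of that class, not Astro's code: a naive prefix check on the raw pathname beside one that percent-decodes and resolves dot segments the way a router typically does, and fails closed on paths it cannot decode. The sample paths and the `/admin` prefix are constructed for this example.

```javascript
// Added illustration of the routing/middleware mismatch; not Astro's code.
// Both functions take the raw `pathname` string a middleware would read from
// the request URL. `naiveIsProtected` compares it as-is, so a percent-encoded
// letter or a dot segment that the router later resolves never matches.
// `hardenedIsProtected` normalizes first and fails closed on undecodable input.

function naiveIsProtected(pathname) {
  return pathname.startsWith('/admin');
}

// Percent-decode once, then resolve "." and ".." segments and collapse
// duplicate slashes. Returns null for paths that cannot be normalized.
function normalizePath(pathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch (e) {
    return null; // malformed escape such as "%zz"
  }
  if (decoded.includes('\0')) return null;
  const segments = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      segments.pop();
      continue;
    }
    segments.push(seg);
  }
  return '/' + segments.join('/');
}

function hardenedIsProtected(pathname, prefix = '/admin') {
  const p = normalizePath(pathname);
  if (p === null) return true; // fail closed: an undecodable path is treated as protected
  // Exact match or a true sub-path; "/adminx" must not count.
  return p === prefix || p.startsWith(prefix + '/');
}

// Constructed request paths exercising the difference.
const SAMPLE_PATHS = [
  '/admin/users',                 // plain: both agree
  '/%61dmin/users',               // 'a' percent-encoded: naive misses it
  '/public/%2e%2e/admin/users',   // encoded dot-dot segment: naive misses it
  '/adminx/profile',              // prefix-only match: naive over-matches
  '/%zz',                         // undecodable: hardened fails closed
];

function compare(paths) {
  return paths.map((p) => ({
    path: p,
    naive: naiveIsProtected(p),
    hardened: hardenedIsProtected(p),
  }));
}

console.table(compare(SAMPLE_PATHS));
```

The durable fix is to make the authorization check consume the same normalized path the router uses (or to attach the decision to the matched route rather than to the URL string); the normalizer here stands in for that shared step.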
authentik's invitation expiry is delayed by at least 5 minutes
GHSA-ch7q-53v8-73pc CVE-2025-64708 MODERATE 7 days ago
### Summary
In previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background ta...
go
No PRs yet
authentik allows a deactivated Service account to authenticate to OAuth
GHSA-xr73-jq5p-ch8r CVE-2025-64521 MODERATE 8 days ago
### Summary
When authenticating with `client_id` and `client_secret` to an OAuth provider, authentik creates a service account for the provider. I...
go
No PRs yet
MongoDB driver extension affected by mongoc_bulk_operation_t's read of invalid memory
GHSA-mwcc-7vpp-xmv9 CVE-2025-12119 MODERATE 8 days ago
A mongoc_bulk_operation_t may read invalid memory if large options are passed.
packagist
No PRs yet
XWiki view file macro: User can view content of office file without view rights on the attachment
GHSA-8c52-x9w7-vc95 CVE-2025-65089 MODERATE 8 days ago
### Summary
A user with no view rights on a page may see the content of an office attachment displayed with the view file macro.
### Details
If on...
maven
No PRs yet
LibreNMS is vulnerable to SQL Injection (Boolean-Based Blind) in hostname parameter in ajax_output.php endpoint
GHSA-6pmj-xjxp-p8g9 CVE-2025-65093 MODERATE 8 days ago
## Summary
A **Boolean-Based Blind SQL Injection** vulnerability was identified in the LibreNMS application at the `/ajax_output.php` endpoint. Th...
packagist
No PRs yet
Backdrop CMS Host Header Injection vulnerability
GHSA-ffpg-gm3h-4p5p CVE-2025-63828 MODERATE 8 days ago
Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to re...
packagist
No PRs yet
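The Backdrop entry above is Host header poisoning of password-reset links. The following is an added illustration of the pattern, not Backdrop's code: a link generator that takes its origin from the request's Host header, beside one that uses the configured canonical base URL and honours Host only when it is on an explicit allow-list. The request objects, configuration and the `/user/password/reset/` path are constructed for this example.

```javascript
// Added illustration of Host-header-driven password-reset poisoning; this is
// not Backdrop's code and the request objects are constructed. The attacker
// requests a reset for the victim's address but sends a Host header of their
// own domain; a generator that trusts Host mails the victim a link that
// delivers the token to the attacker when clicked.

const RESET_PATH = '/user/password/reset/'; // hypothetical path for this example

// Vulnerable: origin comes straight from attacker-controlled request headers.
function vulnerableResetUrl(req, token) {
  const proto = req.headers['x-forwarded-proto'] || 'https';
  return `${proto}://${req.headers.host}${RESET_PATH}${token}`;
}

// Hardened: the origin is the configured canonical base URL; Host is only
// honoured when it matches the canonical host or an explicit allow-list
// (for sites legitimately served under several names). Anything else is
// ignored, never echoed.
function safeResetUrl(req, token, config) {
  const base = new URL(config.baseUrl);
  const allowedHosts = new Set(
    [base.host, ...(config.trustedHosts || [])].map((h) => h.toLowerCase()),
  );
  const requestHost = String(req.headers.host || '').toLowerCase();
  const origin = allowedHosts.has(requestHost)
    ? `${base.protocol}//${requestHost}`
    : base.origin;
  return `${origin}${RESET_PATH}${encodeURIComponent(token)}`;
}

// Constructed requests and configuration.
const FORGED_REQUEST = { headers: { host: 'attacker.example', 'x-forwarded-proto': 'http' } };
const NORMAL_REQUEST = { headers: { host: 'CMS.example' } };
const CONFIG = { baseUrl: 'https://cms.example', trustedHosts: ['www.cms.example'] };

console.log(vulnerableResetUrl(FORGED_REQUEST, 'constructed-token'));
console.log(safeResetUrl(FORGED_REQUEST, 'constructed-token', CONFIG));
```

The same rule applies to any absolute URL the application emails or embeds (verification links, invitation links, canonical tags): derive the origin from configuration, and treat `Host` and `X-Forwarded-*` as untrusted input unless a trusted proxy sets them and the application checks them against an allow-list.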
Drupal core allows Object Injection
GHSA-m6vv-vcj8-w8m7 CVE-2025-13081 MODERATE 8 days ago
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This is...
packagist
No PRs yet
Drupal Email TFA allows Functionality Bypass
GHSA-9jrw-jrrj-p6fr CVE-2025-12760 MODERATE 8 days ago
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TF...
packagist
No PRs yet
LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`
GHSA-j8cq-7f6p-256x CVE-2025-65013 MODERATE 8 days ago
## Summary
A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the LibreNMS application at the `/maps/nodeimage` endpoint. The ...
packagist
No PRs yet
Kirby CMS has cross-site scripting (XSS) in the changes dialog
GHSA-84hf-8gh5-575j CVE-2025-65012 MODERATE 9 days ago
### TL;DR
This vulnerability affects all Kirby 5 sites that might have potential attackers in the group of authenticated Panel users or that allow...
packagist
No PRs yet
XWiki AdminTools application doesn't set permissions on the AdminTools space
GHSA-v7r8-8p5c-h4xw CVE-2025-54990 MODERATE 9 days ago
### Impact
Users without admin rights have access to `AdminTools.SpammedPages`.
### Details
View rights are not restricted only to admin users f...
maven
No PRs yet
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message
GHSA-7xvh-c266-cfr5 CVE-2025-64758 MODERATE 10 days ago
### Description
Since version 4.12.0, Dependency-Track users with the `SYSTEM_CONFIGURATION` permission can configure a "welcome message", which i...
npm
No PRs yet
lsFusion Platform has Path Traversal vulnerability
GHSA-gwwr-j923-vq7r CVE-2025-13262 MODERATE 10 days ago
A vulnerability was determined in lsfusion platform up to 6.1. Affected by this vulnerability is the function UploadFileRequestHandler of the file ...
maven
No PRs yet
vlife-base has Path Traversal vulnerability
GHSA-cg6m-9276-qpjj CVE-2025-13266 MODERATE 10 days ago
A security vulnerability has been detected in wwwlike vlife up to 2.0.1. This issue affects the function create of the file vlife-base/src/main/jav...
maven
No PRs yet
lsFusion Server is vulnerable to Path Traversal through its unpackFile function
GHSA-8wf8-frjg-xv74 CVE-2025-13265 MODERATE 10 days ago
A weakness has been identified in lsfusion platform up to 6.1. This vulnerability affects the function unpackFile of the file server/src/main/java/...
maven
No PRs yet
lsFusion Platform has Path Traversal vulnerability
GHSA-5jpg-2rj5-964c CVE-2025-13261 MODERATE 10 days ago
A vulnerability was found in lsfusion platform up to 6.1. Affected is the function DownloadFileRequestHandler of the file web-client/src/main/java/...
maven
No PRs yet
Directus is Vulnerable to Stored Cross-site Scripting
GHSA-vv2v-pw69-8crf CVE-2025-64747 MODERATE 12 days ago
### Summary
A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject m...
npm
No PRs yet
Directus has Improper Permission Handling on Deleted Fields
GHSA-9x5g-62gj-wqf2 CVE-2025-64746 MODERATE 12 days ago
### Summary
Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later...
npm
No PRs yet
Shopware 6's password recovery link does not expire after email change
GHSA-2w46-vq8h-98vh MODERATE 12 days ago
### Summary
When a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email)...
packagist
No PRs yet