Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,921 Total Advisories
1,820 With Dependabot PRs
3,520 Critical Severity
8,659 High Severity
Liferay Portal is vulnerable to XSS attack through its search bar portlet
GHSA-x5fw-8xgx-q6c9 CVE-2025-43781 MODERATE 3 months ago
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.110 through 7.4.3.128, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024...
maven
No PRs yet
Liferay Portal is vulnerable to XSS attacks via its remote app title field
GHSA-88g3-pv3w-5wmr CVE-2025-43775 MODERATE 3 months ago
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 t...
maven
No PRs yet
SGLang Remote Code Execution Vulnerability via Unsafe Deserialization in update_weights_from_tensor
GHSA-9w53-xr52-mwgj CVE-2025-10164 MODERATE 3 months ago
A security flaw has been discovered in lmsys sglang 0.4.6. Affected by this vulnerability is the function main of the file /update_weights_from_ten...
pypi
1 Dependabot PR
TinyEnv: Inline comments not stripped properly in .env values
GHSA-72cm-7236-h43r CVE-2025-58759 MODERATE 3 months ago
### Impact
TinyEnv did not properly strip inline comments inside .env values. This could lead to unexpected behavior or misconfiguration, where var...
packagist
No PRs yet
TinyEnv: Missing .env file not required — may cause unexpected behavior
GHSA-3j7m-5g4q-gfpc CVE-2025-58758 MODERATE 3 months ago
### Impact
TinyEnv did not require the `.env` file to exist when loading environment variables.
This could lead to **unexpected behavior** where ...
packagist
No PRs yet
Element Plus Link component (el-link) implements insufficient input validation for the href attribute
GHSA-5m5x-9j46-h678 CVE-2025-57665 MODERATE 3 months ago
Element Plus Link component (el-link) prior to 2.11.0 implements insufficient input validation for the href attribute, creating a security abstract...
npm
No PRs yet
YesWiki Cross Site Scripting vulnerability
GHSA-29cj-cxw4-v4j2 CVE-2025-52277 MODERATE 3 months ago
Cross Site Scripting vulnerability in YesWiki v.4.5.4 allows a remote attacker to execute arbitrary code via a crafted payload to the meta configur...
packagist
No PRs yet
Liferay Portal and Liferay DXP vulnerable to stored Cross-site Scripting
GHSA-rcc7-jx7p-hrv4 CVE-2025-43776 MODERATE 3 months ago
A stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 t...
maven
No PRs yet
copyparty: Sharing a single file does not fully restrict access to other files in source folder
GHSA-pxvw-4w88-6x95 CVE-2025-58753 MODERATE 3 months ago
There was a missing permission-check in the shares feature (the `shr` global-option).
When a share is created for just one file inside a folder, i...
pypi
No PRs yet
TYPO3 backend modules have Broken Access Control
GHSA-2fhw-2j7m-mr4m CVE-2025-59017 MODERATE 3 months ago
Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑...
packagist
No PRs yet
TYPO3 CMS exposes sensitive information in an error message
GHSA-cvm2-5f78-g9m8 CVE-2025-59016 MODERATE 3 months ago
Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 1...
packagist
No PRs yet
TYPO3 CSV download feature information disclosure
GHSA-j8vm-7q52-2m2m CVE-2025-59019 MODERATE 3 months ago
Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend use...
packagist
No PRs yet
TYPO3 CMS has an open‑redirect vulnerability
GHSA-72jf-5fg5-3cw3 CVE-2025-59013 MODERATE 3 months ago
An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 1...
packagist
No PRs yet
TYPO3 Bookmark Toolbar vulnerable to denial of service
GHSA-xrcq-533q-8rxw CVE-2025-59014 MODERATE 3 months ago
An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level bac...
packagist
No PRs yet
TYPO3 CMS uses insufficient entropy when generating passwords
GHSA-p5jq-5383-qvc7 CVE-2025-59015 MODERATE 3 months ago
A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy...
packagist
No PRs yet
Liferay Portal is vulnerable to XSS attack through fieldset name in Kaleo Forms Admin
GHSA-cpg4-qcj8-42gp CVE-2025-43778 MODERATE 3 months ago
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.11, 2025.Q1.0...
maven
No PRs yet
Liferay Portal exposes 500 status when attempting login with a deleted client secret
GHSA-9vwq-j6gq-w9xh CVE-2025-43777 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 20...
maven
No PRs yet
Liferay Portal is vulnerable to SSRF through custom object attachment fields
GHSA-477q-x55m-j38g CVE-2025-43763 MODERATE 3 months ago
A server-side request forgery (SSRF) vulnerability exists in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4....
maven
No PRs yet
Fides Webserver API Rate Limiting Vulnerability in Proxied Environments
GHSA-fq34-xw6c-fphf CVE-2025-57816 MODERATE 3 months ago
### Summary
The Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The sys...
pypi
No PRs yet
SimStudioAI: A function in route.ts is vulnerable to Code Injection
GHSA-g4c9-f287-64xg CVE-2025-10097 MODERATE 3 months ago
A vulnerability was identified in SimStudioAI sim. This impacts an unknown function of the file apps/sim/app/api/function/execute/route.ts. The man...
npm
No PRs yet
sanitize-html is vulnerable to XSS through incomprehensive sanitization
GHSA-qhxp-v273-g94h CVE-2019-25225 MODERATE 3 months ago
`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanit...
npm
No PRs yet
Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data
GHSA-cxvc-g8f2-4gmm CVE-2025-58782 MODERATE 3 months ago
There is a serialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.
This issue affects Apache Ja...
maven
No PRs yet
xgrammar vulnerable to denial of service by huge enum grammar
GHSA-9q5r-wfvf-rr7f CVE-2025-58446 MODERATE 3 months ago
### Summary
The provided grammar would fit in a context window of most of the models, but takes minutes to process in 0.1.23. In testing with 0.1.16 t...
pypi
No PRs yet
secrets-store-sync-controller discloses service account tokens in logs
GHSA-rcw7-pqfp-735x CVE-2025-7445 MODERATE 3 months ago
Hello Kubernetes Community,
A security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs cou...
go
No PRs yet
FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side
GHSA-rrw2-px9j-qffj CVE-2025-58369 MODERATE 3 months ago
### Impact
When establishing a TLS session using `fs2-io` on the JVM using the `fs2.io.net.tls` package, if one side of the connection shuts down w...
maven
No PRs yet
PrestaShop vulnerable to email enumeration
GHSA-8xx5-h6m3-jr33 CVE-2025-51586 MODERATE 3 months ago
### Impact
An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate va...
packagist
No PRs yet
Vaadin Platform possible file bypass via upload validation on the server-side
GHSA-c7v7-rqfm-f44j MODERATE 3 months ago
### Description
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload ...
maven
No PRs yet
Vaadin Flow Components possible file bypass via upload validation on the server-side
GHSA-94g8-xv23-7656 MODERATE 3 months ago
### Description
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload ...
maven
No PRs yet
Vaadin Framework possible file bypass via upload validation on the server-side
GHSA-9gfh-4fwj-w3rj CVE-2025-9467 MODERATE 3 months ago
### Description
When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload ...
maven
No PRs yet
Memos Vulnerable to Stored Cross-Site Scripting
GHSA-cgrg-86m5-xm4w CVE-2025-56761 MODERATE 3 months ago
Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not ver...
go
No PRs yet
Memos Vulnerable to Path Traversal via the CreateResource Endpoint
GHSA-78j5-8vq7-jxv5 CVE-2025-56760 MODERATE 3 months ago
When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal s...
go
No PRs yet
Mautic Vulnerable to User Enumeration via Response Timing
GHSA-3ggv-qwcp-j6xg CVE-2025-9824 MODERATE 3 months ago
### Impact
The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid use...
packagist
No PRs yet
Mautic vulnerable to reflected XSS in lead:addLeadTags - Quick Add
GHSA-9v8p-m85m-f7mm CVE-2025-9823 MODERATE 3 months ago
## Summary
A Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session....
packagist
No PRs yet
Mautic vulnerable to secret data extraction via elfinder
GHSA-438m-6mhw-hq5w CVE-2025-9822 MODERATE 3 months ago
### Summary
_A user with administrator rights can change the configuration of the mautic application and extract secrets that are not normally avai...
packagist
No PRs yet
frost-core: refresh shares with smaller min_signers will reduce security of group
GHSA-wgq8-vr6r-mqxm CVE-2025-58359 MODERATE 3 months ago
### Impact
It was not clear that it is not possible to change `min_signers` (i.e. the threshold) with the refresh share functionality (`frost_core...
cargo
No PRs yet
Electron has ASAR Integrity Bypass via resource modification
GHSA-vmqv-hx8q-j7mg CVE-2025-55305 MODERATE 3 months ago
### Impact
This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs...
npm
No PRs yet
Netty's decoders vulnerable to DoS via zip bomb style attack
GHSA-3p8m-j85q-pgmj CVE-2025-58057 MODERATE 3 months ago
### Summary
With specially crafted input, `BrotliDecoder` and some other decompressing decoders will allocate a large number of reachable byte buf...
maven
5 Dependabot PRs
Jenkins OpenTelemetry Plugin missing permission check allows capturing credentials
GHSA-f696-867g-2759 CVE-2025-58460 MODERATE 3 months ago
A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to conn...
maven
No PRs yet
Jenkins global-build-stats Plugin missing permission check can result in graph IDs being enumerated
GHSA-gm8g-fh49-qq6v CVE-2025-58459 MODERATE 3 months ago
Jenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers w...
maven
No PRs yet
Jenkins Git client Plugin file system information disclosure vulnerability
GHSA-g2pq-9jr7-w6gv CVE-2025-58458 MODERATE 3 months ago
In Jenkins Git client Plugin 6.3.2 and earlier, Git URL field form validation responses differ based on whether the specified file path exists on t...
maven
No PRs yet
ArrayQueue's push_front is not panic-safe
GHSA-xqjr-wfx3-gmxv MODERATE 3 months ago
The safe API `array_queue::ArrayQueue::push_front` can lead to deallocating uninitialized memory if a panic occurs while invoking the `clone` metho...
cargo
No PRs yet
MobSF Vulnerable to Arbitrary File Write (AR-Slip) via Absolute Path in .a Extraction
GHSA-9gh8-9r95-3fc3 CVE-2025-58162 MODERATE 3 months ago
### Summary
The vulnerability allows any user to overwrite any files available under the account privileges of the running process.
### Details
As...
pypi
No PRs yet
Local Deep Research's API keys are stored in plain text
GHSA-4h8c-qrcq-cv5c CVE-2025-57806 MODERATE 3 months ago
**Affected Versions:** > 0.2.0 and < 1.0.0
**Patched Versions:** >= 1.0.0
**Description:**
The library stored confidential information, including...
pypi
No PRs yet
Silverpeas Core Username Enumeration Vulnerability
GHSA-cv2m-5pfp-f245 CVE-2025-46047 MODERATE 3 months ago
A user enumeration vulnerability in the /CredentialsServlet/ForgotPassword endpoint in Silverpeas 6.4.1 and 6.4.2 allows remote attackers to determ...
maven
No PRs yet
Next.js Affected by Cache Key Confusion for Image Optimization API Routes
GHSA-g5qg-72qw-gw5v CVE-2025-57752 MODERATE 3 months ago
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request he...
npm
No PRs yet
Next.js Content Injection Vulnerability for Image Optimization
GHSA-xv57-4mr9-wg8v CVE-2025-55173 MODERATE 3 months ago
A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external im...
npm
No PRs yet
Next.js Improper Middleware Redirect Handling Leads to SSRF
GHSA-4342-x723-ch2f CVE-2025-57822 MODERATE 3 months ago
A vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly pas...
npm
No PRs yet
Liferay Portal allows improper access through the expandoTableLocalService
GHSA-876g-49r6-33qj CVE-2025-43773 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 20...
maven
No PRs yet
webp crate may expose memory contents when encoding an image
GHSA-9q78-27f3-2jmh MODERATE 3 months ago
Affected versions of this crate did not check that the input slice passed to `webp::Encoder::encode()` is large enough for the specified image dim...
cargo
No PRs yet
github.com/gorilla/csrf improperly validates TrustedOrigins allowing CSRF attacks
GHSA-82ff-hg59-8x73 CVE-2025-47909 MODERATE 3 months ago
Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks.
Afte...
go
No PRs yet