An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total advisories: 24,785
With Dependabot PRs: 1,792
Critical severity: 3,506
High severity: 8,617

Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
GHSA-p543-xpfm-54cp CVE-2025-61770 HIGH about 2 months ago
## Summary `Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit....
rubygems
21 Dependabot PRs (14% merged)
vLLM is vulnerable to timing attack at bearer auth
GHSA-wr9h-g72x-mwhm CVE-2025-59425 HIGH about 2 months ago
### Summary The API key support in vLLM performed validation using a method that was vulnerable to a timing attack. This could potentially allow an...
pypi
No PRs yet
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
GHSA-mm7p-fcc7-pg87 CVE-2025-13033 MODERATE about 2 months ago
The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extra...
npm
No PRs yet
python-socketio vulnerable to arbitrary Python code execution (RCE) through malicious pickle deserialization in certain multi-server deployments
GHSA-g8c6-8fjj-2r4m CVE-2025-61765 MODERATE about 2 months ago
### Summary A remote code execution vulnerability in python-socketio versions prior to 5.14.0 allows attackers to execute arbitrary Python code thr...
pypi
No PRs yet
pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding
GHSA-rj3r-r7hh-jxfq CVE-2025-11362 HIGH about 2 months ago
Versions of the package pdfmake from 0.3.0-beta.1 to before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling vi...
npm
No PRs yet
Liferay Profile Widget does not prevent vCard extension spoofing
GHSA-pfxj-gvqg-mj44 CVE-2025-43824 MODERATE about 2 months ago
The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3....
maven
No PRs yet
SillyTavern Web Interface Vulnerable DNS Rebinding
GHSA-7cxj-w27x-x78q CVE-2025-59159 CRITICAL about 2 months ago
### Summary The web UI for SillyTavern is susceptible to DNS rebinding, allowing attackers to perform actions like install malicious extensions, re...
npm
No PRs yet
Litestar X-Forwarded-For Header Spoofing Vulnerability Enables Rate Limit Evasion
GHSA-hm36-ffrh-c77c CVE-2025-59152 HIGH about 2 months ago
While testing Litestar's RateLimitMiddleware, I discovered that rate limits can be completely bypassed by manipulating the X-Forwarded-For header. ...
pypi
No PRs yet
XWiki Platform is vulnerable to HQL injection via wiki and space search REST API
GHSA-gprp-h92g-gc2h CVE-2025-52472 CRITICAL about 2 months ago
### Impact The REST search URL is vulnerable to HQL injection via the `orderField` parameter. The specified value is added twice in the query, tho...
maven
No PRs yet
LangChain Text Splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing
GHSA-m42m-m8cr-8m58 CVE-2025-6985 HIGH about 2 months ago
The HTMLSectionSplitter class in langchain-text-splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing. This vulne...
pypi
No PRs yet
XWiki OIDC Authenticator: Users with "view" access can create tokens for any users they can view
GHSA-f2hf-pfrj-vrm7 CVE-2025-49594 CRITICAL about 2 months ago
### Impact Anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authent...
maven
No PRs yet
Flowise vulnerable to RCE via Dynamic function constructor injection
GHSA-hmgh-466j-fx4c CVE-2025-55346 CRITICAL about 2 months ago
### Summary User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing a malicious actor to run JS code in...
npm
No PRs yet
NovoSGA: Manipulation of User Creation Page can lead to weak password requirements
GHSA-xgr2-5837-hf48 CVE-2025-11322 LOW about 2 months ago
A flaw has been found in Mangati NovoSGA up to 2.2.12. The impacted element is an unknown function of the file /novosga.users/new of the component ...
packagist
No PRs yet
clearml is vulnerable to Path Traversal through its `safe_extract` function
GHSA-579p-qf78-fqm2 CVE-2025-8917 MODERATE about 2 months ago
A vulnerability in clearml versions before 2.0.2 allows for path traversal due to improper handling of symbolic and hard links in the `safe_extract...
pypi
No PRs yet
ZenML is vulnerable to Path Traversal through its `PathMaterializer` class
GHSA-q92x-2x5g-h365 CVE-2025-8406 MODERATE about 2 months ago
ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_direct...
pypi
No PRs yet
MCPHub has an Improper Authorization vulnerability via its handleSseConnection function
GHSA-v7c4-33vf-cqqq CVE-2025-11287 MODERATE about 2 months ago
A vulnerability was identified in samanhappy MCPHub up to 0.9.10. This vulnerability affects the function handleSseConnection of the file src/servi...
npm
No PRs yet
MCPHub's ServerController is vulnerable to Command Injection
GHSA-5q2p-3jg8-2m98 CVE-2025-11285 LOW about 2 months ago
A vulnerability was found in samanhappy MCPHub up to 0.9.10. Affected by this issue is some unknown functionality of the file src/controllers/serve...
npm
No PRs yet
Liferay Portal exposes sensitive user data through its Freemarker template
GHSA-rggc-gf6w-9q73 CVE-2025-43825 MODERATE about 2 months ago
A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 thro...
maven
No PRs yet
Flowise Stored XSS vulnerability through logs in chatbot
GHSA-7r4h-vmj9-wg42 CVE-2025-29192 MODERATE about 2 months ago
### Description In the chat log, tags like input and form are allowed. This makes a potential vulnerability where an attacker could inject maliciou...
npm
No PRs yet
Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
GHSA-964p-j4gg-mhwc CVE-2025-50538 CRITICAL about 2 months ago
### Summary A stored Cross-Site Scripting (XSS) vulnerability in FlowiseAI allows a user to inject arbitrary JavaScript code via message input. Whe...
npm
No PRs yet
Flowise vulnerable to XSS
GHSA-4fr9-3x69-36wv MODERATE about 2 months ago
### Summary An XSS (cross-site scripting) vulnerability is caused by insufficient filtering of input by web applications. Attackers can leverage this...
npm
No PRs yet
wrflib has a soundness issue and is unmaintained
GHSA-466c-pfvv-v83g LOW about 2 months ago
All functions under `wrflib::byte_extract` are simply wrappers of unsafe pointer offset and lack sufficient checks on their pointer and offset paramet...
cargo
No PRs yet
NiceGUI has a Reflected XSS
GHSA-8c95-hpq2-w46f CVE-2025-53354 MODERATE about 2 months ago
### Summary A Cross-Site Scripting (XSS) risk exists in NiceGUI when developers render unescaped user input into the DOM using `ui.html()`. Before...
pypi
No PRs yet
phpMyFAQ duplicate email registration allows multiple accounts with the same email
GHSA-9wj2-4hcm-r74j CVE-2025-59943 HIGH about 2 months ago
### Summary phpMyFAQ does not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created ...
packagist
No PRs yet
Claude Code permission deny bypass through symlink
GHSA-66m2-gx93-v996 CVE-2025-59829 LOW about 2 months ago
Claude Code failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude...
npm
No PRs yet
Claude Code can execute commands prior to the startup trust dialog
GHSA-4fgq-fpq9-mr3g CVE-2025-59536 HIGH about 2 months ago
Due to a bug in the startup trust dialog implementation, Claude Code could be tricked to execute code contained in a project before the user accept...
npm
No PRs yet
Canonical LXD CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI
GHSA-p8hw-rfjg-689h CVE-2025-54286 HIGH about 2 months ago
### Description OIDC authentication uses cookies with the SameSite=Strict attribute, preventing cookies from being sent with requests from other si...
go
No PRs yet
Canonical LXD Arbitrary File Read via Template Injection in Snapshot Patterns
GHSA-w2hg-2v4p-vmh6 CVE-2025-54287 HIGH about 2 months ago
### Impact In LXD's instance snapshot creation functionality, the Pongo2 template engine is used in the `snapshots.pattern` configuration for gener...
go
No PRs yet
Canonical LXD Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server
GHSA-7232-97c6-j525 CVE-2025-54288 MODERATE about 2 months ago
### Impact In LXD's devLXD server, the source container identification process uses process cmdline (command line) information, allowing attackers ...
go
No PRs yet
Canonical LXD Vulnerable to Privilege Escalation via WebSocket Connection Hijacking in Operations API
GHSA-3g72-chj4-2228 CVE-2025-54289 HIGH about 2 months ago
### Impact LXD's operations API includes secret values necessary for WebSocket connections when retrieving information about running operations. Th...
go
No PRs yet
Canonical LXD Project Existence Determination Through Error Handling in Image Export Function
GHSA-p3x5-mvmp-5f35 CVE-2025-54290 MODERATE about 2 months ago
### Impact In LXD's images export API (`/1.0/images/{fingerprint}/export`), implementation differences in error handling allow determining project ...
go
No PRs yet
Canonical LXD Path Traversal Vulnerability in Instance Log File Retrieval Function
GHSA-472f-vmf2-pr3h CVE-2025-54293 HIGH about 2 months ago
### Impact Although outside the scope of this penetration test, a path traversal vulnerability exists in the validLogFileName function that validat...
go
No PRs yet
Canonical LXD Project Existence Determination Through Error Handling in Image Get Function
GHSA-xch9-h8qw-85c7 CVE-2025-54291 MODERATE about 2 months ago
### Impact The LXD /1.0/images endpoint is implemented as an AllowUntrusted API that requires no authentication, making it accessible to users with...
go
No PRs yet
DataChain Vulnerable to Deserialization of Untrusted Data from Environment Variables
GHSA-6px8-mr29-cj4r CVE-2025-61677 LOW about 2 months ago
The DataChain library reads serialized objects from environment variables (such as `DATACHAIN__METASTORE` and `DATACHAIN__WAREHOUSE`) in the `loade...
pypi
No PRs yet
Apache Kylin Authentication Bypass Vulnerability
GHSA-mr9j-4j48-xcm2 CVE-2025-61733 HIGH about 2 months ago
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2....
maven
No PRs yet
Apache Kylin Files or Directories Accessible to External Parties
GHSA-p86w-w5rh-m3hx CVE-2025-61734 HIGH about 2 months ago
Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as Kylin's system and project admin ac...
maven
No PRs yet
Apache Kylin Server-Side Request Forgery (SSRF) Vulnerability
GHSA-f6m8-qm7j-fh65 CVE-2025-61735 HIGH about 2 months ago
Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long ...
maven
No PRs yet
Django vulnerable to partial directory traversal via archives
GHSA-q95w-c7qg-hrff CVE-2025-59682 LOW about 2 months ago
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by ...
pypi
21 Dependabot PRs
Dolibarr vulnerable to RCE via the computed field parameter
GHSA-27hj-48r9-x2vx CVE-2025-56588 HIGH about 2 months ago
Dolibarr ERP & CRM v21.0.1 was discovered to contain a remote code execution (RCE) vulnerability in the User module configuration via the computed...
packagist
No PRs yet
Django vulnerable to SQL injection in column aliases
GHSA-hpr9-3m2g-3j9p CVE-2025-59681 HIGH about 2 months ago
An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggre...
pypi
21 Dependabot PRs
Auth0 Symfony SDK Does Not Properly Handle File Types in Bulk User Import
GHSA-7jp2-5h22-m432 LOW about 2 months ago
### Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
Auth0 Wordpress plugin Does Not Properly Handle File Types in Bulk User Import
GHSA-w22c-pw5m-482x LOW about 2 months ago
### Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
laravel-auth0 SDK Does Not Properly Handle File Types in Bulk User Import
GHSA-hjfh-5jmm-xr24 LOW about 2 months ago
### Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
auth0-PHP SDK Does Not Properly Handle File Types in Bulk User Import
GHSA-9mh6-g99m-ppcw CVE-2025-58769 LOW about 2 months ago
### Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without ...
packagist
No PRs yet
marimo vulnerable to proxy abuse of /mpl/{port}/
GHSA-xjv7-6w92-42r7 MODERATE about 2 months ago
### Summary The `/mpl/<port>/<route>` endpoint, which is accessible without authentication on default Marimo installations, allows external att...
pypi
No PRs yet
risc0 vulnerable to arbitrary code execution in guest via memory safety failure in `sys_read`
GHSA-jqq4-c7wq-36h7 CVE-2025-61588 CRITICAL about 2 months ago
# Arbitrary code execution in guest via memory safety failure in `sys_read` In affected versions of `risc0-zkvm-platform`, when the zkVM guest cal...
cargo
No PRs yet
Fiora chat group avatar is vulnerable to XSS via SVG files
GHSA-2c6j-vw6r-mfch CVE-2025-56515 LOW about 2 months ago
File upload vulnerability in Fiora chat application 1.0.0 through user avatar upload functionality. The application fails to validate SVG file cont...
npm
No PRs yet
Fiora chat user avatar is vulnerable to XSS via SVG files
GHSA-hg3j-6pmh-mvjr CVE-2025-56514 LOW about 2 months ago
Cross Site Scripting (XSS) vulnerability in Fiora chat application 1.0.0 allows arbitrary JavaScript execution when malicious SVG files are rendere...
npm
No PRs yet
@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user
GHSA-m8rj-ppph-mj33 CVE-2025-61668 HIGH about 2 months ago
### Impact When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error. ### Patches The prob...
npm
No PRs yet
SPDK is vulnerable to buffer overflow in the NVMe-oF target component
GHSA-5m5w-w2h2-fqgq CVE-2025-57275 MODERATE about 2 months ago
Storage Performance Development Kit (SPDK) 25.05 is vulnerable to Buffer Overflow in the NVMe-oF target component in SPDK - lib/nvmf.
pypi
No PRs yet