Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,785 Total Advisories
1,792 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity
Apache Pyfory python is vulnerable to deserialization of untrusted data
GHSA-538v-3wq9-4h3r CVE-2025-61622 CRITICAL about 2 months ago
Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allo...
pypi
No PRs yet
QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
GHSA-25qh-j22f-pwp8 CVE-2025-11226 MODERATE about 2 months ago
QOS.CH logback-core versions up to 1.5.18 contain an ACE vulnerability in conditional configuration file processing in Java applications. This vuln...
maven
38 Dependabot PRs, 5% Merged
Liferay Portal Vulnerable to XSS in Web Content translation
GHSA-qh92-cr5f-3595 CVE-2025-43826 MODERATE about 2 months ago
Stored cross-site scripting (XSS) vulnerabilities in Web Content translation in Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versi...
maven
No PRs yet
Liferay Portal Vulnerable to IDOR via audit events
GHSA-pw86-qvx9-34r7 CVE-2025-43827 MODERATE about 2 months ago
Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, ...
maven
No PRs yet
github.com/MANTRA-Chain/mantrachain/x/tokenfactory tx gas limit is not enforced in send hooks
GHSA-qwvm-wqq8-8j69 CVE-2025-61595 HIGH about 2 months ago
### Impact
Send hooks can spend more gas than what remains in the tx; combined with recursive calls in the wasm contract, this can amplify the gas consu...
go
No PRs yet
Argo CD Unauthenticated Remote DoS via malformed Azure DevOps git.push webhook
GHSA-gpx4-37g2-c8pv CVE-2025-59538 HIGH about 2 months ago
### Summary
In the default configuration, with `webhook.azuredevops.username` and `webhook.azuredevops.password` not set, Argo CD’s /api/webhook endpoi...
go
No PRs yet
validator.js has a URL validation bypass vulnerability in its isURL function
GHSA-9965-vmph-33xx CVE-2025-56200 MODERATE about 2 months ago
A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses '://' as a delimiter to parse pro...
npm
66 Dependabot PRs
Finance.js vulnerable to DoS via the seekZero() parameter
GHSA-5q7q-p8pc-782h CVE-2025-56572 HIGH about 2 months ago
An issue in finance.js v.4.1.0 allows a remote attacker to cause a denial of service via the seekZero() parameter.
npm
No PRs yet
Joomla! CMS vulnerable to XSS via the input filter
GHSA-fm22-g2q9-j3pw CVE-2025-54476 MODERATE about 2 months ago
Improper handling of input could lead to a cross-site scripting (XSS) vector in the checkAttribute method of the input filter framework class.
packagist
No PRs yet
Finance.js vulnerable to DoS via the IRR function’s depth parameter
GHSA-f8r4-mf27-rf7m CVE-2025-56571 HIGH about 2 months ago
Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/itera...
npm
No PRs yet
FormCMS has an improper access control vulnerability in the /api/schemas/history/[schemaId] endpoint
GHSA-6cwx-42hw-w69c CVE-2025-55797 MODERATE about 2 months ago
An improper access control vulnerability in FormCms v0.5.4 in the /api/schemas/history/[schemaId] endpoint allows unauthenticated attackers to acce...
nuget
No PRs yet
argo-cd vulnerable to unauthenticated DoS via malformed Gogs webhook payload
GHSA-wp4p-9pxh-cgx2 CVE-2025-59537 HIGH about 2 months ago
### Summary
Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legi...
go
No PRs yet
Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload
GHSA-f9gq-prrc-hrhc CVE-2025-59531 HIGH about 2 months ago
### Summary
Unpatched Argo CD versions are vulnerable to malicious API requests which can crash the API server and cause denial of service to legi...
go
No PRs yet
Repository Credentials Race Condition Crashes Argo CD Server
GHSA-g88p-r42r-ppp9 CVE-2025-55191 MODERATE about 2 months ago
### Summary
A race condition in the repository credentials handler can cause the Argo CD server to panic and crash when concurrent operations are ...
go
No PRs yet
figma-developer-mcp vulnerable to command injection in get_figma_data tool
GHSA-gxw4-4fc5-9gr5 CVE-2025-53967 HIGH about 2 months ago
### Summary
A command injection vulnerability exists in the `figma-developer-mcp` MCP Server. The vulnerability is caused by the unsanitized use o...
npm
No PRs yet
@nubosoftware/node-static failure to catch exception can result in server crash
GHSA-27w5-gj5q-82fv CVE-2025-11149 HIGH 2 months ago
This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exceptio...
npm
No PRs yet
check-branches is vulnerable to command Injection
GHSA-9c4g-fp4r-prrv CVE-2025-11148 CRITICAL 2 months ago
All versions of the package check-branches are vulnerable to Command Injection.
check-branches is a command-line tool that is interacted with loca...
npm
No PRs yet
Liferay Portal vulnerable to cross-site scripting in the related asset selector
GHSA-2856-xf2f-6vrf CVE-2025-43811 MODERATE 2 months ago
Multiple stored cross-site scripting (XSS) vulnerabilities in the related asset selector in Liferay Portal 7.4.3.50 through 7.4.3.111, and Liferay DX...
maven
No PRs yet
Liferay Portal vulnerable to reflected cross-site scripting via the `redirect` parameter
GHSA-m4hg-46pw-6mmv CVE-2025-43817 MODERATE 2 months ago
Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023....
maven
No PRs yet
Liferay Portal vulnerable to reflected cross-site scripting on the page configuration page
GHSA-wmjx-xv9v-r89q CVE-2025-43815 MODERATE 2 months ago
Reflected cross-site scripting (XSS) vulnerability on the page configuration page in Liferay Portal 7.4.3.102 through 7.4.3.110, and Liferay DXP 20...
maven
No PRs yet
Liferay Portal vulnerable to cross-site scripting in the web content template
GHSA-jv8x-mm3v-75r7 CVE-2025-43812 MODERATE 2 months ago
Cross-site scripting (XSS) vulnerability in web content template in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 202...
maven
No PRs yet
Liferay Portal vulnerable to path traversal and denial-of-service in the ComboServlet
GHSA-2hm7-r8f3-423h CVE-2025-43813 MODERATE 2 months ago
Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal 7.4.0 through 7.4.3.107, and older unsupported ve...
maven
No PRs yet
Liferay Portal vulnerable to cross-site scripting in the Calendar widget
GHSA-pf86-4w35-cj89 CVE-2025-43820 MODERATE 2 months ago
Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to an event in Liferay Portal 7.4.3.35 through 7.4.3....
maven
No PRs yet
Liferay Portal vulnerable to cross-site scripting in the Calendar widget
GHSA-gj92-p9mh-83j8 CVE-2025-43818 MODERATE 2 months ago
Cross-site scripting (XSS) vulnerability in the Calendar widget in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 202...
maven
No PRs yet
Coder AgentAPI exposed user chat history via a DNS rebinding attack
GHSA-w64r-2g3w-w8w4 CVE-2025-59956 MODERATE 2 months ago
### Summary
AgentAPI prior to version [0.4.0](https://github.com/coder/agentapi/releases/tag/v0.4.0) was susceptible to a client-side DNS rebinding...
go
No PRs yet
go-f3 module vulnerable to integer overflow leading to panic
GHSA-g99p-47x7-mq88 CVE-2025-59942 HIGH 2 months ago
### Impact
Filecoin nodes consuming F3 messages are vulnerable. go-f3 panics when it validates a "poison" message. A "poison" message can c...
go
No PRs yet
go-f3 Vulnerable to Cached Justification Verification Bypass
GHSA-7pq9-rf9p-wcrf CVE-2025-59941 MODERATE 2 months ago
### Description
A vulnerability exists in go-f3's justification verification caching mechanism where verification results are cached without proper...
go
No PRs yet
MinIO Java Client XML Tag Value Substitution Vulnerability
GHSA-h7rh-xfpj-hpcm CVE-2025-59952 HIGH 2 months ago
#### Description
In minio-java versions prior to 8.6.0, XML tag values containing references to system properties or environment variables were aut...
maven
No PRs yet
j178/prek-action vulnerable to arbitrary code injection in composite action
GHSA-pwf7-47c3-mfhx CRITICAL 2 months ago
### Summary
There are three potential attacks of arbitrary code injection vulnerability in the composite action at _action.yml_.
### Details
The G...
actions
No PRs yet
mkdocs-include-markdown-plugin susceptible to unvalidated input colliding with substitution placeholders
GHSA-v39m-5m9j-m9w9 CVE-2025-59940 MODERATE 2 months ago
### Impact
CWE-20: Improper Input Validation
Low impact
### Patches
Patched in v7.1.8 (commit https://github.com/mondeja/mkdocs-include-markdown-p...
pypi
No PRs yet
go-mail has insufficient address encoding when passing mail addresses to the SMTP client
GHSA-wpwj-69cm-q9c5 CVE-2025-59937 HIGH 2 months ago
### Impact
Due to incorrect handling of the `mail.Address` values when a sender- or recipient address is passed to the corresponding `MAIL FROM` or...
go
1 Dependabot PR
vet MCP Server SSE Transport DNS Rebinding Vulnerability
GHSA-6q9c-m9fr-865m CVE-2025-59163 LOW 2 months ago
SafeDep `vet` is vulnerable to a DNS rebinding attack due to lack of HTTP `Host` and `Origin` header validation.
To exploit this vulnerability fo...
go
No PRs yet
llama-index-core insecurely handles temporary files
GHSA-cr7q-2w66-hjcm CVE-2025-7647 HIGH 2 months ago
The llama-index-core package, up to version 0.12.44, contains a vulnerability in the `get_cache_dir()` function where a predictable, hardcoded dire...
pypi
No PRs yet
github.com/nyaruka/phonenumbers Vulnerable to Improper Validation of Syntactic Correctness of Input
GHSA-fmjh-f678-cv3x CVE-2025-10954 MODERATE 2 months ago
Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the...
go
No PRs yet
algoliasearch-helper is vulnerable to Prototype Pollution in _merge()
GHSA-529q-4j3p-7c5r CVE-2025-3193 MODERATE 2 months ago
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in mer...
npm
No PRs yet
PiranhaCMS stored XSS
GHSA-456v-f425-8mcv CVE-2025-57692 MODERATE 2 months ago
PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitr...
nuget
No PRs yet
OpenMLS improper persistence of the secret tree during message processing
GHSA-qr9h-x63w-vqfm MODERATE 2 months ago
### Summary
A bug in the OpenMLS library prevented private key material from being updated in storage during message processing. The key material ...
cargo
No PRs yet
kcp missing update validation allows arbitrary LogicalCluster status patches through the initializingworkspaces Virtual Workspace
GHSA-q6hv-wcjr-wp8h LOW 2 months ago
### Impact
Because UPDATE validation is not being applied, it is possible for an actor with access to an instance of the [initializingworkspaces v...
go
No PRs yet
Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
GHSA-w87v-7w53-wwxv CVE-2025-59845 HIGH 2 months ago
### Impact
A **Cross-Site Request Forgery (CSRF)** vulnerability was identified in Apollo’s **Embedded Sandbox** and **Embedded Explorer**.
The v...
npm
2 Dependabot PRs
express-xss-sanitizer has an unbounded recursion depth
GHSA-hvq2-wf92-j4f3 CVE-2025-59364 MODERATE 2 months ago
# Security Advisory: express-xss-sanitizer
## Overview
A vulnerability was discovered in express-xss-sanitizer that allowed unbounded recursion de...
npm
No PRs yet
get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass
GHSA-qc2q-qhf3-235m CVE-2025-59936 CRITICAL 2 months ago
### Summary
A vulnerability in `get-jwks` can lead to cache poisoning in the JWKS key-fetching mechanism.
### Details
When the `iss` (issuer) cla...
npm
No PRs yet
JupyterLab LaTeX typesetter links did not enforce `noopener` attribute
GHSA-vvfj-2jqx-52jm CVE-2025-59842 LOW 2 months ago
Links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the `noopener` attri...
pypi
No PRs yet
Rancher update on users can deny service to the admin
GHSA-q82v-h4rq-5c86 CVE-2024-58260 HIGH 2 months ago
### Impact
A vulnerability has been identified within Rancher Manager where a missing server-side validation on the `.username` field in Rancher c...
go
No PRs yet
Rancher CLI SAML authentication is vulnerable to phishing attacks
GHSA-v3vj-5868-2ch2 CVE-2024-58267 HIGH 2 months ago
### Impact
A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to ...
go
No PRs yet
Rancher sends sensitive information to external services through the `/meta/proxy` endpoint
GHSA-mjcp-rj3c-36fr CVE-2025-54468 MODERATE 2 months ago
### Impact
A vulnerability has been identified within Rancher Manager whereby `Impersonate-Extra-*` headers are being sent to an external entity, ...
go
No PRs yet
Argument injection vulnerability in SonarQube Scan Action
GHSA-5xq9-5g24-4g6f CVE-2025-59844 HIGH 2 months ago
A command injection vulnerability exists in SonarQube GitHub Action prior to v6.0.0 when workflows pass user-controlled input to the args parameter...
actions
No PRs yet
Apache Airflow: Connection sensitive details exposed to users with READ permissions
GHSA-q475-2pgm-7hvp CVE-2025-54831 MODERATE 2 months ago
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connec...
pypi
No PRs yet
WSO2's Input Validation Management Service contains Observable Discrepancy when Multi-Attribute Login is enabled
GHSA-w82p-r9vw-4rg5 CVE-2025-1396 LOW 2 months ago
A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system retu...
maven
No PRs yet
Hutool allows remote code execution (RCE) via the QLExpressEngine class
GHSA-gcfh-36x4-mgj6 CVE-2025-56769 HIGH 2 months ago
An issue was discovered in chinabugotech hutool before 5.8.40 allowing attackers to execute arbitrary expressions that lead to arbitrary method inv...
maven
No PRs yet
Liferay Portal and DXP vulnerable to a memory leak
GHSA-hrqm-qpw9-w8rv CVE-2025-43816 MODERATE 2 months ago
A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP...
maven
No PRs yet