Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,785
Total Advisories
1,792
With Dependabot PRs
3,506
Critical Severity
8,617
High Severity
ml-logger file handler allows reading arbitrary files
GHSA-9x36-c74v-fgr6 CVE-2025-10952 MODERATE 2 months ago
A security flaw has been discovered in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Affected by this issue is the function stre...
pypi
No PRs yet
Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
GHSA-625h-95r8-8xpm CVE-2025-59830 HIGH 2 months ago
## Summary
`Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on bo...
rubygems
3
Dependabot PRs
Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning
GHSA-227x-7mh8-3cf6 CVE-2025-59823 CRITICAL 2 months ago
### Impact
A security vulnerability was discovered in Gardener when [Terraformer](https://github.com/gardener/terraformer) is used for infrastruct...
go
No PRs yet
ml-logger has path traversal in the file argument
GHSA-8x9j-2p8r-7xc6 CVE-2025-10951 MODERATE 2 months ago
A vulnerability was identified in geyang ml-logger 0.10.36 and prior. Affected by this vulnerability is the function log_handler of the file ml_log...
pypi
No PRs yet
ml-logger deserialization vulnerability
GHSA-57hm-8rjv-498w CVE-2025-10950 LOW 2 months ago
A vulnerability was determined in geyang ml-logger 0.10.36 and prior. Affected is the function log_handler of the file ml_logger/server.py of the c...
pypi
No PRs yet
cors-anywhere vulnerable to server-side request forgery
GHSA-r3jv-xfgx-gj24 CVE-2020-36851 CRITICAL 2 months ago
Rob--W/cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to a...
npm
No PRs yet
apidoc-core is vulnerable to prototype pollution
GHSA-5q53-78f2-6gf8 CVE-2025-57317 HIGH 2 months ago
apidoc-core is the core parser library to generate apidoc result following the apidoc-spec. A Prototype Pollution vulnerability in the preProcess f...
npm
No PRs yet
dref is vulnerable to prototype pollution
GHSA-76g8-235f-gj6p CVE-2025-26278 HIGH 2 months ago
A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.
npm
No PRs yet
lobe-chat has an Open Redirect
GHSA-xph5-278p-26qx CVE-2025-59426 MODERATE 2 months ago
### **Description**
---
> Vulnerability Overview
>
The project's OIDC redirect handling logic constructs the host and protocol of the final red...
npm
No PRs yet
csvjson vulnerable to prototype injection
GHSA-xq4f-3jxp-qv6m CVE-2025-57318 HIGH 2 months ago
A Prototype Pollution vulnerability in the toCsv function of csvjson versions through 5.1.0 allows attackers to inject properties on Object.prototype ...
npm
No PRs yet
toggle-array vulnerable to prototype pollution
GHSA-34q3-8x9v-j957 CVE-2025-57328 LOW 2 months ago
toggle-array is a package designed to enable a property on the object at the specified index, while disabling the property on all other objects. A...
npm
No PRs yet
spmrc vulnerable to prototype pollution
GHSA-r2rv-8pp3-65xw CVE-2025-57327 LOW 2 months ago
spmrc is a package that provides the rc manager for spm. A Prototype Pollution vulnerability in the set and config function of spmrc version 1.2.0 ...
npm
No PRs yet
magix-combine-ex vulnerable to prototype pollution
GHSA-cr7h-93fh-whwm CVE-2025-57321 LOW 2 months ago
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions through 2.2.2 allows attackers to inject p...
npm
No PRs yet
ts-fns has prototype pollution vulnerability
GHSA-g7wq-wggw-vmhg CVE-2025-57351 MODERATE 2 months ago
A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in t...
npm
No PRs yet
messageformat has a prototype pollution vulnerability
GHSA-xfqm-j7pc-xrfc CVE-2025-57349 LOW 2 months ago
The messageformat package, an implementation of the Unicode MessageFormat 2 specification for JavaScript, is vulnerable to prototype pollution due ...
npm
No PRs yet
parse is vulnerable to prototype pollution
GHSA-9g8m-v378-pcg3 CVE-2025-57324 MODERATE 2 months ago
parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState funct...
npm
2
Dependabot PRs
50%
Merged
Llama Stack could potentially allow for remote code execution
GHSA-x75h-m6jj-6cj2 CVE-2025-55178 MODERATE 2 months ago
Llama Stack prior to version v0.2.20 accepted unverified parameters in the resolve_ast_by_type function which could potentially allow for remote co...
pypi
No PRs yet
mpregular vulnerable to prototype pollution
GHSA-xx4g-r65p-3qf2 CVE-2025-57323 HIGH 2 months ago
mpregular is a package that provides a small program development framework based on RegularJS. A Prototype Pollution vulnerability in the mp.addEve...
npm
No PRs yet
json-schema-editor-visual vulnerable to prototype pollution
GHSA-3c3p-xh4f-pfh7 CVE-2025-57320 MODERATE 2 months ago
json-schema-editor-visual is a package that provides jsonschema editor. A Prototype Pollution vulnerability in the setData and deleteData function ...
npm
No PRs yet
sassdoc-extras vulnerable to prototype pollution
GHSA-3mpm-jx38-9m8w CVE-2025-57326 LOW 2 months ago
A Prototype Pollution vulnerability in the byGroupAndType function of sassdoc-extras v2.5.1 and before allows attackers to inject properties on Obj...
npm
No PRs yet
web3-core-method is vulnerable to prototype pollution
GHSA-2j4c-9qqq-896r CVE-2025-57329 LOW 2 months ago
web3-core-method is a package designed to create the methods on the web3 modules. A Prototype Pollution vulnerability in the attachToObject functi...
npm
No PRs yet
web3-core-subscriptions has a Prototype Pollution vulnerability
GHSA-hhf6-3xpg-pggx CVE-2025-57330 LOW 2 months ago
web3-core-subscriptions is a package designed to manage web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function...
npm
No PRs yet
node-cube vulnerable to prototype pollution
GHSA-8v65-5fw5-23wj CVE-2025-57348 LOW 2 months ago
The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an att...
npm
No PRs yet
Star Citizen EmbedVideo Extension Stored XSS through wikitext caused by usage of non-reserved data attributes
GHSA-4j5h-mvj3-m48v CVE-2025-59839 HIGH 2 months ago
### Summary
The EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext.
### Details
...
packagist
No PRs yet
Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure
GHSA-xh92-rqrq-227v CVE-2025-61685 MODERATE 2 months ago
The Mastra Docs MCP Server package `@mastra/mcp-docs-server` is a server designed to provide documentation context to AI agentic workflows, such as...
npm
No PRs yet
Command Injection in adb-mcp MCP Server
GHSA-54j7-grvr-9xwg CVE-2025-59834 CRITICAL 2 months ago
# Command Injection in adb-mcp MCP Server
The MCP Server at https://github.com/srmorete/adb-mcp is written in a way that is vulnerable to command ...
npm
No PRs yet
Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions
GHSA-2jjv-qf24-vfm4 CVE-2025-59828 HIGH 2 months ago
### Summary
In Claude Code versions prior to **1.0.39**, when the tool is used with **Yarn 2.x or newer (Berry)**, Yarn plugins are automatically ...
npm
No PRs yet
Omni Wireguard SideroLink potential escape
GHSA-hqrf-67pm-wgfq CVE-2025-59824 LOW 2 months ago
## Overview
Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and authoriz...
go
No PRs yet
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
GHSA-vj76-c3g6-qr5v CVE-2025-59343 HIGH 2 months ago
### Impact
v3.1.0, v2.1.3, v1.16.5 and below
### Patches
Has been patched in 3.1.1, 2.1.4, and 1.16.6
### Workarounds
You can use the ignore opt...
npm
1
Dependabot PRs
counterpart vulnerable to prototype pollution
GHSA-2488-w585-72ch CVE-2025-57354 MODERATE 2 months ago
A vulnerability exists in the `counterpart` library for Node.js and the browser due to insufficient sanitization of user-controlled input in transl...
npm
No PRs yet
messageformat prototype pollution vulnerability
GHSA-6xv4-9cqp-92rh CVE-2025-57353 MODERATE 2 months ago
The Runtime components of messageformat package for Node.js version 3.0.1 contain a prototype pollution vulnerability. Due to insufficient validati...
npm
10
Dependabot PRs
min-document vulnerable to prototype pollution
GHSA-rx8g-88g5-qh64 CVE-2025-57352 LOW 2 months ago
A vulnerability exists in the 'min-document' package prior to version 2.19.1, stemming from improper handling of namespace operations in the remove...
npm
No PRs yet
Mangati NovoSGA XSS vulnerability in /admin
GHSA-4c44-r8rm-3p39 CVE-2025-10909 LOW 2 months ago
A security flaw has been discovered in Mangati NovoSGA up to 2.2.9. The impacted element is an unknown function of the file /admin of the component...
packagist
No PRs yet
CSVTOJSON has a prototype pollution vulnerability
GHSA-vrw9-g62v-7fmf CVE-2025-57350 MODERATE 2 months ago
The csvtojson package, a tool for converting CSV data to JSON with customizable parsing capabilities, contains a prototype pollution vulnerability ...
npm
3
Dependabot PRs
pip's fallback tar extraction doesn't check symbolic links point to extraction directory
GHSA-4xh5-x5gv-qwph CVE-2025-8869 MODERATE 2 months ago
### Summary
In the fallback extraction path for source distributions, `pip` used Python’s `tarfile` module without verifying that symbolic/hard li...
pypi
3
Dependabot PRs
Apache ZooKeeper: Insufficient Permission Check in AdminServer Snapshot/Restore Commands
GHSA-2hmj-97jw-28jh CVE-2025-58457 MODERATE 2 months ago
Improper permission checks in the AdminServer allow an authenticated client with insufficient privileges to invoke the `snapshot` and `restore` com...
maven
No PRs yet
Apache IoTDB: DoS Vulnerability
GHSA-vx84-xvr8-w24c CVE-2025-48392 MODERATE 2 months ago
A vulnerability in Apache IoTDB.
This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4.
Users are recommended ...
maven
No PRs yet
Apache IoTDB: Deserialization of untrusted Data
GHSA-776q-jw43-fhjx CVE-2025-48459 CRITICAL 2 months ago
### Summary
Apache IoTDB deserializes data from external inputs without sufficient validation, allowing attacker-controlled serialized objects to ...
maven
No PRs yet
Liferay Portal and DXP does not properly expire sessions
GHSA-rpx3-f938-xj5q CVE-2025-43819 MODERATE 2 months ago
### Summary
Liferay Portal/DXP contains an Insufficient Session Expiration issue where the Single Logout (SLO) API may fail to invalidate a user’s...
maven
No PRs yet
WSO2 Identity Server Apps allows content spoofing in logs
GHSA-r6f3-55wj-g9p3 CVE-2024-6429 MODERATE 2 months ago
A content spoofing issue exists in WSO2 Identity Server Apps, specifically in the Authentication Portal, due to improper handling of authentication...
maven
No PRs yet
GP247 and S-Cart have a stored cross-site scripting (XSS) vulnerability
GHSA-46v4-5mc8-q2cf CVE-2025-57407 LOW 2 months ago
A stored cross-site scripting (XSS) vulnerability in the Admin Log Viewer of S-Cart <=10.0.3 allows a remote authenticated attacker to inject arbit...
packagist
No PRs yet
astral-tokio-tar has a path traversal in tar extraction
GHSA-3wgq-wrwc-vqmv CVE-2025-59825 MODERATE 2 months ago
### Impact
In versions 0.5.3 and earlier of astral-tokio-tar, tar archives may extract outside of their intended destination directory when using ...
cargo
No PRs yet
Http4s vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section
GHSA-wcwh-7gfw-5wrr CVE-2025-59822 MODERATE 2 months ago
### Summary
http4s is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section.
This vulnerability could enable attack...
maven
No PRs yet
Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer
GHSA-4w7r-h757-3r74 CVE-2025-6921 MODERATE 2 months ago
The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDeca...
pypi
No PRs yet
WSO2 carbon-apimgt affected by an authenticated stored cross-site scripting (XSS) vulnerability
GHSA-cmjc-qp7j-xgwr CVE-2025-4760 MODERATE 2 months ago
An authenticated stored Cross-Site Scripting (XSS) vulnerability exists in WSO2 API Manager components (`carbon-apimgt`) due to insufficient valida...
maven
No PRs yet
DNN vulnerable to Reflected Cross-Site Scripting (XSS) using url to profile
GHSA-jc4g-c8ww-5738 CVE-2025-59821 MODERATE 2 months ago
# Summary
A reflected cross-site scripting (XSS) vulnerability exists under certain conditions, using a specially crafted URL to view a user profil...
nuget
No PRs yet
DNN Vulnerable to Stored XSS Using Backend Admin Credentials
GHSA-gj8m-5492-q98h CVE-2025-59546 LOW 2 months ago
# Summary
Users that can edit modules could set a title that includes scripts.
# Description
Some users (administrators and content editors) can s...
nuget
No PRs yet
DNN Vulnerable to Stored Cross-Site Scripting (XSS) in the Prompt module
GHSA-2qxc-mf4x-wr29 CVE-2025-59545 CRITICAL 2 months ago
# Summary
The Prompt module allows execution of commands that can return raw HTML. Malicious input, even if sanitized for display elsewhere, can be...
nuget
No PRs yet
Liferay Portal and DXP audit events record password reminder answers
GHSA-ph63-chvv-8x46 CVE-2025-43814 MODERATE 2 months ago
In Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.1...
maven
No PRs yet
Liferay Portal and DXP does not properly check permission with import and export tasks
GHSA-pm45-xx4q-fmv7 CVE-2025-43806 MODERATE 2 months ago
Batch Engine in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA throu...
maven
No PRs yet