Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,785 total advisories · 1,792 with Dependabot PRs · 3,506 critical severity · 8,617 high severity
Kubernetes C# client accepts certificates from any CA without properly verifying the trust chain
GHSA-w7r3-mgwf-4mqq CVE-2025-9708 MODERATE 2 months ago
A vulnerability exists in the Kubernetes C# client where the certificate validation logic accepts properly constructed certificates from any Certif...
nuget
No PRs yet
Liferay Portal allows remote attackers to view display page templates via crafted URLs
GHSA-5pp7-m8x8-rc82 CVE-2025-43805 MODERATE 2 months ago
Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update...
maven
No PRs yet
Timing Attack Vulnerability in SCRAM Authentication
GHSA-3wfh-36rx-9537 CVE-2025-59432 MODERATE 2 months ago
### Impact
A timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because `Arrays.equals` was used to compare sec...
maven
2 Dependabot PRs
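The SCRAM advisory above turns on one detail: `Arrays.equals` returns at the first differing byte, so the time a comparison takes reveals how many leading bytes of the attacker's guess were right. The added example below (not code from the SCRAM Java project) puts a counter where the clock would be so the leak is visible without timing measurements, and shows the correct primitive, `hmac.compare_digest` in Python (the Java equivalent is `MessageDigest.isEqual`). The 32-byte "secret" and the guesses are constructed for the demo.

```python
"""Early-exit vs. constant-time comparison of an authentication secret.

Added example; not code from the SCRAM Java project. Java's Arrays.equals
returns at the first differing byte, so its running time reveals how long the
attacker's correct prefix is; MessageDigest.isEqual (Java) and
hmac.compare_digest (Python) examine every byte regardless. The counters below
make the leak visible without having to measure time at all.
"""
import hmac


def early_exit_equals(a: bytes, b: bytes) -> tuple:
    """Return (equal, bytes_examined); stops at the first mismatch like Arrays.equals."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined  # leaks the mismatch position through timing
    return True, examined


def constant_time_equals(a: bytes, b: bytes) -> tuple:
    """Return (equal, bytes_examined); work is independent of where the bytes differ.

    Hand-rolled only so the counter can be reported; production code should call
    hmac.compare_digest as verify_proof does.
    """
    if len(a) != len(b):
        return False, 0  # MAC lengths are fixed by the algorithm, so this branch is not secret-dependent
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y  # accumulate, never branch on the data
    return diff == 0, len(a)


def verify_proof(expected: bytes, received: bytes) -> bool:
    """How a server should check a SCRAM ClientProof, or any MAC it recomputes itself."""
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    """Constructed 32-byte secret; each guess is correct for the first k bytes and wrong at byte k.

    Returns {k: (early_exit_examined, constant_time_examined)}. The first number
    climbs with k, which is the oracle an attacker uses to recover the secret one
    byte at a time; the second is flat.
    """
    secret = bytes(range(32))
    results = {}
    for k in (0, 8, 16, 31):
        guess = secret[:k] + bytes([secret[k] ^ 0xFF]) + secret[k + 1:]
        _, leaky = early_exit_equals(secret, guess)
        _, flat = constant_time_equals(secret, guess)
        results[k] = (leaky, flat)
    return results
```

Length mismatches are still observable in both versions; that is acceptable for a MAC or proof whose length is fixed by the algorithm, but not for comparing variable-length user data.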
matrix-js-sdk has insufficient validation when considering a room to be upgraded by another
GHSA-mp7c-m3rh-r56v CVE-2025-59160 MODERATE 2 months ago
### Impact
matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in `MatrixClient::getJoinedRooms`, allowing a remote a...
npm
No PRs yet
@executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode
GHSA-65hm-pwj5-73pw CVE-2025-59333 HIGH 2 months ago
The MCP Server provided by ExecuteAutomation at https://github.com/executeautomation/mcp-database-server provides an MCP interface for agentic work...
npm
No PRs yet
Liferay Portal has unchecked input for loop condition vulnerability in XML-RPC
GHSA-95h4-8mqc-4mpf CVE-2025-43801 MODERATE 2 months ago
Unchecked input for loop condition vulnerability in XML-RPC in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay ...
maven
No PRs yet
Spring Expression language property modification using Spring Cloud Gateway Server WebFlux
GHSA-q2cj-h8fw-q4cc CVE-2025-41243 CRITICAL 2 months ago
Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification.
An application should be considered vulnerable ...
maven
No PRs yet
Podman Creates Temporary File with Insecure Permissions
GHSA-m68q-4hqr-mc6f CVE-2025-4953 HIGH 2 months ago
A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. Th...
go
No PRs yet
Spring Security annotation detection mechanism has authorization bypass
GHSA-8v5q-rhf3-jphm CVE-2025-41248 HIGH 2 months ago
The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized su...
maven
No PRs yet
TYPO3 "Form to Database" extension susceptible to Cross-site Scripting
GHSA-54pg-2x9h-cmx8 CVE-2025-10316 LOW 2 months ago
The extension "Form to Database" is susceptible to Cross-Site Scripting. This issue affects the following versions: before 2.2.5, from 3.0.0 before...
packagist
No PRs yet
Spring Framework annotation detection mechanism may result in improper authorization
GHSA-jmp9-x22r-554x CVE-2025-41249 HIGH 2 months ago
The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized s...
maven
3 Dependabot PRs · 33% merged
Openfire has potential identity spoofing issue via unsafe CN parsing
GHSA-w252-645g-87mp CVE-2025-59154 MODERATE 3 months ago
## Summary
Identity spoofing in X.509 client certificate authentication in Openfire allows internal attackers to impersonate other users via craft...
maven
No PRs yet
Liferay Stored Cross-site Scripting vulnerability
GHSA-vg6h-g5mr-9hgv CVE-2025-43802 MODERATE 3 months ago
Stored cross-site scripting (XSS) vulnerability in a custom object’s /o/c/<object-name> API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, ...
maven
No PRs yet
Liferay has Insecure Default Initialization of Resource issue
GHSA-25m3-w28p-v3v3 CVE-2025-43797 MODERATE 3 months ago
In Liferay Portal 7.1.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update ...
maven
No PRs yet
is-arrayish@0.3.3 contains malware after npm account takeover
GHSA-frh7-2f84-v9mw CVE-2025-59331 HIGH 3 months ago
### Impact
On 8 September 2025, an npm publishing account for `is-arrayish` was taken over after a phishing attack. Version `0.3.3` was published, ...
npm
No PRs yet
error-ex@1.3.3 contains malware after npm account takeover
GHSA-6jp5-hh4c-8c5h CVE-2025-59330 HIGH 3 months ago
### Impact
On 8 September 2025, an npm publishing account for `error-ex` was taken over after a phishing attack. Version `1.3.3` was published, fun...
npm
No PRs yet
color-convert@3.1.1 contains malware after npm account takeover
GHSA-pxx3-g568-hxr4 CVE-2025-59162 HIGH 3 months ago
### Impact
On 8 September 2025, the npm publishing account for `color-convert` was taken over after a phishing attack. Version `3.1.1` was publishe...
npm
No PRs yet
color-name@2.0.1 contains malware after npm account takeover
GHSA-5fvm-p68v-5wmh CVE-2025-59145 HIGH 3 months ago
### Impact
On 8 September 2025, an npm publishing account for `color-name` was taken over after a phishing attack. Version `2.0.1` was published, f...
npm
No PRs yet
Liferay Portal Uses Default Password
GHSA-43xf-59vr-g4f2 CVE-2025-43799 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through upda...
maven
No PRs yet
Liferay DXP Missing Critical Step in Authentication
GHSA-4p5r-3jmm-652q CVE-2025-43798 LOW 3 months ago
Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TO...
maven
No PRs yet
debug@4.4.2 contains malware after npm account takeover
GHSA-4x49-vf9v-38px CVE-2025-59144 HIGH 3 months ago
### Impact
On 8 September 2025, the npm publishing account for `debug` was taken over after a phishing attack. Version `4.4.2` was published, funct...
npm
No PRs yet
Liferay Portal Cross-site Scripting (XSS) vulnerability
GHSA-jfv5-r382-xvwh CVE-2025-43800 MODERATE 3 months ago
Cross-site scripting (XSS) vulnerability in Objects in Liferay Portal 7.4.3.20 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023...
maven
No PRs yet
color@5.0.1 contains malware after npm account takeover
GHSA-qrmh-qg46-72pp CVE-2025-59143 HIGH 3 months ago
### Impact
On 8 September 2025, the npm publishing account for `color` was taken over after a phishing attack. Version `5.0.1` was published, funct...
npm
No PRs yet
color-string@2.1.1 contains malware after npm account takeover
GHSA-286p-vc9p-p5qv CVE-2025-59142 HIGH 3 months ago
### Impact
On 8 September 2025, the npm publishing account for `color-string` was taken over after a phishing attack. Version `2.1.1` was published...
npm
No PRs yet
simple-swizzle@0.2.3 contains malware after npm account takeover
GHSA-9g9j-rggx-7fmg CVE-2025-59141 HIGH 3 months ago
### Impact
On 8 September 2025, the npm publishing account for `simple-swizzle` was taken over after a phishing attack. Version `0.2.3` was publish...
npm
No PRs yet
backslash@0.2.1 contains malware after npm account takeover
GHSA-53mq-f4w3-f7qv CVE-2025-59140 HIGH 3 months ago
### Impact
On 8 September 2025, the npm publishing account for `backslash` was taken over after a phishing attack. Version `0.2.1` was published, f...
npm
No PRs yet
HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability
GHSA-g5cg-6c7v-mmpw CVE-2025-59155 MODERATE 3 months ago
### Impact
A Server-Side Request Forgery (SSRF) vulnerability that affects all users running the HackMD MCP server in HTTP mode. Attackers could e...
npm
No PRs yet
Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark
GHSA-f7qg-xj45-w956 CVE-2025-9862 MODERATE 3 months ago
### Impact
A vulnerability in Ghost's oEmbed mechanism allows staff users to exfiltrate data from internal systems via SSRF.
### Vulnerable versi...
npm
No PRs yet
Flowise has unsandboxed remote code execution via Custom MCP
GHSA-6933-jpx5-q87q HIGH 3 months ago
### Summary
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However,...
npm
No PRs yet
Flowise has arbitrary file access due to missing chat flow id validation
GHSA-q67q-549q-p849 CRITICAL 3 months ago
### Summary
Missing chat flow id validation allows an attacker to access arbitrary files.
### Details
Commit https://github.com/FlowiseAI/Flowise...
npm
No PRs yet
Flowise has an Arbitrary File Read
GHSA-99pg-hqvx-r4gf CRITICAL 3 months ago
### Summary
An arbitrary file read vulnerability in the `chatId` parameter supplied to both the `/api/v1/get-upload-file` and `/api/v1/openai-assis...
npm
No PRs yet
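The two Flowise file-read advisories above come down to a caller-controlled identifier (`chatId`, a chat flow id) being spliced into a filesystem path with no validation. The added example below is not Flowise code; it shows the two layers a practitioner wants: a strict syntactic allow-list on the identifier, and a resolved-path containment check that also catches symlinks. The directory layout, regexes and function names are this example's own, and the tree it builds in a temp directory is constructed for the demo.

```python
"""Confining a caller-supplied chatId to the upload directory.

Added example; not Flowise code. The two advisories above describe a chatId
(and a chat flow id) that is spliced into a filesystem path without validation,
so a caller can read arbitrary files. Two layers fix it: accept only identifiers
that match a strict pattern, and, as a backstop, refuse any resolved path that
ends up outside the base directory, including via a symlink. The directory
layout, regexes and function names here are this example's own.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

CHAT_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")      # no '.', '/', '\\', NUL or percent-encoding
FILE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def resolve_upload(base_dir: Path, chat_id: str, file_name: str) -> Optional[Path]:
    """Return the real path of <base_dir>/<chat_id>/<file_name>, or None if the request must be refused."""
    if not CHAT_ID.match(chat_id) or not FILE_NAME.match(file_name) or file_name in (".", ".."):
        return None  # layer 1: syntactic allow-list
    base = base_dir.resolve()
    candidate = (base / chat_id / file_name).resolve()  # layer 2: follow symlinks, then confine
    if base not in candidate.parents:
        return None  # escaped the tree (.., absolute path, or a symlinked chat directory)
    return candidate


def demo() -> dict:
    """Build a constructed tree in a temp dir; report which requests are accepted (True) or refused (False)."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads"
    (uploads / "chat-1").mkdir(parents=True)
    (uploads / "chat-1" / "answer.txt").write_text("ok")
    (root / "secret.txt").write_text("outside the upload tree")
    results = {
        "legit": resolve_upload(uploads, "chat-1", "answer.txt") is not None,
        "traversal": resolve_upload(uploads, "../", "secret.txt") is not None,
        "dotdot_file": resolve_upload(uploads, "chat-1", "..") is not None,
        "absolute": resolve_upload(uploads, "/etc", "passwd") is not None,
        "encoded": resolve_upload(uploads, "%2e%2e", "secret.txt") is not None,
    }
    try:
        (uploads / "link").symlink_to(root)  # a chat directory that is really a symlink out of the tree
        results["symlink_escape"] = resolve_upload(uploads, "link", "secret.txt") is not None
    except OSError:
        results["symlink_escape"] = False  # platform refused to create the symlink; nothing to test
    return results
```

The regex alone would already reject every traversal string in the demo; the `resolve()` check exists for the case the regex cannot see, a chat directory that is itself a symlink pointing outside the tree.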
Flowise has Remote Code Execution vulnerability
GHSA-3gcm-f6qx-ff7p CVE-2025-59528 CRITICAL 3 months ago
## Description
### Cause of the Vulnerability
The `CustomMCP` node allows users to input configuration settings for connecting to an external MCP...
npm
No PRs yet
FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability
GHSA-hr92-4q35-4j3m CVE-2025-59527 HIGH 3 months ago
### Summary
A Server-Side Request Forgery (SSRF) vulnerability was discovered in the `/api/v1/fetch-links` endpoint of the Flowise application...
npm
No PRs yet
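The HackMD MCP, Ghost oEmbed and Flowise `/api/v1/fetch-links` advisories above are the same bug in three products: the server fetches a URL the caller chose, and the server can reach hosts the caller cannot. The added example below (not code from HackMD, Ghost or Flowise) is the destination check a practitioner would put in front of such a fetch: scheme and port allow-list, no credentials in the URL, and every resolved address must be global unicast. The resolver is injected and `DNS_TABLE` is a constructed lookup so the block runs offline.

```python
"""Refusing SSRF targets before a server-side fetch.

Added example; not code from HackMD, Ghost or Flowise. The three SSRF advisories
above share one shape: a URL chosen by a user or low-privileged staff account is
fetched by the server, which can reach localhost, cloud metadata endpoints and
internal ranges the caller cannot. This check resolves the host and refuses any
address that is not global unicast. The resolver is injected so the demo runs
offline against DNS_TABLE, a constructed lookup table.
"""
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast.

    Rejects loopback, RFC 1918, link-local (169.254.169.254 metadata), shared
    address space, ULA, documentation ranges and multicast. An IPv4-mapped IPv6
    address such as ::ffff:127.0.0.1 is judged as the IPv4 address it wraps.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def safe_fetch_target(url: str, resolve: Callable[[str], Iterable[str]]) -> bool:
    """Decide whether the server may fetch url. resolve(host) returns the A/AAAA records as strings."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False  # "http://trusted@internal/" style confusion
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False  # non-numeric port
    if port not in ALLOWED_PORTS:
        return False
    host = parts.hostname  # urlsplit strips the brackets from IPv6 literals
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal address: nothing to resolve
    except ValueError:
        addrs = list(resolve(host))
    if not addrs:
        return False  # unresolvable (or an odd literal like 0x7f000001): fail closed
    # Every record must be public. One public plus one internal answer is how
    # split-horizon DNS and rebinding attacks get past "first record" checks.
    # The HTTP client must then connect to one of these addresses rather than
    # resolving the name again, or the check can be raced.
    return all(is_public_address(a) for a in addrs)


DNS_TABLE = {  # constructed for the offline demo; not real DNS data
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "split-horizon.example": ["93.184.216.34", "10.0.0.5"],
}


def demo_resolve(host: str):
    return DNS_TABLE.get(host, [])
```

Two things this check does not do on its own: it does not follow HTTP redirects (the fetcher must re-run the check on every hop, or disable redirects), and it does not pin the connection to the vetted address, which is what closes the rebinding window mentioned in the comment.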
FlowiseAI Pre-Auth Arbitrary Code Execution
GHSA-7944-7c6r-55vv CVE-2025-57164 CRITICAL 3 months ago
## Summary
An authenticated admin user of **FlowiseAI** can exploit the **Supabase RPC Filter** component to execute **arbitrary server-side code*...
npm
No PRs yet
Liferay Portal has Improper Validation of Specified Quantity in Input
GHSA-xvgg-9h29-4g34 CVE-2025-43793 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through upda...
maven
No PRs yet
Liferay Portal has External Control of System or Configuration Settings
GHSA-vp64-77c6-33h8 CVE-2025-43792 LOW 3 months ago
Remote staging in Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7...
maven
No PRs yet
Open Web Analytics Server is vulnerable to SQL Injection
GHSA-6w8r-xgqq-qg6g CVE-2025-59397 MODERATE 3 months ago
Open Web Analytics (OWA) before 1.8.1 allows SQL injection.
packagist
No PRs yet
Liferay Portal vulnerable to Cross-site Scripting
GHSA-5c6v-fqcw-w6q5 CVE-2025-43791 MODERATE 3 months ago
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3...
maven
No PRs yet
Apache Fory Deserialization of Untrusted Data vulnerability
GHSA-5hmf-8wx5-4qq3 CVE-2025-59328 MODERATE 3 months ago
A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of un...
maven
No PRs yet
FUSE-Rust: Uninitialized memory read and leak caused by fuser crate
GHSA-cvmj-47v9-35m9 HIGH 3 months ago
During the creation of a new libfuse session with `fuse_session_new`, the operation list was passed as NULL incorrectly. libfuse expects this argum...
cargo
No PRs yet
Stored XSS in n8n LangChain Chat Trigger Node via initialMessages Parameter
GHSA-mvh4-2cm2-6hpg CVE-2025-58177 MODERATE 3 months ago
### Impact
A stored Cross-Site Scripting (XSS) vulnerability was identified in the `@n8n/n8n-nodes-langchain.chatTrigger` node in n8n. If an author...
npm
No PRs yet
Envoy: Race condition in Dynamic Forward Proxy leads to use-after-free and segmentation faults
GHSA-g9vw-6pvx-7gmw CVE-2025-54588 HIGH 3 months ago
### Summary
A use-after-free (UAF) vulnerability in Envoy's DNS cache causes abnormal process termination. Envoy may reallocate memory when proces...
go
No PRs yet
Ash's before-action hooks may execute in certain scenarios despite a request being forbidden
GHSA-jj4j-x5ww-cwh9 CVE-2025-48042 HIGH 3 months ago
### Summary
Certain bulk action calls with a `before_transaction` hook and no `after_transaction` hook, will call the `before_transaction` hook bef...
hex
No PRs yet
Temporal OSS Server Vulnerable to Allocation of Resources Without Limits or Throttling
GHSA-p768-c3pr-6459 CVE-2025-8396 MODERATE 3 months ago
Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to exce...
go
No PRs yet
mcp-kubernetes-server has an OS Command Injection vulnerability
GHSA-4hqq-7q79-932p CVE-2025-59377 CRITICAL 3 months ago
`feiskyer/mcp-kubernetes-server` through **0.1.11** allows **OS command injection** via the `/mcp/kubectl` endpoint. The handler constructs a shell...
pypi
No PRs yet
mcp-kubernetes-server has a Command Injection vulnerability
GHSA-hjm5-xgj8-vwj6 CVE-2025-59376 MODERATE 3 months ago
`mcp-kubernetes-server` does not correctly enforce the `--disable-write` / `--disable-delete` protections when commands are chained. The server onl...
pypi
No PRs yet
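The two mcp-kubernetes-server advisories above describe a handler that assembles a shell command from caller input, and a `--disable-write` / `--disable-delete` filter that judges only the start of that string, so a chained `get pods; delete pods` is classified as a harmless `get`. The added example below is not the project's code: it puts the flawed first-word check beside a hardened version that refuses shell metacharacters, tokenises with `shlex`, checks the verb, and produces an argv list for `subprocess.run(argv, shell=False)` instead of a string for a shell. `WRITE_VERBS` and `DELETE_VERBS` are this example's own lists, not the project's configuration.

```python
"""Enforcing --disable-write / --disable-delete for a kubectl-proxying MCP tool.

Added example; not code from feiskyer/mcp-kubernetes-server. The two advisories
above describe a handler that assembles a shell command from caller input and a
filter that judges only the start of that string, so "get pods; delete pods"
reads as a harmless "get". The hardened version refuses shell metacharacters
outright, tokenises with shlex, checks the verb, and returns an argv list meant
for subprocess.run(argv, shell=False). WRITE_VERBS and DELETE_VERBS are this
example's own lists, not the project's configuration.
"""
import re
import shlex
from typing import Optional

WRITE_VERBS = {"apply", "create", "edit", "patch", "replace", "scale", "set", "label",
               "annotate", "rollout", "expose", "run", "cordon", "uncordon", "drain", "taint"}
DELETE_VERBS = {"delete"}
# Command separators, pipes, redirection and substitution: none has a legitimate use in kubectl arguments.
SHELL_META = re.compile(r"[;&|<>`$(){}\n\r]")


def naive_is_allowed(command: str, disable_write: bool, disable_delete: bool) -> bool:
    """The flawed pattern: classify by the first word, then hand the whole string to a shell."""
    words = command.split()
    verb = words[0] if words else ""
    if disable_write and verb in WRITE_VERBS:
        return False
    if disable_delete and verb in DELETE_VERBS:
        return False
    return True  # "get pods; delete pods --all" gets here with verb == "get"


def build_kubectl_argv(command: str, disable_write: bool, disable_delete: bool) -> Optional[list]:
    """Return ["kubectl", ...] for a permitted command, or None if it must be refused.

    Because the result is an argv list and not a string, a shell never sees it;
    the metacharacter check is defence in depth so that a stray ';' cannot even
    reach kubectl as an argument.
    """
    if SHELL_META.search(command):
        return None
    try:
        args = shlex.split(command)
    except ValueError:
        return None  # unbalanced quotes
    if args and args[0] == "kubectl":
        args = args[1:]  # accept either "kubectl get pods" or "get pods"
    if not args:
        return None
    verb = args[0]
    if disable_write and verb in WRITE_VERBS:
        return None
    if disable_delete and verb in DELETE_VERBS:
        return None
    # A deny-list of verbs is a floor, not a ceiling: "exec", "cp", "--kubeconfig" and
    # "--raw" can all change state or reach other clusters. Prefer an allow-list in production.
    return ["kubectl", *args]
```

The returned list is meant to be passed straight to `subprocess.run` with `shell=False`; rebuilding it into a string for a shell would reintroduce the first advisory's injection even with the filter in place.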
serde_yml crate is unsound and unmaintained
GHSA-hhw4-xg65-fp2x MODERATE 3 months ago
Using `serde_yml::ser::Serializer.emitter` can cause a segmentation fault, which is unsound.
The GitHub project for `serde_yml` was archived after...
cargo
No PRs yet
LibYML: `libyml::string::yaml_string_extend` is unsound and unmaintained
GHSA-gfxp-f68g-8x78 HIGH 3 months ago
In version 0.0.4, `libyml::string::yaml_string_extend` was revised resulting in undefined behaviour, which is unsound.
The GitHub project for `lib...
cargo
No PRs yet
MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency
GHSA-qj3p-xc97-xw74 MODERATE 3 months ago
### Who is affected?
This advisory only applies to developers who use MetaMask SDK in the browser and who, on Sept 8th 2025 between 13:00–15:30 UTC...
npm
1 Dependabot PR
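The nine "contains malware after npm account takeover" advisories above name specific versions published on 8 September 2025, and the MetaMask SDK entry shows how a project that never depended on `debug` directly was still exposed through a transitive pin to `debug@4.4.2`. The added example below (not tooling from npm, GitHub or any affected project) scans a `package-lock.json` for exactly those name@version pairs at every install path, so nested copies under another package's `node_modules` are caught as well. `SAMPLE_LOCK` is a constructed lockfile for the offline demo.

```python
"""Scan an npm package-lock.json for the malicious versions named on this page.

Added example; not tooling from npm, GitHub or any of the affected projects.
KNOWN_BAD holds exactly the name@version pairs from the 8 September 2025
account-takeover advisories listed above. Because a lockfile records every
transitive dependency at its installed path, the same scan surfaces the
indirect exposure described for MetaMask SDK via debug@4.4.2. SAMPLE_LOCK is a
constructed lockfile for the offline demo.
"""
import json

KNOWN_BAD = {
    ("is-arrayish", "0.3.3"), ("error-ex", "1.3.3"), ("color-convert", "3.1.1"),
    ("color-name", "2.0.1"), ("debug", "4.4.2"), ("color", "5.0.1"),
    ("color-string", "2.1.1"), ("simple-swizzle", "0.2.3"), ("backslash", "0.2.1"),
}


def iter_locked_packages(lock: dict):
    """Yield (name, version, install_path) for lockfileVersion 1, 2 and 3.

    v2/v3 keep a flat 'packages' map keyed by install path; v1 (and v2, for
    compatibility) nests 'dependencies'. The same path may appear in both.
    """
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project, not a dependency
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
        yield name, entry.get("version", ""), path

    def walk(deps: dict, prefix: str):
        for name, entry in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, entry.get("version", ""), path
            yield from walk(entry.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_compromised(lock: dict, known_bad=KNOWN_BAD) -> list:
    """Return [{name, version, path}] for every locked package in known_bad, deduplicated by path."""
    by_path = {}
    for name, version, path in iter_locked_packages(lock):
        by_path.setdefault(path, (name, version))
    return [
        {"name": name, "version": version, "path": path}
        for path, (name, version) in sorted(by_path.items())
        if (name, version) in known_bad
    ]


def scan_lockfile(filename: str) -> list:
    """Convenience wrapper: scan_lockfile('package-lock.json')."""
    with open(filename, encoding="utf-8") as fh:
        return find_compromised(json.load(fh))


SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/chalk": {"version": "5.3.0"},
    "node_modules/some-sdk": {"version": "1.0.0", "dependencies": {"debug": "^4.4.0"}},
    "node_modules/some-sdk/node_modules/debug": {"version": "4.4.2"},
    "node_modules/debug": {"version": "4.3.7"},
    "node_modules/color-convert": {"version": "3.1.1"},
    "node_modules/color-name": {"version": "2.0.0"}
  }
}
""")

if __name__ == "__main__":
    for hit in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {hit['name']}@{hit['version']} at {hit['path']}")
```

A lockfile scan tells you what would be installed, not what already ran; the MetaMask advisory's time window (13:00 to 15:30 UTC on 8 September) is the kind of detail that decides whether a CI machine that did an `npm install` during it also needs to be treated as compromised.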
fast-able is vulnerable to DoS attack through insecure method
GHSA-95hm-pr6q-298w HIGH 3 months ago
The publicly accessible struct `SyncVec` has a public safe method `get_unchecked`. It accepts a parameter `index` that is used in `get_unchecked` without suff...
cargo
No PRs yet