Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,921
With Dependabot PRs: 1,822
Critical Severity: 3,520
High Severity: 8,659
Indico vulnerability allows attackers to bulk dump user details
GHSA-q28v-664f-q6wj CVE-2025-53640 MODERATE 5 months ago
### Impact
An endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such a...
pypi
No PRs yet
py-libp2p is vulnerable to DoS attacks through use of large RSA keys
GHSA-x8c6-gj59-6rx8 CVE-2025-29606 MODERATE 5 months ago
py-libp2p before 0.2.3 allows a peer to cause a denial of service (resource consumption) via a large RSA key.
pypi
No PRs yet
Roundup is vulnerable to XSS through interactions between URLs and issue tracker templates
GHSA-qxh9-qmf2-rhwc CVE-2025-53865 MODERATE 5 months ago
In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive).
pypi
No PRs yet
Better Call routing bug can lead to Cache Deception
GHSA-hq75-xg7r-rx6c MODERATE 5 months ago
### Summary
Using a CDN that caches (`/**/*.png`, `/**/*.json`, `/**/*.css`, etc...) requests, a cache deception can emerge. This could lead to un...
npm
No PRs yet
phpThumb is vulnerable to Command Injection through its gif_outputAsJpeg function
GHSA-q745-cfqh-hcrw CVE-2025-52994 MODERATE 5 months ago
gif_outputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. This is fixed in 1.7.23-202...
packagist
No PRs yet
Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs
GHSA-j288-q9x7-2f5v CVE-2025-48924 MODERATE 5 months ago
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 t...
maven
765 Dependabot PRs, 23% merged
Transformers is vulnerable to ReDoS attack through its DonutProcessor class
GHSA-37mw-44qp-f5jm CVE-2025-3933 MODERATE 5 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the Donut...
pypi
No PRs yet
Nimbus JOSE + JWT is vulnerable to DoS attacks when processing deeply nested JSON
GHSA-xwmg-2g98-w7v9 CVE-2025-53864 MODERATE 5 months ago
Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT ...
maven
48 Dependabot PRs, 25% merged
Apache Tomcat Coyote vulnerable to Denial of Service via excessive HTTP/2 streams
GHSA-25xr-qj8w-c4vf CVE-2025-53506 MODERATE 5 months ago
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces th...
maven
No PRs yet
Apache Tomcat Utilities is vulnerable to resource exhaustion when using the APR/Native connector
GHSA-4j3c-42xv-3f84 CVE-2025-52434 MODERATE 5 months ago
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Nativ...
maven
No PRs yet
Apache Tomcat Catalina is vulnerable to DoS attack through bypassing of size limits
GHSA-wr62-c79q-cv37 CVE-2025-52520 MODERATE 5 months ago
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size ...
maven
No PRs yet
@pdfme/common vulnerable to XSS and Prototype Pollution through its expression evaluation
GHSA-54xv-94qv-2gfg CVE-2025-53626 MODERATE 5 months ago
## Summary
The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and p...
npm
No PRs yet
Matrix Rust SDK vulnerable to SQL Injection through its EventCache implementation
GHSA-275g-g844-73jh CVE-2025-53549 MODERATE 5 months ago
An SQL injection vulnerability in the `EventCache::find_event_with_relations` method of matrix-sdk 0.11 and 0.12 allows malicious room members to e...
cargo
3 Dependabot PRs, 100% merged
Parse Server exposes the data schema via GraphQL API
GHSA-48q3-prgv-gm4w CVE-2025-53364 MODERATE 5 months ago
### Impact
The Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key...
npm
28 Dependabot PRs, 7% merged
LlamaIndex vulnerable to data loss through hash collisions in its DocugamiReader class
GHSA-5hq9-5r78-2gjh CVE-2025-6211 MODERATE 5 months ago
A vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to but excluding version 0.12.41, involves the use of MD5 h...
pypi
No PRs yet
Jenkins Xooa Plugin vulnerability does not mask its Xooa Deployment Token
GHSA-23j7-px3w-jwp2 CVE-2025-53677 MODERATE 5 months ago
Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attack...
maven
No PRs yet
Jenkins VAddy Plugin vulnerability exposes plaintext keys on its job configuration form
GHSA-8gp3-m447-gw2v CVE-2025-53669 MODERATE 5 months ago
Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for atta...
maven
No PRs yet
Jenkins Xooa Plugin vulnerability exposes unencrypted tokens to authenticated users
GHSA-56h7-r62c-83qp CVE-2025-53676 MODERATE 5 months ago
Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, wher...
maven
No PRs yet
Jenkins Applitools Eyes Plugin vulnerability exposes unencrypted keys to certain authenticated users
GHSA-q92v-3f4w-5xg8 CVE-2025-53742 MODERATE 5 months ago
Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where t...
maven
No PRs yet
Jenkins Warrior Framework Plugin vulnerability exposes unencrypted passwords to certain authenticated users
GHSA-2g8w-9933-36vr CVE-2025-53675 MODERATE 5 months ago
Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be ...
maven
No PRs yet
Jenkins Applitools Eyes Plugin vulnerability does not mask API keys on its job configuration form
GHSA-jmrv-rxgr-phvr CVE-2025-53743 MODERATE 5 months ago
Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potenti...
maven
No PRs yet
Jenkins Sensedia API Platform Plugin vulnerability exposes unencrypted tokens in its global configuration file
GHSA-93j6-jcjw-3rwp CVE-2025-53673 MODERATE 5 months ago
Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file `com....
maven
No PRs yet
Jenkins Nouvola DiveCloud Plugin vulnerability does not mask keys on its job configuration form
GHSA-4v4v-92cx-x4f4 CVE-2025-53671 MODERATE 5 months ago
Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configurati...
maven
No PRs yet
Jenkins ReadyAPI Functional Testing Plugin vulnerability exposes secrets
GHSA-r496-x769-f8j4 CVE-2025-53657 MODERATE 5 months ago
Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config...
maven
No PRs yet
Jenkins Statistics Gatherer Plugin does not mask AWS Secret Key
GHSA-26x3-7jw5-7mg4 CVE-2025-53655 MODERATE 5 months ago
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file `org.jenkins.plugins.st...
maven
No PRs yet
Jenkins ReadyAPI Functional Testing Plugin vulnerability stores unencrypted authentication credentials
GHSA-884f-p57j-f258 CVE-2025-53656 MODERATE 5 months ago
Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job `confi...
maven
No PRs yet
Jenkins Sensedia API Platform Plugin vulnerability exposes unencrypted tokens
GHSA-vx57-hphr-3mr9 CVE-2025-53674 MODERATE 5 months ago
Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasin...
maven
No PRs yet
Jenkins Dead Man's Snitch Plugin vulnerability stores tokens in plain text
GHSA-5pcv-7v3q-hw8j CVE-2025-53666 MODERATE 5 months ago
Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can ...
maven
No PRs yet
Jenkins QMetry Test Management Plugin stores unencrypted API keys
GHSA-p9gh-rpjw-78qg CVE-2025-53659 MODERATE 5 months ago
QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job `config.xml` files on the Jenkins controller as...
maven
No PRs yet
Jenkins QMetry Test Management Plugin vulnerability exposes API keys
GHSA-962q-84v8-hxhj CVE-2025-53660 MODERATE 5 months ago
QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job `config.xml` files on the Jenkins controller as...
maven
No PRs yet
Jenkins IFTTT Build Notifier Plugin vulnerability exposes IFTTT Maker Channel Keys
GHSA-jxwj-qccf-4896 CVE-2025-53662 MODERATE 5 months ago
Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job `config.xml` files on the Jenkins controller...
maven
No PRs yet
Jenkins Nouvola DiveCloud Plugin vulnerability stores unencrypted credentials
GHSA-45hr-8gq6-7f7f CVE-2025-53670 MODERATE 5 months ago
Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on ...
maven
No PRs yet
Jenkins VAddy Plugin vulnerability exposes unencrypted keys to certain authenticated users
GHSA-mr49-vmp6-2pwq CVE-2025-53668 MODERATE 5 months ago
Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be ...
maven
No PRs yet
Jenkins Apica Loadtest Plugin vulnerability exposes authentication tokens
GHSA-q8p4-vw42-66gh CVE-2025-53664 MODERATE 5 months ago
Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job `config.xml` files on the Jenkins...
maven
No PRs yet
Jenkins Kryptowire Plugin vulnerability stores unencrypted Kryptowire API key
GHSA-cvg7-767r-w3fq CVE-2025-53672 MODERATE 5 months ago
Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file `org.aerogear.kryptowire.Globa...
maven
No PRs yet
Jenkins Apica Loadtest Plugin vulnerability exposes authentication tokens
GHSA-28j3-hphh-cjr8 CVE-2025-53665 MODERATE 5 months ago
Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins c...
maven
No PRs yet
Jenkins Dead Man's Snitch Plugin vulnerability does not mask tokens
GHSA-m248-72rh-cpx4 CVE-2025-53667 MODERATE 5 months ago
Jenkins Dead Man's Snitch Plugin 0.1 does not mask Dead Man's Snitch tokens displayed on the job configuration form, increasing the potential for a...
maven
No PRs yet
Jenkins IBM Cloud DevOps Plugin vulnerability exposes SonarQube authentication tokens
GHSA-pgrx-5f8q-r5mq CVE-2025-53663 MODERATE 5 months ago
Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job `config.xml` files on the Jenkins cont...
maven
No PRs yet
Jenkins Statistics Gatherer Plugin vulnerability exposes AWS Secret Key
GHSA-3c9f-c64m-h4wc CVE-2025-53654 MODERATE 5 months ago
Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file `org.jenkins.plugins.st...
maven
No PRs yet
Jenkins Git Parameter Plugin vulnerable to code injection due to inexhaustive parameter check
GHSA-qcj2-99cg-mppf CVE-2025-53652 MODERATE 5 months ago
Jenkins Git Parameter Plugin implements a choice build parameter that lists the configured Git SCM’s branches, tags, pull requests, and revisions.
...
maven
No PRs yet
Jenkins HTML Publisher Plugin vulnerability displays controller file system information in its logs
GHSA-367v-5ppj-2hrx CVE-2025-53651 MODERATE 5 months ago
Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML repor...
maven
No PRs yet
Jenkins Aqua Security Scanner Plugin vulnerability exposes scanner tokens
GHSA-3wgg-3j4j-3f69 CVE-2025-53653 MODERATE 5 months ago
Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins contro...
maven
No PRs yet
Jenkins Credentials Binding Plugin vulnerability can expose sensitive information in logger messages
GHSA-9768-hprv-crj5 CVE-2025-53650 MODERATE 5 months ago
Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exce...
maven
No PRs yet
Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization
GHSA-r64v-82fh-xc63 CVE-2025-53512 MODERATE 5 months ago
### Impact
Any user with a Juju account on a controller can read debug log messages from the `/log` endpoint.
No specific permissions are required ...
go
No PRs yet
Cloudflare Vite plugin exposes secrets over the built-in dev server
GHSA-4pfg-2mw5-f8jx CVE-2025-59427 MODERATE 5 months ago
### Summary
Note: [originally posted on H1](https://hackerone.com/reports/3117837) but closed. Cross-posting over to here in abundance of caution ...
npm
No PRs yet
fastapi-guard is vulnerable to ReDoS through inefficient regex
GHSA-j47q-rc62-w448 CVE-2025-53539 MODERATE 5 months ago
### Summary
fastapi-guard detects penetration attempts by using regex patterns to scan incoming requests. However, some of the regex patterns used...
pypi
No PRs yet
Dagster vulnerable to Path Traversal attack through its /logs endpoint
GHSA-q93c-p2mw-p23f CVE-2023-51232 MODERATE 5 months ago
Directory Traversal vulnerability in dagster-webserver Dagster thru 1.5.10 allows remote attackers to obtain sensitive information via crafted requ...
pypi
No PRs yet
LlamaIndex vulnerable to DoS attack through uncontrolled recursive JSON parsing
GHSA-3wxx-q3gv-pvvv CVE-2025-5472 MODERATE 5 months ago
The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnera...
pypi
No PRs yet
LlamaIndex vulnerability in its ObsidianReader class can lead to Path Traversal exploit
GHSA-3j8r-jf9w-5cmh CVE-2025-6210 MODERATE 5 months ago
A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, before version 0.5.2 (specifically in version 0.12.27 of llama...
pypi
No PRs yet
Transformers vulnerable to ReDoS attack through its SETTING_RE variable
GHSA-489j-g2vx-39wf CVE-2025-3262 MODERATE 5 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.4...
pypi
No PRs yet