An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,785 Total Advisories
1,792 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity

Chaos Controller Manager is vulnerable to OS command injection
GHSA-369h-6j28-wwcg CVE-2025-59359 CRITICAL 3 months ago
The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenti...
go
No PRs yet
Chaos Controller Manager is vulnerable to OS command injection
GHSA-xv9f-728h-9jgv CVE-2025-59360 CRITICAL 3 months ago
The killProcesses mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unaut...
go
No PRs yet
Chaos Mesh's Chaos Controller Manager is Missing Authentication for Critical Function
GHSA-2gg8-85m5-8r2p CVE-2025-59358 HIGH 3 months ago
The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provid...
go
No PRs yet
Mattermost Open Redirect vulnerability
GHSA-69j8-prx2-vx98 CVE-2025-9072 HIGH 3 months ago
Mattermost versions 10.10.x <= 10.10.1, 10.5.x <= 10.5.9, 10.9.x <= 10.9.4 fail to validate the redirect_to parameter, allowing an attacker to craf...
go
No PRs yet
Liferay Portal has stored cross-site scripting (XSS) vulnerability
GHSA-r45v-2289-jgr4 CVE-2025-43794 MODERATE 3 months ago
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4....
maven
No PRs yet
Chaos Controller Manager is vulnerable to OS command injection
GHSA-2gcv-3qpf-c5qr CVE-2025-59361 CRITICAL 3 months ago
The cleanIptables mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unaut...
go
No PRs yet
Mattermost makes Use of Weak Hash
GHSA-9p92-x77w-9fw2 CVE-2025-9078 MODERATE 3 months ago
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache key...
go
No PRs yet
Mattermost Open Redirect vulnerability
GHSA-hm95-jx66-g2gh CVE-2025-9084 LOW 3 months ago
Mattermost versions 10.5.x <= 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafte...
go
No PRs yet
Mattermost Missing Authorization vulnerability
GHSA-3vcm-c42p-3hhf CVE-2025-9076 MODERATE 3 months ago
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious...
go
No PRs yet
Hugging Face Transformers library has Regular Expression Denial of Service
GHSA-rcv9-qm8p-9p6j CVE-2025-6051 MODERATE 3 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `norm...
pypi
No PRs yet
Liferay Portal's System, Instance and Site Settings are vulnerable to Open Redirect
GHSA-m55r-9fx8-725j CVE-2025-43795 MODERATE 3 months ago
Open redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA ...
maven
No PRs yet
Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack
GHSA-f3hf-r62c-mfrj CVE-2025-43796 HIGH 3 months ago
Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 does not ...
maven
No PRs yet
Hono has Body Limit Middleware Bypass
GHSA-92vj-g62v-jqhh CVE-2025-59139 MODERATE 3 months ago
Summary: A flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were pr...
npm
2 Dependabot PRs
httpsig-rs: HMAC verification is vulnerable to timing attack
GHSA-q7pg-9pr4-mrp2 CVE-2025-59058 MODERATE 3 months ago
Summary: HMAC signature comparison is not timing-safe and is vulnerable to timing attacks. Details: `SharedKey::sign()` returns a `Vec<u8>` ...
cargo
No PRs yet
Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
GHSA-wgpv-6j63-x5ph CVE-2025-58434 CRITICAL 3 months ago
Summary: The `forgot-password` endpoint in Flowise returns sensitive information including a valid password reset `tempToken` without authentic...
npm
No PRs yet
Liferay Portal's selection modal is vulnerable to XSS
GHSA-g8fh-pfw3-8rmr CVE-2025-43787 MODERATE 3 months ago
A stored cross-site scripting vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12...
maven
No PRs yet
Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer
GHSA-59p9-h35m-wg4g CVE-2025-6638 MODERATE 3 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the Ma...
pypi
No PRs yet
Liferay Portal's Organization Selector exposes organization data to remote authenticated users
GHSA-v53g-736w-mgw4 CVE-2025-43788 MODERATE 3 months ago
The organization selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update ...
maven
No PRs yet
Liferay Portal JSON Web Services Direct Class Invocation Enables Service Access Policy Execution
GHSA-q86r-gwqc-jx85 CVE-2025-43789 LOW 3 months ago
JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSG...
maven
No PRs yet
Neo4j Cypher MCP server is vulnerable to DNS rebinding
GHSA-vcqx-v2mg-7chx CVE-2025-10193 HIGH 3 months ago
Impact: DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute un...
pypi
No PRs yet
SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions
GHSA-7vm2-j586-vcvc CVE-2025-11060 MODERATE 3 months ago
`LIVE SELECT` statements are used to capture changes to data within a table in real time. Documents included in `WHERE` conditions and `DELETE` not...
cargo
No PRs yet
Subrion CMS: Authenticated administrators are able to gain escalated access through Run SQL Query tool
GHSA-h8wv-vv58-468h CVE-2025-56556 MODERATE 3 months ago
An issue was discovered in Subrion CMS 4.2.1, allowing authenticated administrators or moderators with access to the built-in Run SQL Query feature ...
packagist
No PRs yet
matrix-sdk-base: Panic in the `RoomMember::normalized_power_level()` method
GHSA-qhj8-q5r6-8q6j CVE-2025-59047 LOW 3 months ago
In matrix-sdk-base before 0.14.1, calling the `RoomMember::normalized_power_level()` method can cause a panic if a room member has a power level of...
cargo
No PRs yet
Axios is vulnerable to DoS attack through lack of data size check
GHSA-4hjh-wcwx-xvwj CVE-2025-58754 HIGH 3 months ago
Summary: When Axios runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes...
npm
3 Dependabot PRs
Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name
GHSA-wr8m-5h2p-4432 CVE-2025-43782 MODERATE 3 months ago
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024....
maven
No PRs yet
Liferay Portal is vulnerable to Insecure Direct Object Reference (IDOR) attack through Authentication Bypass
GHSA-5wxc-3jfw-w94p CVE-2025-43790 HIGH 3 months ago
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024....
maven
No PRs yet
Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods
GHSA-765j-9r45-w2q2 CVE-2025-58065 MODERATE 3 months ago
Impact: When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remain...
pypi
No PRs yet
Prebid-universal-creative latest on npm briefly compromised
GHSA-m662-56rj-8fmm CVE-2025-59039 CRITICAL 3 months ago
Impact: Npm users of PUC 1.17.3 or PUC latest were briefly affected by crypto-related malware detailed in the blog post below. This includes the...
npm
No PRs yet
Prebid.js NPM package briefly compromised
GHSA-jwq7-6j4r-2f92 CVE-2025-59038 HIGH 3 months ago
Impact: NPM users of prebid 10.9.2. The malicious code attempts to redirect crypto transactions on the site to the attackers' wallet. Patch...
npm
No PRs yet
jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin
GHSA-33vc-wfww-vjfv CVE-2025-9910 MODERATE 3 months ago
Vulnerability in jsondiffpatch: Versions of `jsondiffpatch` prior to `0.7.2` are vulnerable to Cross-site Scripting (XSS) in the `HtmlFormatter...
npm
No PRs yet
Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage
GHSA-68x2-mx4q-78m7 CVE-2025-59052 HIGH 3 months ago
Impact: Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reaso...
npm
93 Dependabot PRs, 1% Merged
interactive-git-checkout has a Command Injection vulnerability
GHSA-4wcm-7hjf-6xw5 CVE-2025-59046 CRITICAL 3 months ago
The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the ...
npm
No PRs yet
Liferay Portal's Incorrect Authorization vulnerability can lead to guest users obtaining sensitive data
GHSA-fvp7-jj9m-3qpf CVE-2025-43784 MODERATE 3 months ago
Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 20...
maven
No PRs yet
Liferay Portal is vulnerable to Reflected XSS attack through get_editor path
GHSA-jhgr-j9cj-8j62 CVE-2025-43783 MODERATE 3 months ago
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024....
maven
No PRs yet
Infrahub: Deleted and expired API tokens can still authenticate
GHSA-v2p7-4pv4-3wwh CVE-2025-59036 MODERATE 3 months ago
Impact: A bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API...
pypi
No PRs yet
Shopware: Reflected Cross-Site Scripting (XSS) in CMS components
GHSA-9v82-vcjx-m76j HIGH 3 months ago
Impact: By exploiting XSS vulnerabilities, malicious actors can perform harmful actions in the user's web browser in the session context of the ...
packagist
No PRs yet
xml2rfc is vulnerable to arbitrary file reads through prepped files
GHSA-9mv7-3c64-mmqw CVE-2025-11059 HIGH 3 months ago
Impact: When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious lin...
pypi
No PRs yet
WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled
GHSA-jxmr-2h4q-rhxp CVE-2025-54376 HIGH 3 months ago
Summary: Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin A...
go
No PRs yet
PyInstaller has local privilege escalation vulnerability
GHSA-p2xp-xx3r-mffc CVE-2025-59042 HIGH 3 months ago
Impact: Due to a special entry being appended to `sys.path` during the bootstrap process of a PyInstaller-frozen application, and due to the bo...
pypi
No PRs yet
Claude Code vulnerable to arbitrary code execution caused by maliciously configured git email
GHSA-j4h9-wv2m-wrf7 CVE-2025-59041 HIGH 3 months ago
At startup, Claude Code constructed a shell command that interpolated the value of `git config user.email` from the current workspace. If an attack...
npm
No PRs yet
Indico vulnerable to Cross-Site Scripting via LaTeX math code
GHSA-7cf7-9wrr-vrf4 CVE-2025-59035 MODERATE 3 months ago
Impact: There is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Patches: You...
pypi
No PRs yet
Indico may disclose unauthorized user details access via legacy API
GHSA-4269-mcfh-cp7q CVE-2025-59034 MODERATE 3 months ago
Impact: A legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due t...
pypi
No PRs yet
Picklescan Bypass is Possible via File Extension Mismatch
GHSA-jgw4-cr84-mqxg CVE-2025-10155 CRITICAL 3 months ago
Summary: Picklescan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-re...
pypi
No PRs yet
Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check
GHSA-mjqp-26hc-grxg CVE-2025-10156 CRITICAL 3 months ago
Summary: Picklescan's ability to scan ZIP archives for malicious pickle files is compromised when the archive contains a file with a bad Cyclic ...
pypi
No PRs yet
Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation
GHSA-r4h8-hfp2-ggmf CVE-2025-54123 CRITICAL 3 months ago
Summary: It has been discovered that the middleware functionality in Hoverfly is vulnerable to command injection through its `/api/v2/hoverfly/m...
go
No PRs yet
Liferay Portal and Liferay DXP vulnerable to Stored Cross-site Scripting
GHSA-66x6-8jgv-qpfh CVE-2025-43785 MODERATE 3 months ago
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1....
maven
No PRs yet
Decap CMS Cross Site Scripting (XSS) vulnerability
GHSA-xp8g-32qh-mv28 CVE-2025-57520 MODERATE 3 months ago
Decap CMS through 3.8.3 is vulnerable to stored Cross-Site Scripting (XSS) in the admin preview pane. User-controlled fields (e.g., title, descript...
npm
No PRs yet
Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports
GHSA-f7qq-56ww-84cr CVE-2025-10157 CRITICAL 3 months ago
Summary: The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. T...
pypi
No PRs yet
Webrecorder packages are vulnerable to XSS through 404 error handling logic
GHSA-w765-jm6w-4hhj CVE-2025-58765 HIGH 3 months ago
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter `requestU...
npm
No PRs yet
Claude Code rg vulnerability does not protect against approval prompt bypass
GHSA-qxfv-fcpc-w36x CVE-2025-58764 HIGH 3 months ago
Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Rel...
npm
No PRs yet