Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total advisories: 24,785
With Dependabot PRs: 1,792
Critical severity: 3,506
High severity: 8,617
Liferay Portal exposes ERCs, allowing enumeration via a response-time (timing) attack
GHSA-9p7x-8c57-4pqv CVE-2025-43786 MODERATE 3 months ago
Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024...
maven
No PRs yet
Liferay Portal is vulnerable to XSS attack through its search bar portlet
GHSA-x5fw-8xgx-q6c9 CVE-2025-43781 MODERATE 3 months ago
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.110 through 7.4.3.128, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024...
maven
No PRs yet
Liferay Portal is vulnerable to XSS attacks via its remote app title field
GHSA-88g3-pv3w-5wmr CVE-2025-43775 MODERATE 3 months ago
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 t...
maven
No PRs yet
SGLang Remote Code Execution Vulnerability via Unsafe Deserialization in update_weights_from_tensor
GHSA-9w53-xr52-mwgj CVE-2025-10164 MODERATE 3 months ago
A security flaw has been discovered in lmsys sglang 0.4.6. Affected by this vulnerability is the function main of the file /update_weights_from_ten...
pypi
1 Dependabot PR
Monai: Unsafe use of Pickle deserialization may lead to RCE
GHSA-p8cm-mm2v-gwjm CVE-2025-58757 HIGH 3 months ago
> To prevent this report from being deemed inapplicable or out of scope, due to the project's unique nature (for medical applications) and widesprea...
pypi
No PRs yet
MONAI: Unsafe torch usage may lead to arbitrary code execution
GHSA-6vm5-6jv9-rjpj CVE-2025-58756 HIGH 3 months ago
### Summary
In `model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True)` in monai/bundle/scripts.py, `weigh...
pypi
No PRs yet
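The SGLang and MONAI entries above both come down to the same mechanism: a pickle stream names a callable, and the loader resolves and calls it. The following is an added example, not code from either project or from PyTorch, showing the attacker-controlled `__reduce__` hook and the allow-list unpickler that defeats it. `os.getcwd` stands in for the callable a real payload would name; the allow-list contents and the "state dict" are constructed for the demonstration, and the comparison to `torch.load(weights_only=True)` is a simplification.

```python
import io
import os
import pickle
from collections import OrderedDict


class AttackerPayload:
    """Constructed malicious object. Unpickling it does not rebuild this class;
    it calls the callable named by __reduce__. os.getcwd is a harmless stand-in
    for what a real payload would name (os.system, subprocess.Popen, ...)."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_malicious_pickle() -> bytes:
    # The stream records a GLOBAL opcode for os.getcwd and a REDUCE opcode;
    # the AttackerPayload class is not needed on the loading side.
    return pickle.dumps(AttackerPayload())


def unsafe_load(data: bytes):
    # What pickle.load / torch.load(..., weights_only=False) do: any importable
    # callable named in the stream is resolved and executed.
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: only the (module, name) pairs below may be
    resolved, so os.getcwd is refused before it is ever called. torch's
    weights_only mode is the same idea with an allow-list of tensor types
    (simplified here; assumption, not MONAI's or torch's code)."""

    ALLOWED = {
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_blocks(data: bytes) -> bool:
    """True if the allow-list rejects the stream, False if it loads."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def benign_state_dict() -> bytes:
    # Constructed stand-in for a checkpoint: a state dict of plain containers.
    return pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])]))


if __name__ == "__main__":
    payload = build_malicious_pickle()
    print("unsafe_load ran the attacker's callable, got:", unsafe_load(payload))
    print("safe_load blocks payload:", safe_load_blocks(payload))
    print("safe_load of benign state dict:", dict(safe_load(benign_state_dict())))
```

The point of the restricted loader is that the decision is made in `find_class`, before the REDUCE opcode runs; a check after loading is too late. Any model-loading code that accepts files from outside the trust boundary should either use such an allow-list or a non-executable format.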
MONAI does not prevent path traversal, potentially leading to arbitrary file writes
GHSA-x6ww-pf9m-m73m CVE-2025-58755 HIGH 3 months ago
### Summary
The extractall function ```zip_file.extractall(output_dir)``` is used directly to process compressed files. It is used in many places i...
pypi
No PRs yet
TinyEnv: Inline comments not stripped properly in .env values
GHSA-72cm-7236-h43r CVE-2025-58759 MODERATE 3 months ago
### Impact
TinyEnv did not properly strip inline comments inside .env values. This could lead to unexpected behavior or misconfiguration, where var...
packagist
No PRs yet
TinyEnv: Missing .env file not required — may cause unexpected behavior
GHSA-3j7m-5g4q-gfpc CVE-2025-58758 MODERATE 3 months ago
### Impact
TinyEnv did not require the `.env` file to exist when loading environment variables.
This could lead to **unexpected behavior** where ...
packagist
No PRs yet
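The two TinyEnv entries describe parser behaviour (inline comments kept inside values; a missing `.env` treated as success). As an added example, not TinyEnv's code, here is a small `.env` parser in Python that applies the usual convention: a `#` preceded by whitespace in an unquoted value starts a comment, a `#` inside quotes or glued to the value is literal, and a missing file is an error unless the caller opts out. The sample file and the exact comment rule are assumptions, not taken from TinyEnv.

```python
import os
import re

_KEY = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_value(raw: str, lineno: int) -> str:
    raw = raw.strip()
    if raw and raw[0] in ('"', "'"):
        # Quoted value: runs to the matching quote; a '#' inside is literal.
        quote = raw[0]
        end = raw.find(quote, 1)
        if end == -1:
            raise ValueError(f"line {lineno}: unterminated quote")
        tail = raw[end + 1:].strip()
        if tail and not tail.startswith("#"):
            raise ValueError(f"line {lineno}: unexpected text after closing quote")
        return raw[1:end]
    # Unquoted value: a '#' preceded by whitespace starts an inline comment;
    # a '#' glued to the value (COLOR=#ff0000, TOKEN=ab#cd) is part of it.
    for i, ch in enumerate(raw):
        if ch == "#" and i > 0 and raw[i - 1] in " \t":
            return raw[:i].rstrip()
    return raw


def naive_value(raw: str) -> str:
    """The faulty behaviour described in the first TinyEnv entry, for
    contrast: everything after '=' is taken verbatim, comment included."""
    return raw.strip()


def parse_env(text: str) -> dict:
    env = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("export "):
            stripped = stripped[len("export "):].lstrip()
        key, sep, raw = stripped.partition("=")
        key = key.strip()
        if not sep or not _KEY.fullmatch(key):
            raise ValueError(f"line {lineno}: malformed assignment: {line!r}")
        env[key] = parse_value(raw, lineno)
    return env


def load_env_file(path: str, required: bool = True) -> dict:
    """A missing file is an error unless the caller opts out, so the app never
    silently runs with an empty environment (the second TinyEnv entry)."""
    if not os.path.isfile(path):
        if required:
            raise FileNotFoundError(f"{path}: .env file is required but missing")
        return {}
    with open(path, encoding="utf-8") as fh:
        return parse_env(fh.read())


# Constructed sample, not a real configuration.
SAMPLE_ENV = """\
# database settings
DB_HOST=localhost # dev box
DB_PASS="s3cr#t # still the password"
COLOR=#ff0000
TOKEN=ab#cd
export API_URL='https://api.example.test/v1' # trailing comment
EMPTY=
"""


def sample_env() -> dict:
    return parse_env(SAMPLE_ENV)


def missing_file_is_error(path: str) -> bool:
    try:
        load_env_file(path, required=True)
    except FileNotFoundError:
        return True
    return False
```

With the naive rule, `DB_HOST` would be `localhost # dev box` and the connection would silently go to a host that does not exist; with the quoted form the password keeps its `#`.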
Vite middleware may serve files whose names start with the public directory's name
GHSA-g4jq-h2w9-997c CVE-2025-58751 LOW 3 months ago
### Summary
Files whose path starts with the public directory's name were served, bypassing the `server.fs` settings.
### Impact
Only apps that ...
npm
No PRs yet
Vite's `server.fs` settings were not applied to HTML files
GHSA-jqfw-vq24-v9c3 CVE-2025-58752 LOW 3 months ago
### Summary
Any HTML files on the machine were served regardless of the `server.fs` settings.
### Impact
Only apps that match the following condi...
npm
No PRs yet
Maho is Vulnerable to Authenticated Remote Code Execution via File Upload
GHSA-vgmm-27fc-vmgp CVE-2025-58449 HIGH 3 months ago
### Summary
In Maho 25.7.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Products` permissions can create a custo...
packagist
No PRs yet
Cattown is Vulnerable to Uncontrolled Resource Consumption through Inefficient Regular Expression Complexity
GHSA-455v-w7r9-3vv9 CVE-2025-58451 HIGH 3 months ago
### Overview
A security review of Cattown identified multiple weaknesses that could potentially impact its stability and security.
### Affecte...
npm
No PRs yet
listmonk: CSRF to XSS Chain can Lead to Admin Account Takeover
GHSA-rf24-wg77-gq7w CVE-2025-58430 HIGH 3 months ago
### Summary
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’...
go
No PRs yet
OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload
GHSA-49mj-x8jp-qvfc CVE-2025-58180 HIGH 3 months ago
### Impact
OctoPrint versions up to and including 1.11.2 contain a vulnerability that allows an **authenticated** attacker to upload a file und...
pypi
No PRs yet
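Three entries on this page are variants of one mistake: the MONAI `extractall` entry (archive member names honoured verbatim), the Vite "same name as the public directory" entry (a string-prefix check instead of a path-component check), and the OctoPrint upload entry (a client-supplied filename used as a path). The following is an added example, not code from MONAI, Vite or OctoPrint, showing one containment check that covers all three, beside the prefix check that fails. The archive contents, directory names and the upload allow-list are constructed for the demonstration, and the example assumes a POSIX path separator.

```python
import io
import os
import re
import zipfile


def is_inside(base_dir: str, candidate: str) -> bool:
    """True only if candidate resolves to base_dir itself or to a path below it.
    realpath collapses '..' and symlinks; commonpath compares whole path
    components, so 'public' never matches a sibling named 'public-secrets'."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, candidate))
    return os.path.commonpath([base, target]) == base


def naive_prefix_check(base_dir: str, candidate: str) -> bool:
    """The bug pattern behind the Vite entry: a string prefix test that accepts
    any sibling whose name starts with the base directory's name. Kept here
    only for contrast."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, candidate))
    return target.startswith(base)


def unsafe_zip_members(zf: zipfile.ZipFile, output_dir: str) -> list:
    """Archive entry names that would land outside output_dir if the entry
    name were honoured verbatim (absolute paths, '..' components)."""
    return [info.filename for info in zf.infolist()
            if not is_inside(output_dir, info.filename)]


def safe_extract(zf: zipfile.ZipFile, output_dir: str) -> None:
    """Check every member first; refuse the whole archive on any escape."""
    bad = unsafe_zip_members(zf, output_dir)
    if bad:
        raise ValueError(f"refusing to extract into {output_dir}: {bad}")
    zf.extractall(output_dir)


def extraction_refused(zf: zipfile.ZipFile, output_dir: str) -> bool:
    try:
        safe_extract(zf, output_dir)
    except ValueError:
        return True
    return False


_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]+")


def sanitize_upload_filename(name: str) -> str:
    """Reduce a client-supplied upload name to one safe path component: drop
    any directory part (either separator), NUL bytes and characters outside a
    conservative allow-list (assumed policy), and never return an empty or
    dot-only name."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.replace("\x00", "")
    name = _UNSAFE_CHARS.sub("_", name).strip("._")
    return name or "upload"


def build_constructed_zip() -> zipfile.ZipFile:
    """Constructed in-memory archive: one normal entry and two that try to
    escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bundle/model.pt", b"weights")
        zf.writestr("../../home/user/.bashrc", b"# injected")
        zf.writestr("/etc/cron.d/job", b"# injected")
    buf.seek(0)
    return zipfile.ZipFile(buf)
```

Whether a particular Python version's `zipfile.extractall` already strips the offending components is not something this listing says; the explicit pre-check makes the policy visible in the code and fails closed for the whole archive rather than extracting the safe members and skipping the rest.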
CoreDNS: DNS Cache Pinning via etcd Lease ID Confusion
GHSA-93mf-426m-g6x9 CVE-2025-58063 HIGH 3 months ago
# Summary
The CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling cache pinnin...
go
No PRs yet
Element Plus Link component (el-link) implements insufficient input validation for the href attribute
GHSA-5m5x-9j46-h678 CVE-2025-57665 MODERATE 3 months ago
Element Plus Link component (el-link) prior to 2.11.0 implements insufficient input validation for the href attribute, creating a security abstract...
npm
No PRs yet
Apache DolphinScheduler vulnerable to Alert Script Attack
GHSA-3vcp-r62v-xpvg CVE-2024-43115 HIGH 3 months ago
Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute arbitrary shell scripts on the server via the alert script feature.
Th...
maven
No PRs yet
YesWiki Cross Site Scripting vulnerability
GHSA-29cj-cxw4-v4j2 CVE-2025-52277 MODERATE 3 months ago
Cross-site scripting vulnerability in YesWiki v4.5.4 allows a remote attacker to execute arbitrary code via a crafted payload to the meta configur...
packagist
No PRs yet
Liferay Portal and Liferay DXP vulnerable to stored Cross-site Scripting
GHSA-rcc7-jx7p-hrv4 CVE-2025-43776 MODERATE 3 months ago
A stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 t...
maven
No PRs yet
Magento Community Edition Improper Input Validation vulnerability
GHSA-wh92-6q6g-px7j CVE-2025-54236 CRITICAL 3 months ago
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation ...
packagist
No PRs yet
toodee is vulnerable to Heap Buffer Overflow through its DrainCol Destructor
GHSA-pfp7-vxgr-83pw HIGH 3 months ago
An off-by-one error in the `DrainCol::drop` destructor could cause an unsafe memory copy operation to exceed the bounds of the associated vector.
...
cargo
No PRs yet
copyparty: Sharing a single file does not fully restrict access to other files in source folder
GHSA-pxvw-4w88-6x95 CVE-2025-58753 MODERATE 3 months ago
There was a missing permission-check in the shares feature (the `shr` global-option).
When a share is created for just one file inside a folder, i...
pypi
No PRs yet
DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware
GHSA-w62p-hx95-gf2c CVE-2025-59037 HIGH 3 months ago
The DuckDB distribution for Node.js on npm (https://www.npmjs.com/) was compromised with malware (along with several other pac...
npm
No PRs yet
TYPO3 CMS exposes sensitive information in an error message
GHSA-cvm2-5f78-g9m8 CVE-2025-59016 MODERATE 3 months ago
Error messages containing sensitive information in the File Abstraction Layer in TYPO3 CMS versions 9.0.0-9.5.54, 10.0.0-10.4.53, 11.0.0-11.5.47, 1...
packagist
No PRs yet
TYPO3 backend modules have Broken Access Control
GHSA-2fhw-2j7m-mr4m CVE-2025-59017 MODERATE 3 months ago
Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑...
packagist
No PRs yet
TYPO3 CSV download feature information disclosure
GHSA-j8vm-7q52-2m2m CVE-2025-59019 MODERATE 3 months ago
Missing authorization checks in the CSV download feature of TYPO3 CMS versions 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend use...
packagist
No PRs yet
TYPO3 Workspaces Module Information Disclosure
GHSA-w2pf-7q5w-2cgw CVE-2025-59018 HIGH 3 months ago
Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0...
packagist
No PRs yet
TYPO3 CMS has an open‑redirect vulnerability
GHSA-72jf-5fg5-3cw3 CVE-2025-59013 MODERATE 3 months ago
An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 1...
packagist
No PRs yet
TYPO3 Bookmark Toolbar vulnerable to denial of service
GHSA-xrcq-533q-8rxw CVE-2025-59014 MODERATE 3 months ago
An uncaught exception in the Bookmark Toolbar of TYPO3 CMS versions 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 lets administrator‑level bac...
packagist
No PRs yet
TYPO3 CMS uses insufficient entropy when generating passwords
GHSA-p5jq-5383-qvc7 CVE-2025-59015 MODERATE 3 months ago
A deterministic three‑character prefix in the Password Generation component of TYPO3 CMS versions 12.0.0–12.4.36 and 13.0.0–13.4.17 reduces entropy...
packagist
No PRs yet
Liferay Portal is vulnerable to XSS attack through fieldset name in Kaleo Forms Admin
GHSA-cpg4-qcj8-42gp CVE-2025-43778 MODERATE 3 months ago
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.11, 2025.Q1.0...
maven
No PRs yet
Liferay Portal returns a 500 status when attempting login with a deleted client secret
GHSA-9vwq-j6gq-w9xh CVE-2025-43777 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 20...
maven
No PRs yet
Liferay Portal is vulnerable to XSS attack through its Style Book theme
GHSA-qgj5-4qvg-2f8c CVE-2025-43774 LOW 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.17 allows a remote ...
maven
No PRs yet
Liferay Portal is vulnerable to SSRF through custom object attachment fields
GHSA-477q-x55m-j38g CVE-2025-43763 MODERATE 3 months ago
A server-side request forgery (SSRF) vulnerability exists in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4....
maven
No PRs yet
pREST has a Systemic SQL Injection Vulnerability
GHSA-p46v-f2x8-qp98 CVE-2025-58450 CRITICAL 3 months ago
# Summary
pREST provides a simple way for users to expose their database via a RESTful API. The project is implemented using the Go progra...
go
No PRs yet
MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server
GHSA-g9hg-qhmf-q45m CVE-2025-58444 HIGH 3 months ago
An XSS flaw exists in the MCP Inspector local development tool when it renders a redirect URL returned by a remote MCP server. If the Inspector con...
npm
No PRs yet
XWiki Blog Application: Privilege Escalation (PR) from account through blog content
GHSA-gwj6-xpfg-pxwr CVE-2025-58365 HIGH 3 months ago
### Impact
The blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-...
maven
No PRs yet
Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation
GHSA-hjfh-p8f5-24wr CVE-2025-57817 HIGH 3 months ago
### Summary
The OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highl...
pypi
No PRs yet
Fides Webserver API Rate Limiting Vulnerability in Proxied Environments
GHSA-fq34-xw6c-fphf CVE-2025-57816 MODERATE 3 months ago
### Summary
The Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The sys...
pypi
No PRs yet
Fides has a Lack of Brute-Force Protections on Authentication Endpoints
GHSA-7q62-r88r-j5gw CVE-2025-57815 LOW 3 months ago
### Summary
The Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation contr...
pypi
No PRs yet
Fides' Admin UI User Password Change Does Not Invalidate Current Session
GHSA-rpw8-82v9-3q87 CVE-2025-57766 LOW 3 months ago
### Summary
Admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where at...
pypi
No PRs yet
@akoskm/create-mcp-server-stdio is vulnerable to MCP Server Command Injection through `exec` API
GHSA-3ch2-jxxc-v4xf CVE-2025-54994 CRITICAL 3 months ago
# Command Injection in MCP Server
The MCP Server at https://github.com/akoskm/create-mcp-server-stdio is written in a way that is vulnerable to co...
npm
No PRs yet
CodeceptJS's incomplete sanitization can lead to Command Injection
GHSA-34w8-mcwr-vg29 CVE-2025-57285 CRITICAL 3 months ago
CodeceptJS versions 3.5.0 through 3.7.5-beta.18 contain a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync ...
npm
No PRs yet
N8N's Chat Trigger component is vulnerable to XSS
GHSA-v2x8-97xq-8xrr CVE-2025-56265 HIGH 3 months ago
An arbitrary file upload vulnerability in the Chat Trigger component of N8N v1.95.3, v1.100.1, and v1.101.1 allows attackers to execute arbitrary c...
npm
No PRs yet
SimStudioAI: A function in route.ts is vulnerable to Code Injection
GHSA-g4c9-f287-64xg CVE-2025-10097 MODERATE 3 months ago
A vulnerability was identified in SimStudioAI sim. This impacts an unknown function of the file apps/sim/app/api/function/execute/route.ts. The man...
npm
No PRs yet
Django is subject to SQL injection through its column aliases
GHSA-6w2r-r2m5-xq5w CVE-2025-57833 HIGH 3 months ago
An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in colum...
pypi
6 Dependabot PRs
sanitize-html is vulnerable to XSS through incomplete sanitization
GHSA-qhxp-v273-g94h CVE-2019-25225 MODERATE 3 months ago
`sanitize-html` prior to version 2.0.0-beta is vulnerable to Cross-site Scripting (XSS). The `sanitizeHtml()` function in `index.js` does not sanit...
npm
No PRs yet
Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data
GHSA-cxvc-g8f2-4gmm CVE-2025-58782 MODERATE 3 months ago
There is a Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.
This issue affects Apache Ja...
maven
No PRs yet
Atlantis Exposes Service Version Publicly on /status API Endpoint
GHSA-xh7v-965r-23f7 CVE-2025-58445 LOW 3 months ago
### Summary
Atlantis publicly exposes detailed version information on its `/status` endpoint. This information disclosure could allow attackers to ...
go
No PRs yet