An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

xgrammar vulnerable to denial of service by huge enum grammar
GHSA-9q5r-wfvf-rr7f CVE-2025-58446 MODERATE 3 months ago
### Summary Provided grammar, would fit in a context window of most of the models, but takes minutes to process in 0.1.23. In testing with 0.1.16 t...
pypi
No PRs yet
secrets-store-sync-controller discloses service account tokens in logs
GHSA-rcw7-pqfp-735x CVE-2025-7445 MODERATE 3 months ago
Hello Kubernetes Community, A security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs cou...
go
No PRs yet
internetarchive Vulnerable to Directory Traversal in File.download()
GHSA-wx3r-v6h7-frjp CVE-2025-58438 CRITICAL 3 months ago
### Impact **What kind of vulnerability is it?** This is a **Critical** severity directory traversal (path traversal) vulnerability in the `File.do...
pypi
No PRs yet
FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side
GHSA-rrw2-px9j-qffj CVE-2025-58369 MODERATE 3 months ago
### Impact When establishing a TLS session using `fs2-io` on the JVM using the `fs2.io.net.tls` package, if one side of the connection shuts down w...
maven
No PRs yet
Coder vulnerable to privilege escalation could lead to a cross workspace compromise
GHSA-j6xf-jwrj-v5qp CVE-2025-58437 HIGH 3 months ago
## Summary Insecure session handling opened room for a privilege escalation scenario in which [prebuilt workspaces](https://coder.com/docs/admin/t...
go
No PRs yet
ImageMagick BlobStream Forward-Seek Under-Allocation
GHSA-23hg-53q6-hqfg CVE-2025-57807 LOW 3 months ago
**Reporter:** Lumina Mescuwa **Product:** ImageMagick 7 (MagickCore) **Component:** `MagickCore/blob.c` (Blob I/O - BlobStream) **Tested:** 7...
nuget
No PRs yet
pgadmin4 is affected by a Cross-Origin Opener Policy (COOP) vulnerability
GHSA-6859-2qxq-ffv2 CVE-2025-9636 HIGH 3 months ago
pgAdmin <= 9.7 is affected by a Cross-Origin Opener Policy (COOP) vulnerability. This vulnerability allows an attacker to manipulate the OAuth flow...
pypi
No PRs yet
TkEasyGUI Affected by Uncontrolled Search Path Element Issue
GHSA-ph2w-cx28-vhrq CVE-2025-55671 HIGH 3 months ago
Uncontrolled search path element issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, arbitrary code may be exe...
pypi
No PRs yet
TkEasyGUI Vulnerable to OS Command Injection
GHSA-hfrj-3w3g-jv32 CVE-2025-55037 CRITICAL 3 months ago
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. If ...
pypi
No PRs yet
podman kube play symlink traversal vulnerability
GHSA-wp3j-xq48-xpjw CVE-2025-9566 HIGH 3 months ago
### Impact The podman kube play command can overwrite host files when the kube file contains a ConfigMap or Secret volume mount and the volume alr...
go
No PRs yet
Presta Shop vulnerable to email enumeration
GHSA-8xx5-h6m3-jr33 CVE-2025-51586 MODERATE 3 months ago
### Impact An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate va...
packagist
No PRs yet
Argo CD's Project API Token Exposes Repository Credentials
GHSA-786q-9hcg-v9ff CVE-2025-55190 CRITICAL 3 months ago
### Summary Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through ...
go
No PRs yet
Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter
GHSA-qpr4-c339-7vq8 CVE-2025-58179 HIGH 3 months ago
### Summary When using Astro's Cloudflare adapter (`@astrojs/cloudflare`) configured with `output: 'server'` while using the default `imageService...
npm
No PRs yet
Pixar OpenUSD Sdf_PathNode Module Use-After-Free Vulnerability Leading to Potential Remote Code Execution
GHSA-58p5-r2f6-g2cj CRITICAL 3 months ago
### Summary A Use-After-Free (UAF) vulnerability has been discovered in the Sdf_PathNode module of the Pixar OpenUSD library. This issue occurs dur...
pypi
No PRs yet
Netty vulnerable to request smuggling due to incorrect parsing of chunk extensions
GHSA-fghv-69vj-qj49 CVE-2025-58056 LOW 3 months ago
## Summary A flaw in netty's parsing of chunk extensions in HTTP/1.1 messages with chunked encoding can lead to request smuggling issues with some ...
maven
7 Dependabot PRs
Vaadin Platform possible file bypass via upload validation on the server-side
GHSA-c7v7-rqfm-f44j MODERATE 3 months ago
### Description When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload ...
maven
No PRs yet
Vaadin Flow Components possible file bypass via upload validation on the server-side
GHSA-94g8-xv23-7656 MODERATE 3 months ago
### Description When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload ...
maven
No PRs yet
Vaadin Framework possible file bypass via upload validation on the server-side
GHSA-9gfh-4fwj-w3rj CVE-2025-9467 MODERATE 3 months ago
### Description When the Vaadin Upload's start listener is used to validate metadata about an incoming upload, it is possible to bypass the upload ...
maven
No PRs yet
Memos Vulnerable to Stored Cross-Site Scripting
GHSA-cgrg-86m5-xm4w CVE-2025-56761 MODERATE 3 months ago
Memos 0.22 is vulnerable to Stored Cross site scripting (XSS) vulnerabilities by the upload attachment and user avatar features. Memos does not ver...
go
No PRs yet
Memos Vulnerable to Path Traversal via the CreateResource Endpoint
GHSA-78j5-8vq7-jxv5 CVE-2025-56760 MODERATE 3 months ago
When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal s...
go
No PRs yet
PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps
GHSA-vxmw-7h4f-hqxh LOW 3 months ago
### Summary `gh-action-pypi-publish` makes use of GitHub Actions expression expansions (i.e. `${{ ... }}`) in contexts that are potentially attack...
actions
24 Dependabot PRs
Weblate has a long session expiry when verifying second factor
GHSA-377j-wj38-4728 CVE-2025-58352 LOW 3 months ago
### Impact The verification of the second factor had too long a session expiry. The long session expiry could be used to circumvent rate limiting o...
pypi
No PRs yet
Langchain Community Vulnerable to XML External Entity (XXE) Attacks
GHSA-pc6w-59fv-rh23 CVE-2025-6984 HIGH 3 months ago
The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE) attacks due to insecure X...
pypi
No PRs yet
Liferay Portal Vulnerable to Denial of Service in Kaleo Forms Admin
GHSA-j4fw-4mhr-hc45 CVE-2025-43772 HIGH 3 months ago
Kaleo Forms Admin in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 27, and older unsupported versions does no...
maven
No PRs yet
DeepDiff Class Pollution in Delta class leading to DoS, Remote Code Execution, and more
GHSA-mw26-5g2v-hqw3 CVE-2025-58367 CRITICAL 3 months ago
### Summary [Python class pollution](https://blog.abdulrah33m.com/prototype-pollution-in-python/) is a novel vulnerability categorized under [CWE-9...
pypi
1 Dependabot PR
Mautic Vulnerable to User Enumeration via Response Timing
GHSA-3ggv-qwcp-j6xg CVE-2025-9824 MODERATE 3 months ago
### Impact The attacker can validate if a user exists by checking the time login returns. This timing difference can be used to enumerate valid use...
packagist
No PRs yet
Mautic vulnerable to reflected XSS in lead:addLeadTags - Quick Add
GHSA-9v8p-m85m-f7mm CVE-2025-9823 MODERATE 3 months ago
## Summary A Cross-Site Scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in the context of another user’s session....
packagist
No PRs yet
Mautic vulnerable to secret data extraction via elfinder
GHSA-438m-6mhw-hq5w CVE-2025-9822 MODERATE 3 months ago
### Summary _A user with administrator rights can change the configuration of the mautic application and extract secrets that are not normally avai...
packagist
No PRs yet
Mautic vulnerable to SSRF via webhook function
GHSA-hj6f-7hp7-xg69 CVE-2025-9821 LOW 3 months ago
### Summary Users with webhook permissions can conduct SSRF via webhooks. If they have permission to view the webhook logs, the (partial) request r...
packagist
No PRs yet
Hono's flaw in URL path parsing could cause path confusion
GHSA-9hp6-4448-45g2 CVE-2025-58362 HIGH 3 months ago
### Summary A flaw in the `getPath` utility function could allow path confusion and potential bypass of proxy-level ACLs (e.g. Nginx location bloc...
npm
3 Dependabot PRs
frost-core: refresh shares with smaller min_signers will reduce security of group
GHSA-wgq8-vr6r-mqxm CVE-2025-58359 MODERATE 3 months ago
### Impact It was not clear that it is not possible to change `min_signers` (i.e. the threshold) with the refresh share functionality (`frost_core...
cargo
No PRs yet
Electron has ASAR Integrity Bypass via resource modification
GHSA-vmqv-hx8q-j7mg CVE-2025-55305 MODERATE 3 months ago
### Impact This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs...
npm
No PRs yet
Claude Code Vulnerable to Arbitrary Code Execution Due to Insufficient Startup Warning
GHSA-ph6w-f82w-28w6 HIGH 3 months ago
When Claude Code was started in a new directory, it displayed a warning asking, "Do you trust the files in this folder?". This warning did not prop...
npm
No PRs yet
CKEditor 5 cross-site scripting (XSS) vulnerability in the clipboard package
GHSA-x9gp-vjh6-3wv6 CVE-2025-58064 LOW 3 months ago
### Impact A Cross-Site Scripting (XSS) vulnerability has been discovered in the CKEditor 5 clipboard package. This vulnerability could be triggere...
npm
No PRs yet
Netty's decoders vulnerable to DoS via zip bomb style attack
GHSA-3p8m-j85q-pgmj CVE-2025-58057 MODERATE 3 months ago
### Summary With specially crafted input, `BrotliDecoder` and some other decompressing decoders will allocate a large number of reachable byte buf...
maven
5 Dependabot PRs
XWiki configuration files can be accessed through jsx and sx endpoints
GHSA-m63c-3rmg-r2cf CVE-2025-55748 CRITICAL 3 months ago
### Impact It's possible to get access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../...
maven
No PRs yet
XWiki configuration files can be accessed through the webjars API
GHSA-qww7-89xh-x7m7 CVE-2025-55747 CRITICAL 3 months ago
### Impact It's possible to get access and read configuration files by using URLs such as `http://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F....
maven
No PRs yet
Jenkins OpenTelemetry Plugin missing permission check allows capturing credentials
GHSA-f696-867g-2759 CVE-2025-58460 MODERATE 3 months ago
A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b_92b_cd64 and earlier allows attackers with Overall/Read permission to conn...
maven
No PRs yet
Jenkins global-build-stats Plugin missing permission check can result in graph IDs being enumerated
GHSA-gm8g-fh49-qq6v CVE-2025-58459 MODERATE 3 months ago
Jenkins global-build-stats Plugin 322.v22f4db_18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers w...
maven
No PRs yet
Jenkins Git client Plugin file system information disclosure vulnerability
GHSA-g2pq-9jr7-w6gv CVE-2025-58458 MODERATE 3 months ago
In Jenkins Git client Plugin 6.3.2 and earlier, Git URL field form validation responses differ based on whether the specified file path exists on t...
maven
No PRs yet
Apache DolphinScheduler Incorrect Default Permissions Vulnerability
GHSA-rrpj-r8h7-rm7r CVE-2024-43166 LOW 3 months ago
Incorrect Default Permissions vulnerability in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recom...
maven
No PRs yet
Soft Serve vulnerable to arbitrary file writing through SSH API
GHSA-33pr-m977-5w97 CVE-2025-58355 HIGH 3 months ago
Attackers can create/override arbitrary files with uncontrolled data. For a PoC, spin up an instance of soft-serve as explained in the README, and...
go
No PRs yet
mcp-markdownify-server vulnerable to command injection in pptx-to-markdown tool
GHSA-45qj-4xq3-3c45 CVE-2025-58358 HIGH 3 months ago
### Summary A command injection vulnerability exists in the `mcp-markdownify-server` MCP Server. The vulnerability is caused by the unsanitized us...
npm
No PRs yet
ArrayQueue's push_front is not panic-safe
GHSA-xqjr-wfx3-gmxv MODERATE 3 months ago
The safe API `array_queue::ArrayQueue::push_front` can lead to deallocating uninitialized memory if a panic occurs while invoking the `clone` metho...
cargo
No PRs yet
Command Injection via sonarqube-scan-action GitHub Action
GHSA-f79p-9c5r-xg88 CVE-2025-58178 HIGH 3 months ago
### Impact A command injection vulnerability was discovered in the SonarQube Scan GitHub Action that allows untrusted input arguments to be process...
actions
No PRs yet
arenavec has multiple memory corruption vulnerabilities in safe APIs
GHSA-3632-54q8-m96x HIGH 3 months ago
The crate has the following vulnerabilities: - The public trait `arenavec::common::AllocHandle` allows the return of raw pointers through its meth...
cargo
No PRs yet
MobSF Path Traversal in GET /download/<filename> using absolute filenames
GHSA-ccc3-fvfx-mw3v CVE-2025-58161 LOW 3 months ago
### Summary The GET /download/<filename> route uses string path verification via os.path.commonprefix, which allows an authenticated user to downlo...
pypi
No PRs yet
MobSF Vulnerable to Arbitrary File Write (AR-Slip) via Absolute Path in .a Extraction
GHSA-9gh8-9r95-3fc3 CVE-2025-58162 MODERATE 3 months ago
### Summary The vulnerability allows any user to overwrite any files available under the account privileges of the running process. ### Details As...
pypi
No PRs yet
PocketMine-MP `ResourcePackDataInfoPacket` amplification vulnerability due to lack of resource pack sequence status checking
GHSA-fqqv-56h5-f57g HIGH 3 months ago
### Summary A denial-of-service / out-of-memory vulnerability exists in the `STATUS_SEND_PACKS` handling of `ResourcePackClientResponsePacket`. Po...
packagist
No PRs yet
ESP-IDF web_server basic auth bypass using empty or incomplete Authorization header
GHSA-mxh2-ccgj-8635 CVE-2025-57808 HIGH 3 months ago
### Summary On the ESP-IDF platform, ESPHome's [`web_server` authentication](https://esphome.io/components/web_server.html#configuration-variables)...
pypi
No PRs yet