Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,842
With Dependabot PRs: 1,805
Critical Severity: 3,510
High Severity: 8,633
@perfood/couch-auth may expose session tokens, passwords
GHSA-62vx-hpcr-m9ch CVE-2025-60794 MODERATE 12 days ago
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts li...
npm
No PRs yet
phppgadmin contains a SQL injection vulnerability
GHSA-927w-vq5c-8gc3 CVE-2025-60797 MODERATE 12 days ago
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied...
packagist
No PRs yet
golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read
GHSA-f6x5-jh6r-wrfv CVE-2025-47914 MODERATE 13 days ago
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message i...
go
No PRs yet
golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption
GHSA-j5w8-q4qc-rx2x CVE-2025-58181 MODERATE 13 days ago
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause...
go
1 Dependabot PR
esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
GHSA-hcpf-qv9m-vfgp CVE-2025-65026 MODERATE 13 days ago
### Summary
The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature....
go
No PRs yet
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
GHSA-fvmw-cj7j-j39q CVE-2025-65019 MODERATE 13 days ago
**Summary**
A Cross-Site Scripting (XSS) vulnerability exists in Astro when using the **@astrojs/cloudflare** adapter with `output: 'server'`. Th...
npm
No PRs yet
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
GHSA-ggxq-hp9w-j794 CVE-2025-64765 MODERATE 13 days ago
A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validati...
npm
No PRs yet
authentik's invitation expiry is delayed by at least 5 minutes
GHSA-ch7q-53v8-73pc CVE-2025-64708 MODERATE 13 days ago
### Summary
In previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background ta...
go
No PRs yet
authentik allows a deactivated Service account to authenticate to OAuth
GHSA-xr73-jq5p-ch8r CVE-2025-64521 MODERATE 13 days ago
### Summary
When authenticating with `client_id` and `client_secret` to an OAuth provider, authentik creates a service account for the provider. I...
go
No PRs yet
MongoDB driver extension affected by mongoc_bulk_operation_t's read of invalid memory
GHSA-mwcc-7vpp-xmv9 CVE-2025-12119 MODERATE 13 days ago
A mongoc_bulk_operation_t may read invalid memory if large options are passed.
packagist
No PRs yet
XWiki view file macro: User can view content of office file without view rights on the attachment
GHSA-8c52-x9w7-vc95 CVE-2025-65089 MODERATE 14 days ago
### Summary
A user with no view rights on a page may see the content of an office attachment displayed with the view file macro.
### Details
If on...
maven
No PRs yet
LibreNMS is vulnerable to SQL Injection (Boolean-Based Blind) in hostname parameter in ajax_output.php endpoint
GHSA-6pmj-xjxp-p8g9 CVE-2025-65093 MODERATE 14 days ago
## Summary
A **Boolean-Based Blind SQL Injection** vulnerability was identified in the LibreNMS application at the `/ajax_output.php` endpoint. Th...
packagist
No PRs yet
Backdrop CMS Host Header Injection vulnerability
GHSA-ffpg-gm3h-4p5p CVE-2025-63828 MODERATE 14 days ago
Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to re...
packagist
No PRs yet
Drupal core allows Object Injection
GHSA-m6vv-vcj8-w8m7 CVE-2025-13081 MODERATE 14 days ago
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This is...
packagist
No PRs yet
Drupal Email TFA allows Functionality Bypass
GHSA-9jrw-jrrj-p6fr CVE-2025-12760 MODERATE 14 days ago
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TF...
packagist
No PRs yet
LibreNMS vulnerable to Reflected Cross-Site Scripting (XSS) in endpoint `/maps/nodeimage` parameter `Image Name`
GHSA-j8cq-7f6p-256x CVE-2025-65013 MODERATE 14 days ago
## Summary
A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the LibreNMS application at the `/maps/nodeimage` endpoint. The ...
packagist
No PRs yet
Kirby CMS has cross-site scripting (XSS) in the changes dialog
GHSA-84hf-8gh5-575j CVE-2025-65012 MODERATE 14 days ago
### TL;DR
This vulnerability affects all Kirby 5 sites that might have potential attackers in the group of authenticated Panel users or that allow...
packagist
No PRs yet
XWiki AdminTools application doesn't set permissions on the AdminTools space
GHSA-v7r8-8p5c-h4xw CVE-2025-54990 MODERATE 14 days ago
### Impact
Users without admin rights have access to `AdminTools.SpammedPages`.
### Details
View rights are not restricted only to admin users f...
maven
No PRs yet
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message
GHSA-7xvh-c266-cfr5 CVE-2025-64758 MODERATE 15 days ago
### Description
Since version 4.12.0, Dependency-Track users with the `SYSTEM_CONFIGURATION` permission can configure a "welcome message", which i...
npm
No PRs yet
lsFusion Platform has a Path Traversal vulnerability
GHSA-gwwr-j923-vq7r CVE-2025-13262 MODERATE 15 days ago
A vulnerability was determined in lsfusion platform up to 6.1. Affected by this vulnerability is the function UploadFileRequestHandler of the file ...
maven
No PRs yet
vlife-base has Path Traversal vulnerability
GHSA-cg6m-9276-qpjj CVE-2025-13266 MODERATE 15 days ago
A security vulnerability has been detected in wwwlike vlife up to 2.0.1. This issue affects the function create of the file vlife-base/src/main/jav...
maven
No PRs yet
lsFusion Server is vulnerable to Path Traversal through its unpackFile function
GHSA-8wf8-frjg-xv74 CVE-2025-13265 MODERATE 15 days ago
A weakness has been identified in lsfusion platform up to 6.1. This vulnerability affects the function unpackFile of the file server/src/main/java/...
maven
No PRs yet
lsFusion Platform has a Path Traversal vulnerability
GHSA-5jpg-2rj5-964c CVE-2025-13261 MODERATE 15 days ago
A vulnerability was found in lsfusion platform up to 6.1. Affected is the function DownloadFileRequestHandler of the file web-client/src/main/java/...
maven
No PRs yet
Directus is Vulnerable to Stored Cross-site Scripting
GHSA-vv2v-pw69-8crf CVE-2025-64747 MODERATE 18 days ago
### Summary
A stored cross-site scripting (XSS) vulnerability exists that allows users with `upload files` and `edit item` permissions to inject m...
npm
No PRs yet
Directus has Improper Permission Handling on Deleted Fields
GHSA-9x5g-62gj-wqf2 CVE-2025-64746 MODERATE 18 days ago
### Summary
Directus does not properly clean up field-level permissions when a field is deleted. If a new field with the same name is created later...
npm
No PRs yet
Shopware 6's password recovery link does not expire after email change
GHSA-2w46-vq8h-98vh MODERATE 18 days ago
### Summary
When a customer changes their email address after requesting a password reset, the old password reset link (tied to the previous email)...
packagist
No PRs yet
PrivateBin's template-switching feature allows arbitrary local file inclusion through path traversal
GHSA-g2j9-g8r5-rg82 CVE-2025-64714 MODERATE 18 days ago
## Summary
An unauthenticated Local File Inclusion exists in the template-switching feature: if `templateselection` is enabled in the configuratio...
packagist
No PRs yet
js-yaml has prototype pollution in merge (<<)
GHSA-mh29-5h37-fv8m CVE-2025-64718 MODERATE 18 days ago
### Impact
In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml doc...
npm
1 Dependabot PR
Mattermost allows system administrators to access password hashes and MFA secrets
GHSA-mqp8-pgg5-7x7m CVE-2025-11794 MODERATE 18 days ago
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to sanitize user data which allows system administrators to acce...
go
No PRs yet
Mattermost fails to properly restrict access to archived channel search API
GHSA-j6gg-r5jc-47cm CVE-2025-11776 MODERATE 18 days ago
Mattermost versions < 11 fail to properly restrict access to archived channel search API which allows guest users to discover archived public chann...
go
No PRs yet
Mattermost allows an attacker to edit arbitrary posts via a crafted MSTeams plugin OAuth redirect URL
GHSA-ff85-qw3h-g9vp CVE-2025-55073 MODERATE 18 days ago
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11, 10.12.x <= 10.12.0 fail to validate the relationship between the post being updated and ...
go
No PRs yet
Mattermost does not enforce MFA on WebSocket connections
GHSA-xpg8-8xpv-948p CVE-2025-55070 MODERATE 18 days ago
Mattermost versions < 11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitiv...
go
No PRs yet
Directus Vulnerable to Information Leakage in Existing Collections
GHSA-cph6-524f-3hgr CVE-2025-64749 MODERATE 19 days ago
### Summary
An observable difference in error messaging was found in the Directus REST API. The `/items/{collection}` API returns different error...
npm
No PRs yet
Directus's conceal fields are searchable if read permissions enabled
GHSA-8jpw-gpr4-8cmh CVE-2025-64748 MODERATE 19 days ago
## Summary
A vulnerability allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values re...
npm
No PRs yet
Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
GHSA-hr2q-hp5q-x767 CVE-2025-64525 MODERATE 19 days ago
## Summary
In impacted versions of Astro using [on-demand rendering](https://docs.astro.build/en/guides/on-demand-rendering/), request headers `x-...
npm
No PRs yet
sudo-rs doesn't record authenticating user properly in timestamp
GHSA-q428-6v73-fc4q CVE-2025-64517 MODERATE 19 days ago
### Summary
When `Defaults targetpw` (or `Defaults rootpw`) is enabled, the password of the target account (or root account) instead of the invokin...
cargo
No PRs yet
pgAdmin 4 has command injection vulnerability on Windows systems
GHSA-rm79-x4g6-hvg5 CVE-2025-12763 MODERATE 19 days ago
pgAdmin 4 versions up to 9.9 are affected by a command injection vulnerability on Windows systems. This issue is caused by the use of shell=True du...
pypi
No PRs yet
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
GHSA-7cx5-254x-cgrq CVE-2025-64502 MODERATE 19 days ago
### Impact
The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning be...
npm
No PRs yet
AstrBot has an arbitrary file read vulnerability in function _encode_image_bs64
GHSA-vm2f-46xc-5jc3 CVE-2025-57697 MODERATE 25 days ago
AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Since the _encode_image_bs64 function defined in e...
pypi
No PRs yet
Nuxt DevTools vulnerable to cross-site scripting (XSS)
GHSA-xmq3-q5pm-rp26 CVE-2025-52662 MODERATE 25 days ago
A vulnerability in Nuxt DevTools has been fixed in version **2.6.4**. This issue may have allowed Nuxt auth token extraction via XSS under certain...
npm
No PRs yet
Soft Serve does not sanitize ANSI escape sequences in user input
GHSA-fv2r-r8mp-pg48 CVE-2025-64494 MODERATE 25 days ago
### Impact
In several places where the user can insert data (e.g. names), ANSI escape sequences are not being removed, which can then be used, for ...
go
No PRs yet
KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes
GHSA-2r4r-5x78-mvqf CVE-2025-64437 MODERATE 25 days ago
### Summary
It is possible to trick the `virt-handler` component...
go
No PRs yet
KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes
GHSA-7xgm-5prm-v5gc CVE-2025-64436 MODERATE 25 days ago
### Summary
The permissions granted to the `virt-handler` service account, such as the ability to update VMI and patch nodes, could be abused to f...
go
No PRs yet
KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation
GHSA-9m94-w2vq-hcf9 CVE-2025-64435 MODERATE 25 days ago
### Summary
A logic flaw in the `virt-controller` allows an atta...
go
No PRs yet
KubeVirt's Improper TLS Certificate Management Handling Allows API Identity Spoofing
GHSA-ggp9-c99x-54gp CVE-2025-64434 MODERATE 25 days ago
### Summary
Due to improper TLS certificate management, a compromised `virt-handler` could impersonate `virt-api` by using its own TLS credentials,...
go
No PRs yet
KubeVirt Arbitrary Container File Read
GHSA-qw6q-3pgr-5cwq CVE-2025-64433 MODERATE 25 days ago
### Summary
Mounting a user-controlled PVC disk within a VM allo...
go
No PRs yet
KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer
GHSA-38jw-g2qx-4286 CVE-2025-64432 MODERATE 25 days ago
### Summary
A flawed implementation of the Kubernetes aggregatio...
go
No PRs yet
containerd CRI server: Host memory exhaustion through Attach goroutine leak
GHSA-m6hq-p25p-ffr2 CVE-2025-64329 MODERATE 25 days ago
### Impact
A bug was found in containerd's CRI Attach implementation where a user can exhaust memory on the host due to goroutine leaks.
Repetit...
go
33 Dependabot PRs
WSO2 Carbon Mediation vulnerable to XML External Entity (XXE) attacks
GHSA-fvfq-q238-j7j3 CVE-2025-10713 MODERATE 27 days ago
An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses...
maven
No PRs yet
Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode
GHSA-m35w-xx8c-6xc7 CVE-2025-58337 MODERATE 27 days ago
An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that...
pypi
No PRs yet