Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617
Local Deep Research's API keys are stored in plain text
GHSA-4h8c-qrcq-cv5c CVE-2025-57806 MODERATE 3 months ago
**Affected Versions:** > 0.2.0 and < 1.0.0
**Patched Versions:** >= 1.0.0
**Description:**
The library stored confidential information, including...
pypi
No PRs yet
Silverpeas Core Username Enumeration Vulnerability
GHSA-cv2m-5pfp-f245 CVE-2025-46047 MODERATE 3 months ago
A user enumeration vulnerability in the /CredentialsServlet/ForgotPassword endpoint in Silverpeas 6.4.1 and 6.4.2 allows remote attackers to determ...
maven
No PRs yet
Undertow MadeYouReset HTTP/2 DDoS Vulnerability
GHSA-95h4-w6j8-2rp8 CVE-2025-9784 HIGH 3 months ago
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, r...
maven
No PRs yet
Next.js Affected by Cache Key Confusion for Image Optimization API Routes
GHSA-g5qg-72qw-gw5v CVE-2025-57752 MODERATE 3 months ago
A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request he...
npm
No PRs yet
Next.js Content Injection Vulnerability for Image Optimization
GHSA-xv57-4mr9-wg8v CVE-2025-55173 MODERATE 3 months ago
A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external im...
npm
No PRs yet
Next.js Improper Middleware Redirect Handling Leads to SSRF
GHSA-4342-x723-ch2f CVE-2025-57822 MODERATE 3 months ago
A vulnerability in **Next.js Middleware** has been fixed in **v14.2.32** and **v15.4.7**. The issue occurred when request headers were directly pas...
npm
No PRs yet
Liferay Portal allows improper access through the expandoTableLocalService
GHSA-876g-49r6-33qj CVE-2025-43773 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 20...
maven
No PRs yet
Tracing logging user input may result in poisoning logs with ANSI escape sequences
GHSA-xwfj-jgwm-7wp5 CVE-2025-58160 LOW 3 months ago
### Impact
Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI...
cargo
No PRs yet
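The tracing-subscriber entry above is about untrusted input carrying terminal control sequences into a log, where cursor-movement and erase-line sequences can rewrite what an operator sees. The sanitizer below is an added example written for this page, not code from tracing-subscriber or any project listed here: rather than pattern-matching CSI sequences (which misses OSC, C1 and Unicode direction overrides), it escapes every character a terminal would interpret instead of print. The log field values are constructed.

```python
"""Escape terminal control characters before they reach a log.

Added example; not code from tracing-subscriber or any other project.
"""
import unicodedata


def sanitize_log_field(value: str) -> str:
    """Return value with every non-printing character escaped.

    Escapes C0 controls (ESC, BEL, CR, ...), DEL, C1 controls (category Cc),
    Unicode format characters such as bidi overrides (Cf), and line/paragraph
    separators (Zl, Zp). Backslashes are doubled so the escaped form stays
    unambiguous for whoever reads the log later.
    """
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif unicodedata.category(ch) in ("Cc", "Cf", "Zl", "Zp"):
            cp = ord(ch)
            out.append(f"\\x{cp:02x}" if cp < 0x100 else f"\\u{cp:04x}")
        else:
            out.append(ch)
    return "".join(out)


def log_line(level: str, message: str, **fields: str) -> str:
    """Format one structured log line with the message and every field sanitized."""
    kv = " ".join(f"{k}={sanitize_log_field(str(v))}" for k, v in fields.items())
    return f"{level} {sanitize_log_field(message)} {kv}".rstrip()


if __name__ == "__main__":
    # Constructed hostile username: erase the current line, move the cursor up,
    # return to column 0 and overwrite the previous line with a fake success.
    hostile_user = "guest\x1b[2K\x1b[1A\rlogin ok for admin"
    print(log_line("WARN", "login failed", user=hostile_user))
```

The escaped form prints as `user=guest\x1b[2K\x1b[1A\x0dlogin ok for admin` on a single line, so the injected sequences are visible as data rather than executed by the terminal.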
Rancher Fleet Helm Values are stored inside BundleDeployment in plain text
GHSA-6h9x-9j5v-7w9h CVE-2024-52284 HIGH 3 months ago
### Impact
A vulnerability has been identified when using Fleet to manage Helm charts where sensitive information is passed through `BundleDeployme...
go
No PRs yet
webp crate may expose memory contents when encoding an image
GHSA-9q78-27f3-2jmh MODERATE 3 months ago
Affected versions of this crate did not check that the input slice passed to `webp::Encoder::encode()` is large enough for the specified image dim...
cargo
No PRs yet
github.com/gorilla/csrf improperly validates TrustedOrigins allowing CSRF attacks
GHSA-82ff-hg59-8x73 CVE-2025-47909 MODERATE 3 months ago
Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks.
Afte...
go
No PRs yet
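The gorilla/csrf entry above is a scheme-confusion bug: when a trusted origin is matched on host alone, http://app.example and https://app.example count as the same origin, and a network attacker who can answer plain-HTTP requests for the trusted host can forge requests that pass the check. The code below is an added example for this page, written in Python rather than Go and not taken from gorilla/csrf or any project listed here; it puts the host-only check next to a check that compares scheme, host and port. The trusted origins and header values are constructed.

```python
"""Host-only versus full-origin CSRF source validation.

Added example; not gorilla/csrf code. Trusted origins are written with their
scheme ("https://app.example") so the comparison can include it.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize_origin(value):
    """Return (scheme, host, port) for a serialized origin, or None if it is
    not a bare origin (unknown scheme, userinfo, path, query, bad port)."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username is not None or parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return (scheme, parts.hostname, port or DEFAULT_PORTS[scheme])


def host_only_allowed(origin_header, trusted_hosts):
    """The weak form: any scheme passes as long as the host matches.
    An attacker who can serve http://app.example over an unauthenticated
    network path can therefore originate a request that is accepted."""
    parsed = _normalize_origin(origin_header)
    return parsed is not None and parsed[1] in trusted_hosts


def origin_allowed(origin_header, trusted_origins):
    """The strict form: scheme, host and port must all match one trusted origin."""
    parsed = _normalize_origin(origin_header)
    if parsed is None:
        return False
    trusted = {_normalize_origin(o) for o in trusted_origins}
    trusted.discard(None)
    return parsed in trusted


def csrf_origin_check(headers, trusted_origins):
    """Decide whether a state-changing request came from a trusted origin.

    Prefer the Origin header; fall back to the origin of the Referer; fail
    closed when neither is usable (browsers send at least one of them on
    cross-site form posts and fetches, and "null" is never trustworthy)."""
    source = headers.get("Origin")
    if source is None and headers.get("Referer"):
        ref = urlsplit(headers["Referer"])
        if ref.scheme and ref.netloc:
            source = f"{ref.scheme}://{ref.netloc}"
    if source is None or source == "null":
        return False
    return origin_allowed(source, trusted_origins)


if __name__ == "__main__":
    trusted = {"https://app.example", "https://admin.app.example:8443"}
    forged = {"Origin": "http://app.example"}  # constructed MitM-originated request
    print("host-only:", host_only_allowed(forged["Origin"], {"app.example"}))  # True
    print("full origin:", csrf_origin_check(forged, trusted))                  # False
```

Note the fail-closed default: a request with neither Origin nor Referer is rejected, which is the trade-off between blocking a small number of privacy-stripped clients and accepting requests whose source cannot be established.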
gnark affected by denial of service when computing scalar multiplication using fake-GLV algorithm
GHSA-9fvj-xqr2-xwg8 CVE-2025-58157 HIGH 3 months ago
### Impact
For optimizing the scalar multiplication algorithm in circuit for some curves, gnark uses fake-GLV algorithm in case the curve doesn't ...
go
No PRs yet
Eventlet affected by HTTP request smuggling in unparsed trailers
GHSA-hw6f-rjfj-j7j7 CVE-2025-58068 MODERATE 3 months ago
### Impact
The Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections.
This vulnerability ...
pypi
No PRs yet
Google Sign-In for Rails allowed redirect to protocol-relative URI
GHSA-5jch-xhw4-r43v CVE-2025-58067 MODERATE 3 months ago
## Summary
It is possible to redirect a user to another origin if the "proceed_to" value in the session store is set to a protocol-relative URL.
...
rubygems
No PRs yet
DoS Vulnerability in ntpd-rs
GHSA-4855-q42w-5vr4 CVE-2025-58066 MODERATE 3 months ago
# Summary
A denial of service vulnerability was discovered in ntpd-rs where an attacker can induce a message storm between two NTP servers running...
cargo
No PRs yet
Harness Allows Arbitrary File Write in Gitness LFS server
GHSA-w469-hj2f-jpr5 CVE-2025-58158 HIGH 3 months ago
### Impact
Open Source Harness git LFS server (Gitness) exposes api to retrieve and upload files via git LFS. Implementation of upload git LFS fi...
go
No PRs yet
Versity panic induced by AWS chunked data sent to port
GHSA-v2ch-c8v8-fgr7 HIGH 3 months ago
Sending AWS chunked data with no Content-Length HTTP header causes the panic every time.
### Reproduction
Setup versity server running on port 70...
go
No PRs yet
Rancher affected by unauthenticated Denial of Service
GHSA-4h45-jpvh-6p5j CVE-2024-58259 HIGH 3 months ago
### Impact
A vulnerability has been identified within Rancher Manager in which it did not enforce request body size limits on certain public (unaut...
go
No PRs yet
Opencast has a partial path traversal vulnerability in UI config
GHSA-hq8m-v68g-8cf8 CVE-2025-55202 LOW 3 months ago
The protections against path traversal attacks in the UI config module are insufficient, still partially allowing for attacks in very specific case...
maven
No PRs yet
AiondaDotCom mcp-ssh command injection vulnerability in SSH operations
GHSA-694p-3fxc-m92h CVE-2025-9654 MODERATE 3 months ago
A security flaw has been discovered in AiondaDotCom mcp-ssh up to 1.0.3. Affected by this issue is some unknown functionality of the file server-si...
npm
No PRs yet
Exiv2 has quadratic performance in ICC profile parsing in JpegBase::readMetadata
GHSA-m54q-mm9w-fp6g CVE-2025-55304 LOW 3 months ago
### Impact
A denial-of-service was found in Exiv2 version v0.28.5: a quadratic algorithm in the ICC profile parsing code in `jpegBase::readMetadata...
pypi
No PRs yet
Exiv2 Segmentation Faults in Exiv2::EpsImage::writeMetadata() via crafted EPS file
GHSA-496f-x7cq-cq39 CVE-2025-54080 LOW 3 months ago
### Impact
An out-of-bounds read was found in Exiv2 versions v0.28.5 and earlier. Exiv2 is a command-line utility and C++ library for reading, writ...
pypi
No PRs yet
Payload does not invalidate JWTs after log out
GHSA-5v66-m237-hwf7 CVE-2025-4643 MODERATE 3 months ago
Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted...
npm
No PRs yet
Payload's SQLite adapter Session Fixation vulnerability
GHSA-26rv-h2hf-3fw4 CVE-2025-4644 MODERATE 3 months ago
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could cr...
npm
No PRs yet
HashiCorp Vault Community Edition Denial of Service Through Complex JSON Payloads
GHSA-8f82-53h8-2p34 CVE-2025-6203 HIGH 3 months ago
A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memo...
go
No PRs yet
github.com/ulikunitz/xz leaks memory when decoding corrupted multiple LZMA archives
GHSA-jc7w-c686-c4v9 CVE-2025-58058 MODERATE 3 months ago
### Summary
It is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can ...
go
32 Dependabot PRs
Coder accepts an APIKey beyond the linked OIDC expiry if there is no refresh token
GHSA-3rw9-wmc8-8948 LOW 3 months ago
### Summary
If users log in to Coder via OIDC, and the OpenID Identity Provider does not return a refresh token, then Coder may allow their web ses...
go
No PRs yet
Contrast leaks workload secrets to logs on INFO level
GHSA-vxg3-w9rv-rhr2 HIGH 3 months ago
This is the same vulnerability as https://github.com/edgelesssys/contrast/security/advisories/GHSA-h5f8-crrq-4pw8. The original vulnerability had b...
go
No PRs yet
Valtimo scripting engine can be used to gain access to sensitive data or resources
GHSA-w48j-pp7j-fj55 CVE-2025-58059 CRITICAL 3 months ago
### Impact
Any admin that can create or modify and execute process-definitions could gain access to sensitive data or resources.
This includes but...
maven
No PRs yet
Volto affected by possible DoS by invoking specific URL by anonymous user
GHSA-xjhf-7833-3pm5 CVE-2025-58047 HIGH 3 months ago
### Impact
When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error.
### Patches
The prob...
npm
No PRs yet
FormCms avatar upload feature has a stored cross-site scripting (XSS) vulnerability
GHSA-4fxf-xgrm-8fcj CVE-2025-56236 MODERATE 3 months ago
FormCms v0.5.5 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload feature. Authenticated users can upload .html files ...
nuget
No PRs yet
XWiki PDF export jobs store sensitive cookies unencrypted in job statuses
GHSA-9m7c-m33f-3429 CVE-2025-58049 MODERATE 3 months ago
### Impact
The PDF export uses a background job that runs on the server-side. Jobs like this have a status that is serialized in the permanent dir...
maven
No PRs yet
Contao does not properly manage privileges for page and article fields
GHSA-qqfq-7cpp-hcqj CVE-2025-57759 MODERATE 3 months ago
### Impact
Under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions.
##...
packagist
No PRs yet
Contao can disclose sensitive information in the news module
GHSA-w53m-gxvg-vx7p CVE-2025-57757 MODERATE 3 months ago
### Impact
If a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed.
### ...
packagist
No PRs yet
Contao discloses sensitive information in the front end search index
GHSA-2xmj-8wmq-7475 CVE-2025-57756 MODERATE 3 months ago
### Impact
Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search.
### Patch...
packagist
No PRs yet
Contao applies improper access control in the back end voters
GHSA-7m47-r75r-cx8v CVE-2025-57758 MODERATE 3 months ago
### Impact
The table access voter in the back end doesn't check if a user is allowed to access the corresponding module.
### Patches
Update to C...
packagist
No PRs yet
lychee link checking action affected by arbitrary code injection in composite action
GHSA-65rg-554r-9j5x CVE-2024-48908 MODERATE 3 months ago
### Summary
There is a potential attack of arbitrary code injection vulnerability in `lychee-setup` of the composite action at *action.yml*.
### ...
actions
No PRs yet
NeuVector admin account has insecure default password
GHSA-8pxw-9c75-6w56 CVE-2025-8077 CRITICAL 3 months ago
### Impact
A vulnerability exists in NeuVector versions up to and including **5.4.5**, where a fixed string is used as the default password for th...
go
No PRs yet
NeuVector process with sensitive arguments lead to leakage
GHSA-w54x-xfxg-4gxq CVE-2025-54467 MODERATE 3 months ago
### Impact
When a Java command with password parameters is executed and terminated by NeuVector for a Process rule violation. For example, `jav...`
go
No PRs yet
NeuVector has an insecure password storage vulnerable to rainbow attack
GHSA-8ff6-pc43-jwv3 CVE-2025-53884 MODERATE 3 months ago
### Impact
NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack (offline ...
go
No PRs yet
Kubernetes Nodes can delete themselves by adding an OwnerReference
GHSA-4x4m-3c2p-qppc CVE-2025-5187 MODERATE 3 months ago
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node obje...
go
No PRs yet
NodeBB SQL Injection vulnerability
GHSA-rfh2-8vxq-jqr8 CVE-2025-50979 HIGH 3 months ago
NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter is not p...
npm
No PRs yet
simple-admin-core SQL Injection vulnerability
GHSA-f2m2-4q6r-cwc4 CVE-2025-51667 HIGH 3 months ago
An issue was discovered in simple-admin-core v1.2.0 thru v1.6.7. The /sys-api/role/update interface in the simple-admin-core system has a limited S...
go
No PRs yet
Google Sign-In for Rails allowed redirects to malformed URLs
GHSA-7pwc-wh6m-44q3 CVE-2025-57821 MODERATE 3 months ago
### Summary
It is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin....
rubygems
No PRs yet
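The two google-sign-in-rails entries on this page (GHSA-5jch-xhw4-r43v, a protocol-relative proceed_to value, and GHSA-7pwc-wh6m-44q3, a malformed URL that passes the same-origin check) are the same failure mode: a post-login redirect target that a parser classifies as local while the browser resolves it to another host. The validator below is an added example for this page, in Python rather than Ruby, and is not code from that gem or any project listed here. It accepts only two shapes, a single-slash local path or an absolute URL whose origin exactly equals the application's, and rejects the inputs where Python's URL parser and a browser disagree. The application origin and all test inputs are constructed.

```python
"""Redirect target validation that survives parser/browser disagreements.

Added example; not code from google-sign-in-rails. app_origin is a constructed
value for the application being protected.
"""
from urllib.parse import urlsplit


def safe_redirect_target(candidate, app_origin="https://app.example", fallback="/"):
    """Return candidate if it can only lead back to app_origin, else fallback.

    Rejected on purpose:
      * control characters and whitespace: parsers strip them, so
        "https://app.example\\n.evil.example" collapses into another host
      * backslashes: browsers read "/\\evil.example" as "//evil.example"
      * two or more leading slashes: "//evil.example" and "///evil.example"
        are protocol-relative, i.e. a different host, even though urlsplit
        files the triple-slash form under path
      * a scheme with no authority ("https:evil.example")
      * userinfo ("https://app.example@evil.example")
      * any scheme, host or port other than the application's own
    """
    if not isinstance(candidate, str) or not candidate:
        return fallback
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in candidate) or "\\" in candidate:
        return fallback
    if candidate.startswith("/"):
        # Local path: exactly one leading slash, nothing that can carry a host.
        return fallback if candidate.startswith("//") else candidate
    try:
        target, app = urlsplit(candidate), urlsplit(app_origin)
        target_port, app_port = target.port, app.port  # ValueError on junk ports
    except ValueError:
        return fallback
    if target.scheme != app.scheme or not target.netloc or target.username is not None:
        return fallback
    if target.hostname != app.hostname:
        return fallback
    default_port = 443 if app.scheme == "https" else 80
    if (target_port or default_port) != (app_port or default_port):
        return fallback
    return candidate


if __name__ == "__main__":
    # Constructed proceed_to values as they might arrive from the session store.
    for value in ["/account", "https://app.example/done", "//evil.example/",
                  "///evil.example", "/\\evil.example", "https:evil.example",
                  "https://app.example@evil.example/"]:
        print(repr(value), "->", safe_redirect_target(value))
```

Whitelisting the two accepted shapes is deliberate: trying instead to enumerate the malformed inputs that pass a same-origin comparison is exactly the approach these two advisories show to be fragile.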
Malicious versions of Nx were published
GHSA-cxm3-wv7p-598c CVE-2025-10894 CRITICAL 3 months ago
## Summary
Malicious versions of the [`nx` package](https://www.npmjs.com/package/nx), as well as some supporting plugin packages, were published ...
npm
No PRs yet
The Freeform CraftCMS plugin contains a Server-side template injection (SSTI) vulnerability
GHSA-9hp3-f5g8-rccg CVE-2025-52122 CRITICAL 3 months ago
Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains a Server-side template injection (SSTI) vulnerability, resulting in arbitrary co...
packagist
No PRs yet
devalue prototype pollution vulnerability
GHSA-vj54-72f3-p5jv CVE-2025-57820 HIGH 3 months ago
## 1. `devalue.parse` allows `__proto__` to be set
A string passed to `devalue.parse` could represent an object with a `__proto__` property, which...
npm
33 Dependabot PRs (24% merged)
Picklescan is missing detection when calling built-in python library asyncio.unix_events._UnixSubprocessTransport._start
GHSA-q77w-mwjj-7mqx MODERATE 3 months ago
### Summary
Using asyncio.unix_events._UnixSubprocessTransport._start function, which is a built-in python library function to execute remote pick...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python cProfile.run
GHSA-49gj-c84q-6qm9 MODERATE 3 months ago
### Summary
Using cProfile.run function, which is a built-in python library function to execute remote pickle file.
### Details
The attack paylo...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python cProfile.runctx
GHSA-9w88-8rmg-7g2p MODERATE 3 months ago
### Summary
Using cProfile.runctx function, which is a built-in python library function to execute remote pickle file.
### Details
The attack pa...
pypi
No PRs yet
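The three picklescan entries above are misses in a denylist: cProfile.run, cProfile.runctx and asyncio's subprocess transport all execute code or commands, yet none was on the list of dangerous globals. A pickle can only call what its GLOBAL or STACK_GLOBAL opcodes resolve, so the durable fix on the consuming side is to invert the policy and refuse every global that is not explicitly allowed. The code below is an added example for this page and is not picklescan's code: it lists the globals a pickle references without loading it, and loads through an Unpickler whose find_class enforces an allowlist. The payload bytes are constructed by hand from protocol-0 opcodes and are never passed to pickle.loads here.

```python
"""Allowlist-based pickle loading and global enumeration.

Added example; not picklescan code. ALLOWED_GLOBALS is a constructed policy
for an application that only needs plain containers back.
"""
import collections
import io
import pickle
import pickletools

# Constructed payloads: GLOBAL (c) module\nname\n, MARK (, STRING S'...'\n,
# EMPTY_DICT }, TUPLE t, REDUCE R, STOP .   Loading either with pickle.loads
# would call the named function; the first is cProfile.run('pass'), the
# second cProfile.runctx('pass', {}, {}).
CPROFILE_RUN_PAYLOAD = b"ccProfile\nrun\n(S'pass'\ntR."
CPROFILE_RUNCTX_PAYLOAD = b"ccProfile\nrunctx\n(S'pass'\n}}tR."

ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "frozenset"), ("builtins", "tuple"),
    ("collections", "OrderedDict"),
}

_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes):
    """Walk the opcode stream (no execution) and return every (module, name)
    the pickle would resolve. GLOBAL carries both names inline; STACK_GLOBAL
    takes them from the two most recently pushed strings."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            name, module = strings.pop(), strings.pop()
            found.append((module, name))
    return found


def disallowed_globals(data: bytes):
    """Scanner verdict: the referenced globals that are NOT on the allowlist.
    An empty list means the pickle touches nothing the policy has not approved."""
    return [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]


class AllowlistUnpickler(pickle.Unpickler):
    """Load-time enforcement of the same policy, so a scanner miss cannot
    turn into code execution."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is not in the allowlist")
        return super().find_class(module, name)

    def persistent_load(self, pid):
        raise pickle.UnpicklingError("persistent ids are not allowed")


def restricted_loads(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def benign_pickle() -> bytes:
    """A constructed legitimate pickle that needs one allowlisted global."""
    return pickle.dumps(collections.OrderedDict(a=1, b=2))


if __name__ == "__main__":
    for label, blob in [("cProfile.run", CPROFILE_RUN_PAYLOAD),
                        ("cProfile.runctx", CPROFILE_RUNCTX_PAYLOAD),
                        ("benign", benign_pickle())]:
        print(label, "disallowed globals:", disallowed_globals(blob))
    print(restricted_loads(benign_pickle()))
```

Enumerating globals is still useful for triage, but the verdict has to come from the allowlist: the advisories above are what happens when the scanner instead asks "is this particular function on my list of bad ones".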