An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

Picklescan is missing detection when calling built-in python doctest.debug_script
GHSA-fqq6-7vqf-w3fg MODERATE 3 months ago
Summary: Using the doctest.debug_script function, which is a built-in Python library function, to execute a remote pickle file. Details: The atta...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcode
GHSA-3gf5-cxq9-w223 MODERATE 3 months ago
Summary: Using the idlelib.pyshell.ModifiedInterpreter.runcode function, which is a built-in Python library function, to execute a remote pickle file....
pypi
No PRs yet
Picklescan is missing detection when calling built-in python idlelib.pyshell.ModifiedInterpreter.runcommand
GHSA-j343-8v2j-ff7w MODERATE 3 months ago
Summary: Using the idlelib.pyshell.ModifiedInterpreter.runcommand function, which is a built-in Python library function, to execute a remote pickle fi...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python idlelib.run.Executive.runcode
GHSA-m869-42cg-3xwr MODERATE 3 months ago
Summary: Using the idlelib.run.Executive.runcode function, which is a built-in Python library function, to execute a remote pickle file. Details: ...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python lib2to3.pgen2.pgen.ParserGenerator.make_label
GHSA-p9w7-82w4-7q8m MODERATE 3 months ago
Summary: Using the lib2to3.pgen2.pgen.ParserGenerator.make_label function, which is a built-in Python library function, to execute a remote pickle fil...
pypi
No PRs yet
Picklescan is missing detection when calling built-in python ensurepip._run_pip
GHSA-xp4f-hrf8-rxw7 MODERATE 3 months ago
Summary: Using the ensurepip._run_pip function, which is a built-in Python library function, to execute a remote pickle file. Details: The attack...
pypi
No PRs yet
Badaso CMS file upload vulnerability
GHSA-gqp9-jh35-439m CVE-2025-52353 HIGH 3 months ago
An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PH...
packagist
No PRs yet
Picklescan is missing detection when calling pytorch function torch.utils.bottleneck.__main__.run_autograd_prof
GHSA-4whj-rm5r-c2v8 MODERATE 3 months ago
Summary: Using the torch.utils.bottleneck.__main__.run_autograd_prof function, which is a PyTorch library function, to execute a remote pickle fil...
pypi
No PRs yet
GraphQL Armor Max-Depth Plugin Bypass via fragment caching
GHSA-224p-v68g-5g8f MODERATE 3 months ago
Summary: A query depth restriction using max-depth can be bypassed if `ignoreIntrospection` is enabled (which is the default configuration) ...
npm
No PRs yet
GraphQL Armor Max-Depth Plugin Bypass via Introspection Query Obfuscation
GHSA-hmfr-rx46-4jx2 MODERATE 3 months ago
Summary: A query depth restriction using the `max-depth` property can be bypassed if `ignoreIntrospection` is enabled (which is the default conf...
npm
No PRs yet
Picklescan has a missing detection when calling built-in python library idlelib.calltip.get_entity
GHSA-9xph-j2h6-g47v MODERATE 3 months ago
Summary: Using the idlelib.calltip.get_entity function, which is a built-in Python library function, to execute a remote pickle file. Details: Th...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python idlelib.calltip.Calltip
GHSA-8r4j-24qv-fmq9 MODERATE 3 months ago
Summary: Using idlelib.calltip.Calltip.fetch_tip, which is a built-in Python library function, to execute a remote pickle file. Details: The ...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python code.InteractiveInterpreter
GHSA-cj3c-v495-4xqh MODERATE 3 months ago
Summary: Using code.InteractiveInterpreter.runcode, which is a built-in Python library function, to execute a remote pickle file. Details: Th...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python idlelib.autocomplete.AutoComplete.fetch_completions
GHSA-7cq8-mj8x-j263 MODERATE 3 months ago
Summary: Using idlelib.autocomplete.AutoComplete.fetch_completions, which is a built-in Python library function, to execute a remote pickle file. ...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python idlelib.autocomplete.AutoComplete.get_entity
GHSA-6w4w-5w54-rjvr MODERATE 3 months ago
Summary: Using idlelib.autocomplete.AutoComplete.get_entity, which is a built-in Python library function, to execute a remote pickle file. De...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python idlelib.debugobj.ObjectTreeItem
GHSA-3vg9-h568-4w9m MODERATE 3 months ago
Summary: Using idlelib.debugobj.ObjectTreeItem.SetText, which is a built-in Python library function, to execute a remote pickle file. Details...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python lib2to3.pgen2.grammar.Grammar.loads
GHSA-f54q-57x4-jg88 MODERATE 3 months ago
Summary: Using lib2to3.pgen2.grammar.Grammar.loads, which is a built-in Python library function, to execute a remote pickle file. Details: Th...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python profile.Profile.runctx
GHSA-6vqj-c2q5-j97w MODERATE 3 months ago
Summary: Using profile.Profile.runctx, which is a built-in Python library function, to execute a remote pickle file. Details: The attack payl...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python profile.Profile.run
GHSA-x696-vm39-cp64 MODERATE 3 months ago
Summary: Using profile.Profile.run, which is a built-in Python library function, to execute a remote pickle file. Details: The attack payload...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python trace.Trace.runctx
GHSA-g344-hcph-8vgg MODERATE 3 months ago
Summary: Using trace.Trace.runctx, which is a built-in Python library function, to execute a remote pickle file. Details: The attack payload ...
pypi
No PRs yet
Picklescan has a missing detection when calling built-in python trace.Trace.run
GHSA-5qwp-399c-mjwf MODERATE 3 months ago
Summary: Using trace.Trace.run, which is a built-in Python library function, to execute a remote pickle file. Details: The attack payload exe...
pypi
No PRs yet
xml2rfc has an arbitrary file read vulnerability
GHSA-cfmv-h8fx-85m7 CVE-2025-11058 HIGH 3 months ago
Impact: When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link...
pypi
No PRs yet
traQ Allows Insertion of Sensitive Information into Log File
GHSA-27r7-3m9x-r533 CVE-2025-57813 MODERATE 3 months ago
Impact: A vulnerability exists where sensitive information, such as OAuth tokens, is recorded in log files when an error occurs during the execu...
go
No PRs yet
jsPDF Denial of Service (DoS)
GHSA-8mvj-3j78-4qmw CVE-2025-57810 HIGH 3 months ago
Impact: User control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to...
npm
31 Dependabot PRs
ImageMagick (WriteBMPImage): 32-bit integer overflow when writing BMP scanline stride → heap buffer overflow
GHSA-mxvv-97wh-cfmm CVE-2025-57803 HIGH 3 months ago
Summary: A 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses `bytes_per_line` (stride) to a tiny value while th...
nuget
No PRs yet
ImageMagick has a Format String Bug in InterpretImageFilename leads to arbitrary code execution
GHSA-9ccg-6pjw-x645 CVE-2025-55298 HIGH 3 months ago
Summary: A format string bug vulnerability exists in the `InterpretImageFilename` function, where user input is directly passed to `FormatLocaleString...
nuget
No PRs yet
ImageMagick affected by divide-by-zero in ThumbnailImage via montage -geometry ":" leads to crash
GHSA-fh55-q5pj-pxgw CVE-2025-55212 LOW 3 months ago
Summary: Passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, Thumbn...
nuget
No PRs yet
Easy!Appointments SQL injection vulnerability
GHSA-2f28-69j7-85hf CVE-2025-50383 MODERATE 3 months ago
alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter.
packagist
No PRs yet
LlamaIndex affected by a Denial of Service (DOS) in JSONReader
GHSA-7753-xrfw-ch36 CVE-2025-5302 HIGH 3 months ago
A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The...
pypi
No PRs yet
request-filtering-agent SSRF Bypass via HTTPS Requests to 127.0.0.1
GHSA-pw25-c82r-75mm CVE-2025-57814 MODERATE 3 months ago
request-filtering-agent versions 1.x.x and earlier contain a vulnerability where HTTPS requests to 127.0.0.1 bypass IP address filtering, while HTT...
npm
No PRs yet
mitmproxy binaries embed a vulnerable python-hyper/h2 dependency
GHSA-63cx-g855-hvv4 MODERATE 3 months ago
mitmproxy 12.1.1 and below embed python-hyper/h2 ≤ v4.2.0, which has a gap in its HTTP/2 header validation. This enables request smuggling attacks ...
pypi
No PRs yet
h2 allows HTTP Request Smuggling due to illegal characters in headers
GHSA-847f-9342-265h CVE-2025-57804 MODERATE 3 months ago
Summary: An HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers...
pypi
No PRs yet
XGrammar affected by Denial of Service by infinite recursion grammars
GHSA-5cmr-4px5-23pc CVE-2025-57809 HIGH 3 months ago
Summary: This issue: http://github.com/mlc-ai/xgrammar/issues/250 should have its own security advisory. Since several tools accept and pass us...
pypi
No PRs yet
Craft CMS Potential Remote Code Execution via Twig SSTI
GHSA-crcq-738g-pqvc CVE-2025-57811 MODERATE 3 months ago
Note that users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/g...
packagist
No PRs yet
ImageMagick has Undefined Behavior (function-type-mismatch) in CloneSplayTree
GHSA-6hgw-6x87-578x CVE-2025-55160 MODERATE 3 months ago
Summary: Target: ImageMagick (commit `ecc9a5eb456747374bae8e07038ba10b3d8821b3`); Type: Undefined Behavior (function-type-mismatch) in...
nuget
No PRs yet
imagemagick: integer overflows in MNG magnification
GHSA-qp29-wxp5-wh82 CVE-2025-55154 HIGH 3 months ago
Vulnerability Details: The magnified size calculations in `ReadOneMNGIMage` (in `coders/png.c`) are unsafe and can overflow, leading to memo...
nuget
No PRs yet
Langflow Vulnerable to Privilege Escalation via CLI Superuser Creation (Post-RCE)
GHSA-4gv9-mp8m-592r CVE-2025-57760 HIGH 3 months ago
This vulnerability was discovered by researchers at Check Point. We are sharing this report as part of a responsible disclosure process and are...
pypi
No PRs yet
imagemagick: heap-buffer overflow read in MNG magnification with alpha
GHSA-cjc8-g9w8-chfw CVE-2025-55004 HIGH 3 months ago
Vulnerability Details: When performing image magnification in `ReadOneMNGIMage` (in `coders/png.c`), there is an issue around the handling o...
nuget
No PRs yet
ImageMagick has a heap-buffer-overflow
GHSA-fff3-4rp7-px97 LOW 3 months ago
Summary: While processing a crafted TIFF file, ImageMagick crashes. Details: Following is the ImageMagick version: imagemagick_git/build...
nuget
No PRs yet
ImageMagick has a Memory Leak in magick stream
GHSA-cfh4-9f7v-fhrc CVE-2025-53019 LOW 3 months ago
Summary: In ImageMagick's `magick stream` command, specifying multiple consecutive `%d` format specifiers in a filename template causes a memory...
nuget
No PRs yet
ImageMagick has a Heap Buffer Overflow in InterpretImageFilename
GHSA-hm4x-r5hc-794f CVE-2025-53014 LOW 3 months ago
Heap Buffer Overflow in InterpretImageFilename. Summary: A heap buffer overflow was identified in the `InterpretImageFilename` function of Imag...
nuget
No PRs yet
ImageMagick has a Stack Buffer Overflow in image.c
GHSA-qh3h-j545-h8c9 CVE-2025-53101 HIGH 3 months ago
Hi, we have found a stack buffer overflow and would like to report this issue. Could you confirm if this qualifies as a security vulnerability? I a...
nuget
No PRs yet
Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions (4.0.16 only)
GHSA-5c4f-pxmx-xcm4 CVE-2025-26467 HIGH 3 months ago
Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. A user with MODIFY permission ON ALL KEYSPACES can escalate privileges to...
maven
No PRs yet
Adminer PHP Object Injection issue leads to Denial of Service
GHSA-mqh4-2mm8-g7w9 CVE-2025-43960 HIGH 3 months ago
Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000...
packagist
No PRs yet
PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML document in the browser
GHSA-rx7m-68vc-ppxh CVE-2025-54370 HIGH 3 months ago
Product: PhpSpreadsheet; Version: 3.8.0; CWE-ID: CWE-918: Server-Side Request Forgery (SSRF); CVSS vector v.3.1: 7.5 (AV:N/AC:L/PR:N/U...
packagist
No PRs yet
Liferay Portal allows unrestricted upload of file in the style books component
GHSA-mf9q-87xx-jgvv CVE-2025-43766 MODERATE 3 months ago
The Liferay Portal 7.4.0 through 7.3.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 throug...
maven
No PRs yet
Liferay Portal stored cross-site scripting in text field of the web content structure
GHSA-h8gx-4hhm-w45v CVE-2025-43765 MODERATE 3 months ago
A stored cross-site scripting vulnerability in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13,...
maven
No PRs yet
Liferay Portal allows open redirect in /c/portal/edit_info_item parameter redirect
GHSA-6hj4-v2qp-cqr2 CVE-2025-43767 MODERATE 3 months ago
Open Redirect vulnerability in /c/portal/edit_info_item parameter redirect in Liferay Portal 7.4.3.86 through 7.4.3.131, and Liferay DXP 2024.Q3.1 ...
maven
No PRs yet
Liferay Portal ReDoS with Role Name search in KaleoDesignerPortlet
GHSA-23w4-rpc6-wpcc CVE-2025-43764 MODERATE 3 months ago
Self-ReDoS (Regular expression Denial of Service) exists with Role Name search field of Kaleo Designer portlet JavaScript in Liferay Portal 7.4.0 t...
maven
No PRs yet
Liferay Portal JSONWS API endpoint shares sensitive information
GHSA-cv9j-mg9w-v7wm CVE-2025-43768 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 20...
maven
No PRs yet