An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF
GHSA-p72g-pv48-7w9x CVE-2025-54988 CRITICAL 3 months ago
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry o...
maven
1 Dependabot PR
Liferay Portal Vulnerable to Cross-Site Scripting via DDMPortlet_definition Parameter
GHSA-62pf-hcwj-rcfc CVE-2025-43757 MODERATE 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 20...
maven
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting in Dynamic Data Mapping
GHSA-mpww-r37c-vxjw CVE-2025-43746 MODERATE 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 20...
maven
No PRs yet
Eclipse Jetty affected by MadeYouReset HTTP/2 vulnerability
GHSA-mmxm-8w33-wc4h CVE-2025-5115 HIGH 3 months ago
Technical Details: Below is a technical explanation of a newly discovered vulnerability in HTTP/2, which we refer to as “MadeYouReset.” Mad...
maven
1 Dependabot PR
x402 SDK vulnerable in outdated versions in resource servers for builders
GHSA-3j63-5h8p-gf7c HIGH 3 months ago
Impact: There is a security vulnerability in outdated versions of the x402 SDK. This does not directly affect users' keys, smart contracts, or f...
npm
No PRs yet
n8n symlink traversal vulnerability in "Read/Write File" node allows access to restricted files
GHSA-ggjm-f3g4-rwmm CVE-2025-57749 MODERATE 3 months ago
Impact: A symlink traversal vulnerability was discovered in the `Read/Write File` node in n8n. While the node attempts to restrict access to sen...
npm
No PRs yet
Directus allows unauthenticated file upload and file modification due to lacking input sanitization
GHSA-mv33-9f6j-pfmc CVE-2025-55746 CRITICAL 3 months ago
Summary: A vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary conte...
npm
No PRs yet
Spree Commerce is vulnerable to RCE through Search API
GHSA-x485-rhg3-cqr4 CVE-2011-10026 CRITICAL 3 months ago
Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitatio...
rubygems
No PRs yet
Liferay Portal Vulnerable to Cross-Site Request Forgery
GHSA-p9gc-59hf-x48p CVE-2025-43748 HIGH 3 months ago
Insufficient CSRF protection for omni-administrator users in Liferay Portal 7.0.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.6, 2...
maven
No PRs yet
elysia-cors Origin Validation Error
GHSA-f9qj-4c5x-cpcw CVE-2025-50864 MODERATE 3 months ago
An Origin Validation Error in the elysia-cors library through 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The ...
npm
No PRs yet
Liferay Portal Unvalidated File Upload
GHSA-56qj-wp5r-mvhj CVE-2025-43750 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 202...
maven
No PRs yet
Liferay Portal Unauthenticated File Access via URL
GHSA-5fx5-cff6-f3fp CVE-2025-43749 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 202...
maven
No PRs yet
CRI-O has Potential High Memory Consumption from File Read
GHSA-8f93-j3fx-72f3 CVE-2025-4437 MODERATE 3 months ago
There's a vulnerability in the CRI-O application where, when a container is launched with securityContext.runAsUser specifying a non-existent user, CR...
go
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting via assetTagNames Parameter
GHSA-j6p8-g3rj-ghpm CVE-2025-43741 MODERATE 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 20...
maven
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting through URLs
GHSA-3fp2-6mwq-4q3j CVE-2025-43742 MODERATE 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 20...
maven
No PRs yet
Apache EventMesh Vulnerable to Server-Side Request Forgery in WebhookUtil.java
GHSA-hf86-8x8v-h7vc CVE-2024-39954 MODERATE 3 months ago
Server-Side Request Forgery (SSRF) in the eventmesh-runtime module in WebhookUtil.java on Windows, Linux and macOS allows an attacker to abuse funct...
maven
No PRs yet
Default Credentials in nginx-defender Configuration Files
GHSA-pr72-8fxw-xx22 CVE-2025-55740 MODERATE 3 months ago
Impact: This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files [config.yaml](https://github.co...
go
No PRs yet
Liferay Portal Enumeration Discrepancy in Calendars
GHSA-g4vp-4gqr-7v8c CVE-2025-43743 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 202...
maven
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting via DDM Structure Field Labels
GHSA-m49p-6cjp-x2h3 CVE-2025-43744 MODERATE 3 months ago
A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5,...
maven
No PRs yet
Liferay Portal CSRF Vulnerability via Endpoint Parameter
GHSA-7q33-gwcm-r6cj CVE-2025-43745 MODERATE 3 months ago
A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4....
maven
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting via backURL Parameter
GHSA-vjwr-cqwf-6q96 CVE-2025-43737 MODERATE 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8 and 2025.Q1.0 thr...
maven
No PRs yet
WP Crontrol Authenticated (Administrator+) plugin vulnerable to Blind Server-Side Request Forgery
GHSA-35c5-67fm-cpcp CVE-2025-8678 MODERATE 3 months ago
Impact: The WP Crontrol plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in versions 1.17.0 to 1.19.1 via the `wp_remote...
packagist
No PRs yet
screenshot-desktop vulnerable to command Injection via `format` option
GHSA-gjx4-2c7g-fm94 CVE-2025-55294 CRITICAL 3 months ago
Impact: This vulnerability is a command injection issue. When user-controlled input is passed into the `format` option of the screenshot fu...
npm
No PRs yet
Mermaid improperly sanitizes sequence diagram labels leading to XSS
GHSA-7rqq-prvp-x9jh CVE-2025-54881 MODERATE 3 months ago
Summary: In the default configuration of mermaid 11.9.0, user-supplied input for sequence diagram labels is passed to `innerHTML` during calcula...
npm
No PRs yet
Mermaid does not properly sanitize architecture diagram iconText leading to XSS
GHSA-8gwm-58g9-j8pw CVE-2025-54880 MODERATE 3 months ago
Summary: In the default configuration of mermaid 11.9.0, user-supplied input for architecture diagram icons is passed to the d3 `html()` method,...
npm
3 Dependabot PRs
Liferay Portal Reflected Cross-Site Scripting Vulnerability in displayType Parameter
GHSA-cwgh-r52j-xh6c CVE-2025-43738 MODERATE 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 20...
maven
No PRs yet
Astro allows unauthorized third-party images in _image endpoint
GHSA-xf8x-j4p2-f749 CVE-2025-55303 MODERATE 3 months ago
Summary: In affected versions of `astro`, the image optimization endpoint in projects deployed with on-demand rendering allows images from unau...
npm
No PRs yet
HydrAIDE Authentication Bypass Vulnerability
GHSA-qp7j-x725-g67f CRITICAL 3 months ago
Summary: There is no authentication of any kind. Details: TLS is implemented and the tunnel between the client and server is secure; however, o...
go
No PRs yet
Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source
GHSA-hfmv-hhh3-43f2 CVE-2025-52478 HIGH 3 months ago
Impact: A stored Cross-Site Scripting (XSS) vulnerability was identified in [n8n](https://github.com/n8n-io/n8n), specifically in the For...
npm
No PRs yet
MoonShine Arbitrary File Upload Vulnerability
GHSA-8xfq-7f6m-mpmf CVE-2025-51489 MODERATE 3 months ago
An arbitrary file upload vulnerability in MoonShine v3.12.4 allows attackers to execute arbitrary code by uploading a crafted SVG file.
packagist
No PRs yet
MoonShine SQL Injection Vulnerability
GHSA-9g9j-3w64-3cjh CVE-2025-51510 MODERATE 3 months ago
MoonShine v3.12.5 was discovered to contain a SQL injection vulnerability via the Data parameter under the Blog module.
packagist
No PRs yet
moonshine Stored Cross-Site Scripting Vulnerability in Create Article
GHSA-p632-58pp-c9xg CVE-2025-51487 MODERATE 3 months ago
A stored cross-site scripting (XSS) vulnerability in the Create Article function of MoonShine v3.12.3 allows attackers to execute arbitrary web scr...
packagist
No PRs yet
moonshine Stored Cross-Site Scripting Vulnerability in Create Admin
GHSA-rh9f-gr6q-mpc4 CVE-2025-51488 MODERATE 3 months ago
A stored cross-site scripting (XSS) vulnerability in the Create Admin function of MoonShine v3.12.3 allows attackers to execute arbitrary web scrip...
packagist
No PRs yet
Liferay Portal Email Modification Vulnerability via Calendar Portlet
GHSA-7mxq-h2r7-h449 CVE-2025-43739 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 202...
maven
No PRs yet
Liferay Portal has Stored Cross-Site Scripting Vulnerability via Message Boards Feature
GHSA-22jp-w3cg-gvmm CVE-2025-43740 MODERATE 3 months ago
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1...
maven
No PRs yet
LibreNMS allows stored XSS in Alert Template name field
GHSA-vxq6-8cwm-wj99 CVE-2025-55296 MODERATE 3 months ago
Summary: A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (<= 25.6.0) in the Alert Template creation feature. This allows a...
packagist
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting
GHSA-3p2m-574v-v257 CVE-2025-43731 MODERATE 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 20...
maven
No PRs yet
Copier's safe template has filesystem write access outside destination path
GHSA-p7q8-grrj-3m8w CVE-2025-55214 MODERATE 3 months ago
Impact: Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use [unsafe](https://copier.readthedoc...
pypi
No PRs yet
OpenFGA Authorization Bypass
GHSA-mgh9-4mwp-fg55 CVE-2025-55213 MODERATE 3 months ago
Overview: OpenFGA v1.9.3 to v1.9.4 (openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v1.9.4) are vulnerable to improper pol...
go
No PRs yet
Capsule tenant owners with "patch namespace" permission can hijack system namespaces label
GHSA-fcpm-6mxq-m5vv CVE-2025-55205 CRITICAL 3 months ago
Summary: A namespace label injection vulnerability in Capsule v0.10.3 allows authenticated tenant users to inject arbitrary labels into system n...
go
No PRs yet
Copier's safe template has arbitrary filesystem read/write access
GHSA-3xw7-v6cj-5q8h CVE-2025-55201 HIGH 3 months ago
Impact: Copier's current security model is meant to restrict filesystem access through Jinja: files can only be read using `{% include ... %}`, wh...
pypi
No PRs yet
Claude Code's Permissive Default Allowlist Enables Unauthorized File Read and Network Exfiltration in Claude Code
GHSA-x5gv-jw7f-j6xj CVE-2025-55284 HIGH 3 months ago
Due to an overly broad allowlist of safe commands, it was possible to bypass the Claude Code confirmation prompts to read a file and then send file...
npm
No PRs yet
Liferay Portal Login Bypass Vulnerability
GHSA-g4wg-mpfg-x2q6 CVE-2025-3639 LOW 3 months ago
Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024....
maven
No PRs yet
Liferay Portal Vulnerable to Insecure Direct Object Reference
GHSA-v6xr-v2qg-h22h CVE-2025-43732 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 20...
maven
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting
GHSA-vhcr-hgc8-29qr CVE-2025-43733 LOW 3 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7 allows a remote a...
maven
No PRs yet
IdMap from_iter may lead to uninitialized memory being freed on drop
GHSA-qq4c-hm99-979m MODERATE 3 months ago
Due to a flaw in the constructor `id_map::IdMap::from_iter`, ill-formed objects may be created in which the amount of actually initialized memory i...
cargo
No PRs yet
Spring Framework MVC Applications Path Traversal Vulnerability
GHSA-r936-gwx5-v52f CVE-2025-41242 MODERATE 3 months ago
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An app...
maven
No PRs yet
ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/users.js
GHSA-q4rg-7cjj-5r86 CVE-2025-9095 MODERATE 3 months ago
A cross-site scripting (XSS) issue exists in ExpressGateway up to 1.16.10 in the REST endpoint implemented in lib/rest/routes/users.js. User-contro...
npm
No PRs yet
ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/apps.js
GHSA-xfp8-x3j6-h67v CVE-2025-9096 MODERATE 3 months ago
A cross-site scripting (XSS) issue exists in ExpressGateway ≤ 1.16.10 in lib/rest/routes/apps.js. User-controlled data returned by the REST endpoin...
npm
No PRs yet
Bouncy Castle for Java Uncontrolled Resource Consumption Vulnerability
GHSA-v6cf-mv9h-c8mc CVE-2025-9092 LOW 4 months ago
Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 bc-fips (API modules) all...
maven
No PRs yet
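The cards on this page follow a fixed layout (title, id line, truncated description, ecosystem, PR status), so the listing can be fed straight into a triage script. Below is an added example, not code from this index site, from GitHub or from any project listed here: it parses a constructed excerpt of the listing, rejects identifiers that do not fit the GHSA or CVE format, recomputes the headline counters and ranks the HIGH and CRITICAL advisories that still show "No PRs yet". `Advisory`, `parse_listing`, `summarize` and `unpatched_by_priority` are names chosen for the example.

```python
"""Triage helper for a Dependabot advisory listing like the one above (added
example, not the index site's code). Parses the page's card layout, validates
the GHSA/CVE ids, recomputes the counters and lists what has no PR yet."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# GHSA ids: three groups of four from a 20-character alphabet (digits 2-9 plus cfghjmpqrvwx).
GHSA_RE = re.compile(r"^GHSA(?:-[23456789cfghjmpqrvwx]{4}){3}$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
HEADER_RE = re.compile(r"^(?P<ghsa>GHSA-\S+)(?: (?P<cve>CVE-\S+))?"
                       r" (?P<sev>CRITICAL|HIGH|MODERATE|LOW) (?P<age>.+)$")
PR_LINE_RE = re.compile(r"^(\d+)(?: Dependabot PRs?)?$")
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MODERATE": 2, "LOW": 1}


@dataclass(frozen=True)
class Advisory:
    title: str
    ghsa: str
    cve: Optional[str]
    severity: str
    ecosystem: str
    dependabot_prs: int


def is_well_formed(ghsa: str, cve: Optional[str] = None) -> bool:
    """Reject ids that look plausible but cannot be real GHSA or CVE ids."""
    return bool(GHSA_RE.match(ghsa)) and (cve is None or bool(CVE_RE.match(cve)))


def parse_listing(text: str) -> list[Advisory]:
    """A card is: title / 'GHSA-... [CVE-...] SEVERITY age' / description / ecosystem /
    PR status ('No PRs yet', '<n> Dependabot PRs', or '<n>' with the label on the next line)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    advisories: list[Advisory] = []
    i = 0
    while i < len(lines):
        if i + 4 >= len(lines):
            raise ValueError(f"truncated card starting at {lines[i]!r}")
        title, header, _description, ecosystem, pr_line = lines[i:i + 5]
        m = HEADER_RE.match(header)
        if not m or not is_well_formed(m["ghsa"], m["cve"]):
            raise ValueError(f"bad id line for {title!r}: {header!r}")
        i += 5
        if pr_line == "No PRs yet":
            prs = 0
        else:
            pm = PR_LINE_RE.match(pr_line)
            if not pm:
                raise ValueError(f"unexpected PR status for {title!r}: {pr_line!r}")
            prs = int(pm.group(1))
            if i < len(lines) and lines[i].startswith("Dependabot PR"):
                i += 1  # two-line form: the count, then its label
        advisories.append(Advisory(title, m["ghsa"], m["cve"], m["sev"], ecosystem, prs))
    return advisories


def summarize(advisories: list[Advisory]) -> dict:
    """The headline counters the index shows, recomputed from the parsed cards."""
    by_sev = Counter(a.severity for a in advisories)
    return {"total": len(advisories),
            "with_prs": sum(1 for a in advisories if a.dependabot_prs > 0),
            "critical": by_sev["CRITICAL"], "high": by_sev["HIGH"],
            "by_ecosystem": dict(Counter(a.ecosystem for a in advisories))}


def unpatched_by_priority(advisories: list[Advisory], floor: str = "HIGH") -> list[Advisory]:
    """Advisories at or above `floor` with no Dependabot PR, most severe first. A missing
    PR can mean no fixed release, a fix that is not a version bump, or nothing indexed yet,
    so this is the queue that needs a human look rather than a merge."""
    todo = [a for a in advisories
            if a.dependabot_prs == 0 and SEVERITY_RANK[a.severity] >= SEVERITY_RANK[floor]]
    return sorted(todo, key=lambda a: (-SEVERITY_RANK[a.severity], a.ecosystem, a.ghsa))


# Constructed sample: four cards copied from the listing, in the page's own layout.
SAMPLE = """
Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF
GHSA-p72g-pv48-7w9x CVE-2025-54988 CRITICAL 3 months ago
Critical XXE in Apache Tika (tika-parser-pdf-module) ...
maven
1
Dependabot PRs
Eclipse Jetty affected by MadeYouReset HTTP/2 vulnerability
GHSA-mmxm-8w33-wc4h CVE-2025-5115 HIGH 3 months ago
Technical explanation of a newly discovered vulnerability in HTTP/2 ...
maven
1 Dependabot PR
x402 SDK vulnerable in outdated versions in resource servers for builders
GHSA-3j63-5h8p-gf7c HIGH 3 months ago
There is a security vulnerability in outdated versions of the x402 SDK ...
npm
No PRs yet
HydrAIDE Authentication Bypass Vulnerability
GHSA-qp7j-x725-g67f CRITICAL 3 months ago
There is no authentication of any kind ...
go
No PRs yet
"""

ADVISORIES = parse_listing(SAMPLE)
```

On the sample, `summarize` reports 4 advisories, 2 with PRs, 2 critical and 2 high, and `unpatched_by_priority` returns HydrAIDE before x402. A "No PRs yet" card is not a sign that nothing is wrong: it may mean no fixed release exists, that the fix is not a dependency bump (the nginx-defender default-credentials entry is a configuration change), or only that no indexed repository has received a PR. Treat that output as the manual-review queue, and validate identifiers before pasting them into a tracker, since a mistyped GHSA id silently matches nothing.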