Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617
HashiCorp go-getter Vulnerable to Symlink Attacks
GHSA-wjrx-6529-hcj3 CVE-2025-8959 HIGH 4 months ago
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designa...
go · 244 Dependabot PRs · 15% Merged
Template Secret leakage in logs in Scaffolder when using `fetch:template`
GHSA-3x3q-ghcp-whf7 CVE-2025-55285 LOW 4 months ago
A logging flaw in Backstage Scaffolder’s `fetch:template` action up to `@backstage/plugin-scaffolder-backend` **2.1.0** may write template secrets ...
npm · No PRs yet
@astrojs/node's trailing slash handling causes open redirect issue
GHSA-9x9c-ghc5-jhw9 CVE-2025-55207 MODERATE 4 months ago
### Summary
Following https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in ...
npm · No PRs yet
User-defined implementations of the safe trait scratchpad::Tracking can cause heap buffer overflows
GHSA-77h3-w9rx-hj3q MODERATE 4 months ago
The `get` and `set` methods of the public trait `scratchpad::Tracking` interact with unsafe code regions in the crate, and they influence the compu...
cargo · No PRs yet
Information Disclosure in Amazon ECS Container Agent
GHSA-wm7x-ww72-r77q CVE-2025-9039 MODERATE 4 months ago
**Summary**
[Amazon Elastic Container Service (Amazon ECS)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html) is a fully ma...
go · No PRs yet
Youki: If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.
GHSA-j26p-6wx7-f3pw CVE-2025-54867 HIGH 4 months ago
### Summary
If `/proc` and `/sys` in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.
...
cargo · No PRs yet
Apache Superset data query improperly discloses database schema information to low-privileged guest user
GHSA-9g5x-mm39-wg9r CVE-2025-55673 MODERATE 4 months ago
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This f...
pypi · No PRs yet
Apache Superset's chart visualization has a stored Cross-Site Scripting (XSS) vulnerability
GHSA-fj97-2v9x-w5m4 CVE-2025-55672 MODERATE 4 months ago
A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit c...
pypi · No PRs yet
Apache Superset has bypass of `DISALLOWED_SQL_FUNCTIONS` that allows execution of blocked SQL functions
GHSA-fxgf-3xh6-m2pp CVE-2025-55674 MODERATE 4 months ago
A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use...
pypi · No PRs yet
Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access
GHSA-mhpq-m962-mg92 CVE-2025-55675 MODERATE 4 months ago
Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated u...
pypi · No PRs yet
Flowise OS command remote code execution
GHSA-2vv2-3x8x-4gv7 CVE-2025-8943 CRITICAL 4 months ago
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's i...
npm · No PRs yet
Active Storage allowed transformation methods that were potentially unsafe
GHSA-r4mg-4433-c7g3 CVE-2025-24293 CRITICAL 4 months ago
Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.
The default allowed list ...
rubygems · 7046 Dependabot PRs · 8% Merged
Helm May Panic Due To Incorrect YAML Content
GHSA-f9f8-9pmf-xv68 CVE-2025-55198 MODERATE 4 months ago
A Helm contributor discovered an improper validation of type error when parsing Chart.yaml and index.yaml files that can lead to a panic.
### Impa...
go · 365 Dependabot PRs · 18% Merged
Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion
GHSA-9h84-qmv7-982p CVE-2025-55199 MODERATE 4 months ago
A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and h...
go · 365 Dependabot PRs · 18% Merged
swift-nio-http2 affected by HTTP/2 MadeYouReset vulnerability
GHSA-xvr7-p2c6-j83w MODERATE 4 months ago
The HTTP/2 [MadeYouReset vulnerability](https://galbarnahum.com/made-you-reset) has a mild effect on swift-nio-http2.
swift-nio-http2 mostly prote...
swift · No PRs yet
m00nl1ght-dev/steam-workshop-deploy: Exposure of Version-Control Repository to an Unauthorized Control Sphere and Insufficiently Protected Credentials
GHSA-x6gv-2rvh-qmp6 CRITICAL 4 months ago
## Summary
The `steam-workshop-deploy` github action does not exclude the `.git` directory when packaging content for deployment and provides no bu...
actions · 12 Dependabot PRs · 50% Merged
Active Record logging vulnerable to ANSI escape injection
GHSA-76r7-hhxj-r776 CVE-2025-55193 MODERATE 4 months ago
This vulnerability has been assigned the CVE identifier CVE-2025-55193
### Impact
The ID passed to `find` or similar methods may be logged without...
rubygems · 7041 Dependabot PRs · 8% Merged
PyPDF's Manipulated FlateDecode streams can exhaust RAM
GHSA-7hfw-26vp-jp8m CVE-2025-55197 MODERATE 4 months ago
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a...
pypi · 16 Dependabot PRs
External Secrets Operator's Missing Namespace Restriction Allows Unauthorized Secret Access
GHSA-fcxq-v2r3-cc8h CVE-2025-55196 HIGH 4 months ago
## Summary
A vulnerability was discovered in the External Secrets Operator where the `List()` calls for Kubernetes Secret and SecretStore resources...
go · No PRs yet
Netty affected by MadeYouReset HTTP/2 DDoS vulnerability
GHSA-prj3-ccx8-p6x4 CVE-2025-55163 HIGH 4 months ago
Below is a technical explanation of a newly discovered vulnerability in HTTP/2, which we refer to as “MadeYouReset.”
### MadeYouReset Vulnerabilit...
maven · 70 Dependabot PRs · 27% Merged
OMERO.web displays unnecessary user information when requesting password reset
GHSA-gpmg-4x4g-mr5r CVE-2025-54791 MODERATE 4 months ago
### Background
If an error occurred when resetting a user's password using the ``Forgot Password`` option in OMERO.web, the error message displaye...
pypi · No PRs yet
OliveTin OS Command Injection vulnerability
GHSA-p3qf-84rg-jxfc CVE-2025-50946 HIGH 4 months ago
OS Command Injection in OliveTin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go.
go · No PRs yet
Apache Tomcat Improper Resource Shutdown or Release vulnerability
GHSA-gqp3-2cvr-x8m3 CVE-2025-48989 HIGH 4 months ago
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the MadeYouReset attack.
This issue affects Apach...
maven · 1 Dependabot PR · 100% Merged
Soosyze CMS's /user/login endpoint missing rate-limiting and lockout mechanisms
GHSA-vq9x-w82r-rhmc CVE-2025-52392 HIGH 4 months ago
Soosyze CMS 2.0 allows brute-force login attacks via the /user/login endpoint due to missing rate-limiting and lockout mechanisms. An attacker can ...
packagist · No PRs yet
Apache Tomcat Session Fixation vulnerability
GHSA-23hv-mwm6-g8jf CVE-2025-55668 MODERATE 4 months ago
Session Fixation vulnerability in Apache Tomcat via rewrite valve.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1...
maven · No PRs yet
Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation
GHSA-4cx2-fc23-5wg6 CVE-2025-8916 MODERATE 4 months ago
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpki...
maven · 10 Dependabot PRs
Liferay Portal 7.4.0 and Liferay DXP have a reflected cross-site scripting (XSS) vulnerability
GHSA-m5c7-5gv3-hcpf CVE-2025-43734 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2...
maven · No PRs yet
svg-sanitizer Bypasses Attribute Sanitization
GHSA-22wq-q86m-83fh CVE-2025-55166 MODERATE 4 months ago
#### Problem
The sanitization logic at https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481 only searches for lowe...
packagist · No PRs yet
Keras vulnerable to CVE-2025-1550 bypass via reuse of internal functionality
GHSA-c9rc-mg46-23w3 CVE-2025-8747 HIGH 4 months ago
### Summary
It is possible to bypass the mitigation introduced in response to [CVE-2025-1550](https://github.com/keras-team/keras/security/advisori...
pypi · No PRs yet
Magento Cross-Site Request Forgery (CSRF) vulnerability
GHSA-5777-jj7p-mpqw CVE-2025-49555 HIGH 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) ...
packagist · No PRs yet
Magento Cross-site Scripting vulnerability
GHSA-8mq8-c243-2335 CVE-2025-49557 HIGH 4 months ago
Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting...
packagist · No PRs yet
Magento vulnerable to path traversal
GHSA-h4f4-gv6h-x824 CVE-2025-49559 MODERATE 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname...
packagist · No PRs yet
Magento Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability
GHSA-wcmw-8xpp-rwfj CVE-2025-49558 MODERATE 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Time-of-check Time-of-use (TOCTOU)...
packagist · No PRs yet
Magento has incorrect authorization issue that leads to arbitrary file system read
GHSA-7hrj-3c9x-xv5h CVE-2025-49556 HIGH 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist · No PRs yet
Magento vulnerable to denial of service
GHSA-xgfm-992v-h2hr CVE-2025-49554 HIGH 4 months ago
Magento versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnera...
packagist · No PRs yet
content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE
GHSA-w2cq-g8g3-gm83 CVE-2025-55164 HIGH 4 months ago
### Impact
A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if you provide a policy name called `__proto__` you ca...
npm · No PRs yet
Liferay Portal and Liferay DXP have a reflected cross-site scripting vulnerability
GHSA-222w-xmc5-jhp3 CVE-2025-43735 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 20...
maven · No PRs yet
Bouncy Castle for Java on All (API modules) allows Excessive Allocation
GHSA-67mf-3cr5-8w23 CVE-2025-8885 MODERATE 4 months ago
A resource allocation vulnerability exists in Bouncy Castle for Java (by Legion of the Bouncy Castle Inc.) that affects all API modules. The vulner...
maven · No PRs yet
Liferay Portal and Liferay DXP have a Denial Of Service via File Upload (DOS) vulnerability
GHSA-cg99-m88x-422c CVE-2025-43736 MODERATE 4 months ago
A Denial Of Service via File Upload (DOS) vulnerability in Liferay Portal 7.4.3.0 through 7.4.3.132, Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024....
maven · No PRs yet
Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers
GHSA-r3v7-pc4g-7xp9 CVE-2025-55152 MODERATE 4 months ago
### Summary
With specially crafted value of the `x-forwarded-proto` or `x-forwarded-for` headers, it's possible to significantly slow down an oak ...
npm · No PRs yet
Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass
GHSA-9gvj-pp9x-gcfr HIGH 4 months ago
### Details
There's a parsing logic error in picklescan and modelscan while trying to deal with opcode `STACK_GLOBAL`.
Function `_list_globals` whe...
pypi · 2 Dependabot PRs · 50% Merged
PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter
GHSA-pwh4-6r3m-j2rf CVE-2025-55156 HIGH 4 months ago
### Summary
The parameter `add_links` in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensit...
pypi · No PRs yet
Komari vulnerable to 2FA Authentication Bypass
GHSA-jhmr-57cj-q6g9 HIGH 4 months ago
### Summary
Logic error in 2FA verification condition allows bypass of two-factor authentication
### Details
https://github.com/komari-monitor/k...
go · No PRs yet
Komari vulnerable to Cross-site WebSocket Hijacking
GHSA-q355-h244-969h HIGH 4 months ago
### Summary
WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users
...
go · No PRs yet
HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit
GHSA-xcxh-6cv4-q8p8 LOW 4 months ago
### Summary
When adding a "web link" to the HFS virtual filesystem, the frontend opens it with `target="_blank"` but without the `rel="noopener nor...
npm · No PRs yet
Litestar has potential log injection in exception logging
GHSA-674p-xv2x-rf3g LOW 4 months ago
### Summary
Litestar does not escape url paths when logging exceptions. This makes logger vulnerable to CRLF injection if logging level is configu...
pypi · No PRs yet
slab allows out-of-bounds access in `get_disjoint_mut` due to incorrect bounds check
GHSA-qx2v-8332-m4fv CVE-2025-55159 MODERATE 4 months ago
### Impact
The `get_disjoint_mut` method in slab v0.4.10 incorrectly checked if indices were within the slab's capacity instead of its length, all...
cargo · No PRs yet
Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions
GHSA-gjpm-6w34-ppvf CVE-2025-54463 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits t...
go · No PRs yet
Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions
GHSA-w92j-c6gr-hj8r CVE-2025-53514 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits t...
go · No PRs yet
Mattermost Confluence Plugin has Improper Check for Unusual or Exceptional Conditions
GHSA-vc77-c2hx-h5x2 CVE-2025-52931 HIGH 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits t...
go · No PRs yet