An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-42m6-5vm7-fjv2 CVE-2025-53857 LOW 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, allowing attackers to get channel subscription details with...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-j66h-xhpr-7q5g CVE-2025-54458 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the Confluence space, allowing attackers to create a subscription to a ...
go
No PRs yet
Mattermost Confluence Plugin has Improper Validation of Specified Type of Input
GHSA-3cg3-3mmr-w8hj CVE-2025-54525 HIGH 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to handle unexpected request bodies, allowing attackers to crash the plugin via constant hits to...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-v6c8-g53h-mc2h CVE-2025-53910 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, allowing attackers to create a channel subscription without...
go
No PRs yet
Mattermost Confluence Plugin is Missing Authentication for Critical Function
GHSA-qpjq-c5hr-7925 CVE-2025-54478 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to enforce user authentication of the Mattermost instance, allowing unauthenticated attackers to...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-qjrx-j8wm-xf83 CVE-2025-8285 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check the access of the user to the channel which allows attackers to create channel subscrip...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-cmpr-8prq-w5p5 CVE-2025-48731 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to Confluence spaces, which allows attackers to edit subscriptions for Conf...
go
No PRs yet
Mattermost Confluence Plugin is Missing Authentication for Critical Function
GHSA-6ff3-jgxh-vffj CVE-2025-44004 HIGH 4 months ago
Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to creat...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-rfg4-2m63-fw2q CVE-2025-49221 LOW 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to enforce authentication of the user to the Mattermost instance, which allows unauthenticated a...
go
No PRs yet
Mattermost Confluence Plugin has Missing Authorization vulnerability
GHSA-vpcr-fqpc-386h CVE-2025-44001 MODERATE 4 months ago
Mattermost Confluence Plugin versions < 1.5.0 fail to check user access to the channel, which allows attackers to get channel subscription details ...
go
No PRs yet
TinyScientist has Path Traversal Vulnerability in PDF Review Function (CWE-22)
GHSA-rrgf-hcr9-jq6h CVE-2025-55149 MODERATE 4 months ago
## Description A critical path traversal vulnerability (CWE-22) has been identified in the `review_paper` function in `backend/app.py`. The vulnera...
pypi
No PRs yet
Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery
GHSA-c6g5-g6r7-q4j6 CVE-2025-4655 MODERATE 4 months ago
An SSRF vulnerability in FreeMarker templates in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 thr...
maven
No PRs yet
Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery
GHSA-6v93-frf9-2rp8 CVE-2025-4581 MODERATE 4 months ago
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 202...
maven
No PRs yet
Craft CMS has a theoretical bypass for CVE-2025-23209
GHSA-2vcf-qxv3-2mgw CVE-2025-54417 MODERATE 4 months ago
**Pre-requisites:** * Have a compromised security key (https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret) * Somehow, man...
packagist
No PRs yet
Liferay Portal Reflected XSS in blogs-web
GHSA-6qcg-28jh-hm7r CVE-2025-4576 MODERATE 4 months ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.133, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 20...
maven
No PRs yet
The AuthKit Remix Library renders sensitive auth data in HTML
GHSA-v3gr-w9gf-23cx CVE-2025-55009 HIGH 4 months ago
### Summary Before `0.15.0`, `@workos-inc/authkit-remix` returned sensitive authentication artifacts from the `authkitLoader`, specifically `seale...
npm
No PRs yet
The AuthKit React Router Library rendered sensitive auth data in HTML
GHSA-vqvc-9q8x-vmq6 CVE-2025-55008 HIGH 4 months ago
In versions before `0.7.0`, `@workos-inc/authkit-react-router` exposed sensitive authentication artifacts — specifically `sealedSession` and `acces...
npm
No PRs yet
OpenBao LDAP MFA Enforcement Bypass When Using Username As Alias
GHSA-2q8q-8fgw-9p6p CVE-2025-55001 MODERATE 4 months ago
### Impact OpenBao allows assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When using t...
go
1 Dependabot PR, 100% merged
OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse
GHSA-rxp7-9q75-vj3p CVE-2025-55003 MODERATE 4 months ago
### Impact OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normali...
go
1 Dependabot PR, 100% merged
OpenBao TOTP Secrets Engine Code Reuse
GHSA-f7c3-mhj2-9pvg CVE-2025-55000 MODERATE 4 months ago
### Impact OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normaliz...
go
1 Dependabot PR, 100% merged
OpenBao has a Timing Side-Channel in the Userpass Auth Method
GHSA-hh28-h22f-8357 CVE-2025-54999 LOW 4 months ago
### Impact When using OpenBao's `userpass` auth method, user enumeration was possible due to timing difference between non-existent users and user...
go
1 Dependabot PR, 100% merged
OpenBao Userpass and LDAP User Lockout Bypass
GHSA-j3xv-7fxp-gfhx CVE-2025-54998 MODERATE 4 months ago
### Impact Attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different...
go
1 Dependabot PR, 100% merged
Privileged OpenBao Operator May Execute Code on the Underlying Host
GHSA-xp75-r577-cvhp CVE-2025-54997 CRITICAL 4 months ago
### Impact Under certain threat models, OpenBao operators with privileged API access may not be system administrators and thus normally lack the a...
go
1 Dependabot PR, 100% merged
OpenBao Root Namespace Operator May Elevate Token Privileges
GHSA-vf84-mxrq-crqc CVE-2025-54996 HIGH 4 months ago
### Impact Accounts with access to the highly-privileged identity entity system in the root namespace may increase their scope directly to the `ro...
go
1 Dependabot PR, 100% merged
@fedify/fedify has Improper Authentication and Incorrect Authorization
GHSA-6jcc-xgcr-q3h4 CVE-2025-54888 HIGH 4 months ago
### Summary An authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged acti...
npm
2 Dependabot PRs, 50% merged
Apache Seata: Deserialization of untrusted Data in Apache Seata Server
GHSA-g358-g2pq-c46j CVE-2025-53606 HIGH 4 months ago
Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): 2.4.0. Users are reco...
maven
No PRs yet
Apache CXF: Untrusted JMS configuration can lead to RCE
GHSA-g4px-6qhm-hqjm CVE-2025-48913 MODERATE 4 months ago
If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution c...
maven
No PRs yet
ExecuTorch integer overflow vulnerability
GHSA-84m3-f99p-cqx5 CVE-2025-30405 CRITICAL 4 months ago
An integer overflow vulnerability in the loading of ExecuTorch models can cause objects to be placed outside their allocated memory area, potential...
pypi
No PRs yet
ExecuTorch out-of-bounds access vulnerability
GHSA-f9hx-c6jf-3qxm CVE-2025-54950 CRITICAL 4 months ago
An out-of-bounds access vulnerability in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution o...
pypi
No PRs yet
ExecuTorch vulnerable to Heap-based Buffer Overflow
GHSA-xc7w-r669-48pf CVE-2025-54951 CRITICAL 4 months ago
A group of related buffer overflow vulnerabilities in the loading of ExecuTorch models can cause the runtime to crash and potentially result in cod...
pypi
No PRs yet
ExecuTorch integer overflow vulnerability
GHSA-hj95-mhgf-jxc4 CVE-2025-30404 CRITICAL 4 months ago
An integer overflow vulnerability in the loading of ExecuTorch models can cause overlapping allocations, potentially resulting in code execution or...
pypi
No PRs yet
ExecuTorch integer overflow vulnerability leads to code execution
GHSA-33r8-vrx9-rmcv CVE-2025-54952 MODERATE 4 months ago
An integer overflow vulnerability in the loading of ExecuTorch models can cause smaller-than-expected memory regions to be allocated, potentially r...
pypi
No PRs yet
ExecuTorch heap buffer overflow vulnerability
GHSA-9m39-3mf3-xwch CVE-2025-54949 CRITICAL 4 months ago
A heap buffer overflow vulnerability in the loading of ExecuTorch models can potentially result in code execution or other undesirable effects. Thi...
pypi
No PRs yet
operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd
GHSA-856v-8qm2-9wjv CVE-2025-7195 MODERATE 4 months ago
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK...
go
No PRs yet
JWE is missing AES-GCM authentication tag validation in encrypted JWE
GHSA-c7p4-hx26-pr73 CVE-2025-54887 CRITICAL 4 months ago
### Overview The authentication tag of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide w...
rubygems
7 Dependabot PRs, 71% merged
quiche connection ID retirement can trigger an infinite loop
GHSA-m3hh-f9gh-74c2 CVE-2025-7054 HIGH 4 months ago
## Impact Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames. QUIC...
cargo
2 Dependabot PRs
uv allows ZIP payload obfuscation through parsing differentials
GHSA-8qf3-x8v5-2pj8 CVE-2025-54368 MODERATE 4 months ago
## Impact In versions 0.8.5 and earlier of uv, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled agai...
pypi
260 Dependabot PRs, 18% merged
Ollama allows deletion of arbitrary files
GHSA-93jv-pvg8-hf3v CVE-2025-44779 MODERATE 4 months ago
An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull.
go
No PRs yet
SKOPS Card.get_model happily allows arbitrary code execution
GHSA-378x-6p4f-8jgm CVE-2025-54886 HIGH 4 months ago
## Summary The `Card` class of `skops`, used for model documentation and sharing, allows arbitrary code execution. When a file other than `.zip` i...
pypi
No PRs yet
Astro's duplicate trailing slash feature leads to an open redirection security issue
GHSA-cq8c-xv66-36gw CVE-2025-54793 MODERATE 4 months ago
## Summary There is an Open Redirection vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows...
npm
No PRs yet
The Thinbus Javascript Secure Remote Password (SRP) Client Generates Fewer Bits of Entropy Than Intended
GHSA-8q6v-474h-whgg CVE-2025-54885 MODERATE 4 months ago
### Impact A protocol compliance bug in thinbus-srp-npm versions prior to 2.0.1 causes the client to generate a fixed 252 bits of entropy instead o...
npm
No PRs yet
github.com/go-acme/lego/v4/acme/api does not enforce HTTPS
GHSA-q82r-2j7m-9rv4 CVE-2025-54799 LOW 4 months ago
## Summary It was discovered that the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce H...
go
1 Dependabot PR, 100% merged
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
GHSA-52f5-9888-hmc6 CVE-2025-54798 LOW 4 months ago
### Summary `tmp@0.2.3` is vulnerable to an Arbitrary temporary file / directory write via symbolic link `dir` parameter. ### Details According...
npm
7282 Dependabot PRs, 20% merged
Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability
GHSA-9356-575x-2w9m CVE-2025-5197 MODERATE 4 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weigh...
pypi
16 Dependabot PRs
HashiCorp Vault ldap auth method may not have correctly enforced MFA
GHSA-7rx2-769v-hrwf CVE-2025-6013 MODERATE 4 months ago
Vault and Vault Enterprise’s (“Vault”) ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had mul...
go
1 Dependabot PR, 100% merged
Shopware race condition bypasses voucher restrictions
GHSA-27gv-mg7w-mm34 CVE-2025-7954 MODERATE 4 months ago
A race condition vulnerability has been identified in Shopware's voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended vouc...
packagist
No PRs yet
Concrete CMS vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation Messages Dashboard Page
GHSA-4pcg-pjp5-3mc6 CVE-2025-8571 MODERATE 4 months ago
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Pag...
packagist
No PRs yet
Concrete CMS is vulnerable to Stored XSS from Home Folder on Members Dashboard page
GHSA-c5xf-rmv4-j85h CVE-2025-8573 LOW 4 months ago
Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue...
packagist
No PRs yet
RISC Zero Underconstrained Vulnerability: Division
GHSA-f6rc-24x4-ppxp CVE-2025-54873 LOW 4 months ago
Two issues were found: For some inputs to signed integer division, the circuit allowed two outputs, only one of which was valid. Additionally, the...
cargo
9 Dependabot PRs
XWiki exposes passwords and emails stored in fields not named password/email in xml.vm
GHSA-57q2-6cp4-9mq3 CVE-2025-54125 HIGH 4 months ago
### Impact The XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending `?xpage=xml` to the URL incl...
maven
No PRs yet