Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,785 Total Advisories
1,792 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity
XWiki leaks password hashes and other accessible password properties
GHSA-r38m-cgpg-qj69 CVE-2025-54124 HIGH 4 months ago
### Impact
Any user with edit right on a page of the wiki can create an XClass with a database list property that references a password property, f...
maven
No PRs yet
XWiki allows Reflected XSS in two templates
GHSA-m9x4-w7p9-mxhx CVE-2025-32430 MODERATE 4 months ago
### Impact
Reflected XSS vulnerabilities in two templates allow an attacker to execute malicious JavaScript code in the context of the victim's ses...
maven
No PRs yet
ThinkPHP Path Traversal Vulnerability
GHSA-mrwc-mvr8-9xq5 CVE-2025-50706 CRITICAL 4 months ago
An issue in ThinkPHP Framework v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function.
packagist
No PRs yet
FPDI allows Memory Exhaustion (OOM) in PDF Parser which leads to Denial of Service
GHSA-jxhh-4648-vpp3 CVE-2025-54869 MODERATE 4 months ago
### Impact
This is a significant Denial of Service (DoS) vulnerability. Any application that uses FPDI to process
user-supplied PDF files is at ris...
packagist
28 Dependabot PRs, 39% Merged
Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder
GHSA-qx2q-88mx-vhg7 CVE-2025-54801 HIGH 4 months ago
### Description
When using Fiber's `Ctx.BodyParser` to parse form data containing a large numeric key that represents a slice index (e.g., `test.1...
go
No PRs yet
mcp-package-docs vulnerable to command injection in several tools
GHSA-vf9j-h32g-2764 CVE-2025-54073 HIGH 4 months ago
### Summary
A command injection vulnerability exists in the `mcp-package-docs` MCP Server. The vulnerability is caused by the unsanitized use of i...
npm
No PRs yet
Liferay Portal CAPTCHA Bypass for Gogo Shell
GHSA-3j6h-5v68-hvqg CVE-2025-4604 MODERATE 4 months ago
The vulnerable code can bypass the Captcha check in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q...
maven
No PRs yet
RatPanel can perform remote command execution without authorization
GHSA-fm3m-jrgm-5ppg CVE-2025-53534 HIGH 4 months ago
### Summary
* When an attacker obtains the backend login path of RatPanel (including but not limited to weak default paths, brute-force cracking, ...
go
No PRs yet
russh is missing overflow checks during channel windows adjust
GHSA-h5rc-j5f5-3gcm CVE-2025-54804 MODERATE 4 months ago
### Summary
The channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a chan...
cargo
17 Dependabot PRs, 29% Merged
js-toml Prototype Pollution Vulnerability
GHSA-65fc-cr5f-v7r2 CVE-2025-54803 HIGH 4 months ago
A prototype pollution vulnerability in `js-toml` allows a remote attacker to add or modify properties of the global `Object.prototype` by parsing a...
npm
No PRs yet
pyLoad CNL Blueprint allows Path Traversal through `dlc_path` which leads to Remote Code Execution (RCE)
GHSA-48rp-jc79-2264 CVE-2025-54802 CRITICAL 4 months ago
### Summary
**Path Traversal in pyLoad-ng CNL Blueprint via `package` parameter allows Arbitrary File Write leading to Remote Code Execution (RCE)*...
pypi
No PRs yet
copyparty allows Regex Denial of Service (ReDoS) in the upload listing
GHSA-5662-2rj7-f2v6 CVE-2025-54796 HIGH 4 months ago
### Summary
The `filter` parameter for the "Recent uploads" page allows arbitrary Regexes. If this feature is enabled (which is the default), an at...
pypi
No PRs yet
Claude Code echo command allowed bypass of user approval prompt for command execution
GHSA-x56v-x2h6-7j34 CVE-2025-54795 HIGH 4 months ago
Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Rel...
npm
No PRs yet
Claude Code Research Preview has a Path Restriction Bypass which could allow unauthorized file access
GHSA-pmw4-pwvc-3hx2 CVE-2025-54794 HIGH 4 months ago
Due to a path validation flaw using prefix matching instead of canonical path comparison, it was possible to bypass directory restrictions and acce...
npm
No PRs yet
The ADOdb sqlite3 driver allows SQL injection
GHSA-vf2r-cxg9-p7rf CVE-2025-54119 CRITICAL 4 months ago
Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 da...
packagist
11 Dependabot PRs, 18% Merged
IPX Allows Path Traversal via Prefix Matching Bypass
GHSA-mm3p-j368-7jcr CVE-2025-54387 MODERATE 4 months ago
### Summary
The approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directori...
npm
No PRs yet
Grafana Infinity Datasource Plugin SSRF Vulnerability
GHSA-3c93-92r7-j934 CVE-2025-8341 MODERATE 4 months ago
Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing...
go
No PRs yet
Apache Zeppelin: Missing Origin Validation in WebSockets vulnerability
GHSA-xg8j-j6vp-6h5w CVE-2024-51775 MODERATE 4 months ago
Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin.
The attacker could access the Zeppelin server from another origin withou...
maven
No PRs yet
Apache Zeppelin: XSS in the Helium module
GHSA-p288-459w-jxj6 CVE-2024-41177 MODERATE 4 months ago
Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.
This issue affects Apache Zeppelin: before 0.12.0.
Users are recom...
maven
No PRs yet
Apache Zeppelin: Arbitrary file read by adding malicious JDBC connection string
GHSA-jr43-q92q-5q82 CVE-2024-52279 MODERATE 4 months ago
Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input...
maven
No PRs yet
@nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers
GHSA-85cg-cmq5-qjm7 CVE-2025-54782 CRITICAL 4 months ago
## Summary
A critical Remote Code Execution (RCE) vulnerability was discovered in the `@nestjs/devtools-integration` package. When enabled, the pac...
npm
No PRs yet
Hashicorp Vault has Lockout Feature Authentication Bypass
GHSA-qgj7-fmq2-6cc4 CVE-2025-6004 MODERATE 4 months ago
Vault and Vault Enterprise’s (“Vault”) user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Communit...
go
13 Dependabot PRs, 7% Merged
Hashicorp Vault has Privilege Escalation Vulnerability
GHSA-6h4p-m86h-hhgh CVE-2025-5999 HIGH 4 months ago
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privi...
go
8 Dependabot PRs, 25% Merged
Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration
GHSA-mr4h-qf9j-f665 CVE-2025-6000 CRITICAL 4 months ago
A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a ...
go
13 Dependabot PRs, 7% Merged
Hashicorp Vault has Incorrect Validation for Non-CA Certificates
GHSA-6c5r-4wfc-3mcx CVE-2025-6037 MODERATE 4 months ago
Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certi...
go
12 Dependabot PRs
Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability
GHSA-v6r4-35f9-9rpw CVE-2025-6015 MODERATE 4 months ago
Vault and Vault Enterprise’s (“Vault”) login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1....
go
13 Dependabot PRs, 7% Merged
Hashicorp Vault has an Observable Discrepancy on Existing and Non-Existing Users
GHSA-mwgr-84fv-3jh9 CVE-2025-6011 LOW 4 months ago
A timing side channel in Vault and Vault Enterprise’s (“Vault”) userpass auth method allowed an attacker to distinguish between existing and non-ex...
go
13 Dependabot PRs, 7% Merged
Hashicorp Vault's TOTP Secrets Engine Susceptible to Code Reuse
GHSA-qv3p-fmv3-9hww CVE-2025-6014 MODERATE 4 months ago
Vault and Vault Enterprise’s (“Vault”) TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed ...
go
13 Dependabot PRs, 7% Merged
Microweber XSS Vulnerability in the homepage Endpoint
GHSA-2x2j-3c2v-g3c2 CVE-2025-51504 MODERATE 4 months ago
Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS) in the /projects/profile, homepage endpoint via the last name field.
packagist
No PRs yet
Microweber has Reflected XSS Vulnerability in the layout Parameter
GHSA-mvj3-hc7j-vp74 CVE-2025-51502 MODERATE 4 months ago
Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript exec...
packagist
No PRs yet
Microweber has Reflected XSS Vulnerability in the id Parameter
GHSA-8357-fjvx-xrm8 CVE-2025-51501 MODERATE 4 months ago
Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS 2.0 allows execution of arb...
packagist
No PRs yet
OpenSearch unauthorized data access on fields protected by field level security if field is a member of an object
GHSA-2rjv-cv85-xhgm MODERATE 4 months ago
### Impact
OpenSearch versions 2.19.2 and earlier improperly apply Field Level Security (FLS) rules on fields which are not at the top level of th...
maven
No PRs yet
OpenSearch unauthorized data access on fields protected by field masking for fields of type ip, geo_point, geo_shape, xy_point, xy_shape
GHSA-rrmm-wq7q-h4v5 MODERATE 4 months ago
### Impact
OpenSearch versions 2.19.2 and earlier improperly apply field masking rules on fields of the types `ip`, `geo_point`, `geo_shape`, `xy_...
maven
No PRs yet
1Panel agent certificate verification bypass leading to arbitrary command execution
GHSA-8j63-96wh-wh3j CVE-2025-54424 HIGH 4 months ago
### Project Address: [1Panel](https://github.com/1Panel-dev/1Panel)
### Official website: https://www.1panel.cn/
### Time: 2025 07 ...
go
No PRs yet
Traefik Client Plugin's Path Traversal Vulnerability Allows Arbitrary File Overwrite and Remote Code Execution
GHSA-q6gg-9f92-r9wg CVE-2025-54386 HIGH 4 months ago
### Summary
A path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP a...
go
No PRs yet
MaterialX Lack of MTLX Import Depth Limit Leads to DoS (Denial-Of-Service) Via Stack Exhaustion
GHSA-qc2h-74x3-4v3w CVE-2025-53012 MODERATE 4 months ago
### Summary
Nested imports of MaterialX files can lead to a crash via stack memory exhaustion, due to the lack of a limit on the "import chain" dep...
pypi
No PRs yet
MaterialX Stack Overflow via Lack of MTLX XML Parsing Recursion Limit
GHSA-wx6g-fm6f-w822 CVE-2025-53009 MODERATE 4 months ago
### Summary
When parsing an MTLX file with multiple nested `nodegraph` implementations, the MaterialX XML parsing logic can potentially crash due ...
pypi
No PRs yet
num2words subjected to phishing attack, two versions published containing malware
GHSA-jxr6-qrxx-2ph2 CRITICAL 4 months ago
The `num2words` project was compromised via a phishing attack and two new versions were uploaded to PyPI containing malicious code. The affected ve...
pypi
No PRs yet
OpenEXR Out-Of-Memory via Unbounded File Header Values
GHSA-x22w-82jp-8rvf CVE-2025-48074 MODERATE 4 months ago
### Summary
The OpenEXR file format defines much information about the final image inside of the file header, such as the size of data/display wind...
pypi
No PRs yet
OpenEXR ScanLineProcess::run_fill NULL Pointer Write In "reduceMemory" Mode
GHSA-qhpm-86v7-phmm CVE-2025-48073 MODERATE 4 months ago
### Summary
When reading a deep scanline image with a large sample count in `reduceMemory` mode, it is possible to crash a target application with...
pypi
No PRs yet
OpenEXR Out of Bounds Heap Read due to Bad Pointer Arithmetic in LossyDctDecoder_execute
GHSA-4r7w-q3jg-ff43 CVE-2025-48072 MODERATE 4 months ago
### Summary
The OpenEXRCore code is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing D...
pypi
No PRs yet
OpenEXR Heap-Based Buffer Overflow in Deep Scanline Parsing via Forged Unpacked Size
GHSA-h45x-qhg2-q375 CVE-2025-48071 HIGH 4 months ago
### Summary
The OpenEXRCore code is vulnerable to a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-l...
pypi
No PRs yet
Microweber Has Stored XSS Vulnerability in User Profile Fields
GHSA-782f-gxj5-xvqc CVE-2025-51503 LOW 4 months ago
A Stored Cross-Site Scripting (XSS) vulnerability in Microweber CMS 2.0 allows attackers to inject malicious scripts into user profile fields, lead...
packagist
No PRs yet
MaterialX Null Pointer Dereference in MaterialXCore Shader Generation due to Unchecked implGraphOutput
GHSA-7qw8-3vmf-gj32 CVE-2025-53011 LOW 4 months ago
### Summary
When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with m...
pypi
No PRs yet
MaterialX Null Pointer Dereference in getShaderNodes due to Unchecked nodeGraph->getOutput return
GHSA-3jhf-gxhr-q4cx CVE-2025-53010 LOW 4 months ago
### Summary
When parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with m...
pypi
No PRs yet
@nyariv/sandboxjs has Prototype Pollution vulnerability that may lead to RCE
GHSA-9qm3-6qrr-c76m CVE-2025-34146 HIGH 4 months ago
A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.p...
npm
No PRs yet
MS SWIFT Deserialization RCE Vulnerability
GHSA-r54c-2xmf-2cf3 MODERATE 4 months ago
This appears to be a security vulnerability report describing a remote code execution (RCE) exploit in the ms-swift framework through malicious pic...
pypi
No PRs yet
MS SWIFT WEB-UI RCE Vulnerability
GHSA-7c78-rm87-5673 CVE-2025-41419 MODERATE 4 months ago
**I. Detailed Description:**
This includes scenarios, screenshots, vulnerability reproduction methods. For account-related vulnerabilities, pleas...
pypi
No PRs yet
MS SWIFT Remote Code Execution via unsafe PyYAML deserialization
GHSA-fm6c-f59h-7mmg CVE-2025-50460 LOW 4 months ago
## Description
A Remote Code Execution (RCE) vulnerability exists in the [modelscope/ms-swift](https://github.com/modelscope/ms-swift) project due...
pypi
No PRs yet
copyparty Reflected XSS via Filter Parameter
GHSA-8mx2-rjh8-q3jq CVE-2025-54589 MODERATE 4 months ago
### Summary
Unauthorized reflected Cross-Site-Scripting when accessing the URL for recent uploads with the `filter` parameter containing JavaScript...
pypi
No PRs yet