An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total advisories: 24,785
With Dependabot PRs: 1,792
Critical severity: 3,506
High severity: 8,617

Apache JSPWiki Cross-Site Scripting (XSS) Vulnerability via Header Link Rendering
GHSA-rrff-chj9-w4c7 | CVE-2025-24853 | MODERATE | 4 months ago | maven | No PRs yet
A carefully crafted request when creating a header link using the wiki markup syntax, which could allow the attacker to execute javascript in the v...

Apache JSPWiki Cross-Site Scripting (XSS) Vulnerability in the Image Plugin
GHSA-72ww-4rcw-mc62 | CVE-2025-24854 | MODERATE | 4 months ago | maven | No PRs yet
A carefully crafted request using the Image plugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute ...

OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion
GHSA-7rh7-c77v-6434 | CVE-2025-54576 | CRITICAL | 4 months ago | go | 3 Dependabot PRs
Impact: This vulnerability affects oauth2-proxy deployments using the `skip_auth_routes` configuration option with regex patterns. The vulnerabi...

Apache Struts Extras Before 2 has an Improper Output Neutralization for Logs Vulnerability
GHSA-cx25-xg7c-xfm5 | CVE-2025-54656 | MODERATE | 4 months ago | maven | No PRs yet
** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: b...

GitProxy Hidden Commits Injection
GHSA-v98g-8rqx-g93g | CVE-2025-54586 | HIGH | 4 months ago | npm | No PRs yet
Summary: An attacker can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden...

GitProxy New Branch Approval Exploit
GHSA-39p2-8hq9-fwj6 | CVE-2025-54585 | HIGH | 4 months ago | npm | No PRs yet
Summary: An attacker can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch. Bec...

GitProxy Backfile Parsing Exploit
GHSA-xxmh-rf63-qwjv | CVE-2025-54584 | HIGH | 4 months ago | npm | No PRs yet
Summary: An attacker can craft a malicious Git packfile to exploit the PACK signature detection in the `parsePush.ts`. By embedding a misleading...

GitProxy Approval Bypass When Pushing Multiple Branches
GHSA-qr93-8wwf-22g4 | CVE-2025-54583 | HIGH | 4 months ago | npm | No PRs yet
Summary: This vulnerability allows a user to push to the remote repository while bypassing policies and explicit approval. Since checks and plug...

vproxy Divide by Zero DoS Vulnerability
GHSA-7h24-c332-p48c | CVE-2025-54581 | HIGH | 4 months ago | cargo | No PRs yet
Summary: Untrusted, user-controlled data from the HTTP Proxy-Authorization header can induce a denial of service state. Details: Untrusted d...

OAuth2-Proxy's `--gitlab-group` GitLab Group Authorization config flag stopped working in v7.0.0
GHSA-652x-m2gr-hppm | CVE-2021-21411 | MODERATE | 4 months ago | go | No PRs yet
The `--gitlab-group` flag for group-based authorization in the GitLab provider stopped working in the v7.0.0 release. Regardless of the flag setti...

SixLabors ImageSharp Has Infinite Loop in GIF Decoder When Skipping Malformed Comment Extension Blocks
GHSA-rxmq-m78w-7wmc | CVE-2025-54575 | MODERATE | 4 months ago | nuget | No PRs yet
Impact: A specially crafted GIF file containing a malformed comment extension block (with a missing block terminator) can cause the ImageSharp G...

Ruby SAML DOS vulnerability with large SAML response
GHSA-rrqh-93c8-j966 | CVE-2025-54572 | MODERATE | 4 months ago | rubygems | 23 Dependabot PRs (52% merged)
Summary: A denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs b...

Pyload log Injection via API /json/add_package in add_name parameter
GHSA-3wwm-hjv7-23r3 | MODERATE | 4 months ago | pypi | No PRs yet
Summary: A log injection vulnerability was identified in `pyload` in API `/json/add_package`. This vulnerability allows user with add packages p...

Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled)
GHSA-27gp-8389-hm4w | CVE-2025-7784 | MODERATE | 4 months ago | maven | No PRs yet
A Privilege Escalation vulnerability was identified in the Keycloak identity and access management solution, specifically when FGAPv2 is enabled in...

Keycloak phishing attack via email verification step in first login flow
GHSA-xhpr-465j-7p9q | CVE-2025-7365 | MODERATE | 4 months ago | maven | No PRs yet
There is a flaw with the first login flow where, during an IdP login, an attacker with a registered account can initiate the process to merge accoun...

Bacula-web SQL Injection Vulnerability
GHSA-hq25-vp56-qr86 | CVE-2025-45346 | HIGH | 4 months ago | packagist | No PRs yet
SQL Injection vulnerability in Bacula-web before v.9.7.1 allows a remote attacker to execute arbitrary code via a crafted HTTP GET request.

Bugsink path traversal via event_id in ingestion
GHSA-q78p-g86f-jg6q | CVE-2025-54433 | HIGH | 4 months ago | pypi | No PRs yet
Summary: In affected versions, ingestion paths construct file locations directly from untrusted `event_id` input without validation. A specially...

Moby firewalld reload removes bridge network isolation
GHSA-4vq8-7jfc-9cvp | CVE-2025-54410 | LOW | 4 months ago | go | No PRs yet
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various o...

Moby firewalld reload makes published container ports accessible from remote hosts
GHSA-x4rx-4gw3-53p4 | CVE-2025-54388 | MODERATE | 4 months ago | go | 715 Dependabot PRs (24% merged)
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various o...

BentoML SSRF Vulnerability in File Upload Processing
GHSA-mrmq-3q62-6cc8 | CVE-2025-54381 | CRITICAL | 4 months ago | pypi | No PRs yet
Description: There's an SSRF in the file upload processing system that allows remote attackers to make arbitrary HTTP requests from the server ...

Koa Open Redirect via Referrer Header (User-Controlled)
GHSA-jgmv-j7ww-jx2x | CVE-2025-8129 | LOW | 4 months ago | npm | 33 Dependabot PRs (3% merged)
Summary: In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-contro...

Umbraco Delivery API allows for cached requests to be returned with an invalid API key
GHSA-75vq-qvhr-7ffr | CVE-2025-54425 | MODERATE | 4 months ago | nuget | 18 Dependabot PRs (5% merged)
Impact: Umbraco's content delivery API (https://docs.umbraco.com/umbraco-cms/reference/content-delivery-api) can be restricted from public acce...

Memos has Cross-Site Scripting (XSS) Vulnerability in Image URLs
GHSA-hfcf-79gh-f3jc | CVE-2025-50738 | MODERATE | 4 months ago | go | No PRs yet
The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing ...

z-push/z-push-dev SQL Injection Vulnerability
GHSA-w832-w3p8-cw29 | CVE-2025-8264 | HIGH | 4 months ago | packagist | No PRs yet
Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attac...

Netavark Has Possible DNS Resolve Confusion
GHSA-rpcf-rmh6-42xr | CVE-2025-8283 | LOW | 4 months ago | cargo | No PRs yet
A vulnerability was found in the netavark package, a network stack for containers used with Podman. Due to dns.podman search domain being removed, ...

Node-SAML SAML Signature Verification Vulnerability
GHSA-4mxg-3p6v-xgq3 | CVE-2025-54419 | CRITICAL | 4 months ago | npm | No PRs yet
Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking sign...

copyparty has DOM-Based XSS vulnerability when displaying multimedia metadata
GHSA-9q4r-x2hj-jmvr | CVE-2025-54423 | MODERATE | 4 months ago | pypi | No PRs yet
Summary: An unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sanitization of multime...

webfinger.js Blind SSRF Vulnerability
GHSA-8xq3-w9fx-74rv | CVE-2025-54590 | MODERATE | 4 months ago | npm | No PRs yet
Description: The lookup function takes a user address for checking accounts as a feature, however, as per the ActivityPub spec (https://www.w3.o...

CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability
GHSA-9952-gv64-x94c | CVE-2025-54418 | CRITICAL | 4 months ago | packagist | No PRs yet
Impact: This vulnerability affects applications that: * Use the ImageMagick handler for image processing (`imagick` as the image library) * AN...

ssrfcheck has Incomplete IP Address Deny List that leads to Server-Side Request Forgery Vulnerability
GHSA-c2fv-2fmj-9xrx | CVE-2025-8267 | HIGH | 4 months ago | npm | No PRs yet
Versions of the package ssrfcheck below 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete denylist of IP address rang...

smolagents has Sandbox Escape Vulnerability in the local_python_executor.py Module
GHSA-6v92-r5mx-h5fx | CVE-2025-5120 | CRITICAL | 4 months ago | pypi | No PRs yet
A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution envir...

Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
GHSA-95jq-xph2-cx9h | CVE-2025-8101 | HIGH | 4 months ago | npm | No PRs yet
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting...

Opencast still publishes global system account credentials
GHSA-j63h-hmgw-x4j7 | CVE-2025-54380 | MODERATE | 4 months ago | maven | No PRs yet
Description: Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (ie: `org.opencastproject.secur...

HAX CMS API Lacks Authorization Checks
GHSA-9jr9-8ff3-m894 | CVE-2025-54378 | HIGH | 4 months ago | npm, packagist | No PRs yet
Summary: The HAX CMS API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CM...

tj-actions/branch-names has a Command Injection Vulnerability
GHSA-gq52-6phf-x2r6 | CVE-2025-54416 | CRITICAL | 4 months ago | actions | No PRs yet
Overview: A critical vulnerability has been identified in the `tj-actions/branch-names` GitHub Action workflow which allows arbitrary comm...

Skops may allow MethodNode to access unexpected object fields through dot notation, leading to arbitrary code execution at load time
GHSA-4v6w-xpmh-gfgp | CVE-2025-54413 | HIGH | 4 months ago | pypi | No PRs yet
Summary: An inconsistency in `MethodNode` can be exploited to access unexpected object fields through dot notation. This can be used to achieve ...

Skops has Inconsistent Trusted Type Validation that Enables Hidden `operator` Methods Execution
GHSA-m7f4-hrc6-fwg3 | CVE-2025-54412 | HIGH | 4 months ago | pypi | No PRs yet
Summary: An inconsistency in `OperatorFuncNode` can be exploited to hide the execution of untrusted `operator.xxx` methods. This can then be used...

Assemblyline 4 service client vulnerable to Arbitrary Write through path traversal in Client code
GHSA-75jv-vfxf-3865 | CVE-2025-55013 | MODERATE | 4 months ago | pypi | No PRs yet
Path-Traversal -> Arbitrary File Write in Assemblyline Service Client. IMPORTANT: This vulnerability is valid if you decide to use the asse...

XWiki Platform vulnerable to SQL injection through XWiki#searchDocuments API
GHSA-p9qm-p942-q3w5 | CVE-2025-54385 | HIGH | 4 months ago | maven | No PRs yet
Impact: It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY (https://docs.oracle.com/en/d...

Node-SAML SAML Authentication Bypass
GHSA-m837-g268-mmv7 | CVE-2025-54369 | CRITICAL | 4 months ago | npm | No PRs yet
Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking sign...

Calibre Web and Autocaliweb have OS Command Injection vulnerability
GHSA-qc4j-v7h6-xr5h | CVE-2025-7404 | MODERATE | 4 months ago | pypi | No PRs yet
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind O...

Calibre Web and Autocaliweb have a ReDoS vulnerability
GHSA-2g7m-ph9x-7q7m | CVE-2025-6998 | HIGH | 4 months ago | pypi | No PRs yet
ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denia...

XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter
GHSA-vr59-gm53-v7cq | CVE-2025-32429 | CRITICAL | 4 months ago | maven | No PRs yet
Impact: It's possible for anyone to inject SQL using the parameter sort of the `getdeleteddocuments.vm`. It's injected as is as an ORDER BY val...

eKuiper API endpoints handling SQL queries with user-controlled table names
GHSA-526j-mv3p-f4vv | CVE-2025-54379 | HIGH | 4 months ago | go | No PRs yet
Summary: A critical SQL Injection vulnerability exists in the `getLast` API functionality of the eKuiper project. This flaw allows unauthenticat...

ImageMagick has XMP profile write that triggers hang due to unbounded loop
GHSA-vmhh-8rxq-fp9g | CVE-2025-53015 | HIGH | 4 months ago | nuget | 5 Dependabot PRs
Summary: Infinite lines occur when writing during a specific XMP file conversion command. Details: #0 GetXmpNumeratorAndDenominator (deno...

Mezzanine CMS vulnerable to Cross-site Scripting
GHSA-269j-37ww-cmh3 | CVE-2025-50481 | MODERATE | 4 months ago | pypi | No PRs yet
A cross-site scripting (XSS) vulnerability in the component /blog/blogpost/add of Mezzanine CMS v6.1.0 allows attackers to execute arbitrary web sc...

Possible ORM Leak Vulnerability in the Harbor
GHSA-h27m-3qw8-3pw8 | CVE-2025-30086 | MODERATE | 4 months ago | go | No PRs yet
Impact: Administrator users on Harbor could exploit an ORM Leak (https://www.elttam.com/blog/plormbing-your-django-orm/) vulnerability that was...

FastAPI Guard has a regex bypass
GHSA-rrf6-pxg8-684g | CVE-2025-54365 | HIGH | 4 months ago | pypi | No PRs yet
Summary: The regular expression patched to mitigate the ReDoS vulnerability by limiting the length of string fails to catch inputs that exceed ...

Harbor repository description page has Cross-site Scripting vulnerability
GHSA-f9vc-vf3r-pqqq | CVE-2025-32019 | MODERATE | 4 months ago | go | No PRs yet
Impact: In the Harbor repository information, it is possible to inject code resulting in a stored XSS issue. Patches: Harbor v2.12.3 Harbor...

files-bucket-server vulnerable to Directory Traversal
GHSA-3r3j-4vrw-884j | CVE-2025-8021 | HIGH | 4 months ago | npm | No PRs yet
All versions of the package files-bucket-server are vulnerable to Directory Traversal, where an attacker can traverse the file system and access fi...