An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,921
With Dependabot PRs: 1,822
Critical Severity: 3,520
High Severity: 8,659

nest allows a remote attacker to execute arbitrary code via the Content-Type header
GHSA-cj7v-w2c7-cp7c CVE-2024-29409 MODERATE 9 months ago
File Upload vulnerability in nestjs nest prior to v.11.0.16 allows a remote attacker to execute arbitrary code via the Content-Type header.
npm
No PRs yet
Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API
GHSA-vv39-3w5q-974q CVE-2024-9042 MODERATE 9 months ago
A security vulnerability has been discovered in Kubernetes windows nodes that could allow a user with the ability to query a node's '/logs' endpoin...
go
No PRs yet
Kubernetes GitRepo Volume Inadvertent Local Repository Access
GHSA-3wgm-2gw2-vh5m CVE-2025-1767 MODERATE 9 months ago
A security vulnerability was discovered in Kubernetes that could allow a user with create pod permission to exploit gitRepo volumes to access local...
go
No PRs yet
Ed25519 Signature Malleability in ed25519-java Due to Missing Scalar Range Check
GHSA-p53j-g8pw-4w5f CVE-2020-36843 MODERATE 9 months ago
The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through 0.3.0 exhibits signature malleability and does not satisfy the SUF-CMA (Strong...
maven
8 Dependabot PRs, 12% merged
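The ed25519-java advisory above comes down to one missing comparison: a verifier that checks only the group equation S*B == R + k*A accepts any 256-bit encoding of S, so anyone holding a valid signature can publish a second valid one by adding the group order L to S. The block below is an added illustration, not ed25519-java's code (that project is Java); it is a reference-style, variable-time Ed25519 in pure Python with a constructed secret key and message, and it shows a lax verifier accepting the forged encoding while the RFC 8032 range check rejects it.

```python
# Added illustration of Ed25519 signature malleability; not ed25519-java's code.
# Reference-style affine arithmetic, variable-time: for demonstration only.
import hashlib

Q = 2**255 - 19                                       # field prime p
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
D = (-121665 * pow(121666, Q - 2, Q)) % Q             # curve constant d
SQRT_M1 = pow(2, (Q - 1) // 4, Q)                     # sqrt(-1) mod p


def _sha512(*parts):
    return hashlib.sha512(b"".join(parts)).digest()


def _xrecover(y):
    """Recover the even x with x^2 = (y^2 - 1) / (d y^2 + 1) mod p."""
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q != 0:
        x = (x * SQRT_M1) % Q
    return x if x % 2 == 0 else Q - x


_BY = (4 * pow(5, Q - 2, Q)) % Q
BASE = (_xrecover(_BY), _BY)


def _add(p, q):
    x1, y1 = p
    x2, y2 = q
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q)
    return (x3 % Q, y3 % Q)


def _mul(p, e):
    """Double-and-add scalar multiplication; (0, 1) is the identity."""
    acc = (0, 1)
    for i in reversed(range(e.bit_length())):
        acc = _add(acc, acc)
        if (e >> i) & 1:
            acc = _add(acc, p)
    return acc


def _encode_point(p):
    x, y = p
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def _decode_point(s):
    n = int.from_bytes(s, "little")
    y = n & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != (n >> 255):
        x = Q - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q != 0:
        raise ValueError("point is not on the curve")
    return (x, y)


def _expand(sk):
    """RFC 8032 key expansion: clamped scalar a and the nonce prefix."""
    h = _sha512(sk)
    a = int.from_bytes(h[:32], "little")
    return (a & ((1 << 254) - 8)) | (1 << 254), h[32:]


def public_key(sk):
    a, _ = _expand(sk)
    return _encode_point(_mul(BASE, a))


def sign(sk, msg):
    a, prefix = _expand(sk)
    pk = public_key(sk)
    r = int.from_bytes(_sha512(prefix, msg), "little") % L
    R = _encode_point(_mul(BASE, r))
    k = int.from_bytes(_sha512(R, pk, msg), "little")
    return R + ((r + k * a) % L).to_bytes(32, "little")


def verify_lax(pk, msg, sig):
    """Checks only S*B == R + k*A and accepts any 256-bit S. This is the flaw."""
    R = _decode_point(sig[:32])
    A = _decode_point(pk)
    S = int.from_bytes(sig[32:64], "little")
    k = int.from_bytes(_sha512(sig[:32], pk, msg), "little")
    return _mul(BASE, S) == _add(R, _mul(A, k))


def verify_strict(pk, msg, sig):
    """RFC 8032 rule: reject S >= L before touching the curve, so every
    signature has exactly one valid encoding (the SUF-CMA property)."""
    if len(sig) != 64 or int.from_bytes(sig[32:], "little") >= L:
        return False
    return verify_lax(pk, msg, sig)


def malleate(sig):
    """Second encoding of a valid signature, made without the private key:
    S' = S + L.  L*B is the identity, so S'*B == S*B, and S' < 2L < 2^256
    still fits in 32 bytes.  Only the range check tells the two apart."""
    S = int.from_bytes(sig[32:], "little")
    return sig[:32] + (S + L).to_bytes(32, "little")


# Constructed key and message for the demonstration.
SK = bytes(range(32))
PK = public_key(SK)
MSG = b"transfer 100 to carol"
SIG = sign(SK, MSG)
SIG2 = malleate(SIG)
```

Whether this matters depends on what sits on top of the signature: a protocol that deduplicates by signature bytes, or that uses the signature as a transaction or message identifier, treats SIG and SIG2 as two distinct events even though only one was ever signed. The strict check is the one-line fix and is what Go, libsodium and RFC 8032 verifiers already do.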
HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net
GHSA-qxp5-gwg8-xv66 CVE-2025-22870 MODERATE 9 months ago
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment v...
go
241 Dependabot PRs, 19% merged
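The golang.org/x/net advisory above is a host-classification bug: an IPv6 literal that carries a zone ID (the part after `%`) is not recognised as an address, falls through to the hostname rules, and is then suffix-matched against the domain entries of the proxy exception list with the zone still attached. The block below is an added model of that behaviour in Python, not golang.org/x/net's code; it uses the usual NO_PROXY rule set (IP/CIDR entries, domain suffixes, `*` wildcards), constructed host strings and a constructed NO_PROXY value, and puts the vulnerable classifier beside the fixed one.

```python
# Added model of NO_PROXY host matching; not golang.org/x/net's code.
# The rule set (IP/CIDR entries, domain-suffix entries, '*' wildcards) is the
# usual one; the hosts and NO_PROXY values below are constructed.
import ipaddress


def _parse_entries(no_proxy):
    """Split NO_PROXY into IP networks and lower-cased domain suffixes."""
    networks, suffixes = [], []
    for raw in no_proxy.split(","):
        entry = raw.strip().lower()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            suffixes.append(entry.lstrip("*").lstrip("."))
    return networks, suffixes


def _host_of(authority):
    """'[fe80::1%eth0]:443' -> 'fe80::1%eth0'; 'a.example.com:80' -> 'a.example.com'."""
    authority = authority.lower()
    if authority.startswith("["):
        return authority[1 : authority.index("]")]
    if authority.count(":") == 1:        # host:port, not a bare IPv6 literal
        return authority.rsplit(":", 1)[0]
    return authority


def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _matches(host, ip, networks, suffixes):
    if ip is not None:                   # literals match only IP/CIDR entries
        return any(ip in net for net in networks)
    return any(host == s or host.endswith("." + s) for s in suffixes)


def bypass_naive(authority, no_proxy):
    """Vulnerable model: the IP parser does not understand '%zone', so a zoned
    IPv6 literal is treated as a hostname and suffix-matched with the zone still
    attached.  Whoever controls the URL controls the zone, and so the suffix."""
    host = _host_of(authority)
    networks, suffixes = _parse_entries(no_proxy)
    ip = None if "%" in host else _as_ip(host)
    return _matches(host, ip, networks, suffixes)


def bypass_hardened(authority, no_proxy):
    """Fixed model: strip the zone ID before classifying the host.  An IPv6
    literal can then only match IP/CIDR entries, and a '%' in anything that is
    not an IP literal is simply not a valid hostname."""
    host = _host_of(authority)
    networks, suffixes = _parse_entries(no_proxy)
    addr, _, _zone = host.partition("%")
    ip = _as_ip(addr)
    if ip is None and "%" in host:
        return False
    return _matches(addr, ip, networks, suffixes)


NO_PROXY = "example.com, 10.0.0.0/8, ::1"
```

Note the second effect of the fix: with the zone stripped, `[::1%eth0]` now matches the listed `::1` entry, so the same bug also produced false negatives (traffic to a listed literal sent through the proxy) before it produced the false positive that lets `[fe80::1%x.example.com]` bypass it.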
Flarum Vulnerable to Session Hijacking via Authoritative Subdomain Cookie Overwrite
GHSA-hg9j-64wp-m9px CVE-2025-27794 MODERATE 9 months ago
## **Summary** A session hijacking vulnerability exists when an attacker-controlled **authoritative subdomain** under a parent domain (e.g., `sub...
packagist
No PRs yet
Apache Felix HTTP Webconsole Plugin: XSS in HTTP Webconsole Plugin
GHSA-2cv6-4f2r-jq2c CVE-2025-27867 MODERATE 9 months ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix HTTP Webconsole Plugin. This is...
maven
No PRs yet
Apache NiFi: Potential Insertion of MongoDB Password in Provenance Record
GHSA-35gq-cvrm-xf94 CVE-2025-27017 MODERATE 9 months ago
Apache NiFi 1.13.0 through 2.2.0 includes the username and password used to authenticate with MongoDB in the NiFi provenance events that MongoDB co...
maven
No PRs yet
laravel-crud-wizard-free has File Validation Bypass
GHSA-3wgq-h4fr-cwg5 MODERATE 9 months ago
### Impact Medium ### Patches Version 3.4.17 fixes illuminate/validation v 8.0.0 to 11.44.0 ### Workarounds Register \MacropaySolutions\LaravelCr...
packagist
No PRs yet
Apache Camel Message Header Injection through request parameters
GHSA-96v5-c2h5-56hm CVE-2025-29891 MODERATE 9 months ago
Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.9.0 before 4.10.2, from 4.0.0 before 4.8.5, from 3.10.0 be...
maven
No PRs yet
XPixelGroup BasicSR Command Injection
GHSA-86w8-vhw6-q9qq CVE-2024-27763 MODERATE 9 months ago
XPixelGroup BasicSR through 1.4.2 might locally allow code execution in contrived situations where "scontrol show hostname" is executed in the pres...
pypi
No PRs yet
Pimcore Vulnerable to SQL Injection in getRelationFilterCondition
GHSA-qjpx-5m2p-5pgh CVE-2025-27617 MODERATE 9 months ago
### Summary Authenticated users can craft a filter string used to cause a SQL injection. ### Details _Give all details on the vulnerability. Point...
packagist
No PRs yet
Rembg allows SSRF via /api/remove
GHSA-r5gx-c49x-h878 CVE-2025-25301 MODERATE 9 months ago
Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the /api/remove endpoint takes a URL query parameter that allows an image...
pypi
No PRs yet
Froxlor has an HTML Injection Vulnerability
GHSA-26xq-m8xw-6373 CVE-2025-48958 MODERATE 9 months ago
### Summary _An HTML Injection vulnerability in the customer account portal allows an attacker to inject malicious HTML payloads in the email secti...
packagist
No PRs yet
Froxlor allows Multiple Accounts to Share the Same Email Address Leading to Potential Privilege Escalation or Account Takeover
GHSA-7j6w-p859-464f CVE-2025-29773 MODERATE 9 months ago
### Summary the vulnerability is that users (such as resellers or customers) are able to create accounts with the same email address as an existing...
packagist
No PRs yet
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
GHSA-968p-4wvh-cqc8 CVE-2025-27789 MODERATE 9 months ago
### Impact When using Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Referen...
npm
1261 Dependabot PRs, 23% merged
Azure PromptFlow remote code execution related to Jinja templates
GHSA-gprr-v9f2-px3c CVE-2025-24986 MODERATE 9 months ago
Improper isolation or compartmentalization in Azure PromptFlow allows an unauthorized attacker to execute code over a network.
pypi
No PRs yet
Umbraco Allows a Restricted Editor User to Delete Media Item or Access Unauthorized Content
GHSA-wx5h-wqfq-v698 CVE-2025-27602 MODERATE 9 months ago
### Impact Via manipulation of backoffice API URLs it's possible for authenticated backoffice users to retrieve or delete content or media held wit...
nuget
16 Dependabot PRs, 6% merged
Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality
GHSA-6ffg-mjg7-585x CVE-2025-27601 MODERATE 9 months ago
### Impact An improper API access control issue has been identified, allowing low-privilege, authenticated users to create and update data type inf...
nuget
16 Dependabot PRs, 6% merged
Concrete CMS affected by a stored XSS in Folder Function. The "Add Folder" functionality
GHSA-pvmx-mjmh-jfcx CVE-2025-0660 MODERATE 9 months ago
Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function. The "Add Folder" functionality lacks input sanitization, ...
packagist
No PRs yet
Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims
GHSA-gvgg-2r3r-53x7 CVE-2025-1391 MODERATE 9 months ago
This vulnerability is caused by the improper mapping of users to organizations based solely on email/username patterns. The issue is limited to the...
maven
No PRs yet
Authentication Bypass Due to Missing LDAP Bind After Password Reset in Keycloak
GHSA-2p82-5wwr-43cw CVE-2025-0604 MODERATE 9 months ago
The issue arises because Keycloak does not perform an LDAP bind after a password reset, leading to potential authentication bypass for expired or d...
maven
No PRs yet
PocketMine-MP allows malicious client data to waste server resources due to lack of limits for explode()
GHSA-g274-c6jj-h78p MODERATE 9 months ago
### Impact Due to lack of limits by default in the [`explode()`](https://www.php.net/manual/en/function.explode.php) function, malicious clients we...
packagist
No PRs yet
LF Edge eKuiper allows Stored XSS in Rules Functionality
GHSA-6hrw-x7pr-4mp8 CVE-2024-52812 MODERATE 9 months ago
### Summary Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious scripts into web applications, which can then be e...
go
No PRs yet
Nomad is vulnerable to unintentional exposure of the workload identity token and client secret token in audit logs
GHSA-c3q9-q986-vrwh CVE-2025-1296 MODERATE 9 months ago
Nomad Community and Nomad Enterprise (“Nomad”) are vulnerable to unintentional exposure of the workload identity token and client secret token in a...
go
2 Dependabot PRs
LocalS3 XML Parser Vulnerable to XML External Entity (XXE) Injection
GHSA-47qw-ccjm-9c2c MODERATE 9 months ago
## Description The LocalS3 project, which implements an S3-compatible storage interface, contains a critical XML External Entity (XXE) Injection v...
maven
No PRs yet
LocalS3 Project Vulnerable to XML External Entity (XXE) Injection via Bucket Tagging API
GHSA-v232-254c-m6p7 MODERATE 9 months ago
## Description The LocalS3 project, an S3-compatible storage service, is vulnerable to XML External Entity (XXE) injection through its bucket taggi...
maven
No PRs yet
LocalS3 Project Bucket Operations Vulnerable to XML External Entity (XXE) Injection
GHSA-2466-4485-4pxj MODERATE 9 months ago
## Description The LocalS3 project contains an XML External Entity (XXE) Injection vulnerability in its bucket operations that process XML data. S...
maven
No PRs yet
Zip Exploit Crashes Picklescan But Not PyTorch
GHSA-7q5r-7gvp-wc82 CVE-2025-1944 MODERATE 9 months ago
### Summary PickleScan is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch mode...
pypi
2 Dependabot PRs, 50% merged
Zip Flag Bit Exploit Crashes Picklescan But Not PyTorch
GHSA-w8jq-xcqf-f792 CVE-2025-1945 MODERATE 9 months ago
### Summary PickleScan fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipp...
pypi
2 Dependabot PRs, 50% merged
LocalS3 CreateBucketConfiguration Endpoint XML External Entity (XXE) Injection
GHSA-g6wm-2v64-wq36 CVE-2025-27136 MODERATE 9 months ago
## Description The LocalS3 service's bucket creation endpoint is vulnerable to XML External Entity (XXE) injection. When processing the CreateBuck...
maven
No PRs yet
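The four LocalS3 advisories above (GHSA-47qw-ccjm-9c2c, GHSA-v232-254c-m6p7, GHSA-2466-4485-4pxj and GHSA-g6wm-2v64-wq36) all describe the same class of mistake: an S3-compatible endpoint parses a client-supplied XML body (bucket tagging, bucket operations, CreateBucketConfiguration) with a parser that honours DTDs, so an external entity in the request can read files or reach internal services. The block below is an added example, not LocalS3's code (LocalS3 is Java); it uses Python's stdlib expat parser to show the hardening rule, refuse any DOCTYPE or entity declaration before a single element is processed, against constructed Tagging bodies: one benign, one carrying an external entity, one carrying an internal entity-expansion bomb.

```python
# Added example of DTD-free XML parsing for an S3-style request body; not
# LocalS3's code (LocalS3 is Java).  The stdlib expat parser is used; the
# Tagging documents below are constructed.
import xml.parsers.expat


class DTDForbidden(ValueError):
    """Raised as soon as the document tries to declare a DTD or an entity."""


def _forbid(*_handler_args):
    raise DTDForbidden("DOCTYPE and entity declarations are not accepted")


def parse_tagging(body):
    """Parse a PutBucketTagging-style body into {key: value}.

    Every DTD hook is wired to raise, so neither an external (SYSTEM) entity
    nor an internal entity-expansion bomb can be declared, and the parser is
    told never to resolve external references even if one slipped through."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=None)
    parser.StartDoctypeDeclHandler = _forbid
    parser.EntityDeclHandler = _forbid
    parser.UnparsedEntityDeclHandler = _forbid
    parser.ExternalEntityRefHandler = lambda *_a: 0   # 0 = refuse to resolve

    tags, pending, buf = {}, {}, []

    def start(_name, _attrs):
        buf.clear()

    def chars(data):
        buf.append(data)

    def end(name):
        value = "".join(buf).strip()
        if name in ("Key", "Value"):
            pending[name] = value
        elif name == "Tag":
            tags[pending.get("Key", "")] = pending.get("Value", "")
            pending.clear()
        buf.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(body, True)
    return tags


def is_rejected(body):
    """True if the body is refused for carrying a DTD."""
    try:
        parse_tagging(body)
    except DTDForbidden:
        return True
    return False


BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>'
          b'<Tagging xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><TagSet>'
          b'<Tag><Key>env</Key><Value>prod</Value></Tag>'
          b'<Tag><Key>team</Key><Value>sec</Value></Tag>'
          b'</TagSet></Tagging>')

# Classic XXE shape: an external entity whose expansion would carry file contents.
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE Tagging [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
       b'<Tagging><TagSet><Tag><Key>owner</Key><Value>&xxe;</Value></Tag></TagSet></Tagging>')

# Internal-entity bomb: no file or network access, but the same DTD gate stops it.
BOMB = (b'<?xml version="1.0"?>'
        b'<!DOCTYPE Tagging [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;">]>'
        b'<Tagging><TagSet><Tag><Key>k</Key><Value>&b;</Value></Tag></TagSet></Tagging>')
```

The same gate applies to every XML-accepting S3 operation, not only tagging: reject the DTD at the parser rather than filtering request bodies with a regex, since the DOCTYPE can be split across encodings and whitespace in ways a text filter will miss. In Java, the equivalent is disabling `http://apache.org/xml/features/disallow-doctype-decl` (set to true) and the external-general/parameter-entity features on the factory before any S3 body is parsed.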
Laravel framework susceptible to reflected cross-site scripting
GHSA-546h-56qp-8jmw CVE-2024-13918 MODERATE 9 months ago
The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of request ...
packagist
No PRs yet
Laravel framework susceptible to reflected cross-site scripting
GHSA-83wp-f5c3-hqqr CVE-2024-13919 MODERATE 9 months ago
The Laravel framework versions between 11.9.0 and 11.35.1 are susceptible to reflected cross-site scripting due to an improper encoding of route pa...
packagist
No PRs yet
GeSHi XSS possible in the get_var function of /contrib/cssgen.php
GHSA-pr6q-g5gv-qgr7 CVE-2025-2123 MODERATE 9 months ago
A vulnerability, which was classified as problematic, has been found in GeSHi up to 1.0.9.1. Affected by this issue is the function get_var of the ...
packagist
No PRs yet
Apache Camel: Camel Message Header Injection via Improper Filtering
GHSA-2c2h-2855-mf97 CVE-2025-27636 MODERATE 9 months ago
Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.9.0 through <= 4.10...
maven
No PRs yet
qcp has possible crash/DOS in some build configurations
GHSA-fmwf-c46w-r8qm MODERATE 9 months ago
**Nature of issue:** Crash (Denial of Service) **Source of issue:** Dependent package (ring) **Affected versions of qcp:** 0.1.0-0.3.2 **Recommenda...
cargo
No PRs yet
Crash due to uncontrolled recursion in protobuf crate
GHSA-2gh3-rmm4-6rq5 CVE-2025-53605 MODERATE 9 months ago
Affected version of this crate did not properly parse unknown fields when parsing a user-supplied input. This allows an attacker to cause a stack ...
cargo
No PRs yet
Some AES functions may panic when overflow checking is enabled in ring
GHSA-4p46-pwfr-66x6 MODERATE 9 months ago
`ring::aead::quic::HeaderProtectionKey::new_mask()` may panic when overflow checking is enabled. In the QUIC protocol, an attacker can induce this ...
cargo
No PRs yet
Django vulnerable to Allocation of Resources Without Limits or Throttling
GHSA-p3fp-8748-vqfq CVE-2025-26699 MODERATE 9 months ago
An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap temp...
pypi
365 Dependabot PRs, 6% merged
Envoy Gateway Log Injection Vulnerability
GHSA-mf24-chxh-hmvj CVE-2025-25294 MODERATE 9 months ago
### Impact In all Envoy Gateway versions prior to 1.2.7 and 1.3.1 a default Envoy Proxy access log configuration is used. This format is vulnerable...
go
No PRs yet
NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page
GHSA-wf6c-hrhf-86cw CVE-2025-27506 MODERATE 9 months ago
### Summary The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting. ### Details Throughout the...
npm
No PRs yet
ray vulnerable to Insertion of Sensitive Information into Log File
GHSA-w4rh-fgx7-q63m CVE-2025-1979 MODERATE 9 months ago
Versions of the package ray before 2.43.0 are vulnerable to Insertion of Sensitive Information into Log File where the redis password is being logg...
pypi
No PRs yet
Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission
GHSA-rfh6-9r2q-98vf CVE-2025-27623 MODERATE 9 months ago
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of views via REST API or...
maven
No PRs yet
Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission
GHSA-p34j-r3ch-c985 CVE-2025-27622 MODERATE 9 months ago
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API o...
maven
No PRs yet
Jenkins Open Redirect vulnerability
GHSA-8hmv-92wm-39ch CVE-2025-27625 MODERATE 9 months ago
Various features in Jenkins redirect users to partially user-controlled URLs inside Jenkins. To prevent open redirect vulnerabilities, Jenkins limi...
maven
No PRs yet
Jenkins cross-site request forgery (CSRF) vulnerability
GHSA-7g95-jmg9-h524 CVE-2025-27624 MODERATE 9 months ago
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not require POST requests for the HTTP endpoint toggling collapsed/expanded status of sidep...
maven
No PRs yet
Jinja2 vulnerable to sandbox breakout through attr filter selecting format method
GHSA-cpwx-vrp4-4pq7 CVE-2025-27516 MODERATE 9 months ago
An oversight in how the Jinja sandboxed environment interacts with the `|attr` filter allows an attacker that controls the content of a template to...
pypi
2772 Dependabot PRs, 25% merged
Laravel has a File Validation Bypass
GHSA-78fx-h6xr-vch4 CVE-2025-27515 MODERATE 9 months ago
When using wildcard validation to validate a given file or image field array (`files.*`), a user-crafted malicious request could potentially bypass...
packagist
No PRs yet
REDAXO allows Authenticated Reflected Cross Site Scripting - packages installation
GHSA-8366-xmgf-334f CVE-2025-27412 MODERATE 9 months ago
### Summary Reflected cross-site scripting (XSS) is a type of web vulnerability that occurs when a web application fails to properly sanitize user ...
packagist
No PRs yet
REDAXO allows Arbitrary File Upload in the mediapool page
GHSA-wppf-gqj5-fc4f CVE-2025-27411 MODERATE 9 months ago
### Summary An arbitrary file upload vulnerability was identified in the redaxo. This flaw permits users to upload malicious files, which can lead ...
packagist
No PRs yet