An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

private-ip vulnerable to Server-Side Request Forgery
GHSA-9h3q-32c7-r533 CVE-2025-8020 HIGH 4 months ago
All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF), where an attacker can provide an IP or hostname that r...
npm
No PRs yet
Ollama vulnerable to Cross-Domain Token Exposure
GHSA-x9hg-5q6g-q3jr CVE-2025-51471 MODERATE 4 months ago
Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass ...
go
No PRs yet
Aim vulnerable to Cross-site Scripting
GHSA-gmvv-rj92-9w35 CVE-2025-51464 MODERATE 4 months ago
Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims' browsers via malicious Python ...
pypi
No PRs yet
Dagster Local File Inclusion vulnerability
GHSA-h7x8-jv97-fvvm CVE-2025-51481 MODERATE 4 months ago
Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary f...
pypi
No PRs yet
Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources
GHSA-9g4j-v8w5-7x42 CVE-2025-53942 HIGH 4 months ago
### Summary Deactivated users that had either enrolled via OAuth/SAML or had their account connected to an OAuth/SAML account can still partially ...
go
No PRs yet
Kyverno's Improper JMESPath Variable Evaluation Lead to Denial of Service
GHSA-r5p3-955p-5ggq CVE-2025-47281 HIGH 4 months ago
### Summary A Denial of Service (DoS) vulnerability exists in Kyverno due to improper handling of JMESPath variable substitutions. Attackers with p...
go
No PRs yet
Powermail extension for TYPO3 allows Insecure Direct Object Reference
GHSA-x769-3cwv-f8hc CVE-2025-7899 MODERATE 4 months ago
The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue a...
packagist
No PRs yet
Femanager extension for TYPO3 allows Insecure Direct Object Reference
GHSA-rc5f-3hfv-jxp2 CVE-2025-7900 MODERATE 4 months ago
The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects fe...
packagist
No PRs yet
`pyLoad` has Path Traversal Vulnerability in `json/upload` Endpoint that allows Arbitrary File Write
GHSA-xqpg-92fq-grfg CVE-2025-54140 HIGH 4 months ago
## Summary An **authenticated path traversal vulnerability** exists in the `/json/upload` endpoint of the `pyLoad` By **manipulating the filename o...
pypi
No PRs yet
HAX CMS application pages vulnerable to clickjacking
GHSA-54vw-f4xf-f92j CVE-2025-54139 MODERATE 4 months ago
### Summary All pages within the HAX CMS application do not contain headers to stop other websites from loading the site within an iframe. This ap...
npm packagist
No PRs yet
LibreNMS has Authenticated Remote File Inclusion in ajax_form.php that Allows RCE
GHSA-gq96-8w38-hhj2 CVE-2025-54138 HIGH 4 months ago
LibreNMS 25.6.0 contains an architectural vulnerability in the `ajax_form.php` endpoint that permits Remote File Inclusion based on user-controlled...
packagist
No PRs yet
NodeJS version of the HAX CMS application is distributed with Default Secrets
GHSA-5fpv-5qvh-7cf3 CVE-2025-54137 HIGH 4 months ago
### Summary The NodeJS version of the HAX CMS application is distributed with hardcoded default credentials for the user and superuser accounts. A...
npm
No PRs yet
HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service
GHSA-pjj3-j5j6-qj27 CVE-2025-54134 HIGH 4 months ago
### Summary The HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vul...
npm
No PRs yet
NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting
GHSA-59g8-h59f-8hjp CVE-2025-54128 HIGH 4 months ago
### Summary The NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application...
npm
No PRs yet
NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access
GHSA-f38f-jvqj-mfg6 CVE-2025-54127 CRITICAL 4 months ago
### Summary The NodeJS version of HAX CMS uses an insecure default configuration designed for local development. The default configuration does not...
npm
No PRs yet
Nokogiri patches vendored libxml2 to resolve multiple CVEs
GHSA-353f-x4gh-cqq8 CRITICAL 4 months ago
## Summary Nokogiri v1.18.9 patches the vendored libxml2 to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-497...
rubygems
3380 Dependabot PRs, 35% merged
Starlette has possible denial-of-service vector when parsing large files in multipart forms
GHSA-2c2j-9gv5-cj73 CVE-2025-54121 MODERATE 4 months ago
### Summary When parsing a multi-part form with large files (greater than the [default max spool size](https://github.com/encode/starlette/blob/fa5...
pypi
No PRs yet
Dolibarr has Remote Code Execution Vulnerability (Bypass)
GHSA-49xw-hw94-fmv2 HIGH 4 months ago
# Summary The Dolibarr backend provides the function of adding Menu, and supports setting permissions for the added Menu: ![](https://raw.githubu...
packagist
No PRs yet
RageAgainstThePixel/setup-steamcmd leaked authentication token in job output logs
GHSA-c5qx-p38x-qf5w HIGH 4 months ago
### Summary Log output includes authentication token that provides full account access ### Details The post job action prints the contents of `con...
actions
No PRs yet
buildalon/setup-steamcmd leaked authentication token in job output logs
GHSA-mj96-mh85-r574 HIGH 4 months ago
### Summary Log output includes authentication token that provides full account access ### Details The post job action prints the contents of `con...
actions
No PRs yet
nova-tiptap has Unauthenticated Arbitrary File Upload Vulnerability
GHSA-96c2-h667-9fxp CVE-2025-54082 CRITICAL 4 months ago
A vulnerability was discovered in the marshmallow-packages/nova-tiptap Laravel Nova package that allows unauthenticated users to upload arbitrary f...
packagist
No PRs yet
form-data uses unsafe random function in form-data for choosing boundary
GHSA-fjxv-7rqg-78g4 CVE-2025-7783 CRITICAL 4 months ago
### Summary form-data uses `Math.random()` to select a boundary value for multipart form-encoded data. This can lead to a security issue if an att...
npm
313 Dependabot PRs, 17% merged
Jakarta Mail vulnerable to SMTP Injection
GHSA-9342-92gg-6v29 CVE-2025-7962 MODERATE 4 months ago
In Jakarta Mail 2.2 it is possible to perform an SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.
maven
5 Dependabot PRs
Alchemy Non-SMA and Webauthn Account Security Advisory
GHSA-56r6-ccm5-8hg3 HIGH 4 months ago
### Impact A potential security issue has been mitigated on old account deployment functions from the factory. Smart wallets in use on all existing...
npm
No PRs yet
@translated/lara-mcp vulnerable to command injection in import_tmx tool
GHSA-xj5p-8h7g-76m7 CVE-2025-53832 HIGH 4 months ago
### Summary A command injection vulnerability exists in the `@translated/lara-mcp` MCP Server. The vulnerability is caused by the unsanitized use ...
npm
No PRs yet
Cadwyn vulnerable to XSS on the docs page
GHSA-2gxp-6r36-m97r CVE-2025-53528 HIGH 4 months ago
### Summary The `version` parameter of the `/docs` endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. ### PoC 1. Setup a min...
pypi
No PRs yet
Apache Jena allows users with administrator access to create database files outside the files area of the Fuseki server
GHSA-jq2c-m8gg-mqcm CVE-2025-49656 MODERATE 4 months ago
Users with administrator access can create database files outside the files area of the Fuseki server. This issue affects Apache Jena version up ...
maven
No PRs yet
Apache Jena doesn't validate file access paths in configuration files uploaded by users with administrator access
GHSA-xg9p-p463-3qjp CVE-2025-50151 HIGH 4 months ago
File access paths in configuration files uploaded by users with administrator access are not validated. This issue affects Apache Jena version up ...
maven
No PRs yet
Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering
GHSA-cj6r-rrr9-fg82 CVE-2025-54075 HIGH 4 months ago
### Summary A **remote script-inclusion / stored XSS** vulnerability in **@nuxtjs/mdc** lets a Markdown author inject a `<base href="https://attack...
npm
38 Dependabot PRs, 23% merged
WebSSH Cross-site Scripting vulnerability
GHSA-9cg4-9hv5-3376 CVE-2025-7885 LOW 4 months ago
A vulnerability, which was classified as problematic, has been found in Huashengdun WebSSH up to 1.6.2. Affected by this issue is some unknown func...
pypi
No PRs yet
eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code
GHSA-f29h-pxvx-f335 CVE-2025-54313 HIGH 4 months ago
eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package ...
npm
No PRs yet
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
GHSA-xffm-g5w8-qvg7 LOW 5 months ago
### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only a...
npm
No PRs yet
melange's world-writable permissions expose SBOM files to potential image tampering
GHSA-5662-cv6m-63wh CVE-2025-54059 MODERATE 5 months ago
It was discovered that the SBOM files generated by melange in apks had file system permissions mode 666: ``` $ apkrane ls https://packages.wolfi.de...
go
No PRs yet
apko is vulnerable to attack through incorrect permissions in /etc/ld.so.cache and other files
GHSA-x6ph-r535-3vjw CVE-2025-53945 HIGH 5 months ago
It was discovered that the ld.so.cache in images generated by apko had file system permissions mode `0666`: ``` bash-5.3# find / -type f -perm -o+w...
go
No PRs yet
Wasmtime CLI is vulnerable to host panic through its fd_renumber function
GHSA-fm79-3f68-h2fc CVE-2025-53901 LOW 5 months ago
### Summary A bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host ...
cargo
34 Dependabot PRs, 20% merged
golang.org/x/oauth2 Improper Validation of Syntactic Correctness of Input vulnerability
GHSA-6v2p-p543-phr9 CVE-2025-22868 HIGH 5 months ago
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
go
49 Dependabot PRs, 10% merged
Filemanager is vulnerable to Relative Path Traversal through filemanager.php
GHSA-r7q6-6fmq-mx4c CVE-2025-46002 MODERATE 5 months ago
An issue in Filemanager v2.5.0 and below allows attackers to execute a directory traversal via sending a crafted HTTP request to the filemanager.ph...
packagist
No PRs yet
XXL-JOB is vulnerable to SSRF attacks
GHSA-f8vw-8vgh-22r9 CVE-2025-7787 LOW 5 months ago
A vulnerability, which was classified as critical, was found in Xuxueli xxl-job up to 3.1.1. Affected is the function httpJobHandler of the file sr...
maven
3 Dependabot PRs
simogeo/filemanager arbitrary file upload vulnerability
GHSA-m5hw-rhvr-f47c CVE-2025-46001 CRITICAL 5 months ago
An arbitrary file upload vulnerability in the is_allowed_file_type() function of Filemanager v2.3.0 allows attackers to execute arbitrary code via ...
packagist
No PRs yet
Mattermost Path Traversal vulnerability
GHSA-wvw2-3jh4-4c39 CVE-2025-6233 MODERATE 5 months ago
Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the...
go
No PRs yet
Mattermost has Insufficiently Protected Credentials
GHSA-4fwj-8595-wp25 CVE-2025-6227 LOW 5 months ago
Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts...
go
No PRs yet
Mattermost Missing Authentication for Critical Function
GHSA-7h34-9chr-58qh CVE-2025-6226 MODERATE 5 months ago
Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached pos...
go
No PRs yet
Grafana is vulnerable to XSS attacks through open redirects and path traversal
GHSA-vqph-p5vc-g644 CVE-2025-6023 HIGH 5 months ago
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in...
go
5 Dependabot PRs
NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook
GHSA-67jc-hmvg-q4c7 CVE-2025-23267 HIGH 5 months ago
NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook, where an attacker could cause a link following by u...
go
No PRs yet
NVIDIA Container Toolkit for all platforms contains an Untrusted Search Path
GHSA-vmg3-7v43-9g23 CVE-2025-23266 CRITICAL 5 months ago
NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute...
go
No PRs yet
OpenZeppelin Contracts Bytes's lastIndexOf function with position argument performs out-of-bound memory access on empty buffers
GHSA-9rcw-c2f9-2j55 CVE-2025-54070 MODERATE 5 months ago
### Impact The `lastIndexOf(bytes,byte,uint256)` function of the `Bytes.sol` library may access uninitialized memory when the following two condit...
npm
No PRs yet
on-headers is vulnerable to http response header manipulation
GHSA-76c9-3jph-rj3q CVE-2025-7339 LOW 5 months ago
### Impact A bug in on-headers versions `< 1.1.0` may result in response headers being inadvertently modified when an array is passed to `response...
npm
50410 Dependabot PRs, 5% merged
Multer vulnerable to Denial of Service via unhandled exception from malformed request
GHSA-fjgf-rc76-4x9p CVE-2025-7338 HIGH 5 months ago
### Impact A vulnerability in Multer versions >= 1.4.4-lts.1, < 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malform...
npm
1955 Dependabot PRs, 26% merged
Livewire is vulnerable to remote command execution during component property update hydration
GHSA-29cq-5w36-x7w3 CVE-2025-54068 CRITICAL 5 months ago
### Impact In Livewire v3 (≤ 3.6.3), a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. Th...
packagist
No PRs yet
DiracX-Web is vulnerable to attack through an Open Redirect on its login page
GHSA-hfj7-542q-8fvv CVE-2025-54066 MODERATE 5 months ago
### Summary An attacker can forge a request to redirect an authenticated user to any arbitrary website. ### Details On the login page, we have a...
npm
No PRs yet