Security Advisories
Browse security advisories and track which Dependabot PRs address them.
25,050 Total Advisories
1,846 With Dependabot PRs
3,534 Critical Severity
8,712 High Severity
Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check
GHSA-mjqp-26hc-grxg CVE-2025-10156 CRITICAL 3 months ago
### Summary
Picklescan's ability to scan ZIP archives for malicious pickle files is compromised when the archive contains a file with a bad Cyclic ...
pypi
No PRs yet
Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation
GHSA-r4h8-hfp2-ggmf CVE-2025-54123 CRITICAL 3 months ago
### Summary
It has been discovered that the middleware functionality in Hoverfly is vulnerable to command injection through its `/api/v2/hoverfly/m...
go
No PRs yet
Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports
GHSA-f7qq-56ww-84cr CVE-2025-10157 CRITICAL 3 months ago
### Summary
The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. T...
pypi
No PRs yet
Magento Community Edition Improper Input Validation vulnerability
GHSA-wh92-6q6g-px7j CVE-2025-54236 CRITICAL 3 months ago
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation ...
packagist
No PRs yet
pREST has a Systemic SQL Injection Vulnerability
GHSA-p46v-f2x8-qp98 CVE-2025-58450 CRITICAL 3 months ago
# Summary
pREST provides a simple way for users to expose access to their database via a RESTful API. The project is implemented using the Go progra...
go
No PRs yet
@akoskm/create-mcp-server-stdio is vulnerable to MCP Server Command Injection through `exec` API
GHSA-3ch2-jxxc-v4xf CVE-2025-54994 CRITICAL 3 months ago
# Command Injection in MCP Server
The MCP Server at https://github.com/akoskm/create-mcp-server-stdio is written in a way that is vulnerable to co...
npm
No PRs yet
CodeceptJS's incomplete sanitization can lead to Command Injection
GHSA-34w8-mcwr-vg29 CVE-2025-57285 CRITICAL 3 months ago
CodeceptJS versions 3.5.0 through 3.7.5-beta.18 contain a command injection vulnerability in the emptyFolder function (lib/utils.js). The execSync ...
npm
No PRs yet
internetarchive Vulnerable to Directory Traversal in File.download()
GHSA-wx3r-v6h7-frjp CVE-2025-58438 CRITICAL 3 months ago
### Impact
**What kind of vulnerability is it?**
This is a **Critical** severity directory traversal (path traversal) vulnerability in the `File.do...
pypi
No PRs yet
TkEasyGUI Vulnerable to OS Command Injection
GHSA-hfrj-3w3g-jv32 CVE-2025-55037 CRITICAL 3 months ago
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. If ...
pypi
No PRs yet
Argo CD's Project API Token Exposes Repository Credentials
GHSA-786q-9hcg-v9ff CVE-2025-55190 CRITICAL 3 months ago
### Summary
Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through ...
go
No PRs yet
Pixar OpenUSD Sdf_PathNode Module Use-After-Free Vulnerability Leading to Potential Remote Code Execution
GHSA-58p5-r2f6-g2cj CRITICAL 3 months ago
### Summary
A Use-After-Free (UAF) vulnerability has been discovered in the Sdf_PathNode module of the Pixar OpenUSD library. This issue occurs dur...
pypi
No PRs yet
DeepDiff Class Pollution in Delta class leading to DoS, Remote Code Execution, and more
GHSA-mw26-5g2v-hqw3 CVE-2025-58367 CRITICAL 3 months ago
### Summary
[Python class pollution](https://blog.abdulrah33m.com/prototype-pollution-in-python/) is a novel vulnerability categorized under [CWE-9...
pypi
1 Dependabot PR
XWiki configuration files can be accessed through jsx and sx endpoints
GHSA-m63c-3rmg-r2cf CVE-2025-55748 CRITICAL 3 months ago
### Impact
It's possible to get access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../...
maven
No PRs yet
XWiki configuration files can be accessed through the webjars API
GHSA-qww7-89xh-x7m7 CVE-2025-55747 CRITICAL 3 months ago
### Impact
It's possible to get access and read configuration files by using URLs such as `http://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F....
maven
No PRs yet
Valtimo scripting engine can be used to gain access to sensitive data or resources
GHSA-w48j-pp7j-fj55 CVE-2025-58059 CRITICAL 4 months ago
### Impact
Any admin that can create or modify and execute process-definitions could gain access to sensitive data or resources.
This includes but...
maven
No PRs yet
NeuVector admin account has insecure default password
GHSA-8pxw-9c75-6w56 CVE-2025-8077 CRITICAL 4 months ago
### Impact
A vulnerability exists in NeuVector versions up to and including **5.4.5**, where a fixed string is used as the default password for th...
go
No PRs yet
Malicious versions of Nx were published
GHSA-cxm3-wv7p-598c CVE-2025-10894 CRITICAL 4 months ago
## Summary
Malicious versions of the [`nx` package](https://www.npmjs.com/package/nx), as well as some supporting plugin packages, were published ...
npm
No PRs yet
The Freeform CraftCMS plugin contains a Server-side template injection (SSTI) vulnerability
GHSA-9hp3-f5g8-rccg CVE-2025-52122 CRITICAL 4 months ago
Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains a Server-side template injection (SSTI) vulnerability, resulting in arbitrary co...
packagist
No PRs yet
sha.js is missing type checks leading to hash rewind and passing on crafted data
GHSA-95m3-7q98-8xr5 CVE-2025-9288 CRITICAL 4 months ago
### Summary
This is the same as [GHSA-cpq7-6gpm-g9rc](https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc) but just ...
npm
7 Dependabot PRs
cipher-base is missing type checks, leading to hash rewind and passing on crafted data
GHSA-cpq7-6gpm-g9rc CVE-2025-9287 CRITICAL 4 months ago
### Summary
This affects e.g. `create-hash` (and `crypto-browserify`), so I'll describe the issue against that package
Also affects `create-hmac` ...
npm
No PRs yet
Apache Tika XXE Vulnerability via Crafted XFA File Inside a PDF
GHSA-p72g-pv48-7w9x CVE-2025-54988 CRITICAL 4 months ago
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry o...
maven
2 Dependabot PRs
Directus allows unauthenticated file upload and file modification due to lacking input sanitization
GHSA-mv33-9f6j-pfmc CVE-2025-55746 CRITICAL 4 months ago
## Summary
A vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary conte...
npm
No PRs yet
Spree Commerce is vulnerable to RCE through Search API
GHSA-x485-rhg3-cqr4 CVE-2011-10026 CRITICAL 4 months ago
Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitatio...
rubygems
No PRs yet
screenshot-desktop vulnerable to Command Injection via `format` option
GHSA-gjx4-2c7g-fm94 CVE-2025-55294 CRITICAL 4 months ago
## Impact
This vulnerability is a **command injection** issue.
When user-controlled input is passed into the `format` option of the screenshot fu...
npm
No PRs yet
HydrAIDE Authentication Bypass Vulnerability
GHSA-qp7j-x725-g67f CRITICAL 4 months ago
### Summary
There is no authentication of any kind.
### Details
TLS is implemented, the tunnel between the client and server is secure, however o...
go
No PRs yet
Capsule tenant owners with "patch namespace" permission can hijack system namespace labels
GHSA-fcpm-6mxq-m5vv CVE-2025-55205 CRITICAL 4 months ago
### Summary
A namespace label injection vulnerability in Capsule v0.10.3 allows authenticated tenant users to inject arbitrary labels into system n...
go
No PRs yet
Flowise OS command remote code execution
GHSA-2vv2-3x8x-4gv7 CVE-2025-8943 CRITICAL 4 months ago
The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's i...
npm
No PRs yet
Active Storage allowed transformation methods that were potentially unsafe
GHSA-r4mg-4433-c7g3 CVE-2025-24293 CRITICAL 4 months ago
Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default.
The default allowed list ...
rubygems
7052 Dependabot PRs (8% Merged)
m00nl1ght-dev/steam-workshop-deploy: Exposure of Version-Control Repository to an Unauthorized Control Sphere and Insufficiently Protected Credentials
GHSA-x6gv-2rvh-qmp6 CRITICAL 4 months ago
## Summary
The `steam-workshop-deploy` github action does not exclude the `.git` directory when packaging content for deployment and provides no bu...
actions
12 Dependabot PRs (50% Merged)
Privileged OpenBao Operator May Execute Code on the Underlying Host
GHSA-xp75-r577-cvhp CVE-2025-54997 CRITICAL 4 months ago
### Impact
Under certain threat models, OpenBao operators with privileged API access may not be system administrators and thus normally lack the a...
go
1 Dependabot PR (100% Merged)
ExecuTorch integer overflow vulnerability
GHSA-84m3-f99p-cqx5 CVE-2025-30405 CRITICAL 4 months ago
An integer overflow vulnerability in the loading of ExecuTorch models can cause objects to be placed outside their allocated memory area, potential...
pypi
No PRs yet
ExecuTorch vulnerable to Heap-based Buffer Overflow
GHSA-xc7w-r669-48pf CVE-2025-54951 CRITICAL 4 months ago
A group of related buffer overflow vulnerabilities in the loading of ExecuTorch models can cause the runtime to crash and potentially result in cod...
pypi
No PRs yet
ExecuTorch integer overflow vulnerability
GHSA-hj95-mhgf-jxc4 CVE-2025-30404 CRITICAL 4 months ago
An integer overflow vulnerability in the loading of ExecuTorch models can cause overlapping allocations, potentially resulting in code execution or...
pypi
No PRs yet
ExecuTorch out-of-bounds access vulnerability
GHSA-f9hx-c6jf-3qxm CVE-2025-54950 CRITICAL 4 months ago
An out-of-bounds access vulnerability in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution o...
pypi
No PRs yet
ExecuTorch heap buffer overflow vulnerability
GHSA-9m39-3mf3-xwch CVE-2025-54949 CRITICAL 4 months ago
A heap buffer overflow vulnerability in the loading of ExecuTorch models can potentially result in code execution or other undesirable effects. Thi...
pypi
No PRs yet
JWE is missing AES-GCM authentication tag validation in encrypted JWE
GHSA-c7p4-hx26-pr73 CVE-2025-54887 CRITICAL 4 months ago
### Overview
The authentication tag of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide w...
rubygems
7 Dependabot PRs (71% Merged)
ThinkPHP Path Traversal Vulnerability
GHSA-mrwc-mvr8-9xq5 CVE-2025-50706 CRITICAL 4 months ago
An issue in ThinkPHP Framework v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function.
packagist
No PRs yet
pyLoad CNL Blueprint allows Path Traversal through `dlc_path` which leads to Remote Code Execution (RCE)
GHSA-48rp-jc79-2264 CVE-2025-54802 CRITICAL 4 months ago
### Summary
**Path Traversal in pyLoad-ng CNL Blueprint via `package` parameter allows Arbitrary File Write leading to Remote Code Execution (RCE)*...
pypi
No PRs yet
The ADOdb sqlite3 driver allows SQL injection
GHSA-vf2r-cxg9-p7rf CVE-2025-54119 CRITICAL 4 months ago
Improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 da...
packagist
11 Dependabot PRs (18% Merged)
@nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers
GHSA-85cg-cmq5-qjm7 CVE-2025-54782 CRITICAL 5 months ago
## Summary
A critical Remote Code Execution (RCE) vulnerability was discovered in the `@nestjs/devtools-integration` package. When enabled, the pac...
npm
No PRs yet
Hashicorp Vault has Code Execution Vulnerability via Plugin Configuration
GHSA-mr4h-qf9j-f665 CVE-2025-6000 CRITICAL 5 months ago
A privileged Vault operator within the root namespace with write permission to `sys/audit` may obtain code execution on the underlying host if a ...
go
13 Dependabot PRs (7% Merged)
num2words subjected to phishing attack, two versions published containing malware
GHSA-jxr6-qrxx-2ph2 CRITICAL 5 months ago
The `num2words` project was compromised via a phishing attack and two new versions were uploaded to PyPI containing malicious code. The affected ve...
pypi
No PRs yet
OAuth2-Proxy has authentication bypass in oauth2-proxy skip_auth_routes due to Query Parameter inclusion
GHSA-7rh7-c77v-6434 CVE-2025-54576 CRITICAL 5 months ago
### Impact
This vulnerability affects oauth2-proxy deployments using the `skip_auth_routes` configuration option with regex patterns. The vulnerabi...
go
3 Dependabot PRs
BentoML SSRF Vulnerability in File Upload Processing
GHSA-mrmq-3q62-6cc8 CVE-2025-54381 CRITICAL 5 months ago
### Description
There's an SSRF in the file upload processing system that allows remote attackers to make arbitrary HTTP requests from the server ...
pypi
No PRs yet
Node-SAML SAML Signature Verification Vulnerability
GHSA-4mxg-3p6v-xgq3 CVE-2025-54419 CRITICAL 5 months ago
Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking sign...
npm
No PRs yet
CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability
GHSA-9952-gv64-x94c CVE-2025-54418 CRITICAL 5 months ago
### Impact
This vulnerability affects applications that:
* Use the ImageMagick handler for image processing (`imagick` as the image library)
* **AN...
packagist
No PRs yet
smolagents has Sandbox Escape Vulnerability in the local_python_executor.py Module
GHSA-6v92-r5mx-h5fx CVE-2025-5120 CRITICAL 5 months ago
A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution envir...
pypi
No PRs yet
tj-actions/branch-names has a Command Injection Vulnerability
GHSA-gq52-6phf-x2r6 CVE-2025-54416 CRITICAL 5 months ago
#### **Overview**
A critical vulnerability has been identified in the `tj-actions/branch-names` GitHub Action workflow which allows arbitrary comm...
actions
No PRs yet
Node-SAML SAML Authentication Bypass
GHSA-m837-g268-mmv7 CVE-2025-54369 CRITICAL 5 months ago
Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking sign...
npm
No PRs yet
XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter
GHSA-vr59-gm53-v7cq CVE-2025-32429 CRITICAL 5 months ago
### Impact
It's possible for anyone to inject SQL using the parameter sort of the `getdeleteddocuments.vm`. It's injected as is as an ORDER BY val...
maven
No PRs yet