Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,842 Total Advisories
1,805 With Dependabot PRs
3,510 Critical Severity
8,633 High Severity
Kgateway transformation policy template can emit files from the container
GHSA-5pmx-7r6r-wfqq MODERATE 28 days ago
## Summary
The transformation policy template feature in Kgateway versions through 2.0.4 allows users with TrafficPolicy creation permissions to c...
go
No PRs yet
kgateway is missing xDS authorization
GHSA-4766-x535-jw3r CVE-2025-64323 MODERATE 28 days ago
## Summary
The xDS interface in Kgateway versions 2.0.0 through 2.0.4 lacks authentication, allowing any client with unrestricted network access t...
go
No PRs yet
OctoPrint vulnerable to XSS in Action Commands Notification and Prompt
GHSA-crvm-xjhm-9h29 CVE-2025-64187 MODERATE 28 days ago
### Impact
OctoPrint versions up to and including 1.11.3 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript in...
pypi
No PRs yet
DSPy does not properly restrict file reads
GHSA-vvw2-h478-xwr3 CVE-2025-12695 MODERATE 28 days ago
The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases when users build an AI agent which consumes ...
pypi
No PRs yet
lakeFS affected by unauthenticated access to API usage metrics
GHSA-h238-5mwf-8xw8 CVE-2025-64179 MODERATE 29 days ago
### Impact
Missing authentication in the `/api/v1/usage-report/summary` endpoint allows anyone to retrieve aggregate API usage counts. While no se...
go
No PRs yet
OpenMage vulnerable to XSS in Admin Notifications
GHSA-qv78-c8hc-438r CVE-2025-64174 MODERATE 29 days ago
### Summary
OpenMage versions v20.15.0 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an adm...
packagist
No PRs yet
MantisBT unauthorized disclosure of private project column configuration
GHSA-g582-8vwr-68h2 CVE-2025-62520 MODERATE 29 days ago
### Impact
Due to insufficient access-level checks, any non-admin user having access to _manage_config_columns_page.php_ (typically project manage...
packagist
No PRs yet
MantisBT lacks verification when changing a user's email address
GHSA-q747-c74m-69pr CVE-2025-55155 MODERATE 29 days ago
When a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user.
### I...
packagist
No PRs yet
MantisBT Vulnerable to Denial-of-Service (DoS) via Excessive Note Length
GHSA-r3jf-hm7q-qfw5 CVE-2025-46556 MODERATE 29 days ago
A lack of server-side validation for note length in MantisBT allows attackers to permanently corrupt issue activity logs by submitting extremely lo...
packagist
No PRs yet
Liferay Portal and DXP do not check permissions of images in a blog entry
GHSA-xf7m-v66q-76w8 CVE-2025-62275 MODERATE about 1 month ago
Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 20...
maven
No PRs yet
Liferay Portal and DXP use an incorrect cache-control header
GHSA-6533-fhr2-f38h CVE-2025-62276 MODERATE about 1 month ago
The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023...
maven
No PRs yet
Liferay Portal and DXP affected by multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page
GHSA-q285-wfpg-93hr CVE-2025-62267 MODERATE about 1 month ago
Multiple cross-site scripting (XSS) vulnerabilities in web content template’s select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, a...
maven
No PRs yet
Liferay Portal Vulnerable to Reflected XSS via the selectedLanguageId Parameter
GHSA-2j97-4jmq-c4xf CVE-2025-62264 MODERATE about 1 month ago
Reflected cross-site scripting (XSS) vulnerability in Language Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 thr...
maven
No PRs yet
Ansible does not collect garbage after playbook run
GHSA-f556-49jc-4rvc CVE-2020-25635 MODERATE about 1 month ago
A flaw was found in Ansible Base when using the aws_ssm connection plugin as its garbage collector is not happening after the playbook run is compl...
pypi
No PRs yet
cryptidy allows code execution via untrusted data due to pickle.loads
GHSA-97w9-v595-3h5q CVE-2025-63675 MODERATE about 1 month ago
cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encry...
pypi
No PRs yet
Liferay Portal is vulnerable to XSS in the Blogs widget
GHSA-56jv-4ww3-65mw CVE-2025-62265 MODERATE about 1 month ago
Cross-site scripting (XSS) vulnerability in the Blogs widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay...
maven
No PRs yet
Liferay Portal is vulnerable to DNS rebinding attacks
GHSA-f5vh-4rj2-w8r8 CVE-2025-62266 MODERATE about 1 month ago
By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through ...
maven
No PRs yet
node-tar has a race condition leading to uninitialized memory exposure
GHSA-29xp-372q-xqph CVE-2025-64118 MODERATE about 1 month ago
### Summary
Using `.t` (aka `.list`) with `{ sync: true }` to read tar entry contents returns uninitialized memory contents if tar file was change...
npm
5 Dependabot PRs
Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode
GHSA-cf57-c578-7jvv CVE-2025-64716 MODERATE about 1 month ago
### Summary
When using subrequest authentication, Anubis did not perform validation of the redirect URL and redirects user to any URL scheme. Whil...
go
No PRs yet
Apache Airflow has a command injection vulnerability in "example_dag_decorator"
GHSA-v3c9-j6h9-66v4 CVE-2025-54941 MODERATE about 1 month ago
An example dag `example_dag_decorator` had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execu...
pypi
No PRs yet
Apache Airflow's create action can upsert existing Pools/Connections/Variables
GHSA-gp5f-cx7h-8q6f CVE-2025-62503 MODERATE about 1 month ago
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.
pypi
No PRs yet
Apache Airflow `/api/v2/dagReports` executes DAG Python in API
GHSA-273c-4g26-4jpm CVE-2025-62402 MODERATE about 1 month ago
API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environm...
pypi
No PRs yet
Liferay Portal vulnerable to password enumeration
GHSA-8hw3-ghwv-crfh CVE-2025-62257 MODERATE about 1 month ago
Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 202...
maven
No PRs yet
Drupal CivicTheme Design System allows Cross-Site Scripting (XSS)
GHSA-h72q-cq3w-h3wc CVE-2025-12083 MODERATE about 1 month ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-...
packagist
No PRs yet
Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables
GHSA-fg8x-q69g-4qp3 CVE-2025-10929 MODERATE about 1 month ago
Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables. This is...
packagist
No PRs yet
Drupal Access code allows Brute Force Attempts
GHSA-27mc-9399-r9mx CVE-2025-10928 MODERATE about 1 month ago
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force. This issue affects Access code: f...
packagist
No PRs yet
Drupal Currency allows Cross Site Request Forgery
GHSA-27fv-rpgj-4c6m CVE-2025-10930 MODERATE about 1 month ago
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery. This issue affects Currency: from 0.0.0 befor...
packagist
No PRs yet
Drupal JSON Field is vulnerable to XSS
GHSA-m3f2-xjgc-2wp2 CVE-2025-10926 MODERATE about 1 month ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal JSON Field allows Cross-Site Scripting...
packagist
No PRs yet
Drupal Plausible tracking is vulnerable to XSS
GHSA-pr6m-qwrr-mrw9 CVE-2025-10927 MODERATE about 1 month ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Plausible tracking allows Cross-Site S...
packagist
No PRs yet
OpenUSD File Parsing Use-After-Free Remote Code Execution Vulnerability
GHSA-grjp-54v3-c442 MODERATE about 1 month ago
# Patch
This is fixed with [commit b953092](https://github.com/PixarAnimationStudios/OpenUSD/commit/b9530922b6a8ea72cd43661226b693fff8abbe4c), with...
pypi
No PRs yet
uv allows ZIP payload obfuscation through parsing differentials
GHSA-pqhf-p39g-3x64 MODERATE about 1 month ago
### Impact
In versions 0.9.5 and earlier of uv, ZIP archives were handled in a manner that enabled two parsing differentials against other compone...
pypi
5 Dependabot PRs
CKAN vulnerable to fixed session IDs
GHSA-2hvh-cw5c-8q8q CVE-2025-64100 MODERATE about 1 month ago
### Impact
Session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session st...
pypi
No PRs yet
DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload
GHSA-hmvq-8p83-cq52 CVE-2025-64094 MODERATE about 1 month ago
### Summary
Sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios.
### Details
DNN validates the contents ...
nuget
No PRs yet
DNN CKEditor Provider allows unauthenticated upload out-of-the-box
GHSA-2374-6cvw-qmx6 CVE-2025-62802 MODERATE about 1 month ago
### Summary
The out-of-box experience for HTML editing allows unauthenticated users to upload files. This opens a potential vector to other securit...
nuget
No PRs yet
FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name
GHSA-rj5c-58rq-j5g5 CVE-2025-62801 MODERATE about 1 month ago
### Summary
A command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on ...
pypi
No PRs yet
FastMCP vulnerable to reflected XSS in client's callback page
GHSA-mxxr-jv3v-6pgc CVE-2025-62800 MODERATE about 1 month ago
### Summary
While setting up an oauth client, it was noticed that the callback page hosted by the client during the flow embeds user-controlled con...
pypi
No PRs yet
CKAN vulnerable to stored XSS in resource description
GHSA-2r4h-8jxv-w2j8 CVE-2025-54384 MODERATE about 1 month ago
### Impact
The `helpers.markdown_extract()` function did not perform sufficient sanitization of input data before wrapping in an HTML literal elem...
pypi
No PRs yet
Jenkins Publish to Bitbucket Plugin vulnerable to CSRF and missing permissions check
GHSA-m244-6mff-p355 CVE-2025-64149 MODERATE about 1 month ago
Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Re...
maven
No PRs yet
Jenkins Publish to Bitbucket Plugin is missing a permissions check
GHSA-v549-7pm5-f8qr CVE-2025-64148 MODERATE about 1 month ago
Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in a method implementing form validation.
This allows atta...
maven
No PRs yet
Jenkins Curseforge Publisher Plugin does not mask API Keys displayed on the job configuration form
GHSA-hv42-crpx-q355 CVE-2025-64147 MODERATE about 1 month ago
Jenkins Curseforge Publisher Plugin 1.0 and earlier stores API Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its ...
maven
No PRs yet
Jenkins Publish to Bitbucket Plugin is missing a permissions check
GHSA-wpr5-rc2j-99p2 CVE-2025-64150 MODERATE about 1 month ago
Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Re...
maven
No PRs yet
Jenkins OpenShift Pipeline Plugin stores authorization tokens unencrypted in job config.xml files
GHSA-4653-9q2r-684q CVE-2025-64143 MODERATE about 1 month ago
Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job `config.xml` files on the Jenkins controller as...
maven
No PRs yet
Jenkins ByteGuard Build Actions Plugin does not mask API tokens displayed on the job configuration form
GHSA-vmm2-53rc-43v3 CVE-2025-64145 MODERATE about 1 month ago
Jenkins ByteGuard Build Actions Plugin 1.0 and earlier stores API tokens unencrypted in job `config.xml` files on the Jenkins controller as part of...
maven
No PRs yet
Jenkins MCP Server Plugin does not perform permission checks in multiple MCP tools
GHSA-mrpq-9jr3-rqq9 CVE-2025-64132 MODERATE about 1 month ago
Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in several MCP tools.
This allows to do the following...
maven
No PRs yet
Jenkins Themis Plugin is missing a permission check
GHSA-jwm4-955w-4hj3 CVE-2025-64137 MODERATE about 1 month ago
Jenkins Themis Plugin 1.4.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permissio...
maven
No PRs yet
Jenkins Nexus Task Runner Plugin is missing a permission check
GHSA-h83r-7f9f-mqjj CVE-2025-64142 MODERATE about 1 month ago
Jenkins Nexus Task Runner Plugin 0.9.2 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Rea...
maven
No PRs yet
Jenkins Nexus Task Runner Plugin vulnerable to cross-site request forgery
GHSA-x2pv-fph3-phfx CVE-2025-64141 MODERATE about 1 month ago
Jenkins Nexus Task Runner Plugin 0.9.2 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Rea...
maven
No PRs yet
Jenkins Themis Plugin vulnerable to cross-site request forgery
GHSA-93mh-mx9w-m69q CVE-2025-64136 MODERATE about 1 month ago
Jenkins Themis Plugin 1.4.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permissio...
maven
No PRs yet
Jenkins Curseforge Publisher Plugin stores API Keys unencrypted in job config.xml files
GHSA-23vj-j6jc-w892 CVE-2025-64146 MODERATE about 1 month ago
Jenkins Curseforge Publisher Plugin 1.0 and earlier stores API Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its ...
maven
No PRs yet
Jenkins Start Windocks Containers Plugin is missing a permission check
GHSA-mj6v-4wr4-gj57 CVE-2025-64139 MODERATE about 1 month ago
Jenkins Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overa...
maven
No PRs yet