An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,842 Total Advisories
1,801 With Dependabot PRs
3,510 Critical Severity
8,633 High Severity

Jenkins Start Windocks Containers Plugin vulnerable to cross-site request forgery
GHSA-6mgr-3374-4p3c CVE-2025-64138 MODERATE about 1 month ago
Jenkins Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overa...
maven
No PRs yet
Jenkins Extensible Choice Parameter Plugin vulnerable to cross-site request forgery
GHSA-3jw2-5hjg-hc2c CVE-2025-64133 MODERATE about 1 month ago
Jenkins Extensible Choice Parameter Plugin 239.v5f5c278708cf and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-...
maven
No PRs yet
Jenkins ByteGuard Build Actions Plugin stores API tokens unencrypted in job config.xml files
GHSA-2vmr-8c82-x8xq CVE-2025-64144 MODERATE about 1 month ago
Jenkins ByteGuard Build Actions Plugin 1.0 and earlier stores API tokens unencrypted in job `config.xml` files on the Jenkins controller as part of...
maven
No PRs yet
Jenkins Eggplant Runner Plugin protection mechanism disabled
GHSA-w5r3-gr8w-7fj5 CVE-2025-64135 MODERATE about 1 month ago
Jenkins Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier sets the Java system property `jdk.http.auth.tunneling.disabledSchemes` to an e...
maven
No PRs yet
Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax
GHSA-9f58-4465-23c7 CVE-2025-62798 MODERATE about 1 month ago
A Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affect...
packagist
No PRs yet
NextAuthjs Email misdelivery Vulnerability
GHSA-5jpx-9hw9-2fx4 MODERATE about 1 month ago
### Summary NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in `nodemail...
npm
No PRs yet
Keras is vulnerable to arbitrary local file loading and Server-Side Request Forgery
GHSA-mq84-hjqx-cwf2 CVE-2025-12058 MODERATE about 1 month ago
The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local f...
pypi
No PRs yet
Consul event endpoint is vulnerable to denial of service
GHSA-qh7p-pfq3-677h CVE-2025-11375 MODERATE about 1 month ago
Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Lengt...
go
3 Dependabot PRs
Consul key/value endpoint is vulnerable to denial of service
GHSA-7g3r-8c6v-hfmr CVE-2025-11374 MODERATE about 1 month ago
Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header valida...
go
3 Dependabot PRs
PrivateBin is missing HTML sanitization of attached filename in file size hint
GHSA-867c-p784-5q6g CVE-2025-62796 MODERATE about 1 month ago
We’ve identified an HTML injection/XSS vulnerability in PrivateBin service that allows the injection of arbitrary HTML markup via the attached file...
packagist
No PRs yet
Contrast has insecure LUKS2 persistent storage partitions may be opened and used
GHSA-f5p4-p5q5-jv3h MODERATE about 1 month ago
### Summary A malicious host may provide a crafted LUKS2 volume to a Contrast pod VM that uses the [secure persistent volume](https://docs.edgeles...
go
No PRs yet
InventoryGui allows item duplication in GUIs which use GuiStorageElement
GHSA-7whh-79j3-7c55 CVE-2025-62784 MODERATE about 1 month ago
### Impact Any plugin using a GUI with the GuiStorageElement and allows taking out items out of that element. ### Patches InventoryGui 1.6.5 (incl...
maven
No PRs yet
Sliver has unrestricted traffic between Wireguard clients
GHSA-q8j9-34qf-7vq7 CVE-2025-27093 MODERATE about 1 month ago
### Summary Sliver's custom Wireguard netstack doesn't limit traffic between Wireguard clients, this could lead to: 1. Leaked/recovered keypair (fr...
go
No PRs yet
Keycloak vulnerable to session takeovers due to reuse of session identifiers
GHSA-rg35-5v25-mqvp CVE-2025-12390 MODERATE about 1 month ago
A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browse...
maven
No PRs yet
ImageMagick has Integer Overflow in BMP Decoder (ReadBMP)
GHSA-9pp9-cfwx-54rm CVE-2025-62171 MODERATE about 1 month ago
## Summary CVE-2025-57803 claims to be patched in ImageMagick 7.1.2-2, but **the fix is incomplete and ineffective**. The latest version **7.1.2-5...
nuget
2 Dependabot PRs
Liferay Portal Does Not Limit Access to APIs Before Email Verification
GHSA-gv7w-jh8g-vr73 CVE-2025-62259 MODERATE about 1 month ago
Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 ...
maven
No PRs yet
Liferay Portal Stores Password Reset Tokens in Plain Text
GHSA-xcj6-xpjg-c4xr CVE-2025-62261 MODERATE about 1 month ago
Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 G...
maven
No PRs yet
ImageMagick CLAHE: Unsigned underflow and division-by-zero lead to OOB pointer arithmetic and process crash (DoS)
GHSA-wpp4-vqfq-v4hp CVE-2025-62594 MODERATE about 1 month ago
## Summary A single root cause in the CLAHE implementation — tile width/height becoming zero — produces two distinct but related unsafe behaviors....
nuget
1 Dependabot PR
Liferay Portal Vulnerable to Information Exposure Through a Log File Vulnerability in LDAP Import Feature
GHSA-cw79-fq4f-9r96 CVE-2025-62262 MODERATE about 1 month ago
Information exposure through log file vulnerability in LDAP import feature in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions...
maven
No PRs yet
Liferay Portal Vulnerable to Open Redirect via the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_redirect parameter
GHSA-2pwh-9q9q-5r9c CVE-2025-62253 MODERATE about 1 month ago
Open redirect vulnerability in page administration in Liferay Portal 7.4.0 through 7.4.3.97, and older unsupported versions, and Liferay DXP 2023.Q...
maven
No PRs yet
Liferay Portal Vulnerable to Cross-Site Scripting
GHSA-8mgf-rgg5-w38q CVE-2025-62263 MODERATE about 1 month ago
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.7 through 7.4.3.103, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA ...
maven
No PRs yet
BBOT's gitlab.py exposes globally configured "gitlab" API key
GHSA-p3v4-c93g-cmhw CVE-2025-10282 MODERATE about 1 month ago
### Summary bbot's `gitlab.py` sends the user's "gitlab" API key to on-premise GitLab instances. If a user has configured a gitlab.com API key us...
pypi
No PRs yet
InventoryGui allows item duplication with experimental "Bundle" item in GUIs which use GuiStorageElement
GHSA-rgvh-4m82-fvjq CVE-2025-62782 MODERATE about 1 month ago
### Impact Any plugin using the GuiStorageElement is impacted when used on a server which allows the (currently experimental) Bundle items. ### Pa...
maven
No PRs yet
InventoryGui affected by item duplication in GUIs which use GuiStorageElement
GHSA-598q-jw82-5w66 CVE-2025-62783 MODERATE about 1 month ago
### Impact Any plugin using the `GuiStorageElement` is impacted. ### Patches Patched with https://github.com/Phoenix616/InventoryGui/commit/27a52e...
maven
No PRs yet
Bouncy Castle Vulnerable to Uncontrolled Resource Consumption
GHSA-jv6h-4262-q663 CVE-2025-12194 MODERATE about 1 month ago
Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules), Legio...
maven
No PRs yet
Hono vulnerable to Vary Header Injection leading to potential CORS Bypass
GHSA-q7jf-gf43-6x6p MODERATE about 1 month ago
### Summary A flaw in the CORS middleware allowed request `Vary` headers to be reflected into the response, enabling attacker-controlled `Vary` v...
npm
4 Dependabot PRs
Rancher exposes sensitive information through audit logs
GHSA-mw39-9qc2-f7mg CVE-2024-58269 MODERATE about 1 month ago
### Impact **Note: The exploitation of this issue requires that the malicious user have access to Rancher’s audit log storage.** A vulnerability h...
go
No PRs yet
Rancher user retains access to clusters despite Global Role removal
GHSA-j4vr-pcmw-hx59 CVE-2023-32199 MODERATE about 1 month ago
### Impact A vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or...
go
No PRs yet
Liferay Portal ComboServlet denial of service via large file combination
GHSA-q95h-87j6-273x CVE-2025-62254 MODERATE about 1 month ago
The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 ...
maven
No PRs yet
MCMS reflected cross-site scripting (XSS) vulnerability
GHSA-wvv5-5g6x-hp7j CVE-2025-60837 MODERATE about 1 month ago
A reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's bro...
maven
No PRs yet
rollbar vulnerable to Prototype Pollution in merge()
GHSA-xcg2-9pp4-j82x CVE-2025-62517 MODERATE about 1 month ago
### Impact Prototype pollution vulnerability in merge(). If application code calls `rollbar.configure()` with untrusted input, prototype pollution...
npm
No PRs yet
Piranha CMS vulnerable to stored cross-site scripting (XSS)
GHSA-3qcp-9v8c-6jp7 CVE-2025-61413 MODERATE about 1 month ago
A stored cross-site scripting (XSS) vulnerability in the /manager/pages component of Piranha CMS v12.0 allows attackers to execute arbitrary web sc...
nuget
No PRs yet
Liferay Portal and DXP do not properly restrict access to OpenAPI
GHSA-j82q-c85j-xw4w CVE-2025-62256 MODERATE about 1 month ago
Liferay Portal 7.4.0 through 7.4.3.109, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 GA through update 92, 7.3 GA ...
maven
No PRs yet
Keycloak does not invalidate offline sessions when the offline_access scope is removed
GHSA-895x-rfqp-jh5c CVE-2025-12110 MODERATE about 1 month ago
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token ...
maven
No PRs yet
Keycloak does not invalidate sessions when "Remember Me" is disabled
GHSA-64w3-5q9m-68xf CVE-2025-11429 MODERATE about 1 month ago
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Ses...
maven
No PRs yet
Moodle exposed the names of hidden groups to users
GHSA-422v-w6c5-vq42 CVE-2025-62400 MODERATE about 1 month ago
Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal pr...
packagist
No PRs yet
Moodle's error handling leads to sensitive information disclosure
GHSA-c5cj-xp43-qcc3 CVE-2025-62396 MODERATE about 1 month ago
An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers ...
packagist
No PRs yet
Moodle has a time restriction bypass
GHSA-w29j-8phw-ffjf CVE-2025-62401 MODERATE about 1 month ago
An issue in Moodle's timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to co...
packagist
No PRs yet
Moodle does not properly enforce MFA
GHSA-25wf-7x6c-wmpf CVE-2025-62398 MODERATE about 1 month ago
A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially ...
packagist
No PRs yet
Moodle sends quiz-related messages to inactive/suspended users
GHSA-8fcv-4qp9-pg32 CVE-2025-62394 MODERATE about 1 month ago
Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-rel...
packagist
No PRs yet
Moodle course access permissions are not properly checked in course_output_fragment_course_overview
GHSA-rjcm-7v2p-9265 CVE-2025-62393 MODERATE about 1 month ago
A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users ...
packagist
No PRs yet
Slack Nebula may accept arbitrary source IP addresses
GHSA-x6fh-7qmf-69xh CVE-2025-62820 MODERATE about 1 month ago
Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network.
go
No PRs yet
Liferay Portal and Liferay DXP vulnerable to reflected cross-site scripting (XSS)
GHSA-phjr-p9c5-hprx CVE-2025-62248 MODERATE about 1 month ago
A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal 7.4.0 through 7.4.3.132, ...
maven
No PRs yet
OpenBao and Vault Leak []byte Fields in Audit Logs
GHSA-rc54-2g2c-g36g CVE-2025-62705 MODERATE about 1 month ago
### Impact OpenBao's audit log did not appropriately redact fields when relevant subsystems sent `[]byte` response parameters rather than `string`...
go
No PRs yet
Sakai kernel-impl: predictable PRNG used to generate server‑side encryption key in EncryptionUtilityServiceImpl
GHSA-gr7h-xw4f-wh86 CVE-2025-62710 MODERATE about 1 month ago
### Impact EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java...
maven
No PRs yet
pypdf can exhaust RAM via manipulated LZWDecode streams
GHSA-jfx9-29x2-rv3j CVE-2025-62708 MODERATE about 1 month ago
### Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of ...
pypi
No PRs yet
pypdf possibly loops infinitely when reading DCT inline images without EOF marker
GHSA-vr63-x8vc-m265 CVE-2025-62707 MODERATE about 1 month ago
### Impact An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a ...
pypi
2 Dependabot PRs
Vert.x-Web Access Control Flaw in StaticHandler’s Hidden File Protection for Files Under Hidden Directories
GHSA-h5fg-jpgr-rv9c CVE-2025-11965 MODERATE about 1 month ago
# Description There is a flaw in the hidden file protection feature of Vert.x Web’s `StaticHandler` when `setIncludeHidden(false)` is configured. ...
maven
2 Dependabot PRs
OpenBao leaks HTTPRawBody in Audit Logs
GHSA-ghfh-fmx4-26h8 CVE-2025-62513 MODERATE about 1 month ago
### Impact OpenBao's audit log experienced a regression wherein raw HTTP bodies used by few endpoints were not correctly redacted (HMAC'd). This ...
go
No PRs yet
ncurses exposes uninitialized memory in string reading functions
GHSA-x77x-7mmh-cxv3 MODERATE about 1 month ago
Multiple string reading functions expose uninitialized memory by setting length to capacity when no null terminator is found. This allows reading ...
cargo
No PRs yet