Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,921
With Dependabot PRs: 1,822
Critical Severity: 3,520
High Severity: 8,659
kubernetes allows nodes to bypass dynamic resource allocation authorization checks
GHSA-hj2p-8wj8-pfq4 CVE-2025-4563 LOW 6 months ago
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When th...
go
No PRs yet
spytrap-adb Omission of Security-relevant Information
GHSA-5p2p-6g2c-hf7m CVE-2025-52926 LOW 6 months ago
In scan.rs in spytrap-adb before 0.3.5, matches for known stalkerware are not rendered in the interactive user interface.
cargo
No PRs yet
zkVM Underconstrained Vulnerability
GHSA-g3qg-6746-3mg9 CVE-2025-52484 LOW 6 months ago
Due to a missing constraint in the rv32im circuit, any 3-register RISC-V instruction (including remu and divu) in risc0-zkvm 2.0.0, 2.0.1, and 2.0....
cargo
8 Dependabot PRs
Upsonic has vulnerability in Pickle Handler component that can lead to deserialization
GHSA-rpfv-46xj-5984 CVE-2025-6279 LOW 6 months ago
A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the...
pypi
No PRs yet
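The entry above describes untrusted data reaching cloudpickle.loads. The following is an added example (not Upsonic's code) showing why a pickle stream can call an arbitrary importable callable during load, and the allow-list unpickler pattern from the Python pickle documentation that refuses such globals before they are called. The payload is constructed here and deliberately points at the harmless os.getenv; the restricted loader is defence in depth, not a substitute for refusing pickle from untrusted sources altogether. cloudpickle reuses the standard-library loader for loads, so the same behaviour applies.

```python
import datetime
import io
import os
import pickle


# Constructed object: when pickled, its __reduce__ makes the stream say
# "resolve os.getenv and call it with ('PATH',)". Nothing about the class
# itself is serialised, only the callable reference and its arguments,
# which is why the identical mechanism works for os.system or subprocess.Popen.
class ReduceToCall:
    def __reduce__(self):
        return (os.getenv, ("PATH",))


def build_payload() -> bytes:
    """Constructed attacker-style payload (benign callable for the demo)."""
    return pickle.dumps(ReduceToCall())


def unsafe_loads_runs_callable() -> bool:
    # Plain pickle.loads resolves the global and calls it during load; the
    # return value is whatever os.getenv("PATH") produced on this host.
    return pickle.loads(build_payload()) == os.environ.get("PATH")


# Allow-list of (module, name) pairs the loader may resolve. Anything else,
# including os.*, builtins.eval and subprocess.*, is refused before it runs.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "bytearray"),
    ("collections", "OrderedDict"),
    ("datetime", "datetime"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejects_payload(data: bytes) -> bool:
    """True when the restricted loader refuses the stream without executing it."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def sample_job() -> dict:
    # Constructed, legitimate-looking job object; datetime exercises find_class
    # through the allow-list, the rest needs no global lookup at all.
    return {"task": "summarise", "inputs": [1, 2, 3],
            "when": datetime.datetime(2025, 6, 1, 12, 0)}


if __name__ == "__main__":
    assert restricted_loads(pickle.dumps(sample_job())) == sample_job()
    print("unsafe loader executed the callable:", unsafe_loads_runs_callable())
    print("restricted loader refused it:", rejects_payload(build_payload()))
```

The allow-list is deliberately tiny: every entry is a type you have decided is safe to construct from attacker-controlled bytes, and the list should be reviewed whenever the accepted schema changes.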
Upsonic is vulnerable to Path Traversal attack through its os.path.join function
GHSA-8jf4-fcjr-68c2 CVE-2025-6278 LOW 6 months ago
A vulnerability classified as critical was found in Upsonic up to 0.55.6. This vulnerability affects the function os.path.join of the file markdown...
pypi
No PRs yet
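The entry above concerns a path built with os.path.join from user input. As an added example (not Upsonic's code, and the document root and file names are assumed), the block below contrasts the naive join with a containment check performed on the resolved path. It runs on POSIX, because it creates a symlink to show the case a string comparison misses.

```python
import os
import tempfile


class UnsafePath(ValueError):
    """Raised when a user-supplied path would escape the document root."""


def naive_join(base: str, user_path: str) -> str:
    # The pattern from the advisory: os.path.join discards every earlier
    # component when a later one is absolute, and never resolves '..'.
    return os.path.join(base, user_path)


def safe_join(base: str, user_path: str) -> str:
    """Join, then prove the result is still inside base.

    realpath resolves symlinks and '..', so the containment check is made on
    the path the filesystem will actually open rather than on the string.
    commonpath (not startswith) avoids the sibling-directory bug where
    '/srv/docs-private' passes a check against '/srv/docs'.
    """
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise UnsafePath(f"{user_path!r} resolves outside {base_real}")
    return candidate


def escapes(base: str, user_path: str) -> bool:
    try:
        safe_join(base, user_path)
    except UnsafePath:
        return True
    return False


def run_demo() -> dict:
    # Constructed document root in a temp dir, with one symlink that points
    # outside it (the case a string-only startswith check does not catch).
    root = tempfile.mkdtemp(prefix="markdown-")
    outside = tempfile.mkdtemp(prefix="outside-")
    os.symlink(outside, os.path.join(root, "link"))
    root_real = os.path.realpath(root)
    return {
        "naive_absolute_discards_root": naive_join(root, "/etc/passwd") == "/etc/passwd",
        "naive_dotdot_kept": ".." in naive_join(root, "../../etc/passwd"),
        "safe_relative_ok": safe_join(root, "notes/2025.md")
                            == os.path.join(root_real, "notes", "2025.md"),
        "safe_rejects_absolute": escapes(root, "/etc/passwd"),
        "safe_rejects_dotdot": escapes(root, "../../etc/passwd"),
        "safe_rejects_symlink": escapes(root, "link/secret.md"),
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```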
PowSyBl Core Contains a Polynomial ReDoS in RegexCriterion
GHSA-8qjw-9xgm-c9ff CVE-2025-48059 LOW 6 months ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
This is an advisory for a **potential polynomial Regular Expression Denial of Serv...
maven
1 Dependabot PR
PowSyBl Core XML Reader allows XXE and SSRF
GHSA-qpj9-qcwx-8jv2 CVE-2025-47293 LOW 6 months ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
In certain places, powsybl-core XML parsing is vulnerable to an XXE attack and in o...
maven
1 Dependabot PR
Apache SeaTunnel: Unauthenticated insecure access
GHSA-9x53-gr7p-4qf5 CVE-2025-32896 LOW 6 months ago
# Summary
Unauthorized users can perform Arbitrary File Read and Deserialization
attacks by submitting a job through the RESTful API v1.
# Details
Unauthorize...
maven
No PRs yet
Grafana long dashboard title or panel name causes unresponsiveness
GHSA-crvv-6w6h-cv34 CVE-2025-1088 LOW 6 months ago
In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation ...
go
No PRs yet
ash_authentication_phoenix has Insufficient Session Expiration
GHSA-f7gq-h8jv-h3cq CVE-2025-4754 LOW 6 months ago
### Impact
Session tokens remain valid on the server after user logout, creating a security gap where:
- Compromised tokens (via XSS, network int...
hex
1 Dependabot PR
Weblate exposes personal IP address via e-mail
GHSA-4qqf-9m5c-w2c5 CVE-2025-49134 LOW 6 months ago
### Impact
The audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP...
pypi
No PRs yet
handcraftedinthealps/goodby-csv has Potential Gadget Chain allowing Remote Code Execution
GHSA-x3c7-22c8-prg7 CVE-2025-49597 LOW 6 months ago
### Impact
goodby-csv could be used as part of a chain of methods that is exploitable when an insecure deserialization vulnerability exists in an ...
packagist
1 Dependabot PR
Vantage6 Server JWT secret not cryptographically secure
GHSA-m3mq-f375-5vgh CVE-2025-43866 LOW 6 months ago
### Impact
The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not ...
pypi
No PRs yet
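The entry above says the auto-generated JWT secret is a UUID1. As an added example (not vantage6 code), the block below takes a version-1 UUID apart to show which of its 128 bits an attacker actually has to guess, estimates the resulting work factor, and shows the CSPRNG-backed replacement. The one-hour start-up window and the HS256 token check are assumptions made for the demonstration.

```python
import hashlib
import hmac
import math
import secrets
import uuid


def weak_secret() -> str:
    # The advisory's pattern: a version-1 UUID used as the HMAC secret.
    return str(uuid.uuid1())


def uuid1_fields(u: uuid.UUID) -> dict:
    # RFC 4122 v1 layout: 60-bit timestamp (100 ns ticks since 1582-10-15),
    # 14-bit clock sequence, 48-bit node (the host MAC address, or a
    # per-process random value when no MAC is available). None of these is
    # chosen with the key's secrecy in mind, and the node repeats per host.
    return {"version": u.version, "time": u.time,
            "clock_seq": u.clock_seq, "node": u.node}


def same_node_across_calls() -> bool:
    a, b = uuid.uuid1(), uuid.uuid1()
    return uuid1_fields(a)["node"] == uuid1_fields(b)["node"]


def guess_space_bits(window_seconds: float, node_known: bool = True) -> float:
    """Work factor for an attacker who knows roughly when the server started.

    Timestamp candidates: window_seconds * 1e7 (100 ns ticks); clock
    sequence: 2**14; node: 2**48 unless already learned (it is the MAC,
    which leaks through any other v1 UUID the host emits or via ARP).
    """
    bits = math.log2(window_seconds * 1e7) + 14
    return bits if node_known else bits + 48


def strong_secret(nbytes: int = 32) -> str:
    # Fix: draw the secret from the OS CSPRNG; 32 bytes is 256 bits, the
    # key length HS256 is designed around.
    return secrets.token_urlsafe(nbytes)


def hs256_tag(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def secret_matches(signing_input: bytes, tag: bytes, candidate: str) -> bool:
    # An attacker holding any one valid token can test candidates offline:
    # one HMAC per guess, so a 2**49 search is a practical budget, while
    # 2**256 is not.
    return hmac.compare_digest(tag, hs256_tag(signing_input, candidate))


if __name__ == "__main__":
    print(uuid1_fields(uuid.uuid1()))
    print(f"guess space, 1 h window, node known: 2^{guess_space_bits(3600):.1f}")
    print(f"guess space, 1 h window, node unknown: 2^{guess_space_bits(3600, False):.1f}")
    print("replacement secret:", strong_secret())
```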
vantage6 lacks brute-force protection on change password functionality
GHSA-j6g5-p62x-58hw CVE-2025-43863 LOW 6 months ago
### Impact
If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change password function...
pypi
No PRs yet
Mattermost allows guest users to view information about public teams they are not members of
GHSA-jwhw-xf5v-qgxc CVE-2025-4128 LOW 6 months ago
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass pe...
go
No PRs yet
CIRCL-Fourq: Missing and wrong validation can lead to incorrect results
GHSA-2x5j-vhc8-9cwm CVE-2025-8556 LOW 6 months ago
### Impact
The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allow...
go
No PRs yet
pm2 Regular Expression Denial of Service vulnerability
GHSA-x5gf-qvw8-r2rm CVE-2025-5891 LOW 6 months ago
A vulnerability classified as problematic was found in Unitech pm2 up to 6.0.8. This vulnerability affects unknown code of the file /lib/tools/Conf...
npm
No PRs yet
brace-expansion Regular Expression Denial of Service vulnerability
GHSA-v6h2-p8h4-qcjw CVE-2025-5889 LOW 6 months ago
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue ...
npm
19 Dependabot PRs, 52% merged
SpiceDB checks involving relations with caveats can result in no permission when permission is expected
GHSA-cwwm-hr97-qfxm CVE-2025-49011 LOW 6 months ago
### Impact
On schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the eval...
go
12 Dependabot PRs, 30% merged
anon-vec lacks sufficient checks in public API
GHSA-pr59-jjr4-gcf6 LOW 6 months ago
The following functions in the anon-vec crate are unsound due to insufficient checks on their arguments:
- `AnonVec::get_ref()`
- `AnonVec::get_m...
cargo
No PRs yet
Mattermost fails to properly enforce access controls for guest users
GHSA-hc6v-386m-93pq CVE-2025-1792 LOW 6 months ago
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channe...
go
No PRs yet
Mattermost fails to properly enforce access control restrictions for System Manager roles
GHSA-86jg-35xj-3vv5 CVE-2025-3611 LOW 6 months ago
Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access control restrictions for System Manager ...
go
No PRs yet
Apache Tomcat - CGI security constraint bypass
GHSA-h2fw-rfh5-95r3 CVE-2025-46701 LOW 6 months ago
Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's CGI servlet allows security constraint bypass of security constraints that a...
maven
3 Dependabot PRs, 33% merged
Gradio CORS Origin Validation Bypass Vulnerability
GHSA-wmjh-cpqj-4v6x CVE-2025-5320 LOW 6 months ago
A vulnerability classified as problematic has been found in gradio-app gradio up to 5.29.1. This affects the function is_valid_origin of the compon...
pypi
No PRs yet
Aim Vulnerable to Sandbox Escape Leading to Remote Code Execution
GHSA-gp5h-f9c5-8355 CVE-2025-5321 LOW 6 months ago
A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the...
pypi
No PRs yet
Information exposure in Next.js dev server due to lack of origin verification
GHSA-3h52-269p-cp9r CVE-2025-48068 LOW 6 months ago
## Summary
A low-severity vulnerability in **Next.js** has been fixed in **version 15.2.2**. This issue may have allowed limited source code expos...
npm
No PRs yet
Potential Timing Side-Channel Vulnerability in vLLM’s Chunk-Based Prefix Caching
GHSA-4qjh-9fv9-r85r CVE-2025-46570 LOW 6 months ago
This issue arises from the prefix caching mechanism, which may expose the system to a timing side-channel attack.
## Description
When a new prompt...
pypi
No PRs yet
Traefik allows path traversal using url encoding
GHSA-vrch-868g-9jx5 CVE-2025-47952 LOW 6 months ago
## Impact
There is a potential vulnerability in Traefik managing the requests using a `PathPrefix`, `Path` or `PathRegex` matcher.
When Traefik i...
go
12 Dependabot PRs, 33% merged
Hackney fails to properly release HTTP connections to the pool
GHSA-9fm9-hp7p-53mf CVE-2025-3864 LOW 6 months ago
Hackney fails to properly release HTTP connections to the pool after handling 307 Temporary Redirect responses. Remote attackers can exploit this t...
hex
No PRs yet
Fess has Insecure Temporary File Permissions
GHSA-g88v-2j67-9rmx CVE-2025-48382 LOW 6 months ago
### Summary
Fess (an open-source Enterprise Search Server) creates temporary files without restrictive permissions, which may allow local attackers...
maven
No PRs yet
auth-js Vulnerable to Insecure Path Routing from Malformed User Input
GHSA-8r88-6cj9-9fh5 CVE-2025-48370 LOW 6 months ago
### Impact
The library functions `getUserById`, `deleteUser`, `updateUserById`, `listFactors` and `deleteFactor` did not require the user supplied ...
npm
7 Dependabot PRs, 14% merged
SCSIR has a Potential Unsound Issue in WriteSameCommand
GHSA-cm3g-qm4h-xm6m CVE-2025-48756 LOW 7 months ago
In group_number in the scsir crate 0.2.0 for Rust, there can be an overflow because a hardware device may expect a small number of bits (e.g., 5 bi...
cargo
No PRs yet
memory_pages division by zero
GHSA-5r4r-9fgh-pw53 CVE-2025-48754 LOW 7 months ago
In the memory_pages crate 0.1.0 for Rust, division by zero can occur.
cargo
No PRs yet
Process Sync has a Potential Unsound Issue in SharedMutex
GHSA-mqwx-r894-9hfp CVE-2025-48752 LOW 7 months ago
In the process-sync crate 0.2.2 for Rust, the drop function lacks a check for whether the pthread_mutex is unlocked.
cargo
No PRs yet
process_lock has a Potential Unsound issue in unlock
GHSA-6v24-6wgf-8vj6 CVE-2025-48751 LOW 7 months ago
The process_lock crate 0.1.0 for Rust allows data races in unlock.
cargo
No PRs yet
DNN site Import could use an external source with a crafted request
GHSA-62mf-vhhw-xmf8 CVE-2025-48376 LOW 7 months ago
A malicious SuperUser (Host) could craft a request to use an external url for a site export to then be imported.
nuget
No PRs yet
Ackites KillWxapkg vulnerable to OS Command Injection
GHSA-w6p4-84vc-qc2w CVE-2025-5030 LOW 7 months ago
A vulnerability was found in Ackites KillWxapkg up to 2.4.1. It has been declared as critical. This vulnerability affects the function processFile ...
go
No PRs yet
Ackites KillWxapkg Zip Bomb Resource Exhaustion
GHSA-pqqp-7cp8-vxvf CVE-2025-5031 LOW 7 months ago
A vulnerability was found in Ackites KillWxapkg up to 2.4.1. It has been rated as problematic. This issue affects some unknown processing of the co...
go
No PRs yet
The Backup Plus extension for TYPO3 (ns_backup) allows XSS
GHSA-xg53-mhh9-3cq7 CVE-2025-48206 LOW 7 months ago
The ns_backup extension through 13.0.0 for TYPO3 allows XSS.
packagist
No PRs yet
TYPO3 Unverified Password Change for Backend Users
GHSA-3jrg-97f3-rqh9 CVE-2025-47938 LOW 7 months ago
### Problem
The backend user management interface allows password changes without requiring the current password. When an administrator updates the...
packagist
No PRs yet
TYPO3 Allows Information Disclosure via DBAL Restriction Handling
GHSA-x8pv-fgxp-8v3x CVE-2025-47937 LOW 7 months ago
### Problem
When performing a database query involving multiple tables through the database abstraction layer (DBAL), frontend user permissions are...
packagist
No PRs yet
TYPO3 CMS Webhooks Server Side Request Forgery
GHSA-p4xx-m758-3hpx CVE-2025-47936 LOW 7 months ago
### Problem
Webhooks are inherently vulnerable to Server-Side Request Forgery (SSRF), which can be exploited by adversaries to target internal reso...
packagist
No PRs yet
LibreNMS stored Cross-site Scripting vulnerability in poller group name
GHSA-hxw5-9cc5-cmw5 CVE-2025-47931 LOW 7 months ago
### LibreNMS v25.4.0 suffers from Stored Cross-Site Scripting (XSS) Vulnerability in the 'group name' parameter of the 'http://localhost/poller/gro...
packagist
No PRs yet
Spring Framework DataBinder Case Sensitive Match Exception
GHSA-4wp7-92pw-q264 CVE-2025-22233 LOW 7 months ago
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. ...
maven
1 Dependabot PR
Vyper's `slice()` may elide side-effects when output length is 0
GHSA-3vcg-j39x-cwfm CVE-2025-47774 LOW 7 months ago
### Impact
The `slice()` builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (`msg.data` or `<addres...
pypi
No PRs yet
Vyper's `concat()` builtin may elide side-effects for zero-length arguments
GHSA-qhr6-mgqr-mchm CVE-2025-47285 LOW 7 months ago
### Impact
`concat()` may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the implementation w...
pypi
No PRs yet
Mattermost Fails to Check User Access to `ExperimentalSettings`
GHSA-fpff-wj6m-grvr CVE-2025-2570 LOW 7 months ago
Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSet...
go
No PRs yet
undici Denial of Service attack via bad certificate data
GHSA-cxrh-j4jr-qwg3 CVE-2025-47279 LOW 7 months ago
### Impact
Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certifi...
npm
146 Dependabot PRs, 21% merged
Next.js Race Condition to Cache Poisoning
GHSA-qpjv-v59x-3qc4 CVE-2025-32421 LOW 7 months ago
**Summary**
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue...
npm
No PRs yet
Flask uses fallback key instead of current signing key
GHSA-4grg-w6v8-c28g CVE-2025-47278 LOW 7 months ago
In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current si...
pypi
2439 Dependabot PRs, 27% merged
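The Flask entry above describes a key-rotation bug: the last fallback key, the one being retired, ended up as the signing key. The block below is an added example (not Flask's or itsdangerous's code; the token format is a simplified HMAC-SHA256 scheme chosen for the demo) of how rotation is meant to work, with a faulty signer beside it so the consequence is visible: tokens issued by the faulty deployment are signed by the old key and all die the moment that key is finally dropped, while the retired key never actually stops being used.

```python
import base64
import hashlib
import hmac
from typing import Optional


def _mac(key: bytes, payload: bytes) -> bytes:
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).rstrip(b"=")


class Signer:
    """Correct rotation: keys[0] (the current key) signs, every key verifies."""

    def __init__(self, secret_key: bytes, fallback_keys=()):
        self.keys = [secret_key, *fallback_keys]

    def signing_key(self) -> bytes:
        return self.keys[0]

    def sign(self, payload: bytes) -> bytes:
        return payload + b"." + _mac(self.signing_key(), payload)

    def verify(self, signed: bytes) -> Optional[bytes]:
        payload, _, tag = signed.rpartition(b".")
        for key in self.keys:            # current key first, then fallbacks
            if hmac.compare_digest(tag, _mac(key, payload)):
                return payload
        return None


class LastFallbackSigner(Signer):
    """The faulty behaviour described in the advisory: the last fallback signs."""

    def signing_key(self) -> bytes:
        return self.keys[-1]


def key_that_signed(signed: bytes, keys) -> Optional[bytes]:
    """Which of the candidate keys produced this token's tag (for inspection)."""
    payload, _, tag = signed.rpartition(b".")
    for key in keys:
        if hmac.compare_digest(tag, _mac(key, payload)):
            return key
    return None


if __name__ == "__main__":
    old, new = b"key-2024", b"key-2025"          # constructed demo keys
    session = Signer(old).sign(b"user=42")       # issued before rotation
    rotating = Signer(new, fallback_keys=[old])  # rotation window
    print("old session still valid during rotation:", rotating.verify(session))
    print("new token signed by:", key_that_signed(rotating.sign(b"user=42"), [new, old]))
    buggy = LastFallbackSigner(new, fallback_keys=[old]).sign(b"user=42")
    print("faulty signer used:", key_that_signed(buggy, [new, old]))
    print("faulty token after old key removed:", Signer(new).verify(buggy))
```

The verifier loops over every configured key, so a deployment can keep the old key in the fallback list for one session lifetime and then remove it; the signer must never look past index 0, which is exactly the invariant the advisory says was broken.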