Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,785
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617
bagisto has Cross Site Scripting (XSS) in Create New Customer
GHSA-r9xj-mvqf-jm7w CVE-2025-62414 MODERATE about 1 month ago
### Summary
In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to reflected / stored Cross-Site Scripting (XSS...
packagist
No PRs yet
bagisto has a Cross Site Scripting (XSS) vulnerability in TinyMCE Image Upload (SVG)
GHSA-fg89-g389-p346 CVE-2025-62418 MODERATE about 1 month ago
### Summary
In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafte...
packagist
No PRs yet
bagisto has Server Side Template Injection (SSTI) in Product Description
GHSA-527q-4wqv-g9wj CVE-2025-62416 MODERATE about 1 month ago
### Summary
Bagisto v2.3.7 is vulnerable to Server-Side Template Injection (SSTI) due to unsanitized user input being processed by the server-side ...
packagist
No PRs yet
PrestaShop Checkout Backoffice directory traversal allows arbitrary file disclosure
GHSA-fpxp-pfqm-x54w CVE-2025-61923 MODERATE about 1 month ago
# Impact
Missing validation on input vulnerable to directory traversal.
# Patches
The problem has been patched in versions:
v4.4.1 for PrestaShop...
packagist
No PRs yet
Strapi core vulnerable to sensitive data exposure via CORS misconfiguration
GHSA-9329-mxxw-qwf8 CVE-2025-53092 MODERATE about 1 month ago
### Summary
A CORS misconfiguration vulnerability exists in default installations of Strapi where attacker-controlled origins are improperly refle...
npm
No PRs yet
Strapi Password Hashing is Missing Maximum Password Length Validation
GHSA-2cjv-6wg9-f4f3 CVE-2025-25298 MODERATE about 1 month ago
## Summary
Strapi's password hashing implementation using bcryptjs lacks maximum password length validation. Since bcryptjs truncates passwords ex...
npm
No PRs yet
Smidge is vulnerable to Path Traversal
GHSA-9rvm-p3qm-f4vv CVE-2025-11842 MODERATE about 1 month ago
A security vulnerability has been detected in Shazwazza Smidge up to 4.5.1. The impacted element is an unknown function of the component Bundle Han...
nuget
No PRs yet
bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)
GHSA-67px-r26w-598x CVE-2025-62415 MODERATE about 1 month ago
### Summary
In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafte...
packagist
No PRs yet
LibreNMS has a Stored XSS vulnerability in its Alert Transport name field
GHSA-frc6-pwgr-c28w CVE-2025-62411 MODERATE about 1 month ago
### Summary
LibreNMS <= 25.8.0 contains a **Stored Cross-Site Scripting (XSS)** vulnerability in the Alert Transports management functionality. Wh...
packagist
No PRs yet
Spring Framework STOMP over WebSocket applications may allow attackers to send unauthorized messages
GHSA-7fch-4f2f-jcgm CVE-2025-41254 MODERATE about 1 month ago
STOMP over WebSocket applications may be vulnerable to a security bypass that allows an attacker to send unauthorized messages.
### Affected Sprin...
maven
No PRs yet
Strapi is vulnerable to Insufficient Session Expiration
GHSA-4r8w-3jww-m2rp CVE-2025-3930 MODERATE about 2 months ago
Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker wh...
npm
No PRs yet
Mattermost has a Missing Authorization vulnerability
GHSA-7cr3-38jm-6p45 CVE-2025-41443 MODERATE about 2 months ago
Mattermost versions 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to properly validate guest user permissions when accessing channel information which...
go
No PRs yet
Mattermost has a Missing Authorization vulnerability
GHSA-3q4q-wqm6-hvf3 CVE-2025-41410 MODERATE about 2 months ago
Mattermost versions 10.10.x <= 10.10.2, 10.5.x <= 10.5.10, 10.11.x <= 10.11.2 fail to validate email ownership during Slack import process which al...
go
No PRs yet
GeoIP processor disables SSL certificate validation when downloading databases
GHSA-3xgr-h5hq-7299 MODERATE about 2 months ago
### Impact
The GeoIP processor in Data Prepper was configured to trust all SSL certificates and disable hostname verification when downloading Geo...
maven
No PRs yet
OpenSearch Data Prepper uses deprecated SSL protocol identifier
GHSA-28gg-8qqj-fhh5 MODERATE about 2 months ago
### Impact
The GeoIP processor and Kafka source and buffer were using the deprecated "SSL" protocol identifier when creating SSL contexts, potenti...
maven
No PRs yet
go-witness is Vulnerable to Improper Verification of AWS EC2 Identity Documents
GHSA-72c7-4g63-hpw5 CVE-2025-62375 MODERATE about 2 months ago
### Impact
This vulnerability only affects users of the AWS attestor.
Users of the AWS attestor could have unknowingly received a forged identity ...
go
No PRs yet
gnark-crypto doesn't range check input values during ECDSA and EdDSA signature deserialization
GHSA-fr8m-434r-g3xp MODERATE about 2 months ago
### Impact
During deserialization of ECDSA and EdDSA signatures gnark-crypto did not check that the values are in the range `[1, n-1]` with `n` be...
go
No PRs yet
Microsoft Security Advisory CVE-2025-55248: .NET Information Disclosure Vulnerability
GHSA-gwq6-fmvp-qp68 CVE-2025-55248 MODERATE about 2 months ago
# Microsoft Security Advisory CVE-2025-55248 | .NET Information Disclosure Vulnerability
## Executive summary
Mic...
nuget
No PRs yet
Apache Spark has Inadequate Encryption Strength
GHSA-6p6v-m64v-jx8q CVE-2025-55039 MODERATE about 2 months ago
This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0.
Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure defau...
maven
No PRs yet
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
GHSA-9f2h-7v79-mxw3 CVE-2025-62374 MODERATE about 2 months ago
### Summary
Prototype pollution capabilities on various APIs.
### Details
Injection of malicious payload allows attacker to remotely execute arb...
npm
2 Dependabot PRs, 50% merged
Magento vulnerable to stored Cross-Site Scripting (XSS)
GHSA-pcrx-r49h-x2w5 CVE-2025-54266 MODERATE about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by a stored Cross-Site Scripting (XSS) ...
packagist
No PRs yet
Magento allows incorrect authorization
GHSA-r355-75hw-r8jf CVE-2025-54265 MODERATE about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Magento vulnerable to privilege escalation due to incorrect authorization
GHSA-qvwr-p3hj-j6jf CVE-2025-54267 MODERATE about 2 months ago
Magento versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerabi...
packagist
No PRs yet
Apache Geode web-api is vulnerable to Cross-site Scripting
GHSA-w595-4975-gm3h CVE-2024-44088 MODERATE about 2 months ago
Malicious script injection ('Cross-site Scripting') vulnerability in Apache Geode web-api (REST). This vulnerability allows an attacker that tricks...
maven
No PRs yet
Liferay has Incorrect Permission Assignment for Critical Resource
GHSA-j4f7-gj7q-xg9m CVE-2025-62251 MODERATE about 2 months ago
Liferay Portal 7.3.0 through 7.4.3.119, and Liferay DXP 2023.Q3.1 through 2023.Q3.8, 2023.Q4.0 through 2023.Q4.5, 7.4 GA through update 92 and 7.3 ...
maven
No PRs yet
LibreNMS is vulnerable to Reflected-XSS in `report_this` function
GHSA-86rg-8hc8-v82p CVE-2025-62365 MODERATE about 2 months ago
### Summary
Reflected-XSS in `report_this` function in `librenms/includes/functions.php`
### Details
Recently, it was discovered that the `report...
packagist
No PRs yet
Liferay Mentions Web is Vulnerable to Cross-site Scripting
GHSA-mj68-2xr5-28xh CVE-2025-62246 MODERATE about 2 months ago
Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay D...
maven
No PRs yet
Liferay Commerce Order Content Web is Vulnerable to Authorization Bypass Through User-Controlled Key
GHSA-fhcw-px4q-pmvv CVE-2025-62241 MODERATE about 2 months ago
Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticate...
maven
No PRs yet
Liferay is Vulnerable to Authorization Bypass Through User-Controlled Key
GHSA-pfwq-mr9g-gq6m CVE-2025-62252 MODERATE about 2 months ago
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 20...
maven
No PRs yet
Liferay Account Admin Web vulnerable to Authorization Bypass Through User-Controlled Key
GHSA-3cm9-jrf5-h2cx CVE-2025-62242 MODERATE about 2 months ago
Insecure Direct Object Reference (IDOR) vulnerability with account addresses in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0...
maven
No PRs yet
Omni is Vulnerable to DoS via Empty Create/Update Resource Requests
GHSA-4p3p-cr38-v5xp CVE-2025-59836 MODERATE about 2 months ago
## Summary
A nil pointer dereference vulnerability in the Omni Resource Service allows unauthenticated users to cause a server panic and denial of...
go
No PRs yet
Liferay Publications is vulnerable to Incorrect Authorization
GHSA-894w-w643-qvxv CVE-2025-62243 MODERATE about 2 months ago
Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through ...
maven
No PRs yet
Liferay Publications vulnerable to Authorization Bypass Through User-Controlled Key
GHSA-2hfj-jv6q-762v CVE-2025-62244 MODERATE about 2 months ago
Insecure direct object reference (IDOR) vulnerability in Publications in Liferay Portal 7.3.1 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through ...
maven
No PRs yet
CommandKit has incorrect command name exposure in context object for message command aliases
GHSA-fhwm-pc6r-4h2f CVE-2025-62378 MODERATE about 2 months ago
### Impact
A logic flaw exists in the message command handler of CommandKit that affects how the `commandName` property is exposed to both middlew...
npm
No PRs yet
QGIS QWC2 Cross-Site Scripting vulnerability
GHSA-gxp8-m5rq-3m38 CVE-2025-11183 MODERATE about 2 months ago
Cross-Site Scripting vulnerability in attribute table in QGIS QWC2 < 2025.08.14 allows an authorized attacker to plant arbitrary JavaScript code in...
npm
No PRs yet
Astro's `X-Forwarded-Host` is reflected without validation
GHSA-5ff5-9fcw-vg88 CVE-2025-61925 MODERATE about 2 months ago
### Summary
When running Astro in on-demand rendering mode using an adapter such as the node adapter it is possible to maliciously send an `X-Forwar...
npm
No PRs yet
Authlib: JWE zip=DEF decompression bomb enables DoS
GHSA-g7f3-828f-7h7m CVE-2025-62706 MODERATE about 2 months ago
### Summary
_Authlib’s JWE `zip=DEF` path performs unbounded DEFLATE decompression. A very small ciphertext can expand into tens or hundreds of meg...
pypi
4 Dependabot PRs
Allstar Reviewbot has Authentication Bypass via Hard-coded Webhook Secret
GHSA-33f4-mjch-7fpr CVE-2025-61926 MODERATE about 2 months ago
A vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret:
https://gith...
go
No PRs yet
python-ldap is Vulnerable to Improper Encoding or Escaping of Output and Improper Null Termination
GHSA-p34h-wq7j-h5v6 CVE-2025-61912 MODERATE about 2 months ago
### Summary
`ldap.dn.escape_dn_chars()` escapes `\x00` incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514...
pypi
No PRs yet
python-ldap has sanitization bypass in ldap.filter.escape_filter_chars
GHSA-r7r6-cc7p-4v5m CVE-2025-61911 MODERATE about 2 months ago
### Summary
The sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of special characters when a crafted `list` o...
pypi
No PRs yet
Liferay Portal is vulnerable to CSRF through publication comments
GHSA-9676-rh83-cr86 CVE-2025-62245 MODERATE about 2 months ago
Cross-site request forgery (CSRF) vulnerability in Liferay Portal 7.4.1 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 t...
maven
No PRs yet
PowerJob OpenAPIController is missing authorization
GHSA-9wq6-87hw-6mhc CVE-2025-11581 MODERATE about 2 months ago
A security vulnerability has been detected in PowerJob up to 5.1.2. This vulnerability affects unknown code of the file /openApi/runJob of the comp...
maven
No PRs yet
Rack has a Possible Information Disclosure Vulnerability
GHSA-r657-rxjc-j557 CVE-2025-61780 MODERATE about 2 months ago
## Summary
A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` head...
rubygems
21 Dependabot PRs, 14% merged
Liferay Portal Commerce is vulnerable to XSS through account "name" field
GHSA-m4g9-5mg6-gfr3 CVE-2025-62237 MODERATE about 2 months ago
Stored cross-site scripting (XSS) vulnerability in Commerce’s view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4....
maven
No PRs yet
Alt Redirect: Potential Authentication Bypass by Spoofing through query-string stripping logic flaw
GHSA-rpjr-pcmr-9ppw CVE-2025-60868 MODERATE about 2 months ago
The Alt Redirect 1.6.3 addon for Statamic fails to consistently strip query string parameters when the "Query String Strip" feature is enabled. Cas...
packagist
No PRs yet
Liferay Portal is vulnerable to XSS through its workflow process builder
GHSA-xcvw-hh99-qm73 CVE-2025-62239 MODERATE about 2 months ago
Cross-site scripting (XSS) vulnerability in workflow process builder in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 throug...
maven
No PRs yet
Liferay Portal's Membership page is vulnerable to XSS through "name" text field
GHSA-xw6m-3m5q-mxpm CVE-2025-62238 MODERATE about 2 months ago
Stored cross-site scripting (XSS) vulnerability on the Membership page in Account Settings in Liferay Portal 7.4.3.21 through 7.4.3.111, and Lifera...
maven
No PRs yet
rardecode: DoS risk due to unrestricted RAR dictionary sizes
GHSA-rwvp-r38j-9rgg CVE-2025-11579 MODERATE about 2 months ago
rardecode versions <= 2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a spe...
go
No PRs yet
Elasticsearch: Insertion of Sensitive Information into Log File via reindex API
GHSA-56r7-h6mw-rcfv CVE-2025-37727 MODERATE about 2 months ago
Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requ...
maven
No PRs yet
BBOT's git_clone.py can expose users' GitHub API keys to an attacker-controlled webserver
GHSA-63wh-p5fx-h4vc CVE-2025-10281 MODERATE about 2 months ago
### Summary
Due to unsafe URL handling, bbot's `git_clone.py` can be made to leak a user's github.com API key to an attacker-controlled webserver....
pypi
No PRs yet