Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,785 Total Advisories
1,792 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity
Drupal CivicTheme Design System allows Cross-Site Scripting (XSS)
GHSA-h72q-cq3w-h3wc CVE-2025-12083 MODERATE 30 days ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CivicTheme Design System allows Cross-...
packagist
No PRs yet
Drupal Currency allows Cross Site Request Forgery
GHSA-27fv-rpgj-4c6m CVE-2025-10930 MODERATE 30 days ago
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Currency allows Cross Site Request Forgery. This issue affects Currency: from 0.0.0 befor...
packagist
No PRs yet
Drupal JSON Field is vulnerable to XSS
GHSA-m3f2-xjgc-2wp2 CVE-2025-10926 MODERATE 30 days ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal JSON Field allows Cross-Site Scripting...
packagist
No PRs yet
Drupal Plausible tracking is vulnerable to XSS
GHSA-pr6m-qwrr-mrw9 CVE-2025-10927 MODERATE 30 days ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Plausible tracking allows Cross-Site S...
packagist
No PRs yet
Drupal CivicTheme Design System allows Forceful Browsing
GHSA-qxr9-f877-9842 CVE-2025-12082 HIGH 30 days ago
Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing. This issue affects CivicTheme Design System: fro...
packagist
No PRs yet
Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables
GHSA-fg8x-q69g-4qp3 CVE-2025-10929 MODERATE 30 days ago
Improper Validation of Consistency within Input vulnerability in Drupal Reverse Proxy Header allows Manipulating User-Controlled Variables. This is...
packagist
No PRs yet
Drupal Access code allows Brute Force Attempts
GHSA-27mc-9399-r9mx CVE-2025-10928 MODERATE 30 days ago
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force. This issue affects Access code: f...
packagist
No PRs yet
Drupal Umami Analytics allows Cross-Site Scripting (XSS)
GHSA-jxp8-4jw5-5xjc CVE-2025-10931 LOW 30 days ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scri...
packagist
No PRs yet
LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore
GHSA-7p73-8jqx-23r8 CVE-2025-64104 HIGH 30 days ago
### Summary
LangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper paramet...
pypi
No PRs yet
Zitadel May Bypass Second Authentication Factor
GHSA-cfjq-28r2-4jv5 CVE-2025-64103 HIGH 30 days ago
### Summary
A vulnerability in Zitadel's token verification prematurely marked sessions as authenticated when only one factor was verified.
### ...
go
No PRs yet
Zitadel allows brute-forcing authentication factors
GHSA-xrw9-r35x-x878 CVE-2025-64102 HIGH 30 days ago
### Summary
A vulnerability in Zitadel allowed brute-force attack on OTP, TOTP and password allowing to impersonate the attacked user.
### Impact...
go
No PRs yet
ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection
GHSA-mwmh-7px9-4c23 CVE-2025-64101 HIGH 30 days ago
### Impact
A potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from ...
go
No PRs yet
OpenUSD File Parsing Use-After-Free Remote Code Execution Vulnerability
GHSA-grjp-54v3-c442 MODERATE 30 days ago
# Patch
This is fixed with [commit b953092](https://github.com/PixarAnimationStudios/OpenUSD/commit/b9530922b6a8ea72cd43661226b693fff8abbe4c), with...
pypi
No PRs yet
uv allows ZIP payload obfuscation through parsing differentials
GHSA-pqhf-p39g-3x64 MODERATE 30 days ago
### Impact
In versions 0.9.5 and earlier of uv, ZIP archives were handled in a manner that enabled two parsing differentials against other compone...
pypi
4 Dependabot PRs
CKAN vulnerable to fixed session IDs
GHSA-2hvh-cw5c-8q8q CVE-2025-64100 MODERATE 30 days ago
### Impact
Session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session st...
pypi
No PRs yet
DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite
GHSA-3m8r-w7xg-jqvw CVE-2025-64095 CRITICAL 30 days ago
### Summary
The default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files.
### Description
An unaut...
nuget
No PRs yet
DNN vulnerable to stored cross-site-scripting (XSS) via SVG upload
GHSA-hmvq-8p83-cq52 CVE-2025-64094 MODERATE 30 days ago
### Summary
Sanitization of the content of uploaded SVG files was not covering all possible XSS scenarios.
### Details
DNN validates the contents ...
nuget
No PRs yet
DNN CKEditor Provider allows unauthenticated upload out-of-the-box
GHSA-2374-6cvw-qmx6 CVE-2025-62802 MODERATE 30 days ago
### Summary
The out-of-box experience for HTML editing allows unauthenticated users to upload files. This opens a potential vector to other securit...
nuget
No PRs yet
MLflow Weak Password Requirements Authentication Bypass Vulnerability
GHSA-6xj8-rrqx-r4cv CVE-2025-11200 HIGH 30 days ago
MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affec...
pypi
No PRs yet
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability
GHSA-5cvj-7rg6-jggj CVE-2025-11201 HIGH 30 days ago
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execut...
pypi
No PRs yet
TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update
GHSA-q2pj-6v73-8rgj CVE-2025-60542 HIGH about 1 month ago
### Summary
SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring ...
npm
No PRs yet
FastMCP vulnerable to windows command injection in FastMCP Cursor installer via server_name
GHSA-rj5c-58rq-j5g5 CVE-2025-62801 MODERATE about 1 month ago
### Summary
A command-injection vulnerability lets any attacker who can influence the server_name field of an MCP execute arbitrary OS commands on ...
pypi
No PRs yet
FastMCP vulnerable to reflected XSS in client's callback page
GHSA-mxxr-jv3v-6pgc CVE-2025-62800 MODERATE about 1 month ago
### Summary
While setting up an oauth client, it was noticed that the callback page hosted by the client during the flow embeds user-controlled con...
pypi
No PRs yet
FastMCP Auth Integration Allows for Confused Deputy Account Takeover
GHSA-c2jp-c369-7pvx HIGH about 1 month ago
### Summary
FastMCP documentation [covers the scenario](https://gofastmcp.com/integrations/azure) where it is possible to use Entra ID or other pr...
pypi
No PRs yet
CKAN vulnerable to stored XSS in resource description
GHSA-2r4h-8jxv-w2j8 CVE-2025-54384 MODERATE about 1 month ago
### Impact
The `helpers.markdown_extract()` function did not perform sufficient sanitization of input data before wrapping in an HTML literal elem...
pypi
No PRs yet
Jenkins Publish to Bitbucket Plugin vulnerable to CSRF and missing permissions check
GHSA-m244-6mff-p355 CVE-2025-64149 MODERATE about 1 month ago
Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Re...
maven
No PRs yet
Jenkins Publish to Bitbucket Plugin is missing a permissions check
GHSA-v549-7pm5-f8qr CVE-2025-64148 MODERATE about 1 month ago
Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in a method implementing form validation.
This allows atta...
maven
No PRs yet
Jenkins Curseforge Publisher Plugin does not mask API Keys displayed on the job configuration form
GHSA-hv42-crpx-q355 CVE-2025-64147 MODERATE about 1 month ago
Jenkins Curseforge Publisher Plugin 1.0 and earlier stores API Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its ...
maven
No PRs yet
Jenkins Publish to Bitbucket Plugin is missing a permissions check
GHSA-wpr5-rc2j-99p2 CVE-2025-64150 MODERATE about 1 month ago
Jenkins Publish to Bitbucket Plugin 0.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Re...
maven
No PRs yet
Jenkins Nexus Task Runner Plugin is missing a permission check
GHSA-h83r-7f9f-mqjj CVE-2025-64142 MODERATE about 1 month ago
Jenkins Nexus Task Runner Plugin 0.9.2 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Rea...
maven
No PRs yet
Jenkins Nexus Task Runner Plugin vulnerable to cross-site request forgery
GHSA-x2pv-fph3-phfx CVE-2025-64141 MODERATE about 1 month ago
Jenkins Nexus Task Runner Plugin 0.9.2 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Rea...
maven
No PRs yet
Jenkins Themis Plugin is missing a permission check
GHSA-jwm4-955w-4hj3 CVE-2025-64137 MODERATE about 1 month ago
Jenkins Themis Plugin 1.4.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permissio...
maven
No PRs yet
Jenkins JDepend Plugin vulnerable to XML external entity attacks
GHSA-jfg6-4gx3-3v7w CVE-2025-64134 HIGH about 1 month ago
Jenkins JDepend Plugin 1.3.1 and earlier includes an outdated version of JDepend Maven Plugin that does not configure its XML parser to prevent XML...
maven
No PRs yet
Jenkins SAML Plugin does not implement a replay cache
GHSA-j7r7-7qmf-xq87 CVE-2025-64131 HIGH about 1 month ago
Jenkins SAML Plugin 4.583.vc68232f7018a_ and earlier does not implement a replay cache.
This allows attackers able to obtain information about the...
maven
No PRs yet
Jenkins Azure CLI Plugin does not restrict the commands it executes
GHSA-rh72-238f-g26q CVE-2025-64140 HIGH about 1 month ago
Jenkins Azure CLI Plugin 0.9 and earlier does not restrict which commands it executes on the Jenkins controller.
This allows attackers with Item/C...
maven
No PRs yet
Jenkins OpenShift Pipeline Plugin stores authorization tokens unencrypted in job config.xml files
GHSA-4653-9q2r-684q CVE-2025-64143 MODERATE about 1 month ago
Jenkins OpenShift Pipeline Plugin 1.0.57 and earlier stores authorization tokens unencrypted in job `config.xml` files on the Jenkins controller as...
maven
No PRs yet
Jenkins Themis Plugin vulnerable to cross-site request forgery
GHSA-93mh-mx9w-m69q CVE-2025-64136 MODERATE about 1 month ago
Jenkins Themis Plugin 1.4.1 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overall/Read permissio...
maven
No PRs yet
Jenkins Curseforge Publisher Plugin stores API Keys unencrypted in job config.xml files
GHSA-23vj-j6jc-w892 CVE-2025-64146 MODERATE about 1 month ago
Jenkins Curseforge Publisher Plugin 1.0 and earlier stores API Keys unencrypted in job `config.xml` files on the Jenkins controller as part of its ...
maven
No PRs yet
Jenkins MCP Server Plugin does not perform permission checks in multiple MCP tools
GHSA-mrpq-9jr3-rqq9 CVE-2025-64132 MODERATE about 1 month ago
Jenkins MCP Server Plugin 0.84.v50ca_24ef83f2 and earlier does not perform permission checks in several MCP tools.
This allows to do the following...
maven
No PRs yet
Jenkins ByteGuard Build Actions Plugin does not mask API tokens displayed on the job configuration form
GHSA-vmm2-53rc-43v3 CVE-2025-64145 MODERATE about 1 month ago
Jenkins ByteGuard Build Actions Plugin 1.0 and earlier stores API tokens unencrypted in job `config.xml` files on the Jenkins controller as part of...
maven
No PRs yet
Jenkins Start Windocks Containers Plugin is missing a permission check
GHSA-mj6v-4wr4-gj57 CVE-2025-64139 MODERATE about 1 month ago
Jenkins Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overa...
maven
No PRs yet
Jenkins Start Windocks Containers Plugin vulnerable to cross-site request forgery
GHSA-6mgr-3374-4p3c CVE-2025-64138 MODERATE about 1 month ago
Jenkins Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint.
This allows attackers with Overa...
maven
No PRs yet
Jenkins Extensible Choice Parameter Plugin vulnerable to cross-site request forgery
GHSA-3jw2-5hjg-hc2c CVE-2025-64133 MODERATE about 1 month ago
Jenkins Extensible Choice Parameter Plugin 239.v5f5c278708cf and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-...
maven
No PRs yet
Jenkins ByteGuard Build Actions Plugin stores API tokens unencrypted in job config.xml files
GHSA-2vmr-8c82-x8xq CVE-2025-64144 MODERATE about 1 month ago
Jenkins ByteGuard Build Actions Plugin 1.0 and earlier stores API tokens unencrypted in job `config.xml` files on the Jenkins controller as part of...
maven
No PRs yet
Jenkins Eggplant Runner Plugin protection mechanism disabled
GHSA-w5r3-gr8w-7fj5 CVE-2025-64135 MODERATE about 1 month ago
Jenkins Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier sets the Java system property `jdk.http.auth.tunneling.disabledSchemes` to an e...
maven
No PRs yet
Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax
GHSA-9f58-4465-23c7 CVE-2025-62798 MODERATE about 1 month ago
A Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component.
In affect...
packagist
No PRs yet
NextAuthjs Email misdelivery Vulnerability
GHSA-5jpx-9hw9-2fx4 MODERATE about 1 month ago
### Summary
NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in `nodemail...
npm
No PRs yet
Keras is vulnerable to arbitrary local file loading and Server-Side Request Forgery
GHSA-mq84-hjqx-cwf2 CVE-2025-12058 MODERATE about 1 month ago
The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vulnerable to arbitrary local f...
pypi
No PRs yet
Consul event endpoint is vulnerable to denial of service
GHSA-qh7p-pfq3-677h CVE-2025-11375 MODERATE about 1 month ago
Consul and Consul Enterprise’s (“Consul”) event endpoint is vulnerable to denial of service (DoS) due to lack of maximum value on the Content Lengt...
go
3 Dependabot PRs
Consul key/value endpoint is vulnerable to denial of service
GHSA-7g3r-8c6v-hfmr CVE-2025-11374 MODERATE about 1 month ago
Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header valida...
go
3 Dependabot PRs