Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total Advisories: 24,921
With Dependabot PRs: 1,821
Critical Severity: 3,520
High Severity: 8,659
Python Social Auth - Django has unsafe account association
GHSA-wv4w-6qv2-qqfg CVE-2025-61783 MODERATE about 2 months ago
### Impact
Upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead...
pypi
5 Dependabot PRs, 20% merged
Apache Flink CDC is vulnerable to SQL Injection through maliciously crafted identifiers
GHSA-wqm3-w3p6-xjgm CVE-2025-62228 MODERATE about 2 months ago
Apache Flink CDC versions 3.0.0 to before 3.5.0 are vulnerable to SQL injection via maliciously crafted identifiers, e.g. a crafted database name or c...
maven
No PRs yet
Keycloak Potential Variable Reference in Model Storage Services
GHSA-8hxp-qmph-w5gq CVE-2025-9162 MODERATE about 2 months ago
A flaw was found in org.keycloak/keycloak-model-storage-service. The `KeycloakRealmImport` custom resource substitutes placeholders within imported...
maven
No PRs yet
Opencast's Paella Player 7 is vulnerable to Cross-Site Scripting
GHSA-m2vg-rmq6-p62r CVE-2025-61788 MODERATE about 2 months ago
Prior to Opencast 17.8 and 18.2 the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodi...
maven
No PRs yet
Synapse's invalid device keys degrade federation functionality
GHSA-fh66-fcv5-jjfr CVE-2025-61672 MODERATE about 2 months ago
### Impact
Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allows an attacker registered on the victim homeserv...
pypi
No PRs yet
Liferay Portal Notifications Widget has multiple XSS vulnerabilities through various text fields
GHSA-q8fj-76q7-4p7h CVE-2025-43771 MODERATE about 2 months ago
Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023...
maven
No PRs yet
VaahCMS is vulnerable to XSS through its Avatar Upload endpoint
GHSA-q769-phqg-263r CVE-2025-61183 MODERATE about 2 months ago
Cross-Site Scripting in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via the upload method in the storeAvatar() method of UserBas...
packagist
No PRs yet
Liferay Portal is vulnerable to Stored XSS through Forms text type field
GHSA-378f-8q54-3fqx CVE-2025-43830 MODERATE about 2 months ago
Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 20...
maven
No PRs yet
Liferay Portal Commerce Shop is vulnerable to Stored XSS through SVG file
GHSA-893r-jr58-3hxr CVE-2025-43829 MODERATE about 2 months ago
Stored Cross-Site Scripting (XSS) vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP ...
maven
No PRs yet
Liferay Portal is vulnerable to XSS through its Commerce Product's Name text field
GHSA-fjrp-77f3-43xj CVE-2025-43821 MODERATE about 2 months ago
Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP...
maven
No PRs yet
Liferay Portal has multiple Stored XSS vulnerabilities on its View Order page
GHSA-4mqx-4p8g-995w CVE-2025-43822 MODERATE 2 months ago
Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.15 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4....
maven
No PRs yet
Liferay Portal is vulnerable to XSS through its Commerce Search Result widget
GHSA-xx7h-2wf7-hc7p CVE-2025-43823 MODERATE 2 months ago
Cross-site scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 be...
maven
No PRs yet
vLLM: Resource-Exhaustion (DoS) through Malicious Jinja Template in OpenAI-Compatible Server
GHSA-6fvq-23cw-5628 CVE-2025-61620 MODERATE 2 months ago
### Summary
A resource-exhaustion (denial-of-service) vulnerability exists in multiple endpoints of the OpenAI-Compatible Server due to the abilit...
pypi
No PRs yet
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
GHSA-mm7p-fcc7-pg87 CVE-2025-13033 MODERATE 2 months ago
The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extra...
npm
No PRs yet
python-socketio vulnerable to arbitrary Python code execution (RCE) through malicious pickle deserialization in certain multi-server deployments
GHSA-g8c6-8fjj-2r4m CVE-2025-61765 MODERATE 2 months ago
### Summary
A remote code execution vulnerability in python-socketio versions prior to 5.14.0 allows attackers to execute arbitrary Python code thr...
pypi
No PRs yet
Liferay Profile Widget does not prevent vCard extension spoofing
GHSA-pfxj-gvqg-mj44 CVE-2025-43824 MODERATE 2 months ago
The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3....
maven
No PRs yet
clearml is vulnerable to Path Traversal through its `safe_extract` function
GHSA-579p-qf78-fqm2 CVE-2025-8917 MODERATE 2 months ago
A vulnerability in clearml versions before 2.0.2 allows for path traversal due to improper handling of symbolic and hard links in the `safe_extract...
pypi
No PRs yet
ZenML is vulnerable to Path Traversal through its `PathMaterializer` class
GHSA-q92x-2x5g-h365 CVE-2025-8406 MODERATE 2 months ago
ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_direct...
pypi
No PRs yet
MCPHub has an Improper Authorization vulnerability via its handleSseConnection function
GHSA-v7c4-33vf-cqqq CVE-2025-11287 MODERATE 2 months ago
A vulnerability was identified in samanhappy MCPHub up to 0.9.10. This vulnerability affects the function handleSseConnection of the file src/servi...
npm
No PRs yet
Liferay Portal exposes sensitive user data through its Freemarker template
GHSA-rggc-gf6w-9q73 CVE-2025-43825 MODERATE 2 months ago
A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 thro...
maven
No PRs yet
Flowise Stored XSS vulnerability through logs in chatbot
GHSA-7r4h-vmj9-wg42 CVE-2025-29192 MODERATE 2 months ago
### Description
In the chat log, tags like input and form are allowed. This makes a potential vulnerability where an attacker could inject maliciou...
npm
No PRs yet
Flowise vulnerable to XSS
GHSA-4fr9-3x69-36wv MODERATE 2 months ago
### Summary
An XSS (cross-site scripting) vulnerability is caused by insufficient filtering of input by web applications. Attackers can leverage this...
npm
No PRs yet
NiceGUI has a Reflected XSS
GHSA-8c95-hpq2-w46f CVE-2025-53354 MODERATE 2 months ago
### Summary
A Cross-Site Scripting (XSS) risk exists in NiceGUI when developers render unescaped user input into the DOM using `ui.html()`. Before...
pypi
No PRs yet
Canonical LXD Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server
GHSA-7232-97c6-j525 CVE-2025-54288 MODERATE 2 months ago
### Impact
In LXD's devLXD server, the source container identification process uses process cmdline (command line) information, allowing attackers ...
go
No PRs yet
Canonical LXD Project Existence Determination Through Error Handling in Image Export Function
GHSA-p3x5-mvmp-5f35 CVE-2025-54290 MODERATE 2 months ago
### Impact
In LXD's images export API (`/1.0/images/{fingerprint}/export`), implementation differences in error handling allow determining project ...
go
No PRs yet
Canonical LXD Project Existence Determination Through Error Handling in Image Get Function
GHSA-xch9-h8qw-85c7 CVE-2025-54291 MODERATE 2 months ago
### Impact
The LXD /1.0/images endpoint is implemented as an AllowUntrusted API that requires no authentication, making it accessible to users with...
go
No PRs yet
marimo vulnerable to proxy abuse of /mpl/{port}/
GHSA-xjv7-6w92-42r7 MODERATE 2 months ago
### Summary
The `/mpl/<port>/<route>` endpoint, which is accessible without authentication on default Marimo installations, allows for external att...
pypi
No PRs yet
SPDK is vulnerable to buffer overflow in the NVMe-oF target component
GHSA-5m5w-w2h2-fqgq CVE-2025-57275 MODERATE 2 months ago
Storage Performance Development Kit (SPDK) 25.05 is vulnerable to a buffer overflow in the NVMe-oF target component (lib/nvmf).
pypi
No PRs yet
QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing
GHSA-25qh-j22f-pwp8 CVE-2025-11226 MODERATE 2 months ago
QOS.CH logback-core versions up to 1.5.18 contain an ACE vulnerability in conditional configuration file processing in Java applications. This vuln...
maven
42 Dependabot PRs, 4% merged
Liferay Portal Vulnerable to XSS in Web Content translation
GHSA-qh92-cr5f-3595 CVE-2025-43826 MODERATE 2 months ago
Stored cross-site scripting (XSS) vulnerabilities in Web Content translation in Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versi...
maven
No PRs yet
Liferay Portal Vulnerable to IDOR via audit events
GHSA-pw86-qvx9-34r7 CVE-2025-43827 MODERATE 2 months ago
Insecure Direct Object Reference (IDOR) vulnerability with audit events in Liferay Portal 7.4.0 through 7.4.3.117, and older unsupported versions, ...
maven
No PRs yet
validator.js has a URL validation bypass vulnerability in its isURL function
GHSA-9965-vmph-33xx CVE-2025-56200 MODERATE 2 months ago
A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses '://' as a delimiter to parse pro...
npm
969 Dependabot PRs
Joomla! CMS vulnerable to XSS via the input filter
GHSA-fm22-g2q9-j3pw CVE-2025-54476 MODERATE 2 months ago
Improper handling of input could lead to a cross-site scripting (XSS) vector in the checkAttribute method of the input filter framework class.
packagist
No PRs yet
FormCMS has an improper access control vulnerability in the /api/schemas/history/[schemaId] endpoint
GHSA-6cwx-42hw-w69c CVE-2025-55797 MODERATE 2 months ago
An improper access control vulnerability in FormCms v0.5.4 in the /api/schemas/history/[schemaId] endpoint allows unauthenticated attackers to acce...
nuget
No PRs yet
Repository Credentials Race Condition Crashes Argo CD Server
GHSA-g88p-r42r-ppp9 CVE-2025-55191 MODERATE 2 months ago
### Summary
A race condition in the repository credentials handler can cause the Argo CD server to panic and crash when concurrent operations are ...
go
No PRs yet
Liferay Portal vulnerable to cross-site scripting in the related asset selector
GHSA-2856-xf2f-6vrf CVE-2025-43811 MODERATE 2 months ago
Multiple stored cross-site scripting (XSS) vulnerabilities in the related asset selector in Liferay Portal 7.4.3.50 through 7.4.3.111, and Liferay DX...
maven
No PRs yet
Liferay Portal vulnerable to reflected cross-site scripting on the page configuration page
GHSA-wmjx-xv9v-r89q CVE-2025-43815 MODERATE 2 months ago
Reflected cross-site scripting (XSS) vulnerability on the page configuration page in Liferay Portal 7.4.3.102 through 7.4.3.110, and Liferay DXP 20...
maven
No PRs yet
Liferay Portal vulnerable to path traversal and denial-of-service in the ComboServlet
GHSA-2hm7-r8f3-423h CVE-2025-43813 MODERATE 2 months ago
Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal 7.4.0 through 7.4.3.107, and older unsupported ve...
maven
No PRs yet
Liferay Portal vulnerable to cross-site scripting in the Calendar widget
GHSA-pf86-4w35-cj89 CVE-2025-43820 MODERATE 2 months ago
Multiple cross-site scripting (XSS) vulnerabilities in the Calendar widget when inviting users to an event in Liferay Portal 7.4.3.35 through 7.4.3....
maven
No PRs yet
Liferay Portal vulnerable to reflected cross-site scripting via the `redirect` parameter
GHSA-m4hg-46pw-6mmv CVE-2025-43817 MODERATE 2 months ago
Multiple reflected cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.74 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023....
maven
No PRs yet
Liferay Portal vulnerable to cross-site scripting in the Calendar widget
GHSA-gj92-p9mh-83j8 CVE-2025-43818 MODERATE 2 months ago
Cross-site scripting (XSS) vulnerability in the Calendar widget in Liferay Portal 7.4.3.35 through 7.4.3.110, and Liferay DXP 2023.Q4.0 through 202...
maven
No PRs yet
Liferay Portal vulnerable to cross-site scripting in the web content template
GHSA-jv8x-mm3v-75r7 CVE-2025-43812 MODERATE 2 months ago
Cross-site scripting (XSS) vulnerability in web content template in Liferay Portal 7.4.3.4 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 202...
maven
No PRs yet
Coder AgentAPI exposed user chat history via a DNS rebinding attack
GHSA-w64r-2g3w-w8w4 CVE-2025-59956 MODERATE 2 months ago
### Summary
AgentAPI prior to version [0.4.0](https://github.com/coder/agentapi/releases/tag/v0.4.0) was susceptible to a client-side DNS rebinding...
go
No PRs yet
go-f3 Vulnerable to Cached Justification Verification Bypass
GHSA-7pq9-rf9p-wcrf CVE-2025-59941 MODERATE 2 months ago
### Description
A vulnerability exists in go-f3's justification verification caching mechanism where verification results are cached without proper...
go
No PRs yet
mkdocs-include-markdown-plugin susceptible to unvalidated input colliding with substitution placeholders
GHSA-v39m-5m9j-m9w9 CVE-2025-59940 MODERATE 2 months ago
### Impact
CWE-20: Improper Input Validation
Low impact
### Patches
Patched in v7.1.8 (commit https://github.com/mondeja/mkdocs-include-markdown-p...
pypi
No PRs yet
github.com/nyaruka/phonenumbers Vulnerable to Improper Validation of Syntactic Correctness of Input
GHSA-fmjh-f678-cv3x CVE-2025-10954 MODERATE 2 months ago
Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the...
go
No PRs yet
algoliasearch-helper is vulnerable to Prototype Pollution in _merge()
GHSA-529q-4j3p-7c5r CVE-2025-3193 MODERATE 2 months ago
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in mer...
npm
No PRs yet
PiranhaCMS stored XSS
GHSA-456v-f425-8mcv CVE-2025-57692 MODERATE 2 months ago
PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitr...
nuget
No PRs yet
OpenMLS improper persistence of the secret tree during message processing
GHSA-qr9h-x63w-vqfm MODERATE 2 months ago
### Summary
A bug in the OpenMLS library prevented private key material from being updated in storage during message processing. The key material ...
cargo
No PRs yet
express-xss-sanitizer has an unbounded recursion depth
GHSA-hvq2-wf92-j4f3 CVE-2025-59364 MODERATE 2 months ago
# Security Advisory: express-xss-sanitizer
## Overview
A vulnerability was discovered in express-xss-sanitizer that allowed unbounded recursion de...
npm
No PRs yet