Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total advisories: 24,785
With Dependabot PRs: 1,792
Critical severity: 3,506
High severity: 8,617
Moodle does not properly enforce MFA
GHSA-25wf-7x6c-wmpf CVE-2025-62398 MODERATE about 1 month ago
A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially ...
packagist
No PRs yet
Moodle sends quiz-related messages to inactive/suspended users
GHSA-8fcv-4qp9-pg32 CVE-2025-62394 MODERATE about 1 month ago
Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-rel...
packagist
No PRs yet
Moodle course access permissions are not properly checked in course_output_fragment_course_overview
GHSA-rjcm-7v2p-9265 CVE-2025-62393 MODERATE about 1 month ago
A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users ...
packagist
No PRs yet
Slack Nebula may accept arbitrary source IP addresses
GHSA-x6fh-7qmf-69xh CVE-2025-62820 MODERATE about 1 month ago
Slack Nebula before 1.9.7 mishandles CIDR in some configurations and thus accepts arbitrary source IP addresses within the Nebula network.
go
No PRs yet
binary_vec_io access memory out-of-bounds in binary_read_to_ref and binary_write_from_ref
GHSA-wwxp-hxh6-8gf8 HIGH about 1 month ago
Safe functions accept a single `&T` or `&mut T` but multiply by `n` to create slices extending beyond allocated memory when `n > 1`.
These functio...
cargo
No PRs yet
Liferay Portal and DXP are Missing Authorization in Collection Provider
GHSA-cqwv-9xh5-25fg CVE-2025-62247 LOW about 1 month ago
Missing Authorization in Collection Provider component in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, ...
maven
No PRs yet
Liferay Portal and Liferay DXP vulnerable to reflected cross-site scripting (XSS)
GHSA-phjr-p9c5-hprx CVE-2025-62248 MODERATE about 1 month ago
A reflected cross-site scripting (XSS) vulnerability, resulting from a regression, has been identified in Liferay Portal 7.4.0 through 7.4.3.132, ...
maven
No PRs yet
OpenBao and Vault Leak []byte Fields in Audit Logs
GHSA-rc54-2g2c-g36g CVE-2025-62705 MODERATE about 1 month ago
### Impact
OpenBao's audit log did not appropriately redact fields when relevant subsystems sent `[]byte` response parameters rather than `string`...
go
No PRs yet
Sakai kernel-impl: predictable PRNG used to generate server-side encryption key in EncryptionUtilityServiceImpl
GHSA-gr7h-xw4f-wh86 CVE-2025-62710 MODERATE about 1 month ago
### Impact
EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java...
maven
No PRs yet
pypdf can exhaust RAM via manipulated LZWDecode streams
GHSA-jfx9-29x2-rv3j CVE-2025-62708 MODERATE about 1 month ago
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of ...
pypi
No PRs yet
pypdf possibly loops infinitely when reading DCT inline images without EOF marker
GHSA-vr63-x8vc-m265 CVE-2025-62707 MODERATE about 1 month ago
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a ...
pypi
2 Dependabot PRs
Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names
GHSA-45p5-v273-3qqr CVE-2025-11966 LOW about 1 month ago
# Description
- In the `StaticHandlerImpl#sendDirectoryListing(...)` method under the `text/html` branch, file and directory names are directly em...
maven
2 Dependabot PRs
Vert.x-Web Access Control Flaw in StaticHandler’s Hidden File Protection for Files Under Hidden Directories
GHSA-h5fg-jpgr-rv9c CVE-2025-11965 MODERATE about 1 month ago
# Description
There is a flaw in the hidden file protection feature of Vert.x Web’s `StaticHandler` when `setIncludeHidden(false)` is configured.
...
maven
2 Dependabot PRs
OpenBao leaks HTTPRawBody in Audit Logs
GHSA-ghfh-fmx4-26h8 CVE-2025-62513 MODERATE about 1 month ago
### Impact
OpenBao's audit log experienced a regression wherein raw HTTP bodies used by few endpoints were not correctly redacted (HMAC'd). This ...
go
No PRs yet
ncurses exposes uninitialized memory in string reading functions
GHSA-x77x-7mmh-cxv3 MODERATE about 1 month ago
Multiple string reading functions expose uninitialized memory by setting length to capacity when no null terminator is found.
This allows reading ...
cargo
No PRs yet
aiomysql allows arbitrary access to client files through vulnerability of a malicious MySQL server
GHSA-r397-ff8c-wv2g CVE-2025-62611 HIGH about 1 month ago
### Summary
The client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the cl...
pypi
2 Dependabot PRs
Admidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality
GHSA-2v5m-cq9w-fc33 CVE-2025-62617 HIGH about 1 month ago
### Summary
An authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticate...
packagist
No PRs yet
Scapy Session Loading Vulnerable to Arbitrary Code Execution via Untrusted Pickle Deserialization
GHSA-cq46-m9x9-j8w2 MODERATE about 1 month ago
### Summary
An unsafe deserialization vulnerability in Scapy <v2.7.0 allows attackers to execute arbitrary code **when a malicious session file is...
pypi
No PRs yet
Borrowck Scarifices exposes uninitialized memory in any_as_u8_slice
GHSA-xcpm-76hf-c9cc LOW about 1 month ago
The safe function `any_as_u8_slice` can create byte slices that reference uninitialized memory when used with types containing padding bytes.
The ...
cargo
No PRs yet
Hugging Face Smolagents XPath injection vulnerability in the search_item_ctrl_f function
GHSA-8mf9-rmgw-33qc CVE-2025-11844 MODERATE about 1 month ago
Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/visio...
pypi
No PRs yet
Hono Improper Authorization vulnerability
GHSA-m732-5p4w-x69g CVE-2025-62610 HIGH about 1 month ago
### Improper Authorization in Hono (JWT Audience Validation)
Hono’s JWT authentication middleware did not validate the `aud` (Audience) claim by d...
npm
No PRs yet
Direct Ring Buffer has uninitialized memory exposure in create_ring_buffer
GHSA-fp5x-7m4q-449f LOW about 1 month ago
The safe function `create_ring_buffer` allocates a buffer using `Vec::with_capacity` followed by `set_len`, creating a `Box<[T]>` containing uninit...
cargo
No PRs yet
orx-pinned-vec has undefined behavior in index_of_ptr with empty slices
GHSA-h5j3-crg5-8jqm LOW about 1 month ago
The safe function `index_of_ptr` causes undefined behavior when called with an empty slice.
The issue occurs in the line `ptr.add(slice.len() - 1)...
cargo
No PRs yet
Nautobot Single Source of Truth (SSoT) has an unauthenticated ServiceNow configuration URL
GHSA-535g-62r7-cx6v CVE-2025-62607 MODERATE about 1 month ago
The servicenow config URL is using a generic django View with no authentication.
URL: `/plugins/ssot/servicenow/config/`
### Impact
_What kind of...
pypi
No PRs yet
Liferay Portal reflected cross-site scripting (XSS) vulnerability in the google_gaget
GHSA-rx48-gqc2-4w47 CVE-2025-62249 MODERATE about 1 month ago
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 20...
maven
No PRs yet
code16 Sharp vulnerable to Cross Site Scripting (XSS)
GHSA-9778-v769-qvjf CVE-2025-61457 MODERATE about 1 month ago
code16 Sharp v9.6.6 is vulnerable to Cross Site Scripting (XSS) in src/Form/Fields/SharpFormUploadField.php.
packagist
No PRs yet
NeuVector is shipping cryptographic material into its binary
GHSA-h773-7gf7-9m2x CVE-2025-54471 MODERATE about 1 month ago
### Impact
NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secr...
go
No PRs yet
NeuVector telemetry sender is vulnerable to MITM and DoS
GHSA-qqj3-g7mx-5p4w CVE-2025-54470 HIGH about 1 month ago
### Impact
This vulnerability affects NeuVector deployments only when the `Report anonymous cluster data option` is enabled. When this option is en...
go
No PRs yet
NeuVector Enforcer is vulnerable to Command Injection and Buffer overflow
GHSA-c8g6-qrwh-m3vp CVE-2025-54469 CRITICAL about 1 month ago
### Impact
A vulnerability was identified in NeuVector, where the enforcer used environment variables `CLUSTER_RPC_PORT` and `CLUSTER_LAN_PORT` to ...
go
No PRs yet
uv has differential in tar extraction with PAX headers
GHSA-w476-p2h3-79g9 LOW about 1 month ago
### Impact
In versions 0.9.4 and earlier of uv, tar archives containing PAX headers with file size overrides were not handled properly. As a resul...
pypi
1 Dependabot PR
Liferay Portal fails to verify that messages from the cluster network are trusted
GHSA-6pgj-w687-9c8c CVE-2025-62250 MODERATE about 1 month ago
Improper Authentication in Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 202...
maven
No PRs yet
ProcessWire CMS vulnerable to resource-exhaustion Denial of Service
GHSA-9p44-q66p-xm6p CVE-2025-60790 MODERATE about 1 month ago
ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limi...
packagist
No PRs yet
Cosmos EVM Vulnerability
GHSA-8pfh-j44r-f654 CRITICAL about 1 month ago
## Patches
Patched in versions `v0.3.1`, `v0.4.2`, and in the `v0.5.0` release. More information will be disclosed at a later point to ensure chain...
go
No PRs yet
Shopware Customer Orders can be canceled, even if refunds are disabled
GHSA-r2vg-hvjm-fg38 MODERATE about 1 month ago
Refunds in general can be enabled through the administration setting `core.cart.enableOrderRefunds` (in the cart panel), which visually shows and hi...
packagist
No PRs yet
Shopware exposes sensitive user information via CSV export mapping
GHSA-27c9-vp3w-6ww8 MODERATE about 1 month ago
### Impact
Malicious actors can exploit this finding to export sensitive customer information from a Shopware application, including password hashe...
packagist
No PRs yet
Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice
GHSA-3cpp-fv95-mpr5 LOW about 1 month ago
### Impact
This vulnerability allows malicious actors to force the application server to send HTTP requests to both external and internal servers. ...
packagist
No PRs yet
Shopware vulnerable to path traversal via Plugin upload
GHSA-6wh5-mw9h-5c3w LOW about 1 month ago
### Impact
Malicious actors can exploit this vulnerability to write files within arbitrary directories on the filesystem of the Shopware web contai...
packagist
No PRs yet
Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually
GHSA-m895-2hj3-8cg9 MODERATE about 1 month ago
In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber a...
packagist
No PRs yet
astral-tokio-tar Vulnerable to PAX Header Desynchronization
GHSA-j5gw-2vrg-8fgx CVE-2025-62518 HIGH about 1 month ago
## Summary
Versions of `astral-tokio-tar` prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional arch...
cargo
7 Dependabot PRs
Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic
GHSA-g8mr-fgfg-5qpc CVE-2025-62595 MODERATE about 1 month ago
### Summary:
A bypass was discovered in the `Koa.js` framework affecting its back redirect functionality. In certain circumstances, an attacker ca...
npm
No PRs yet
Taguette vulnerable to cross-site scripting via tag name, tag description, document name and document description
GHSA-g9qw-g6rv-3889 CVE-2025-62528 MODERATE about 1 month ago
### Impact
An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or desc...
pypi
No PRs yet
Taguette password reset link poisoning
GHSA-7rc8-5c8q-jr6j CVE-2025-62527 HIGH about 1 month ago
### Impact
An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email contai...
pypi
No PRs yet
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read
GHSA-vffh-c9pq-4crh MODERATE about 1 month ago
### Summary
In some Notification types (e.g., Webhook, Telegram), the `send()` function allows user-controlled renderTemplate input. This leads to...
npm
No PRs yet
vite allows server.fs.deny bypass via backslash on Windows
GHSA-93m4-6634-74q7 CVE-2025-62522 MODERATE about 1 month ago
### Summary
Files denied by [`server.fs.deny`](https://vitejs.dev/config/server-options.html#server-fs-deny) were sent if the URL ended with `\` wh...
npm
No PRs yet
NetBird VPN does not remove the default password of an admin account
GHSA-g3j4-58mp-3x25 CVE-2025-10678 CRITICAL about 1 month ago
NetBird VPN, when installed using the vendor's provided script, failed to remove or change the default password of an admin account created by ZITADEL.
This ...
go
No PRs yet
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
GHSA-xvp7-8vm8-xfxx MODERATE about 1 month ago
### Summary
The GoCardless components in Actualbudget are logging responses to STDOUT in a parsed format using `console.log` and `console.debug` ...
npm
No PRs yet
rollbar vulnerable to prototype pollution
GHSA-r8c2-2qwq-94p6 CVE-2025-57325 LOW about 1 month ago
### Impact
Prototype pollution potential with the utility function `rollbar/src/utility`.`set()`. No impact when using the published public interf...
npm
No PRs yet
Citizen vulnerable to stored XSS in sticky header button messages
GHSA-g955-vw6w-v6pp CVE-2025-62508 MODERATE about 1 month ago
### Summary
The JS implementation for copying button labels to the sticky header in the Citizen skin unescapes HTML characters, allowing for stored...
packagist
No PRs yet
Apache Syncope allows malicious administrators to inject Groovy code
GHSA-825g-mm5v-ggq4 CVE-2025-57738 HIGH about 1 month ago
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing custom implementations of a fe...
maven
No PRs yet
TastyIgniter vulnerable to Cross-Site Scripting
GHSA-4vrf-42cm-7xfw CVE-2025-61417 LOW about 1 month ago
Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicio...
packagist
No PRs yet