An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,921 Total Advisories

1,820 With Dependabot PRs

3,520 Critical Severity

8,659 High Severity

Dragonfly's manager makes requests to external endpoints with disabled TLS authentication
GHSA-98x5-jw98-6c97 CVE-2025-59347 MODERATE 3 months ago
### Impact The Manager disables TLS certificate verification in two HTTP clients (figures 3.1 and 3.2). The clients are not configurable, so users...
go
No PRs yet
esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header
GHSA-g2h5-cvvr-7gmw CVE-2025-59342 MODERATE 3 months ago
## Summary A path-traversal flaw in the handling of the `X-Zone-Id` HTTP header allows an attacker to cause the application to write files outside...
go
No PRs yet
Jenkins has a missing permission check, allowing users to obtain agent names
GHSA-67v4-38h7-9jjp CVE-2025-59474 MODERATE 3 months ago
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users...
maven
No PRs yet
Jenkins has a log message injection vulnerability
GHSA-qrh5-jg98-cr48 CVE-2025-59476 MODERATE 3 months ago
In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output (including `jenkins.log` and...
maven
No PRs yet
Jenkins is missing a permission check in the authenticated users' profile menu
GHSA-223m-4rfp-646h CVE-2025-59475 MODERATE 3 months ago
Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu. This allow...
maven
No PRs yet
Liferay search widget vulnerable to Cross-site Scripting
GHSA-ccrc-5vp5-vp5j CVE-2025-43804 MODERATE 3 months ago
There is a Cross-site scripting (XSS) vulnerability in Liferay Portal's Search widget. Versions 7.4.3.93 through 7.4.3.111, and Liferay DXP 2023.Q...
maven
No PRs yet
Kubernetes C# client accepts certificates from any CA without properly verifying the trust chain
GHSA-w7r3-mgwf-4mqq CVE-2025-9708 MODERATE 3 months ago
A vulnerability exists in the Kubernetes C# client where the certificate validation logic accepts properly constructed certificates from any Certif...
nuget
No PRs yet
Liferay Portal allows remote attackers to view display page templates via crafted URLs
GHSA-5pp7-m8x8-rc82 CVE-2025-43805 MODERATE 3 months ago
Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update...
maven
No PRs yet
Timing Attack Vulnerability in SCRAM Authentication
GHSA-3wfh-36rx-9537 CVE-2025-59432 MODERATE 3 months ago
### Impact A timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because `Arrays.equals` was used to compare sec...
maven
2 Dependabot PRs
matrix-js-sdk has insufficient validation when considering a room to be upgraded by another
GHSA-mp7c-m3rh-r56v CVE-2025-59160 MODERATE 3 months ago
### Impact matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in `MatrixClient::getJoinedRooms`, allowing a remote a...
npm
No PRs yet
Liferay Portal has unchecked input for loop condition vulnerability in XML-RPC
GHSA-95h4-8mqc-4mpf CVE-2025-43801 MODERATE 3 months ago
Unchecked input for loop condition vulnerability in XML-RPC in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay ...
maven
No PRs yet
Openfire has potential identity spoofing issue via unsafe CN parsing
GHSA-w252-645g-87mp CVE-2025-59154 MODERATE 3 months ago
## Summary Identity spoofing in X.509 client certificate authentication in Openfire allows internal attackers to impersonate other users via craft...
maven
No PRs yet
Liferay Stored Cross-site Scripting vulnerability
GHSA-vg6h-g5mr-9hgv CVE-2025-43802 MODERATE 3 months ago
Stored cross-site scripting (XSS) vulnerability in a custom object’s /o/c/<object-name> API endpoint in Liferay Portal 7.4.3.51 through 7.4.3.109, ...
maven
No PRs yet
Liferay has Insecure Default Initialization of Resource issue
GHSA-25m3-w28p-v3v3 CVE-2025-43797 MODERATE 3 months ago
In Liferay Portal 7.1.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update ...
maven
No PRs yet
Liferay Portal Uses Default Password
GHSA-43xf-59vr-g4f2 CVE-2025-43799 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through upda...
maven
No PRs yet
Liferay Portal Cross-site Scripting (XSS) vulnerability
GHSA-jfv5-r382-xvwh CVE-2025-43800 MODERATE 3 months ago
Cross-site scripting (XSS) vulnerability in Objects in Liferay Portal 7.4.3.20 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023...
maven
No PRs yet
HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability
GHSA-g5cg-6c7v-mmpw CVE-2025-59155 MODERATE 3 months ago
### Impact A Server-Side Request Forgery (SSRF) vulnerability that affects all users running the HackMD MCP server in HTTP mode. Attackers could e...
npm
No PRs yet
Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark
GHSA-f7qg-xj45-w956 CVE-2025-9862 MODERATE 3 months ago
### Impact A vulnerability in Ghost's oEmbed mechanism allows staff users to exfiltrate data from internal systems via SSRF. ### Vulnerable versi...
npm
No PRs yet
Liferay Portal has Improper Validation of Specified Quantity in Input
GHSA-xvgg-9h29-4g34 CVE-2025-43793 MODERATE 3 months ago
Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through upda...
maven
No PRs yet
Open Web Analytics Server is vulnerable to SQL Injection
GHSA-6w8r-xgqq-qg6g CVE-2025-59397 MODERATE 3 months ago
Open Web Analytics (OWA) before 1.8.1 allows SQL injection.
packagist
No PRs yet
Liferay Portal vulnerable to Cross-site Scripting
GHSA-5c6v-fqcw-w6q5 CVE-2025-43791 MODERATE 3 months ago
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3...
maven
No PRs yet
Apache Fory Deserialization of Untrusted Data vulnerability
GHSA-5hmf-8wx5-4qq3 CVE-2025-59328 MODERATE 3 months ago
A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of un...
maven
No PRs yet
Stored XSS in n8n LangChain Chat Trigger Node via initialMessages Parameter
GHSA-mvh4-2cm2-6hpg CVE-2025-58177 MODERATE 3 months ago
### Impact A stored Cross-Site Scripting (XSS) vulnerability was identified in the `@n8n/n8n-nodes-langchain.chatTrigger` node in n8n. If an author...
npm
No PRs yet
Temporal OSS Server Vulnerable to Allocation of Resources Without Limits or Throttling
GHSA-p768-c3pr-6459 CVE-2025-8396 MODERATE 3 months ago
Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to exce...
go
No PRs yet
mcp-kubernetes-server has a Command Injection vulnerability
GHSA-hjm5-xgj8-vwj6 CVE-2025-59376 MODERATE 3 months ago
`mcp-kubernetes-server` does not correctly enforce the `--disable-write` / `--disable-delete` protections when commands are chained. The server onl...
pypi
No PRs yet
serde_yml crate is unsound and unmaintained
GHSA-hhw4-xg65-fp2x MODERATE 3 months ago
Using `serde_yml::ser::Serializer.emitter` can cause a segmentation fault, which is unsound. The GitHub project for `serde_yml` was archived after...
cargo
No PRs yet
MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency
GHSA-qj3p-xc97-xw74 MODERATE 3 months ago
### Who is affected? This advisory only applies to developers who use MetaMask SDK in the browser and who, on Sept 8th 2025 between 13:00–15:30 UTC...
npm
1 Dependabot PR
Liferay Portal has stored cross-site scripting (XSS) vulnerability
GHSA-r45v-2289-jgr4 CVE-2025-43794 MODERATE 3 months ago
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4....
maven
No PRs yet
Mattermost makes Use of Weak Hash
GHSA-9p92-x77w-9fw2 CVE-2025-9078 MODERATE 3 months ago
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache key...
go
No PRs yet
Mattermost Missing Authorization vulnerability
GHSA-3vcm-c42p-3hhf CVE-2025-9076 MODERATE 3 months ago
Mattermost versions 10.10.x <= 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious...
go
No PRs yet
Hugging Face Transformers library has Regular Expression Denial of Service
GHSA-rcv9-qm8p-9p6j CVE-2025-6051 MODERATE 3 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the `norm...
pypi
No PRs yet
Liferay Portal's System, Instance and Site Settings are vulnerable to Open Redirect
GHSA-m55r-9fx8-725j CVE-2025-43795 MODERATE 3 months ago
Open redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA ...
maven
No PRs yet
Hono has Body Limit Middleware Bypass
GHSA-92vj-g62v-jqhh CVE-2025-59139 MODERATE 3 months ago
### Summary A flaw in the `bodyLimit` middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were pr...
npm
2 Dependabot PRs
httpsig-rs: HMAC verification is vulnerable to timing attack
GHSA-q7pg-9pr4-mrp2 CVE-2025-59058 MODERATE 3 months ago
### Summary HMAC signature comparison is not timing-safe and is vulnerable to timing attacks. ### Details `SharedKey::sign()` returns a `Vec<u8>` ...
cargo
No PRs yet
Liferay Portal's selection modal is vulnerable to XSS
GHSA-g8fh-pfw3-8rmr CVE-2025-43787 MODERATE 3 months ago
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12...
maven
No PRs yet
Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer
GHSA-59p9-h35m-wg4g CVE-2025-6638 MODERATE 3 months ago
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the Ma...
pypi
No PRs yet
Liferay Portal's Organization Selector exposes organization data to remote authenticated users
GHSA-v53g-736w-mgw4 CVE-2025-43788 MODERATE 3 months ago
The organization selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update ...
maven
No PRs yet
SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions
GHSA-7vm2-j586-vcvc CVE-2025-11060 MODERATE 3 months ago
`LIVE SELECT` statements are used to capture changes to data within a table in real time. Documents included in `WHERE` conditions and `DELETE` not...
cargo
No PRs yet
Subrion CMS: Authenticated administrators are able to gain escalated access through Run SQL Query tool
GHSA-h8wv-vv58-468h CVE-2025-56556 MODERATE 3 months ago
An issue was discovered in Subrion CMS 4.2.1, allowing authenticated administrators or moderators with access to the built-in Run SQL Query feature ...
packagist
No PRs yet
Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name
GHSA-wr8m-5h2p-4432 CVE-2025-43782 MODERATE 3 months ago
Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024....
maven
No PRs yet
Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods
GHSA-765j-9r45-w2q2 CVE-2025-58065 MODERATE 3 months ago
### Impact When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remain...
pypi
No PRs yet
jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin
GHSA-33vc-wfww-vjfv CVE-2025-9910 MODERATE 3 months ago
### Vulnerability in jsondiffpatch Versions of `jsondiffpatch` prior to `0.7.2` are vulnerable to Cross-site Scripting (XSS) in the `HtmlFormatter...
npm
No PRs yet
Liferay Portal's Incorrect Authorization vulnerability can lead to guest users obtaining sensitive data
GHSA-fvp7-jj9m-3qpf CVE-2025-43784 MODERATE 3 months ago
Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 20...
maven
No PRs yet
Liferay Portal is vulnerable to Reflected XSS attack through get_editor path
GHSA-jhgr-j9cj-8j62 CVE-2025-43783 MODERATE 3 months ago
Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024....
maven
No PRs yet
Infrahub: Deleted and expired API tokens can still authenticate
GHSA-v2p7-4pv4-3wwh CVE-2025-59036 MODERATE 3 months ago
### Impact A bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API...
pypi
No PRs yet
Indico vulnerable to Cross-Site Scripting via LaTeX math code
GHSA-7cf7-9wrr-vrf4 CVE-2025-59035 MODERATE 3 months ago
### Impact There is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. ### Patches You...
pypi
No PRs yet
Indico may disclose unauthorized user details access via legacy API
GHSA-4269-mcfh-cp7q CVE-2025-59034 MODERATE 3 months ago
### Impact A legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due t...
pypi
No PRs yet
Liferay Portal and Liferay DXP vulnerable to Stored Cross-site Scripting
GHSA-66x6-8jgv-qpfh CVE-2025-43785 MODERATE 3 months ago
Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1....
maven
No PRs yet
Decap CMS Cross Site Scripting (XSS) vulnerability
GHSA-xp8g-32qh-mv28 CVE-2025-57520 MODERATE 3 months ago
Decap CMS through 3.8.3 is vulnerable to stored Cross-Site Scripting (XSS) in the admin preview pane. User-controlled fields (e.g., title, descript...
npm
No PRs yet
Liferay Portal exposes ERC, which can be exploited in a time response attack
GHSA-9p7x-8c57-4pqv CVE-2025-43786 MODERATE 3 months ago
Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024...
maven
No PRs yet