Security Advisories
Browse security advisories and track which Dependabot PRs address them.
24,785 Total Advisories
1,793 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity
Ray is vulnerable to Critical RCE via Safari & Firefox Browsers through DNS Rebinding Attack
GHSA-q279-jhrf-cc6v CVE-2025-62593 CRITICAL 5 days ago
# Summary
Developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. ...
pypi
No PRs yet
Apache Druid’s Kerberos authenticator uses a weak fallback secret
GHSA-w88f-4875-99c8 CVE-2025-59390 CRITICAL 5 days ago
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration ...
maven
No PRs yet
libnftnl has Heap-based Buffer Overflow in nftnl::Batch::with_page_size (nftnl-rs)
GHSA-2fjw-whxm-9v4q CRITICAL 6 days ago
A heap-buffer-overflow vulnerability exists in the Rust wrapper for libnftnl, triggered via the nftnl::Batch::with_page_size constructor. When a sm...
cargo
No PRs yet
cggmp21 has a missing check in the ZK proof used in CGGMP21
GHSA-m95p-425x-x889 CVE-2025-66016 CRITICAL 6 days ago
### Impact
cggmp21 concerns a missing check in the ZK proof that enables an attack in which a single malicious signer can reconstruct full private...
cargo
No PRs yet
LF Edge eKuiper is vulnerable to Arbitrary File Read/Write via unsanitized names and zip extraction
GHSA-rj4j-2jph-gg43 CRITICAL 7 days ago
### Summary
Multiple path traversal and unsafe path handling vulnerabilities were discovered in eKuiper prior to the fixes implemented in PR [lf-ed...
go
No PRs yet
Grafana Incorrect Privilege Assignment vulnerability
GHSA-w62r-7c53-fmc5 CVE-2025-41115 CRITICAL 10 days ago
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by...
go
1 Dependabot PR
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
GHSA-547r-qmjm-8hvw CVE-2025-65108 CRITICAL 11 days ago
### Summary
A Markdown front-matter block that contains a JavaScript delimiter causes the JS engine in the gray-matter library to execute arbitrary code ...
npm
No PRs yet
@hpke/core reuses AEAD nonces
GHSA-73g8-5h73-26h4 CVE-2025-64767 CRITICAL 11 days ago
### Summary
The public SenderContext Seal() API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal() calls....
npm
3 Dependabot PRs
Apache Causeway vulnerable to deserialization in Java
GHSA-wq4c-57mh-5f7g CVE-2025-64408 CRITICAL 12 days ago
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These v...
maven
No PRs yet
Modular Max Serve has Unsafe Deserialization vulnerability
GHSA-7xcv-9j6c-2fmc CVE-2025-60455 CRITICAL 13 days ago
Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used ...
pypi
No PRs yet
Eclipse Jersey has a Race Condition
GHSA-7p63-w6x9-6gr7 CVE-2025-12383 CRITICAL 13 days ago
In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, ...
maven
No PRs yet
joserfc has Possible Uncontrolled Resource Consumption Vulnerability Triggered by Logging Arbitrarily Large JWT Token Payloads
GHSA-frfh-8v73-gjg4 CVE-2025-65015 CRITICAL 13 days ago
### Summary
The `ExceededSizeError` exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbi...
pypi
No PRs yet
AstrBot is vulnerable to RCE with hard-coded JWT signing keys
GHSA-4m32-cjv7-f425 CVE-2025-55449 CRITICAL 17 days ago
### Summary
AstrBot uses a hard-coded JWT signing key, allowing attackers to execute arbitrary commands by installing a malicious plugin.
### Deta...
pypi
No PRs yet
File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency
GHSA-6jqf-mv7m-3q7p CRITICAL 18 days ago
The standard library `net/http` package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-siz...
go
No PRs yet
Milvus Proxy has a Critical Authentication Bypass Vulnerability
GHSA-mhjq-8c7m-3f7p CVE-2025-64513 CRITICAL 18 days ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
An unauthenticated attacker can exploit this vulnerability to bypass all authentica...
go
No PRs yet
pgAdmin4 vulnerable to Remote Code Execution (RCE) when running in server mode
GHSA-w2p4-p4rh-qcm3 CVE-2025-12762 CRITICAL 18 days ago
pgAdmin versions up to 9.9 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing resto...
pypi
No PRs yet
Soft Serve is vulnerable to SSRF through its Webhooks
GHSA-vwq2-jx9q-9h9f CVE-2025-64522 CRITICAL 21 days ago
SUMMARY
We have identified and verified an SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create w...
go
No PRs yet
Django vulnerable to SQL injection via _connector keyword argument in QuerySet and Q objects.
GHSA-frmv-pr5f-9mcr CVE-2025-64459 CRITICAL 26 days ago
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8.
The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `...
pypi
104 Dependabot PRs
@react-native-community/cli has arbitrary OS command injection
GHSA-399j-vxmf-hjvr CVE-2025-11953 CRITICAL 28 days ago
The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that...
npm
No PRs yet
DNN Insufficient Access Control - Image Upload allows for Site Content Overwrite
GHSA-3m8r-w7xg-jqvw CVE-2025-64095 CRITICAL about 1 month ago
### Summary
The default HTML editor provider allows unauthenticated file uploads and images can overwrite existing files.
### Description
An unaut...
nuget
No PRs yet
Karmada Dashboard API Unauthorized Access Vulnerability
GHSA-5qjg-9mjh-4r92 CVE-2025-62714 CRITICAL about 1 month ago
### Impact
This is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints (e.g., /api/v1/secret, /api/v1/se...
go
No PRs yet
NeuVector Enforcer is vulnerable to Command Injection and Buffer overflow
GHSA-c8g6-qrwh-m3vp CVE-2025-54469 CRITICAL about 1 month ago
### Impact
A vulnerability was identified in NeuVector, where the enforcer used environment variables `CLUSTER_RPC_PORT` and `CLUSTER_LAN_PORT` to ...
go
No PRs yet
Cosmos EVM Vulnerability
GHSA-8pfh-j44r-f654 CRITICAL about 1 month ago
## Patches
Patched in versions `v0.3.1`, `v0.4.2`, and in the `v0.5.0` release. More information will be disclosed at a later point to ensure chain...
go
No PRs yet
NetBird VPN does not remove the default password of an admin account
GHSA-g3j4-58mp-3x25 CVE-2025-10678 CRITICAL about 1 month ago
NetBird VPN, when installed using the vendor's provided script, failed to remove or change the default password of an admin account created by ZITADEL.
This ...
go
No PRs yet
MCMS vulnerable to SQL injection via the content_title parameter
GHSA-54wc-49qj-5ghj CVE-2025-56316 CRITICAL about 1 month ago
A SQL injection vulnerability in the content_title parameter of the /cms/content/list endpoint in MCMS 5.5.0 through 6.0.1 allows remote attackers ...
maven
No PRs yet
Keras framework vulnerable to deserialization of untrusted data
GHSA-cvhh-q5g5-qprp CVE-2025-49655 CRITICAL about 1 month ago
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a m...
pypi
No PRs yet
pyquokka is Vulnerable to Remote Code Execution by Pickle Deserialization via FlightServer
GHSA-f74j-gffq-vm9p CVE-2025-62515 CRITICAL about 1 month ago
### Description
In the FlightServer class of the pyquokka framework, the do_action() method directly uses pickle.loads() to deserialize action bod...
pypi
No PRs yet
bagisto has CSV Formula Injection in Create New Product
GHSA-jqrp-58fv-w8cq CVE-2025-62417 CRITICAL about 2 months ago
### Summary
When product data that begins with a spreadsheet formula character (for example =, +, -, or @) is accepted and later exported or saved ...
packagist
No PRs yet
PrestaShop Checkout allows customer account takeover via email
GHSA-54hq-mf6h-48xh CVE-2025-61922 CRITICAL about 2 months ago
# Impact
Missing validation on Express Checkout feature allows silent log-in
## Affected versions
The issue was introduced in PrestaShop Checkout...
packagist
No PRs yet
Apache ActiveMQ NMS AMQP Client has a Deserialization of Untrusted Data vulnerability
GHSA-4mjw-xr5x-prpc CVE-2025-54539 CRITICAL about 2 months ago
A Deserialization of Untrusted Data vulnerability exists in the Apache ActiveMQ NMS AMQP Client.
This issue affects all versions of Apache ActiveM...
nuget
No PRs yet
happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
GHSA-qpm2-6cq5-7pq5 CVE-2025-62410 CRITICAL about 2 months ago
### Summary
The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice,...
npm
No PRs yet
Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability
GHSA-5rrx-jjjq-q2r5 CVE-2025-55315 CRITICAL about 2 months ago
# Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability
## Executive summary
Mic...
nuget
5 Dependabot PRs
Happy DOM: VM Context Escape can lead to Remote Code Execution
GHSA-37j7-fg3j-429f CVE-2025-61927 CRITICAL about 2 months ago
# Escape of VM Context gives access to process level functionality
## Summary
Happy DOM v19 and lower contains a security vulnerability that puts ...
npm
224 Dependabot PRs, 12% merged
BBOT's insufficient sanitization issues in gitdumper.py can lead to RCE
GHSA-h6m2-r6h9-4c44 CVE-2025-10283 CRITICAL about 2 months ago
### Summary
bbot's `gitdumper.py` insufficiently sanitises a `.git/config` file, leading to Remote Code Execution (RCE).
bbot's `gitdumper.py` ca...
pypi
No PRs yet
BBOT's various issues in unarchive.py can cause arbitrary file write and RCE
GHSA-fhw8-8v9p-7jp7 CVE-2025-10284 CRITICAL about 2 months ago
### Summary
Various issues in bbot's `unarchive.py` allow a malicious site to cause bbot to write arbitrary files to arbitrary locations. This can...
pypi
No PRs yet
Better Auth: Unauthenticated API key creation through api-key plugin
GHSA-99h5-pjcv-gr6v CVE-2025-61928 CRITICAL about 2 months ago
### Summary
Unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api...
npm
No PRs yet
Flowise is vulnerable to arbitrary file write through its WriteFileTool
GHSA-jv9m-vf54-chjj CVE-2025-61913 CRITICAL about 2 months ago
### Summary
The WriteFileTool in Flowise does not restrict the file path for reading, allowing authenticated attackers to exploit this vulnerabili...
npm
No PRs yet
scio is vulnerable to Remote Command Execution through PyTorch
GHSA-m9mp-6x32-5rhg CRITICAL about 2 months ago
### Impact
PyTorch reported a [**critical** vulnerability](https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6) when using `...
pypi
No PRs yet
Melis Platform CMS SQL Injection
GHSA-mrmx-jfw8-qhgv CVE-2025-10351 CRITICAL about 2 months ago
SQL injection vulnerability based on the melis-cms module of the Melis platform from Melis Technology. This vulnerability allows an attacker to ret...
packagist
No PRs yet
Melis Platform CMS Unauthenticated File Upload Leading to RCE
GHSA-chw4-gjvw-3gxc CVE-2025-10353 CRITICAL about 2 months ago
File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows...
packagist
No PRs yet
Melis Platform CMS Unauthenticated Admin Account Creation
GHSA-p3vc-g9f9-mgw4 CVE-2025-10352 CRITICAL about 2 months ago
Vulnerability in the melis-core module of Melis Technology's Melis Platform, which, if exploited, allows an unauthenticated attacker to create an a...
packagist
No PRs yet
Akka.Remote TLS did not properly implement certificate-based authentication
GHSA-jhpv-4q4f-43g5 CVE-2025-61778 CRITICAL about 2 months ago
### Impact
This is a critical network security vulnerability for Akka.Remote **users who have SSL / TLS enabled** on their Akka.Remote connections...
nuget
No PRs yet
SillyTavern Web Interface Vulnerable to DNS Rebinding
GHSA-7cxj-w27x-x78q CVE-2025-59159 CRITICAL about 2 months ago
### Summary
The web UI for SillyTavern is susceptible to DNS rebinding, allowing attackers to perform actions like install malicious extensions, re...
npm
No PRs yet
XWiki Platform is vulnerable to HQL injection via wiki and space search REST API
GHSA-gprp-h92g-gc2h CVE-2025-52472 CRITICAL about 2 months ago
### Impact
The REST search URL is vulnerable to HQL injection via the `orderField` parameter. The specified value is added twice in the query, tho...
maven
No PRs yet
XWiki OIDC Authenticator: Users with "view" access can create tokens for any users they can view
GHSA-f2hf-pfrj-vrm7 CVE-2025-49594 CRITICAL about 2 months ago
### Impact
Anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authent...
maven
No PRs yet
Flowise vulnerable to RCE via Dynamic function constructor injection
GHSA-hmgh-466j-fx4c CVE-2025-55346 CRITICAL about 2 months ago
### Summary
User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing a malicious actor to run JS code in...
npm
No PRs yet
Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
GHSA-964p-j4gg-mhwc CVE-2025-50538 CRITICAL about 2 months ago
### Summary
A stored Cross-Site Scripting (XSS) vulnerability in FlowiseAI allows a user to inject arbitrary JavaScript code via message input. Whe...
npm
No PRs yet
risc0 vulnerable to arbitrary code execution in guest via memory safety failure in `sys_read`
GHSA-jqq4-c7wq-36h7 CVE-2025-61588 CRITICAL 2 months ago
# Arbitrary code execution in guest via memory safety failure in `sys_read`
In affected versions of `risc0-zkvm-platform`, when the zkVM guest cal...
cargo
No PRs yet
Apache Pyfory python is vulnerable to deserialization of untrusted data
GHSA-538v-3wq9-4h3r CVE-2025-61622 CRITICAL 2 months ago
Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allo...
pypi
No PRs yet
check-branches is vulnerable to command Injection
GHSA-9c4g-fp4r-prrv CVE-2025-11148 CRITICAL 2 months ago
All versions of the package check-branches are vulnerable to Command Injection.
check-branches is a command-line tool that is interacted with loca...
npm
No PRs yet