An open index of dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

24,784 Total Advisories
1,791 With Dependabot PRs
3,506 Critical Severity
8,617 High Severity

Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
GHSA-wmjr-v86c-m9jj LOW 1 day ago
## Summary - Vulnerable component: `multi-session` plugin’s `/sign-out` after-hook (`packages/better-auth/src/plugins/multi-session/index.ts`) - Is...
npm
No PRs yet
Contao is vulnerable to cross-site scripting in templates
GHSA-68q5-78xp-cwwc CVE-2025-65961 LOW 2 days ago
### Impact It is possible to inject code into the template output that will be executed in the browser in the front end and back end. ### Patches...
packagist
No PRs yet
VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM
GHSA-66jq-2c23-2xh5 CVE-2025-65942 LOW 2 days ago
### Impact Affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics request size limits allowing malforme...
go
No PRs yet
OMERO.web uses jquery-form library, which may be vulnerable to XSS attack
GHSA-j4gv-6x9v-v23g LOW 3 days ago
### Impact OMERO.web uses the jquery-form library throughout to handle form submission and response processing. Due to some unpatched potential vul...
pypi
No PRs yet
SpiceDB: LookupResources with Multiple Entrypoints across Different Definitions Can Return Incomplete Results
GHSA-9m7r-g8hg-x3vr CVE-2025-65111 LOW 6 days ago
### Impact If a schema includes the following characteristics: 1. Permission defined in terms of a union (`+`) 1. That union references the same ...
go
No PRs yet
OSV-SCALIBR has NULL Pointer Dereference
GHSA-f786-75f3-74xj CVE-2025-13425 LOW 7 days ago
A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next() to overindex an empty slice when ReadDir returns nil for ...
go
No PRs yet
phppgadmin vulnerable to Cross-site Scripting
GHSA-h369-cpjj-qfff CVE-2025-60796 LOW 8 days ago
phpPgAdmin versions 7.13.0 and earlier contain multiple cross-site scripting (XSS) vulnerabilities across various components. User-supplied inputs ...
packagist
No PRs yet
Resty has a Path Traversal vulnerability
GHSA-cv3m-hxpc-4hvm CVE-2025-13435 LOW 8 days ago
A security vulnerability has been detected in Dreampie Resty versions up to the 1.3.1.SNAPSHOT. This affects the function Request of the file /rest...
maven
No PRs yet
Astro Development Server has Arbitrary Local File Read
GHSA-x3h8-62x9-952g CVE-2025-64757 LOW 8 days ago
### Summary A vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through th...
npm
No PRs yet
Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
GHSA-mhpg-hpj5-73r2 CVE-2025-13083 LOW 9 days ago
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Contr...
packagist
No PRs yet
Drupal core allows Forceful Browsing
GHSA-83v7-c2cf-p9c2 CVE-2025-13080 LOW 9 days ago
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: ...
packagist
No PRs yet
Drupal core allows Content Spoofing
GHSA-h89p-5896-f4q8 CVE-2025-13082 LOW 9 days ago
User Interface (UI) Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupa...
packagist
No PRs yet
Mattermost allows other users to determine when users had read channels via channel member objects
GHSA-9hh7-6558-qfp2 CVE-2025-55074 LOW 9 days ago
Mattermost versions 10.11.x <= 10.11.3, and 10.5.x <= 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to d...
go
No PRs yet
Drupal Simple multi step form allows Cross-Site Scripting
GHSA-gg35-374m-9ph8 CVE-2025-12761 LOW 9 days ago
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Simple multi step form allows Cross-Si...
packagist
No PRs yet
LibreNMS has Weak Password Policy
GHSA-5mrf-j8v6-f45g CVE-2025-65014 LOW 9 days ago
## Summary A **Weak Password Policy** vulnerability was identified in the user management functionality of the _LibreNMS_ application. This vulner...
packagist
No PRs yet
PrivateBin vulnerable to malicious filename use for self-XSS / HTML injection locally for users
GHSA-r9x7-7ggj-fx9f CVE-2025-64711 LOW 13 days ago
## Summary Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a ...
packagist
No PRs yet
Mattermost allows regular users to access archived channel content and files
GHSA-x3hx-ch7p-8xgg CVE-2025-41436 LOW 14 days ago
Mattermost versions < 11.0 fail to properly enforce the "Allow users to view archived channels" setting which allows regular users to access archiv...
go
No PRs yet
SpiceDB WriteRelationships fails silently if payload is too big
GHSA-pm3x-jrhh-qcr7 CVE-2025-64529 LOW 14 days ago
### Impact Users who: 1. Use the exclusion operator somewhere in their authorization schema. 1. Have configured their SpiceDB server such that `--...
go
No PRs yet
Astro development server error page is vulnerable to reflected Cross-site Scripting
GHSA-w2vj-39qv-7vh7 CVE-2025-64745 LOW 14 days ago
## Summary A Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configur...
npm
No PRs yet
Mattermost Incorrect Authorization vulnerability
GHSA-mqcj-8c2g-h97q CVE-2025-11777 LOW 14 days ago
Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, whic...
go
No PRs yet
Wasmtime provides unsound API access to a WebAssembly shared linear memory
GHSA-hc7m-r6v8-hg9q CVE-2025-64345 LOW 15 days ago
### Impact Wasmtime's Rust embedder API contains an unsound interaction where a WebAssembly shared linear memory could be viewed as a type which p...
cargo
2 Dependabot PRs
sudo-rs: Partial password reveal is possible after timeout
GHSA-c978-wq47-pvvw CVE-2025-64170 LOW 15 days ago
### Summary If a user begins entering a password but does not press return for an extended period, a password timeout may occur. When this happens,...
cargo
No PRs yet
changedetection.io: Stored XSS in Watch update via API
GHSA-4c3j-3h7v-22q9 CVE-2025-62780 LOW 15 days ago
### Summary A Stored Cross Site Scripting is present in the changedetection.io Watch update API due to insufficient security checks. ### Details ...
pypi
No PRs yet
EverShop is vulnerable to Unauthorized Order Information Access (IDOR)
GHSA-c73g-mx2w-cc93 CVE-2025-12919 LOW 18 days ago
A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolv...
npm
No PRs yet
Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files
GHSA-rwvc-j5jr-mgvh CVE-2025-48985 LOW 21 days ago
A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass fil...
npm
No PRs yet
OpenTofu affected denials of service in "tofu init" with maliciously-crafted module package responses
GHSA-w2jf-268q-mrvh LOW 22 days ago
### Impact Unauthenticated denial of service. ### Summary When installing module packages from attacker-controlled sources, `tofu init` may use ...
go
No PRs yet
Open redirect endpoint in Datasette
GHSA-w832-gg5g-x44m CVE-2025-64481 LOW 22 days ago
### Impact Deployed instances of Datasette prior to `0.65.2` and `1.0a21` include an open redirect vulnerability. Hits to the path `//example.com...
pypi
No PRs yet
Weblate leaks the IP of project member inviting user to be reviewer in Audit log
GHSA-gr35-vpx2-qxhc CVE-2025-64326 LOW 22 days ago
### Summary Weblate leaks the IP address of the project member inviting the user to the project in the audit log. ### Details The audit log includ...
pypi
No PRs yet
Protobuf Maven Plugin protocDigest is ignored when using protoc from PATH
GHSA-j2pc-v64r-mv4f LOW 24 days ago
### Summary The expected `protocDigest` is ignored when protoc is taken from the `PATH`. ### Details The documentation for the `protocDigest` para...
maven
No PRs yet
Shaman has soundness issues and is unmaintained
GHSA-7vjm-6qgq-3mrq LOW 24 days ago
`shaman::cryptoutil::write_u64v_le` and other functions mentioned above cannot guarantee memory safety of get_unchecked later if both length are zer...
cargo
No PRs yet
Byaidu PDFMathTranslate vulnerable to open redirect
GHSA-pfrv-63w8-q7rq CVE-2025-50736 LOW 29 days ago
An open redirect vulnerability exists in Byaidu PDFMathTranslate v1.9.9 that allows attackers to craft URLs that cause the application to redirect ...
pypi
No PRs yet
Drupal Umami Analytics allows Cross-Site Scripting (XSS)
GHSA-jxp8-4jw5-5xjc CVE-2025-10931 LOW 29 days ago
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Umami Analytics allows Cross-Site Scri...
packagist
No PRs yet
Keycloak allows access to admin path through flaw
GHSA-c6cm-5gc7-c3f4 CVE-2025-10939 LOW about 1 month ago
A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The...
maven
No PRs yet
Wasmtime vulnerable to segfault when using component resources
GHSA-4h67-722j-5pmc CVE-2025-62711 LOW about 1 month ago
### Impact The implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully cra...
cargo
1 Dependabot PRs
Apache Tomcat Vulnerable to Improper Resource Shutdown or Release
GHSA-hgrr-935x-pq79 CVE-2025-61795 LOW about 1 month ago
If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to di...
maven
No PRs yet
Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences
GHSA-vfww-5hm6-hx2j CVE-2025-55754 LOW about 1 month ago
Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supp...
maven
No PRs yet
Liferay Portal Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page
GHSA-gccf-r9xp-x8jx CVE-2025-62255 LOW about 1 month ago
Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsuppor...
maven
No PRs yet
Liferay Portal and DXP are Missing Authorization in Collection Provider
GHSA-cqwv-9xh5-25fg CVE-2025-62247 LOW about 1 month ago
Missing Authorization in Collection Provider component in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, ...
maven
No PRs yet
Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names
GHSA-45p5-v273-3qqr CVE-2025-11966 LOW about 1 month ago
# Description - In the `StaticHandlerImpl#sendDirectoryListing(...)` method under the `text/html` branch, file and directory names are directly em...
maven
2 Dependabot PRs
Borrowck Scarifices exposes uninitialized memory in any_as_u8_slice
GHSA-xcpm-76hf-c9cc LOW about 1 month ago
The safe function `any_as_u8_slice` can create byte slices that reference uninitialized memory when used with types containing padding bytes. The ...
cargo
No PRs yet
Direct Ring Buffer has uninitialized memory exposure in create_ring_buffer
GHSA-fp5x-7m4q-449f LOW about 1 month ago
The safe function `create_ring_buffer` allocates a buffer using `Vec::with_capacity` followed by `set_len`, creating a `Box<[T]>` containing uninit...
cargo
No PRs yet
orx-pinned-vec has undefined behavior in index_of_ptr with empty slices
GHSA-h5j3-crg5-8jqm LOW about 1 month ago
The safe function `index_of_ptr` causes undefined behavior when called with an empty slice. The issue occurs in the line `ptr.add(slice.len() - 1)...
cargo
No PRs yet
uv has differential in tar extraction with PAX headers
GHSA-w476-p2h3-79g9 LOW about 1 month ago
### Impact In versions 0.9.4 and earlier of uv, tar archives containing PAX headers with file size overrides were not handled properly. As a resul...
pypi
1 Dependabot PRs
Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice
GHSA-3cpp-fv95-mpr5 LOW about 1 month ago
### Impact This vulnerability allows malicious actors to force the application server to send HTTP requests to both external and internal servers. ...
packagist
No PRs yet
Shopware vulnerable to path traversal via Plugin upload
GHSA-6wh5-mw9h-5c3w LOW about 1 month ago
### Impact Malicious actors can exploit this vulnerability to write files within arbitrary directories on the filesystem of the Shopware web contai...
packagist
No PRs yet
rollbar vulnerable to prototype pollution
GHSA-r8c2-2qwq-94p6 CVE-2025-57325 LOW about 1 month ago
### Impact Prototype pollution potential with the utility function `rollbar/src/utility`.`set()`. No impact when using the published public interf...
npm
No PRs yet
TastyIgniter vulnerable to Cross-Site Scripting
GHSA-4vrf-42cm-7xfw CVE-2025-61417 LOW about 1 month ago
Cross-Site Scripting (XSS) vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/media_manager component. Attackers can upload a malicio...
packagist
No PRs yet
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module
GHSA-fgx4-p8xf-qhp9 CVE-2025-62505 LOW about 1 month ago
### Vulnerability Description --- Vulnerability Overview - When the client sends an arbitrary URL array and impl: ["naive"] to the tRPC endpoint...
npm
No PRs yet
LibreNMS alert-rules has a Cross-Site Scripting Vulnerability
GHSA-6g2v-66ch-6xmh CVE-2025-62412 LOW about 1 month ago
## Executive Summary **Product:** LibreNMS **Vendor:** LibreNMS **Vulnerability Type:** Cross-Site Scripting (XSS) **CVSS Score:** 4.3 (AV:N...
packagist
No PRs yet
PrestaShop Checkout Target PayPal merchant account hijacking from backoffice
GHSA-wvpg-4wrh-5889 CVE-2025-61924 LOW about 1 month ago
### Impact Wrong usage of the PHP `array_search()` allows bypass of validation. ### Patches The problem has been patched in versions: - v4.4.1 for...
packagist
No PRs yet