Security Advisories
Browse security advisories and track which Dependabot PRs address them.
25,257 total advisories; 1,939 with Dependabot PRs; 3,553 critical severity; 8,784 high severity.
Directus has open redirect in SAML
GHSA-3573-4c68-g8cc MODERATE about 18 hours ago
## Security Advisory: Open Redirect in Directus SAML Authentication
### Summary
An open redirect vulnerability exists in the Directus SAML authen...
npm
No PRs yet
Parsl Monitoring Visualization Vulnerable to SQL Injection
GHSA-f2mf-q878-gh58 MODERATE about 19 hours ago
**Affected Product:** Parsl (Python Parallel Scripting Library)
**Component:** parsl.monitoring.visualization
**Vulnerability Type:** SQL Injecti...
pypi
No PRs yet
Bokeh server applications have Incomplete Origin Validation in WebSockets
GHSA-793v-589g-574v CVE-2026-21883 MODERATE about 19 hours ago
This vulnerability allows for **Cross-Site WebSocket Hijacking (CSWSH)** of a deployed Bokeh server instance.
### Scope
This vulnerability is on...
pypi
No PRs yet
Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability
GHSA-8v65-47jx-7mfr CVE-2026-21859 MODERATE about 20 hours ago
## Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's `/proxy` endpoint that allows attackers to make requests to inte...
go
No PRs yet
MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download
GHSA-9rg3-9pvr-6p27 CVE-2026-21851 MODERATE about 20 hours ago
## Summary
A **Path Traversal (Zip Slip)** vulnerability exists in MONAI's `_download_from_ngc_private()` function. The function uses `zipfile.Zip...
pypi
No PRs yet
Pterodactyl TOTPs can be reused during validity window
GHSA-rgmp-4873-r683 CVE-2025-69197 MODERATE about 20 hours ago
### Summary
When a user signs into an account with 2FA enabled they are prompted to enter a token. When that token is used, it is not sufficiently ...
packagist
No PRs yet
AIOHTTP vulnerable to DoS through chunked messages
GHSA-g84x-mcqj-x9qq CVE-2025-69229 MODERATE 1 day ago
### Summary
Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks.
### Impact
If an ap...
pypi
No PRs yet
AIOHTTP vulnerable to denial of service through large payloads
GHSA-6jhg-hg63-jvvf CVE-2025-69228 MODERATE 1 day ago
### Summary
A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing.
### Impact
If an app...
pypi
No PRs yet
AIOHTTP vulnerable to DoS when bypassing asserts
GHSA-jj3x-wxrx-4x23 CVE-2025-69227 MODERATE 1 day ago
### Summary
When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body.
### Impact
If ...
pypi
No PRs yet
evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API
GHSA-vp8w-wj4m-3r7j CVE-2025-67427 MODERATE 1 day ago
A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initia...
npm
No PRs yet
ERC7984ERC20Wrapper: once a wrapper is filled, subsequent wrap requests do not revert and result in loss of funds.
GHSA-hqf9-8xv5-x8xw MODERATE 1 day ago
### Impact
The `ERC7984` contract tracks total supply using a confidential `euint64` value. If a call to the internal `_mint` function would result...
npm
No PRs yet
gix-date can create non-utf8 string with `TimeBuf::as_str`
GHSA-6mw6-mj76-grwc MODERATE 1 day ago
The function `gix_date::parse::TimeBuf::as_str` can create an illegal string containing non-utf8 characters. This violates the safety invariant of ...
cargo
No PRs yet
Sliver Vulnerable to Pre-Auth Memory Exhaustion via NoEncoder Bypass
GHSA-hjr9-wj7v-7hv8 MODERATE 1 day ago
### Summary
A specially crafted nonce routes unauthenticated requests through the NoEncoder path, where `startSessionHandler()` reads the entire re...
go
No PRs yet
Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
GHSA-742x-x762-7383 CVE-2025-68454 MODERATE 2 days ago
For this to work, users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/...
packagist
No PRs yet
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
GHSA-x27p-wfqw-hfcc CVE-2025-68437 MODERATE 2 days ago
The Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the...
packagist
No PRs yet
Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
GHSA-53vf-c43h-j2x9 CVE-2025-68436 MODERATE 2 days ago
Authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests...
packagist
No PRs yet
Apache SIS has Improper Restriction of XML External Entity Reference vulnerability
GHSA-jqmr-2pg9-vfx7 CVE-2025-68280 MODERATE 2 days ago
Improper Restriction of XML External Entity Reference vulnerability in Apache SIS.
It is possible to write XML files in such a way that, when pa...
maven
No PRs yet
Vaadin vulnerable to Cross-site Scripting
GHSA-7wwv-79xw-rvvg CVE-2025-15022 MODERATE 2 days ago
Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting (XSS) if caption content is deri...
maven
No PRs yet
listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
GHSA-jmr4-p576-v565 CVE-2026-21483 MODERATE 5 days ago
## Security Advisory: Stored XSS Leading to Admin Account Takeover
**Affected Versions:** ≤ 5.1.0
**Vulnerability Type:** CWE-79: Stored Cross-S...
go
No PRs yet
Bagisto has HTML Filter Bypass that Enables Stored XSS
GHSA-2mwc-h2mg-v6p8 CVE-2026-21451 MODERATE 5 days ago
### Summary
A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto 2.3.8 within the CMS page editor. Although the platform normally at...
packagist
No PRs yet
Signal K Server Vulnerable to Access Request Spoofing
GHSA-vfrf-vcj7-wvr8 CVE-2025-69203 MODERATE 5 days ago
The SignalK access request system has two related features that when combined by themselves and with the information disclosure vulnerability enabl...
npm
No PRs yet
Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints
GHSA-fpf5-w967-rr2m CVE-2025-68273 MODERATE 5 days ago
[Note] This is a separate issue from the RCE vulnerability (State Pollution) currently being patched. While related to tokensecurity.js, it involve...
npm
No PRs yet
Apache StreamPipes has Improper Privilege Management issue
GHSA-5r2g-vphf-m5xc CVE-2025-47411 MODERATE 6 days ago
A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows ...
maven
No PRs yet
Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists
GHSA-pc73-rj2c-wvf9 CVE-2025-69413 MODERATE 6 days ago
In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists.
go
No PRs yet
Trix has a stored XSS vulnerability through its attachment attribute
GHSA-g9jg-w8vm-g96v MODERATE 7 days ago
### Impact
The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.
An attacker could inject malici...
npm
rubygems
No PRs yet
CBORDecoder reuse can leak shareable values across decode calls
GHSA-wcj4-jw5j-44wh CVE-2025-68131 MODERATE 7 days ago
### Summary
When a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag (28) persist in memory an...
pypi
No PRs yet
libsodium has Incomplete List of Disallowed Inputs
GHSA-mrfv-m5wm-5w6w CVE-2025-69277 MODERATE 7 days ago
libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mish...
packagist
pypi
40 Dependabot PRs
ImageMagick's failure to limit MVG mutual causes Stack Overflow
GHSA-7rvh-xqp3-pr8j CVE-2025-68950 MODERATE 8 days ago
### Summary
Magick fails to check for circular references between two MVGs, leading to a stack overflow.
### Details
After reading mvg1 using Mag...
nuget
6 Dependabot PRs
ImageMagick's failure to limit the depth of SVG file reads caused a DoS attack
GHSA-p27m-hp98-6637 CVE-2025-68618 MODERATE 8 days ago
### Summary
Using Magick to read a malicious SVG file resulted in a DoS attack.
### Details
bt obtained using gdb:
```
#4 0x0000555555794c9c in...
```
nuget
10 Dependabot PRs
Temporal has an Incorrect Authorization vulnerability
GHSA-hmhp-gh8m-c8xp CVE-2025-14987 MODERATE 8 days ago
When system.enableCrossNamespaceCommands is enabled (on by default), the Temporal server permits certain workflow task commands (e.g. StartChildWor...
go
No PRs yet
axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header
GHSA-x4m5-4cw8-vc44 CVE-2025-69202 MODERATE 8 days ago
## Summary
When a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leadin...
npm
No PRs yet
Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)
GHSA-8wpr-639p-ccrj CVE-2025-69211 MODERATE 8 days ago
A NestJS application is vulnerable if it meets all of the following criteria:
1. Platform: Uses `@nestjs/platform-fastify`.
2. Security Mechanism:...
npm
No PRs yet
Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length
GHSA-6556-fwc2-fg2p MODERATE 8 days ago
### Summary
Picklescan uses the `numpy.f2py.crackfortran._eval_length` function (a NumPy F2PY helper) to execute arbitrary Python code during unpi...
pypi
1 Dependabot PR
Visual Studio Code Go extension has unexpected untrusted code execution
GHSA-fjmr-7667-8v4p CVE-2025-68120 MODERATE 9 days ago
To prevent unexpected untrusted code execution, the Visual Studio Code Go extension is now disabled in Restricted Mode.
go
No PRs yet
Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.param_eval
GHSA-cffc-mxrf-mhh4 MODERATE 9 days ago
### Summary
Picklescan uses numpy.f2py.crackfortran.param_eval, which is a function in numpy to execute remote pickle files.
### Details
The attac...
pypi
1 Dependabot PR
phpMyFAQ has Stored XSS in user list via admin-managed display_name
GHSA-jv8r-hv7q-p6vc CVE-2025-68951 MODERATE 9 days ago
### Summary
A stored cross-site scripting (XSS) vulnerability allows an attacker to execute arbitrary JavaScript in an administrator’s browser by r...
packagist
No PRs yet
hemmelig allows SSRF Filter bypass via Secret Request functionality
GHSA-vvxf-wj5w-6gj5 CVE-2025-69206 MODERATE 9 days ago
### Summary
A Server-Side Request Forgery (SSRF) filter bypass vulnerability exists in the webhook URL validation of the Secret Requests feature. T...
npm
No PRs yet
ruint affected by unsoundness of safe `reciprocal_mg10`
GHSA-9fjq-45qv-pcm7 MODERATE 12 days ago
The function `reciprocal_mg10` is marked as safe but can trigger undefined behavior (out-of-bounds access) because it relies on `debug_assert!` for...
cargo
No PRs yet
Gitea: anonymous user can visit private user's project
GHSA-7xq4-mwcp-q8fx CVE-2025-68945 MODERATE 12 days ago
In Gitea before 1.21.2, an anonymous user can visit a private user's project.
go
No PRs yet
Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries
GHSA-f85h-c7m6-cfpm CVE-2025-68944 MODERATE 12 days ago
Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries.
go
No PRs yet
Gitea vulnerable to Cross-site Scripting
GHSA-hq57-c72x-4774 CVE-2025-68946 MODERATE 12 days ago
In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS.
go
No PRs yet
Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order
GHSA-jhx5-4vr4-f327 CVE-2025-68943 MODERATE 12 days ago
Gitea before 1.21.8 inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order.
go
No PRs yet
Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text
GHSA-898p-hh3p-hf9r CVE-2025-68942 MODERATE 12 days ago
Gitea before 1.22.2 allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text.
go
No PRs yet
Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources
GHSA-xfq3-qj7j-4565 CVE-2025-68941 MODERATE 12 days ago
Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.
go
No PRs yet
Gitea mishandles authorization for deletion of releases
GHSA-cm54-pfmc-xrwx CVE-2025-68938 MODERATE 12 days ago
Gitea before 1.25.2 mishandles authorization for deletion of releases.
go
No PRs yet
Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin
GHSA-vww6-79rv-3j4x CVE-2025-64641 MODERATE 14 days ago
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-iss...
go
No PRs yet
Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues
GHSA-fmqf-pmcm-8cx9 CVE-2025-13767 MODERATE 14 days ago
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to validate user channel membership when attac...
go
No PRs yet
Home Assistant Core before is vulnerable to Directory Traversal
GHSA-pp3g-xmm4-5cw9 CVE-2025-65713 MODERATE 15 days ago
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during con...
pypi
No PRs yet
LibreNMS Alert Rule API Cross-Site Scripting Vulnerability
GHSA-c89f-8g7g-59wj CVE-2025-68614 MODERATE 15 days ago
Please find POC file here https://trendmicro-my.sharepoint.com/:u:/p/kholoud_altookhy/IQCfcnOE5ykQSb6Fm-HFI872AZ_zeIJxU-3aDk0jh_eX_NE?e=zkN76d
ZDI...
packagist
No PRs yet
Local Deep Research is Vulnerable to Server-Side Request Forgery (SSRF) in Download Service
GHSA-9c54-gxh7-ppjc CVE-2025-67743 MODERATE 15 days ago
## Summary
The download service (`download_service.py`) makes HTTP requests using raw `requests.get()` without utilizing the application's SSRF pr...
pypi
No PRs yet