14 Pull requests merged by 4 people

• [GHSA-c352-x843-ggpq] XXL-JOB vulnerable to Server-Side Request Forgery

  #5833 merged Jul 18, 2025

• [GHSA-g5cj-5h58-j93w] Jeecg-boot vulnerable to SQL Injection

  #5831 merged Jul 18, 2025

• [GHSA-v87q-rpwp-qr7q] Jeecg-boot vulnerable to SQL Injection

  #5832 merged Jul 18, 2025

• [GHSA-4j2x-v3mr-467m] Jeecg-boot vulnerable to SQL injection via updateNullByEmptyString

  #5830 merged Jul 18, 2025

• [GHSA-25gv-mvm7-5h3h] Jeecg-boot vulnerable to SQL injection via /sys/user/putRecycleBin

  #5829 merged Jul 18, 2025

• [GHSA-4gr7-qw2q-jxh6] Cross-site Scripting in Nacos

  #5824 merged Jul 18, 2025

• [GHSA-83w4-x5w9-hf4h] XXL-JOB vulnerable to Server-Side Request Forgery (SSRF)

  #5828 merged Jul 18, 2025

• [GHSA-c6mx-3fj9-9j7q] PowerJob vulnerable to incorrect access control

  #5823 merged Jul 18, 2025

• [GHSA-mpvf-6h9g-2hq2] PowerJob Incorrect Access Control vulnerability

  #5822 merged Jul 18, 2025

• [GHSA-x6rc-54xp-ccxx] Improper Restriction of XML External Entity Reference in Apache ActiveMQ

  #5821 merged Jul 18, 2025

• [GHSA-c23v-vqw5-52c5] PowerJob vulnerable to Incorrect Access Control via the create user/save interface.

  #5812 merged Jul 18, 2025

• [GHSA-x8qp-wqqm-57ph] vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes

  #5819 merged Jul 17, 2025

• [GHSA-36wv-v2qp-v4g4] Apache CXF is vulnerable to DoS attacks as entire files are read into memory and logged

  #5818 merged Jul 17, 2025

• [GHSA-h4c9-rr5m-32fm] RuoYi vulnerable to arbitrary file download

  #5811 merged Jul 16, 2025

3 Pull requests opened by 2 people

• [GHSA-8w3f-4r8f-pf53] Remote code execution through js2py onCaptchaResult

  #5809 opened Jul 15, 2025

• [GHSA-fr5w-98mc-jjvg] Arbitrary file upload in Mingsoft MCMS

  #5834 opened Jul 18, 2025

• [GHSA-h57w-vh34-f8cw] Code injection in mingSoft MCMS

  #5835 opened Jul 18, 2025

4 Issues closed by 3 people

• Clarification on Overlap Between GHSA-8f89-2fwj-5v5r and GHSA-4r97-78gf-q24v

  #5817 closed Jul 18, 2025

• Duplicate advisories for Prototype Pollution in min-dash: GHSA-2m53-83f3-562j and GHSA-fm93-fhh2-cg2c

  #5816 closed Jul 18, 2025

• Advisory GHSA-v588-qcp3-jv46 lists incorrect fixed version

  #5807 closed Jul 15, 2025

• Networking problem

  #5805 closed Jul 13, 2025

2 Issues opened by 1 person

• Correction Request: Add ammo package to affected list in GHSA-gjph-xf5q-6mfq

  #5820 opened Jul 17, 2025

• Metadata Correction Request for GHSA-3wqh-h42r-x8fq (@hapi/subtext)

  #5815 opened Jul 16, 2025

4 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• question: how handle `affected[].ranges[].events` + `affectedversions-field`

  #5734 commented on Jul 20, 2025 • 0 new comments

• [GHSA-9pp5-9c7g-4r83] Spring Security authorization bypass for method security annotations on private methods

  #5747 commented on Jul 20, 2025 • 0 new comments

• [GHSA-9fq2-x9r6-wfmf] Numpy Deserialization of Untrusted Data

  #5777 commented on Jul 16, 2025 • 0 new comments

• [GHSA-m8p2-495h-ccmh] The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks

  #5791 commented on Jul 17, 2025 • 0 new comments