17 Pull requests merged by 7 people

• [GHSA-c23v-vqw5-52c5] PowerJob vulnerable to Incorrect Access Control via the create user/save interface.

  #5840 merged Jul 22, 2025

• [GHSA-96c2-h667-9fxp] nova-tiptap has Unauthenticated Arbitrary File Upload Vulnerability

  #5839 merged Jul 22, 2025

• [GHSA-f29h-pxvx-f335] eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7...

  #5838 merged Jul 21, 2025

• [GHSA-c352-x843-ggpq] XXL-JOB vulnerable to Server-Side Request Forgery

  #5833 merged Jul 18, 2025

• [GHSA-g5cj-5h58-j93w] Jeecg-boot vulnerable to SQL Injection

  #5831 merged Jul 18, 2025

• [GHSA-v87q-rpwp-qr7q] Jeecg-boot vulnerable to SQL Injection

  #5832 merged Jul 18, 2025

• [GHSA-4j2x-v3mr-467m] Jeecg-boot vulnerable to SQL injection via updateNullByEmptyString

  #5830 merged Jul 18, 2025

• [GHSA-25gv-mvm7-5h3h] Jeecg-boot vulnerable to SQL injection via /sys/user/putRecycleBin

  #5829 merged Jul 18, 2025

• [GHSA-4gr7-qw2q-jxh6] Cross-site Scripting in Nacos

  #5824 merged Jul 18, 2025

• [GHSA-83w4-x5w9-hf4h] XXL-JOB vulnerable to Server-Side Request Forgery (SSRF)

  #5828 merged Jul 18, 2025

• [GHSA-c6mx-3fj9-9j7q] PowerJob vulnerable to incorrect access control

  #5823 merged Jul 18, 2025

• [GHSA-mpvf-6h9g-2hq2] PowerJob Incorrect Access Control vulnerability

  #5822 merged Jul 18, 2025

• [GHSA-x6rc-54xp-ccxx] Improper Restriction of XML External Entity Reference in Apache ActiveMQ

  #5821 merged Jul 18, 2025

• [GHSA-c23v-vqw5-52c5] PowerJob vulnerable to Incorrect Access Control via the create user/save interface.

  #5812 merged Jul 18, 2025

• [GHSA-x8qp-wqqm-57ph] vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes

  #5819 merged Jul 17, 2025

• [GHSA-36wv-v2qp-v4g4] Apache CXF is vulnerable to DoS attacks as entire files are read into memory and logged

  #5818 merged Jul 17, 2025

• [GHSA-h4c9-rr5m-32fm] RuoYi vulnerable to arbitrary file download

  #5811 merged Jul 16, 2025

4 Pull requests opened by 3 people

• [GHSA-fr5w-98mc-jjvg] Arbitrary file upload in Mingsoft MCMS

  #5834 opened Jul 18, 2025

• [GHSA-h57w-vh34-f8cw] Code injection in mingSoft MCMS

  #5835 opened Jul 18, 2025

• [GHSA-2gxp-6r36-m97r] Corrected severity on advisory

  #5841 opened Jul 22, 2025

• [GHSA-f29h-pxvx-f335] eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code

  #5842 opened Jul 22, 2025

6 Issues closed by 2 people

• Metadata Correction Request for GHSA-3wqh-h42r-x8fq (@hapi/subtext)

  #5815 closed Jul 22, 2025

• Add support for Linux packages

  #5836 closed Jul 21, 2025

• Go: Supported ecosystem

  #5762 closed Jul 21, 2025

• Correction Request: Add ammo package to affected list in GHSA-gjph-xf5q-6mfq

  #5820 closed Jul 21, 2025

• Clarification on Overlap Between GHSA-8f89-2fwj-5v5r and GHSA-4r97-78gf-q24v

  #5817 closed Jul 18, 2025

• Duplicate advisories for Prototype Pollution in min-dash: GHSA-2m53-83f3-562j and GHSA-fm93-fhh2-cg2c

  #5816 closed Jul 18, 2025

5 Unresolved conversations

Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.

• question: how handle `affected[].ranges[].events` + `affectedversions-field`

  #5734 commented on Jul 20, 2025 • 0 new comments

• [GHSA-9pp5-9c7g-4r83] Spring Security authorization bypass for method security annotations on private methods

  #5747 commented on Jul 20, 2025 • 0 new comments

• [GHSA-m8p2-495h-ccmh] The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks

  #5791 commented on Jul 17, 2025 • 0 new comments

• [GHSA-wx5j-54mm-rqqq] HTTP request smuggling in netty

  #5792 commented on Jul 21, 2025 • 0 new comments

• [GHSA-8w3f-4r8f-pf53] Remote code execution through js2py onCaptchaResult

  #5809 commented on Jul 17, 2025 • 0 new comments