Browse all 6 CVE security advisories affecting DependencyTrack. AI-powered Chinese analysis, POCs, and references for each vulnerability.
DependencyTrack is an open-source software composition analysis (SCA) platform that identifies and tracks vulnerabilities in third-party dependencies. Historically, it has faced vulnerabilities including remote code execution, cross-site scripting, and privilege escalation flaws. The platform currently has six CVEs on record, which reflect its core functions of SBOM generation and dependency mapping. While no major incidents have been widely documented, the CVEs highlight potential risks in its functionality, particularly around authentication and input validation. The tool remains valuable for organizations seeking to manage supply chain security despite these vulnerabilities, which underlines the need for regular updates and careful configuration in production environments.
| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-64758 | @dependencytrack/frontend Vulnerable to Persistent Cross-Site-Scripting via Welcome Message | frontend | CWE-79 | 4.8 | Medium | 2025-11-17 |
| CVE-2025-61776 | Dependency-Track possibly discloses private NuGet repository credentials to api.nuget.org | dependency-track | CWE-522 | 4.7 | Medium | 2025-10-07 |
| CVE-2025-27137 | Dependency-Track vulnerable to local file inclusion via custom notification templates | dependency-track | CWE-73 | 4.4 | Medium | 2025-02-24 |
| CVE-2024-54002 | Dependency-Track allows enumeration of managed users via /api/v1/user/login endpoint | dependency-track | CWE-203 | 5.3 | Medium | 2024-12-04 |
| CVE-2022-39350 | @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details | frontend | CWE-79 | 5.4 | Medium | 2022-10-25 |
| CVE-2022-39351 | Dependency-Track vulnerable to logging of API keys in clear text when handling API requests using keys with insufficient permissions | dependency-track | CWE-312 | 4.4 | Medium | 2022-10-25 |
This page lists every published CVE security advisory associated with DependencyTrack. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products, and references. AI-generated Chinese-language analysis is provided for fast triage.