Lucene search
+L

133 matches found

Snyk
Snyk
added 2026/07/07 1:1 p.m.6 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the GET /api/oauth/email/bind and GET /api/oauth/wechat/bind endpoints. An attacker can alter account binding state by tricking a logged-in user into visiting a crafted link, potentially allowing the...

6CVSS5.9AI score0.00189EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 9:11 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to insufficient validation in the IsAuthorized function. An attacker can maintain unauthorized access to AI Bridge LLM proxy endpoints by using previously issued, unexpired API tokens even after the associate...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.8 views

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS due to the lack of an upper bound on memory allocation for unacknowledged WebSocket PING frames. An attacker can cause memory exhaustion by sending a rapid sequence of PING messages from a malicious server. Details...

8.7CVSS6AI score0.0086EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/01 8:44 p.m.5 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via unsanitized repository URL components in the webhook endpoint when no secret is configured. An attacker can trigger continuous repository re-cloning, increasing network traffic and...

8.3CVSS6AI score0.00506EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/20 3:21 p.m.6 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the POST /resources/:resource/:id/:related endpoint. An attacker can gain unauthorized access to sensitive relationships and escalate privileges by sending crafted POST requests to manipulate associations,...

9.6CVSS5.9AI score0.00331EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/18 1:52 p.m.5 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error in the JWT validation process. An attacker can gain unauthorized access by presenting a validly signed token from a trusted issuer, originally intended for a different service, to the authentication system. This ...

4.2CVSS6AI score0.00112EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/18 1:52 p.m.6 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error in the JWT validation process. An attacker can gain unauthorized access by presenting a validly signed token from a trusted issuer, originally intended for a different service, to the authentication system. This ...

4.2CVSS6AI score0.00112EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/18 1:52 p.m.6 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error in the JWT validation process. An attacker can gain unauthorized access by presenting a validly signed token from a trusted issuer, originally intended for a different service, to the authentication system. This ...

4.2CVSS6AI score0.00112EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/13 5:13 p.m.6 views

UNIX Symbolic Link (Symlink) Following

Overview github.com/opencontainers/runc/libcontainer is a package for a modern container runtime. Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following in setupPtmx and setupDevSymlinks, which enable file deletion via calls to os.Remove and os.Symlink. An attack...

4.8CVSS5.5AI score0.00222EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/11 3:20 p.m.8 views

HTTP Response Splitting

Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the host component of a URI when constructing a PSR-7 Uri or Request. An attacker can inject arbitrary HTTP headers by supplying a crafted host value containing ASCII control characters, such as CRLF, which a...

6.9CVSS5.5AI score0.00189EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/08 11:9 p.m.5 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the lack of CSRF protection on /ui/ mutating endpoints. An attacker can perform unauthorized actions on behalf of an authenticated user by tricking them into submitting crafted requests, such as...

7CVSS5.8AI score0.00013EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/29 11:36 a.m.9 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine in the theme engine due to rendering uploaded Twig templates without a sandbox or strict function restrictions. An attacker can execute arbitrary code on the hosting...

9.9CVSS6.2AI score0.00439EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/29 10:18 a.m.13 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the API contact filtering due to insufficient recursive sanitization of nested query parameters. An attacker can execute arbitrary SQL commands and potentially access sensitive data or disrupt database integrity by...

7.1CVSS6.1AI score0.00224EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/22 5:42 p.m.10 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication via the ToASCII and ToUnicode functions. An attacker can bypass hostname validation by submitting Punycode-encoded labels that decode to ASCII-only labels, potentially leading to privilege escalation in...

9.6CVSS5.6AI score0.00478EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.15 views

PT-2026-41117

Name of the Vulnerable Software and Affected Versions Amazon SageMaker Python SDK versions prior to 2.257.2 Amazon SageMaker Python SDK versions prior to 3.8.0 Description The ModelBuilder/Serve component stores sensitive information in cleartext. A remote authenticated actor with permissions to...

8.5CVSS6.2AI score0.00439EPSS
Exploits0References14
Snyk
Snyk
added 2026/05/07 9:34 p.m.8 views

Improper Handling of Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions in the token revocation process. An attacker can maintain unauthorized access by using a stolen access token that was issued with no expiration, as the token cannot be invalidated through...

9.1CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/05/07 9:21 p.m.11 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the PUT /api/echo/like/:id endpoint. An attacker can manipulate engagement metrics by sending repeated unauthenticated requests to the like endpoint, resulting in arbitrary inflation of the favcount value...

6.9CVSS5.6AI score
Exploits0References2
Snyk
Snyk
added 2026/05/07 9:18 p.m.7 views

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the RSS feed rendering process. An attacker can execute arbitrary JavaScript in the context of RSS readers by injecting malicious tag names or raw HTML markdown content. This is only exploitab...

4.8CVSS6AI score
Exploits0References3
Snyk
Snyk
added 2026/05/04 5:28 p.m.7 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the ParseIP6Extended function. An attacker can cause the application to crash or become unresponsive by supplying a specially crafted BGP UPDATE message. Remediation Upgrade github.com/osrg/gobgp/v4/pkg/packet/bgp...

8.7CVSS5.8AI score0.00335EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/27 12:14 p.m.11 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the ConsulRegistryUtils.deserialize method which fails to without apply an ObjectInputFilter. An attacker can execute arbitrary code by injecting a malicious serialized Java object into the Consul K...

8.8CVSS6.1AI score0.00667EPSS
Exploits1References2
Rows per page
Query Builder