35575 matches found
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the DeleteWithPathPrefix process. An attacker can expose unintended contents by deleting a shared directory using a trailing-slash path and then recreating the directory, which causes the dormant public share...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the DeleteWithPathPrefix process. An attacker can expose unintended contents by deleting a shared directory using a trailing-slash path and then recreating the directory, which causes the dormant public share...
Embedded Malicious Code
Overview jscrambler is a Jscrambler Code Integrity API client. Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a cross-platform infostealer. A malicious actor compromised an npm publishing credential associated with Jscrambler, which allowed the attacker ...
Directory Traversal
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Server-side Request Forgery (SSRF)
Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Crawl4AI backend process. An attacker can access internal network resources and sensitive informati...
Information Exposure
Overview praisonai is a PraisonAI TypeScript AI Agents Framework - Node.js, npm, and Javascript AI Agents Framework Affected versions of this package are vulnerable to Information Exposure due to insecure default configuration that binds to all interfaces without requiring an API key and allows...
Insecure Default Initialization of Resource
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
User Impersonation
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through AcquireMatrixInfo in MagickCore/matrix.c. An attacker can cause matrix-backed operations, such as -canny, to allocate more memory than the configured limit by supplying input...
Arbitrary Code Injection
Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Arbitrary Code Injection via the CodeAgent.executepython function. An attacker can execute arbitrary code and exfiltrate environment secrets...
Directory Traversal
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Missing Authorization
Overview praisonai-platform is a Platform layer for PraisonAI — workspace, auth, issues, projects Affected versions of this package are vulnerable to Missing Authorization in the PATCH routes for projects, issues, and agents, where insufficient authorization checks allow a workspace member to...
Missing Authorization
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Use After Free
Overview Affected versions of this package are vulnerable to Use After Free via the FormatMagickCaption function in MagickCore/annotate.c. An attacker can trigger a dangling-pointer dereference by supplying caption text that drives the memory-allocation failure path during caption formatting. Whe...
Unchecked Return Value
Overview Affected versions of this package are vulnerable to Unchecked Return Value through XMP profile parsing in MagickCore/xml-tree.c's ParseEntities routine. An attacker can trigger a crash by supplying a crafted XMP profile that drives the parser down the affected code path and dereferences...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack through the CopyDelegateFile path in the VIDEO/APNG delegate code. An attacker can write output to a disallowed path by supplying a delegate-driven image write that copies a generated file to a destination the policy shou...
Arbitrary File Upload
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Arbitrary File Upload in the file upload process when a malformed Content-Type header is supplied and the file extension is...
Missing Release of Memory after Effective Lifetime
Overview Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime through the WriteVIFFImage encoder in coders/viff.c. An attacker can consume memory by causing the VIFF encoder to hit an allocation failure while processing an image with a color map...
Cross-site Scripting (XSS)
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper input neutralization during web page generation. An attacker can execute arbitrary script...
Server-side Request Forgery (SSRF)
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the request process. An attacker can make arbitrary requests to internal or external syste...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the process of modifying dynamically-determin...
Open Redirect
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Open Redirect via the URL redirection process. An attacker can redirect users to malicious sites or poison cache by crafting...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the deserialization process. An attacker can...
Malicious Package
Overview auth-next-gen is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview authvaultx is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization via the printInventory process. An attacker can access inventory and cost/order metadata from modules that should be restricted by leveraging...
Open Redirect
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Open Redirect via the redirect-intended process. An attacker can redirect users to arbitrary external websites by manipulating the Referer header during the user edit flow...
Cross-site Scripting (XSS)
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the UploadFileRequest process, which fails to properly sanitize SVG content unless PHP finfo reports image/svg+xml, and the...
Cross-site Scripting (XSS)
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the headercolor setting in the branding configuration. An attacker with superadmin privileges can inject arbitrary CSS that impacts authenticate...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization in the Importer API endpoint when a user with CSV import capabilities and a valid API key can overwrite the createdby value of an import file. An...
XML Injection
Overview @logto/connector-saml is a SAML standard connector implementation. Affected versions of this package are vulnerable to XML Injection via the SAML assertion process. An attacker can inject arbitrary XML markup into signed SAML assertions by supplying crafted profile attributes, potentiall...
Authorization Bypass Through User-Controlled Key
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the unaccepted-assets report delete endpoint. An attacker can remove pending checkout acceptance records belonging to...
Directory Traversal
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Directory Traversal via the image field during CSV import. An attacker can delete arbitrary files accessible to the server process by supplying a crafted path traversal stri...
CSV Injection
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to CSV Injection through the postActivityReport process. An attacker can cause arbitrary formula execution in spreadsheet software by injecting a specially crafted User-Agent...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization due to improper authorization in the legacy license checkin process. An attacker can reclaim license seats assigned to other users or assets by...
Improper Encoding or Escaping of Output
Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the MapMessage.asJson method, which emits the bare NaN, Infinity, or -Infinity tokens instead of an RFC 8259-compliant representation. An attacker can emit malformed JSON that corrupts the...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication in the ReverseProxy.Rewrite process when the internal authentication token is forwarded to backend services via the x-tsdproxy-auth-token header. An attacker can gain unauthorized management API access and escala...
Malicious Package
Overview type-elint is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Missing Authentication for Critical Function
Overview clauster is a Self-hosted web UI for spawning and managing Claude Code remote-control bridges on a remote host. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the authentication process. An attacker can gain unauthorized access to the...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview prestashop/psfacetedsearch is a PrestaShop module that adds layered navigation filters. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the getFromCache function. An attacker can...
Malicious Package
Overview type-plint is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview type-atob is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication in the auto-linking process by email, as the external identity provider does not verify ownership of the email address before linking accounts. An attacker can gain unauthorized access to a victim's local account...
Missing Authorization
Overview github.com/zitadel/zitadel/internal/api/oidc is a package for identity infrastructure Affected versions of this package are vulnerable to Missing Authorization in the OAuth2 Token Exchange process. An attacker can gain elevated permissions by exchanging a low-privilege token for higher...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in the session process. An attacker can bypass token expiration enforcement by providing a JWT without the exp claim, resulting in tokens from trusted issuers being accepted indefinitely. Remediation...
Improper Authentication
Overview prowler is a Prowler is an Open Source security tool to perform AWS, GCP and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains hundreds of controls covering CIS, NIST 800, NIST CSF, CISA, RBI,...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization in the BulkUsersController::destroy process. An attacker can gain unauthorized ability to soft-delete other non-admin users by sending a direct POST...
Missing Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Missing Authorization via the cancelbyadmin parameter in the asset request cancellation process. An attacker can cancel pending asset requests for other users by supplying a...
Cross-site Scripting (XSS)
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the markdown-textarea custom field processing. An attacker can execute arbitrary JavaScript in the context of another user by embedding a crafte...
Incorrect Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization in the API location creation process when both Full Multiple Companies Support and scopelocationsfmcs are enabled. An attacker can create a child...