Lucene search
K
SnykMost viewed

35749 matches found

Snyk
Snyk
added 2026/05/13 3:57 p.m.9 views

Malicious Package

Overview github.com/BufferZoneCorp/go-retryablehttp is a malicious package. This package contains malicious code designed to compromise developer systems and CI environments, specifically targeting GitHub Actions. The threat actor, operating under the GitHub account BufferZoneCorp, published a...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/05/13 3:30 p.m.9 views

Server-side Request Forgery (SSRF)

Overview nautobot is a Source of truth and network automation platform. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Webhook process. An attacker can access internal or restricted network resources by configuring webhooks to send requests to...

8.5CVSS5.8AI score0.00235EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/13 3:30 p.m.9 views

Missing Authorization

Overview nautobot is a Source of truth and network automation platform. Affected versions of this package are vulnerable to Missing Authorization in the GenericForeignKey process. An attacker can associate objects with unauthorized resources by supplying the UUIDs of objects they do not have...

5.4CVSS5.8AI score0.00177EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/13 3:29 p.m.9 views

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop through insufficient validation and missing safety mechanisms during symlink resolution. An attacker can cause infinite loops and resource exhaustion by providing crafted or malformed input that triggers uncontrolled...

7.5CVSS5.8AI score0.00295EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/13 1:39 a.m.9 views

Improper Verification of Cryptographic Signature

Overview openlearnx is an OpenLearnX is an AI-powered learning platform with adaptive quizzes, coding practice, course tracking, and dashboard analytics. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the JWT signature verification process...

6.9CVSS5.8AI score0.00207EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/12 9:20 p.m.9 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack via the exec2 process. An attacker can access or modify arbitrary files on the client host by exploiting symbolic link handling. Remediation Upgrade github.com/hashicorp/nomad-driver-exec2/pkg/shim to version 0.1.2 or...

6.7CVSS5.9AI score0.00129EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 9:20 p.m.9 views

Incorrect Authorization

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Incorrect Authorization via the authorization process. An attacker can gain unauthorized write access by bypassing security measures. Remediation Upgrade...

8.7CVSS5.8AI score0.00411EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 7:25 p.m.9 views

Deserialization of Untrusted Data

Overview ludwig is a Declarative machine learning: End-to-end machine learning pipelines using data-driven configurations. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the model serving process. An attacker can execute arbitrary code on the system by...

9.8CVSS6.2AI score0.00497EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 7:23 p.m.9 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow due to improper bounds checking in memory operations. An attacker can execute arbitrary code or escalate privileges by supplying crafted input to the affected process. Remediation Upgrade...

8.3CVSS6.2AI score0.00551EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 7:22 p.m.9 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to improper validation of user-supplied input in the authentication process. An attacker can gain elevated privileges by providing crafted input during local interaction. Remediation Upgrade...

8.3CVSS5.8AI score0.00662EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 6:30 p.m.9 views

Deserialization of Untrusted Data

Overview ludwig is a Declarative machine learning: End-to-end machine learning pipelines using data-driven configurations. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the predict method. An attacker can execute arbitrary code by supplying a maliciousl...

9.8CVSS6.1AI score0.006EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 5:22 p.m.9 views

Allocation of Resources Without Limits or Throttling

Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the WebDAV LOCK and PROPFIND XML request bodies. An attacker can cause...

8.7CVSS5.8AI score0.0078EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 5:22 p.m.9 views

Improper Authentication

Overview org.apache.tomcat:catalina is a Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Authentication when DIGEST authentication is configured. An attacker can gain unauthorized access by providing any unknown username, as t...

9.8CVSS5.8AI score0.01233EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/12 5:22 p.m.9 views

Timing Attack

Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can perform a timing side-channel attack to determine whether a guessed secret ...

6.3CVSS5.8AI score0.00352EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 5:21 p.m.9 views

Improper Handling of Case Sensitivity

Overview org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the LockOutRealm function. An attacker can bypass account lockout protections by submitting usernames with different...

7.5CVSS5.8AI score0.00467EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:23 p.m.9 views

Stack-based Buffer Overflow

Overview Magick.NET-Q8-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package ar...

6.7CVSS5.8AI score0.0013EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:6 p.m.9 views

Arbitrary Code Injection

Overview protobufjs-cli is a Translates between file formats and generates static code as well as TypeScript definitions. Affected versions of this package are vulnerable to Arbitrary Code Injection via the pbjs static code generation. An attacker can execute arbitrary code by providing crafted...

8.8CVSS6.2AI score0.00395EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:0 p.m.9 views

Improper Handling of Unicode Encoding

Overview protobufjs is a protocol buffer for JavaScript & TypeScript. Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding in the decoding of overlong UTF-8 strings. An attacker can bypass application-level byte filtering or validation by sending malicious...

6.9CVSS5.9AI score0.00301EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 2:59 p.m.9 views

Command Injection

Overview protobufjs-cli is a Translates between file formats and generates static code as well as TypeScript definitions. Affected versions of this package are vulnerable to Command Injection via pbts. An attacker can execute arbitrary shell commands by supplying file paths containing shell...

8.5CVSS6.1AI score0.00132EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 7:40 p.m.9 views

Cross-site Scripting (XSS)

Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Move Attachments admin page when unescaped project names are rendered. An attacker can execute arbitrary scripts in the context of the affected application by...

8.6CVSS5.8AI score0.00298EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 7:40 p.m.9 views

SQL Injection

Overview kysely is a Type safe SQL query builder Affected versions of this package are vulnerable to SQL Injection via the visitJSONPathLeg function, which appends user-controlled values from .key and .at directly into single-quoted JSON path string literals without proper escaping. An attacker c...

8.8CVSS6AI score0.00419EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/11 7:34 p.m.9 views

PHP Remote File Inclusion

Overview yiisoft/yii2 is a Yii PHP Framework. Affected versions of this package are vulnerable to PHP Remote File Inclusion via the View::renderPhpFile process. An attacker can access arbitrary files or potentially execute code by supplying a specially crafted file parameter in the $params array,...

9.1CVSS6.1AI score0.00442EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 7:32 p.m.9 views

Information Exposure

Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Information Exposure in the attachment access process. An attacker can gain unauthorized access to attachments they previously uploaded by listing and downloading them from issues that have sin...

5.3CVSS5.8AI score0.00362EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 7:32 p.m.9 views

Cross-site Scripting (XSS)

Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the bugreportpage.php process when cloning an issue from a different project, due to improper escaping of the source project name. An attacker with sufficient...

8.6CVSS5.6AI score0.00444EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 6:31 p.m.9 views

SQL Injection

Overview pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to SQL Injection via the Import/Export query export. An attacker can execute arbitrary commands on the server or write arbitrary files by injecting crafted input into the psql \copy metacommand template...

8.8CVSS6.2AI score0.01444EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 6:31 p.m.9 views

Deserialization of Untrusted Data

Overview pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the FileBackedSessionManager. An attacker can execute arbitrary code by placing a crafted serialized payload into the sessions directory, which is deserialized without...

7.8CVSS6.1AI score0.00131EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 6:31 p.m.9 views

SQL Injection

Overview pgadmin4 is a PostgreSQL Tools Affected versions of this package are vulnerable to SQL Injection via the Maintenance Tool. An attacker can execute arbitrary SQL commands and potentially escalate to operating-system command execution on the database host by supplying crafted input to the...

8.8CVSS6.3AI score0.00456EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 6:31 p.m.9 views

Command Injection

Overview gpt-pilot is a GPT Pilot - an AI developer that works with you to build complex projects Affected versions of this package are vulnerable to Command Injection via the Executor.run function. An attacker can execute arbitrary shell commands by supplying crafted input that is passed directl...

6.9CVSS5.9AI score0.00704EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 6:14 p.m.9 views

Server-side Request Forgery (SSRF)

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in validatewebhookurl, in...

7.1CVSS6AI score0.00288EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/11 5:18 p.m.9 views

Arbitrary Code Injection

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Arbitrary Code Injection via the Config::toArray function. An attacker can access sensitive configuration data, including plugin secrets, by...

7.7CVSS5.8AI score0.00276EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/11 4:21 p.m.9 views

Authentication Bypass Using an Alternate Path or Channel

Overview next is a react framework. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the middleware.ts with Turbopack enabled. An attacker can gain unauthorized access to protected resources by bypassing authentication mechanisms...

8.7CVSS5.8AI score0.01523EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 2:48 p.m.9 views

Incorrect Behavior Order: Validate Before Canonicalize

Overview Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the parsing of Git objects with malformed or ambiguous commit or tag objects. An attacker can cause inconsistent interpretation of object metadata or signature validation by...

7.5CVSS5.8AI score0.00159EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 2:27 p.m.9 views

Arbitrary Code Injection

Overview bentoml is a BentoML: Build Production-Grade AI Applications Affected versions of this package are vulnerable to Arbitrary Code Injection via the envs.name field in the configuration file during Dockerfile generation. An attacker can execute arbitrary commands on the build host by crafti...

8.8CVSS6.1AI score0.00321EPSS
Exploits1References3
Total number of security vulnerabilities5000