Lucene search
+L
SnykMost viewed

36058 matches found

Snyk
Snyk
added 2026/05/07 10:31 p.m.17 views

Cross-site Scripting (XSS)

Overview netbox-data-flows is a NetBox plugin to document data flows between systems and applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the ObjectAlias.name field rendered in DataFlow tables. An attacker can execute arbitrary JavaScript in the brows...

8.7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/07 9:28 p.m.17 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchPeerConnectInfo function. An attacker can access sensitive internal resources by supplying crafted URLs to the server, which are then requested on behalf of the authenticated user. Remediati...

7.7CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/05/07 8:24 p.m.17 views

Cross-site Scripting (XSS)

Overview postorius is an A web user interface for GNU Mailman Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering process of the message subject in the Held messages pop-up. An attacker can execute arbitrary scripts in the context of the user's browser b...

7.2CVSS5.9AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 12:46 a.m.17 views

Improper Handling of Highly Compressed Data (Data Amplification)

Overview Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification in the HttpContentDecompressor and DelegatingDecompressorFrameListener components when the Content-Encoding header is set to br, zstd, or snappy. An attacker can exhaust...

8.7CVSS5.8AI score0.00887EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 12:13 a.m.17 views

HTTP Request Smuggling

Overview io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling via the getChunkSize function. An attacker can inject unauthorized HT...

7.3CVSS5.8AI score0.00364EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/06 11:1 p.m.17 views

Directory Traversal

Overview nitro is a Build and Deploy Universal JavaScript Servers Affected versions of this package are vulnerable to Directory Traversal via the routeRules function. An attacker can access files or endpoints outside the intended proxy scope by sending specially crafted URLs containing...

6.9CVSS6.3AI score0.00392EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 9:34 p.m.17 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Flight::jsonp process. An attacker can execute arbitrary JavaScript in the context of the response origin by supplying a crafted jsonp query parameter, which is concatenated directly into the JavaScript...

9.3CVSS5.8AI score0.00341EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 10:17 p.m.17 views

Allocation of Resources Without Limits or Throttling

Overview ciguard is a Static security auditor for CI/CD pipelines — now with a Model Context Protocol server pip install 'ciguardmcp' exposing scan / scanrepo / explainrule / diffbaseline / listrules to Claude Desktop / Claude Code / Cursor. Plus .ciguardignore rationale-required suppression,...

6.3CVSS5.8AI score0.00301EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 3:33 p.m.17 views

Malicious Package

Overview bpmn-studio is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/05 3:33 p.m.17 views

Malicious Package

Overview react-native-parallax-scroll-view-updated is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/04 10:2 p.m.17 views

Inefficient Algorithmic Complexity

Overview Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the ResponseReader class. An attacker can exhaust the client's CPU by sending specially crafted IMAP responses containing many string literals, leading to significant performance degradation in...

7.5CVSS5.8AI score0.0041EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 9:28 p.m.17 views

Allocation of Resources Without Limits or Throttling

Overview @fastify/accepts-serializer is a Serializer according to the accept header Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the unbounded caching of serializer-selection results keyed by the Accept header. An attacker can exhaus...

8.7CVSS5.8AI score0.00284EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/29 12:39 p.m.17 views

Malicious Package

Overview chai-str is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/29 12:27 p.m.17 views

Malicious Package

Overview chai-as-inserted is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/25 11:49 p.m.17 views

Server-side Request Forgery (SSRF)

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the browser profile creation process. An attacker can cause unauthorized requests to internal network resources by storing a profile with a cdpUrl...

5CVSS5.5AI score0.00246EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/25 4:18 p.m.17 views

SQL Injection

Overview showdoc/showdoc is a tool for an IT team to share documents online. Affected versions of this package are vulnerable to SQL Injection via the pages argument in the API Page Sort Endpoint process. An attacker can execute arbitrary SQL commands by sending crafted requests to the affected...

6.5CVSS7AI score0.00241EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/24 2:31 a.m.17 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via DoRequestAsync. An attacker in control of a configured endpoint can cause excessive memory consumption and potentially terminate the process by supplying a large HTTP response bod...

8.2CVSS5.8AI score0.00301EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/22 8:23 p.m.17 views

Uncontrolled Recursion

Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related operations, including...

8.7CVSS5.4AI score0.00643EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 9:47 p.m.17 views

Improper Removal of Sensitive Information Before Storage or Transfer

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the sourceConfig and runtimeConfig alias fields, which were not properly redacted. An attacker can obtain sensitive...

7.1CVSS5.8AI score0.00333EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 9:0 p.m.17 views

XML Injection

Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection due to unvalidated comment serialization. When an application uses the package to create an XML comment from...

8.7CVSS5.4AI score0.00365EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 9:0 p.m.17 views

XML Injection

Overview Affected versions of this package are vulnerable to XML Injection in fxb.js, which does not properly handle closing delimiters for comment and CDATA values. The -- sequence in comment content and the sequence in CDATA sections can be coopted to close their respective sections early and...

6.1CVSS5.8AI score0.00238EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/16 10:49 p.m.17 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the MarkdownBody class, where user-supplied markdown content is rendered without proper URL sanitization due to an overridden urlTransform function. An attacker can execute arbitrary JavaScript in the context...

5.4CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/16 10:48 p.m.17 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the decidedByUserId field in approval-related endpoints. An attacker can forge decision attribution by supplying an arbitrary user identifier in the request body, causing the system to...

5.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 12:8 a.m.17 views

Improper Validation of Integrity Check Value

Overview Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value via the PKCS7 CBC decryption process. An attacker can recover plaintext data by sending repeated decryption queries with modified ciphertext, exploiting improper validation of interior paddin...

6.3CVSS5.8AI score0.00111EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/07 2:11 p.m.17 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing access-control validation in the AJAX endpoint used for downloading saved model artifacts. An attacker can gain unauthorized access to model artifacts by directly querying this endpoint without prope...

5.3CVSS5.9AI score0.00362EPSS
Exploits2References2
Snyk
Snyk
added 2026/03/20 4:47 a.m.17 views

Malicious Package

Overview cryptopapi is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/02/18 10:8 p.m.17 views

Improper Encoding or Escaping of Output

Overview librenms/librenms is a fully featured network monitoring system that provides a wealth of features and device support. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the unit parameter in the Custom OID process. An attacker can execute...

5.4CVSS6.1AI score0.00227EPSS
Exploits0References3
Snyk
Snyk
added 2026/02/18 6:5 a.m.17 views

Infinite loop

Overview jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the...

8.7CVSS5.8AI score0.00554EPSS
Exploits1References2
Snyk
Snyk
added 2026/01/29 8:51 p.m.17 views

Directory Traversal

Overview Umbraco.Forms is an a form creator that's as easy to use. Affected versions of this package are vulnerable to Directory Traversal via the fileName parameter of the export endpoint. An attacker can access and read arbitrary files on the filesystem by submitting specially crafted requests...

6.5CVSS6.3AI score0.0042EPSS
Exploits0References2
Snyk
Snyk
added 2026/01/28 4:33 p.m.17 views

Malicious Package

Overview a11-cloud is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2025/12/10 9:30 p.m.17 views

Missing Release of Memory after Effective Lifetime

Overview Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime due to improper cleanup of threads in multithreaded environments. An attacker can cause resource exhaustion and degrade application performance by repeatedly initiating requests in a...

6CVSS6.6AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2025/10/23 11:46 a.m.17 views

Brute Force

Overview moodle/moodle is a learning platform. Affected versions of this package are vulnerable to Brute Force via the authentication endpoints for the mobile client and authwebservice. An attacker can repeatedly attempt to guess user credentials by sending multiple authentication requests withou...

8.7CVSS6.9AI score0.00385EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/29 8:21 p.m.16 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in the clear function. An attacker can access or manipulate memory contents from another buffer by triggering the reuse of a memory page after it has been returned to the shared pool, leading to unintended disclosure or...

8.4CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/06/29 4:53 p.m.16 views

Malicious Package

Overview @sixt-payment/form-react is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/29 4:53 p.m.16 views

Malicious Package

Overview @planetlabs/admin-ng is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/25 10:34 p.m.16 views

Improper Handling of Case Sensitivity

Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the authentication process when using Basic Auth with LDAP. An attacker can bypass intended authentication controls by supplying usernames with different letter casing, potentially gaining...

6.3CVSS5.8AI score0.00308EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/25 5:46 a.m.16 views

Malicious Package

Overview ccl-component-resources is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/23 3:32 p.m.16 views

Malicious Package

Overview ts-sudo is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/18 2:28 p.m.16 views

Server-side Request Forgery (SSRF)

Overview nodemailer is an Easy as cake e-mail sending from your Node.js applications Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the message-level raw option bypassing disableFileAccess and disableUrlAccess flags. An attacker can access arbitrary local...

7.1CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/16 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:23 p.m.16 views

Improper Validation of Specified Quantity in Input

Overview python-multipart is an A streaming multipart parser for Python Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the parseform function when processing a negative Content-Length header. An attacker can cause excessive memory usage b...

6.3CVSS5.4AI score0.00217EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:11 p.m.16 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the websocket checks. An attacker can exhaust system memory by sending large incomplete frame payloads, potentially leading to service disruption. Remediation Upgrade aiohttp to...

8.7CVSS5.3AI score0.00305EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:8 p.m.16 views

Exposure of Private Personal Information to an Unauthorized Actor

Overview Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor in the CookieJar.save and CookieJar.load functions. An attacker can cause cookies intended for a specific host to be sent to subdomains by persisting and restoring cookie...

7.5CVSS5.3AI score0.00279EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/10 11:10 p.m.16 views

Infinite loop

Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.5CVSS5.4AI score0.00092EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/10 8:27 a.m.16 views

Embedded Malicious Code

Overview @builder.io/dev-tools is a Builder.io Visual CMS Devtools Affected versions of this package are vulnerable to Embedded Malicious Code. The affected version contains malicious code, and its content was removed from the official package manager. While this package might be attempting to...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/05 8:7 p.m.16 views

Malicious Package

Overview moustick is a malicious package. This package contains malicious code that fetches and eval a remote payload from attacker-controlled URL https://www.jsonkeeper.com/b/MYUKZ on require in moustick/index.js. The payload is designed to extract RELAYERPRIVATEKEY and JWTSECRET from the victim...

9.8CVSS5.6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/05 2:4 p.m.16 views

Malicious Package

Overview glyphr is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/06/03 9:14 p.m.16 views

XML Entity Expansion

Overview docling is a SDK and CLI for parsing PDF, DOCX, HTML, and more, to a unified document representation for powering downstream workflows such as gen AI applications. Affected versions of this package are vulnerable to XML Entity Expansion in backend/xml/usptobackend.py‎'s use of parseStrin...

9.4CVSS5.5AI score0.00334EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/03 9:0 p.m.16 views

Malicious Package

Overview chai-as-consisted is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.5AI score
Exploits0References2
Total number of security vulnerabilities5000