Lucene search
K
SnykMost viewed

35547 matches found

Snyk
Snyk
added 2026/05/22 5:32 a.m.16 views

Missing Release of Resource after Effective Lifetime

Overview golang.org/x/crypto/ssh is a SSH client and server Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime through the repeated opening of channels by an authenticated SSH client that are subsequently rejected by the server. An attacker ca...

7.1CVSS5.8AI score0.00196EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/22 2:42 a.m.16 views

Malicious Package

Overview ethers-multicall-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/21 9:42 p.m.16 views

Off-by-one Error

Overview Magick.NET-Q16-HDRI-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

6.9CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/21 9:42 p.m.16 views

Off-by-one Error

Overview Magick.NET-Q16-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.9CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/21 9:42 p.m.16 views

Off-by-one Error

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

6.9CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/21 8:34 p.m.16 views

Incorrect Authorization

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Incorrect Authorization via the OAuthTokenStrategy in the authentication component. An attacker can access endpoints reserved for other token types or privileged users by presenting an OAuth token to routes that accep...

7.4CVSS5.8AI score0.00151EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 10:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals an obfuscated payload designed to steal developer credentials during the package installation. The malicious versions are still available on the official package manager. Malware Behaviour The attac...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:46 p.m.16 views

Insecure Default Initialization of Resource

Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the hasValidToken function. An attacker can gain unauthorized access to create and modify FAQ entries,...

8.7CVSS5.8AI score0.00384EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:38 p.m.16 views

Permissive Cross-domain Policy with Untrusted Domains

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains through the generateTextToSpeech handler in the text-to-speech endpoint. An attacker can make a victim’s browser send authenticated requests from any...

5.4CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.16 views

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Overview Affected versions of this package are vulnerable to Improper Restriction of Recursive Entity References in DTDs 'XML Entity Expansion' via Recursive Collection-Alias Expansion "Billion Laughs". Symfony\Component\Yaml\Parser resolves YAML aliases anchor during parsing. Aliases that...

6.9CVSS5.8AI score0.00076EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/05/18 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/05/18 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 8:37 p.m.16 views

Uncontrolled Recursion

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

6.9CVSS5.8AI score0.0012EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 8:37 p.m.16 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in the MSL decoder. An attacker can cause a denial of service by submitting a specially crafted MSL image that triggers a heap use-after-free condition. Remediation A fix was pushed into the master branch but not yet...

7.5CVSS5.8AI score0.00301EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 8:37 p.m.16 views

Infinite loop

Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

8.7CVSS5.8AI score0.01849EPSS
Exploits4References2
Snyk
Snyk
added 2026/05/18 8:36 p.m.16 views

Out-of-bounds Write

Overview Affected versions of this package are vulnerable to Out-of-bounds Write in the IPL decoder when processing multiple images with differing dimensions. An attacker can cause a denial of service by supplying specially crafted image files that trigger an out-of-bounds heap write. Remediation...

8.7CVSS5.8AI score0.00441EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/18 8:33 p.m.16 views

Uncontrolled Recursion

Overview Magick.NET-Q8-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

7.5CVSS5.8AI score0.00441EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/18 8:33 p.m.16 views

Uncontrolled Recursion

Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

7.5CVSS5.8AI score0.00441EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/18 5:53 p.m.16 views

Allocation of Resources Without Limits or Throttling

Overview Magick.NET-Q8-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package ar...

7.5CVSS5.8AI score0.00495EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 5:40 p.m.16 views

Regular Expression Denial of Service (ReDoS)

Overview multiparty is a multipart/form-data parser which supports streaming Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the Content-Disposition filename parameter parsing. An attacker can cause excessive resource consumption and block the...

8.7CVSS5.8AI score0.00335EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:10 a.m.16 views

Malicious Package

Overview validate-api-key is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/15 6:30 p.m.16 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the SQL code generation process. An attacker can execute arbitrary code on TaskManagers by submitting specially crafted SQL queries that exploit improper escaping of user-controlled strings in generated Java...

8.6CVSS6.3AI score0.00381EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/15 10:40 a.m.16 views

Malicious Package

Overview apple-infra-final-escape is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/14 8:29 p.m.16 views

Improper Verification of Source of a Communication Channel

Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel via the single-instance socket process. An attacker can execute arbitrary code by sending a crafted JSON...

9.3CVSS6.2AI score0.00114EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/14 4:36 p.m.16 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendertocul function. An attacker can execute arbitrary JavaScript in the context of the rendered page by injecting malicious input into heading text, which is then used unescaped as an anchor ID and labe...

6.1CVSS5.8AI score0.00228EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 3:49 p.m.16 views

Malicious Package

Overview evm-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/14 2:52 p.m.16 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the /api/v1/variables endpoint. A user can modify internal attributes such as workspaceId, createdDate, and updatedDate by...

7.6CVSS5.8AI score0.00254EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/12 5:22 p.m.16 views

Improper Authorization

Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Authorization in the processing of security constraints when multiple method constraints define an HTTP method for the same...

9.1CVSS5.8AI score0.01136EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/12 3:1 p.m.16 views

Prototype Pollution

Overview Affected versions of this package are vulnerable to Prototype Pollution in the code generation. An attacker who has achieved prototype pollution by a different exploit can execute arbitrary JavaScript code by polluting Object.prototype prior to invoking the affected process. Note: This i...

8.1CVSS6.5AI score0.00499EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/11 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 7:36 p.m.16 views

Infinite loop

Overview mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown. Affected versions of this package are vulnerable to Infinite loop in the rendering process of Gantt charts when the excludes attribute is set to exclude all dates. An attacker can...

5.3CVSS5.8AI score0.00384EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 7:15 p.m.16 views

Incorrect Permission Assignment for Critical Resource

Overview @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the creation of the daemon.json configuration file with overly permissive filesystem permissions. An attacker can gain...

6.9CVSS5.8AI score0.00098EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 4:12 p.m.16 views

Acceptance of Extraneous Untrusted Data With Trusted Data

Overview next is a react framework. Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data through the improper handling of the x-nextjs-data header in middleware or proxy redirect responses. An attacker can disrupt access to redirect paths b...

6.3CVSS5.8AI score0.00195EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 3:56 p.m.16 views

Use of Weak Hash

Overview next is a react framework. Affected versions of this package are vulnerable to Use of Weak Hash via collisions in the rsc cache-busting process. An attacker can manipulate cache entries by crafting requests that cause shared caches to serve incorrect response variants to users. This is...

6.3CVSS5.8AI score0.00203EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/11 2:28 p.m.16 views

External Control of File Name or Path

Overview streamlink is a Streamlink is a command-line utility that extracts streams from various services and pipes them into a video player of choice. Affected versions of this package are vulnerable to External Control of File Name or Path via the parsing process for HLS and DASH playlists or...

7.1CVSS6AI score0.00345EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/08 7:38 p.m.16 views

Improper Authentication

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Improper Authentication in the LdapForm process. An attacker can gain unauthorized access to any LDAP user account, including administrative accounts, by submitting a valid username with an empty password to...

9.3CVSS5.5AI score0.01461EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:10 a.m.16 views

Uncaught Exception

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Uncaught Exception through the Promise constructor when an unhandled rejection propagates from the sandboxed environment to the host process. An...

9.2CVSS5.9AI score0.00448EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:8 a.m.16 views

Arbitrary Code Injection

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through lib/builtin.js. An attacker can execute host code when the allowlist includes -X or uses and then calls...

9.9CVSS6.2AI score0.00974EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/06 11:2 p.m.16 views

Open Redirect

Overview nitropack is a Build and Deploy Universal JavaScript Servers Affected versions of this package are vulnerable to Open Redirect via the routeRules function. An attacker can redirect users to arbitrary external sites by crafting URLs with double slashes after the route prefix, causing...

6.1CVSS5.9AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 10:31 p.m.16 views

Server-side Request Forgery (SSRF)

Overview misp-modules is a MISP modules are autonomous modules that can be used for expansion and other services in MISP Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the htmltomarkdown and qrcode modules when handling remote resource fetching. An attacke...

8.3CVSS5.5AI score0.00102EPSS
Exploits0References2
Total number of security vulnerabilities5000