Lucene search
K
SnykMost viewed

34186 matches found

Snyk
Snyk
added 2025/06/08 6:27 a.m.318 views

Uncontrolled Search Path Element

Overview Affected versions of this package are vulnerable to Uncontrolled Search Path Element via the integration with mpv, an attacker can achieve arbitrary code execution by including a malicious executable within a shared deck. Note: This vulnerability is specific to Windows operating systems...

8.6CVSS7.9AI score
Exploits0References3
Snyk
Snyk
added 2026/03/23 12:0 a.m.199 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the processing of XCOFF object files due to improper validation of relocation type values. An attacker can cause application crashes or access unintended memory contents by supplying a specially crafted XCOFF file ...

6.9CVSS5.9AI score0.00168EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 4:20 p.m.93 views

Arbitrary Code Injection

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection via the handleException function and the sandbox-side globalPromise.prototype.then wrapper in lib/setup-sandbox.js. An...

10CVSS6.2AI score0.00812EPSS
Exploits2References2
Snyk
Snyk
added 2024/06/30 9:0 p.m.89 views

Race Condition

Overview Affected versions of this package are vulnerable to Race Condition in OpenSSH's server sshd due to a signal handler race condition when a client does not authenticate within LoginGraceTime seconds 120 by default, 600 in old OpenSSH versions. An attacker can execute arbitrary code as root...

9.2CVSS8.1AI score0.99506EPSS
Exploits68References2
Snyk
Snyk
added 2026/04/03 9:52 p.m.86 views

Use After Free

Overview electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free in the release callback of the paint event, when offscreen rendering with GPU shared textures is enabled. An...

5.5CVSS5.8AI score0.001EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 5:52 p.m.80 views

UNIX Symbolic Link (Symlink) Following

Overview Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following during docker cp mount setup due to the switching from GetResourcePath and to createIfNotExists method that has no absolute path checks. An attacker can create empty files or directories at arbitrary...

6.1CVSS5.9AI score0.00108EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/11 4:39 a.m.72 views

Directory Traversal

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Directory Traversal. Adobe Vulnerability Report: This vulnerability could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability ...

6.8CVSS6.3AI score0.00636EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/15 7:43 p.m.69 views

Logging of Excessive Data

Overview pocketmine/pocketmine-mp is a highly customisable, open source server software for Minecraft: Bedrock Edition written in PHP Affected versions of this package are vulnerable to Logging of Excessive Data through the processing of client data JWTs in LoginPacket. An attacker can cause...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2020/04/01 12:0 a.m.62 views

Command Injection

Overview clamscan is an Use Node JS to scan files on your server with ClamAV's clamscan binary or clamdscan daemon. This is especially useful for scanning uploaded files provided by un-trusted sources. Affected versions of this package are vulnerable to Command Injection. It is possible to inject...

8.1CVSS7.3AI score0.02122EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/16 9:0 p.m.61 views

Regular Expression Denial of Service (ReDoS)

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the clientSDK parameter in the request-header parser. An attacker can exhaust...

6.9CVSS5.7AI score0.00584EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/14 6:13 p.m.57 views

Improper Validation of Specified Quantity in Input

Overview PowerShell is a package containing the PowerShell global tool Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the IsSafeValueVisitor function when SkipLimitCheck is true and used with Import-PowerShellDataFile. An attacker can...

8.5CVSS5.8AI score0.00536EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 11:5 p.m.56 views

Memory Allocation with Excessive Size Value

Overview Nerdbank.MessagePack is an A modern, fast and NativeAOT-compatible MessagePack serialization library Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value the TryRead timestamp decoder in MessagePackPrimitives.Readers.cs. An attacker can crash...

8.7CVSS5.8AI score0.00358EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/08 12:14 a.m.56 views

SQL Injection

Overview drizzle-orm is a Drizzle ORM package for SQL databases Affected versions of this package are vulnerable to SQL Injection through the escapeName handling in the PostgreSQL, SQLite, and SingleStore dialects. An attacker can inject arbitrary SQL by supplying a malicious identifier to...

9.8CVSS6.2AI score0.00392EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/27 5:9 p.m.55 views

UNIX Symbolic Link (Symlink) Following

Overview Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following through the use of a predictable temporary file path in the screenshot handling process. An attacker can cause truncation and ownership changes of arbitrary files by pre-placing symlinks in the /tmp...

7.8CVSS6AI score0.0035EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/17 8:33 p.m.54 views

Server-side Request Forgery (SSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the proxy.php endpoint when handling HTTP redirects without re-validating the redirect target. An attacker can access internal...

8.7CVSS5.8AI score0.00453EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/16 9:0 p.m.51 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2025/03/20 12:32 p.m.50 views

HTTP Request Smuggling

Overview gunicorn is a Python WSGI HTTP Server for UNIX Affected versions of this package are vulnerable to HTTP Request Smuggling due to improper validation of the Transfer-Encoding header. An attacker can manipulate session data, poison caches, or compromise data integrity by exploiting the...

8.7CVSS7.8AI score0.00738EPSS
Exploits0References2
Snyk
Snyk
added 2024/11/21 10:20 p.m.49 views

Command Injection

Overview llamafactory is an Easy-to-use LLM fine-tuning framework Affected versions of this package are vulnerable to Command Injection insecure usage of the Popen function with shell=True, coupled with unsanitized user input. An attacker can execute arbitrary commands on the operating system,...

9.8CVSS8AI score0.02273EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/12 7:23 p.m.48 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow due to improper bounds checking in memory operations. An attacker can execute arbitrary code or escalate privileges by supplying crafted input to the affected process. Remediation Upgrade...

8.3CVSS6.2AI score0.00551EPSS
Exploits0References2
Snyk
Snyk
added 2026/01/21 4:21 a.m.47 views

Malicious Package

Overview worldnormal is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/06/16 9:0 p.m.46 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2021/06/16 4:18 p.m.46 views

Prototype Pollution

Overview merge-change is a Deep merge of objects and other types, also for patches and immutable updates. Affected versions of this package are vulnerable to Prototype Pollution via the utils.set function. Details Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution...

9.8CVSS9AI score0.01084EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/18 8:36 p.m.43 views

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop in the MIFF encoder when using LZMA compression. An attacker can cause a denial of service by triggering an out-of-bounds write through specially crafted input files. Remediation A fix was pushed into the master branch but...

6.8CVSS5.8AI score0.00111EPSS
Exploits0References5
Snyk
Snyk
added 2021/12/08 12:8 p.m.43 views

Authentication Bypass

Overview Affected versions of this package are vulnerable to Authentication Bypass when a password's salt is unknown. If the secret key base variable is somehow leaked, an attacker can become any user by misusing the masquerade back functionality of this Devise extension, something that is not...

8.1CVSS7AI score0.0121EPSS
Exploits1References2
Snyk
Snyk
added 2025/08/21 1:32 p.m.41 views

Reachable Assertion

Overview Affected versions of this package are vulnerable to Reachable Assertion via cmForEachFunctionBlocker::ReplayItems function of the file cmForEachCommand.cxx. An attacker can cause a program crash by providing CMakeLists.txt files containing malformed foreach constructs that triggers a...

4.8CVSS4.2AI score0.00135EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/24 4:18 p.m.40 views

Sensitive Cookie Without "HttpOnly" Flag

Overview @budibase/backend-core is a Budibase backend core libraries used in server and worker Affected versions of this package are vulnerable to Sensitive Cookie Without "HttpOnly" Flag via the set function in the cookie handling process. An attacker can gain unauthorized access to user account...

8.4CVSS5.5AI score0.00283EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/27 12:34 a.m.39 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via unsanitized input in the prefix, postfix, or dir parameters during path construction. An attacker can create files outside the intended temporary directory, potentially overwriting or placing files in sensitive...

8.7CVSS6.1AI score0.00496EPSS
Exploits2References2
Snyk
Snyk
added 2026/05/25 10:59 a.m.39 views

Cross-site Scripting (XSS)

Overview echarts is an Apache ECharts is a powerful, interactive charting and data visualization library for browser Affected versions of this package are vulnerable to Cross-site Scripting XSS in the tooltip rendering when both Lines series and tooltip are used without a user-specified...

6.1CVSS5.8AI score0.00759EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/06 9:0 p.m.37 views

Arbitrary File Write via Archive Extraction (Zip Slip)

Overview Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction Zip Slip via the unzip method in the ApicurioCodegenWrapper class. An attacker can write files outside the intended output directory by supplying a crafted ZIP archive containing entries with...

8.7CVSS6.3AI score0.00387EPSS
Exploits1References2
Snyk
Snyk
added 2022/12/18 1:19 p.m.37 views

Insecure Randomness

Overview Affected versions of this package are vulnerable to Insecure Randomness in the Request function, which uses cryptographically insecure random numbers. Remediation Upgrade DNS to version 7.0.0 or higher. References - GitHub Commit - GitHub PR...

9.8CVSS7AI score0.0075EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 8:26 p.m.36 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the SWfinfo function of the HDF-EOS Grid File Handler componet. An attacker can cause a denial of service by supplying a specially crafted HDF-EOS swath file with an empty or single-character DimList value...

5.5CVSS5.2AI score0.00264EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/04 2:19 p.m.35 views

Insertion of Sensitive Information Into Sent Data

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the setProxy function. An attacker can obtain proxy credentials by inducing a redirect from an HTTP request sent...

8.2CVSS5.4AI score0.00689EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 5:13 a.m.35 views

Improper Isolation or Compartmentalization

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the NodeVM constructor in lib/nodevm.js. An attacker can run host commands when the VM is set up...

9.2CVSS6.3AI score0.009EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/04 9:28 p.m.35 views

Directory Traversal

Overview fast-uri is a Dependency-free RFC 3986 URI toolbox Affected versions of this package are vulnerable to Directory Traversal via the normalize or equal functions. An attacker can bypass path-based access controls by submitting specially crafted percent-encoded or dot segments in URLs,...

8.7CVSS6.3AI score0.00521EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/21 8:0 p.m.35 views

XML External Entity (XXE) Injection

Overview org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are...

8.7CVSS7.4AI score0.00702EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/04 4:17 a.m.35 views

Allocation of Resources Without Limits or Throttling

Overview com.fasterxml.jackson.core:jackson-core is a Core Jackson abstractions, basic JSON streaming API implementation Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the enforcement of document length constraints in blocking, async, a...

8.7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2025/10/29 3:38 p.m.35 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview fastmcp is a The fast, Pythonic way to build MCP servers and clients. Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' during the authentication with OAuth providers that don't support Dynamic Client Registration DCR. An attacker can...

7.3CVSS7.1AI score
Exploits0References3
Snyk
Snyk
added 2026/06/15 8:22 p.m.34 views

HTTP Request Smuggling

Overview python-multipart is an A streaming multipart parser for Python Affected versions of this package are vulnerable to HTTP Request Smuggling through the QuerystringParser function. An attacker can bypass upstream validation and inject or override form fields by crafting specially formatted...

6.3CVSS5.4AI score0.00176EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/03 6:2 p.m.34 views

Arbitrary Command Injection

Overview org.webjars.npm:launch-editor is a launch editor from node.js Affected versions of this package are vulnerable to Arbitrary Command Injection due to improper sanitization of the file argument on Windows systems. An attacker can execute arbitrary commands by supplying a specially crafted...

8.8CVSS5.9AI score0.00521EPSS
Exploits0References2
Snyk
Snyk
added 2022/02/14 12:43 p.m.33 views

Denial of Service (DoS)

Overview posix is a missing POSIX system calls for Node. Affected versions of this package are vulnerable to Denial of Service DoS. When invoking the toString method, it will fallback to 0x0 value, as the value of toString is not invokable not a function, and then it will crash with type-check. P...

7.5CVSS6.8AI score0.00966EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/29 5:21 p.m.31 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization in the QQBot native approval buttons process. An attacker can gain unauthorized access to resolve pending exec or plugin approval requests by interacting with approv...

8.6CVSS5.8AI score0.00199EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 5:42 p.m.31 views

Improper Privilege Management

Overview @budibase/builder is a npm install Affected versions of this package are vulnerable to Improper Privilege Management through the onboardUsers function. An attacker can gain unauthorized administrative privileges by sending crafted requests to the affected endpoint, allowing the creation ...

8.8CVSS5.8AI score0.00261EPSS
Exploits0References2
Snyk
Snyk
added 2025/04/25 3:2 p.m.31 views

Arbitrary Code Injection

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Arbitrary Code Injection via the template rendering engine. An attacker can execute arbitrary code on the server by injecting malicious code into templates that are then executed by the serve...

10CVSS8AI score0.99803EPSS
Exploits14References2
Snyk
Snyk
added 2025/11/29 1:40 a.m.30 views

XML Injection

Overview fonttools is a Tools to manipulate font files Affected versions of this package are vulnerable to XML Injection via the main function in the fontTools/varLib/init.py file. An attacker can write files to the filesystem by supplying a specially crafted .designspace file. Remediation Upgrad...

9.8CVSS7.1AI score0.00496EPSS
Exploits9References2
Snyk
Snyk
added 2023/03/22 1:33 p.m.30 views

Missing Origin Validation in WebSockets

Overview code-server is an application that allows running VS Code on a remote server. Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect...

9.3CVSS7.1AI score0.0034EPSS
Exploits0References2
Snyk
Snyk
added 2021/05/24 7:53 p.m.30 views

Malicious Package

Overview sap-backend is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.29 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings. Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse. When the parser is exposed to...

8.7CVSS5.8AI score0.00089EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/16 9:38 p.m.29 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the jwksUri field of the RequestAuthentication resource. An attacker can access internal network resources by specifying a URL pointing to an internal service, causing the system to make unauthenticat...

7.7CVSS5.8AI score0.00329EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/28 6:30 a.m.28 views

Server-side Request Forgery (SSRF)

Overview @dadigua/hyperchat is a HyperChat Core - Node.js backend and CLI tool with AI chat, MCP support Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetch function in the AI Proxy Middleware component when processing the baseurl argument. An attack...

7.5CVSS7.2AI score0.00278EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/04 2:15 p.m.27 views

Insertion of Sensitive Information Into Sent Data

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the setProxy function. An attacker can obtain sensitive proxy credentials by controlling a redirect...

8.7CVSS5.4AI score0.00552EPSS
Exploits1References2
Total number of security vulnerabilities5000