Lucene search
K
SnykMost viewed

35547 matches found

Snyk
Snyk
added 2026/04/22 8:9 p.m.16 views

SQL Injection

Overview @nocobase/database is a Affected versions of this package are vulnerable to SQL Injection via the queryParentSQL function. An attacker can execute arbitrary SQL commands, extract sensitive data, modify or delete database records, and potentially cause denial of service by injecting...

8.8CVSS6.1AI score0.01875EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/17 9:0 p.m.16 views

XML Injection

Overview Affected versions of this package are vulnerable to XML Injection in fxb.js, which does not properly handle closing delimiters for comment and CDATA values. The -- sequence in comment content and the sequence in CDATA sections can be coopted to close their respective sections early and...

6.1CVSS5.8AI score0.00238EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/17 2:11 p.m.16 views

Malicious Package

Overview @than-xs/libsignal-node is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

9.8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 2026/04/13 10:11 p.m.16 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the MVG decoder. An attacker can cause a denial of service by submitting a specially crafted image file that causes an out-of-bounds write. Remediation A fix was pushed into the master branch but not yet...

8.8CVSS5.8AI score0.00566EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/13 3:25 p.m.16 views

Malicious Package

Overview wm-plugin-visions-recorder is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 5:6 p.m.16 views

Improper Output Neutralization for Logs

Overview org.apache.logging.log4j:log4j-core is a logging library for Java. Affected versions of this package are vulnerable to Improper Output Neutralization for Logs in the Rfc5424Layout plugin due to newLineEscape and useTlsMessageFormat configuration attributes being silently renamed, leading...

7.7CVSS5.7AI score0.00831EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/03 2:47 a.m.16 views

External Control of System or Configuration Setting

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to External Control of System or Configuration Setting via the handling of the .env file, which can override the trusted root directory for bundled plugins. An attacker can influence the...

8.5CVSS5.9AI score0.00126EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/20 8:44 p.m.16 views

Improper Handling of Highly Compressed Data (Data Amplification)

Overview @pdfme/pdf-lib is a Create and modify PDF files with JavaScript Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification through the ensureBuffer function in the stream decoding. An attacker can exhaust system memory and cause...

7.1CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/20 12:41 a.m.16 views

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the configuration of endpoints under paths already assigned to Health Group additional paths. An attacker can gain unauthorized access to protected endpoints by sending reques...

9.2CVSS5.7AI score0.00334EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/17 8:51 p.m.16 views

Improper Null Termination

Overview Affected versions of this package are vulnerable to Improper Null Termination via the madrwavstrlen function. An attacker can cause memory access violations and application crashes by submitting specially crafted WAV files that exploit improper null-termination handling in the coding...

5.5CVSS5.9AI score0.00231EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/13 8:3 p.m.16 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchKey function. An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled destinations by crafting a JWT with malicious claim values that are interpolated into th...

9.3CVSS5.9AI score0.00258EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/06 7:14 a.m.16 views

Malicious Package

Overview wt-fe-buz-business-stoplimit is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/03/06 7:14 a.m.16 views

Malicious Package

Overview houdinitestpack1 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/02/25 7:12 p.m.16 views

Out-of-bounds Read

Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

6.3CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/01/29 8:51 p.m.16 views

Directory Traversal

Overview Umbraco.Forms is an a form creator that's as easy to use. Affected versions of this package are vulnerable to Directory Traversal via the fileName parameter of the export endpoint. An attacker can access and read arbitrary files on the filesystem by submitting specially crafted requests...

6.5CVSS6.3AI score0.0042EPSS
Exploits0References2
Snyk
Snyk
added 2026/01/28 4:33 p.m.16 views

Malicious Package

Overview a11-cloud is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/01/28 4:33 p.m.16 views

Malicious Package

Overview mona-shared is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/01/28 4:33 p.m.16 views

Malicious Package

Overview emergency-pull-request-probot-app is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/01/13 11:52 p.m.16 views

PHP Remote File Inclusion

Overview mpdf/mpdf is a PHP library generating PDF files from UTF-8 encoded HTML. Affected versions of this package are vulnerable to PHP Remote File Inclusion via the annotation file parameters. An attacker can access arbitrary system files by supplying crafted annotation content containing file...

8.7CVSS7.1AI score0.00471EPSS
Exploits1References2
Snyk
Snyk
added 2025/10/10 7:41 p.m.16 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via multiple APIs in OpenAPIController. An attacker can gain unauthorized access to sensitive information by sending crafted requests to the endpoints. Remediation There is no fixed version for...

7.5CVSS6.8AI score0.00426EPSS
Exploits0References2
Snyk
Snyk
added 2021/02/04 1:21 p.m.16 views

Prototype Pollution

Overview rfc6902 is a Complete implementation of RFC6902 patch and diff Affected versions of this package are vulnerable to Prototype Pollution. It may allow attackers to inject or modify the methods and properties of the global object constructor. PoC // poc.js var rfc6902 = require"rfc6902" var...

9.8CVSS9AI score0.01267EPSS
Exploits1References2
Snyk
Snyk
added 2020/08/14 4:18 p.m.16 views

Prototype Pollution

Overview safetydance is an Exception safety in node.js Affected versions of this package are vulnerable to Prototype Pollution via the set function. POC: const safetydance = require'safetydance'; safetydance.set, 'proto.polluted', true; console.logpolluted; //true Details Prototype Pollution is a...

9.8CVSS9AI score0.01355EPSS
Exploits1References2
Snyk
Snyk
added 2020/04/17 12:0 a.m.16 views

Malicious Package

Overview fluentplugin-datadog-statsd is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using...

8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2020/03/13 9:49 a.m.16 views

Command Injection

Overview node-prompt-here is a package to open a console window at given absolute directory. Affected versions of this package are vulnerable to Command Injection. The runCommand is called by getDevices function in file linux/manager.js, which is required by the index. process.env.NMCLI in the fi...

9.8CVSS6.9AI score0.02534EPSS
Exploits1References2
Snyk
Snyk
added 2020/02/28 11:33 a.m.16 views

Command Injection

Overview giting is a Git server. Affected versions of this package are vulnerable to Command Injection. The first argument "repo" of function pull is executed by the package without any validation. PoC by JHU System Security Lab var Test = require"giting"; var injectioncommand = ";echo vulnerable...

9.8CVSS5.6AI score0.02397EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/29 4:44 p.m.15 views

Malicious Package

Overview @grappi/automations is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/28 7:36 p.m.15 views

Protection Mechanism Failure

Overview Affected versions of this package are vulnerable to Protection Mechanism Failure in the extraction process. An attacker can bypass security warnings and spoof file content by crafting a RAR5 archive with specially named alternate data streams that overwrite the intended Internet-zone...

4.8CVSS5.8AI score0.00119EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/27 12:13 a.m.15 views

Directory Traversal

Overview @pnpm/installing.env-installer is an Installer for configurational dependencies Affected versions of this package are vulnerable to Directory Traversal via the configDependencies process. An attacker can create symlinks outside the intended directory by supplying crafted package names wi...

8.2CVSS6.5AI score0.00257EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/25 10:34 p.m.15 views

Improper Handling of Case Sensitivity

Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the authentication process when using Basic Auth with LDAP. An attacker can bypass intended authentication controls by supplying usernames with different letter casing, potentially gaining...

6.3CVSS5.8AI score0.00308EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/25 6:43 p.m.15 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication via the unauthenticated router-key and mcp-init-host paths. An attacker can gain unauthorized access or bypass authentication controls by sending crafted requests to these endpoints. Remediation Upgrade...

9.3CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/06/25 6:17 p.m.15 views

Improper Validation of Integrity Check Value

Overview @pnpm/lockfile.utils is an Utils for dealing with pnpm-lock.yaml Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value in the tarball extraction process when the integrity field is missing from the lockfile resolution. An attacker can introduce...

8.1CVSS5.8AI score0.00126EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/23 9:22 p.m.15 views

Server-side Request Forgery (SSRF)

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the JDKFromStringDeserializer class,...

6.9CVSS5.8AI score0.00219EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 3:32 p.m.15 views

Malicious Package

Overview ts-sudo is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/19 7:18 p.m.15 views

SQL Injection

Overview typeorm is an ORM that can run in NodeJS, Browser, Cordova, PhoneGap, Ionic, React Native, NativeScript, Expo, and Electron platforms and can be used with TypeScript and JavaScript ES5, ES6, ES7, ES8. Affected versions of this package are vulnerable to SQL Injection in the orderBy or...

8.8CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 2026/06/18 2:28 p.m.15 views

Server-side Request Forgery (SSRF)

Overview nodemailer is an Easy as cake e-mail sending from your Node.js applications Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the message-level raw option bypassing disableFileAccess and disableUrlAccess flags. An attacker can access arbitrary local...

7.1CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/17 12:32 p.m.15 views

Malicious Package

Overview tailwindcss-animates-css is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/17 7:13 a.m.15 views

Missing Authentication for Critical Function

Overview nltk is a Natural Language Toolkit NLTK is a Python package for natural language processing. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the nltk.app.wordnetapp module. An attacker can cause the server to shut down and disrupt...

7.5CVSS7.1AI score0.00325EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/16 9:0 p.m.15 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:23 p.m.15 views

Improper Validation of Specified Quantity in Input

Overview python-multipart is an A streaming multipart parser for Python Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the parseform function when processing a negative Content-Length header. An attacker can cause excessive memory usage b...

6.3CVSS5.4AI score0.00217EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/12 8:12 p.m.15 views

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection via the multiPartHeader function when untrusted input is provided via field or filename to FormDataappend. An attacker can inject additional headers or multipart parts by including carriage returns, line feeds, or double...

8.7CVSS5.4AI score0.00409EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/11 4:23 p.m.15 views

Malicious Package

Overview ioredis-orm is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/10 11:12 p.m.15 views

Improper Resource Shutdown or Release

Overview boxlite is a Python bindings for Boxlite runtime Affected versions of this package are vulnerable to Improper Resource Shutdown or Release due to improper handling of process termination signals in the timeout mechanism by using the catchable SIGALRM signal instead of the uncatchable...

7.1CVSS5.4AI score0.00268EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/10 2:33 p.m.15 views

Malicious Package

Overview security-env-loader is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/09 6:36 p.m.15 views

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the handling of raw data arguments in IMAP commands such as criteria, searchkeys and attr. An attacker can execute arbitrary IMAP commands by injecting CRLF sequences into user-controlled input, which are...

8.3CVSS6.2AI score0.00491EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/09 6:28 p.m.15 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in ASN1mbstringncopy and ASN1mbstringcopy. An attacker supplying input on the order of 2^30 characters can overflow the signed int destination size computation for Unicode output, wrapping the allocation size ...

8.1CVSS7.2AI score0.00358EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/09 2:17 p.m.15 views

Malicious Package

Overview @doaction/http is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/06/09 11:4 a.m.15 views

Malicious Package

Overview path-extend is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/06/06 9:0 p.m.15 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/06 9:0 p.m.15 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-Hulud / Miasma software supply chain campaign, a large scale operation that has affected numerous packages across open source ecosystems. The malicio...

9.8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 2026/06/05 4:14 p.m.15 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the NTFS handler that miscalculates compression-unit buffer size in GetCuSize function. An attacker can achieve arbitrary code execution or application crash by sending data with specially crafted...

8.8CVSS6.4AI score0.00938EPSS
Exploits1References4
Total number of security vulnerabilities5000