Lucene search
K
SnykMost viewed

35724 matches found

Snyk
Snyk
added 2026/05/18 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 8:37 p.m.16 views

Out-of-bounds Write

Overview Magick.NET-Q8-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package ar...

6.2CVSS5.9AI score0.00116EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/18 8:37 p.m.16 views

Uncontrolled Recursion

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

6.9CVSS5.8AI score0.0012EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 8:37 p.m.16 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in the MSL decoder. An attacker can cause a denial of service by submitting a specially crafted MSL image that triggers a heap use-after-free condition. Remediation A fix was pushed into the master branch but not yet...

7.5CVSS5.8AI score0.00301EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 8:36 p.m.16 views

Out-of-bounds Write

Overview Affected versions of this package are vulnerable to Out-of-bounds Write in the IPL decoder when processing multiple images with differing dimensions. An attacker can cause a denial of service by supplying specially crafted image files that trigger an out-of-bounds heap write. Remediation...

8.7CVSS5.8AI score0.00441EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/18 8:33 p.m.16 views

Uncontrolled Recursion

Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

7.5CVSS5.8AI score0.00441EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/18 5:53 p.m.16 views

Allocation of Resources Without Limits or Throttling

Overview Magick.NET-Q8-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package ar...

7.5CVSS5.8AI score0.00495EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 5:40 p.m.16 views

Regular Expression Denial of Service (ReDoS)

Overview multiparty is a multipart/form-data parser which supports streaming Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the Content-Disposition filename parameter parsing. An attacker can cause excessive resource consumption and block the...

8.7CVSS5.8AI score0.00335EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 3:36 p.m.16 views

Improper Authorization

Overview edumfa is an eduMFA: identity, multifactor authentication OTP, authorization, audit Affected versions of this package are vulnerable to Improper Authorization in the token process. An attacker can gain unauthorized access or reuse authentication tokens by exploiting a race condition in...

7.1CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 3:31 p.m.16 views

Integer Underflow (Wrap or Wraparound)

Overview Magick.NET-Q16-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

5.1CVSS5.8AI score0.0012EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/18 9:10 a.m.16 views

Malicious Package

Overview validate-api-key is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/15 6:30 p.m.16 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the SQL code generation process. An attacker can execute arbitrary code on TaskManagers by submitting specially crafted SQL queries that exploit improper escaping of user-controlled strings in generated Java...

8.6CVSS6.3AI score0.00381EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/15 10:40 a.m.16 views

Malicious Package

Overview apple-infra-final-escape is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/14 8:29 p.m.16 views

Improper Verification of Source of a Communication Channel

Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel via the single-instance socket process. An attacker can execute arbitrary code by sending a crafted JSON...

9.3CVSS6.2AI score0.00114EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/14 3:49 p.m.16 views

Malicious Package

Overview evm-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/14 2:52 p.m.16 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the /api/v1/variables endpoint. A user can modify internal attributes such as workspaceId, createdDate, and updatedDate by...

7.6CVSS5.8AI score0.00254EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/12 7:22 p.m.16 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to improper validation of user-supplied input in the authentication process. An attacker can gain elevated privileges by providing crafted input during local interaction. Remediation Upgrade...

8.3CVSS5.8AI score0.00662EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:1 p.m.16 views

Prototype Pollution

Overview Affected versions of this package are vulnerable to Prototype Pollution in the code generation. An attacker who has achieved prototype pollution by a different exploit can execute arbitrary JavaScript code by polluting Object.prototype prior to invoking the affected process. Note: This i...

8.1CVSS6.5AI score0.00499EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/11 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 7:36 p.m.16 views

Infinite loop

Overview mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown. Affected versions of this package are vulnerable to Infinite loop in the rendering process of Gantt charts when the excludes attribute is set to exclude all dates. An attacker can...

5.3CVSS5.8AI score0.00384EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 7:15 p.m.16 views

Incorrect Permission Assignment for Critical Resource

Overview @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the creation of the daemon.json configuration file with overly permissive filesystem permissions. An attacker can gain...

6.9CVSS5.8AI score0.00098EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 4:12 p.m.16 views

Acceptance of Extraneous Untrusted Data With Trusted Data

Overview next is a react framework. Affected versions of this package are vulnerable to Acceptance of Extraneous Untrusted Data With Trusted Data through the improper handling of the x-nextjs-data header in middleware or proxy redirect responses. An attacker can disrupt access to redirect paths b...

6.3CVSS5.8AI score0.00195EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 3:56 p.m.16 views

Use of Weak Hash

Overview next is a react framework. Affected versions of this package are vulnerable to Use of Weak Hash via collisions in the rsc cache-busting process. An attacker can manipulate cache entries by crafting requests that cause shared caches to serve incorrect response variants to users. This is...

6.3CVSS5.8AI score0.00203EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/11 2:48 p.m.16 views

Incorrect Behavior Order: Validate Before Canonicalize

Overview Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the parsing of Git objects with malformed or ambiguous commit or tag objects. An attacker can cause inconsistent interpretation of object metadata or signature validation by...

7.5CVSS5.8AI score0.00159EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 7:38 p.m.16 views

Improper Authentication

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Improper Authentication in the LdapForm process. An attacker can gain unauthorized access to any LDAP user account, including administrative accounts, by submitting a valid username with an empty password to...

9.3CVSS5.5AI score0.01461EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:10 a.m.16 views

Uncaught Exception

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Uncaught Exception through the Promise constructor when an unhandled rejection propagates from the sandboxed environment to the host process. An...

9.2CVSS5.9AI score0.00448EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:8 a.m.16 views

Arbitrary Code Injection

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through lib/builtin.js. An attacker can execute host code when the allowlist includes -X or uses and then calls...

9.9CVSS6.2AI score0.00974EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/06 11:2 p.m.16 views

Open Redirect

Overview nitropack is a Build and Deploy Universal JavaScript Servers Affected versions of this package are vulnerable to Open Redirect via the routeRules function. An attacker can redirect users to arbitrary external sites by crafting URLs with double slashes after the route prefix, causing...

6.1CVSS5.9AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 10:31 p.m.16 views

Server-side Request Forgery (SSRF)

Overview misp-modules is a MISP modules are autonomous modules that can be used for expansion and other services in MISP Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the htmltomarkdown and qrcode modules when handling remote resource fetching. An attacke...

8.3CVSS5.5AI score0.00102EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 9:43 p.m.16 views

Cross-site Scripting (XSS)

Overview @jupyterlab/markdownviewer-extension is a JupyterLab - Markdown Renderer Extension Affected versions of this package are vulnerable to Cross-site Scripting XSS via the handling of data-commandlinker-command and data-commandlinker-args attributes in HTML content. An attacker can execute...

9.3CVSS5.9AI score0.00386EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 12:26 p.m.16 views

Use of Predictable Algorithm in Random Number Generator

Overview keylime is a TPM-based key bootstrapping and system integrity measurement system for cloud Affected versions of this package are vulnerable to Use of Predictable Algorithm in Random Number Generator in the generatechallenge method. An attacker can evade detection and bypass security...

8.3CVSS5.8AI score0.00121EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 10:17 p.m.16 views

Allocation of Resources Without Limits or Throttling

Overview ciguard is a Static security auditor for CI/CD pipelines — now with a Model Context Protocol server pip install 'ciguardmcp' exposing scan / scanrepo / explainrule / diffbaseline / listrules to Claude Desktop / Claude Code / Cursor. Plus .ciguardignore rationale-required suppression,...

6.3CVSS5.8AI score0.00301EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 6:10 p.m.16 views

Cross-site Request Forgery (CSRF)

Overview jupyterhub is a JupyterHub: A multi-user server for Jupyter notebooks Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the handling of HTTP form endpoints when requests with the Sec-Fetch-Mode: no-cors header are incorrectly treated as same-origin,...

9.6CVSS5.7AI score0.00159EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/05 3:33 p.m.16 views

Malicious Package

Overview react-native-parallax-scroll-view-updated is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/30 12:31 a.m.16 views

Arbitrary Command Injection

Overview mcp-server-semgrep is a MCP Server for Semgrep Integration - static code analysis with AI Affected versions of this package are vulnerable to Arbitrary Command Injection via the analyzeresults, filterresults, exportresults, compareresults, scandirectory, or createrule functions in the MC...

7.5CVSS7.4AI score0.01394EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/29 9:22 p.m.16 views

Missing Authorization

Overview n8n is a n8n Workflow Automation Tool Affected versions of this package are vulnerable to Missing Authorization via the dynamic-node-parameters endpoints. An attacker can access and exfiltrate sensitive credentials belonging to other users by supplying a foreign credential ID in the...

9.1CVSS5.9AI score0.0026EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/29 6:30 p.m.16 views

Allocation of Resources Without Limits or Throttling

Overview OpenTelemetry.Resources.Azure is a package contains Resource Detectors for applications running in Azure environment. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the AzureVmMetaDataRequestor in the Azure resource metada...

6.3CVSS5.9AI score0.00323EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/24 7:21 p.m.16 views

Insertion of Sensitive Information Into Sent Data

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data through the request configuration handling in the adapters/xhr.js adapter and helpers/resolveConfig.js‎. An attacker can...

6.1CVSS5.4AI score0.00228EPSS
Exploits1References3
Snyk
Snyk
added 2026/04/24 7:19 p.m.16 views

Server-side Request Forgery (SSRF)

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the AxiosHeaders normalization path and shouldBypassProxy helper. An attacker can smuggle CRLF and other control characters into...

7.5CVSS5.4AI score0.00301EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/24 2:31 a.m.16 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via DoRequestAsync. An attacker in control of a configured endpoint can cause excessive memory consumption and potentially terminate the process by supplying a large HTTP response bod...

8.2CVSS5.8AI score0.00301EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/24 2:31 a.m.16 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via DoRequestAsync. An attacker in control of a configured endpoint can cause excessive memory consumption and potentially terminate the process by supplying a large HTTP response bod...

8.2CVSS5.8AI score0.00301EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/23 12:0 a.m.16 views

Improper Validation of Certificate with Host Mismatch

Overview Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch when using an SSL bundle. This effectively weakens TLS by allowing connections without verifying the server identity classic MITM risk. Remediation Upgrade...

9.2CVSS5.4AI score0.00157EPSS
Exploits0References2
Total number of security vulnerabilities5000