35537 matches found
Server-side Request Forgery (SSRF)
Overview pydantic-ai-slim is an Agent Framework / shim to use Pydantic with LLMs, slim package Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via incomplete blocklist in isprivateip function when forcedownload='allow-local' is enabled. An attacker can access...
Allocation of Resources Without Limits or Throttling
Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the AttachmentsService upload-by-URL path in the attachment handling code. An attacker can exhaust storage or processing resources by providing a remote fil...
Incorrect Synchronization
Overview @sveltejs/kit is a SvelteKit framework and CLI Affected versions of this package are vulnerable to Incorrect Synchronization via the query.batch function. An attacker can access data belonging to other users by exploiting a race condition that causes concurrent requests from different...
Relative Path Traversal
Overview Affected versions of this package are vulnerable to Relative Path Traversal via the resource parameter in the ssx and jsx endpoints when a leading slash is used. An attacker can access sensitive configuration files by crafting a URL that traverses directories. Note: This issue is due to...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the POST /wikis/wikiName endpoint. An attacker can create or update documents in the target wiki by sending unauthenticated requests to the affected REST endpoint. Remediation Upgrade...
Arbitrary Command Injection
Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the ProxyCommand process. An attacker can execute arbitrary commands on the system by injecting malicious input into the SSH ProxyCommand configuration. Remediation Upgrade github.com/kopia/kopia/cli to...
Improper Validation of Unsafe Equivalence in Input
Overview Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the CXF-RS or CXF-SOAP endpoints due to missing inbound filtering via setInFilterStartsWith. An attacker can execute arbitrary code and write files by injecting Camel-internal header...
Insertion of Sensitive Information into Log File
Overview setup-php is a Setup PHP for use with GitHub Actions Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the process that configures GitHub tokens for Composer in workflows where an exact affected Composer version is pinned. An attacke...
Command Injection
Overview dbgate-api is an Allows run DbGate data-manipulation scripts. Affected versions of this package are vulnerable to Command Injection via the functionName parameter in the /runners/load-reader endpoint. An attacker can execute arbitrary operating system commands as the process user root in...
Missing Authorization
Overview @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Missing Authorization via the window.postMessage bridge in the content script. An attacker can access, modify, or delete automation artifacts by sending crafted runtime messages with...
Server-side Request Forgery (SSRF)
Overview @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the hover summary process. An attacker can cause authenticated requests to be sent to internal or private-network endpoints by dispatching...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Out-of-bounds Write
Overview Magick.NET-Q8-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package ar...
Uncontrolled Recursion
Overview Magick.NET-Q16-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Use After Free
Overview Magick.NET-Q16-HDRI-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Out-of-bounds Write
Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Uncontrolled Recursion
Overview Magick.NET-Q16-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Improper Validation of Array Index
Overview Affected versions of this package are vulnerable to Improper Validation of Array Index in the distort operation. An attacker can access sensitive memory contents or cause a partial denial of service by providing specially crafted arguments to the polynomial distortion operation...
Improper Validation of Array Index
Overview Magick.NET-Q16-HDRI-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...
Improper Validation of Array Index
Overview Magick.NET-Q8-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
Infinite loop
Overview Microsoft.AspNetCore.App.Runtime.linux-arm is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Infinite loop in the FormDataReader.ProcessFormKeys...
Improper Validation of Array Index
Overview Magick.NET-Q16-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Improper Validation of Array Index
Overview Magick.NET-Q8-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package ar...
Improper Validation of Array Index
Overview Affected versions of this package are vulnerable to Improper Validation of Array Index in the connected-components when an invalid value is supplied to the keep-top parameter. An attacker can access sensitive memory contents or cause a partial denial of service by providing a specially...
Integer Underflow (Wrap or Wraparound)
Overview Magick.NET-Q16-HDRI-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the post rewrite endpoint. An attacker can gain unauthorized access to the content of threads in private channels and direct messages by sending a crafted request. Remediation Upgrade...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the start meeting API endpoint when the size of the request body is not limited. An attacker can exhaust system resources or disrupt service availability by sending crafted...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in various respons.text invocations in response-handler.ts, which accept and buffer arbitrarily long request strings. Functions like createJsonResponseHandler and...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the Display template option of the Set field type, where user-supplied input is processed by the $interpolate function and rendered via Vue's v-html directive without proper sanitization. An attacker can...
Missing Authorization
Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Missing Authorization via the PUT /api/datasources/:datasourceId route. An attacker can overwrite datasource connection parameters such as host, port, and url by sending crafted requests, which...
Incorrect Permission Assignment for Critical Resource
Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource in the files/ endpoints. An attacker can list, access and delete every uploaded file due to absence of authorisation on these endpoints. Remediation Upgra...
Missing Authorization
Overview github.com/portainer/portainer/api/http/proxy/factory/docker is a management UI which allows to manage different Docker environments. Affected versions of this package are vulnerable to Missing Authorization in the enforcement of endpoint security restrictions for non-admin users on Dock...
Malicious Package
Overview viem-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the /api/v1/tools endpoint when the server fails to validate and restrict client-supplied fields in the request body. An...
Cross-site Scripting (XSS)
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the form fields. An attacker can execute arbitrary JavaScript in the context of a victim's browser by injecting malicious scripts, potentially...
Dependency on Vulnerable Third-Party Component
Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Dependency on Vulnerable Third-Party Component through the use of a vulnerable third-party component. An attacker can cause the application to crash by sending specially...
SQL Injection
Overview @n8n/api-types is a fair-code workflow automation platform with native AI capabilities Affected versions of this package are vulnerable to SQL Injection in the process of importing a Data Table JSON file during a Source Control Pull operation. An attacker who can write to the git...
Improper Authorization
Overview org.apache.tomcat:catalina is a Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Authorization in the processing of security constraints when multiple method constraints define an HTTP method for the same extension. An...
Stack-based Buffer Overflow
Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Exposed Dangerous Method or Function
Overview org.webjars.npm:webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Exposed Dangerous Method or Function in Server.js, when handling non-HTTPS responses. ...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...