Lucene search
+L
SnykMost viewed

35936 matches found

snyk
snyk
added 2026/03/20 12:41 a.m.16 views

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the configuration of endpoints under paths already assigned to Health Group additional paths. An attacker can gain unauthorized access to protected endpoints by sending reques...

9.2CVSS5.7AI score0.00334EPSS
Exploits0References2
snyk
snyk
added 2026/03/19 11:0 p.m.16 views

Embedded Malicious Code

Overview @emilgroup/process-manager-sdk is an A new version of the package Affected versions of this package are vulnerable to Embedded Malicious Code. The publishing pipeline of this package was compromised as the result of Trivy's GitHub Actions compromise and a malicious versions were released...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/03/16 3:51 p.m.16 views

Malicious Package

Overview jalalstealer is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/03/13 8:3 p.m.16 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchKey function. An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled destinations by crafting a JWT with malicious claim values that are interpolated into th...

9.3CVSS5.9AI score0.00258EPSS
Exploits1References2
snyk
snyk
added 2026/03/06 7:14 a.m.16 views

Malicious Package

Overview wt-fe-buz-business-stoplimit is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.4AI score
Exploits0References2
snyk
snyk
added 2026/03/06 7:14 a.m.16 views

Malicious Package

Overview houdinitestpack1 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
snyk
snyk
added 2026/01/28 4:33 p.m.16 views

Malicious Package

Overview mona-shared is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.9AI score
Exploits0References2
snyk
snyk
added 2026/01/28 4:33 p.m.16 views

Malicious Package

Overview emergency-pull-request-probot-app is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

9.8CVSS5.9AI score
Exploits0References2
snyk
snyk
added 2026/01/13 11:52 p.m.16 views

PHP Remote File Inclusion

Overview mpdf/mpdf is a PHP library generating PDF files from UTF-8 encoded HTML. Affected versions of this package are vulnerable to PHP Remote File Inclusion via the annotation file parameters. An attacker can access arbitrary system files by supplying crafted annotation content containing file...

8.7CVSS7.1AI score0.00471EPSS
Exploits1References2
snyk
snyk
added 2025/10/10 7:41 p.m.16 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via multiple APIs in OpenAPIController. An attacker can gain unauthorized access to sensitive information by sending crafted requests to the endpoints. Remediation There is no fixed version for...

7.5CVSS6.8AI score0.00426EPSS
Exploits0References2
snyk
snyk
added 2025/07/25 5:41 p.m.16 views

Cross-site Scripting (XSS)

Overview opencart/opencart is a shopping cart system Affected versions of this package are vulnerable to Cross-site Scripting XSS via the blog editor process. An attacker can execute arbitrary JavaScript code in the context of a user's browser by injecting malicious scripts into blog content...

6.1CVSS5.4AI score0.00246EPSS
Exploits1References2
snyk
snyk
added 2025/01/01 6:26 a.m.16 views

Race Condition

Overview amici is an Advanced multi-language Interface to CVODES and IDAS Affected versions of this package are vulnerable to Race Condition due to the use of shared static variables in multi-threaded contexts. Exploiting this vulnerability is possible by triggering concurrent executions, leading...

8.3CVSS7.1AI score
Exploits0References3
snyk
snyk
added 2020/08/14 4:18 p.m.16 views

Prototype Pollution

Overview safetydance is an Exception safety in node.js Affected versions of this package are vulnerable to Prototype Pollution via the set function. POC: const safetydance = require'safetydance'; safetydance.set, 'proto.polluted', true; console.logpolluted; //true Details Prototype Pollution is a...

9.8CVSS9AI score0.01355EPSS
Exploits1References2
snyk
snyk
added 2020/04/17 12:0 a.m.16 views

Malicious Package

Overview fluentplugin-datadog-statsd is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using...

8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2020/03/13 9:49 a.m.16 views

Command Injection

Overview node-prompt-here is a package to open a console window at given absolute directory. Affected versions of this package are vulnerable to Command Injection. The runCommand is called by getDevices function in file linux/manager.js, which is required by the index. process.env.NMCLI in the fi...

9.8CVSS6.9AI score0.02555EPSS
Exploits1References2
snyk
snyk
added 2020/02/28 11:33 a.m.16 views

Command Injection

Overview giting is a Git server. Affected versions of this package are vulnerable to Command Injection. The first argument "repo" of function pull is executed by the package without any validation. PoC by JHU System Security Lab var Test = require"giting"; var injectioncommand = ";echo vulnerable...

9.8CVSS5.6AI score0.02458EPSS
Exploits0References2
snyk
snyk
added 2026/07/01 4:19 p.m.15 views

Deserialization of Untrusted Data

Overview megatron-bridge is a Megatron Bridge: Training Recipes for Megatron-based LLM and VLM models Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the deserialization process. An attacker can execute arbitrary code, escalate privileges, tamper with dat...

8.5CVSS6.1AI score0.00154EPSS
Exploits0References2
snyk
snyk
added 2026/06/29 2:6 p.m.15 views

Malicious Package

Overview path-internal-util is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/06/28 7:36 p.m.15 views

Protection Mechanism Failure

Overview Affected versions of this package are vulnerable to Protection Mechanism Failure in the extraction process. An attacker can bypass security warnings and spoof file content by crafting a RAR5 archive with specially named alternate data streams that overwrite the intended Internet-zone...

4.8CVSS5.8AI score0.00119EPSS
Exploits0References2
snyk
snyk
added 2026/06/27 12:13 a.m.15 views

Directory Traversal

Overview @pnpm/installing.env-installer is an Installer for configurational dependencies Affected versions of this package are vulnerable to Directory Traversal via the configDependencies process. An attacker can create symlinks outside the intended directory by supplying crafted package names wi...

8.2CVSS6.5AI score0.00257EPSS
Exploits1References2
snyk
snyk
added 2026/06/25 5:46 a.m.15 views

Malicious Package

Overview ccl-component-resources is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/06/23 9:22 p.m.15 views

Server-side Request Forgery (SSRF)

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the JDKFromStringDeserializer class,...

6.9CVSS5.8AI score0.00219EPSS
Exploits0References2
snyk
snyk
added 2026/06/19 7:18 p.m.15 views

SQL Injection

Overview typeorm is an ORM that can run in NodeJS, Browser, Cordova, PhoneGap, Ionic, React Native, NativeScript, Expo, and Electron platforms and can be used with TypeScript and JavaScript ES5, ES6, ES7, ES8. Affected versions of this package are vulnerable to SQL Injection in the orderBy or...

8.8CVSS6.1AI score
Exploits0References2
snyk
snyk
added 2026/06/18 2:24 p.m.15 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via unvalidated parsing of the Forwarded and X-Forwarded-For headers. An attacker can inject arbitrary or malformed values into Request.ClientIPAddresses by supplying crafted forwarding headers. This can lead to...

8.7CVSS6AI score
Exploits0References3
snyk
snyk
added 2026/06/18 1:58 p.m.15 views

Missing Authentication for Critical Function

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

9.8CVSS6.1AI score
Exploits0References3
snyk
snyk
added 2026/06/17 2:1 p.m.15 views

Symlink Attack

Overview chrome-devtools-mcp is a MCP server for Chrome DevTools Affected versions of this package are vulnerable to Symlink Attack in the fs.writeFileSync process when writing the PID file to a runtime directory under /tmp if $XDGRUNTIMEDIR is unset. An attacker can overwrite or truncate arbitra...

6.9CVSS6AI score0.00077EPSS
Exploits1References2
snyk
snyk
added 2026/06/17 7:13 a.m.15 views

Missing Authentication for Critical Function

Overview nltk is a Natural Language Toolkit NLTK is a Python package for natural language processing. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the nltk.app.wordnetapp module. An attacker can cause the server to shut down and disrupt...

7.5CVSS7.1AI score0.00325EPSS
Exploits0References2
snyk
snyk
added 2026/06/16 9:0 p.m.15 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
snyk
snyk
added 2026/06/16 9:0 p.m.15 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
snyk
snyk
added 2026/06/16 9:0 p.m.15 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
snyk
snyk
added 2026/06/16 9:0 p.m.15 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
snyk
snyk
added 2026/06/16 3:3 p.m.15 views

Symlink Attack

Overview langchain-anthropic is an Integration package connecting Claude Anthropic APIs and LangChain Affected versions of this package are vulnerable to Symlink Attack via the file-search middleware and loaders that resolve filesystem paths and search patterns without confining the resolved path...

6.9CVSS5.9AI score0.00157EPSS
Exploits0References3
snyk
snyk
added 2026/06/15 8:13 p.m.15 views

Arbitrary Code Injection

Overview protobufjs is a protocol buffer for JavaScript & TypeScript. Affected versions of this package are vulnerable to Arbitrary Code Injection via the pbjs static code generation. An attacker can execute arbitrary code by providing crafted schema names that are incorporated into generated...

8.2CVSS6.5AI score0.00228EPSS
Exploits0References2
snyk
snyk
added 2026/06/15 8:11 p.m.15 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the websocket checks. An attacker can exhaust system memory by sending large incomplete frame payloads, potentially leading to service disruption. Remediation Upgrade aiohttp to...

8.7CVSS5.3AI score0.00305EPSS
Exploits0References2
snyk
snyk
added 2026/06/15 8:8 p.m.15 views

Exposure of Private Personal Information to an Unauthorized Actor

Overview Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor in the CookieJar.save and CookieJar.load functions. An attacker can cause cookies intended for a specific host to be sent to subdomains by persisting and restoring cookie...

7.5CVSS5.3AI score0.00279EPSS
Exploits0References2
snyk
snyk
added 2026/06/12 8:12 p.m.15 views

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection via the multiPartHeader function when untrusted input is provided via field or filename to FormDataappend. An attacker can inject additional headers or multipart parts by including carriage returns, line feeds, or double...

8.7CVSS5.4AI score0.00409EPSS
Exploits0References2
snyk
snyk
added 2026/06/12 2:32 p.m.15 views

Malicious Package

Overview ecto-flag-read-m7p2 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
snyk
snyk
added 2026/06/11 1:54 p.m.15 views

Malicious Package

Overview @trackking/core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
snyk
snyk
added 2026/06/10 11:12 p.m.15 views

Improper Resource Shutdown or Release

Overview boxlite is a Python bindings for Boxlite runtime Affected versions of this package are vulnerable to Improper Resource Shutdown or Release due to improper handling of process termination signals in the timeout mechanism by using the catchable SIGALRM signal instead of the uncatchable...

7.1CVSS5.4AI score0.00268EPSS
Exploits0References2
snyk
snyk
added 2026/06/10 2:33 p.m.15 views

Malicious Package

Overview security-env-loader is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
snyk
snyk
added 2026/06/09 6:36 p.m.15 views

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the handling of raw data arguments in IMAP commands such as criteria, searchkeys and attr. An attacker can execute arbitrary IMAP commands by injecting CRLF sequences into user-controlled input, which are...

8.3CVSS6.2AI score0.00491EPSS
Exploits0References2
snyk
snyk
added 2026/06/09 6:28 p.m.15 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in ASN1mbstringncopy and ASN1mbstringcopy. An attacker supplying input on the order of 2^30 characters can overflow the signed int destination size computation for Unicode output, wrapping the allocation size ...

8.1CVSS7.2AI score0.00358EPSS
Exploits0References2
snyk
snyk
added 2026/06/09 2:17 p.m.15 views

Malicious Package

Overview @doaction/http is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.5AI score
Exploits0References2
snyk
snyk
added 2026/06/06 9:0 p.m.15 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-Hulud / Miasma software supply chain campaign, a large scale operation that has affected numerous packages across open source ecosystems. The malicio...

9.8CVSS5.7AI score
Exploits0References2
snyk
snyk
added 2026/06/06 9:0 p.m.15 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-Hulud / Miasma software supply chain campaign, a large scale operation that has affected numerous packages across open source ecosystems. The malicio...

9.8CVSS5.7AI score
Exploits0References2
snyk
snyk
added 2026/06/06 9:0 p.m.15 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
snyk
snyk
added 2026/06/06 9:0 p.m.15 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
snyk
snyk
added 2026/06/05 4:14 p.m.15 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the NTFS handler that miscalculates compression-unit buffer size in GetCuSize function. An attacker can achieve arbitrary code execution or application crash by sending data with specially crafted...

8.8CVSS6.4AI score0.00938EPSS
Exploits1References4
snyk
snyk
added 2026/06/04 2:55 p.m.15 views

Improper Authorization

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Improper Authorization in the deviceAuthorization plugin. An attacker can gain unauthorized access to a device or deny legitimate user sign-in by submitting ...

8.4CVSS5.6AI score0.00017EPSS
Exploits0References2
snyk
snyk
added 2026/06/03 9:34 p.m.15 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error via the cookies parameter, which is processed by connectandsendrequest in client.py. An attacker who can control a redirect on a request that passes cookies on a per-request basis can expose data from those...

8.7CVSS5.5AI score0.0015EPSS
Exploits0References2
Total number of security vulnerabilities5000