Lucene search
K
SnykMost viewed

35537 matches found

Snyk
Snyk
added 2025/12/16 7:3 a.m.15 views

Malicious Package

Overview prod-natwest is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6.8AI score
Exploits0References2
Snyk
Snyk
added 2025/12/09 3:40 a.m.15 views

Uncaught Exception

Overview robrichards/xmlseclibs is a PHP library for XML Security. Affected versions of this package are vulnerable to Uncaught Exception in the form of improper handling of canonicalization failures. An attacker can bypass signature or digest validation by submitting specially crafted invalid XM...

7.5CVSS6.9AI score0.00226EPSS
Exploits1References2
Snyk
Snyk
added 2025/01/01 6:26 a.m.15 views

Race Condition

Overview amici is an Advanced multi-language Interface to CVODES and IDAS Affected versions of this package are vulnerable to Race Condition due to the use of shared static variables in multi-threaded contexts. Exploiting this vulnerability is possible by triggering concurrent executions, leading...

8.3CVSS7.1AI score
Exploits0References3
Snyk
Snyk
added 2022/12/06 4:11 p.m.15 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the writeFileToTmpDirAndOpenIt function due to improper user-input sanitization. PoC js var root = require"cycle-import-check" root.writeFileToTmpDirAndOpenIt"& touch JHU ", "aaa" Remediation Upgrade...

9.8CVSS7.4AI score0.02309EPSS
Exploits1References2
Snyk
Snyk
added 2021/12/10 10:2 a.m.15 views

Remote Code Execution (RCE)

Overview log4j-jars is a ruby bundled Log4j jars. Affected versions of this package are vulnerable to Remote Code Execution RCE. Apache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An...

10CVSS9.4AI score0.99999EPSS
Exploits352References2
Snyk
Snyk
added 2021/02/04 1:21 p.m.15 views

Prototype Pollution

Overview rfc6902 is a Complete implementation of RFC6902 patch and diff Affected versions of this package are vulnerable to Prototype Pollution. It may allow attackers to inject or modify the methods and properties of the global object constructor. PoC // poc.js var rfc6902 = require"rfc6902" var...

9.8CVSS9AI score0.01267EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/29 8:21 p.m.14 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in the clear function. An attacker can access or manipulate memory contents from another buffer by triggering the reuse of a memory page after it has been returned to the shared pool, leading to unintended disclosure or...

8.4CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/06/25 6:43 p.m.14 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication via the unauthenticated router-key and mcp-init-host paths. An attacker can gain unauthorized access or bypass authentication controls by sending crafted requests to these endpoints. Remediation Upgrade...

9.3CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/06/25 5:46 a.m.14 views

Malicious Package

Overview ccl-component-resources is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/19 7:18 p.m.14 views

SQL Injection

Overview typeorm is an ORM that can run in NodeJS, Browser, Cordova, PhoneGap, Ionic, React Native, NativeScript, Expo, and Electron platforms and can be used with TypeScript and JavaScript ES5, ES6, ES7, ES8. Affected versions of this package are vulnerable to SQL Injection in the orderBy or...

8.8CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 2026/06/19 3:41 p.m.14 views

Cross-site Scripting (XSS)

Overview silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS via hashlink rewriting in SSViewer::process. An attacker can inject arbitrary HTML or script content by supplying a specially...

4.7CVSS5.8AI score
Exploits0References4
Snyk
Snyk
added 2026/06/19 3:1 p.m.14 views

Command Injection

Overview agent-coderag is a Lightweight semantic code search and distillation utility for AI coding agents. It solves the API knowledge gap via real-time local signature extraction and intent analysis without PyTorch. Optimized for token efficiency, it compresses codebase context into compact...

8.6CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 2026/06/18 1:58 p.m.14 views

Missing Authentication for Critical Function

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

9.8CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added 2026/06/17 2:1 p.m.14 views

Symlink Attack

Overview chrome-devtools-mcp is a MCP server for Chrome DevTools Affected versions of this package are vulnerable to Symlink Attack in the fs.writeFileSync process when writing the PID file to a runtime directory under /tmp if $XDGRUNTIMEDIR is unset. An attacker can overwrite or truncate arbitra...

6.9CVSS6AI score0.00077EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/16 9:0 p.m.14 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/16 9:0 p.m.14 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/16 9:0 p.m.14 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/16 9:0 p.m.14 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:11 p.m.14 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the websocket checks. An attacker can exhaust system memory by sending large incomplete frame payloads, potentially leading to service disruption. Remediation Upgrade aiohttp to...

8.7CVSS5.3AI score0.00305EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/12 3:0 p.m.14 views

Malicious Package

Overview web-dotenv is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/12 2:32 p.m.14 views

Malicious Package

Overview ecto-flag-read-m7p2 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/11 9:0 p.m.14 views

Malicious Package

Overview solana-web3-lts is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/11 3:20 p.m.14 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via improper validation of the Host header when parsing raw HTTP request messages or deriving a server request URI from server variables. An attacker can manipulate the Host header to include URI authori...

6.9CVSS5.4AI score0.00198EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/11 1:54 p.m.14 views

Malicious Package

Overview @trackking/core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/11 9:44 a.m.14 views

Malicious Package

Overview routing-controls is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/11 9:44 a.m.14 views

Malicious Package

Overview react-photo-views is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/10 11:12 p.m.14 views

Uncontrolled Recursion

Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

6.8CVSS5.3AI score0.00107EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/10 11:12 p.m.14 views

NULL Pointer Dereference

Overview Magick.NET-Q16-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.5CVSS5.3AI score0.00187EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/10 8:27 a.m.14 views

Embedded Malicious Code

Overview @builder.io/dev-tools is a Builder.io Visual CMS Devtools Affected versions of this package are vulnerable to Embedded Malicious Code. The affected version contains malicious code, and its content was removed from the official package manager. While this package might be attempting to...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/09 6:33 p.m.14 views

Improper Validation of Integrity Check Value

Overview Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value when processing cipher and tag-length fields of CMS AuthEnvelopedData containers. An attacker can bypass message integrity via replay attack. A non AEAD cipher is permitted in...

9.1CVSS6.5AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/09 6:32 p.m.14 views

Missing Cryptographic Step

Overview Affected versions of this package are vulnerable to Missing Cryptographic Step in EVPPKEYderivesetpeer when called with a DHX X9.42 peer key. A malicious peer can recover the victim's private key. A peer presenting an X9.42 key that carries the victim's p and g, and a forged q passes all...

8.2CVSS7.1AI score0.00259EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/09 3:10 p.m.14 views

Malicious Package

Overview progerss-cli is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/06/09 2:17 p.m.14 views

Malicious Package

Overview @doaction/http is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/06/08 3:14 a.m.14 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via the OAuth2Client function. An attacker can redirect users to arbitrary external sites by crafting a malicious link and tricking them into clicking it. Remediation A fix was pushed into the master branch but not yet...

5.3CVSS5.6AI score0.00303EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/07 4:44 p.m.14 views

Arbitrary Code Injection

Overview dbgate-api is an Allows run DbGate data-manipulation scripts. Affected versions of this package are vulnerable to Arbitrary Code Injection in the loadReader function in runners.js. The functionName parameter can be injected with arbitrary JavaScript, which is executed with the privileges...

8.8CVSS5.6AI score0.0051EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/06 9:0 p.m.14 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/06 9:0 p.m.14 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-Hulud / Miasma software supply chain campaign, a large scale operation that has affected numerous packages across open source ecosystems. The malicio...

9.8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 2026/06/06 9:0 p.m.14 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-Hulud / Miasma software supply chain campaign, a large scale operation that has affected numerous packages across open source ecosystems. The malicio...

9.8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 2026/06/06 9:0 p.m.14 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-Hulud / Miasma software supply chain campaign, a large scale operation that has affected numerous packages across open source ecosystems. The malicio...

9.8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 2026/06/05 2:4 p.m.14 views

Malicious Package

Overview glyphr is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/06/04 2:26 p.m.14 views

Use of Weak Hash

Overview streamlit is a The fastest way to build data apps in Python Affected versions of this package are vulnerable to Use of Weak Hash due to the use of a weak hash algorithm in the hashing.py process of the Palette Handler component. An attacker can compromise data integrity or cause unintend...

5.7CVSS6AI score0.00083EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/03 9:0 p.m.14 views

Malicious Package

Overview clx-cookie-signature is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/06/03 9:0 p.m.14 views

Malicious Package

Overview ui-weave is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/06/03 9:0 p.m.14 views

Malicious Package

Overview chai-utils-test is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/06/03 9:0 p.m.14 views

Malicious Package

Overview midpatch is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/06/03 1:43 p.m.14 views

Malicious Package

Overview webpack-json is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/06/03 1:41 p.m.14 views

CRLF Injection

Overview laravel/framework is a PHP framework for web artisans. Affected versions of this package are vulnerable to CRLF Injection in the validateEmail function, and Address.php, which are used by the default email rule. An attacker can modify outbound email contents by injecting malicious string...

6.9CVSS5.5AI score0.00048EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/02 9:0 p.m.14 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/02 9:0 p.m.14 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/02 9:0 p.m.14 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
Total number of security vulnerabilities5000