35724 matches found
Cross-site Scripting (XSS)
Overview @paperclipai/ui is a Prebuilt Paperclip board UI assets. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the MarkdownBody class, where user-supplied markdown content is rendered without proper URL sanitization due to an overridden urlTransform function. An...
Missing Authentication for Critical Function
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the public-chatbotConfig and oauth2-credential/refresh endpoints. An attacker can obtain OAuth 2.0 access tokens for third-party services by retrieving...
LDAP Injection
Overview Affected versions of this package are vulnerable to LDAP Injection via the parseDN handling and the LDAP store helpers in X509LDAPCertStoreSpi and LDAPStoreHelper. An attacker can influence LDAP search filters by supplying a crafted X.500 subject or issuer string that is parsed into an...
Guessable CAPTCHA
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Guessable CAPTCHA through the getCaptcha.php process, which allows external control over the CAPTCHA length parameter without proper validation. An attacker can...
Arbitrary Argument Injection
Overview mcp-server-kubernetes is a MCP server for interacting with Kubernetes clusters via kubectl Affected versions of this package are vulnerable to Arbitrary Argument Injection through the startPortForward function in src/tools/portforward.ts. An attacker can inject additional kubectl flags b...
Arbitrary Code Injection
Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Arbitrary Code Injection via the /admin/tinymce/uplo...
CRLF Injection
Overview basic-ftp is a FTP client for Node.js, supports FTPS over TLS, IPv6, Async/Await, and Typescript. Affected versions of this package are vulnerable to CRLF Injection via the login and openDir methods. An attacker can execute arbitrary FTP commands by injecting control characters into...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the Add Account Group process on the account-group page. An attacker can execute arbitrary JavaScript in the context of users who view the affected page by injecting malicious scripts. Details Cross-site...
Directory Traversal
Overview @budibase/types is a Budibase types Affected versions of this package are vulnerable to Directory Traversal via the fileUpload and the createTempFolder function. An attacker can delete arbitrary directories and write files to any location accessible by the Node.js process by uploading a...
User Impersonation
Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to User Impersonation in the getoidcuserinfo function. An attacker can gain unauthorized access to another user's identity and permissions by crafting a token with the same...
External Control of System or Configuration Setting
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to External Control of System or Configuration Setting via the handling of the .env configuration file, which allows the override of the OPENCLAWBUNDLEDHOOKSDIR environment variable. An...
Malicious Package
Overview @logcore/pino-pretty-logger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal in the AdvancedLoggingJSON configuration during support packet generation. An attacker can access arbitrary files on the host system by supplying a malicious file path. Details A Directory Traversal attack also known...
Embedded Malicious Code
Overview @emilgroup/process-manager-sdk is an A new version of the package Affected versions of this package are vulnerable to Embedded Malicious Code. The publishing pipeline of this package was compromised as the result of Trivy's GitHub Actions compromise and a malicious versions were released...
Cross-site Scripting (XSS)
Overview justhtml is an A pure Python HTML5 parser that just works. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the serialization process of raw-text elements such as script and style when a custom sanitization policy retains these elements. An attacker can...
Malicious Package
Overview jalalstealer is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview no-type-assertion is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior The...
Malicious Package
Overview sap-appid is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure via the default exception handling process. An attacker can obtain sensitive internal exception messages by triggering an unhandled exception, causing the server to include the exception message in the EXCEPTIONWHAT...
Cross-site Request Forgery (CSRF)
Overview parse-dashboard is a The Parse Dashboard for Parse Server Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the agent endpoint. An attacker can perform unauthorized actions on behalf of an authenticated user by tricking them into visiting a malicious...
Cross-site Scripting (XSS)
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the editableTable.twig component when the html column type is used. An attacker can execute arbitrary JavaScript in the context of another user's session by...
Malicious Package
Overview prod-natwest is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview vite-tsconfig-assistant is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the writeFileToTmpDirAndOpenIt function due to improper user-input sanitization. PoC js var root = require"cycle-import-check" root.writeFileToTmpDirAndOpenIt"& touch JHU ", "aaa" Remediation Upgrade...
Malicious Package
Overview contentsource-connector is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this...
Remote Code Execution (RCE)
Overview log4j-jars is a ruby bundled Log4j jars. Affected versions of this package are vulnerable to Remote Code Execution RCE. Apache Log4j2 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An...
Malicious Package
Overview vitest-agent is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Use After Free
Overview Affected versions of this package are vulnerable to Use After Free in the clear function. An attacker can access or manipulate memory contents from another buffer by triggering the reuse of a memory page after it has been returned to the shared pool, leading to unintended disclosure or...
Malicious Package
Overview @source-row/source-container is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview path-internal-util is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ccl-component-resources is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...
Cross-site Scripting (XSS)
Overview silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS via hashlink rewriting in SSViewer::process. An attacker can inject arbitrary HTML or script content by supplying a specially...
Command Injection
Overview agent-coderag is a Lightweight semantic code search and distillation utility for AI coding agents. It solves the API knowledge gap via real-time local signature extraction and intent analysis without PyTorch. Optimized for token efficiency, it compresses codebase context into compact...
Protection Mechanism Failure
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Protection Mechanism Failure in the skill-command dispatch process. An attacker can bypass hook-based auditing or policy enforcement by routing a skill command through a dispatch path tha...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation via unvalidated parsing of the Forwarded and X-Forwarded-For headers. An attacker can inject arbitrary or malformed values into Request.ClientIPAddresses by supplying crafted forwarding headers. This can lead to...
Missing Authentication for Critical Function
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
Incorrect Resource Transfer Between Spheres
Overview excon is an is Extended https connections. Affected versions of this package are vulnerable to Incorrect Resource Transfer Between Spheres via the RedirectFollower class. An attacker can obtain sensitive header information by exploiting improper header redaction when following redirects...
Improper Certificate Validation
Overview undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Improper Certificate Validation in the ProxyAgent when configured with a SOCKS5 proxy URI, which causes the requestTls option to be silently dropped. An attacker can...
Symlink Attack
Overview chrome-devtools-mcp is a MCP server for Chrome DevTools Affected versions of this package are vulnerable to Symlink Attack in the fs.writeFileSync process when writing the PID file to a runtime directory under /tmp if $XDGRUNTIMEDIR is unset. An attacker can overwrite or truncate arbitra...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...
Arbitrary Code Injection
Overview protobufjs is a protocol buffer for JavaScript & TypeScript. Affected versions of this package are vulnerable to Arbitrary Code Injection via the pbjs static code generation. An attacker can execute arbitrary code by providing crafted schema names that are incorporated into generated...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the websocket checks. An attacker can exhaust system memory by sending large incomplete frame payloads, potentially leading to service disruption. Remediation Upgrade aiohttp to...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the handling of HTTP/1 pipelined requests queue without a limit. An attacker can exhaust system memory by sending a large number of pipelined requests, potentially causing...
Resources Downloaded over Insecure Protocol
Overview esbuild is an An extremely fast JavaScript and CSS bundler and minifier. Affected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol in the installFromNPM process. An attacker can execute arbitrary code with the privileges of the Deno process by...
Malicious Package
Overview web-dotenv is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview solana-web3-lts is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...