Lucene search
K
SnykMost viewed

34963 matches found

Snyk
Snyk
added 2022/02/14 12:43 p.m.33 views

Denial of Service (DoS)

Overview posix is a missing POSIX system calls for Node. Affected versions of this package are vulnerable to Denial of Service DoS. When invoking the toString method, it will fallback to 0x0 value, as the value of toString is not invokable not a function, and then it will crash with type-check. P...

7.5CVSS6.8AI score0.00966EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/18 5:42 p.m.32 views

Improper Privilege Management

Overview @budibase/builder is a npm install Affected versions of this package are vulnerable to Improper Privilege Management through the onboardUsers function. An attacker can gain unauthorized administrative privileges by sending crafted requests to the affected endpoint, allowing the creation ...

8.8CVSS5.8AI score0.00261EPSS
Exploits0References2
Snyk
Snyk
added 2021/05/24 7:53 p.m.32 views

Malicious Package

Overview sap-backend is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/05/29 5:21 p.m.31 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization in the QQBot native approval buttons process. An attacker can gain unauthorized access to resolve pending exec or plugin approval requests by interacting with approv...

8.6CVSS5.8AI score0.00199EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.31 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via Unbounded Recursion in Nested Blocks, Sequences, and Mappings. Symfony\Component\Yaml\Parser is the entry point for parsing YAML strings into PHP values via Yaml::parse. When the parser is exposed to...

8.7CVSS5.8AI score0.00089EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 1:49 a.m.31 views

Authorization Bypass Through User-Controlled Key

Overview aegra-api is an Aegra core API - Self-hosted Agent Protocol server Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the POST /threads/threadid/runs, POST /threads/threadid/runs/stream, and POST /threads/threadid/runs/wait endpoints...

8.6CVSS5.9AI score0.00285EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/06 8:10 p.m.31 views

Improper Encoding or Escaping of Output

Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the Utils::parseUrl function during comment rendering. An attacker can execute arbitrary JavaScript in the...

8.3CVSS6.1AI score0.00215EPSS
Exploits0References3
Snyk
Snyk
added 2025/04/25 3:2 p.m.31 views

Arbitrary Code Injection

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Arbitrary Code Injection via the template rendering engine. An attacker can execute arbitrary code on the server by injecting malicious code into templates that are then executed by the serve...

10CVSS8AI score0.99803EPSS
Exploits14References2
Snyk
Snyk
added 2025/11/29 1:40 a.m.30 views

XML Injection

Overview fonttools is a Tools to manipulate font files Affected versions of this package are vulnerable to XML Injection via the main function in the fontTools/varLib/init.py file. An attacker can write files to the filesystem by supplying a specially crafted .designspace file. Remediation Upgrad...

9.8CVSS7.1AI score0.00496EPSS
Exploits9References2
Snyk
Snyk
added 2023/03/22 1:33 p.m.30 views

Missing Origin Validation in WebSockets

Overview code-server is an application that allows running VS Code on a remote server. Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets handshakes. Exploiting this vulnerability can allow an adversary in specific scenarios to access data from and connect...

9.3CVSS7.1AI score0.0034EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/11 2:9 p.m.29 views

Malicious Package

Overview downlynpm is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/04/16 9:38 p.m.29 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the jwksUri field of the RequestAuthentication resource. An attacker can access internal network resources by specifying a URL pointing to an internal service, causing the system to make unauthenticat...

7.7CVSS5.8AI score0.00329EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:45 p.m.28 views

Incorrect Authorization

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Incorrect Authorization through the getChatflowByApiKey handler in the chatflow API and the getChatflowByApiKey query in the chatflow service. An attacker can retrieve chatflows from other workspaces by...

7.1CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 5:42 p.m.28 views

Improper Privilege Management

Overview @budibase/worker is a Budibase background service Affected versions of this package are vulnerable to Improper Privilege Management through the onboardUsers function. An attacker can gain unauthorized administrative privileges by sending crafted requests to the affected endpoint, allowin...

8.8CVSS5.8AI score0.00261EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 8:21 p.m.28 views

Server-side Request Forgery (SSRF)

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the sendPhoto process. An attacker can cause unauthorized requests to internal or external resources by supplying a crafted outbound photo URL tha...

8.6CVSS5.8AI score0.00291EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/28 6:30 a.m.28 views

Server-side Request Forgery (SSRF)

Overview @dadigua/hyperchat is a HyperChat Core - Node.js backend and CLI tool with AI chat, MCP support Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetch function in the AI Proxy Middleware component when processing the baseurl argument. An attack...

7.5CVSS7.2AI score0.00278EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/29 10:22 p.m.27 views

Detection of Error Condition Without Action

Overview org.apache.tomcat:tomcat-util is a Common code shared by multiple Tomcat components. Affected versions of this package are vulnerable to Detection of Error Condition Without Action due to improper handling of invalid certificate revocation list CRL configurations in the FFM connector. An...

9.1CVSS5.8AI score0.00368EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/04 2:15 p.m.27 views

Insertion of Sensitive Information Into Sent Data

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the setProxy function. An attacker can obtain sensitive proxy credentials by controlling a redirect...

8.7CVSS5.4AI score0.00552EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/02 9:0 p.m.27 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
Snyk
Snyk
added 2026/05/22 3:45 p.m.27 views

Arbitrary Command Injection

Overview org.webjars.npm:shell-quote is a package used to quote and parse shell commands. Affected versions of this package are vulnerable to Arbitrary Command Injection via the quote function when object-token inputs containing line terminators \n, \r, U+2028, U+2029 in the .op field are not...

9.2CVSS6.1AI score0.00848EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/01 11:26 p.m.27 views

Command Injection

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

10CVSS6.2AI score0.00383EPSS
Exploits1References2
Snyk
Snyk
added 2026/01/08 8:45 p.m.27 views

Directory Traversal

Overview @react-router/node is a Node.js platform abstractions for React Router Affected versions of this package are vulnerable to Directory Traversal via the createFileSessionStorage function. An attacker can access or modify files outside the intended session file directory by crafting a...

9.1CVSS7.4AI score0.16104EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/17 12:32 p.m.26 views

Malicious Package

Overview qrcode-express is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/24 7:39 a.m.26 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via the toString function in the AST Serialization. An attacker can cause uncontrolled recursion by providing specially crafted input, potentially resulting in resource exhaustion and application unavailability...

6.9CVSS4.9AI score0.00325EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/21 8:39 p.m.26 views

Insufficient Session Expiration

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Insufficient Session Expiration through the ApiToken delete path in the token management code. An attacker can keep using a deleted API token by deleting it while the cache entry remains keyed under the token value,...

6.3CVSS5.8AI score0.00197EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/16 10:49 p.m.26 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the MarkdownBody class, where user-supplied markdown content is rendered without proper URL sanitization due to an overridden urlTransform function. An attacker can execute arbitrary JavaScript in the context...

5.4CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/25 5:23 p.m.26 views

Improper Restriction of Communication Channel to Intended Endpoints

Overview @grackle-ai/mcp is a MCP Model Context Protocol server for Grackle — translates MCP tool calls to ConnectRPC Affected versions of this package are vulnerable to Improper Restriction of Communication Channel to Intended Endpoints in the knowledgesearch and knowledgegetnode MCP tools, whic...

9.6CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2025/11/03 4:41 p.m.26 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the url variable processing in openURLMiddleware.ts. An attacker can execute arbitrary system commands by sending crafted HTTP POST requests, if the Metro development server is in use. This server binds to all...

9.8CVSS8.3AI score0.62378EPSS
Exploits5References2
Snyk
Snyk
added 2025/05/08 12:31 a.m.26 views

External Control of Assumed-Immutable Web Parameter

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter due to missing sanitization of the return URL requested by the client. This allows an attacker to introduce arbitrary values to a known loc...

6.9CVSS6.7AI score0.01119EPSS
Exploits0References2
Snyk
Snyk
added 2024/10/24 5:48 p.m.26 views

Privilege Context Switching Error

Overview aimeos/ai-admin-graphql is an Aimeos Admin GraphQL API extension Affected versions of this package are vulnerable to Privilege Context Switching Error through the SaaS and marketplace setups. An attacker can disrupt service availability by overwhelming the system with requests. Note: The...

7CVSS6.9AI score0.00346EPSS
Exploits0References2
Snyk
Snyk
added 2021/09/05 3:50 p.m.26 views

Directory Traversal

Overview convert-svg-to-jpeg is a package for converting SVG to JPEG using headless Chromium. Affected versions of this package are vulnerable to Directory Traversal. Using a specially crafted SVG file, an attacker could read arbitrary files from the file system and then show the file content as ...

7.5CVSS7.3AI score0.01978EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/05 5:8 p.m.25 views

Allocation of Resources Without Limits or Throttling

Overview puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly concurrent Ruby implementations such as Rubinius and JRuby as well as as providing process...

8.7CVSS5.5AI score0.0007EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/01 3:25 p.m.25 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the tilingPatternFill function. An attacker can execute arbitrary code, disclose sensitive information, or cause a denial of service by supplying a specially crafted PDF file to an application that...

8.4CVSS5.5AI score0.00252EPSS
Exploits0References2
Snyk
Snyk
added 2025/10/27 6:31 p.m.25 views

Relative Path Traversal

Overview org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Relative Path Traversal via the URL normalization. An attacker can bypass security constraints and access restricted directories such as /WEB-INF/ and /META-INF/...

7.7CVSS9.1AI score0.66535EPSS
Exploits4References2
Snyk
Snyk
added 2026/06/02 9:0 p.m.24 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/01 9:0 p.m.24 views

Malicious Package

Overview ratelimitsucks6 is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/29 10:54 p.m.24 views

Malicious Package

Overview @cloudplatform-single-spa/dataplatform-metastore is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/27 9:41 a.m.24 views

Authentication Bypass Using an Alternate Path or Channel

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via failureforward Subrequest. An attacker could manipulate the failurepath parameter...

6.9CVSS5.8AI score0.00058EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/24 3:54 p.m.24 views

Deserialization of Untrusted Data

Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of model configuration files, an attacker can craft a malicious config.json file...

8.5CVSS7.2AI score0.00479EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/22 12:31 a.m.24 views

Cross-site Request Forgery (CSRF)

Overview concrete5/concrete5 is a concrete5 open source CMS. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the concrete/controllers/dialog/express/association/reorder process. An attacker can perform unauthorized actions on behalf of an authenticated user...

8.8CVSS5.8AI score0.0013EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 5:47 p.m.24 views

Arbitrary Code Injection

Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Arbitrary Code Injection via the calculation parameter in the V1 Views API, which is interpolated directly into a CouchDB reduce function without validation. An attacker can execute arbitrary...

8.5CVSS6.1AI score0.00263EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 2:22 p.m.24 views

Malicious Package

Overview knot-rspec-formatter-json is a malicious package. This package is part of a malicious cluster of Ruby gems published by the threat actor knot-theory. Designed to impersonate legitimate utilities, it executes a payload upon installation that harvests environment variables, SSH keys, AWS...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/08 4:22 p.m.24 views

Improper Isolation or Compartmentalization

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the setupSandboxScript bootstrap in lib/vm.js and lib/setup-sandbox.js. An attacker can read the...

6.9CVSS5.9AI score0.00248EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:29 a.m.24 views

Improper Isolation or Compartmentalization

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the globalPromise.prototype.then onFulfilled wrapper in the Promise bridge. An attacker can supply...

7.2CVSS6AI score0.002EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/06 8:31 p.m.24 views

Cross-site Scripting (XSS)

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Cross-site Scripting XSS via the search.twig template and the process that decodes and renders user-supplied content without proper sanitization. An...

8.2CVSS5.8AI score0.00249EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 8:22 p.m.24 views

Access Control Bypass

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Access Control Bypass via the MCP loopback process. An attacker can gain unauthorized access to owner-gated operations by spoofing owner-context metadata in request headers. Remediation...

8.5CVSS5.8AI score0.00112EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 9:56 p.m.24 views

External Control of System or Configuration Setting

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to External Control of System or Configuration Setting via the loading of workspace .env files. An attacker can manipulate runtime-control variables by crafting a malicious .env file that se...

8.8CVSS5.7AI score0.00203EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/13 10:11 p.m.24 views

Integer Overflow or Wraparound

Overview Magick.NET-Q16-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

5.9CVSS6.1AI score0.00148EPSS
Exploits0References2
Snyk
Snyk
added 2020/02/28 9:12 a.m.24 views

Sandbox Escape

Overview safe-eval is a Safer version of eval Affected versions of this package are vulnerable to Sandbox Escape. It is possible for an attacker to run an arbitrary command on the host machine. POC by Anirudh Anand for node 12.13.0 const safeEval = require'safe-eval'; const theFunction = function...

9.8CVSS7AI score0.0143EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/05 1:40 p.m.23 views

Malicious Package

Overview utils-mf is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.5AI score
Exploits0References2
Total number of security vulnerabilities5000