Lucene search
K
SnykMost viewed

35355 matches found

Snyk
Snyk
added 2026/05/29 6:8 p.m.13 views

Protection Mechanism Failure

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Protection Mechanism Failure through the NodeVM builtin wildcard expansion in lib/builtin.js. An attacker can load Node’s private underscored network...

9.3CVSS5.9AI score0.00282EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/29 5:59 p.m.13 views

Incomplete List of Disallowed Inputs

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the builtin allowlist handling in lib/builtin.js. An attacker can reach host code by requiring process and...

10CVSS6.2AI score0.00536EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/29 5:40 p.m.13 views

Improper Control of Dynamically-Managed Code Resources

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via the localPromise constructor in lib/setup-sandbox.js. An attacker can obtain a host-realm...

10CVSS6AI score0.0051EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/29 4:4 p.m.13 views

Prototype Pollution

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution through the config.proxy property in the HTTP adapter, which accesses properties via the prototype chain. An attacker can intercept and modify all HTT...

8.9CVSS6.1AI score0.01041EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/28 6:24 p.m.13 views

Improper Authorization

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Improper Authorization via the jwt middleware when the Authorization header uses any scheme, not just Bearer. An attacker can gain unauthorized access by presenting a valid JWT under a...

6.5CVSS5.8AI score0.00199EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 5:4 p.m.13 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the Parse function. An attacker can exhaust CPU resources and generate excessive log output by sending oversized or malformed headers that are processed without length checks. Remediation...

6.9CVSS5.8AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 4:50 p.m.13 views

Cross-site Scripting (XSS)

Overview tinymce/tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the media plugin when handling crafted data-mce- attributes. An attacker can execute arbitrary scripts in the context of the user's...

8.7CVSS5.9AI score0.00264EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 4:50 p.m.13 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication when decoding JSON Web Tokens. An attacker can forge valid tokens by supplying a public key as the secret for the HMAC algorithm when both asymmetric and HMAC algorithms are supported. PoC python from jwt.apijws...

8.8CVSS5.8AI score0.00394EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/28 4:50 p.m.13 views

Cross-site Scripting (XSS)

Overview TinyMCE is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the mce:protected comments. An attacker can execute arbitrary scripts in the context of affected users by injecting malicious content that...

8.7CVSS5.9AI score0.00281EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 1:39 p.m.13 views

Malicious Package

Overview @service-user-notifications/setrefreshinterval is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/28 1:39 p.m.13 views

Malicious Package

Overview @service-suppliers/setselectedsupplier is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/28 3:8 a.m.13 views

Incorrect Authorization

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Authorization via the user-facing APIs when the Organizations feature is disabled. An attacker can...

7.1CVSS5.3AI score0.00214EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 5:41 p.m.13 views

Improper Validation of Specified Index, Position, or Offset in Input

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Improper Validation of Specified Index, Position, or Offset in Input in the SandboxNodeVisitor that allows toString policy bypass via Traversable in join/replace filte...

6CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/27 5:3 p.m.13 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the wheel installation process. An attacker can overwrite arbitrary files within the installing user's permissions by convincing a user to install a specially crafted Python wheel containing malicious entry-point...

8.5CVSS6.3AI score0.0032EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 1:25 p.m.13 views

Malicious Package

Overview shop-minis is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/27 9:41 a.m.13 views

Improper Encoding or Escaping of Output

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the HtmlSanitizer component that fails to properly detect and strip percent-encoded BiDi...

5.3CVSS5.8AI score0.00025EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 12:37 a.m.13 views

Interpretation Conflict

Overview @hapi/content is a HTTP Content- headers parsing Affected versions of this package are vulnerable to Interpretation Conflict due to inconsistent handling of duplicate parameters in the Content.disposition and Content.type functions. An attacker can bypass upload filename allowlists or...

8.6CVSS5.8AI score0.00052EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 12:28 a.m.13 views

Insecure Default Initialization of Resource

Overview liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Insecure Default Initialization of Resource in the Context.spawn function. An attacker can access prototype-chain properties of objects...

6.9CVSS5.8AI score0.00271EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 12:9 a.m.13 views

Cross-site Scripting (XSS)

Overview liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the striphtml filter, which fails to properly remove HTML tags containing newline characters. An attacker...

6.1CVSS5.8AI score0.00203EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/26 11:39 p.m.13 views

LDAP Injection

Overview Affected versions of this package are vulnerable to LDAP Injection via the LdapAuthModule process. An attacker can gain unauthorized access to user accounts by injecting specially crafted input into the username parameter during LDAP authentication. Note: This is only exploitable if the...

5.3CVSS5.5AI score0.01027EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/26 11:38 p.m.13 views

Incorrect Behavior Order: Validate Before Canonicalize

Overview @fedify/fedify is an An ActivityPub server framework Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize through manipulation of JSON-LD document structure using keywords such as @graph, @included, and @reverse. An attacker can alter...

8.3CVSS5.9AI score0.00171EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/26 5:39 p.m.13 views

Cross-site Scripting (XSS)

Overview @typebot.io/js is a Javascript library to display typebots on your website Affected versions of this package are vulnerable to Cross-site Scripting XSS in the RatingButton component when unsanitized SVG or HTML is rendered via the innerHTML directive. An attacker can gain access to sessi...

8.7CVSS5.6AI score0.00257EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/25 9:5 a.m.13 views

Malicious Package

Overview @gbrlxvii/ts-project-lint is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 8:54 a.m.13 views

Malicious Package

Overview auth0-net-sdk-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 8:49 a.m.13 views

Malicious Package

Overview expo-config-plugin-typescript is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 8:49 a.m.13 views

Malicious Package

Overview vite-plugin-env-compat-plus is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 8:20 a.m.13 views

Malicious Package

Overview explorhub-claude-bridge is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 8:1 a.m.13 views

Malicious Package

Overview levex-press is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 7:12 a.m.13 views

Malicious Package

Overview mcp-dashboards-shared is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 7:9 a.m.13 views

Malicious Package

Overview uipath-ui-widgets is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 7:9 a.m.13 views

Malicious Package

Overview apollo-vertex is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/24 3:36 p.m.13 views

Malicious Package

Overview llm-context-compressor is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/23 9:0 p.m.13 views

Malicious Package

Overview defi-risk-scanner is a malicious package. This package contains malicious code, and its content was removed from the official package manager. The package was linked to a supply chain attack and contained code designed to steal developer secrets, crypto wallets, SSH keys, and cloud...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/23 9:0 p.m.13 views

Malicious Package

Overview solidity-build-guard is a malicious package. This package contains malicious code, and its content was removed from the official package manager. The package was linked to a supply chain attack and contained code designed to steal developer secrets, crypto wallets, SSH keys, and cloud...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/22 9:0 p.m.13 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a remote code execution backdoor and an advanced credential stealer. A malicious actor exploited remapped historical tags to commit malicious commits, retroactively compromising over 700 versions of...

9.8CVSS6.5AI score
Exploits0References2
Snyk
Snyk
added 2026/05/22 5:42 p.m.13 views

Cross-site Scripting (XSS)

Overview golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the childTextNodesAreLiteral function in render.go. An attacker can cause the execution of scripts in the context o...

6.1CVSS5.7AI score0.00178EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/22 4:42 p.m.13 views

Malicious Package

Overview polymarket-trading-cli is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/22 3:45 p.m.13 views

Arbitrary Command Injection

Overview shell-quote is a package used to quote and parse shell commands. Affected versions of this package are vulnerable to Arbitrary Command Injection via the quote function when object-token inputs containing line terminators \n, \r, U+2028, U+2029 in the .op field are not properly validated...

9.2CVSS6AI score0.00848EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/22 1:44 p.m.13 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the API response process. An attacker can access sensitive information about team member roles by invoking various team API endpoints without having elevated permissions. Remediation Upgrade...

5.3CVSS5.8AI score0.00184EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/22 1:14 p.m.13 views

Improper Authentication

Overview Magick.NET-Q8-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package ar...

6CVSS5.8AI score0.00093EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/22 1:14 p.m.13 views

Improper Authentication

Overview Magick.NET-Q16-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6CVSS5.8AI score0.00093EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/22 1:14 p.m.13 views

Improper Authentication

Overview Magick.NET-Q16-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6CVSS5.8AI score0.00093EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/22 1:14 p.m.13 views

Information Exposure

Overview Magick.NET-Q16-HDRI-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...

6.9CVSS5.8AI score0.00109EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/22 1:14 p.m.13 views

Information Exposure

Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

6.9CVSS5.8AI score0.00109EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/22 1:14 p.m.13 views

Information Exposure

Overview Magick.NET-Q16-HDRI-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.9CVSS5.8AI score0.00109EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/22 1:14 p.m.13 views

Information Exposure

Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.9CVSS5.8AI score0.00109EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/22 1:11 p.m.13 views

Unsynchronized Access to Shared Data in a Multithreaded Context

Overview Magick.NET-Q8-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

5.6CVSS5.8AI score0.00077EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/22 1:11 p.m.13 views

Unsynchronized Access to Shared Data in a Multithreaded Context

Overview Magick.NET-Q8-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

5.6CVSS5.8AI score0.00077EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/22 1:11 p.m.13 views

Unsynchronized Access to Shared Data in a Multithreaded Context

Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

5.6CVSS5.8AI score0.00077EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/22 1:11 p.m.13 views

Unsynchronized Access to Shared Data in a Multithreaded Context

Overview Magick.NET-Q16-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

5.6CVSS5.8AI score0.00077EPSS
Exploits0References3
Total number of security vulnerabilities5000