36346 matches found
Malicious Package
Overview @bold-commerce/stacks-ui is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Origin Validation Error
Overview thrift is a lightweight, language-independent software stack with an associated code generation mechanism for point-to-point RPC. Affected versions of this package are vulnerable to Origin Validation Error in the webserver.js component. An attacker can access unauthorized files, inject...
Unsafe Reflection
Overview org.apache.opennlp:opennlp-tools is an is a machine learning based toolkit for the processing of natural language text. Affected versions of this package are vulnerable to Unsafe Reflection that leads to arbitrary class instantiation, via the instantiateExtension method in the...
Malicious Package
Overview @apiary-annex/meta is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview sglang is a SGLang is a fast serving framework for large language models and vision language models. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the gettokenizer function in the...
Directory Traversal
Overview mcp-game-asset-gen is a MCP server for asset generation - image, video, audio, and 3D APIs for game development Affected versions of this package are vulnerable to Directory Traversal via the imageto3dasync function when processing the statusFile argument. An attacker can access or modif...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read through the TShape process in the VRML parser when coordIndex values from parsed input are used as direct array indices without validation against the size of the coordinate array during geometry processing. An attack...
Cross-site Scripting (XSS)
Overview jsondiffpatch is a JSON diff & patch object and array diff, text diff, multiple output formats Affected versions of this package are vulnerable to Cross-site Scripting XSS via the annotated formatter due to improper sanitization of JSON values and property names. If an application compar...
Use of Cache Containing Sensitive Information
Overview Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information due to the default KeyGenerator process in the cache middleware not including query parameters when generating cache keys. An attacker can access or cause exposure of user-specific or...
Improper Encoding or Escaping of Output
Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the encode function in AxiosURLSearchParams. An attacker can smuggle a NUL byte into serialized query strings by supplying...
HTTP Response Splitting
Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to HTTP Response Splitting via the isFormData and getHeaders handling in the HTTP request path. An attacker can inject arbitrary request headers by supplying a...
Improper Neutralization of Special Elements Used in a Template Engine
Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the POST /prompts/test endpoint, which accepts user-supplied prompt templates and renders them...
Malicious Package
Overview vime-azl is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack due to insecure handling of Process ID PID files. When an application uses the ApplicationPidFileWriter, it writes its PID to a predictable file system path. A local attacker with write access to the PID file's directory...
Use of a Broken or Risky Cryptographic Algorithm
Overview org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are...
Unsafe Dependency Resolution
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Unsafe Dependency Resolution in the authentication setup. An attacker can cause untrusted workspace plugins to be auto-enabled by leveraging non-interactive onboarding that selects a...
HTTP Request Smuggling
Overview org.springframework:spring-webflux is a Spring Framework module that contains support for reactive HTTP and WebSocket clients as well as for reactive server web applications including REST, HTML browser, and WebSocket style interactions. Affected versions of this package are vulnerable t...
Insufficient Verification of Data Authenticity
Overview @paperclipai/ui is a Prebuilt Paperclip board UI assets. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the decidedByUserId field in approval-related endpoints. An attacker can forge decision attribution by supplying an arbitrary us...
External Control of File Name or Path
Overview Affected versions of this package are vulnerable to External Control of File Name or Path via the adapterConfig.instructionsFilePath configuration field, which is processed by the server during agent execution. An attacker can access sensitive files on the host filesystem by supplying...
Interpretation Conflict
Overview @fastify/middie is a Middleware engine for Fastify Affected versions of this package are vulnerable to Interpretation Conflict in the resolveNormalizationOptions function's deprecated ignoreDuplicateSlashes configuration option. An attacker can bypass middleware by crafting URLs with...
Improper Neutralization of Special Elements in Data Query Logic
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic through the GraphCypherQAChain request handling and graph.query execution path in GraphCypherQAChain.ts. An attacker can force...
HTTP Header Injection
Overview @fastify/reply-from is a forward your HTTP request to another server, for fastify Affected versions of this package are vulnerable to HTTP Header Injection via improper handling of the Connection header after proxy-added headers have been set. An attacker can remove headers intended for...
Use of a Broken or Risky Cryptographic Algorithm
Overview org.bouncycastle:bcprov-jdk14 is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to the generateCTR process in G3413CTRBlockCipher. An attacker can recover relationships between...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the verifybyte expected function in JcaContentVerifierProviderBuilder. An attacker can forge a protected CMP/PKI message by supplying an empty composite signature sequence that...
Heap-based Buffer Overflow
Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...
Heap-based Buffer Overflow
Overview Magick.NET-Q8-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
Cross-site Scripting (XSS)
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS in the isValidDuration function due to insufficient input validation of the duration parameter, which allows arbitrary HTML or JavaScript ...
Origin Validation Error
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Origin Validation Error in the CORS handling process. An attacker can access sensitive authenticated API responses, including user profile data, email, admin statu...
Cross-site Request Forgery (CSRF)
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the configurationUpdate.json.php process. An attacker can gain full control over site configuration, inject arbitrary HTML into...
Cross-site Scripting (XSS)
Overview leaflet is a JavaScript library for mobile-friendly interactive maps Affected versions of this package are vulnerable to Cross-site Scripting XSS via the bindPopup method. An attacker can execute arbitrary JavaScript code in the context of a user's browser session by injecting malicious...
Server-side Request Forgery (SSRF)
Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the...
Malicious Package
Overview @ascend-ops/web-client is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...
Use After Free
Overview Affected versions of this package are vulnerable to Use After Free in the error handling path of the TLSXKeyShareProcessPqcHybridClient process. An attacker can cause memory corruption or potentially execute arbitrary code by triggering an error during post-quantum cryptography hybrid...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data involving task management that allows authenticated users with task creation permissions to execute arbitrary code by injecting malicious properties into a serialized object. A user can bypass...
Uncaught Exception
Overview Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...
Directory Traversal
Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Directory Traversal via the serveStatic function. An attacker can access sensitive static files intended to be protected by route-based middleware by crafting request paths with repeated...
Incorrect Calculation of Buffer Size
Overview Affected versions of this package are vulnerable to Incorrect Calculation of Buffer Size in the initval process of HuffTable. An attacker can achieve arbitrary code execution or cause a denial of service by supplying a specially crafted malicious file. Remediation Upgrade libraw to versi...
Insecure Default Initialization of Resource
Overview @budibase/backend-core is a Budibase backend core libraries used in server and worker Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the isBlacklisted function when the BLACKLISTIPS environment variable is unset, causing the blacklist...
Server-side Request Forgery (SSRF)
Overview google-search-mcp is a Google Search MCP Server for Claude Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the extractContent function. An attacker can access internal resources or perform unauthorized requests by supplying crafted URLs to the...
Use of GET Request Method With Sensitive Query Strings
Overview @immich/sdk is an Auto-generated TypeScript SDK for the Immich API Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings via the transmission of authentication credentials in the password parameter within the HTTP request query string...
Incomplete List of Disallowed Inputs
Overview @openclaw/discord is an OpenClaw Discord channel plugin Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs through the validateScriptFileForShellBleed process. An attacker can execute unauthorized script content by crafting piped, substituted, or...
Directory Traversal
Overview opencart/opencart is a shopping cart system Affected versions of this package are vulnerable to Directory Traversal via the installer.php process. An attacker can access or modify files outside the intended directory by submitting crafted input remotely. Details A Directory Traversal...
Expired Pointer Dereference
Overview Affected versions of this package are vulnerable to Expired Pointer Dereference in the Lua plugin handling. An attacker can access sensitive information by deploying a malicious Lua plugin file in specific system directories, which triggers a dangling pointer to be printed to system logs...
Arbitrary File Write via Archive Extraction (Zip Slip)
Overview Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction Zip Slip via the extractarchivetodir function. An attacker can overwrite arbitrary files or gain elevated privileges by supplying a crafted tar.gz file containing malicious paths during...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q16-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...
Cleartext Storage of Sensitive Information
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information due to the storage of video access passwords in plaintext within the database. An attacker can obtain sensitive...
Malicious Package
Overview agoda-test-poc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview hiagenttest is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Embedded Malicious Code
Overview @emilgroup/task-sdk-node is an A new version of the package Affected versions of this package are vulnerable to Embedded Malicious Code. The publishing pipeline of this package was compromised as the result of Trivy's GitHub Actions compromise and a malicious versions were released on NP...
Improper Validation of Specified Quantity in Input
Overview org.webjars.npm:fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the DocTypeReader component when the maxEntityCount or maxEntitySize configurati...