Lucene search
+L
SnykMost viewed

36346 matches found

Snyk
Snyk
added 2026/05/05 3:27 p.m.14 views

Malicious Package

Overview @bold-commerce/stacks-ui is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/05 9:26 a.m.14 views

Origin Validation Error

Overview thrift is a lightweight, language-independent software stack with an associated code generation mechanism for point-to-point RPC. Affected versions of this package are vulnerable to Origin Validation Error in the webserver.js component. An attacker can access unauthorized files, inject...

7.3CVSS5.9AI score0.00394EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 6:26 p.m.14 views

Unsafe Reflection

Overview org.apache.opennlp:opennlp-tools is an is a machine learning based toolkit for the processing of natural language text. Affected versions of this package are vulnerable to Unsafe Reflection that leads to arbitrary class instantiation, via the instantiateExtension method in the...

9.8CVSS6.1AI score0.00692EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 3:2 a.m.14 views

Malicious Package

Overview @apiary-annex/meta is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/03 12:31 a.m.14 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview sglang is a SGLang is a fast serving framework for large language models and vision language models. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the gettokenizer function in the...

6.3CVSS5.8AI score0.00368EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/01 11:30 p.m.14 views

Directory Traversal

Overview mcp-game-asset-gen is a MCP server for asset generation - image, video, audio, and 3D APIs for game development Affected versions of this package are vulnerable to Directory Traversal via the imageto3dasync function when processing the statusFile argument. An attacker can access or modif...

7.5CVSS7.5AI score0.00418EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/01 5:33 p.m.14 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read through the TShape process in the VRML parser when coordIndex values from parsed input are used as direct array indices without validation against the size of the coordinate array during geometry processing. An attack...

7.1CVSS5.8AI score0.00099EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/01 5:7 p.m.14 views

Cross-site Scripting (XSS)

Overview jsondiffpatch is a JSON diff & patch object and array diff, text diff, multiple output formats Affected versions of this package are vulnerable to Cross-site Scripting XSS via the annotated formatter due to improper sanitization of JSON values and property names. If an application compar...

6.1CVSS5.5AI score0.00191EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/28 10:28 p.m.14 views

Use of Cache Containing Sensitive Information

Overview Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information due to the default KeyGenerator process in the cache middleware not including query parameters when generating cache keys. An attacker can access or cause exposure of user-specific or...

6.9CVSS5.8AI score0.00251EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/24 7:21 p.m.14 views

Improper Encoding or Escaping of Output

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the encode function in AxiosURLSearchParams. An attacker can smuggle a NUL byte into serialized query strings by supplying...

6.3CVSS5.5AI score0.00217EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/24 7:20 p.m.14 views

HTTP Response Splitting

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to HTTP Response Splitting via the isFormData and getHeaders handling in the HTTP request path. An attacker can inject arbitrary request headers by supplying a...

9.1CVSS5.7AI score0.00394EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/24 4:2 p.m.14 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the POST /prompts/test endpoint, which accepts user-supplied prompt templates and renders them...

8.8CVSS6.2AI score0.00373EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/23 3:56 a.m.14 views

Malicious Package

Overview vime-azl is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/04/23 12:0 a.m.14 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack due to insecure handling of Process ID PID files. When an application uses the ApplicationPidFileWriter, it writes its PID to a predictable file system path. A local attacker with write access to the PID file's directory...

6.7CVSS5.4AI score0.00112EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/21 8:0 p.m.14 views

Use of a Broken or Risky Cryptographic Algorithm

Overview org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are...

2.9CVSS7.3AI score0.00122EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 10:12 p.m.14 views

Unsafe Dependency Resolution

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Unsafe Dependency Resolution in the authentication setup. An attacker can cause untrusted workspace plugins to be auto-enabled by leveraging non-interactive onboarding that selects a...

8.8CVSS5.7AI score0.00381EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 12:0 a.m.14 views

HTTP Request Smuggling

Overview org.springframework:spring-webflux is a Spring Framework module that contains support for reactive HTTP and WebSocket clients as well as for reactive server web applications including REST, HTML browser, and WebSocket style interactions. Affected versions of this package are vulnerable t...

5.9CVSS5.7AI score0.00236EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/16 10:48 p.m.14 views

Insufficient Verification of Data Authenticity

Overview @paperclipai/ui is a Prebuilt Paperclip board UI assets. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the decidedByUserId field in approval-related endpoints. An attacker can forge decision attribution by supplying an arbitrary us...

5.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/04/16 10:45 p.m.14 views

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path via the adapterConfig.instructionsFilePath configuration field, which is processed by the server during agent execution. An attacker can access sensitive files on the host filesystem by supplying...

6CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/04/16 10:28 p.m.14 views

Interpretation Conflict

Overview @fastify/middie is a Middleware engine for Fastify Affected versions of this package are vulnerable to Interpretation Conflict in the resolveNormalizationOptions function's deprecated ignoreDuplicateSlashes configuration option. An attacker can bypass middleware by crafting URLs with...

9.1CVSS5.7AI score0.00278EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/16 9:54 p.m.14 views

Improper Neutralization of Special Elements in Data Query Logic

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic through the GraphCypherQAChain request handling and graph.query execution path in GraphCypherQAChain.ts. An attacker can force...

9.8CVSS5.9AI score0.00504EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/15 11:15 a.m.14 views

HTTP Header Injection

Overview @fastify/reply-from is a forward your HTTP request to another server, for fastify Affected versions of this package are vulnerable to HTTP Header Injection via improper handling of the Connection header after proxy-added headers have been set. An attacker can remove headers intended for...

9CVSS5.8AI score0.00441EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/15 10:16 a.m.14 views

Use of a Broken or Risky Cryptographic Algorithm

Overview org.bouncycastle:bcprov-jdk14 is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to the generateCTR process in G3413CTRBlockCipher. An attacker can recover relationships between...

9.3CVSS5.7AI score0.00313EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/15 10:13 a.m.14 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the verifybyte expected function in JcaContentVerifierProviderBuilder. An attacker can forge a protected CMP/PKI message by supplying an empty composite signature sequence that...

9.2CVSS5.7AI score0.00392EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/14 11:32 p.m.14 views

Heap-based Buffer Overflow

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

4.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/14 11:32 p.m.14 views

Heap-based Buffer Overflow

Overview Magick.NET-Q8-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

4.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/14 11:22 p.m.14 views

Cross-site Scripting (XSS)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS in the isValidDuration function due to insufficient input validation of the duration parameter, which allows arbitrary HTML or JavaScript ...

5.4CVSS5.7AI score0.00173EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/14 11:18 p.m.14 views

Origin Validation Error

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Origin Validation Error in the CORS handling process. An attacker can access sensitive authenticated API responses, including user profile data, email, admin statu...

7.1CVSS5.8AI score0.00132EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/14 11:12 p.m.14 views

Cross-site Request Forgery (CSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the configurationUpdate.json.php process. An attacker can gain full control over site configuration, inject arbitrary HTML into...

8.7CVSS5.8AI score0.00173EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/14 4:15 p.m.14 views

Cross-site Scripting (XSS)

Overview leaflet is a JavaScript library for mobile-friendly interactive maps Affected versions of this package are vulnerable to Cross-site Scripting XSS via the bindPopup method. An attacker can execute arbitrary JavaScript code in the context of a user's browser session by injecting malicious...

6.1CVSS5.9AI score0.00191EPSS
Exploits2References2
Snyk
Snyk
added 2026/04/14 4:14 p.m.14 views

Server-side Request Forgery (SSRF)

Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the...

8.5CVSS5.8AI score0.00249EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/13 3:25 p.m.14 views

Malicious Package

Overview @ascend-ops/web-client is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/10 1:0 a.m.14 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in the error handling path of the TLSXKeyShareProcessPqcHybridClient process. An attacker can cause memory corruption or potentially execute arbitrary code by triggering an error during post-quantum cryptography hybrid...

6.5CVSS6.2AI score0.00275EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/08 11:8 p.m.14 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data involving task management that allows authenticated users with task creation permissions to execute arbitrary code by injecting malicious properties into a serialized object. A user can bypass...

9.9CVSS6.1AI score0.00359EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/08 12:18 a.m.14 views

Uncaught Exception

Overview Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

8.2CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/04/08 12:16 a.m.14 views

Directory Traversal

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Directory Traversal via the serveStatic function. An attacker can access sensitive static files intended to be protected by route-based middleware by crafting request paths with repeated...

6.9CVSS6.3AI score0.00459EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/07 4:15 p.m.14 views

Incorrect Calculation of Buffer Size

Overview Affected versions of this package are vulnerable to Incorrect Calculation of Buffer Size in the initval process of HuffTable. An attacker can achieve arbitrary code execution or cause a denial of service by supplying a specially crafted malicious file. Remediation Upgrade libraw to versi...

9.8CVSS6.4AI score0.00504EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/03 9:34 p.m.14 views

Insecure Default Initialization of Resource

Overview @budibase/backend-core is a Budibase backend core libraries used in server and worker Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the isBlacklisted function when the BLACKLISTIPS environment variable is unset, causing the blacklist...

9.9CVSS6AI score0.00377EPSS
Exploits1References3
Snyk
Snyk
added 2026/04/03 5:21 p.m.14 views

Server-side Request Forgery (SSRF)

Overview google-search-mcp is a Google Search MCP Server for Claude Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the extractContent function. An attacker can access internal resources or perform unauthorized requests by supplying crafted URLs to the...

6.5CVSS6.6AI score0.00206EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/03 5:21 p.m.14 views

Use of GET Request Method With Sensitive Query Strings

Overview @immich/sdk is an Auto-generated TypeScript SDK for the Immich API Affected versions of this package are vulnerable to Use of GET Request Method With Sensitive Query Strings via the transmission of authentication credentials in the password parameter within the HTTP request query string...

7.5CVSS5.9AI score0.00449EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/02 9:32 p.m.14 views

Incomplete List of Disallowed Inputs

Overview @openclaw/discord is an OpenClaw Discord channel plugin Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs through the validateScriptFileForShellBleed process. An attacker can execute unauthorized script content by crafting piped, substituted, or...

5.4CVSS5.9AI score0.00303EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/02 2:26 p.m.14 views

Directory Traversal

Overview opencart/opencart is a shopping cart system Affected versions of this package are vulnerable to Directory Traversal via the installer.php process. An attacker can access or modify files outside the intended directory by submitting crafted input remotely. Details A Directory Traversal...

5.8CVSS6.5AI score0.00396EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/01 12:0 a.m.14 views

Expired Pointer Dereference

Overview Affected versions of this package are vulnerable to Expired Pointer Dereference in the Lua plugin handling. An attacker can access sensitive information by deploying a malicious Lua plugin file in specific system directories, which triggers a dangling pointer to be printed to system logs...

6.8CVSS5.9AI score0.00146EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/30 2:5 a.m.14 views

Arbitrary File Write via Archive Extraction (Zip Slip)

Overview Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction Zip Slip via the extractarchivetodir function. An attacker can overwrite arbitrary files or gain elevated privileges by supplying a crafted tar.gz file containing malicious paths during...

10CVSS7.8AI score0.00587EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/26 10:9 p.m.14 views

Missing Release of Memory after Effective Lifetime

Overview Magick.NET-Q16-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...

4.6CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/03/26 6:16 p.m.14 views

Cleartext Storage of Sensitive Information

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information due to the storage of video access passwords in plaintext within the database. An attacker can obtain sensitive...

9.1CVSS5.9AI score0.00152EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/24 12:48 p.m.14 views

Malicious Package

Overview agoda-test-poc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/20 4:45 a.m.14 views

Malicious Package

Overview hiagenttest is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/19 11:0 p.m.14 views

Embedded Malicious Code

Overview @emilgroup/task-sdk-node is an A new version of the package Affected versions of this package are vulnerable to Embedded Malicious Code. The publishing pipeline of this package was compromised as the result of Trivy's GitHub Actions compromise and a malicious versions were released on NP...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/19 7:13 p.m.14 views

Improper Validation of Specified Quantity in Input

Overview org.webjars.npm:fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input in the DocTypeReader component when the maxEntityCount or maxEntitySize configurati...

8.2CVSS5.8AI score0.00449EPSS
Exploits1References2
Total number of security vulnerabilities5000