Lucene search
K
SnykMost viewed

35122 matches found

Snyk
Snyk
added 2026/05/07 4:29 a.m.24 views

Improper Isolation or Compartmentalization

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the globalPromise.prototype.then onFulfilled wrapper in the Promise bridge. An attacker can supply...

7.2CVSS6AI score0.002EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/06 8:31 p.m.24 views

Cross-site Scripting (XSS)

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Cross-site Scripting XSS via the search.twig template and the process that decodes and renders user-supplied content without proper sanitization. An...

8.2CVSS5.8AI score0.00249EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/13 10:11 p.m.24 views

Integer Overflow or Wraparound

Overview Magick.NET-Q16-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

5.9CVSS6.1AI score0.00148EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/25 6:45 p.m.24 views

Command Injection

Overview node-tesseract-ocr is an A Node.js wrapper for the Tesseract OCR API Affected versions of this package are vulnerable to Command Injection via the recognize function. An attacker can execute arbitrary system commands by supplying crafted input to the file path parameter, which is...

9.8CVSS6.1AI score0.01706EPSS
Exploits3References2
Snyk
Snyk
added 2026/06/05 1:40 p.m.23 views

Malicious Package

Overview utils-mf is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/05/29 10:4 p.m.23 views

Malicious Package

Overview @timelycare/config-service is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/29 10:2 p.m.23 views

Malicious Package

Overview deepl-sync is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/28 1:39 p.m.23 views

Malicious Package

Overview @service-suppliers/fetch-initial-suppliers-watcher-saga is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/26 12:27 p.m.23 views

Malicious Package

Overview web3.prc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 4:43 p.m.23 views

Prototype Pollution

Overview parse-nested-form-data is an A tiny node module for parsing FormData by name into objects and arrays Affected versions of this package are vulnerable to Prototype Pollution via the parseFormData process. An attacker can modify the prototype of all plain objects in the running process by...

8.8CVSS6.3AI score0.00315EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 8:29 p.m.23 views

Server-side Request Forgery (SSRF)

Overview deepseek-tui is an Install and run deepseek and deepseek-tui binaries from GitHub release artifacts. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchurl process. An attacker can gain unauthorized access to internal resources by supplying ...

7.4CVSS5.8AI score0.00239EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 7:36 p.m.23 views

Arbitrary Code Injection

Overview mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown. Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper sanitization of input passed to the addStyleClass function. An attacker can inject...

7.1CVSS5.9AI score0.00338EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/10 2:17 p.m.23 views

Cross-site Request Forgery (CSRF)

Overview opencart/opencart is a shopping cart system Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the account/password process. An attacker can change user passwords by sending crafted requests to the relevant endpoint, potentially hijacking accounts...

7.4CVSS5.8AI score0.00126EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 2:24 a.m.23 views

Arbitrary Code Injection

Overview diffusers is a State-of-the-art diffusion in PyTorch and JAX. Affected versions of this package are vulnerable to Arbitrary Code Injection in the frompretrained fucntion when a repository contains a None.py file and the custompipeline argument is not supplied. An attacker can execute...

8.8CVSS6.2AI score0.00865EPSS
Exploits2References2
Snyk
Snyk
added 2026/04/16 9:44 p.m.23 views

Arbitrary Code Injection

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper sanitization...

9.9CVSS6.2AI score0.0145EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/02 8:59 p.m.23 views

Replay Attack

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Replay Attack in the replay deduplication process. An attacker can bypass intended access restrictions by reusing messageId values across authenticated sibling-target delivery paths...

5.4CVSS5.4AI score0.00274EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/24 10:16 p.m.23 views

Allocation of Resources Without Limits or Throttling

Overview Scriban is a Scriban is a fast, powerful, safe and lightweight scripting language and engine for .NET, which was primarily developed for text templating with a compatibility mode for parsing liquid templates. Today, not only Scriban can be used in text templating scenarios, but also can ...

7.1CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2025/09/19 3:41 a.m.23 views

Incorrect Authorization

Overview edu.internet2.middleware.grouper:grouper is an Internet2 Groups Management Toolkit Affected versions of this package are vulnerable to Incorrect Authorization via improper job scheduling in the loader jobs configuration process. A group administrator who is not a member of the Grouper...

8.4CVSS7AI score0.00248EPSS
Exploits0References2
Snyk
Snyk
added 2022/06/01 7:58 a.m.23 views

Remote Code Injection

Overview convert-svg-core is a package that supports converting SVG into another format using headless Chromium. Affected versions of this package are vulnerable to Remote Code Injection via sending an SVG file containing the payload. PoC: js const convert = require'convert-svg-to-png'; const...

9.9CVSS7.5AI score0.09204EPSS
Exploits1References2
Snyk
Snyk
added 2022/04/25 2:9 p.m.23 views

Server-side Request Forgery (SSRF)

Overview gibbon is a wrapper for MailChimp API 3.0 and Export API Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to the concatenation of domains, it's possible to spoof the information and change the root domain via a crafted URL. Remediation Upgrade gibb...

9.8CVSS6.7AI score0.01489EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/18 2:27 p.m.22 views

Improper Initialization

Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Improper Initialization in the DOMPurify.setConfig API when an uponSanitizeAttribute hook is registered that mutates allowedAttributes. An attacker can caus...

5.4CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/06/16 9:0 p.m.22 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/16 6:9 a.m.22 views

Malicious Package

Overview rbac-auth is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/02 9:0 p.m.22 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/01 9:0 p.m.22 views

Malicious Package

Overview env-config-manager is a malicious package. This package contains malicious code, and its content has been removed from the official package manager. While this package typosquats well-known libraries to impersonate valid open-source ecosystems, there is no connection between those...

9.8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 2026/05/29 10:9 p.m.22 views

Malicious Package

Overview chai-bundle is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/23 9:0 p.m.22 views

Malicious Package

Overview data-pipeline-check is a malicious package. This package contains malicious code, and its content was removed from the official package manager. The package was linked to a supply chain attack and contained code designed to steal developer secrets, crypto wallets, SSH keys, and cloud...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/22 1:14 p.m.22 views

Improper Authentication

Overview Magick.NET-Q16-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6CVSS5.8AI score0.00093EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/22 2:43 a.m.22 views

Malicious Package

Overview credential-verification-cli is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/17 1:28 a.m.22 views

NULL Pointer Dereference

Overview qs is a querystring parser that supports nesting and arrays, with a depth limit. Affected versions of this package are vulnerable to NULL Pointer Dereference in the stringify function, when processing arrays with the options arrayFormat: 'comma' and encodeValuesOnly: true that contain nu...

6.9CVSS5.9AI score0.00351EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 4:19 p.m.22 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through improper handling of the Object.assign process in the dataset service. An attacker can gain unauthorized access to...

7.7CVSS5.8AI score0.00335EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 5:19 p.m.22 views

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Overview docling is a SDK and CLI for parsing PDF, DOCX, HTML, and more, to a unified document representation for powering downstream workflows such as gen AI applications. Affected versions of this package are vulnerable to Improper Restriction of Recursive Entity References in DTDs 'XML Entity...

8.7CVSS5.8AI score0.00278EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:49 p.m.22 views

SQL Injection

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to SQL Injection via the BuiltinCaptcha process. An attacker can access sensitive data, modify or delete database records, and extract credential hashes by...

9.8CVSS5.8AI score0.01709EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 7:38 p.m.22 views

Directory Traversal

Overview GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Directory Traversal through insufficient validation of reference paths in the creation, renaming, and deletion. An attacker can write, overwrite, move, or delete files...

9.1CVSS6.3AI score0.00419EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/05 3:27 p.m.22 views

Malicious Package

Overview @atlan/connectors is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/04 7:46 p.m.22 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the io.Copy process that handles binary import requests. An attacker can exhaust disk space on the host system by continuously streaming large amounts of data to the affected...

5.3CVSS5.8AI score0.00333EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/02 6:30 p.m.22 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the exportstate function in the MCP Interface component. An attacker can overwrite or access arbitrary files by supplying crafted input to manipulate file paths remotely. Details A Directory Traversal attack also...

6.9CVSS6.3AI score0.00462EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 10:15 p.m.22 views

Incorrect Authorization

Overview @openclaw/matrix is an OpenClaw Matrix channel plugin Affected versions of this package are vulnerable to Incorrect Authorization via the operator.write message-tool. An attacker can modify persistent Matrix profile configuration without proper authorization by sending crafted requests...

7.6CVSS5.8AI score0.00295EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/06 7:14 a.m.22 views

Malicious Package

Overview permissionscaling is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2025/12/02 6:45 a.m.22 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via algorithmic complexity in the SQL parsing logic. The parser fails to enforce limits when handling deeply nested tuples or unusually large token sequences, allowing an attacker to...

8.7CVSS7.5AI score0.0321EPSS
Exploits0References4
Snyk
Snyk
added 2026/06/16 9:0 p.m.21 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/16 1:47 p.m.21 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via improper handling of URLs in the navigateTo function. An attacker can execute arbitrary scripts or redirect users to malicious sites by supplying crafted URLs that exploit path normalization and protocol-relative...

9.6CVSS6.1AI score0.00205EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/08 12:0 a.m.21 views

Server-side Request Forgery (SSRF)

Overview org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via...

6.5CVSS5.5AI score0.00123EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/04 2:37 p.m.21 views

User Impersonation

Overview doorkeeper-openidconnect is an OpenID Connect extension for Doorkeeper. Affected versions of this package are vulnerable to User Impersonation via the Dynamic Client Registration feature that treats clientsecretbasic and clientsecretpost parameters as confidential: false which allows...

8.8CVSS5.5AI score0.00058EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/02 9:0 p.m.21 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/31 9:0 p.m.21 views

Malicious Package

Overview @mlspace/env-gitlab is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/29 10:9 p.m.21 views

Malicious Package

Overview customerdigital-service-lib is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/28 1:39 p.m.21 views

Malicious Package

Overview @polka-ui/reco is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/22 1:14 p.m.21 views

Improper Authentication

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

6CVSS5.8AI score0.00093EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/18 11:48 p.m.21 views

Creation of Temporary File With Insecure Permissions

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions via the...

7.8CVSS7.6AI score0.00215EPSS
Exploits2References2
Total number of security vulnerabilities5000