35723 matches found
Cross-site Scripting (XSS)
Overview ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms Affected versions of this package are vulnerable to Cross-site Scripting XSS in the menu management process when user-controlled input is added to navigation menus and rendered without proper sanitization or output encoding...
Malicious Package
Overview base-or-engine is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Reliance on Untrusted Inputs in a Security Decision
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the chat.send process. An attacker can inject unauthorized provenance fields by spoofing client identity metadata during the...
Arbitrary File Write via Archive Extraction (Zip Slip)
Overview Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction Zip Slip via the extractarchivetodir function. An attacker can overwrite arbitrary files or gain elevated privileges by supplying a crafted tar.gz file containing malicious paths during...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q16-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...
Cleartext Storage of Sensitive Information
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information due to the storage of video access passwords in plaintext within the database. An attacker can obtain sensitive...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the Windows cleanup routine when a crafted profile name containing PowerShell metacharacters is used. An attacker can execute arbitrary PowerShell commands with the privileges of the application process user by...
Malicious Package
Overview hiagenttest is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Malicious Package
Overview supportgameapp is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Origin Validation Error
Overview Glances is an A cross-platform curses-based monitoring tool Affected versions of this package are vulnerable to Origin Validation Error in the REST/WebUI FastAPI application due to the lack of host header validation and the absence of an allowlist for trusted hosts. An attacker can gain...
Malicious Package
Overview triggerator-backend is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Permissive Regular Expression
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Permissive Regular Expression via the matchesExecAllowlistPattern function. An attacker can bypass intended command or executable path restrictions by crafting paths that exploit overly...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchKey function. An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled destinations by crafting a JWT with malicious claim values that are interpolated into th...
Authorization Bypass Through User-Controlled Key
Overview @withstudiocms/api-spec is an API Specification for StudioCMS Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the create-reset-link process. An attacker can gain unauthorized access to higher-privileged accounts by generating a...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the forwardProxy function. An attacker can access internal network resources, retrieve sensitive data, and potentially obtain cloud metadata or credentials by supplying a crafted URL to the endpoint...
Heap-based Buffer Overflow
Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
Out-of-bounds Read
Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
Stack-based Buffer Overflow
Overview Magick.NET-Q16-HDRI-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Arbitrary Code Injection
Amendment This was deemed not a vulnerability. Overview es-toolkit is an A state-of-the-art, high-performance JavaScript utility library with a small bundle size and strong type annotations. Affected versions of this package are vulnerable to Arbitrary Code Injection. The template function in...
Malicious Package
Overview @bytedanc-ad/mui-wc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @rrvis/logger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Missing Authentication for Critical Function
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authentication for Critical Function via config.apply. An attacker can execute arbitrary commands as the gateway process user by supplying crafted cliPath values through the Gatew...
Malicious Package
Overview magic-porta1 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview dynamodb-data-mapper-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...
Malicious Package
Overview focal-examples is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the environment proxy middleware. An attacker can gain unauthorized access to and manipulate remote environment resources by sending unauthenticated requests that are proxied to remote...
Improper Validation of Specified Type of Input
Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input that is passed to the handleFormData function. An attacker can gain unauthorized access to files on the underlying server by requests with unexpected...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to the lack of a security header on certain user-uploaded content served from repositories. An attacker can execute arbitrary scripts in the context of another user by uploading specially crafted content and...
Relative Path Traversal
Overview privatebin/privatebin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Affected versions of this package are vulnerable to Relative Path Traversal via the template-switching feature when templateselection is enabled in the configuration. An...
Allocation of Resources Without Limits or Throttling
Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the data: URL handler. An attacker can trigger a denial of service by crafting a data: URL with an excessive...
Denial of Service (DoS)
Overview org.webjars.npm:pacote is a JavaScript package downloader Affected versions of this package are vulnerable to Denial of Service DoS via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s rege...
Prototype Pollution
Overview web3-utils is a Collection of utility functions used in web3.js. Affected versions of this package are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading ...
Prototype Pollution
Overview litespeed.js is a Lite & fast micro javascript framework that is easy to learn. Affected versions of this package are vulnerable to Prototype Pollution. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leadin...
Code Injection
Overview lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Code Injection due the improper validation of options.variable key names in .template. An attacker can execute arbitrary code at template...
Arbitrary Code Execution
Overview sandbox is a nifty javascript sandbox for node.js. Affected versions of this package are vulnerable to Arbitrary Code Execution through this.constructor.constructor. An attacker can execute arbitrary code in the system by evaluating payloads that have access to the main context, such as...
Malicious Package
Overview poc-node-npm is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
XML External Entity (XXE) Injection
Overview ebookmeta is a Read/write ebook metadata for fb2, epub2 and epub3 files Affected versions of this package are vulnerable to XML External Entity XXE Injection in the ebookmeta.getmetadata function via lxml dependency allows attackers to access sensitive information or cause a Denial of...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the LookupOrg handler in the /api/orgs/lookup endpoint when unauthenticated requests are made. An attacker can cause repeated NULL pointer dereferences, resulting in excessive log entries and increased disk...
Improper Authorization
Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Authorization due to the improper enforcement of security constraints in the default servlet when certain HTTP methods or...
Malicious Package
Overview unleash-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Prototype Pollution
Overview n8n-workflow is a Workflow base code of n8n Affected versions of this package are vulnerable to Prototype Pollution via the deepCopy and replaceCircularReferences utilities in utils.ts. An attacker can inject crafted proto, constructor, or prototype fields in a public webhook payload tha...
Malicious Package
Overview node-slot is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Inefficient Algorithmic Complexity
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the query-depth processing in validateQueryDepth and...
Unsafe Dependency Resolution
Overview @theia/ai-ide is an AI IDE Agents Extension Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the processing of workspace file and directory names in the AI chat. An attacker can cause the agent to execute attacker-controlled instructions by introducing...
Malicious Package
Overview uidaireusablecomponents is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...
Malicious Package
Overview @ncurran/sandbox-recon-7c4e1a is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview npm-sandbox-research-a1b2 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview npm-sandbox-ping-c8f2a is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via missing authentication tag verification in the experimental Chacha20Poly1305 key-encryption algorithm. An attacker can modify an encrypted content-encryption key CEK in transit withou...