Lucene search
K
SnykMost viewed

35723 matches found

Snyk
Snyk
added 2026/04/01 10:4 p.m.13 views

Cross-site Scripting (XSS)

Overview ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms Affected versions of this package are vulnerable to Cross-site Scripting XSS in the menu management process when user-controlled input is added to navigation menus and rendered without proper sanitization or output encoding...

9.1CVSS6AI score0.00307EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/01 9:10 a.m.13 views

Malicious Package

Overview base-or-engine is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/03/31 11:57 p.m.13 views

Reliance on Untrusted Inputs in a Security Decision

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the chat.send process. An attacker can inject unauthorized provenance fields by spoofing client identity metadata during the...

8.6CVSS5.9AI score0.00203EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/30 2:5 a.m.13 views

Arbitrary File Write via Archive Extraction (Zip Slip)

Overview Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction Zip Slip via the extractarchivetodir function. An attacker can overwrite arbitrary files or gain elevated privileges by supplying a crafted tar.gz file containing malicious paths during...

10CVSS7.8AI score0.00587EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/26 10:9 p.m.13 views

Missing Release of Memory after Effective Lifetime

Overview Magick.NET-Q16-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...

4.6CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/03/26 6:16 p.m.13 views

Cleartext Storage of Sensitive Information

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information due to the storage of video access passwords in plaintext within the database. An attacker can obtain sensitive...

9.1CVSS5.9AI score0.00152EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/24 7:46 p.m.13 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the Windows cleanup routine when a crafted profile name containing PowerShell metacharacters is used. An attacker can execute arbitrary PowerShell commands with the privileges of the application process user by...

8.6CVSS6.1AI score0.02904EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/20 4:45 a.m.13 views

Malicious Package

Overview hiagenttest is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/20 4:28 a.m.13 views

Malicious Package

Overview supportgameapp is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/18 8:49 p.m.13 views

Origin Validation Error

Overview Glances is an A cross-platform curses-based monitoring tool Affected versions of this package are vulnerable to Origin Validation Error in the REST/WebUI FastAPI application due to the lack of host header validation and the absence of an allowlist for trusted hosts. An attacker can gain...

6CVSS5.8AI score0.0016EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/18 12:14 a.m.13 views

Malicious Package

Overview triggerator-backend is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/03/13 8:55 p.m.13 views

Permissive Regular Expression

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Permissive Regular Expression via the matchesExecAllowlistPattern function. An attacker can bypass intended command or executable path restrictions by crafting paths that exploit overly...

9.8CVSS5.6AI score0.00406EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/13 8:3 p.m.13 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchKey function. An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled destinations by crafting a JWT with malicious claim values that are interpolated into th...

9.3CVSS5.9AI score0.00258EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/12 2:49 p.m.13 views

Authorization Bypass Through User-Controlled Key

Overview @withstudiocms/api-spec is an API Specification for StudioCMS Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the create-reset-link process. An attacker can gain unauthorized access to higher-privileged accounts by generating a...

7.2CVSS5.8AI score0.00344EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/12 2:23 p.m.13 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the forwardProxy function. An attacker can access internal network resources, retrieve sensitive data, and potentially obtain cloud metadata or credentials by supplying a crafted URL to the endpoint...

8.7CVSS7.2AI score0.00278EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/12 2:16 p.m.13 views

Heap-based Buffer Overflow

Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

7CVSS5.9AI score0.00099EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/10 9:2 p.m.13 views

Out-of-bounds Read

Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

8.2CVSS5.8AI score0.00258EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/10 9:2 p.m.13 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

7.2CVSS5.9AI score0.00108EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/09 9:39 p.m.13 views

Stack-based Buffer Overflow

Overview Magick.NET-Q16-HDRI-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

8.6CVSS5.8AI score0.00096EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/08 5:2 p.m.13 views

Arbitrary Code Injection

Amendment This was deemed not a vulnerability. Overview es-toolkit is an A state-of-the-art, high-performance JavaScript utility library with a small bundle size and strong type annotations. Affected versions of this package are vulnerable to Arbitrary Code Injection. The template function in...

9.8CVSS6AI score0.2241EPSS
Exploits3References2
Snyk
Snyk
added 2026/03/06 7:14 a.m.13 views

Malicious Package

Overview @bytedanc-ad/mui-wc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/03/06 7:14 a.m.13 views

Malicious Package

Overview @rrvis/logger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/02/04 8:6 p.m.13 views

Missing Authentication for Critical Function

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authentication for Critical Function via config.apply. An attacker can execute arbitrary commands as the gateway process user by supplying crafted cliPath values through the Gatew...

8.6CVSS5.9AI score0.00639EPSS
Exploits0References3
Snyk
Snyk
added 2026/01/28 4:33 p.m.13 views

Malicious Package

Overview magic-porta1 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/01/28 4:33 p.m.13 views

Malicious Package

Overview dynamodb-data-mapper-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/01/28 4:33 p.m.13 views

Malicious Package

Overview focal-examples is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/01/19 9:50 p.m.13 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the environment proxy middleware. An attacker can gain unauthorized access to and manipulate remote environment resources by sending unauthenticated requests that are proxied to remote...

9.8CVSS5.6AI score0.00445EPSS
Exploits0References2
Snyk
Snyk
added 2026/01/07 7:20 p.m.13 views

Improper Validation of Specified Type of Input

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input that is passed to the handleFormData function. An attacker can gain unauthorized access to files on the underlying server by requests with unexpected...

10CVSS7.2AI score0.71647EPSS
Exploits18References2
Snyk
Snyk
added 2025/12/04 6:42 p.m.13 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to the lack of a security header on certain user-uploaded content served from repositories. An attacker can execute arbitrary scripts in the context of another user by uploading specially crafted content and...

5.4CVSS5.5AI score0.00287EPSS
Exploits0References2
Snyk
Snyk
added 2025/11/13 3:45 p.m.13 views

Relative Path Traversal

Overview privatebin/privatebin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Affected versions of this package are vulnerable to Relative Path Traversal via the template-switching feature when templateselection is enabled in the configuration. An...

6.9CVSS7.3AI score0.00482EPSS
Exploits0References2
Snyk
Snyk
added 2025/09/10 3:42 p.m.13 views

Allocation of Resources Without Limits or Throttling

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the data: URL handler. An attacker can trigger a denial of service by crafting a data: URL with an excessive...

7.5CVSS6.4AI score0.0106EPSS
Exploits1References2
Snyk
Snyk
added 2024/10/16 4:2 p.m.13 views

Denial of Service (DoS)

Overview org.webjars.npm:pacote is a JavaScript package downloader Affected versions of this package are vulnerable to Denial of Service DoS via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s rege...

8.7CVSS5.4AI score0.00346EPSS
Exploits0References2
Snyk
Snyk
added 2024/02/05 10:0 p.m.13 views

Prototype Pollution

Overview web3-utils is a Collection of utility functions used in web3.js. Affected versions of this package are vulnerable to Prototype Pollution via the utility functions format and mergeDeep, due to insecure recursive merge. An attacker can manipulate an object's prototype, potentially leading ...

7.5CVSS8AI score0.00712EPSS
Exploits0References2
Snyk
Snyk
added 2022/01/24 9:10 a.m.13 views

Prototype Pollution

Overview litespeed.js is a Lite & fast micro javascript framework that is easy to learn. Affected versions of this package are vulnerable to Prototype Pollution. When parsing the query string in the getJsonFromUrl function, the key that is set in the result object is not properly sanitized leadin...

9.8CVSS6.7AI score0.02117EPSS
Exploits1References2
Snyk
Snyk
added 2020/11/17 1:2 p.m.13 views

Code Injection

Overview lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Code Injection due the improper validation of options.variable key names in .template. An attacker can execute arbitrary code at template...

7.2CVSS7.2AI score0.2241EPSS
Exploits3References2
Snyk
Snyk
added 2020/08/31 10:25 a.m.13 views

Arbitrary Code Execution

Overview sandbox is a nifty javascript sandbox for node.js. Affected versions of this package are vulnerable to Arbitrary Code Execution through this.constructor.constructor. An attacker can execute arbitrary code in the system by evaluating payloads that have access to the main context, such as...

9.8CVSS6.3AI score
Exploits0References2
Snyk
Snyk
added 6 days ago12 views

Malicious Package

Overview poc-node-npm is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 2026/07/07 2:34 p.m.12 views

XML External Entity (XXE) Injection

Overview ebookmeta is a Read/write ebook metadata for fb2, epub2 and epub3 files Affected versions of this package are vulnerable to XML External Entity XXE Injection in the ebookmeta.getmetadata function via lxml dependency allows attackers to access sensitive information or cause a Denial of...

9.1CVSS7AI score0.00532EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/30 5:25 p.m.12 views

NULL Pointer Dereference

Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the LookupOrg handler in the /api/orgs/lookup endpoint when unauthenticated requests are made. An attacker can cause repeated NULL pointer dereferences, resulting in excessive log entries and increased disk...

6.9CVSS6AI score0.00362EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/29 10:23 p.m.12 views

Improper Authorization

Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Authorization due to the improper enforcement of security constraints in the default servlet when certain HTTP methods or...

6.5CVSS5.8AI score0.0041EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/29 4:53 p.m.12 views

Malicious Package

Overview unleash-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 9:11 p.m.12 views

Prototype Pollution

Overview n8n-workflow is a Workflow base code of n8n Affected versions of this package are vulnerable to Prototype Pollution via the deepCopy and replaceCircularReferences utilities in utils.ts. An attacker can inject crafted proto, constructor, or prototype fields in a public webhook payload tha...

6.4CVSS6.6AI score0.00259EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 6:22 a.m.12 views

Malicious Package

Overview node-slot is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/19 2:50 p.m.12 views

Inefficient Algorithmic Complexity

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the query-depth processing in validateQueryDepth and...

8.7CVSS5.9AI score0.00335EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/18 6:35 p.m.12 views

Unsafe Dependency Resolution

Overview @theia/ai-ide is an AI IDE Agents Extension Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the processing of workspace file and directory names in the AI chat. An attacker can cause the agent to execute attacker-controlled instructions by introducing...

8.8CVSS6.2AI score0.00272EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/18 8:57 a.m.12 views

Malicious Package

Overview uidaireusablecomponents is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/18 3:27 a.m.12 views

Malicious Package

Overview @ncurran/sandbox-recon-7c4e1a is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/18 3:27 a.m.12 views

Malicious Package

Overview npm-sandbox-research-a1b2 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/18 3:27 a.m.12 views

Malicious Package

Overview npm-sandbox-ping-c8f2a is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/17 8:4 p.m.12 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via missing authentication tag verification in the experimental Chacha20Poly1305 key-encryption algorithm. An attacker can modify an encrypted content-encryption key CEK in transit withou...

9.1CVSS5.9AI score
Exploits0References2
Total number of security vulnerabilities5000