Lucene search
K
SnykMost viewed

34963 matches found

Snyk
Snyk
added 2026/05/22 2:42 a.m.11 views

Malicious Package

Overview wallet-security-checker is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/22 2:42 a.m.11 views

Malicious Package

Overview crypto-credential-scanner is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/21 11:46 p.m.11 views

Incorrect Authorization

Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Incorrect Authorization via the allowedroutes field during API key generation. An attacker can gain unauthorized access to restricted routes by specifying routes outside...

8.8CVSS5.8AI score0.00739EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/21 9:49 p.m.11 views

Insecure Randomness

Overview Affected versions of this package are vulnerable to Insecure Randomness via the PasskeyEncipherImage function. An attacker can access sensitive information by exploiting AES-CTR nonce reuse during encryption. Remediation A fix was pushed into the master branch but not yet published...

6.3CVSS5.8AI score0.00229EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/21 9:43 p.m.11 views

Division by zero

Overview Magick.NET-Q16-HDRI-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

4.8CVSS5.8AI score0.00111EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/21 9:43 p.m.11 views

Division by zero

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

4.8CVSS5.8AI score0.00111EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/21 9:43 p.m.11 views

Division by zero

Overview Affected versions of this package are vulnerable to Division by zero in the processing of a user-supplied binomial kernel. An attacker can cause a crash or denial of service by providing a specially crafted large kernel that triggers a division by zero. Remediation A fix was pushed into...

4.8CVSS5.8AI score0.00111EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/21 9:42 p.m.11 views

Off-by-one Error

Overview Magick.NET-Q8-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

6.9CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/21 9:27 p.m.11 views

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the htmltomarkdown, markdowntohtml, and inlinecss filters due to incorrect declaration of output safety. An attacker can inject unescaped HTML or script content by supplying specially crafted...

6.1CVSS5.8AI score0.0006EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/21 8:38 p.m.11 views

Allocation of Resources Without Limits or Throttling

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the AttachmentsService upload-by-URL path in the attachment handling code. An attacker can exhaust storage or processing resources by providing a remote fil...

5.3CVSS5.8AI score0.0024EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/21 8:34 p.m.11 views

Server-side Request Forgery (SSRF)

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the sendMessage methods in the Discord, Mattermost, Slack, and Teams webhook adapters. An attacker can make the server send requests to attacker-controlled URLs by supplying a...

6.4CVSS5.9AI score0.00176EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/21 8:20 p.m.11 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the xsl-style-sheet option. An attacker can access internal or remote resources and read arbitrary local files by supplying crafted input to the xsl-style-sheet parameter. Remediation Upgrade...

7.2CVSS6AI score0.00249EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/21 3:35 p.m.11 views

Malicious Package

Overview json-spectaculation is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/21 2:41 p.m.11 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection due to the extension failing to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of...

8.2CVSS6AI score0.00386EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/21 1:56 p.m.11 views

Externally Controlled Reference to a Resource in Another Sphere

Overview Affected versions of this package are vulnerable to Externally Controlled Reference to a Resource in Another Sphere via the Build resource creation. An attacker can gain unauthorized control over pod generation in arbitrary Kubernetes namespaces, including the operator namespace, by...

8.6CVSS5.9AI score0.00325EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 5:48 p.m.11 views

Improper Validation of Specified Index, Position, or Offset in Input

Overview Affected versions of this package are vulnerable to Improper Validation of Specified Index, Position, or Offset in Input via the legacy GridFS file reader API. An attacker can cause a crash or leak process memory contents by supplying crafted documents with malformed file metadata to the...

6CVSS5.8AI score0.00281EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.11 views

Arbitrary Argument Injection

Overview symfony/runtime is an Enables decoupling PHP applications from global state Affected versions of this package are vulnerable to Arbitrary Argument Injection via SymfonyRuntime::getInput when registerargcargv=On in web SAPIs. An attacker can modify the Symfony application environment and...

5.4CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.11 views

Cross-site Scripting (XSS)

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the CodeExtension::fileExcerpt function in WebProfiler. An attacker can execute arbitrary JavaScript code in the...

5.4CVSS5.8AI score0.00062EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.11 views

Missing Authentication for Critical Function

Overview symfony/twilio-notifier is a Symfony Twilio Notifier Bridge Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the doParse webhook request parser in the notifier bridge. An attacker can submit forged webhook status events because the pars...

6.9CVSS5.7AI score0.00026EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.11 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the CodeExtension::fileExcerpt function in WebProfiler. An attacker can execute arbitrary JavaScript code in the context of affected users by sending a specially crafted non-PHP files with \n that avoids HTM...

5.4CVSS5.8AI score0.00062EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.11 views

Regular Expression Denial of Service (ReDoS)

Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the Parser::cleanup function. Symfony\Component\Yaml\Parser::cleanup strips the optional %YAML directive header, leading comments, and document start/end markers before parsing. The origina...

6.9CVSS5.8AI score0.00076EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.11 views

Incorrect Regular Expression

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Incorrect Regular Expression in the route URL requirements when a requirement is set as an alternation such as locale: 'ar|bg|...|vi|...|zhCN'...

8.7CVSS5.8AI score0.0004EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.11 views

User Impersonation

Overview symfony/security-http is a provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so called user providers that hold the users credentials. Affected versions of this package are vulnerable to User...

8.5CVSS5.9AI score0.00069EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.11 views

User Impersonation

Overview symfony/security-http is a provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so called user providers that hold the users credentials. Affected versions of this package are vulnerable to User...

9.3CVSS5.8AI score0.00064EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.11 views

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement 'Expression Language Injection' in the admin console endpoints such as /web/configuration/virtualServerEdit.jsf. An attacker can execute arbitrary syst...

9.1CVSS6AI score0.00819EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/20 3:35 p.m.11 views

Deserialization of Untrusted Data

Overview APScheduler is an In-process task scheduler with Cron-like capabilities Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the unmarshalobject function in the JSONSerializer and CBORSerializerserializers. An attacker can exploit this by submitting a...

9.8CVSS5.8AI score0.0081EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 9:41 a.m.11 views

Incorrect Authorization

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Incorrect Authorization via the deprecated % sandbox % include path. An attacker can bypass Twig sandbox restrictions by including a template that was previously loade...

7.4CVSS5.8AI score0.00066EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 9:41 a.m.11 views

Incorrect Authorization

Overview twig/twig is a flexible, fast, and secure template language for PHP. Affected versions of this package are vulnerable to Incorrect Authorization via incomplete CheckToStringNode enforcement in SandboxNodeVisitor. An attacker can invoke toString on arbitrary objects reachable from the...

7.4CVSS5.9AI score0.00044EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:42 a.m.11 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition via the timing window between path resolution and syscall execution in operations such as chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat. An attacker...

7.2CVSS6AI score0.00136EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/19 8:10 p.m.11 views

Uncontrolled Recursion

Overview sqlfluffrs is a The SQL Linter for Humans Affected versions of this package are vulnerable to Uncontrolled Recursion through the ParseContext and parser recursion in the SQL parser components. An attacker can exhaust parser stack depth and force repeated parse failures by supplying deepl...

8.7CVSS5.9AI score0.00263EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/19 8:3 p.m.11 views

HTTP Request Smuggling

Overview Affected versions of this package are vulnerable to HTTP Request Smuggling via the nuxtisland endpoint when responses are not properly bound to request props, allowing shared-cache poisoning. An attacker can cause users to receive attacker-controlled HTML by priming a shared cache with...

5.8CVSS6AI score0.00091EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/19 7:51 p.m.11 views

NULL Pointer Dereference

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to NULL Pointer Dereference when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire...

7.1CVSS5.4AI score0.0024EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/19 3:54 p.m.11 views

Improper Removal of Sensitive Information Before Storage or Transfer

Overview Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the HideSecretData function that fails to mask predictedLive argument for --server-side-diff command. An attacker can extract last-applied-configuration which may...

6.3CVSS5.8AI score0.00034EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/19 3:47 p.m.11 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal due to the improper validation of annotations from org.opencontainers.image.title in pullArtifact methods in Registry and OCILayout. An attacker can manipulate this annotation to create a path that escapes the output...

8.1CVSS6.2AI score
Exploits0References2
Snyk
Snyk
added 2026/05/19 2:47 p.m.11 views

Insecure Storage of Sensitive Information

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Insecure Storage of Sensitive Information via the connectionSettings function. An attacker can gain unauthorized access to authentication tokens and impersonate other users by injectin...

8.8CVSS5.6AI score0.00275EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/19 2:46 p.m.11 views

Cross-site Scripting (XSS)

Overview @haxtheweb/iframe-loader is an Adds a loading indicator for iframes. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the...

9.3CVSS5.8AI score0.0023EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/19 2:46 p.m.11 views

Cross-site Scripting (XSS)

Overview @haxtheweb/video-player is an Automated conversion of video-player/ Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the...

9.3CVSS5.8AI score0.0023EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/19 2:44 p.m.11 views

Use of a Broken or Risky Cryptographic Algorithm

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm via the hmacBase64 function. An attacker can obtain sensitive cryptographic material by sending a single unauthenticated HTTP request t...

9.8CVSS5.6AI score0.00295EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/19 2:44 p.m.11 views

Server-side Request Forgery (SSRF)

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the createSite function. An attacker can access internal network resources and read arbitrary files by supplying crafted URLs or file paths to the...

7.1CVSS5.6AI score0.00238EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/19 2:3 p.m.11 views

Malicious Package

Overview psxjson is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/19 10:50 a.m.11 views

External Control of Assumed-Immutable Web Parameter

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter via the SessionCodeChecks restart flow in the login sessi...

7.1CVSS5.8AI score0.00344EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/19 5:0 a.m.11 views

Client-Side Enforcement of Server-Side Security

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Client-Side Enforcement of Server-Side Security through the processAction registration flow in the WebAuthn...

5.3CVSS5.5AI score0.00392EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/18 9:47 p.m.11 views

Incorrect Permission Assignment for Critical Resource

Overview @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource in the configuration file rewrite process. An attacker can access sensitive credentials by reading files created with overly...

6.8CVSS5.8AI score0.00137EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.11 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.11 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.11 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/05/18 9:0 p.m.11 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.11 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.11 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/05/18 9:0 p.m.11 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References3
Total number of security vulnerabilities5000