Lucene search
K
SnykMost viewed

35183 matches found

Snyk
Snyk
added 2026/05/22 1:14 p.m.21 views

Improper Authentication

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

6CVSS5.8AI score0.00093EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/18 11:48 p.m.21 views

Creation of Temporary File With Insecure Permissions

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions via the...

7.8CVSS7.6AI score0.00215EPSS
Exploits2References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.21 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/15 5:53 p.m.21 views

Server-side Request Forgery (SSRF)

Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the req function. An attacker can access internal services and sensitive cloud metadata by leveraging HTTP redirects through an attacker-controlled server,...

7.7CVSS5.8AI score0.00258EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 6:26 p.m.21 views

Cross-site Scripting (XSS)

Overview sanitize-html is a library that allows you to clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis Affected versions of this package are vulnerable to Cross-site Scripting XSS via the xmp raw-text passthrough. An attacker can...

6.1CVSS5.8AI score0.00397EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 4:20 p.m.21 views

Server-side Request Forgery (SSRF)

Overview @budibase/backend-core is a Budibase backend core libraries used in server and worker Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the urlUpload function. An attacker can access internal network resources and sensitive metadata by submitting a...

7.7CVSS5.9AI score0.00263EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 8:34 p.m.21 views

Type Confusion

Overview Affected versions of this package are vulnerable to Type Confusion in code compilation. An attacker can execute arbitrary code by providing malicious input. Notes: This is only exploitable if the system compiles untrusted or attacker-controlled code. Workaround This vulnerability can be...

8.2CVSS6.2AI score0.00125EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/08 7:17 p.m.21 views

SQL Injection

Overview @mikro-orm/sql is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Supports MongoDB, MySQL, PostgreSQL and SQLite databases as well as usage with vanilla JavaScript. Affected versions of this package are vulnerable to SQL Injection via improper...

7.6CVSS6.1AI score0.01252EPSS
Exploits2References2
Snyk
Snyk
added 2026/05/07 6:30 p.m.21 views

Allocation of Resources Without Limits or Throttling

Overview youtube-regex is a The correct Youtube video id regex! Regex done right! Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the regex param. An attacker can cause excessive resource consumption by supplying crafted input that...

8.7CVSS5.8AI score0.00278EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 4:30 a.m.21 views

Information Exposure

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Information Exposure via the sandbox CallSite handling. An attacker can leak absolute host filesystem paths by causing error.stack or getEvalOrigin t...

6.9CVSS5.9AI score0.00241EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:26 a.m.21 views

Allocation of Resources Without Limits or Throttling

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the Buffer.alloc family in lib/setup-sandbox.js. An attacker can crash the host process ...

8.7CVSS6.1AI score0.00424EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/06 7:54 p.m.21 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the evaluation of user-controlled input within validation rules during documentation generation. An attacker can execute arbitrary code by supplying crafted data to documentation endpoints when they are...

9.4CVSS6AI score0.0586EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/05 8:30 p.m.21 views

Race Condition

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Race Condition due to a race condition in the login process. An attacker can obtain multiple valid session tokens by...

2.2CVSS5.8AI score0.00236EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/14 11:32 p.m.21 views

Out-of-bounds Write

Overview Magick.NET-Q16-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

7.8CVSS5.8AI score0.00121EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/10 12:11 a.m.21 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the PKCS7VerifySignedData process. An attacker can cause the application to read memory outside the bounds of a heap buffer by submitting a specially crafted PKCS7 message. Remediation Upgrade wolfssl to version...

5.4CVSS5.9AI score0.00159EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/18 12:57 a.m.21 views

Directory Traversal

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the handling of module paths in the gateway configuration. An attacker can execute arbitrary code by supplying a crafted module path to the configuration if they...

8.6CVSS6.7AI score0.00405EPSS
Exploits0References2
Snyk
Snyk
added 2026/01/05 10:58 p.m.21 views

HTTP Request Smuggling

Overview Affected versions of this package are vulnerable to HTTP Request Smuggling via the unicode processing of HTTP header values. An attacker can bypass firewall or proxy protections by sending requests containing non-ASCII characters. Note: This is only exploitable if C extensions are not in...

6.5CVSS6.9AI score0.00213EPSS
Exploits0References2
Snyk
Snyk
added 2026/01/05 10:58 p.m.21 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the autodecompress feature in the ZLibDecompressor class. An attacker can exhaust system memory by sending a compressed request that, when decompressed, consumes excessive...

8.7CVSS7AI score0.00487EPSS
Exploits0References3
Snyk
Snyk
added 2022/06/06 1:0 p.m.21 views

Arbitrary Code Injection

Overview convert-svg-core is a package that supports converting SVG into another format using headless Chromium. Affected versions of this package are vulnerable to Arbitrary Code Injection when using a specially crafted SVG file. An attacker can read arbitrary files from the file system and then...

7.8CVSS7.7AI score0.00855EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/23 3:32 p.m.20 views

Malicious Package

Overview mjs-eslint-service is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/16 9:0 p.m.20 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/10 2:30 p.m.20 views

Malicious Package

Overview nw-demo is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/03 6:2 p.m.20 views

Arbitrary Command Injection

Overview launch-editor is a launch editor from node.js Affected versions of this package are vulnerable to Arbitrary Command Injection due to improper sanitization of the file argument on Windows systems. An attacker can execute arbitrary commands by supplying a specially crafted filename as the...

8.8CVSS5.9AI score0.00521EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/01 9:0 p.m.20 views

Malicious Package

Overview nottuff24 is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate advertisin...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/01 9:0 p.m.20 views

Malicious Package

Overview speed5 is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate advertising...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/29 5:50 p.m.20 views

Improper Control of Dynamically-Managed Code Resources

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources through the NodeVM constructor in lib/nodevm.js. An attacker can obtain host code execution by...

10CVSS6.2AI score0.00382EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 4:50 p.m.20 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Base64URL decoding process. An attacker can cause excessive CPU and memory consumption by supplying an arbitrarily large payload segment when verifying detached JWS tokens wit...

7.5CVSS5.8AI score0.00288EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/25 8:54 a.m.20 views

Malicious Package

Overview webservices.rest-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/22 1:14 p.m.20 views

Improper Authentication

Overview Magick.NET-Q16-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...

6CVSS5.8AI score0.00093EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/21 9:49 p.m.20 views

Insecure Randomness

Overview Magick.NET-Q16-HDRI-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...

6.3CVSS5.8AI score0.00229EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/21 9:43 p.m.20 views

Division by zero

Overview Magick.NET-Q8-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package ar...

4.8CVSS5.8AI score0.00111EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/21 8:42 p.m.20 views

Server-side Request Forgery (SSRF)

Overview FlaskBB is an A classic Forum Software in Python using Flask. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the getimageinfo function. An attacker can access internal network resources and sensitive cloud metadata by supplying a crafted URL as t...

8.6CVSS5.5AI score0.00032EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/21 8:22 p.m.20 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the constructor when the binary path is sourced from user-influenced configuration, environment variables derived from request data, or concatenated with user-controlled fragments. An attacker can execute arbitrary...

7.5CVSS6AI score0.00152EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/19 4:17 p.m.20 views

Server-side Request Forgery (SSRF)

Overview n8n-core is a Core functionality of n8n Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the POST /rest/dynamic-node-parameters/options endpoint. An attacker can redirect responses to a server under their control by sending a specially crafted...

7.4CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/19 2:46 p.m.20 views

Cross-site Scripting (XSS)

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the victim's browser...

9.3CVSS5.8AI score0.0023EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 8:29 p.m.20 views

Cross-site Scripting (XSS)

Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the handling of attribute spreading and dynamic name attributes within form elements. An attacker can inject malicious scripts by manipulating both the sprea...

8.2CVSS5.5AI score0.00319EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 4:19 p.m.20 views

Missing Authorization

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Missing Authorization on the /api/v1/openai-assistants-vector-store API. Any user can manipulate, delete, or exfiltrate data by sending authenticated requests to the affected endpoints without proper...

8.7CVSS5.8AI score0.00327EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 9:0 p.m.20 views

Prototype Pollution

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Prototype Pollution in the Xml class, which implements an XML node. A user with permission to create or modify workflows can achieve remote code execution on the host system. Note: This is a bypass ...

9.9CVSS6.5AI score0.00634EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.20 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.20 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/10 9:0 p.m.20 views

Brute Force

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Brute Force when rate limiting is enabled which it is by default. The protections of the getIp function, which constructs rate-limiting keys based on the exa...

7.3CVSS5.8AI score0.00295EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/10 2:20 p.m.20 views

User Impersonation

Overview opencart/opencart is a shopping cart system Affected versions of this package are vulnerable to User Impersonation via the OCSESSID cookie. An attacker can gain unauthorized access to user accounts by injecting arbitrary values into the session cookie, allowing session takeover...

9.8CVSS5.9AI score0.00423EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 4:27 p.m.20 views

XML Injection

Overview Affected versions of this package are vulnerable to XML Injection due to the incomplete sanitization of XML comments. An attacker can inject arbitrary XML or HTML content by including three consecutive dashes in the comment value. Note: This issue was introduced by the fix for...

6.1CVSS5.9AI score0.00238EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/08 3:58 p.m.20 views

Arbitrary Code Injection

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection despite the recently introduced neutralizeArraySpeciesBatch helper in lib/bridge.js. An attacker can execute arbitrary code ...

10CVSS6.2AI score0.00851EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/07 12:12 a.m.20 views

Null Byte Interaction Error (Poison Null Byte)

Overview Affected versions of this package are vulnerable to Null Byte Interaction Error Poison Null Byte due to inadequate validation of domain name labels and lengths in the encodeDomainName and decodeDomainName components. An attacker can cause DNS cache poisoning, bypass domain validation, or...

9.1CVSS5.8AI score0.00944EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 12:11 a.m.20 views

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection in the newInitialMessage function of HttpProxyHandler when header validation is explicitly disabled and user-influenced outboundHeaders are added without sanitization. An attacker can inject arbitrary HTTP headers into...

7.5CVSS6.9AI score0.00927EPSS
Exploits2References2
Snyk
Snyk
added 2026/05/07 12:6 a.m.20 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the SNS HTTP/HTTPS notification endpoints due to missing signature verification. An attacker can cause the application to process arbitrary payloads as legitimate notifications, auto-confi...

6.3CVSS5.9AI score0.00179EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 9:20 p.m.20 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization via the browser interaction routes. An attacker can access arbitrary files by bypassing navigation guards and leveraging browser act/evaluate interactions to pivot...

7.1CVSS5.9AI score0.00253EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/21 6:59 p.m.20 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value through the source.view path in font/sfnt. An attacker can force the parser to allocate a large read buffer by supplying a corrupt or malicious font file that advertises data beyond the file's...

6.1CVSS5.9AI score0.00112EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/21 12:11 a.m.20 views

Improper Verification of Cryptographic Signature

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the Nostr DM ingress path. An attacker can cause unauthorized pairing challenges to be issued and consume shared pairing capacity by...

6.9CVSS5.7AI score0.00253EPSS
Exploits0References2
Total number of security vulnerabilities5000