Lucene search
K
SnykMost viewed

35537 matches found

Snyk
Snyk
added 2026/05/29 9:14 p.m.11 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the decoding process. An attacker can cause application crashes or bypass memory allocation limits by supplying specially crafted Avro data that exploits integer arithmetic errors during decoding...

8.7CVSS5.8AI score0.00397EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/29 9:14 p.m.11 views

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop through the Avro Decoder process. An attacker can exhaust CPU resources by providing a specially crafted payload with a large block-count value, causing the decoder to perform excessive iterations before propagating an...

8.7CVSS5.8AI score0.00378EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/29 7:55 p.m.11 views

Asymmetric Resource Consumption (Amplification)

Overview Nerdbank.MessagePack is an A modern, fast and NativeAOT-compatible MessagePack serialization library Affected versions of this package are vulnerable to Asymmetric Resource Consumption Amplification in the deserialization of collection-shaped types, where the element count from MessagePa...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/29 7:43 p.m.11 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the parsing of maliciously crafted Git repository data, such as .pack, .idx, or loose objects. An attacker can cause the application to panic by providing a payload that excee...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/29 7:32 p.m.11 views

Arbitrary Code Injection

Overview redshift-connector is a Redshift interface library Affected versions of this package are vulnerable to Arbitrary Code Injection due to the use of eval on untrusted data received from the server, in the vectorin function. An attacker can execute arbitrary code on the client system by...

9.8CVSS6.2AI score0.00808EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/29 7:18 p.m.11 views

SQL Injection

Overview agno is an Agno: a lightweight library for building Multi-Agent Systems Affected versions of this package are vulnerable to SQL Injection via the deletebymetadata function in the clickhouse backend. An attacker can execute unintended SQL commands by supplying malicious metadata keys and...

8.7CVSS6AI score0.00319EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/29 5:44 p.m.11 views

Incomplete List of Disallowed Inputs

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs through Symbol.for handling in lib/setup-sandbox.js and the bridge write traps in lib/bridge.js. An attacker can...

9.5CVSS5.9AI score0.00266EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/29 5:22 p.m.11 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the browser debug and export routes. An attacker can access sensitive internal resources by reusing already-open blocked tabs to export or inspect content that...

6.5CVSS5.5AI score0.00155EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/29 5:16 p.m.11 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via host resolution in the CLI authentication layer. An attacker can obtain authentication tokens intended for GitHub or GitHub Enterprise by causing authenticated requests to be sent to external hosts, as the ho...

9.1CVSS5.4AI score0.00289EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 10:28 p.m.11 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the validatepathelementntfs function. An attacker can write arbitrary files and potentially execute code in the victim's user context by crafting malicious Git repositories with NTFS-hostile tree entries that are...

8.8CVSS6.4AI score0.00635EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 8:2 p.m.11 views

Directory Traversal

Overview shamefile is an A cli tool to enforce documentation for code suppressions Affected versions of this package are vulnerable to Directory Traversal via the shame next process when processing a user-controlled shamefile.yaml. An attacker can disclose the contents of files outside the intend...

6.8CVSS6.3AI score0.00013EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 6:25 p.m.11 views

Insertion of Sensitive Information into Log File

Overview github.com/projectcalico/calico/cni-plugin/pkg/install is a cloud-native networking and network security package Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the logging of the entire unmarshaled configuration map at INFO level ...

7.7CVSS5.8AI score0.00323EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 6:24 p.m.11 views

Incorrect Regular Expression

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Incorrect Regular Expression via the ip-restriction middleware. An attacker can bypass configured deny rules for IPv6 addresses by submitting non-canonical representations, such as...

6.9CVSS5.8AI score0.00244EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 6:24 p.m.11 views

HTTP Response Splitting

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to HTTP Response Splitting via the serialize function. An attacker can inject arbitrary attributes into the Set-Cookie response header by supplying crafted input to the sameSite or priority...

5.3CVSS5.9AI score0.00216EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 5:19 p.m.11 views

Missing Release of File Descriptor or Handle after Effective Lifetime

Overview Affected versions of this package are vulnerable to Missing Release of File Descriptor or Handle after Effective Lifetime via the ParseFile function. An attacker can cause the process to exhaust available file descriptors and disrupt service by repeatedly triggering schema parsing...

5.5CVSS5.8AI score0.00168EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/28 5:19 p.m.11 views

Missing Release of File Descriptor or Handle after Effective Lifetime

Overview Affected versions of this package are vulnerable to Missing Release of File Descriptor or Handle after Effective Lifetime via the ParseFile function. An attacker can cause the process to exhaust available file descriptors and disrupt service by repeatedly triggering schema parsing...

5.5CVSS5.8AI score0.00168EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/28 5:4 p.m.11 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the Parse function. An attacker can exhaust CPU resources and generate excessive log output by sending oversized or malformed headers that are processed without length checks. Remediation...

6.9CVSS5.8AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 4:50 p.m.11 views

Cross-site Scripting (XSS)

Overview tinymce/tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper handling of SVG namespace scope by the sanitizer. An attacker can execute arbitrary JavaScript by crafting a payload with neste...

8.7CVSS5.8AI score0.00191EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 4:50 p.m.11 views

Cross-site Scripting (XSS)

Overview TinyMCE is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized data-mce-href, data-mce-src, and data-mce-style attributes. An attacker can execute arbitrary scripts in the context of the user's...

8.7CVSS5.9AI score0.00281EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 4:50 p.m.11 views

Excessive Iteration

Overview pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Excessive Iteration via the processing of cross-reference streams containing /W values set to 0 0 0 and large /Size values. An...

5.1CVSS5.8AI score0.00124EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 4:50 p.m.11 views

Cross-site Scripting (XSS)

Overview TinyMCE is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the media plugin when handling crafted data-mce- attributes. An attacker can execute arbitrary scripts in the context of the user's browser by...

8.7CVSS5.9AI score0.00264EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 4:50 p.m.11 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the jwt.decode or jwt.decodecomplete functions when used with a PyJWK key. An attacker can bypass algorithm restrictions and gain unauthorized access to protected resources by signing...

5.4CVSS5.8AI score0.00127EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/28 4:48 p.m.11 views

Allocation of Resources Without Limits or Throttling

Overview pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the parsing process. An attacker can cause excessive memory consumption b...

6.9CVSS5.8AI score0.0013EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 1:39 p.m.11 views

Malicious Package

Overview @service-suppliers/setcountrylist is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/28 1:39 p.m.11 views

Malicious Package

Overview @service-suppliers/setselectedsupplieractionsaga is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/28 1:39 p.m.11 views

Malicious Package

Overview @service-suppliers/fetchsuppliersactionsaga is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/28 1:39 p.m.11 views

Malicious Package

Overview @databus-service-ui/ui-event is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/28 1:39 p.m.11 views

Malicious Package

Overview @polka-ui/loader is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/28 12:38 p.m.11 views

Relative Path Traversal

Overview org.apache.ignite:ignite-core is a memory-centric distributed database, caching, and processing platform for transactional, analytical, and streaming workloads delivering in-memory speeds at petabyte scale. Affected versions of this package are vulnerable to Relative Path Traversal via t...

8.5CVSS5.9AI score0.00526EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 6:7 a.m.11 views

External Control of File Name or Path

Overview org.jenkins-ci.plugins:email-ext is a plugin that allows you to configure every aspect of email notifications. Affected versions of this package are vulnerable to External Control of File Name or Path via the data-inline attribute. An attacker can gain control of the email content and re...

8.8CVSS5.9AI score0.00299EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 3:53 a.m.11 views

Authentication Bypass by Primary Weakness

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the Client-Initiated Backchannel Authentication CIBA flow. An...

4.3CVSS5.9AI score0.00206EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/28 3:10 a.m.11 views

Improper Handling of Insufficient Permissions or Privileges

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the org.keycloak.protocol.oidc component when...

6.9CVSS5.4AI score0.00267EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 10:27 p.m.11 views

Incorrect Authorization

Overview pimcore/pimcore is a content & product management framework CMS/PIM/E-Commerce. Affected versions of this package are vulnerable to Incorrect Authorization in the WordExport process. An attacker can access and export sensitive document content by exploiting insufficient object-level...

6.4CVSS5.8AI score0.00089EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 7:33 p.m.11 views

Inefficient Algorithmic Complexity

Overview Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the BER data parsing process. An attacker can cause excessive resource consumption and service disruption by submitting specially crafted indefinite length encodings. Remediation Upgrade botan to...

7.5CVSS5.8AI score0.00324EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 5:36 p.m.11 views

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the migrate endpoint /actions/app/migrate. An attacker can perform unauthorized migration operations by sending crafted requests to this endpoint. Remediation There ...

7.3CVSS5.8AI score0.00283EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/27 5:36 p.m.11 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data from LDAP referrals. An attacker can execute arbitrary code or perform unauthorized actions by supplying crafted LDAP referral data. Details Serialization is a process of converting an object into a...

8.8CVSS6.1AI score0.0027EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 5:34 p.m.11 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the parseiadarray function. An attacker can cause a denial of service by supplying a malformed USB descriptor with a crafted bLength value, leading to a one-byte out-of-bounds read when processing USB interface...

5.5CVSS5.8AI score0.0013EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 5:34 p.m.11 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the form validation method. An attacker can connect to an arbitrary URL by leveraging Overall/Read permission. Remediation Upgrade com.rapid7:jenkinsci-appspider-plugin to version 1.0.18 or higher. References -...

5.3CVSS5.9AI score0.00187EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 9:41 a.m.11 views

Server-side Request Forgery (SSRF)

Overview symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF. The NoPrivateNetworkHttpClient is designed to be a security boundary that blocks requests to private/interna...

8.8CVSS5.8AI score0.00029EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 3:23 a.m.11 views

Stack-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Stack-based Buffer Overflow via the scanForGeometryContainers function. An attacker can achieve arbitrary code execution by supplying a crafted NetCDF file containing an oversized geometry attribute, which is read into a fixed-size stac...

7.8CVSS6.4AI score0.00102EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/27 12:3 a.m.11 views

Improper Encoding or Escaping of Output

Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output that allows bypassing of the contenttypedenylist in the denylistedcontenttype? function. An attacker can upload files with MIME types containing unescaped regex metacharacters, including the + in...

6.1CVSS5.7AI score0.00223EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/26 6:0 p.m.11 views

Cross-site Scripting (XSS)

Overview @typebot.io/js is a Javascript library to display typebots on your website Affected versions of this package are vulnerable to Cross-site Scripting XSS via the href attribute in anchor tags rendered from user-controlled content. An attacker can execute arbitrary JavaScript in the context...

6.1CVSS5.8AI score0.00241EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/26 11:56 a.m.11 views

Malicious Package

Overview xlsx-enhanced is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/26 9:20 a.m.11 views

Malicious Package

Overview eo-terminal is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 11:17 p.m.11 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect due to insufficient validation of the Referer header in saveRequestReferer. An authenticated user can redirect users to arbitrary external sites by supplying a malicious Referer value during authentication. Remediation...

5.4CVSS5.9AI score0.00352EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/25 12:58 p.m.11 views

LDAP Injection

Overview apache-airflow-providers-fab is a Provider package apache-airflow-providers-fab for Apache Airflow Affected versions of this package are vulnerable to LDAP Injection through the ldapbindindirect and nested group search code in override.py. An attacker can manipulate the LDAP username or...

9.1CVSS5.9AI score0.00574EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/25 10:59 a.m.11 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:echarts is an Apache ECharts is a powerful, interactive charting and data visualization library for browser Affected versions of this package are vulnerable to Cross-site Scripting XSS in the tooltip rendering when both Lines series and tooltip are used without a...

6.1CVSS5.9AI score0.00759EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/25 9:5 a.m.11 views

Malicious Package

Overview jules-standard is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 9:5 a.m.11 views

Malicious Package

Overview @gbrlxvii/ts-form-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 9:5 a.m.11 views

Malicious Package

Overview @gbrlxvii/ts-env-validator is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Total number of security vulnerabilities5000