Lucene search
K
SnykMost viewed

35340 matches found

Snyk
Snyk
added 2026/05/19 2:46 p.m.20 views

Cross-site Scripting (XSS)

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the victim's browser...

9.3CVSS5.8AI score0.0023EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 8:29 p.m.20 views

Cross-site Scripting (XSS)

Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the handling of attribute spreading and dynamic name attributes within form elements. An attacker can inject malicious scripts by manipulating both the sprea...

8.2CVSS5.5AI score0.00319EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 4:19 p.m.20 views

Missing Authorization

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Missing Authorization on the /api/v1/openai-assistants-vector-store API. Any user can manipulate, delete, or exfiltrate data by sending authenticated requests to the affected endpoints without proper...

8.7CVSS5.8AI score0.00327EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/13 11:16 a.m.20 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the OCSP stapling process with Apple SecTrust. An attacker can cause the client to accept invalid or revoked server certificates by exploiting the failure to properly detect OCSP response problems. Not...

9.1CVSS5.7AI score0.00267EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/12 9:0 p.m.20 views

Prototype Pollution

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Prototype Pollution in the Xml class, which implements an XML node. A user with permission to create or modify workflows can achieve remote code execution on the host system. Note: This is a bypass ...

9.9CVSS6.5AI score0.00634EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/10 9:0 p.m.20 views

Brute Force

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Brute Force when rate limiting is enabled which it is by default. The protections of the getIp function, which constructs rate-limiting keys based on the exa...

7.3CVSS5.8AI score0.00295EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/10 2:20 p.m.20 views

User Impersonation

Overview opencart/opencart is a shopping cart system Affected versions of this package are vulnerable to User Impersonation via the OCSESSID cookie. An attacker can gain unauthorized access to user accounts by injecting arbitrary values into the session cookie, allowing session takeover...

9.8CVSS5.9AI score0.00423EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 4:27 p.m.20 views

XML Injection

Overview Affected versions of this package are vulnerable to XML Injection due to the incomplete sanitization of XML comments. An attacker can inject arbitrary XML or HTML content by including three consecutive dashes in the comment value. Note: This issue was introduced by the fix for...

6.1CVSS5.9AI score0.00238EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/08 3:58 p.m.20 views

Arbitrary Code Injection

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection despite the recently introduced neutralizeArraySpeciesBatch helper in lib/bridge.js. An attacker can execute arbitrary code ...

10CVSS6.2AI score0.00851EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/07 12:12 a.m.20 views

Null Byte Interaction Error (Poison Null Byte)

Overview Affected versions of this package are vulnerable to Null Byte Interaction Error Poison Null Byte due to inadequate validation of domain name labels and lengths in the encodeDomainName and decodeDomainName components. An attacker can cause DNS cache poisoning, bypass domain validation, or...

9.1CVSS5.8AI score0.00969EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 12:11 a.m.20 views

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection in the newInitialMessage function of HttpProxyHandler when header validation is explicitly disabled and user-influenced outboundHeaders are added without sanitization. An attacker can inject arbitrary HTTP headers into...

7.5CVSS6.9AI score0.00952EPSS
Exploits2References2
Snyk
Snyk
added 2026/05/06 9:20 p.m.20 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization via the browser interaction routes. An attacker can access arbitrary files by bypassing navigation guards and leveraging browser act/evaluate interactions to pivot...

7.1CVSS5.9AI score0.00253EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/21 6:59 p.m.20 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value through the source.view path in font/sfnt. An attacker can force the parser to allocate a large read buffer by supplying a corrupt or malicious font file that advertises data beyond the file's...

6.1CVSS5.9AI score0.00112EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/21 12:11 a.m.20 views

Improper Verification of Cryptographic Signature

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the Nostr DM ingress path. An attacker can cause unauthorized pairing challenges to be issued and consume shared pairing capacity by...

6.9CVSS5.7AI score0.00253EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/16 10:48 p.m.20 views

Insufficient Granularity of Access Control

Overview Affected versions of this package are vulnerable to Insufficient Granularity of Access Control inadequate authorization checks in the POST /api/agents/:id/keys, GET /api/agents/:id/keys, and DELETE /api/agents/:id/keys/:keyId routes. An attacker can gain unauthorized access to sensitive...

8.5CVSS5.8AI score
Exploits0References4
Snyk
Snyk
added 2026/04/15 8:22 p.m.20 views

Use of Hard-coded Credentials

Overview Affected versions of this package are vulnerable to Use of Hard-coded Credentials when the nexus.orient.binaryListenerEnabled configuration is set to true. This option is set by default in legacy HA-C mode, but not in standalone deployments, including HA deployments. An attacker can gain...

9.2CVSS5.9AI score0.00461EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/10 7:40 p.m.20 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the function parameter, which is concatenated into an API error message and rendered without HTML escaping. An attacker can execute arbitrary JavaScript code in the context of a backend user's session by...

4.1CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/03 4:7 a.m.20 views

Improper Validation of Unsafe Equivalence in Input

Overview fast-jwt is a Fast JSON Web Token implementation Affected versions of this package are vulnerable to Improper Validation of Unsafe Equivalence in Input in the cacheKeyBuilder function when custom implementations do not generate unique keys for different tokens, leading to cache collision...

9.3CVSS5.9AI score0.00212EPSS
Exploits0References4
Snyk
Snyk
added 2026/01/28 4:33 p.m.20 views

Malicious Package

Overview mona-max is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:24 p.m.19 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object...

6.9CVSS6AI score0.00282EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 9:17 p.m.19 views

Cross-site Scripting (XSS)

Overview @earendil-works/pi-coding-agent is a Coding agent CLI with read, bash, edit, write tools and session management Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of Markdown link and image URLs during HTML session export. An attacker c...

2.5CVSS6AI score0.00132EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 8:28 a.m.19 views

Malicious Package

Overview ts-ecro is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/05 5:13 p.m.19 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the ParseDepedencyExpression function of the UEFI firmware image parser when an attacker provides a specially crafted opcode value. An attacker can cause a denial of service or potentially disclose minor informatio...

7.1CVSS5.5AI score0.00225EPSS
Exploits1References3
Snyk
Snyk
added 2026/06/01 9:0 p.m.19 views

Malicious Package

Overview omglucidesotuff is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/01 9:0 p.m.19 views

Malicious Package

Overview ishowfeet9 is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate advertisi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/01 9:0 p.m.19 views

Malicious Package

Overview backupsitetuff6 is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/01 9:0 p.m.19 views

Malicious Package

Overview howmanygreatbritain is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/31 9:0 p.m.19 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to the "Miasma" supply chain attack targeting the @redhat-cloud-services npm namespace. A malicious actor compromised the publication pipeline and published versions containing malicious code that includes...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/29 10:54 p.m.19 views

Malicious Package

Overview @cloudplatform-single-spa/business-solutions is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/29 10:2 p.m.19 views

Malicious Package

Overview foundry-config is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 8:1 a.m.19 views

Malicious Package

Overview lint-builder-logger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/22 1:14 p.m.19 views

Improper Authentication

Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

6CVSS5.8AI score0.00093EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/22 2:42 a.m.19 views

Malicious Package

Overview truffle-config-helper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/21 9:43 p.m.19 views

Division by zero

Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

4.8CVSS5.8AI score0.00111EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/19 2:35 p.m.19 views

Allocation of Resources Without Limits or Throttling

Overview Scriban.Signed is a fast, powerful, safe and lightweight scripting language and engine for .NET, which was primarily developed for text templating with a compatibility mode for parsing liquid templates. Affected versions of this package are vulnerable to Allocation of Resources Without...

9.2CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.19 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.19 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 8:36 p.m.19 views

Out-of-bounds Write

Overview Magick.NET-Q16-HDRI-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

8.7CVSS5.8AI score0.00441EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/15 8:46 a.m.19 views

Malicious Package

Overview supabase-javascript is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/14 6:25 p.m.19 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal due to insufficient path sanitization in the osfs.ChrootOS component. An attacker can gain unauthorized access to unintended filesystem locations by supplying crafted paths containing directory traversal sequences...

8.6CVSS6.3AI score0.0031EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:23 p.m.19 views

Directory Traversal

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Directory Traversal via the createmodelversion function. An attack...

8.7CVSS7.5AI score0.00712EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/11 7:36 p.m.19 views

Arbitrary Code Injection

Overview mermaid is a package for generation of diagrams and flowcharts from text in a similar manner as markdown. Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper sanitization of the classDef function in state diagrams. An attacker can inject arbitrary...

7.1CVSS5.9AI score0.00401EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 6:32 a.m.19 views

Cross-site Scripting (XSS)

Overview org.opencms:opencms-core is a Java open source content management system by Alkacon Software. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the updateModelGroups.jsp process. An attacker can execute arbitrary scripts in the context of a user's browser by...

6.1CVSS5.9AI score0.00149EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 8:52 p.m.19 views

Server-side Request Forgery (SSRF)

Overview nuxt-og-image is an Enlightened OG Image generation for Nuxt. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to inadequate validation of user-supplied URLs in the isBlockedUrl process. An attacker can access internal network resources or sensitiv...

6.3CVSS5.8AI score0.00171EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 10:26 p.m.19 views

Improper Authentication

Overview fast-jwt is a Fast JSON Web Token implementation Affected versions of this package are vulnerable to Improper Authentication in the async key resolver when it returns an empty string or zero-length buffer. An attacker can gain unauthorized access and assume arbitrary identities by forgin...

9.1CVSS5.9AI score0.00236EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/05 5:58 p.m.19 views

Incorrect Authorization

Overview codechecker is an analyzer tooling, defect database and viewer extension Affected versions of this package are vulnerable to Incorrect Authorization via the Authentication endpoint functions, including getAuthorisedNames, getPermissionsForUser, hasPermission, addPermission, and...

10CVSS5.8AI score0.00447EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/21 12:0 a.m.19 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the InnoDB component. An attacker can cause the server to hang or crash repeatedly by sending crafted requests over the network with high privileges. Remediation Upgrade...

6.9CVSS7.7AI score0.00323EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/14 11:27 p.m.19 views

HTTP Response Splitting

Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the MailAddressParser.TryParseAddress function due to improper neutralisation of CRLF sequences. An attacker can impersonate another user or entity by sending specially crafted data over the network...

8.7CVSS6.2AI score0.02279EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/06 5:59 p.m.19 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect through the redirecturi parameter in multiple endpoints ForgotPassword, MagicLinkLogin, Signup, InviteMembers, OAuthLoginHandler, VerifyEmailHandler which is not validated against AllowedOrigins. An attacker can obtain...

8.6CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/27 7:58 p.m.19 views

Server-side Request Forgery (SSRF)

Overview @clerk/backend is a Clerk Backend SDK - REST Client for Backend API & JWT verification utilities Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the clerkFrontendApiProxy function. An attacker can obtain secret keys by crafting a request path that...

9.1CVSS5.9AI score0.00309EPSS
Exploits0References2
Total number of security vulnerabilities5000