Lucene search
K
SnykMost viewed

35355 matches found

Snyk
Snyk
•added 2026/04/16 9:28 p.m.•11 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview homeassistant-cli is a Command-line tool for Home Assistant. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the handling of user-supplied Jinja2 templates. An attacker can execute arbitrary code by convincing ...

5.6CVSS6.2AI score0.00103EPSS
Exploits0References3
Snyk
Snyk
•added 2026/04/16 9:22 p.m.•11 views

Use of Hard-coded Credentials

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Use of Hard-coded Credentials via the weak default TOKENHASHSECRET. An attacker can access sensitive internal identifiers by decrypting the meta field in JWT tokens when the default secret is used,...

5.6CVSS5.5AI score
Exploits0References2
Snyk
Snyk
•added 2026/04/16 9:10 p.m.•11 views

Timing Attack

Overview mojic is an Obfuscate C source code into encrypted, password-seeded emoji streams. Affected versions of this package are vulnerable to Timing Attack in the getDecryptStream process. An attacker can bypass file integrity checks by exploiting timing discrepancies in the HMAC verification,...

5.7CVSS6AI score0.00108EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/16 9:9 p.m.•11 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to improper access control in the unaccess process. An attacker can cause disruption of all public shares routed through a global frontend by sending a DELETE request to the affected API endpoint with knowled...

6CVSS5.7AI score0.00286EPSS
Exploits0References3
Snyk
Snyk
•added 2026/04/16 1:31 a.m.•11 views

Out-of-bounds Write

Overview Affected versions of this package are vulnerable to Out-of-bounds Write in the ReadCLen function of the Tiano decompressor. An attacker can cause a crash by supplying specially crafted compressed firmware data that triggers a heap out-of-bounds write during decompression. Remediation...

8.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
•added 2026/04/15 6:57 p.m.•11 views

Timing Attack

Overview @sync-in/server is a The secure, open-source platform for file storage, sharing, collaboration, and syncing Affected versions of this package are vulnerable to Timing Attack via the login process. An attacker can obtain valid usernames by measuring differences in response times from the...

6.9CVSS5.8AI score0.00333EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/15 10:13 a.m.•11 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the verifybyte expected function in JcaContentVerifierProviderBuilder. An attacker can forge a protected CMP/PKI message by supplying an empty composite signature sequence that...

9.2CVSS5.7AI score0.00392EPSS
Exploits0References3
Snyk
Snyk
•added 2026/04/14 11:32 p.m.•11 views

Out-of-bounds Write

Overview Magick.NET-Q16-HDRI-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...

7.8CVSS5.8AI score0.00121EPSS
Exploits0References3
Snyk
Snyk
•added 2026/04/14 11:31 p.m.•11 views

Off-by-one Error

Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

7.1CVSS5.8AI score0.00128EPSS
Exploits0References3
Snyk
Snyk
•added 2026/04/14 11:31 p.m.•11 views

Out-of-bounds Read

Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

4.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/04/14 11:27 p.m.•11 views

HTTP Response Splitting

Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the MailAddressParser.TryParseAddress function due to improper neutralisation of CRLF sequences. An attacker can impersonate another user or entity by sending specially crafted data over the network...

8.7CVSS6.2AI score0.02279EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/14 11:27 p.m.•11 views

HTTP Response Splitting

Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the MailAddressParser.TryParseAddress function due to improper neutralisation of CRLF sequences. An attacker can impersonate another user or entity by sending specially crafted data over the network...

8.7CVSS6.2AI score0.02279EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/14 11:18 p.m.•11 views

Origin Validation Error

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Origin Validation Error in the CORS handling process. An attacker can access sensitive authenticated API responses, including user profile data, email, admin statu...

7.1CVSS5.8AI score0.00132EPSS
Exploits1References2
Snyk
Snyk
•added 2026/04/14 10:31 p.m.•11 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via the isHealthCheckRequest function in pkg/middleware/healthcheck.go. An attacker can reach protected endpoints by sending a request with a configured health-check User-Agent, causing the middleware to treat the...

9.3CVSS5.7AI score0.00475EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/14 4:14 p.m.•11 views

Access Control Bypass

Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Access Control Bypass in the LeadController.php...

8.6CVSS5.8AI score0.00351EPSS
Exploits2References2
Snyk
Snyk
•added 2026/04/14 4:14 p.m.•11 views

Server-side Request Forgery (SSRF)

Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the...

8.5CVSS5.8AI score0.00249EPSS
Exploits1References2
Snyk
Snyk
•added 2026/04/13 11:8 p.m.•11 views

Off-by-one Error

Overview Magick.NET-Q8-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.8CVSS5.8AI score0.00177EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/13 11:8 p.m.•11 views

Off-by-one Error

Overview Affected versions of this package are vulnerable to Off-by-one Error in the MSL decoder process. An attacker can cause a crash by providing a specially crafted MSL file. Remediation A fix was pushed into the master branch but not yet published. References - GitHub Commit - GitHub Commit ...

6.8CVSS5.8AI score0.00177EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/13 11:6 p.m.•11 views

Use After Free

Overview Magick.NET-Q16-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.8CVSS5.8AI score0.00184EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/13 10:11 p.m.•11 views

Out-of-bounds Read

Overview Magick.NET-Q16-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

7.1CVSS5.8AI score0.00194EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/13 10:11 p.m.•11 views

Integer Overflow or Wraparound

Overview Magick.NET-Q8-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

8.7CVSS5.8AI score0.00434EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/13 10:11 p.m.•11 views

Integer Overflow or Wraparound

Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

8.7CVSS5.8AI score0.00434EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/13 10:11 p.m.•11 views

Heap-based Buffer Overflow

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

6.9CVSS5.8AI score0.0018EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/13 10:11 p.m.•11 views

Heap-based Buffer Overflow

Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

6.9CVSS5.8AI score0.0018EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/13 10:11 p.m.•11 views

Heap-based Buffer Overflow

Overview Magick.NET-Q16-HDRI-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.8CVSS6.1AI score0.00187EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/13 3:33 p.m.•11 views

Malicious Package

Overview walmart-internal is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/04/10 7:39 p.m.•11 views

Directory Traversal

Overview uv is an An extremely fast Python package and project manager, written in Rust. Affected versions of this package are vulnerable to Directory Traversal through the uninstall process when handling RECORD entries containing relative paths that traverse outside the intended installation...

3.1CVSS6.3AI score
Exploits0References2
Snyk
Snyk
•added 2026/04/09 4:14 p.m.•11 views

Allocation of Resources Without Limits or Throttling

Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the automatic import plugin. An attacker can cause backend services to...

7.1CVSS5.7AI score0.0024EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/09 6:11 a.m.•11 views

Authorization Bypass Through User-Controlled Key

Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the /api/ endpoints of the Administrative API. An attacker can gain unauthorized access to administrative functions by sendi...

7.5CVSS5.8AI score0.00313EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/09 3:7 a.m.•11 views

Server-side Request Forgery (SSRF)

Overview api-lab-mcp is a MCP server for API testing and experimentation - Your API Laboratory Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the testhttpendpoint function in the HTTP interface. An attacker can cause the server to initiate arbitrary...

7.5CVSS7.2AI score0.00288EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/08 9:10 p.m.•11 views

Allocation of Resources Without Limits or Throttling

Overview react-server-dom-parcel is a React Server Components bindings for DOM using Parcel. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling...

8.7CVSS5.8AI score0.01551EPSS
Exploits4References3
Snyk
Snyk
•added 2026/04/08 12:16 a.m.•11 views

Directory Traversal

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Directory Traversal via the serveStatic function. An attacker can access sensitive static files intended to be protected by route-based middleware by crafting request paths with repeated...

6.9CVSS6.3AI score0.00459EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/07 6:13 p.m.•11 views

Memory Allocation with Excessive Size Value

Overview nvidia-pytriton is a PyTriton - Flask/FastAPI-like interface to simplify Triton's deployment in Python environments. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via insufficient input validation and processing a large number of outputs...

8.7CVSS5.8AI score0.00528EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/06 5:15 p.m.•11 views

Cross-site Scripting (XSS)

Overview feehi/cms is a Feehi CMS project template. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Role Name parameter in the Role Management module. An attacker can execute arbitrary web scripts or HTML in the context of a user's browser by injecting a craft...

6.9CVSS6AI score0.00211EPSS
Exploits1References2
Snyk
Snyk
•added 2026/04/05 1:8 a.m.•11 views

Command Injection

Overview code-screenshot-mcp is a MCP server for generating beautiful code screenshots directly from Claude Affected versions of this package are vulnerable to Command Injection through request parameters. An attacker can execute arbitrary operating system commands by sending specially crafted HT...

6.5CVSS6.1AI score0.01455EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/04 6:10 a.m.•11 views

Information Exposure

Overview directus is a Directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Information Exposure via the serverspecsgraphql resolver on the /graphql/system endpoint, which returns an SDL representation of the schema...

6.9CVSS5.9AI score0.00314EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/03 3:46 a.m.•11 views

Permissive List of Allowed Inputs

Overview dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Permissive List of Allowed Inputs in the ADDATTR predicate function via EXTRAELEMENTHANDLING.attributeCheck. An attacker can inject and execute malicious scripts in the DOM...

6.1CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/04/02 9:32 p.m.•11 views

Incomplete List of Disallowed Inputs

Overview @openclaw/discord is an OpenClaw Discord channel plugin Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs through the validateScriptFileForShellBleed process. An attacker can execute unauthorized script content by crafting piped, substituted, or...

5.4CVSS5.9AI score0.00303EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/02 9:1 p.m.•11 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the Graph API process. An attacker can access message thread history that should be restricted by sender allowlists by querying the API directly, potentially...

5.4CVSS5.9AI score0.00177EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/02 8:59 p.m.•11 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the heartbeat process. An attacker can gain unauthorized access to restricted resources by exploiting context inheritance to bypass sandbox restrictions through...

9.9CVSS5.9AI score0.00298EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/01 11:17 p.m.•11 views

Arbitrary Code Injection

Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Arbitrary Code Injection via the executecode method. An attacker can execute arbitrary operating system commands by passing a crafted str...

10CVSS6.1AI score0.00707EPSS
Exploits1References2
Snyk
Snyk
•added 2026/04/01 9:48 p.m.•11 views

HTTP Response Splitting

Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the reason parameter in the HTTP response creation process. An attacker can inject unauthorized headers or manipulate the HTTP response by supplying specially crafted input containing carriage return...

6.9CVSS5.9AI score0.00292EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/01 9:47 p.m.•11 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Request.post function. An attacker can cause excessive memory allocation by sending a specially crafted multipart request containing large non-file fields. Remediation Upgrade...

6.9CVSS5.9AI score0.00384EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/01 6:35 a.m.•11 views

Cross-site Scripting (XSS)

Overview @holoviz/panel is a The powerful data exploration & web app framework for Python. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the formatError function in panel/models/util.ts due to using String.replace without the global flag when escaping HTML...

6.1CVSS5.7AI score
Exploits0References3
Snyk
Snyk
•added 2026/03/31 3:15 a.m.•11 views

Embedded Malicious Code

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a cross-platform remote access trojan RAT and whose content was removed from the official package manager. A malicious actor...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/03/29 3:16 p.m.•11 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition in the lookup function. An attacker can access properties that should be restricted by bypassing prototype-access controls...

6.3CVSS5.5AI score
Exploits0References2
Snyk
Snyk
•added 2026/03/29 3:10 p.m.•11 views

Replay Attack

Overview mppx is a /picture Affected versions of this package are vulnerable to Replay Attack in the tempo/session cooperative close handler due to improper validation of the close voucher amount. An attacker can bypass intended restrictions by submitting a close voucher with an amount exactly...

8.3CVSS5.9AI score0.00359EPSS
Exploits0References2
Snyk
Snyk
•added 2026/03/27 8:22 p.m.•11 views

Exposure of Data Element to Wrong Session

Overview Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session in the MDM command processing while handling SyncML status code. An attacker can obtain sensitive configuration data belonging to other devices such as WiFi credentials, VPN secrets, and...

8.7CVSS5.9AI score0.00161EPSS
Exploits0References2
Snyk
Snyk
•added 2026/03/27 6:21 p.m.•11 views

Access of Resource Using Incompatible Type ('Type Confusion')

Overview handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type 'Type Confusion' via the resolvePartial and invokePartial functions. An attacker can execute arbitrary code on the server by...

9.2CVSS6.2AI score0.00703EPSS
Exploits1References3
Snyk
Snyk
•added 2026/03/27 3:7 a.m.•11 views

Malicious Package

Overview testtestsharp is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.9AI score
Exploits0References2
Total number of security vulnerabilities5000