35355 matches found
Improper Neutralization of Special Elements Used in a Template Engine
Overview homeassistant-cli is a Command-line tool for Home Assistant. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the handling of user-supplied Jinja2 templates. An attacker can execute arbitrary code by convincing ...
Use of Hard-coded Credentials
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Use of Hard-coded Credentials via the weak default TOKENHASHSECRET. An attacker can access sensitive internal identifiers by decrypting the meta field in JWT tokens when the default secret is used,...
Timing Attack
Overview mojic is an Obfuscate C source code into encrypted, password-seeded emoji streams. Affected versions of this package are vulnerable to Timing Attack in the getDecryptStream process. An attacker can bypass file integrity checks by exploiting timing discrepancies in the HMAC verification,...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to improper access control in the unaccess process. An attacker can cause disruption of all public shares routed through a global frontend by sending a DELETE request to the affected API endpoint with knowled...
Out-of-bounds Write
Overview Affected versions of this package are vulnerable to Out-of-bounds Write in the ReadCLen function of the Tiano decompressor. An attacker can cause a crash by supplying specially crafted compressed firmware data that triggers a heap out-of-bounds write during decompression. Remediation...
Timing Attack
Overview @sync-in/server is a The secure, open-source platform for file storage, sharing, collaboration, and syncing Affected versions of this package are vulnerable to Timing Attack via the login process. An attacker can obtain valid usernames by measuring differences in response times from the...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the verifybyte expected function in JcaContentVerifierProviderBuilder. An attacker can forge a protected CMP/PKI message by supplying an empty composite signature sequence that...
Out-of-bounds Write
Overview Magick.NET-Q16-HDRI-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...
Off-by-one Error
Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Out-of-bounds Read
Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
HTTP Response Splitting
Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the MailAddressParser.TryParseAddress function due to improper neutralisation of CRLF sequences. An attacker can impersonate another user or entity by sending specially crafted data over the network...
HTTP Response Splitting
Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the MailAddressParser.TryParseAddress function due to improper neutralisation of CRLF sequences. An attacker can impersonate another user or entity by sending specially crafted data over the network...
Origin Validation Error
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Origin Validation Error in the CORS handling process. An attacker can access sensitive authenticated API responses, including user profile data, email, admin statu...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation via the isHealthCheckRequest function in pkg/middleware/healthcheck.go. An attacker can reach protected endpoints by sending a request with a configured health-check User-Agent, causing the middleware to treat the...
Access Control Bypass
Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Access Control Bypass in the LeadController.php...
Server-side Request Forgery (SSRF)
Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the...
Off-by-one Error
Overview Magick.NET-Q8-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Off-by-one Error
Overview Affected versions of this package are vulnerable to Off-by-one Error in the MSL decoder process. An attacker can cause a crash by providing a specially crafted MSL file. Remediation A fix was pushed into the master branch but not yet published. References - GitHub Commit - GitHub Commit ...
Use After Free
Overview Magick.NET-Q16-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Out-of-bounds Read
Overview Magick.NET-Q16-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Integer Overflow or Wraparound
Overview Magick.NET-Q8-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Integer Overflow or Wraparound
Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
Heap-based Buffer Overflow
Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...
Heap-based Buffer Overflow
Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
Heap-based Buffer Overflow
Overview Magick.NET-Q16-HDRI-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Malicious Package
Overview walmart-internal is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Directory Traversal
Overview uv is an An extremely fast Python package and project manager, written in Rust. Affected versions of this package are vulnerable to Directory Traversal through the uninstall process when handling RECORD entries containing relative paths that traverse outside the intended installation...
Allocation of Resources Without Limits or Throttling
Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the automatic import plugin. An attacker can cause backend services to...
Authorization Bypass Through User-Controlled Key
Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the /api/ endpoints of the Administrative API. An attacker can gain unauthorized access to administrative functions by sendi...
Server-side Request Forgery (SSRF)
Overview api-lab-mcp is a MCP server for API testing and experimentation - Your API Laboratory Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the testhttpendpoint function in the HTTP interface. An attacker can cause the server to initiate arbitrary...
Allocation of Resources Without Limits or Throttling
Overview react-server-dom-parcel is a React Server Components bindings for DOM using Parcel. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling...
Directory Traversal
Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Directory Traversal via the serveStatic function. An attacker can access sensitive static files intended to be protected by route-based middleware by crafting request paths with repeated...
Memory Allocation with Excessive Size Value
Overview nvidia-pytriton is a PyTriton - Flask/FastAPI-like interface to simplify Triton's deployment in Python environments. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via insufficient input validation and processing a large number of outputs...
Cross-site Scripting (XSS)
Overview feehi/cms is a Feehi CMS project template. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Role Name parameter in the Role Management module. An attacker can execute arbitrary web scripts or HTML in the context of a user's browser by injecting a craft...
Command Injection
Overview code-screenshot-mcp is a MCP server for generating beautiful code screenshots directly from Claude Affected versions of this package are vulnerable to Command Injection through request parameters. An attacker can execute arbitrary operating system commands by sending specially crafted HT...
Information Exposure
Overview directus is a Directus is a real-time API and App dashboard for managing SQL database content. Affected versions of this package are vulnerable to Information Exposure via the serverspecsgraphql resolver on the /graphql/system endpoint, which returns an SDL representation of the schema...
Permissive List of Allowed Inputs
Overview dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Permissive List of Allowed Inputs in the ADDATTR predicate function via EXTRAELEMENTHANDLING.attributeCheck. An attacker can inject and execute malicious scripts in the DOM...
Incomplete List of Disallowed Inputs
Overview @openclaw/discord is an OpenClaw Discord channel plugin Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs through the validateScriptFileForShellBleed process. An attacker can execute unauthorized script content by crafting piped, substituted, or...
Incorrect Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the Graph API process. An attacker can access message thread history that should be restricted by sender allowlists by querying the API directly, potentially...
Incorrect Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the heartbeat process. An attacker can gain unauthorized access to restricted resources by exploiting context inheritance to bypass sandbox restrictions through...
Arbitrary Code Injection
Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Arbitrary Code Injection via the executecode method. An attacker can execute arbitrary operating system commands by passing a crafted str...
HTTP Response Splitting
Overview Affected versions of this package are vulnerable to HTTP Response Splitting via the reason parameter in the HTTP response creation process. An attacker can inject unauthorized headers or manipulate the HTTP response by supplying specially crafted input containing carriage return...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Request.post function. An attacker can cause excessive memory allocation by sending a specially crafted multipart request containing large non-file fields. Remediation Upgrade...
Cross-site Scripting (XSS)
Overview @holoviz/panel is a The powerful data exploration & web app framework for Python. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the formatError function in panel/models/util.ts due to using String.replace without the global flag when escaping HTML...
Embedded Malicious Code
Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a cross-platform remote access trojan RAT and whose content was removed from the official package manager. A malicious actor...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition in the lookup function. An attacker can access properties that should be restricted by bypassing prototype-access controls...
Replay Attack
Overview mppx is a /picture Affected versions of this package are vulnerable to Replay Attack in the tempo/session cooperative close handler due to improper validation of the close voucher amount. An attacker can bypass intended restrictions by submitting a close voucher with an amount exactly...
Exposure of Data Element to Wrong Session
Overview Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session in the MDM command processing while handling SyncML status code. An attacker can obtain sensitive configuration data belonging to other devices such as WiFi credentials, VPN secrets, and...
Access of Resource Using Incompatible Type ('Type Confusion')
Overview handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type 'Type Confusion' via the resolvePartial and invokePartial functions. An attacker can execute arbitrary code on the server by...
Malicious Package
Overview testtestsharp is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...