Lucene search
K
SnykMost viewed

35537 matches found

Snyk
Snyk
added 2026/05/08 4:32 p.m.11 views

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

8.8CVSS6.1AI score0.00363EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/08 4:31 p.m.11 views

Directory Traversal

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

8.7CVSS6.3AI score0.00433EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/08 12:0 a.m.11 views

Improper Neutralization of Special Elements in Data Query Logic

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the MilvusVectorStoredoDeleteList implementation. An attacker can inject filter expressions by supplying crafted document IDs that are not properly sanitized before bei...

8.8CVSS5.7AI score0.00353EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 12:0 a.m.11 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the SimpleFunctionRegistry composition. An attacker can exhaust memory or trigger unbounded recursive function composition by supplying crafted function definitions that...

8.7CVSS5.8AI score0.00211EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 9:45 p.m.11 views

Timing Attack

Overview mcp-ssh-tool is a Model Context Protocol MCP SSH client server for remote automation Affected versions of this package are vulnerable to Timing Attack in the transfer-related filesystem handling process. An attacker can access unauthorized files or directories by bypassing local path...

8.7CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/05/07 8:26 p.m.11 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow via the SWnentries function in the file SWapi.c. An attacker can achieve arbitrary code execution or cause a denial of service by providing a specially crafted HDF-EOS file with DimensionName argument that...

7.8CVSS6.6AI score0.00237EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 8:26 p.m.11 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow via the SWnentries function in the file SWapi.c. An attacker can achieve arbitrary code execution or cause a denial of service by providing a specially crafted HDF-EOS file with DimensionName argument that...

7.8CVSS6.7AI score0.00237EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 7:43 p.m.11 views

Active Debug Code

Overview Affected versions of this package are vulnerable to Active Debug Code via the Installer process. An attacker can access sensitive server configuration, environment variables, filesystem paths, and loaded PHP extensions by sending an unauthenticated GET request with the phpinfo parameter...

6.9CVSS5.8AI score0.0024EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 7:21 p.m.11 views

Allocation of Resources Without Limits or Throttling

Overview std/net/mail is a Go standard library package std/net/mail Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger...

8.7CVSS5.8AI score0.00784EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/07 7:21 p.m.11 views

Infinite loop

Overview golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go. Affected versions of this package are vulnerable to Infinite loop. Go Vulnerability Report: When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receiv...

8.7CVSS5.8AI score0.00781EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/07 3:27 p.m.11 views

Command Injection

Overview node-ts-ocr is an A simple wrapper around command-line utils to assist in PDF / Image OCR Optical Character Recognition processing using Tesseract. Affected versions of this package are vulnerable to Command Injection via the invokeImageOcr function. An attacker can execute arbitrary...

9.8CVSS6AI score0.01185EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 9:25 a.m.11 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the process handling incoming requests. An attacker can perform unauthorized actions on behalf of an authenticated user by tricking them into submitting a crafted request. Remediation Upgrade...

5.4CVSS5.8AI score0.00092EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 4:33 a.m.11 views

Symlink Attack

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Symlink Attack via the isPathAllowed path check in lib/resolver-compat.js. An attacker can execute code outside the configured...

8.5CVSS6.4AI score0.00722EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:8 a.m.11 views

Arbitrary Code Injection

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through lib/builtin.js. An attacker can execute host code when the allowlist includes -X or uses and then...

9.9CVSS6.1AI score0.00974EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:7 a.m.11 views

Arbitrary Code Injection

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the BaseHandler write traps in lib/bridge.js. An attacker can mutate host Object.prototype, Array.prototype,...

10CVSS6AI score0.00842EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 2:9 a.m.11 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via improper validation of the supi path parameter in multiple GET handlers. An attacker can obtain internal infrastructure details, including hostnames, ports, and API paths, by injecting control characters into th...

8.7CVSS5.8AI score0.00324EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 1:56 a.m.11 views

Improperly Implemented Security Check for Standard

Overview Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard due to missing concurrent procedure validation in the SecurityMode and handleHandoverRequiredMain functions. An attacker can cause mismatches between security contexts, potentially...

5.4CVSS5.8AI score0.00251EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 1:49 a.m.11 views

Open Redirect

Overview Microsoft.Kiota.Http.HttpClientLibrary is a dotnet HTTP library implementation with HttpClient. Affected versions of this package are vulnerable to Open Redirect in the RedirectHandler function. An attacker can obtain sensitive information such as session cookies, proxy credentials, and...

7CVSS5.8AI score0.00505EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 1:15 a.m.11 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the convertUrlRoute and screenshotUrlRoute processes. An attacker can access sensitive files belonging to other users' in-flight conversion requests by submitting specially crafted file:// URLs pointi...

8.2CVSS5.8AI score0.00251EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/07 1:15 a.m.11 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the downloadFrom and webhook processes. An attacker can access internal network resources and potentially exfiltrate sensitive information or interact with internal-only services by supplying special...

9.4CVSS5.8AI score0.00352EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 12:57 a.m.11 views

Server-side Request Forgery (SSRF)

Overview github.com/gotenberg/gotenberg/v7/pkg/modules/chromium is a Docker-powered stateless API for PDF files. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the FilterOutboundURL process. An attacker can access internal network resources and retrie...

6.9CVSS5.8AI score0.00186EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/07 12:8 a.m.11 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the handling of index rollover requests when an explicit target index name is provided. An attacker can create a new index with an unauthorized name by exploiting insufficient access control checks on the targ...

2.2CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/06 11:50 p.m.11 views

Allocation of Resources Without Limits or Throttling

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the bodyLimit function. An attacker can bypass request size restrictions by sending chunked or unknown-length requests, allowing...

8.7CVSS5.8AI score0.00219EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 11:23 p.m.11 views

Incorrect Permission Assignment for Critical Resource

Overview @axonflow/openclaw is a Policy enforcement, approval gates, and audit trails for OpenClaw — govern tool inputs before execution, scan outbound messages for PII/secrets, and record agent activity for review and compliance Affected versions of this package are vulnerable to Incorrect...

6.8CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/05/06 9:43 p.m.11 views

Cross-site Scripting (XSS)

Overview @jupyterlab/apputils is a JupyterLab - Application Utilities Affected versions of this package are vulnerable to Cross-site Scripting XSS via the handling of data-commandlinker-command and data-commandlinker-args attributes in HTML content. An attacker can execute arbitrary commands,...

9.3CVSS5.9AI score0.00386EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 9:43 p.m.11 views

Cross-site Scripting (XSS)

Overview @jupyterlab/rendermime-interfaces is a JupyterLab - Interfaces for Mime Renderers Affected versions of this package are vulnerable to Cross-site Scripting XSS via the handling of data-commandlinker-command and data-commandlinker-args attributes in HTML content. An attacker can execute...

9.3CVSS5.9AI score0.00386EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 9:39 p.m.11 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure in the Engine::error function. An attacker can obtain sensitive information, such as absolute filesystem paths, secrets embedded in exception messages, and internal module structure, by triggering an uncaught...

8.7CVSS5.8AI score0.00335EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:44 p.m.11 views

SQL Injection

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to SQL Injection in the setTokenData function when OAuth token fields are interpolated into a SQL statement without proper escaping. An attacker can execut...

7.7CVSS6.1AI score0.00212EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:18 p.m.11 views

Cross-site Scripting (XSS)

Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Cross-site Scripting XSS via the decodeAllEntities function. An attacker can execute arbitrary JavaScript in the context of the application origin by...

5.4CVSS5.9AI score0.00153EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 7:50 p.m.11 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via the trainerlogin function. An attacker can redirect a user's browser to an external, attacker-controlled URL by supplying a crafted next parameter, potentially exposing sensitive information such as the original URL...

9.6CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/06 7:37 p.m.11 views

Allocation of Resources Without Limits or Throttling

Overview basic-ftp is a FTP client for Node.js, supports FTPS over TLS, IPv6, Async/Await, and Typescript. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the connect function. An attacker can cause excessive memory and CPU consumption,...

8.7CVSS5.8AI score0.00465EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 7:32 p.m.11 views

Binding to an Unrestricted IP Address

Overview Affected versions of this package are vulnerable to Binding to an Unrestricted IP Address which defaults to 0.0.0.0 when the -port argument is used or the -listen argument is used without specifying a host. An attacker can execute arbitrary code remotely by connecting to the exposed...

8.8CVSS5.9AI score0.00223EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 7:16 p.m.11 views

LDAP Injection

Overview lemur is a Certificate management and orchestration service Affected versions of this package are vulnerable to LDAP Injection via unsanitized input in the username field during the authentication process. An attacker can escalate privileges and gain unauthorized access to sensitive...

8.6CVSS5.8AI score0.00179EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 5:54 p.m.11 views

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code 'Unsafe Reflection' via the condition process. An attacker can execute arbitrary commands on the server by injecting malicious...

8.6CVSS6.1AI score0.00346EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 4:42 p.m.11 views

SQL Injection

Overview rucio is a Rucio Package Affected versions of this package are vulnerable to SQL Injection in the createsqlaquery function when processing filter keys and values in Oracle database backends using the default jsonmeta metadata plugin configuration. An attacker can execute arbitrary SQL...

9.9CVSS6.7AI score0.00281EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 1:21 a.m.11 views

Use of a Broken or Risky Cryptographic Algorithm

Overview paramiko is a library for making SSH2 connections client or server. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the RSA key handling by allowing the use of the SHA-1 algorithm. An attacker can compromise the integrity of...

4.8CVSS5.8AI score0.00114EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 12:0 a.m.11 views

Directory Traversal

Overview org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration. Affected versions of this package are vulnerable to Directory Traversal via the EnvironmentController, ResourceController, and EncryptionController reque...

8.8CVSS6.3AI score0.0022EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 10:17 p.m.11 views

CRLF Injection

Overview sse-channel is a Server-Sent Events "channel" where all messages are broadcasted to all connected clients, history is maintained automatically and server attempts to keep clients alive by sending "keep-alive" packets automatically. Affected versions of this package are vulnerable to CRLF...

8.7CVSS5.9AI score0.00478EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 10:2 p.m.11 views

Missing Authentication for Critical Function

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the objects/users.json.php process. An attacker can retrieve sensitive user information, including user IDs, displa...

6.9CVSS5.8AI score0.0027EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 9:35 p.m.11 views

XML External Entity (XXE) Injection

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to XML External Entity XXE Injection in the simplexmlloadstring process when handling uploaded SVG files. An attacker can access sensitive files...

7.1CVSS5.9AI score0.00233EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 9:15 p.m.11 views

Allocation of Resources Without Limits or Throttling

Overview @evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol GEP for auditable, reusable evolution assets. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling vi...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/05 8:53 p.m.11 views

Server-side Request Forgery (SSRF)

Overview magicmirror is a The open source modular smart mirror platform. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the cors endpoint, which acts as an open HTTP proxy without authentication or URL validation. An attacker can force the server to make...

9.2CVSS5.9AI score0.01623EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/05 8:31 p.m.11 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the User-Agent header being logged and later rendered in the admin event log interface without proper output encoding. An attacker can execute arbitrary JavaScript in an administrator's browser by submitting...

9.6CVSS5.8AI score0.00282EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 8:29 p.m.11 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the isSSRFSafeURL function. An attacker can access internal network resources and sensitive cloud metadata by submitting specially crafted URLs that use IPv4-mapped IPv6 notation, which bypasses the...

8.8CVSS5.8AI score0.00226EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/05 8:5 p.m.11 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the S3FileMiddleware process. An attacker can access arbitrary files by sending specially crafted requests that escape pre-signed upload locations, causing the application to load files from unintended locations...

10CVSS6.3AI score0.00564EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/05 5:31 p.m.11 views

Allocation of Resources Without Limits or Throttling

Overview phoenix is a The official JavaScript client for the Phoenix web framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Elixir.Phoenix.Transports.LongPoll POST requests handling with Content-Type: application/x-ndjson. A...

8.7CVSS5.8AI score0.00469EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 5:30 p.m.11 views

Use of Cache Containing Sensitive Information

Overview Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the UpdateCacheMiddleware middleware. An attacker can access private data...

5.3CVSS5.8AI score0.00358EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 4:49 p.m.11 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal due to the getospath check in fileio.py in the file manager component. An attacker can read, write, and delete files outside the configured root directory by supplying a path whose resolved absolute path shares a...

9.2CVSS6.3AI score0.00583EPSS
Exploits2References2
Snyk
Snyk
added 2026/05/05 3:34 p.m.11 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the email notification template system. An attacker can inject arbitrary HTML content by supplying crafted values in device, geofence, or driver name fields, which are then rendered in notification emails se...

5.4CVSS5.7AI score0.00162EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/05 3:33 p.m.11 views

Malicious Package

Overview deployment-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Total number of security vulnerabilities5000