Lucene search
K
SnykMost viewed

35669 matches found

Snyk
Snyk
added 2026/05/05 4:49 p.m.11 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal due to the getospath check in fileio.py in the file manager component. An attacker can read, write, and delete files outside the configured root directory by supplying a path whose resolved absolute path shares a...

9.2CVSS6.3AI score0.00583EPSS
Exploits2References2
Snyk
Snyk
added 2026/05/05 3:34 p.m.11 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the email notification template system. An attacker can inject arbitrary HTML content by supplying crafted values in device, geofence, or driver name fields, which are then rendered in notification emails se...

5.4CVSS5.7AI score0.00162EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/05 3:33 p.m.11 views

Malicious Package

Overview deployment-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/05 2:34 p.m.11 views

Malicious Package

Overview eslint-plugin-skyscanner-dates is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and thi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/05 1:35 p.m.11 views

Allocation of Resources Without Limits or Throttling

Overview @openclaw/voice-call is an OpenClaw voice-call plugin Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the voice-call realtime WebSocket path when oversized WebSocket frames are accepted without proper validation. An attacker ca...

8.2CVSS5.8AI score0.00417EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 1:35 p.m.11 views

UNIX Symbolic Link (Symlink) Following

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following via the repository path handling process. An attacker can access files outside the intended repository directory by submitting crafted symlink paths...

6.5CVSS5.8AI score0.00323EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 1:35 p.m.11 views

Missing Authorization

Overview @openclaw/msteams is an OpenClaw Microsoft Teams channel plugin Affected versions of this package are vulnerable to Missing Authorization via the Microsoft Teams SSO invoke handler. An attacker can gain unauthorized access to Teams SSO signin functionality by sending specially crafted SS...

6.3CVSS5.8AI score0.00231EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 12:26 p.m.11 views

Interpretation Conflict

Overview fast-uri is a Dependency-free RFC 3986 URI toolbox Affected versions of this package are vulnerable to Interpretation Conflict during the decoding of URL host component. An attacker can manipulate the authority component of a URI by supplying percent-encoded delimiters, causing the host ...

8.7CVSS5.8AI score0.00475EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 12:18 a.m.11 views

Prototype Pollution

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution when the Object.prototype has been polluted via a different exploit. The following properties in the HTTP adapter configuration may be manipulated, as...

9.1CVSS6.3AI score0.00715EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/04 10:4 p.m.11 views

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection via the handling of raw string arguments in commands such as uidsearch, search, uidfetch, fetch, uidstore, store, and setquota. A user can execute arbitrary IMAP commands by injecting specially crafted input containing CR...

9.8CVSS6AI score0.00429EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/04 10:3 p.m.11 views

Use of Blocking Code in Single-threaded, Non-blocking Context

Overview Affected versions of this package are vulnerable to Use of Blocking Code in Single-threaded, Non-blocking Context through the OpenSSL::KDF.pbkdf2hmac function during SCRAM authentication. An attacker can cause the Ruby client VM to become unresponsive by sending a large iteration count...

8.3CVSS5.9AI score0.00299EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/04 9:30 p.m.11 views

Access Control Bypass

Overview rdiffweb is an A web interface to rdiff-backup repositories. Affected versions of this package are vulnerable to Access Control Bypass via the API authentication process. An attacker can gain unauthorized access to other users' data and perform actions on their behalf by using any valid ...

8.6CVSS5.8AI score0.00245EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 9:30 p.m.11 views

Arbitrary Argument Injection

Overview archivebox is a The self-hosted internet archive. Affected versions of this package are vulnerable to Arbitrary Argument Injection via the AddView class. An attacker can execute arbitrary code on the server by submitting specially crafted configuration overrides to the /add/ endpoint,...

9.8CVSS6.3AI score0.00404EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/04 9:28 p.m.11 views

Directory Traversal

Overview org.webjars.npm:fast-uri is a Dependency-free RFC 3986 URI toolbox Affected versions of this package are vulnerable to Directory Traversal via the normalize or equal functions. An attacker can bypass path-based access controls by submitting specially crafted percent-encoded or dot segmen...

8.7CVSS6.3AI score0.00521EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 8:56 p.m.11 views

XML External Entity (XXE) Injection

Overview changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to XML External Entity XXE Injection via the xpathfilter process. An attacker can access sensitive local files by supplying crafted XML or RSS content containing...

8.2CVSS5.9AI score0.00266EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 8:48 p.m.11 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization through the DeleteManifest process. An attacker can remove tags from repositories by sending a DELETE request to the relevant API endpoint, even when deletion has been explicitly disabled in the configuration. Th...

6.5CVSS5.7AI score0.00294EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/04 8:23 p.m.11 views

Information Exposure

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Information Exposure in the analysis of allowlisted commands containing unquoted heredocs. An attacker can cause unintended shell expansion by crafting a command that hides malicious code...

8.8CVSS5.9AI score0.00362EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 8:18 p.m.11 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound. An attacker can cause unexpected behavior by supplying a font where each glyph advances by an excessively large amount. Remediation Upgrade pillow to version 12.2.0 or higher. References - GitHub Advisory...

7.5CVSS5.8AI score0.00114EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 8:18 p.m.11 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in ImagePath.Path, ImageDraw.ImageDraw.polygon, and ImageDraw.ImageDraw.line, all of which accept nested coordinates as input. An attacker can cause denial of service by supplying nested lists as coordinates,...

8.6CVSS5.8AI score0.00133EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 8:14 p.m.11 views

Arbitrary Code Injection

Overview pyp2spec is a Generate a valid Fedora specfile from Python package from PyPI Affected versions of this package are vulnerable to Arbitrary Code Injection in the process of writing package metadata into the generated spec file without escaping RPM macro directives. An attacker can execute...

8.5CVSS6.1AI score0.00197EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 7:8 p.m.11 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication in the OVN database connection process. An attacker can gain unauthorized access to sensitive network configuration data by presenting a rogue self-signed certificate chain during the TLS handshake, which is...

4.8CVSS5.8AI score0.00173EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/04 6:26 p.m.11 views

Expression Language Injection

Overview org.apache.polaris:polaris-core is an a catalog for data lakes. It provides new levels of choice, flexibility and control over data, with full enterprise security and Apache Iceberg interoperability across a multitude of engines and infrastructure Affected versions of this package are...

9.9CVSS5.8AI score0.00431EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 5:28 p.m.11 views

Arbitrary Code Injection

Overview org.apache.atlas:atlas-repository is an Apache Atlas Repository Module Affected versions of this package are vulnerable to Arbitrary Code Injection in the DSL search endpoint. An attacker can execute arbitrary code by placing malicious Gremlin traversal logic within grammar-allowed...

8.1CVSS6.2AI score0.00464EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 5:28 p.m.11 views

Missing Authorization

Overview org.apache.polaris:polaris-runtime-service is an a catalog for data lakes. It provides new levels of choice, flexibility and control over data, with full enterprise security and Apache Iceberg interoperability across a multitude of engines and infrastructure Affected versions of this...

9.9CVSS6AI score0.00355EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 5:20 p.m.11 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization when handling HTTP request paths that have had normalizedPath applied. An attacker can gain unauthorized access to protected resources by appending a semicolon and arbitrary text to the request URL, exploiting...

8.8CVSS6AI score0.00444EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/04 12:30 a.m.11 views

Access Control Bypass

Overview MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Access Control Bypass via the exec function in the mindsdb/integrations/handlers/byomhandler/procwrapper.py component. An attacker can gain...

7.5CVSS7.1AI score0.00284EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/03 10:15 a.m.11 views

Arbitrary Command Injection

Overview lfx is a lfx is a command-line tool for running Langflow workflows. It provides two main commands: serve and run. Affected versions of this package are vulnerable to Arbitrary Command Injection via the parsecallabledetails function in codeparser.py. An attacker can execute arbitrary syst...

6.5CVSS6.8AI score0.01666EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/01 9:27 p.m.11 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview astro-mcp-server is a MCP server for Astro ASO App Store Optimization data - Access keyword rankings, historical data, and app metrics Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' in t...

6.5CVSS6.9AI score0.00196EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/01 12:30 p.m.11 views

Use of Hard-coded Password

Overview AstrBot is a 易上手的多平台 LLM 聊天机器人及开发框架 Affected versions of this package are vulnerable to Use of Hard-coded Password in the Dashboard process due to the use of hard-coded credentials in astrbot/dashboard/routes/auth.py. An attacker can gain unauthorized access and potentially compromise...

7.5CVSS7.1AI score0.00288EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/30 6:30 p.m.11 views

Directory Traversal

Overview com.shopizer:shopizer is an open source e-commerce software. Affected versions of this package are vulnerable to Directory Traversal through the /api/v1/private/content/images/add endpoint when processing crafted POST requests while configured with the httpd local filesystem storage...

10CVSS6.3AI score0.00412EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/29 11:31 p.m.11 views

Server-side Request Forgery (SSRF)

Overview xhs-mcp is a XiaoHongShu CLI and MCP Server Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the xhspublishcontent MCP tool when processing the mediapaths argument. An attacker can access internal resources or perform unauthorized network requests ...

7.5CVSS5.8AI score0.00361EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/29 9:27 p.m.11 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization via the command-auth.ts process. An attacker can gain unauthorized access to owner-enforced commands by sending commands from a non-owner sender when a channel plugi...

5.3CVSS5.8AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/29 9:0 p.m.11 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload. A malicious actor compromised the package, enabling the attacker to publish tampered versions of the deep learning framework. Malicious Behavior The execution chain ru...

9.8CVSS6AI score0.00392EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/29 2:40 p.m.11 views

Malicious Package

Overview frank-newton3-db-final is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/28 9:0 p.m.11 views

Embedded Malicious Code

Overview @cap-js/sqlite is a CDS database service for SQLite Affected versions of this package are vulnerable to Embedded Malicious Code that conceals an obfuscated payload designed to steal developer credentials during the package installation. The malicious versions and their contents are...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/28 3:13 a.m.11 views

Directory Traversal

Overview notes-mcp is a MCP for managing markdown notes with YAML frontmatter Affected versions of this package are vulnerable to Directory Traversal via the rootdir or path arguments in the notesmcp.py process. An attacker can access or modify files outside the intended directory by supplying...

7.5CVSS7.5AI score0.0041EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/27 9:31 p.m.11 views

Directory Traversal

Overview kaggle-mcp is an A MCP server for kaggle apis Affected versions of this package are vulnerable to Directory Traversal via the preparekaggledataset function in src/kagglemcp/server.py when processing the competitionid argument. An attacker can access arbitrary files on the server by...

7.5CVSS7.5AI score0.00411EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/26 2:10 p.m.11 views

Arbitrary Command Injection

Overview ssh-mcp is a MCP server exposing SSH control for Linux and Windows systems via Model Context Protocol. Affected versions of this package are vulnerable to Arbitrary Command Injection via the shell.write function. An attacker can execute arbitrary system commands by supplying crafted inpu...

8.5CVSS6.1AI score0.00653EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/26 1:9 p.m.11 views

Insufficiently Protected Credentials

Overview ssh-mcp is a MCP server exposing SSH control for Linux and Windows systems via Model Context Protocol. Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the Command Line Handler component due to the storage of the credential in plaintext. An...

4.8CVSS5.9AI score0.00138EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/25 4:11 p.m.11 views

Prototype Pollution

Overview jsondiffpatch is a JSON diff & patch object and array diff, text diff, multiple output formats Affected versions of this package are vulnerable to Prototype Pollution via the jsondiffpatch.patch and jsondiffpatch/formatters/jsonpatch.patch APIs. An attacker can perform prototype pollutio...

8.8CVSS6.3AI score0.00378EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/24 7:20 p.m.11 views

HTTP Response Splitting

Overview axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to HTTP Response Splitting via the isFormData and getHeaders handling in the HTTP request path. An attacker can inject arbitrary request headers by supplying a...

9.1CVSS5.7AI score0.00394EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/24 6:21 p.m.11 views

Allocation of Resources Without Limits or Throttling

Overview marked is a low-level compiler for parsing markdown without caching or blocking for long periods of time. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Tokenizer. An attacker can cause the application to exhaust system...

8.7CVSS5.7AI score0.00342EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/24 4:20 a.m.11 views

Protection Mechanism Failure

Overview Affected versions of this package are vulnerable to Protection Mechanism Failure in the defmodule, defmethod, or defclass methods due to insufficient deserialization guards. An attacker can achieve arbitrary code execution by supplying crafted input to Marshal.load in a Ruby application...

9.2CVSS6.3AI score0.01131EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/24 4:18 a.m.11 views

Cross-site Scripting (XSS)

Overview postcss is a PostCSS is a tool for transforming styles with JS plugins. Affected versions of this package are vulnerable to Cross-site Scripting XSS in CSS Stringify Output. An attacker can execute arbitrary JavaScript code in the context of the affected web page by submitting crafted CS...

6.1CVSS5.5AI score0.00205EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/23 3:49 a.m.11 views

Malicious Package

Overview ts-moduler is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/04/22 1:29 a.m.11 views

Malicious Package

Overview @bitunix/test is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/04/21 5:17 p.m.11 views

Regular Expression Denial of Service (ReDoS)

Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the contextMatcher and pathMatcher functions. An attacker can cause the server to become unresponsive and exhaust CPU...

8.7CVSS5.8AI score0.00427EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/21 2:53 p.m.11 views

Remote Code Execution (RCE)

Overview Affected versions of this package are vulnerable to Remote Code Execution RCE via ExpectedArtifactExpressionEvaluationPostProcessor, which may accept and process SpEL expressions that reference and load arbitrary classes. An attacker can execute code by supplying malicious strings as inp...

9.9CVSS6.1AI score0.00553EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/21 12:0 a.m.11 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the InnoDB component. An attacker can cause the server to hang or crash repeatedly by sending specially crafted requests over the network. Remediation Upgrade libmysqlclient to...

6.9CVSS7.8AI score0.00242EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/20 10:15 p.m.11 views

Missing Origin Validation in WebSockets

Overview Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via missing origin validation in all WebSocket endpoints. An attacker can gain unauthorized access to authenticated WebSocket sessions by tricking a logged-in administrator into visiting a malicio...

8.1CVSS5.4AI score0.00176EPSS
Exploits1References2
Total number of security vulnerabilities5000