Lucene search
+L
SnykMost viewed

35936 matches found

snyk
snyk
added 2026/05/11 3:56 p.m.11 views

Cross-site Scripting (XSS)

Overview next is a react framework. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the beforeInteractive process, when untrusted input is embedded without proper escaping. An attacker can execute arbitrary JavaScript in a user's browser by injecting malicious...

6.1CVSS5.8AI score0.00205EPSS
Exploits0References2
snyk
snyk
added 2026/05/11 3:56 p.m.11 views

Allocation of Resources Without Limits or Throttling

Overview next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Image Optimization API when handling requests to the /next/image endpoint that match the images.localPatterns configuration. An attacker can exhaust...

8.2CVSS5.8AI score0.00705EPSS
Exploits1References2
snyk
snyk
added 2026/05/11 3:55 p.m.11 views

Server-side Request Forgery (SSRF)

Overview next is a react framework. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via crafted WebSocket upgrade requests. An attacker can access internal or external resources by sending specially crafted requests with absolute-url that cause the server to...

8.6CVSS5.9AI score0.38811EPSS
Exploits9References2
snyk
snyk
added 2026/05/11 3:54 p.m.11 views

Authentication Bypass Using an Alternate Path or Channel

Overview next is a react framework. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the handling of segment-prefetch routes. An attacker can gain unauthorized access to protected content by crafting .rsc and segment-prefetch URLs tha...

8.7CVSS5.8AI score0.01523EPSS
Exploits0References2
snyk
snyk
added 2026/05/11 3:54 p.m.11 views

Authentication Bypass Using an Alternate Path or Channel

Overview next is a react framework. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via dynamic full-route RSC requests in the deployment adapter. An attacker can gain unauthorized access to protected content by injecting a URL with que...

8.6CVSS5.8AI score0.00485EPSS
Exploits2References2
snyk
snyk
added 2026/05/11 2:57 p.m.11 views

Directory Traversal

Overview python-liquid is an A Python engine for the Liquid template language. Affected versions of this package are vulnerable to Directory Traversal via the FileSystemLoader and CachingFileSystemLoader components. An attacker can access and render arbitrary files outside the intended search pat...

8.2CVSS6.3AI score0.00335EPSS
Exploits0References2
snyk
snyk
added 2026/05/11 2:51 p.m.11 views

Insertion of Sensitive Information Into Sent Data

Overview urllib3 is a HTTP library with thread-safe connection pooling, file post, and more. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in urlopen when using ProxyManager.connectionfromurl with assertsamehost=False, directly rather than v...

8.2CVSS5.8AI score0.00527EPSS
Exploits0References2
snyk
snyk
added 2026/05/11 2:4 p.m.11 views

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization in the updatemessagebyid and deletemessagebyid endpoints due to missing ownership validation for messages. An attacker can alter or remove messages belonging to other users by sending...

7.1CVSS5.8AI score0.00266EPSS
Exploits1References2
snyk
snyk
added 2026/05/10 8:12 a.m.11 views

Inefficient Algorithmic Complexity

Overview Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity due to the computational complexity of attribute name collision checks in XML parsing. An attacker can cause excessive resource consumption by providing specially crafted XML input. Remediation Upgrade...

7.5CVSS5.7AI score0.00428EPSS
Exploits1References2
snyk
snyk
added 2026/05/08 10:34 p.m.11 views

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization in the authentication process. An attacker can gain unauthorized access to user-level API endpoints by registering an account, obtaining a valid JWT while in a pending role, and using th...

7.3CVSS5.8AI score0.0023EPSS
Exploits1References2
snyk
snyk
added 2026/05/08 10:21 p.m.11 views

Cross-site Scripting (XSS)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering process of the pending user overlay content due to improper sanitization order. An attacker can execute arbitrary JavaScript in the browser context of affected users ...

4.8CVSS5.8AI score0.0017EPSS
Exploits1References2
snyk
snyk
added 2026/05/08 7:52 p.m.11 views

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization in the generatecompletion, embed, embeddings, and showmodelinfo functions. An attacker can access restricted model information and consume compute resources by sending crafted API reques...

5.4CVSS5.8AI score0.00238EPSS
Exploits1References2
snyk
snyk
added 2026/05/08 7:50 p.m.11 views

Incorrect Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Incorrect Authorization in the setaccessgrants process. An attacker can override administrative access controls by submitting arbitrary access grants, including wildcard grants, which are persisted without...

5.4CVSS5.9AI score0.0019EPSS
Exploits1References2
snyk
snyk
added 2026/05/08 7:45 p.m.11 views

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization in the basemodelid process. An attacker can gain unauthorized access to restricted models by creating a new model that chains to a restricted base model and invoking it, causing the serv...

7.6CVSS5.8AI score0.00248EPSS
Exploits1References2
snyk
snyk
added 2026/05/08 7:0 p.m.11 views

Cross-site Scripting (XSS)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS in the sanitizeResponseContent process. An attacker can execute arbitrary JavaScript in the browser of another user by crafting a malicious model description containing a markdown lin...

8.5CVSS7.2AI score0.00308EPSS
Exploits1References2
snyk
snyk
added 2026/05/08 6:34 p.m.11 views

Unsafe Dependency Resolution

Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the runWidget function. An attacker can achieve arbitrary code execution by supplying crafted input that exploits path traversal to...

9.8CVSS6.3AI score0.00167EPSS
Exploits0References3
snyk
snyk
added 2026/05/08 5:39 p.m.11 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to revoke existing refresh tokens in the auth.refreshtokens and auth.oauth2refreshtokens tables after a password change. An attacker can maintain unauthorized access to a user's account...

4.2CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/08 4:31 p.m.11 views

Directory Traversal

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

8.7CVSS6.3AI score0.00433EPSS
Exploits1References2
snyk
snyk
added 2026/05/08 12:0 a.m.11 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the SimpleFunctionRegistry composition. An attacker can exhaust memory or trigger unbounded recursive function composition by supplying crafted function definitions that...

8.7CVSS5.8AI score0.00211EPSS
Exploits0References2
snyk
snyk
added 2026/05/08 12:0 a.m.11 views

Improper Neutralization of Special Elements in Data Query Logic

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the MilvusVectorStoredoDeleteList implementation. An attacker can inject filter expressions by supplying crafted document IDs that are not properly sanitized before bei...

8.8CVSS5.7AI score0.00353EPSS
Exploits0References2
snyk
snyk
added 2026/05/07 9:45 p.m.11 views

Timing Attack

Overview mcp-ssh-tool is a Model Context Protocol MCP SSH client server for remote automation Affected versions of this package are vulnerable to Timing Attack in the transfer-related filesystem handling process. An attacker can access unauthorized files or directories by bypassing local path...

8.7CVSS5.8AI score
Exploits0References3
snyk
snyk
added 2026/05/07 8:26 p.m.11 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow via the SWnentries function in the file SWapi.c. An attacker can achieve arbitrary code execution or cause a denial of service by providing a specially crafted HDF-EOS file with DimensionName argument that...

7.8CVSS6.7AI score0.00237EPSS
Exploits1References2
snyk
snyk
added 2026/05/07 8:26 p.m.11 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow via the SWnentries function in the file SWapi.c. An attacker can achieve arbitrary code execution or cause a denial of service by providing a specially crafted HDF-EOS file with DimensionName argument that...

7.8CVSS6.6AI score0.00237EPSS
Exploits1References2
snyk
snyk
added 2026/05/07 7:43 p.m.11 views

Active Debug Code

Overview Affected versions of this package are vulnerable to Active Debug Code via the Installer process. An attacker can access sensitive server configuration, environment variables, filesystem paths, and loaded PHP extensions by sending an unauthenticated GET request with the phpinfo parameter...

6.9CVSS5.8AI score0.0024EPSS
Exploits0References2
snyk
snyk
added 2026/05/07 7:21 p.m.11 views

Allocation of Resources Without Limits or Throttling

Overview std/net/mail is a Go standard library package std/net/mail Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger...

8.7CVSS5.8AI score0.00784EPSS
Exploits0References3
snyk
snyk
added 2026/05/07 7:21 p.m.11 views

Infinite loop

Overview golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go. Affected versions of this package are vulnerable to Infinite loop. Go Vulnerability Report: When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receiv...

8.7CVSS5.8AI score0.00781EPSS
Exploits0References3
snyk
snyk
added 2026/05/07 9:25 a.m.11 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the process handling incoming requests. An attacker can perform unauthorized actions on behalf of an authenticated user by tricking them into submitting a crafted request. Remediation Upgrade...

5.4CVSS5.8AI score0.00092EPSS
Exploits0References2
snyk
snyk
added 2026/05/07 5:55 a.m.11 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the readVariableLengthInteger function. An attacker can trigger undefined behavior and potentially execute arbitrary code by providing specially crafted EXR input that causes excessive left shifts...

9.8CVSS6.2AI score0.00393EPSS
Exploits1References2
snyk
snyk
added 2026/05/07 4:33 a.m.11 views

Symlink Attack

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Symlink Attack via the isPathAllowed path check in lib/resolver-compat.js. An attacker can execute code outside the configured...

8.5CVSS6.4AI score0.00722EPSS
Exploits1References2
snyk
snyk
added 2026/05/07 4:8 a.m.11 views

Arbitrary Code Injection

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through lib/builtin.js. An attacker can execute host code when the allowlist includes -X or uses and then...

9.9CVSS6.1AI score0.00974EPSS
Exploits1References2
snyk
snyk
added 2026/05/07 4:7 a.m.11 views

Arbitrary Code Injection

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the BaseHandler write traps in lib/bridge.js. An attacker can mutate host Object.prototype, Array.prototype,...

10CVSS6AI score0.00842EPSS
Exploits1References2
snyk
snyk
added 2026/05/07 2:9 a.m.11 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via improper validation of the supi path parameter in multiple GET handlers. An attacker can obtain internal infrastructure details, including hostnames, ports, and API paths, by injecting control characters into th...

8.7CVSS5.8AI score0.00324EPSS
Exploits1References2
snyk
snyk
added 2026/05/07 1:56 a.m.11 views

Improperly Implemented Security Check for Standard

Overview Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard due to missing concurrent procedure validation in the SecurityMode and handleHandoverRequiredMain functions. An attacker can cause mismatches between security contexts, potentially...

5.4CVSS5.8AI score0.00251EPSS
Exploits1References2
snyk
snyk
added 2026/05/07 1:49 a.m.11 views

Open Redirect

Overview Microsoft.Kiota.Http.HttpClientLibrary is a dotnet HTTP library implementation with HttpClient. Affected versions of this package are vulnerable to Open Redirect in the RedirectHandler function. An attacker can obtain sensitive information such as session cookies, proxy credentials, and...

7CVSS5.8AI score0.00505EPSS
Exploits0References2
snyk
snyk
added 2026/05/07 1:15 a.m.11 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the downloadFrom and webhook processes. An attacker can access internal network resources and potentially exfiltrate sensitive information or interact with internal-only services by supplying special...

9.4CVSS5.8AI score0.00352EPSS
Exploits1References2
snyk
snyk
added 2026/05/07 12:57 a.m.11 views

Server-side Request Forgery (SSRF)

Overview github.com/gotenberg/gotenberg/v7/pkg/modules/chromium is a Docker-powered stateless API for PDF files. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the FilterOutboundURL process. An attacker can access internal network resources and retrie...

6.9CVSS5.8AI score0.00186EPSS
Exploits1References3
snyk
snyk
added 2026/05/07 12:8 a.m.11 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the handling of index rollover requests when an explicit target index name is provided. An attacker can create a new index with an unauthorized name by exploiting insufficient access control checks on the targ...

2.2CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/06 11:50 p.m.11 views

Allocation of Resources Without Limits or Throttling

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the bodyLimit function. An attacker can bypass request size restrictions by sending chunked or unknown-length requests, allowing...

8.7CVSS5.8AI score0.00219EPSS
Exploits0References2
snyk
snyk
added 2026/05/06 9:43 p.m.11 views

Cross-site Scripting (XSS)

Overview @jupyterlab/apputils is a JupyterLab - Application Utilities Affected versions of this package are vulnerable to Cross-site Scripting XSS via the handling of data-commandlinker-command and data-commandlinker-args attributes in HTML content. An attacker can execute arbitrary commands,...

9.3CVSS5.9AI score0.00386EPSS
Exploits0References2
snyk
snyk
added 2026/05/06 9:43 p.m.11 views

Cross-site Scripting (XSS)

Overview @jupyterlab/rendermime-interfaces is a JupyterLab - Interfaces for Mime Renderers Affected versions of this package are vulnerable to Cross-site Scripting XSS via the handling of data-commandlinker-command and data-commandlinker-args attributes in HTML content. An attacker can execute...

9.3CVSS5.9AI score0.00386EPSS
Exploits0References2
snyk
snyk
added 2026/05/06 9:43 p.m.11 views

Cross-site Scripting (XSS)

Overview @jupyterlab/rendermime is a JupyterLab - RenderMime Affected versions of this package are vulnerable to Cross-site Scripting XSS via the handling of data-commandlinker-command and data-commandlinker-args attributes in HTML content. An attacker can execute arbitrary commands, including co...

9.3CVSS5.9AI score0.00386EPSS
Exploits0References2
snyk
snyk
added 2026/05/06 8:44 p.m.11 views

SQL Injection

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to SQL Injection in the setTokenData function when OAuth token fields are interpolated into a SQL statement without proper escaping. An attacker can execut...

7.7CVSS6.1AI score0.00212EPSS
Exploits0References2
snyk
snyk
added 2026/05/06 8:18 p.m.11 views

Cross-site Scripting (XSS)

Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Cross-site Scripting XSS via the decodeAllEntities function. An attacker can execute arbitrary JavaScript in the context of the application origin by...

5.4CVSS5.9AI score0.00153EPSS
Exploits0References2
snyk
snyk
added 2026/05/06 7:50 p.m.11 views

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect via the trainerlogin function. An attacker can redirect a user's browser to an external, attacker-controlled URL by supplying a crafted next parameter, potentially exposing sensitive information such as the original URL...

9.6CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/06 7:37 p.m.11 views

Allocation of Resources Without Limits or Throttling

Overview basic-ftp is a FTP client for Node.js, supports FTPS over TLS, IPv6, Async/Await, and Typescript. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the connect function. An attacker can cause excessive memory and CPU consumption,...

8.7CVSS5.8AI score0.00465EPSS
Exploits0References2
snyk
snyk
added 2026/05/06 7:32 p.m.11 views

Binding to an Unrestricted IP Address

Overview Affected versions of this package are vulnerable to Binding to an Unrestricted IP Address which defaults to 0.0.0.0 when the -port argument is used or the -listen argument is used without specifying a host. An attacker can execute arbitrary code remotely by connecting to the exposed...

8.8CVSS5.9AI score0.00223EPSS
Exploits0References2
snyk
snyk
added 2026/05/06 7:16 p.m.11 views

LDAP Injection

Overview lemur is a Certificate management and orchestration service Affected versions of this package are vulnerable to LDAP Injection via unsanitized input in the username field during the authentication process. An attacker can escalate privileges and gain unauthorized access to sensitive...

8.6CVSS5.8AI score0.00179EPSS
Exploits0References2
snyk
snyk
added 2026/05/06 5:54 p.m.11 views

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code 'Unsafe Reflection' via the condition process. An attacker can execute arbitrary commands on the server by injecting malicious...

8.6CVSS6.1AI score0.00346EPSS
Exploits0References2
snyk
snyk
added 2026/05/06 1:21 a.m.11 views

Use of a Broken or Risky Cryptographic Algorithm

Overview paramiko is a library for making SSH2 connections client or server. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the RSA key handling by allowing the use of the SHA-1 algorithm. An attacker can compromise the integrity of...

4.8CVSS5.8AI score0.00114EPSS
Exploits0References2
snyk
snyk
added 2026/05/06 12:0 a.m.11 views

Directory Traversal

Overview org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration. Affected versions of this package are vulnerable to Directory Traversal via the EnvironmentController, ResourceController, and EncryptionController reque...

8.8CVSS6.3AI score0.0022EPSS
Exploits0References2
Total number of security vulnerabilities5000