35723 matches found
Malicious Package
Overview web3-docs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview sap-autofix is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Malicious Package
Overview sap-activate is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview sap-b is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview gbc-viewer is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview vue-cli-plugin-changelog is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Authorization Bypass Through User-Controlled Key
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the duplicateElements function. An attacker can gain unauthorized access and duplicate other users' entries by sending direct requests wit...
Improper Encoding or Escaping of Output
Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the forgot password process. An attacker can gain unauthorized access to user accounts by manipulating the Host header to injecting custom domains into the password reset link sent to users...
Out-of-bounds Read
Overview Magick.NET-Q8-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package ar...
Allocation of Resources Without Limits or Throttling
Overview Magick.NET-Q8-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in server-side rendering when attribute spreading is performed on elements. An attacker can inject...
Arbitrary Code Injection
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Arbitrary Code Injection via the incorporation of untrusted Slack channel metadata into the system prompt. An attacker can execute unauthorized commands or access sensitive information by...
Command Injection
Overview lu2 is a Simple and flexible UI component library based on native HTML and JavaScript Affected versions of this package are vulnerable to Command Injection due to the use of childprocess.exec function in run.js. An attacker can execute arbitrary operating system commands by supplying...
Improper Certificate Validation
Overview std/crypto/tls is a Go standard library package std/crypto/tls Affected versions of this package are vulnerable to Improper Certificate Validation. Go Vulnerability Report: During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated betwe...
Improper Encoding or Escaping of Output
Overview jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, or AcroFormRadioButton.appearanceState...
Prototype Pollution
Overview deephas is a package to test for existence of nested object key and optionally return that key. Affected versions of this package are vulnerable to Prototype Pollution via the add and indexer functions. An attacker can modify global object behavior and inject arbitrary properties into...
Malicious Package
Overview mindmeld-ui is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Malicious Package
Overview @volcenjine/tos-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview api-cache-worker is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview bytes-guide is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Malicious Package
Overview @metrics-service/mf-client is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview @douinfe/semi-illustrations is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview chakra-ui-2--react-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Uncaught Exception
Overview Affected versions of this package are vulnerable to Uncaught Exception in the TLS module when a TLS server is configured with pskCallback or ALPNCallback. A remote attacker can crash or exhaust resources of a TLS server by sending input that causes the callback to throw an error...
Malicious Package
Overview onchain-commerce-template is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview semi-adimation is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
CSV Injection
Overview json-2-csv is an A JSON to CSV and CSV to JSON converter that natively supports sub-documents and auto-generates the CSV heading. Affected versions of this package are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas in...
SQL Injection
Overview Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to SQL Injection via the connector argument in the QuerySet.filter, QuerySet.exclude, QuerySet.get, and Q objects. A dictionary usin...
Unverified Ownership
Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Unverified Ownership via the JWT authentication process. An attacker can gain unauthorized access to protected resources by presenting a valid token intended for a different audience when...
HTTP Request Smuggling
Overview Microsoft.AspNetCore.Server.Kestrel.Core is a core components of ASP.NET Core Kestrel cross-platform web server. Affected versions of this package are vulnerable to HTTP Request Smuggling via the interpretation of chunked HTTP requests. An attacker can bypass security restrictions and...
Information Exposure
Overview prestashop/prestashop is an Open Source e-commerce platform, committed to providing the best shopping cart experience for both merchants and customers. Affected versions of this package are vulnerable to Information Exposure via manipulation of the idemployee and resettoken parameters on...
Denial of Service (DoS)
Overview Affected versions of this package are vulnerable to Denial of Service DoS due to incorrect stream accounting in the handling of server-sent stream resets. An attacker can cause excessive server resource consumption by rapidly opening streams and triggering resets using malformed frames o...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper processing of large name constraint structures in PKIXCertPathReviewer. An attacker can cause excessive resource allocation by submitting specially crafted ASN.1...
Allocation of Resources Without Limits or Throttling
Overview org.bouncycastle:bcprov-jdk15on is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper processing of large name constraint structures in PKIXCertPathReviewer. An attack...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper processing of large name constraint structures in PKIXCertPathReviewer. An attacker can cause excessive resource allocation by submitting specially crafted ASN.1...
Allocation of Resources Without Limits or Throttling
Overview org.bouncycastle:bcprov-ext-jdk15to18 is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper processing of large name constraint structures in PKIXCertPathReviewer. An...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the ASN1ObjectIdentifier. An attacker can cause excessive resource consumption by submitting specially crafted ASN.1 Object Identifiers, potentially leading to service disruption...
Cross-site Scripting (XSS)
Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the storeMedia function...
Improper Isolation or Compartmentalization
Overview CefSharp.WinForms is a the CefSharp Chromium-based browser component WinForms control. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization that allows an attacker who can convince a user to follow a malicious link to escape sandbox protections,...
Improper Isolation or Compartmentalization
Overview Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization that allows an attacker who can convince a user to follow a malicious link to escape sandbox protections, due to a logic error in the Mojo component. This vulnerability does not enable code...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview camaleoncms is a dynamic and advanced content management system based on Ruby on Rails as an alternative to Wordpress. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the updatedajax method of the...
Improper Authentication
Overview Microsoft.AspNetCore.App.Runtime.linux-musl-x64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Improper Authentication in the RefreshSignInAsyn...
Malicious Package
Overview gcore-cdn-stats is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package w...
Command Injection
Overview com.itextpdf:itextpdf is a software developer toolkit that allows users to integrate PDF functionalities within their applications, processes or products. Affected versions of this package are vulnerable to Command Injection. An attacker controlling the filename passed to the CompareTool...
Malicious Package
Overview buntopress is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using buntopress...
Directory Traversal
Overview decompress is a package that can be used for extracting archives. Affected versions of this package are vulnerable to Directory Traversal via improper validation in the safeMakeDir function and extraction path validation process. An attacker can write arbitrary files outside the intended...
Improper Certificate Validation
Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to improper enforcement of the Certificate Revocation List on the gRPC listener when separate listeners are configured for HTTP and gRPC client endpoints. An attacker can gain unauthorized access and...
Relative Path Traversal
Overview Affected versions of this package are vulnerable to Relative Path Traversal via the scp process. An attacker can cause files to be placed outside the intended directory by crafting a copy operation between two remote destinations. Remediation A fix was pushed into the master branch but n...
Malicious Package
Overview env-axios is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Out-of-bounds Read
Overview onnx is an Open Neural Network Exchange Affected versions of this package are vulnerable to Out-of-bounds Read through convPoolShapeInferenceopset19 in onnx/defs/nn/old.cc. An attacker can trigger the flaw by supplying a malformed convolution or pooling model that reaches the...