Lucene search
K
SnykMost viewed

35345 matches found

Snyk
Snyk
added 2026/05/11 9:0 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.10 views

Embedded Malicious Code

Overview guardrails-ai is an Adding guardrails to large language models. Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tamper...

9.8CVSS5.8AI score0.00276EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS5.8AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 7:34 p.m.10 views

Cross-site Scripting (XSS)

Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper escaping of textarea custom field contents in the bugupdatepage.php process. An attacker can inject HTML and, if content security policy settings allow,...

5.4CVSS5.8AI score0.0023EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 6:31 p.m.10 views

Allocation of Resources Without Limits or Throttling

Overview docling is a SDK and CLI for parsing PDF, DOCX, HTML, and more, to a unified document representation for powering downstream workflows such as gen AI applications. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the...

8.7CVSS5.8AI score0.00351EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 6:14 p.m.10 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in validatewebhookurl, in validate.py. The createwebhook function accepts a user-controlled url parameter without validation. An attacker can cause the backend to send HTTP requests to internal services,...

7.1CVSS5.9AI score0.00288EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/11 6:11 p.m.10 views

Improper Authentication

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Authentication via the handleBlueBubblesWebhookRequest function. An attacker can gain unauthorized access and potentially compromise confidentiality, integrity, and availability ...

9.8CVSS7.1AI score0.00636EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/11 3:56 p.m.10 views

Allocation of Resources Without Limits or Throttling

Overview next is a react framework. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling involving Partial Prerendering in the Cache Components feature. An attacker can exhaust the connection pool by sending malicious POST requests that cause a...

8.7CVSS5.8AI score0.00546EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/11 3:54 p.m.10 views

Authentication Bypass Using an Alternate Path or Channel

Overview next is a react framework. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the handling of segment-prefetch routes. An attacker can gain unauthorized access to protected content by crafting .rsc and segment-prefetch URLs tha...

8.7CVSS5.8AI score0.01523EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/10 8:12 a.m.10 views

Inefficient Algorithmic Complexity

Overview Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity due to the computational complexity of attribute name collision checks in XML parsing. An attacker can cause excessive resource consumption by providing specially crafted XML input. Remediation Upgrade...

7.5CVSS5.7AI score0.00428EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/10 12:6 a.m.10 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the GDSDfldsrch function of the Grid File Handler component. An attacker can execute arbitrary code or cause a denial of service by supplying crafted input that triggers a heap-based buffer overflow during...

5.5CVSS6.6AI score0.00258EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/09 12:10 a.m.10 views

Permissive Cross-domain Policy with Untrusted Domains

Overview @yoda.digital/gitlab-mcp-server is a GitLab MCP Server - A Model Context Protocol server for GitLab integration Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via the SSE HTTP transport when USESSE=true is set, which lacks...

9.2CVSS5.8AI score0.00392EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/08 11:2 p.m.10 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to the lack of inbound authentication and authorization checks on the nnef-pfdmanagement route group. An attacker can gain unauthorized access to sensitive PFD application data, create or delete PFD...

10CVSS5.8AI score0.00287EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/08 10:46 p.m.10 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the nnef-callback route group, which lacks inbound authentication and authorization checks. An attacker can access sensitive business logic and potentially manipulate subscription state by submitting forged...

7.3CVSS5.9AI score0.00241EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/08 10:26 p.m.10 views

Cross-site Scripting (XSS)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS in the process that previews Excel file attachments using the sheettohtml function. An attacker can execute arbitrary scripts in the context of the victim's browser by uploading a...

8.7CVSS5.8AI score0.00318EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/08 8:23 p.m.10 views

Improper Handling of Insufficient Permissions or Privileges

Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges on page copy. An attacker can gain unauthorized access to restricted page content by copying pages from are...

7.1CVSS5.8AI score0.00201EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 8:17 p.m.10 views

Improper Handling of Insufficient Permissions or Privileges

Overview wagtail is an open source content management system built on Django. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges via revision comparisons. An attacker can gain unauthorized access to sensitive information by supplying th...

7.1CVSS5.8AI score0.00204EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 7:38 p.m.10 views

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization via the createfolder process. An attacker can create unauthorized folders in another user's account, potentially flooding the victim's folder tree or planting phishing content, by...

5.3CVSS5.8AI score0.00287EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/08 6:34 p.m.10 views

Unsafe Dependency Resolution

Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the runWidget function. An attacker can achieve arbitrary code execution by supplying crafted input that exploits path traversal to...

9.8CVSS6.3AI score0.00167EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/08 5:39 p.m.10 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to revoke existing refresh tokens in the auth.refreshtokens and auth.oauth2refreshtokens tables after a password change. An attacker can maintain unauthorized access to a user's account...

4.2CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/08 5:24 p.m.10 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via ExternalSecret resource handling for Service Account tokens. A user can impersonate service accounts by crafting ExternalSecret resources that cause the operator to create Secrets populated with long-lived...

6.9CVSS5.9AI score0.00214EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 4:59 p.m.10 views

Server-side Request Forgery (SSRF)

Overview n8n-mcp is an Integration between n8n workflow automation and Model Context Protocol MCP Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the N8nApiClient, when handling webhook triggers, API client base URLs, and per-request URLs supplied via the...

9.1CVSS5.8AI score0.00235EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 4:54 p.m.10 views

Cross-site Scripting (XSS)

Overview prestashop/prestashop is an Open Source e-commerce platform, committed to providing the best shopping cart experience for both merchants and customers. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Customer Service view process. An attacker can...

9.3CVSS5.8AI score0.00331EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 4:31 p.m.10 views

Directory Traversal

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

8.7CVSS6.3AI score0.00433EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/08 9:23 a.m.10 views

Numeric Truncation Error

Overview Affected versions of this package are vulnerable to Numeric Truncation Error due to pointer difference truncation to int in multiple locations. An attacker can cause incorrect memory calculations by providing specially crafted input. Remediation Upgrade uriparser to version 1.0.2 or...

5.3CVSS5.3AI score0.00211EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 6:32 a.m.10 views

Cross-site Scripting (XSS)

Overview org.opencms:opencms-core is a Java open source content management system by Alkacon Software. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the cmis-online/type process. An attacker can execute arbitrary scripts in the context of a user's browser by...

6.1CVSS5.9AI score0.0059EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 12:0 a.m.10 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the SimpleFunctionRegistry composition and function wrapper cache in SimpleFunctionRegistry.java. An attacker can exhaust memory by supplying many distinct composed function...

8.7CVSS5.8AI score0.00211EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 7:49 p.m.10 views

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the addImageAction process. An attacker can execute arbitrary code on the server by uploading a file with executable extensions disguised as an image, bypassing MIME type validation. This is only exploitable if...

6.3CVSS6.2AI score0.00229EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/07 7:32 p.m.10 views

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the Plugins::add process. An attacker can execute arbitrary code, overwrite sensitive files, and gain full control of the server by uploading a specially crafted ZIP archive containing file paths with directory...

8.6CVSS6AI score0.00522EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 6:30 p.m.10 views

Prototype Pollution

Overview parse-ini is a Parse ini file to get the content and variables of the ini file as node object. Affected versions of this package are vulnerable to Prototype Pollution via the index.js file. An attacker can manipulate object properties and potentially execute arbitrary code or alter...

9.8CVSS6.5AI score0.00416EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 3:27 p.m.10 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation via incorrect handling of name constraints during certificate validation. An attacker can bypass critical certificate validation checks by presenting a certificate chain where permitted name constraints a...

9.1CVSS5.8AI score0.00475EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 5:55 a.m.10 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the readVariableLengthInteger function. An attacker can trigger undefined behavior and potentially execute arbitrary code by providing specially crafted EXR input that causes excessive left shifts...

9.8CVSS6.2AI score0.00393EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:29 a.m.10 views

Improper Isolation or Compartmentalization

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the globalPromise.prototype.then onFulfilled wrapper in the Promise bridge. An...

7.2CVSS5.6AI score0.002EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:26 a.m.10 views

Allocation of Resources Without Limits or Throttling

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the Buffer.alloc family in lib/setup-sandbox.js. An attacker can crash t...

8.7CVSS5.8AI score0.00424EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:10 a.m.10 views

Uncaught Exception

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Uncaught Exception through the Promise constructor when an unhandled rejection propagates from the sandboxed environment to the host...

9.2CVSS5.4AI score0.00448EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 3:34 a.m.10 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the RSL policy validation. An attacker can revert the system to a previous trusted state by creating a new Reference State Log entry that references an older policy, provided it i...

6CVSS5.8AI score0.00198EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 1:49 a.m.10 views

Open Redirect

Overview @microsoft/kiota-http-fetchlibrary is an implementation using the Fetch API to make requests. Affected versions of this package are vulnerable to Open Redirect in the RedirectHandler function. An attacker can obtain sensitive information such as session cookies, proxy credentials, and AP...

7CVSS5.8AI score0.00505EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 1:15 a.m.10 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the convertUrlRoute and screenshotUrlRoute processes. An attacker can access sensitive files belonging to other users' in-flight conversion requests by submitting specially crafted file:// URLs pointi...

8.2CVSS5.8AI score0.00251EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/07 1:15 a.m.10 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the downloadFrom and webhook processes. An attacker can access internal network resources and potentially exfiltrate sensitive information or interact with internal-only services by supplying special...

9.4CVSS5.8AI score0.00352EPSS
Exploits1References2
Total number of security vulnerabilities5000