Lucene search
K
SnykMost viewed

35340 matches found

Snyk
Snyk
added 2026/01/28 4:33 p.m.18 views

Malicious Package

Overview bytes-guides is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/01/21 11:1 p.m.18 views

Prototype Pollution

Overview lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Prototype Pollution via the .unset and .omit functions. An attacker can delete methods held in properties of global prototypes but cannot...

8.2CVSS6.7AI score0.01535EPSS
Exploits0References2
Snyk
Snyk
added 2025/12/17 11:42 p.m.18 views

CSV Injection

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to CSV Injection via the users data export feature. An attacker can execute arbitrary commands on the system by injecting malicious formulas into the profi...

8.8CVSS7.7AI score0.00442EPSS
Exploits1References2
Snyk
Snyk
added 2024/07/03 12:59 a.m.18 views

SQL Injection

Overview NHibernate is a mature, open source object-relational mapper for the .NET framework. It is actively developed, fully featured and used in thousands of successful projects. Affected versions of this package are vulnerable to SQL Injection when passing unescaped user input to...

9.8CVSS7.9AI score0.00578EPSS
Exploits0References2
Snyk
Snyk
added 2021/09/23 10:57 a.m.18 views

Remote Code Execution (RCE)

Overview md-to-pdf is a CLI tool for converting Markdown files to PDF. Affected versions of this package are vulnerable to Remote Code Execution RCE due to utilizing the library gray-matter to parse front matter content, without disabling the JS engine. PoC: bash //Before running poc.js: $ cat...

9.8CVSS7.3AI score0.05329EPSS
Exploits2References2
Snyk
Snyk
added 2026/06/26 8:13 p.m.17 views

Exposed Dangerous Method or Function

Overview nx is a The core Nx plugin contains the core functionality of Nx like the project graph, nx commands and task orchestration. Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via the local HTTP server's permissive CORS policy, which sends...

6CVSS6.1AI score0.00812EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/23 12:15 p.m.17 views

Malicious Package

Overview new-ecro-helper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/19 8:8 a.m.17 views

Malicious Package

Overview assert-kit is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/18 12:20 a.m.17 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the deserialization process of RFC7797 JWS payloads with b64=false. An attacker can cause resource exhaustion by submitting a payload that exceeds the intended size limits, bypassi...

8.7CVSS5.9AI score0.00163EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/16 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/16 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. An attacker using the npm account ehindero hijacked the @mastra npm organization and, in a roughly 30–45 minute burst starting around 01:12 UTC, republished the entire @mastra catalog. The Mastra source code was...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:12 p.m.17 views

Protection Mechanism Failure

Overview dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Protection Mechanism Failure through the clearConfig function. An attacker can execute arbitrary scripts in a Trusted Types sink by influencing a previously supplied...

4.7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/06 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/06 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-Hulud / Miasma software supply chain campaign, a large scale operation that has affected numerous packages across open source ecosystems. The malicio...

9.8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 2026/06/02 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/31 9:0 p.m.17 views

Malicious Package

Overview @cloudplatform-single-spa/cloudia is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/31 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to the "Miasma" supply chain attack targeting the @redhat-cloud-services npm namespace. A malicious actor compromised the publication pipeline and published versions containing malicious code that includes...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/31 9:0 p.m.17 views

Malicious Package

Overview @cloudplatform-single-spa/evocs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and th...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/29 11:52 p.m.17 views

Malicious Package

Overview @t-in-one/addapplicationtid is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/29 10:54 p.m.17 views

Malicious Package

Overview @cloudplatform-single-spa/employees is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization an...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/29 10:4 p.m.17 views

Malicious Package

Overview paychex-common-vendor-lib is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/28 1:39 p.m.17 views

Malicious Package

Overview @service-suppliers/setinitialloaded is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization an...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/27 1:25 p.m.17 views

Malicious Package

Overview claude-channel-imessage is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/27 12:38 a.m.17 views

Insufficiently Protected Credentials

Overview @hapi/wreck is a HTTP Client Utilities library. Affected versions of this package are vulnerable to Insufficiently Protected Credentials due to leaking the sensitive Proxy-Authorization header across cross-hostname redirects. An attacker can obtain sensitive proxy credentials by inducing...

6.3CVSS5.8AI score0.00054EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/26 9:0 p.m.17 views

Malicious Package

Overview codexui-android is a malicious package. offering a remote web UI for OpenAI Codex, secretly stealing Codex OAuth credentials. Malicious code exists only in published npm builds—not in the public GitHub repo—and runs at import time, reading /.codex/auth.json, XOR-encrypting it, and POSTin...

9.8CVSS5.6AI score
Exploits0References2
Snyk
Snyk
added 2026/05/26 12:15 p.m.17 views

Malicious Package

Overview @izumiswap/sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 8:54 a.m.17 views

Malicious Package

Overview auth0-common-telemetry is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 8:48 a.m.17 views

Malicious Package

Overview unique-string-64 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/25 8:11 a.m.17 views

Malicious Package

Overview wnba-parent is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/24 7:39 a.m.17 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via the toString function in the AST Serialization. An attacker can cause uncontrolled recursion by providing specially crafted input, potentially resulting in resource exhaustion and application unavailability...

6.9CVSS5.8AI score0.00325EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/23 9:0 p.m.17 views

Malicious Package

Overview eth-security-auditor is a malicious package. This package contains malicious code, and its content was removed from the official package manager. The package was linked to a supply chain attack and contained code designed to steal developer secrets, crypto wallets, SSH keys, and cloud...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/23 1:42 p.m.17 views

Buffer Overflow

Overview Affected versions of this package are vulnerable to Buffer Overflow in the NGSetupRequest process. An attacker can cause memory corruption and potentially compromise confidentiality, integrity, and availability by sending specially crafted requests remotely. Remediation Upgrade...

6.5CVSS6.6AI score0.00228EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/22 1:11 p.m.17 views

Unsynchronized Access to Shared Data in a Multithreaded Context

Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

5.6CVSS5.8AI score0.00077EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/22 5:32 a.m.17 views

Missing Release of Resource after Effective Lifetime

Overview golang.org/x/crypto/ssh is a SSH client and server Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime through the handling of unsolicited global request responses, which can fill an internal buffer and block the connection's read loop...

9.1CVSS5.9AI score0.00533EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/21 9:49 p.m.17 views

Insecure Randomness

Overview Magick.NET-Q8-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

6.3CVSS5.8AI score0.00229EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/21 9:42 p.m.17 views

Off-by-one Error

Overview Magick.NET-Q16-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.9CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/21 3:53 p.m.17 views

Buffer Overflow

Overview Affected versions of this package are vulnerable to Buffer Overflow via the checktemplate and tokenizecleanup functions in the checktemplate.cpp component of the executable. An attacker can cause a crash or disrupt service by providing specially crafted input to these functions...

7.3CVSS5.8AI score0.00134EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:46 p.m.17 views

Insecure Default Initialization of Resource

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the hasValidToken function. An attacker can gain unauthorized access to create and modify FAQ entries,...

8.7CVSS5.8AI score0.00384EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.17 views

Deserialization of Untrusted Data

Overview symfony/monolog-bridge is a Provides integration for Monolog with various Symfony components Affected versions of this package are vulnerable to Deserialization of Untrusted Data via deserialization of network input in Symfony\Bridge\Monolog\Command\ServerLogCommand. An attacker can...

9.8CVSS6.4AI score0.01261EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 8:36 p.m.17 views

Infinite loop

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

6.8CVSS5.8AI score0.00111EPSS
Exploits0References5
Snyk
Snyk
added 2026/05/17 9:0 p.m.17 views

Malicious Package

Overview chalk-tempalte is a malicious package. This package contains malicious code that includes infostealer malware, one of which is a Shai-Hulud clone following the TeamPCP open source release, and one DDoS botnet package. While this package might be attempting to impersonate a valid...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/15 6:30 p.m.17 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the SQL code generation process. An attacker can execute arbitrary code on TaskManagers by submitting specially crafted SQL queries that exploit improper escaping of user-controlled strings in generated Java...

8.6CVSS6.3AI score0.00381EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/15 6:1 p.m.17 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the generic download endpoint when the disk and path parameters are supplied in the request. An attacker can access unrelated files stored on configured storage disks by manipulating...

7.7CVSS5.8AI score0.00262EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/15 10:40 a.m.17 views

Malicious Package

Overview apple-internal-pki-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/14 4:19 p.m.17 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the Object.assign process. An attacker can gain unauthorized access to and control over resources belonging to other...

7.7CVSS5.8AI score0.00335EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 7:22 p.m.17 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to improper validation of user-supplied input in the authentication process. An attacker can gain elevated privileges by providing crafted input during local interaction. Remediation Upgrade...

8.3CVSS5.8AI score0.00662EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Total number of security vulnerabilities5000