Lucene search
K
SnykMost viewed

35491 matches found

snyk
snyk
added 2026/05/18 5:48 p.m.10 views

Improper Validation of Array Index

Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

7.1CVSS5.9AI score0.00122EPSS
Exploits0References3
snyk
snyk
added 2026/05/18 5:23 p.m.10 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the submission handling process for Hidden fields with the Default value set to Custom. An attacker can execute arbitrary server-side code by submitting crafted...

9.8CVSS6.1AI score0.00475EPSS
Exploits0References4
snyk
snyk
added 2026/05/18 4:42 p.m.10 views

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview org.asynchttpclient:async-http-client is a maven plugin for the Async Http Client AHC classes. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the propagatedHeaders method during cross-origin redirects,...

7.4CVSS5.8AI score0.00322EPSS
Exploits1References2
snyk
snyk
added 2026/05/18 4:22 p.m.10 views

Allocation of Resources Without Limits or Throttling

Overview org.webjars.npm:brace-expansion is a WebJar for brace-expansion. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the max option being applied after generating all elements in a large numeric range. An attacker can exhaust...

8.7CVSS5.8AI score0.00278EPSS
Exploits0References2
snyk
snyk
added 2026/05/18 3:38 p.m.10 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the SpriteFont file loading process. An attacker can execute arbitrary code by providing a specially crafted .spritefont file that triggers a 32-bit integer overflow during multiplication. This is only...

7.3CVSS6.2AI score
Exploits0References2
snyk
snyk
added 2026/05/18 3:38 p.m.10 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the SpriteFont file loading process when handling untrusted .spritefont files. An attacker can execute arbitrary code by supplying a crafted data file that triggers a 32-bit integer overflow during...

7.3CVSS6.2AI score
Exploits0References2
snyk
snyk
added 2026/05/18 3:31 p.m.10 views

Integer Underflow (Wrap or Wraparound)

Overview Affected versions of this package are vulnerable to Integer Underflow Wrap or Wraparound in the IPTC encoder. An attacker can access sensitive information or cause a partial denial of service by providing a specially crafted input file that triggers an out-of-bounds read. Remediation A f...

5.1CVSS5.8AI score0.0012EPSS
Exploits0References3
snyk
snyk
added 2026/05/18 3:31 p.m.10 views

Integer Underflow (Wrap or Wraparound)

Overview Magick.NET-Q16-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

5.1CVSS5.8AI score0.0012EPSS
Exploits0References3
snyk
snyk
added 2026/05/18 3:31 p.m.10 views

Integer Underflow (Wrap or Wraparound)

Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

5.1CVSS5.8AI score0.0012EPSS
Exploits0References3
snyk
snyk
added 2026/05/18 2:14 p.m.10 views

Malicious Package

Overview citrea-bridge is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/18 2:14 p.m.10 views

Malicious Package

Overview clementine-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/18 2:14 p.m.10 views

Malicious Package

Overview @zentrafinance/protocol-config is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and thi...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/18 2:14 p.m.10 views

Malicious Package

Overview zentra-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/18 1:30 p.m.10 views

Improper Authorization

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Improper Authorization via the mention.json.php process. An attacker can enumerate user information by sending unauthenticated requests that match the required inp...

6.9CVSS5.8AI score0.00193EPSS
Exploits0References3
snyk
snyk
added 2026/05/18 1:29 p.m.10 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via unvalidated URL processing in the OAuth2 dynamic client registration process. An attacker can access internal network resources or sensitive information by supplying malicious URLs to be fetched by t...

7.2CVSS5.2AI score0.00198EPSS
Exploits0References2
snyk
snyk
added 2026/05/18 12:31 p.m.10 views

Deserialization of Untrusted Data

Overview sglang is a SGLang is a fast serving framework for large language models and vision language models. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the ROUTER socket which binds to 0.0.0.0 by default and deserializes incoming messages using...

9.8CVSS6.1AI score0.00399EPSS
Exploits0References2
snyk
snyk
added 2026/05/18 9:45 a.m.10 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the error page composition process. An attacker can execute arbitrary JavaScript code in the context of affected users by injecting malicious content into unescaped variables when editing certain site...

5.1CVSS5.8AI score0.00143EPSS
Exploits0References2
snyk
snyk
added 2026/05/18 9:10 a.m.10 views

Malicious Package

Overview string-manipulation-typescript is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and thi...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/18 3:47 a.m.10 views

NULL Pointer Dereference

Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the file ngap/handler.go of the component NGAP Message Handler. This manipulation causes null pointer dereference. Remote exploitation of the attack is possible. The exploit has been made available to the...

5.3CVSS5.4AI score0.00303EPSS
Exploits0References2
snyk
snyk
added 2026/05/18 3:45 a.m.10 views

NULL Pointer Dereference

Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the function RANConfiguration of the file ngap/handler.go. The manipulation results in null pointer dereference. The attack may be launched remotely. The exploit has been released to the public and may be us...

5.3CVSS5.5AI score0.00303EPSS
Exploits0References2
snyk
snyk
added 2026/05/17 1:28 a.m.10 views

NULL Pointer Dereference

Overview org.webjars.npm:qs is a querystring parser that supports nesting and arrays, with a depth limit. Affected versions of this package are vulnerable to NULL Pointer Dereference in the stringify function, when processing arrays with the options arrayFormat: 'comma' and encodeValuesOnly: true...

6.9CVSS5.9AI score0.00351EPSS
Exploits0References2
snyk
snyk
added 2026/05/16 3:26 p.m.10 views

Deserialization of Untrusted Data

Overview jsonpickle is a Python library for serializing any arbitrary object graph into JSON. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the loadrepr function in Unpickler. An attacker can execute arbitrary system commands by supplying malicious JSON...

9.8CVSS6.2AI score0.00696EPSS
Exploits0References2
snyk
snyk
added 2026/05/16 12:0 a.m.10 views

Symlink Attack

Overview @boxlite-ai/boxlite is a BoxLite - Embeddable micro-VM runtime for secure, isolated code execution Affected versions of this package are vulnerable to Symlink Attack via improper path resolution during extraction of OCI image layer tarballs. An attacker can write arbitrary files to...

9.6CVSS6AI score0.00482EPSS
Exploits0References2
snyk
snyk
added 2026/05/15 6:34 p.m.10 views

Cross-site Request Forgery (CSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the set.json.php process. An attacker can disable a user's two-factor authentication by tricking a logged-in user into...

6.9CVSS5.8AI score0.0011EPSS
Exploits0References3
snyk
snyk
added 2026/05/15 6:25 p.m.10 views

External Control of File Name or Path

Overview apm-cli is a MCP configuration tool Affected versions of this package are vulnerable to External Control of File Name or Path through the tar.extractall function in legacy-bundle probing on Windows systems running Python versions earlier than 3.12. An attacker can overwrite arbitrary fil...

7.4CVSS5.6AI score0.0061EPSS
Exploits0References3
snyk
snyk
added 2026/05/15 5:33 p.m.10 views

Cross-site Request Forgery (CSRF)

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF when building an errorURL in parseGenericState, when the storeStateStrategy is set to "cookie" and PKCE is disabled. An...

5.9CVSS5.9AI score
Exploits0References3
snyk
snyk
added 2026/05/15 11:24 a.m.10 views

Malicious Package

Overview dowloadeboklosenemigosdelcomerciobyantonioescohotado6t2l4 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection betwee...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/15 10:43 a.m.10 views

Malicious Package

Overview jenkins-forge-app is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/15 10:43 a.m.10 views

Malicious Package

Overview simple-date-diff-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/15 10:40 a.m.10 views

Malicious Package

Overview frank-at-alibaba-internal is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/15 10:40 a.m.10 views

Malicious Package

Overview apple-internal-telemetry-service is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/15 10:40 a.m.10 views

Malicious Package

Overview apple-infra-ultimate-bypass is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/14 11:28 p.m.10 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound through the lybreadstring function in src/parserlyb.c when parsing a specially crafted LYB binary blob. An attacker can cause a crash or corrupt the heap by supplying malicious LYB data to a consumer of th...

8.7CVSS5.8AI score0.00428EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 11:28 p.m.10 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the websiteUrl field, which is interpolated into an HTML attribute without proper encoding of quote characters. An attacker can execute arbitrary JavaScript in the context of users visiting the catalogue UI b...

5.4CVSS5.8AI score0.00167EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 9:24 p.m.10 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read due to improper bounds checking in the decodepixel process. An attacker can trigger an out-of-bounds read by supplying a specially crafted TGA paletted image that causes integer wraparound during palette index...

6.8CVSS5.8AI score0.00177EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 9:23 p.m.10 views

Out-of-bounds Write

Overview Affected versions of this package are vulnerable to Out-of-bounds Write in the softimageinput.cpp process when handling RLE decoding. An attacker can cause a heap buffer overflow by submitting a crafted .pic file with a manipulated run length value that exceeds the scanline width...

8.4CVSS6AI score0.00173EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 8:30 p.m.10 views

Cross-site Scripting (XSS)

Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper serialization of hydratable promises. An attacker can execute arbitrary scripts in the context of the affected application by supplying specially...

8.2CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/14 8:29 p.m.10 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the handling of attribute spreading and dynamic name attributes within form elements. An attacker can inject malicious scripts by manipulatin...

8.1CVSS5.5AI score0.00319EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 8:29 p.m.10 views

Regular Expression Denial of Service (ReDoS)

Overview org.webjars.npm:svelte is a package for building web applications. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS through the svelte:element tag validation process. An attacker can cause significant performance degradation by supplying...

7.5CVSS5.8AI score0.00421EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 8:28 p.m.10 views

Incorrect Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Incorrect Authorization through the /api/v1/utils/code/execute endpoint, which fails to enforce the ENABLECODEEXECUTION configuration flag. An attacker can execute arbitrary Python code within the Jupyter...

8.8CVSS6.1AI score0.00406EPSS
Exploits2References2
snyk
snyk
added 2026/05/14 8:28 p.m.10 views

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization via the /api/v1/memories/ef endpoint. An attacker can trigger embedding generation and consume computational resources or incur costs by making unauthenticated requests to this endpoint...

6.9CVSS5.8AI score0.00341EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 8:26 p.m.10 views

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization in the GET /api/tasks and POST /api/tasks/stop/taskid endpoints, which lack proper ownership checks. An attacker can enumerate and terminate background tasks belonging to other users by...

7.1CVSS5.8AI score0.0027EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 8:25 p.m.10 views

Authorization Bypass Through User-Controlled Key

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the updatemessagebyid and deletemessagebyid handlers in channels.py. An attacker can overwrite or remove another member’s group or direct message conte...

5.3CVSS5.8AI score0.00204EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 8:25 p.m.10 views

Improper Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Improper Authorization via the bypassfilter parameter in the HTTP query string, which is unintentionally exposed in the route handler. An attacker can gain unauthorized access to restricted models by appendin...

5.4CVSS5.8AI score0.00193EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 8:21 p.m.10 views

Improper Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Improper Authorization in the model update process. An attacker can modify resources belonging to other users by sending crafted requests that bypass intended access controls. Remediation Upgrade open-webui t...

7.1CVSS5.8AI score0.00226EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 8:19 p.m.10 views

Cross-site Scripting (XSS)

Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of attributes using spread syntax from untrusted data, which includes event handler properties in the HTML output. An attacker can execute...

7.7CVSS5.8AI score0.00168EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 7:16 p.m.10 views

Division by zero

Overview Affected versions of this package are vulnerable to Division by zero in the qtdemuxaudiocaps function of the isomp4 plugin when parsing MP4 audio tracks. An attacker can cause a denial of service by supplying crafted atom data that triggers an integer division by zero. Remediation A fix...

9.1CVSS5.8AI score0.00208EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 6:26 p.m.10 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the xmp raw-text passthrough. An attacker can execute arbitrary JavaScript in the browser of another user by submitting specially crafted HTML content that is sanitized and then rendered as trusted output...

9.3CVSS5.8AI score0.00397EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 4:19 p.m.10 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the Object.assign process. An attacker can gain unauthorized access to and control over data across different workspaces by...

7.6CVSS5.8AI score0.00342EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 3:49 p.m.10 views

Malicious Package

Overview solidity-linter is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Total number of security vulnerabilities5000