Lucene search
K
SnykMost viewed

35344 matches found

Snyk
Snyk
added 2026/04/07 9:0 p.m.10 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the ?describe page when user-supplied input is reflected in the response without proper sanitization. An attacker can execute JavaScript in the context of a victim's browser by convincing the user to click a...

6.1CVSS5.6AI score0.00465EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/07 6:16 p.m.10 views

Timing Attack

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Timing Attack through the secret comparison process. An attacker can infer secret length information by measuring timing differences during comparison operations. Remediation Upgrade...

6.3CVSS5.8AI score0.00225EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/07 3:30 p.m.10 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation via improper validation in the certificate renewal process. An attacker can gain unauthorized access to other managed clusters by forging a client certificate that is accepted by the controller. Remediati...

8.4CVSS5.5AI score0.00112EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/03 2:53 a.m.10 views

Files or Directories Accessible to External Parties

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via the appendLocalMediaParentRoots function. An attacker can access arbitrary files and exfiltrate credentials by leveraging...

7.2CVSS6AI score0.00181EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/02 8:44 p.m.10 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing restoreTenant from the adminMutationMWConfig. An attacker can overwrite the entire database, read arbitrary server-side files, and perform server-side request forgery by sending crafted requests to t...

10CVSS5.9AI score0.00452EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/01 9:24 p.m.10 views

Cross-site Scripting (XSS)

Overview @payloadcms/plugin-mcp is a MCP Model Context Protocol capabilities with Payload Affected versions of this package are vulnerable to Cross-site Scripting XSS in the admin panel when user-supplied content is saved in a collection with versions enabled. An attacker can execute arbitrary...

8.7CVSS6AI score0.00286EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/01 1:5 a.m.10 views

HTTP Request Smuggling

Overview Affected versions of this package are vulnerable to HTTP Request Smuggling via the static file handler when it serves GET responses without consuming the request body. An attacker can inject and have the server process unintended HTTP requests by embedding arbitrary HTTP requests inside...

6.5CVSS6AI score0.00196EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/31 11:54 p.m.10 views

Allocation of Resources Without Limits or Throttling

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via unbounded concurrent unauthenticated WebSocket upgrades before session authentication. An attacker can exhaust socket and worker...

5.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/03/29 3:17 p.m.10 views

Prototype Pollution

Overview handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Prototype Pollution in the protoAccessControl function. An attacker can gain unauthorized access to prototype methods by referencing lookupSetter in templates through...

6.3CVSS6.5AI score
Exploits0References2
Snyk
Snyk
added 2026/03/27 8:41 p.m.10 views

Cross-site Scripting (XSS)

Overview dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting XSS when sanitized HTML is reinserted into a new parsing context using innerHTML and special wrappers such as script, xmp, iframe, noembed, noframes, o...

6.1CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/03/27 6:6 p.m.10 views

Cross-site Scripting (XSS)

Overview @n8n/n8n-nodes-langchain is a Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Custom CSS field in the Chat Trigger node due to improper sanitization in the sanitize-html library. An authenticated user with permission to create or modify workflows and...

5.4CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/03/27 5:31 p.m.10 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the logs and logs-stream endpoints. An attacker can access sensitive application log data by authenticating with basic user privileges, as these endpoints do not enforce privilege checks. Remediation There is n...

7.1CVSS5.9AI score0.00244EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/27 1:23 a.m.10 views

Unsafe Dependency Resolution

Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Unsafe Dependency Resolution in the process of loading sub-components with the trustremotecode parameter set to True, regardless of user...

8.8CVSS6.2AI score0.01364EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/26 10:9 p.m.10 views

Missing Release of Memory after Effective Lifetime

Overview Magick.NET-Q16-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

4.6CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/03/26 10:5 p.m.10 views

Improper Certificate Validation

Overview node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Improper Certificate Validation in the verifyCertificateChain function. An attacker can gain...

9.1CVSS6.7AI score0.00348EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/26 10:2 p.m.10 views

Improper Verification of Cryptographic Signature

Overview node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in ASN.1 structures during RSA signature verification...

8.7CVSS5.9AI score0.00339EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/26 6:48 p.m.10 views

HTTP Request Smuggling

Overview io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling in the parsing of quoted strings within chunked transfer encoding...

8.7CVSS6AI score0.0064EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/26 6:7 p.m.10 views

Brute Force

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Brute Force via the getapivideopasswordiscorrect API endpoint, which allows unauthenticated users to verify passwords for protected videos without rate limiting or...

6.9CVSS5.8AI score0.0032EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/26 5:17 p.m.10 views

Out-of-bounds Write

Overview Magick.NET-Q16-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

5.5CVSS5.9AI score0.00141EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/25 9:10 p.m.10 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization in the authentication process. An attacker can maintain unauthorized access to resources by using valid API tokens, CalDAV credentials, or OpenID Connect authentication even after the account has been disabled or...

8.1CVSS5.8AI score0.00453EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/25 6:45 p.m.10 views

Command Injection

Overview textract is an Extracting text from files of various type including html, pdf, doc, docx, xls, xlsx, csv, pptx, png, jpg, gif, rtf, text/, and various open office. Affected versions of this package are vulnerable to Command Injection via the filePath parameter in multiple extractors. An...

9.8CVSS6.1AI score0.02421EPSS
Exploits4References2
Snyk
Snyk
added 2026/03/25 3:3 p.m.10 views

Malicious Package

Overview allergan is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/03/24 10:27 p.m.10 views

User Impersonation

Overview github.com/nats-io/nats-server/v2/server is an A simple, secure and performant communications system for digital systems, services and devices. Affected versions of this package are vulnerable to User Impersonation through the createOrRestoreSession function in the MQTT session manager. ...

8.3CVSS5.9AI score0.0024EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/24 12:48 p.m.10 views

Malicious Package

Overview agoda-test-poc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/24 2:33 a.m.10 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the pathfor function in DiskService. An attacker can read, write, or delete arbitrary files on the server by supplying blob keys containing path traversal sequences like ../. Note: In most cases, blob keys are...

9.8CVSS6.4AI score0.00567EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/23 10:0 p.m.10 views

Malicious Package

Overview coinbase-desktop-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/03/20 4:32 a.m.10 views

Malicious Package

Overview pretty-loggers is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/19 12:41 a.m.10 views

Resources Downloaded over Insecure Protocol

Overview Affected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol through the dependency resolution of openapi-to-java-records-mustache-templates artifact that if compromised may include arbitrary .mustache files. An attacker can introduce and distribute...

3.4CVSS6AI score0.00321EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/18 12:14 a.m.10 views

Malicious Package

Overview @0xengine/meow is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/03/17 5:12 p.m.10 views

Out-of-bounds Write

Overview Magick.NET-Q8-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

7.5CVSS5.8AI score0.00475EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/17 12:46 p.m.10 views

Exposure of Resource to Wrong Sphere

Overview apache-airflow-providers-fab is a Provider package apache-airflow-providers-fab for Apache Airflow Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere due to improper handling of the session token cookie path. An attacker can gain unauthorized access ...

9.3CVSS5.8AI score0.00677EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/13 8:41 p.m.10 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the RIFF parser when handling palette data in AVI files. An attacker can execute arbitrary code by convincing a user to open a specially crafted AVI file with an application linked against the affected...

8.4CVSS7.5AI score0.00867EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/13 8:39 p.m.10 views

Stack-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Stack-based Buffer Overflow in the H.266 video bitstream parser. An attacker can achieve process crash or arbitrary code execution by enticing a user to open specially crafted H.266 media content with an application that processes...

8.4CVSS7.7AI score0.00425EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/13 6:55 p.m.10 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal through a discrepancy in path normalization between protocol handlers and internal routing. An attacker can bypass folder-level permissions or escape the boundaries of a configured virtual folder by crafting specific...

8.1CVSS6.3AI score0.00521EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/13 4:45 p.m.10 views

Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

Overview Affected versions of this package are vulnerable to Selection of Less-Secure Algorithm During Negotiation 'Algorithm Downgrade' in the TLS 1.3 server key agreement group selection when the server configuration includes the 'DEFAULT' keyword. An attacker can influence the negotiation to u...

6.5CVSS5.9AI score0.00435EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/13 3:47 p.m.10 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization through the configWrites authorization. An attacker can modify protected configuration data of sibling accounts by issuing channel commands that target accounts with...

7.1CVSS5.9AI score0.00194EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/12 10:39 p.m.10 views

Stack-based Buffer Overflow

Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

6.7CVSS5.8AI score0.00096EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/12 10:39 p.m.10 views

Stack-based Buffer Overflow

Overview Magick.NET-Q8-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.7CVSS5.8AI score0.00096EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/12 4:23 p.m.10 views

Malicious Package

Overview transform-function-bind is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior...

9.8CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/03/12 4:23 p.m.10 views

Malicious Package

Overview transform-dynamic-import is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior...

9.8CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/03/12 4:23 p.m.10 views

Malicious Package

Overview urql-introspection is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior The...

9.8CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/03/12 2:16 p.m.10 views

Heap-based Buffer Overflow

Overview Magick.NET-Q16-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

7CVSS5.9AI score0.00099EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/12 2:15 p.m.10 views

Heap-based Buffer Overflow

Overview Magick.NET-Q16-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

8.6CVSS5.8AI score0.00108EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/12 2:9 p.m.10 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in the MSL decoder. An attacker can cause the application to access freed memory by submitting a malicious MSL file. Remediation A fix was pushed into the master branch but not yet published. References - GitHub Commit...

7.5CVSS5.8AI score0.00243EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/12 2:9 p.m.10 views

Heap-based Buffer Overflow

Overview Magick.NET-Q16-HDRI-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...

8.2CVSS5.8AI score0.00113EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/12 2:18 a.m.10 views

Malicious Package

Overview unibody is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/11 11:0 p.m.10 views

Prototype Pollution

Overview graphql-upload-minimal is a Minimalistic and developer friendly middleware and an Upload scalar to add support for GraphQL multipart requests file uploads via queries and mutations to various Node.js GraphQL servers. Affected versions of this package are vulnerable to Prototype Pollution...

9.3CVSS7.5AI score
Exploits0References2
Snyk
Snyk
added 2026/03/11 10:40 p.m.10 views

Improper Encoding or Escaping of Output

Overview shescape is a simple shell escape library Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the escape function. An attacker can cause unintended expansion of shell arguments by supplying input containing square brackets, which may result in...

6.9CVSS5.8AI score0.00214EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/10 11:57 p.m.10 views

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop in the FileTypeParser class. This is triggered when the ASF WMV/WMA parser receives input including an ASF sub-header with a size value of 0. An attacker can interrupt service with a 55-byte payload. Remediation Upgrade...

6.9CVSS5.8AI score0.00325EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/10 11:44 p.m.10 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the DistSpecAuthzHandler process. An attacker can overwrite an existing latest tag without the required update permission by exploiting the authorization logic that incorrectly treats overwrite attempts as...

8.3CVSS5.8AI score0.00212EPSS
Exploits1References2
Total number of security vulnerabilities5000