35340 matches found
Deserialization of Untrusted Data
Overview llama-stack is a Llama Stack Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the use of pickle as a serialization format for socket communication. An attacker can execute arbitrary code by sending maliciously crafted data that is deserialized...
Malicious Package
Overview gcore-cdn-stats is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package w...
Malicious Package
Overview contentsource-connector is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this...
Improper Verification of Cryptographic Signature
Overview jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid ...
Malicious Package
Overview lznfjbhurpjsqmr is a malicious package. A copy-paste of the legitimate package global-npm, used by the malicious package gxm-reference-web-auth-server and maintained by the same malicious actor. See gxm-reference-web-auth-server advisory for more information:...
Code Injection
Overview Affected versions of this package are vulnerable to Code Injection due the improper validation of options.variable key names in .template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted,...
Malicious Package
Overview spider-bot is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using spider-bot...
Malicious Package
Overview batchrails is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using batchrails...
Malicious Package
Overview active-model-permalink is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the getcommand function. An attacker can execute arbitrary commands by supplying a file path containing shell metacharacters. Remediation Upgrade pillow to version 12.3.0 or higher. References - GitHub Advisory -...
Malicious Package
Overview tailwind-typography-stylecss is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Uncontrolled Search Path Element
Overview app-builder-bin is an app-builder precompiled binaries Affected versions of this package are vulnerable to Uncontrolled Search Path Element through the execWine/executeAppBuilder command path in builder-util and app-builder-lib on non-Windows systems. An attacker can execute...
Malicious Package
Overview setup-cicd is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Allocation of Resources Without Limits or Throttling
Overview org.apache.activemq:activemq-all is a package that puts together an ActiveMQ jar bundle. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the OpenWire process. An attacker can exhaust system memory by repeatedly sending BrokerInf...
Improper Authorization
Overview org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Improper Authorization due to the improper enforcement of security constraints in the default...
Malicious Package
Overview @webda-features/dashboard is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview @meego-progressive/cdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...
Malicious Package
Overview @live-backstage-im/communication-chat is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization...
Malicious Package
Overview vkzmn is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
External Control of File Name or Path
Overview @pnpm/installing.deps-installer is a Fast, disk space efficient installation engine Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended...
Brute Force
Overview payload is a Node, React and MongoDB Headless CMS and Application Framework Affected versions of this package are vulnerable to Brute Force due to insufficient access control in the unlock process. An attacker can regain access to a locked account by exploiting the default unlock...
Malicious Package
Overview react-icon-svgs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ai-node-relay is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview wao is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview pump-stream-logger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ttal2ttml is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview ref-slot is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Incomplete Filtering of Special Elements
Overview angular is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this package...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...
Malicious Package
Overview rapidsearch is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Malicious Package
Overview aes-decode-runner-pro is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview markdownlint-cli2-fix is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview server-parket is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ts-predict-helper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ts-wross is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Deserialization of Untrusted Data
Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the ensurepip.runpip function. An attacker can execute arbitrary code by crafting malicious pickle files...
Malicious Package
Overview apintergrationpost is a malicious package. This package conceals a Linux remote access trojan RAT called MYRA. The package's documentation claims it is designed for "authorized red team exercises and EDR validation." Regardless of the publisher's intent, it should be treated as malicious...
Server-side Request Forgery (SSRF)
Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the /v1/mcp/test/connection endpoint. An attacker can perform server-side request forgery SSRF by supplying a crafted tokenurl and...
Incorrect Authorization
Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Incorrect Authorization in the userapikeyauth.py file of the M2M JWT Handler. An attacker can gain unauthorized access to resources by exploiting insufficient authorization...
Origin Validation Error
Overview Affected versions of this package are vulnerable to Origin Validation Error via insufficient validation of the Origin header and improper handling of request paths in the local HTTP server. An attacker can access and exfiltrate arbitrary local files by sending crafted requests from a...
Authorization Bypass Through User-Controlled Key
Overview stigmem-node is a Stigmem reference node — single-host production implementation Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the issuetombstone process and the read-suppression path, where tenant scoping is not properly enforced...
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Overview ultimate-sitemap-parser is an A performant library for parsing and crawling sitemaps Affected versions of this package are vulnerable to Improper Restriction of Recursive Entity References in DTDs 'XML Entity Expansion' through the sitemaptreeforhomepage and sitemapfromstr functions when...
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Overview CoreWCF.Primitives is a port of the service side of Windows Communication Foundation WCF to .NET Core. The goal of this project is to enable existing WCF services to move to .NET Core. Affected versions of this package are vulnerable to Selection of Less-Secure Algorithm During Negotiati...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the propagation of unvalidated LABEL values from image configuration to container labels. An attacker can execute arbitrary commands on the host by...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview github.com/containerd/containerd/pkg/cri/server is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer an...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack via the os.ReadFile function during direct lookups via resources.Get. An attacker can access arbitrary files outside the intended directory by placing a symlink inside a mounted directory that points to files outside the...
User Impersonation
Overview silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS. Affected versions of this package are vulnerable to User Impersonation via insufficient validation of proxy-related HTTP headers. An attacker can spoof client IP addresses, hostnames, or protocols by...
Cross-site Scripting (XSS)
Overview @jupyterlab/extensionmanager is a JupyterLab - Extension Manager Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized handling of the homepageurl field in the extension manager. An attacker can execute arbitrary JavaScript in the context of the...
Missing Authentication for Critical Function
Overview network-ai is an AI agent orchestration framework for TypeScript/Node.js - 29 adapters LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Compu Affected version...
Malicious Package
Overview new-ecro is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...