Lucene search
K
SnykMost viewed

35340 matches found

Snyk
Snyk
added 2024/10/23 2:41 p.m.10 views

Deserialization of Untrusted Data

Overview llama-stack is a Llama Stack Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the use of pickle as a serialization format for socket communication. An attacker can execute arbitrary code by sending maliciously crafted data that is deserialized...

9.8CVSS7.8AI score0.00886EPSS
Exploits1References2
Snyk
Snyk
added 2022/08/05 8:9 a.m.10 views

Malicious Package

Overview gcore-cdn-stats is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package w...

9.8CVSS7.1AI score
Exploits0References3
Snyk
Snyk
added 2022/06/23 9:25 a.m.10 views

Malicious Package

Overview contentsource-connector is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this...

9.8CVSS7AI score
Exploits0References3
Snyk
Snyk
added 2022/06/13 11:15 a.m.10 views

Improper Verification of Cryptographic Signature

Overview jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid ...

9.8CVSS7AI score0.01096EPSS
Exploits1References2
Snyk
Snyk
added 2022/04/14 4:37 p.m.10 views

Malicious Package

Overview lznfjbhurpjsqmr is a malicious package. A copy-paste of the legitimate package global-npm, used by the malicious package gxm-reference-web-auth-server and maintained by the same malicious actor. See gxm-reference-web-auth-server advisory for more information:...

8CVSS6.8AI score
Exploits0References2
Snyk
Snyk
added 2020/11/17 1:2 p.m.10 views

Code Injection

Overview Affected versions of this package are vulnerable to Code Injection due the improper validation of options.variable key names in .template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted,...

7.2CVSS7.2AI score0.2241EPSS
Exploits3References2
Snyk
Snyk
added 2020/04/17 12:0 a.m.10 views

Malicious Package

Overview spider-bot is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using spider-bot...

8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 2020/04/17 12:0 a.m.10 views

Malicious Package

Overview batchrails is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using batchrails...

8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 2020/04/17 12:0 a.m.10 views

Malicious Package

Overview active-model-permalink is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using...

8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 6 days ago9 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the getcommand function. An attacker can execute arbitrary commands by supplying a file path containing shell metacharacters. Remediation Upgrade pillow to version 12.3.0 or higher. References - GitHub Advisory -...

4.5CVSS6.2AI score0.00136EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/02 1:7 p.m.9 views

Malicious Package

Overview tailwind-typography-stylecss is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/30 11:20 p.m.9 views

Uncontrolled Search Path Element

Overview app-builder-bin is an app-builder precompiled binaries Affected versions of this package are vulnerable to Uncontrolled Search Path Element through the execWine/executeAppBuilder command path in builder-util and app-builder-lib on non-Windows systems. An attacker can execute...

7.8CVSS6.3AI score0.00129EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/30 3:13 p.m.9 views

Malicious Package

Overview setup-cicd is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/30 12:21 p.m.9 views

Allocation of Resources Without Limits or Throttling

Overview org.apache.activemq:activemq-all is a package that puts together an ActiveMQ jar bundle. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the OpenWire process. An attacker can exhaust system memory by repeatedly sending BrokerInf...

7.5CVSS5.8AI score0.00707EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/29 10:23 p.m.9 views

Improper Authorization

Overview org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Improper Authorization due to the improper enforcement of security constraints in the default...

6.5CVSS5.8AI score0.0041EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/29 4:53 p.m.9 views

Malicious Package

Overview @webda-features/dashboard is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/29 4:53 p.m.9 views

Malicious Package

Overview @meego-progressive/cdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/29 4:50 p.m.9 views

Malicious Package

Overview @live-backstage-im/communication-chat is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/29 10:49 a.m.9 views

Malicious Package

Overview vkzmn is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/27 12:2 a.m.9 views

External Control of File Name or Path

Overview @pnpm/installing.deps-installer is a Fast, disk space efficient installation engine Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended...

7.1CVSS5.8AI score0.00262EPSS
Exploits1References3
Snyk
Snyk
added 2026/06/26 6:15 p.m.9 views

Brute Force

Overview payload is a Node, React and MongoDB Headless CMS and Application Framework Affected versions of this package are vulnerable to Brute Force due to insufficient access control in the unlock process. An attacker can regain access to a locked account by exploiting the default unlock...

5.4CVSS5.8AI score0.00235EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/26 12:16 p.m.9 views

Malicious Package

Overview react-icon-svgs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 11:16 a.m.9 views

Malicious Package

Overview ai-node-relay is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 5:55 a.m.9 views

Malicious Package

Overview wao is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 5:11 a.m.9 views

Malicious Package

Overview pump-stream-logger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 5:10 a.m.9 views

Malicious Package

Overview ttal2ttml is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 3:10 a.m.9 views

Malicious Package

Overview ref-slot is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 10:17 p.m.9 views

Incomplete Filtering of Special Elements

Overview angular is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this package...

7.6CVSS5.8AI score0.00338EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/24 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 10:23 a.m.9 views

Malicious Package

Overview rapidsearch is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:36 a.m.9 views

Malicious Package

Overview aes-decode-runner-pro is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:17 a.m.9 views

Malicious Package

Overview markdownlint-cli2-fix is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/23 3:32 p.m.9 views

Malicious Package

Overview server-parket is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/23 3:27 p.m.9 views

Malicious Package

Overview ts-predict-helper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/23 6:22 a.m.9 views

Malicious Package

Overview ts-wross is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/22 11:19 p.m.9 views

Deserialization of Untrusted Data

Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the ensurepip.runpip function. An attacker can execute arbitrary code by crafting malicious pickle files...

9CVSS6.2AI score0.00367EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/21 9:0 p.m.9 views

Malicious Package

Overview apintergrationpost is a malicious package. This package conceals a Linux remote access trojan RAT called MYRA. The package's documentation claims it is designed for "authorized red team exercises and EDR validation." Regardless of the publisher's intent, it should be treated as malicious...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/21 5:6 a.m.9 views

Server-side Request Forgery (SSRF)

Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the /v1/mcp/test/connection endpoint. An attacker can perform server-side request forgery SSRF by supplying a crafted tokenurl and...

6.5CVSS6.8AI score0.00262EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/21 3:6 a.m.9 views

Incorrect Authorization

Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Incorrect Authorization in the userapikeyauth.py file of the M2M JWT Handler. An attacker can gain unauthorized access to resources by exploiting insufficient authorization...

7.5CVSS6AI score0.00288EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/19 10:10 p.m.9 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error via insufficient validation of the Origin header and improper handling of request paths in the local HTTP server. An attacker can access and exfiltrate arbitrary local files by sending crafted requests from a...

8.7CVSS6.1AI score0.00181EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/19 9:42 p.m.9 views

Authorization Bypass Through User-Controlled Key

Overview stigmem-node is a Stigmem reference node — single-host production implementation Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the issuetombstone process and the read-suppression path, where tenant scoping is not properly enforced...

7.6CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/19 9:15 p.m.9 views

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Overview ultimate-sitemap-parser is an A performant library for parsing and crawling sitemaps Affected versions of this package are vulnerable to Improper Restriction of Recursive Entity References in DTDs 'XML Entity Expansion' through the sitemaptreeforhomepage and sitemapfromstr functions when...

8.7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/19 8:47 p.m.9 views

Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

Overview CoreWCF.Primitives is a port of the service side of Windows Communication Foundation WCF to .NET Core. The goal of this project is to enable existing WCF services to move to .NET Core. Affected versions of this package are vulnerable to Selection of Less-Secure Algorithm During Negotiati...

6.9CVSS5.8AI score0.00157EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/19 7:35 p.m.9 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the propagation of unvalidated LABEL values from image configuration to container labels. An attacker can execute arbitrary commands on the host by...

9.4CVSS6.2AI score0.00203EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 7:35 p.m.9 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview github.com/containerd/containerd/pkg/cri/server is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer an...

9.4CVSS6.3AI score0.00203EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 5:45 p.m.9 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack via the os.ReadFile function during direct lookups via resources.Get. An attacker can access arbitrary files outside the intended directory by placing a symlink inside a mounted directory that points to files outside the...

6.5CVSS6AI score0.00318EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 3:41 p.m.9 views

User Impersonation

Overview silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS. Affected versions of this package are vulnerable to User Impersonation via insufficient validation of proxy-related HTTP headers. An attacker can spoof client IP addresses, hostnames, or protocols by...

5.3CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/06/19 3:11 p.m.9 views

Cross-site Scripting (XSS)

Overview @jupyterlab/extensionmanager is a JupyterLab - Extension Manager Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized handling of the homepageurl field in the extension manager. An attacker can execute arbitrary JavaScript in the context of the...

8.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/06/19 1:34 p.m.9 views

Missing Authentication for Critical Function

Overview network-ai is an AI agent orchestration framework for TypeScript/Node.js - 29 adapters LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Compu Affected version...

9.3CVSS6AI score0.00297EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 8:28 a.m.9 views

Malicious Package

Overview new-ecro is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Total number of security vulnerabilities5000