Lucene search
K
SnykMost viewed

35355 matches found

Snyk
Snyk
added 2026/06/29 3:31 a.m.9 views

Malicious Package

Overview unsafe-malicious-package is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/27 12:2 a.m.9 views

External Control of File Name or Path

Overview @pnpm/installing.deps-installer is a Fast, disk space efficient installation engine Affected versions of this package are vulnerable to External Control of File Name or Path via the lockfile alias handling process. An attacker can overwrite files or directories outside the intended...

7.1CVSS5.8AI score0.00262EPSS
Exploits1References3
Snyk
Snyk
added 2026/06/26 10:31 p.m.9 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the API key management process. An attacker can perform unauthorized key-management operations, such as creating, listing, or revoking API keys for other owners or escalating privileges by generating keys with...

5.4CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 6:15 p.m.9 views

Brute Force

Overview payload is a Node, React and MongoDB Headless CMS and Application Framework Affected versions of this package are vulnerable to Brute Force due to insufficient access control in the unlock process. An attacker can regain access to a locked account by exploiting the default unlock...

5.4CVSS5.8AI score0.00235EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/26 12:16 p.m.9 views

Malicious Package

Overview react-icon-svgs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 11:16 a.m.9 views

Malicious Package

Overview ai-node-relay is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 5:55 a.m.9 views

Malicious Package

Overview wao is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 5:11 a.m.9 views

Malicious Package

Overview pump-stream-logger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 5:10 a.m.9 views

Malicious Package

Overview ttal2ttml is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 3:10 a.m.9 views

Malicious Package

Overview ref-slot is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/25 9:22 p.m.9 views

Uncontrolled Recursion

Overview MessagePack is a MessagePackMsgPack Serializer for C.NET, .NET Core, Unity, Xamarin. Affected versions of this package are vulnerable to Uncontrolled Recursion in the DynamicUnionResolver.BuildDeserialize process. An attacker can cause a process crash by providing a specially crafted uni...

7.5CVSS5.7AI score0.00231EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/25 6:43 p.m.9 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication via the unauthenticated router-key and mcp-init-host paths. An attacker can gain unauthorized access or bypass authentication controls by sending crafted requests to these endpoints. Remediation Upgrade...

9.3CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/06/24 10:17 p.m.9 views

Incomplete Filtering of Special Elements

Overview angular is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this package...

7.6CVSS5.8AI score0.00338EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/24 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 10:23 a.m.9 views

Malicious Package

Overview rapidsearch is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:36 a.m.9 views

Malicious Package

Overview aes-decode-runner-pro is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/24 1:17 a.m.9 views

Malicious Package

Overview markdownlint-cli2-fix is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/23 3:32 p.m.9 views

Malicious Package

Overview server-parket is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/23 6:22 a.m.9 views

Malicious Package

Overview ts-wross is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/22 11:19 p.m.9 views

Deserialization of Untrusted Data

Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the ensurepip.runpip function. An attacker can execute arbitrary code by crafting malicious pickle files...

9CVSS6.2AI score0.00367EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/21 9:0 p.m.9 views

Malicious Package

Overview apintergrationpost is a malicious package. This package conceals a Linux remote access trojan RAT called MYRA. The package's documentation claims it is designed for "authorized red team exercises and EDR validation." Regardless of the publisher's intent, it should be treated as malicious...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/21 5:6 a.m.9 views

Server-side Request Forgery (SSRF)

Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the /v1/mcp/test/connection endpoint. An attacker can perform server-side request forgery SSRF by supplying a crafted tokenurl and...

6.5CVSS6.8AI score0.00262EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/21 3:6 a.m.9 views

Incorrect Authorization

Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Incorrect Authorization in the userapikeyauth.py file of the M2M JWT Handler. An attacker can gain unauthorized access to resources by exploiting insufficient authorization...

7.5CVSS6AI score0.00288EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/19 10:10 p.m.9 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error via insufficient validation of the Origin header and improper handling of request paths in the local HTTP server. An attacker can access and exfiltrate arbitrary local files by sending crafted requests from a...

8.7CVSS6.1AI score0.00181EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/19 9:42 p.m.9 views

Authorization Bypass Through User-Controlled Key

Overview stigmem-node is a Stigmem reference node — single-host production implementation Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the issuetombstone process and the read-suppression path, where tenant scoping is not properly enforced...

7.6CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/19 9:42 p.m.9 views

External Control of File Name or Path

Overview network-ai is an AI agent orchestration framework for TypeScript/Node.js - 29 adapters LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Compu Affected version...

7.1CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added 2026/06/19 9:15 p.m.9 views

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Overview ultimate-sitemap-parser is an A performant library for parsing and crawling sitemaps Affected versions of this package are vulnerable to Improper Restriction of Recursive Entity References in DTDs 'XML Entity Expansion' through the sitemaptreeforhomepage and sitemapfromstr functions when...

8.7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/19 8:47 p.m.9 views

Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

Overview CoreWCF.Primitives is a port of the service side of Windows Communication Foundation WCF to .NET Core. The goal of this project is to enable existing WCF services to move to .NET Core. Affected versions of this package are vulnerable to Selection of Less-Secure Algorithm During Negotiati...

6.9CVSS5.8AI score0.00157EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/19 7:35 p.m.9 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the propagation of unvalidated LABEL values from image configuration to container labels. An attacker can execute arbitrary commands on the host by...

9.4CVSS6.2AI score0.00203EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 7:35 p.m.9 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview github.com/containerd/containerd/pkg/cri/server is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer an...

9.4CVSS6.3AI score0.00203EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 5:45 p.m.9 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack via the os.ReadFile function during direct lookups via resources.Get. An attacker can access arbitrary files outside the intended directory by placing a symlink inside a mounted directory that points to files outside the...

6.5CVSS6AI score0.00318EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 4:37 p.m.9 views

Use After Free

Overview nokogiri is a gem for parsing HTML, XML, SAX, and Reader. Affected versions of this package are vulnerable to Use After Free in the doxinclude. An attacker can cause invalid memory reads or writes by exposing nodes or namespaces to Ruby before invoking XInclude processing. Note: This is...

7.3CVSS5.8AI score0.00093EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 3:41 p.m.9 views

User Impersonation

Overview silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS. Affected versions of this package are vulnerable to User Impersonation via insufficient validation of proxy-related HTTP headers. An attacker can spoof client IP addresses, hostnames, or protocols by...

5.3CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/06/19 3:11 p.m.9 views

Cross-site Scripting (XSS)

Overview @jupyterlab/extensionmanager is a JupyterLab - Extension Manager Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized handling of the homepageurl field in the extension manager. An attacker can execute arbitrary JavaScript in the context of the...

8.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/06/19 1:34 p.m.9 views

Missing Authentication for Critical Function

Overview network-ai is an AI agent orchestration framework for TypeScript/Node.js - 29 adapters LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Compu Affected version...

9.3CVSS6AI score0.00297EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/19 8:28 a.m.9 views

Malicious Package

Overview new-ecro is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/19 8:28 a.m.9 views

Malicious Package

Overview ts-ecro-helper is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/19 8:28 a.m.9 views

Malicious Package

Overview ts-big-ecro is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/18 8:32 p.m.9 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the BlueBubbles process. An attacker can gain unauthorized access to restricted agent responses by manipulating conversation-level identifiers to match allowli...

5.4CVSS5.9AI score0.00171EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/18 2:28 p.m.9 views

Server-side Request Forgery (SSRF)

Overview org.webjars.npm:nodemailer is an Easy as cake e-mail sending from your Node.js applications Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the message-level raw option bypassing disableFileAccess and disableUrlAccess flags. An attacker can access...

7.1CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/18 4:5 a.m.9 views

Malicious Package

Overview intquery is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/18 3:27 a.m.9 views

Malicious Package

Overview metrics-probe-f256 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/18 3:27 a.m.9 views

Malicious Package

Overview runtime-metrics-w7k2 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/18 3:27 a.m.9 views

Malicious Package

Overview npm-sandbox-research-9c4e is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/18 3:27 a.m.9 views

Malicious Package

Overview @ncurran/sandbox-recon-9b2d4f is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/18 3:27 a.m.9 views

Malicious Package

Overview @ncurran/dc-selftest-ba0ad4 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/17 6:22 p.m.9 views

Permissive List of Allowed Inputs

Overview undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Permissive List of Allowed Inputs via permissive substring matching in the Set-Cookie attribute parsing. An attacker can weaken cookie SameSite enforcement by crafting a...

8.3CVSS5.9AI score0.00248EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/17 6:21 p.m.9 views

CRLF Injection

Overview undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to CRLF Injection in the parseSetCookie. An attacker can inject arbitrary HTTP headers by supplying specially crafted percent-encoded values in the Set-Cookie header, which...

9.2CVSS6AI score0.00257EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/17 6:21 p.m.9 views

Allocation of Resources Without Limits or Throttling

Overview undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the handling of fragmented WebSocket messages. An attacker can cause unbounded memory growth and exhaust system...

8.7CVSS5.9AI score0.00426EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/17 6:21 p.m.9 views

Allocation of Resources Without Limits or Throttling

Overview org.webjars.npm:undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the handling of fragmented WebSocket messages. An attacker can cause unbounded memory growth and...

8.7CVSS6.5AI score0.00426EPSS
Exploits0References2
Total number of security vulnerabilities5000