Lucene search
K
SnykMost viewed

35537 matches found

Snyk
Snyk
added 2026/02/25 7:12 p.m.10 views

Out-of-bounds Read

Overview Magick.NET-Q16-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.3CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/02/25 7:12 p.m.10 views

Out-of-bounds Read

Overview Magick.NET-Q16-HDRI-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.3CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/02/25 6:59 p.m.10 views

Missing Authorization

Overview parse-dashboard is a The Parse Dashboard for Parse Server Affected versions of this package are vulnerable to Missing Authorization via the agent endpoint. An attacker can gain unauthorized access to other applications' agent endpoints and escalate privileges by modifying the app ID in t...

9.6CVSS5.9AI score0.0022EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/24 3:27 p.m.10 views

Out-of-bounds Read

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

8.7CVSS6AI score0.00348EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/19 8:45 p.m.10 views

Directory Traversal

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the applypatch tool when non-sandboxed path resolution fails to enforce workspace containment. An attacker can write or delete files outside the intended workspace...

8.8CVSS6.2AI score0.00742EPSS
Exploits0References2
Snyk
Snyk
added 2026/02/19 3:18 p.m.10 views

Cross-site Scripting (XSS)

Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the svelte:element tags. An attacker can inject arbitrary HTML into the server-side rendered output by supplying a crafted tag name. Details Cross-site...

5.5CVSS5.6AI score0.00189EPSS
Exploits0References2
Snyk
Snyk
added 2026/01/28 4:33 p.m.10 views

Malicious Package

Overview bytes-guide is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/01/28 4:33 p.m.10 views

Malicious Package

Overview finaustt is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/01/28 4:33 p.m.10 views

Malicious Package

Overview api-cache-worker is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/01/28 7:50 a.m.10 views

Malicious Package

Overview converse-rn-lib is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/01/27 7:55 p.m.10 views

Improper Control of Dynamically-Managed Code Resources

Overview @nyariv/sandboxjs is a Javascript sandboxing library. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via the AsyncFunction constructor not being properly isolated in the sandboxing function. An attacker can execute arbitrary cod...

10CVSS6.2AI score0.01122EPSS
Exploits1References3
Snyk
Snyk
added 2026/01/23 5:8 a.m.10 views

Arbitrary Code Injection

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Arbitrary Code Injection via the loadtoolmodulebyid function in the utils/plugin.py file. An attacker can execute arbitrary code in the context of the service account by supplying a crafted string that is not...

8.8CVSS8.6AI score0.27227EPSS
Exploits1References2
Snyk
Snyk
added 2026/01/21 1:6 a.m.10 views

Release of Invalid Pointer or Reference

Overview Magick.NET-Q8-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

8.3CVSS5.6AI score
Exploits0References2
Snyk
Snyk
added 2026/01/21 1:6 a.m.10 views

Release of Invalid Pointer or Reference

Overview Magick.NET-Q8-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

8.3CVSS5.6AI score
Exploits0References2
Snyk
Snyk
added 2026/01/21 1:0 a.m.10 views

Insufficiently Protected Credentials

Overview @anthropic-ai/claude-code is an Use Claude, Anthropic's AI assistant, right from your terminal. Claude can understand your codebase, edit files, run terminal commands, and handle entire workflows for you. Affected versions of this package are vulnerable to Insufficiently Protected...

7.5CVSS6.1AI score0.2297EPSS
Exploits2References2
Snyk
Snyk
added 2026/01/20 12:48 a.m.10 views

Release of Invalid Pointer or Reference

Overview Magick.NET-Q16-HDRI-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...

9.8CVSS5.7AI score0.00336EPSS
Exploits0References2
Snyk
Snyk
added 2025/12/11 8:43 p.m.10 views

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview react-server-dom-webpack is a React Server Components bindings for DOM using Webpack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an...

7.5CVSS7AI score0.65592EPSS
Exploits13References2
Snyk
Snyk
added 2025/12/10 6:30 p.m.10 views

Improper Resource Shutdown or Release

Overview org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the HTTP-based CLI connections. An attacker can cause the service to become unavailable by sending corrupted connection...

8.7CVSS6.8AI score0.00515EPSS
Exploits0References2
Snyk
Snyk
added 2025/12/06 1:4 a.m.10 views

CSV Injection

Overview json-2-csv is an A JSON to CSV and CSV to JSON converter that natively supports sub-documents and auto-generates the CSV heading. Affected versions of this package are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas in...

7CVSS5.9AI score0.00166EPSS
Exploits0References2
Snyk
Snyk
added 2025/12/05 12:0 a.m.10 views

Access Control Bypass

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Access Control Bypass via the /admin/realms/master/users/profile endpoint. An attacker can access internal us...

5.1CVSS6.8AI score0.0032EPSS
Exploits0References2
Snyk
Snyk
added 2025/12/03 4:39 p.m.10 views

Arbitrary Code Injection

Overview react-server-dom-parcel is a React Server Components bindings for DOM using Parcel. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe deserialization ...

10CVSS7.7AI score0.99562EPSS
Exploits374References3
Snyk
Snyk
added 2025/12/02 1:20 a.m.10 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via incomplete sanitization of certain SVG and MathML attributes, including xlink:href, math|href, as well as the attributeName attribute of SVG animation elements when it is bound to href or xlink:href. An...

8.7CVSS5.3AI score0.00377EPSS
Exploits1References2
Snyk
Snyk
added 2025/11/24 4:24 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

9.8CVSS6.8AI score
Exploits0References3
Snyk
Snyk
added 2025/11/20 7:41 a.m.10 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:lightgallery is an A lightweight, customizable, modular, responsive, lightbox gallery plugin for jQuery. Affected versions of this package are vulnerable to Cross-site Scripting XSS via insufficient input sanitization and output escaping of attributes. An attacker can...

6.4CVSS5.7AI score0.00213EPSS
Exploits0References2
Snyk
Snyk
added 2025/11/07 12:24 p.m.10 views

Malicious Package

Overview Sharp7Extend is a malicious package. This package contains malicious code that injects time-delayed destructive payloads into database operations and target industrial control systems. Published under the NuGet alias shanhai666 together with 8 other malicious packages between 2023 and...

9.8CVSS7.2AI score
Exploits0References2
Snyk
Snyk
added 2025/10/30 5:41 p.m.10 views

Directory Traversal

Overview keras is a Keras is a high-level neural networks API for Python.. Affected versions of this package are vulnerable to Directory Traversal via the keras.utils.getfile API when the extract=True option is used for tar archives. An attacker can write arbitrary files to any location on the...

9.4CVSS7.6AI score0.01184EPSS
Exploits11References2
Snyk
Snyk
added 2025/10/28 4:42 p.m.10 views

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload/rename API endpoints. An attacker can execute arbitrary code on the server by uploading a file with a .png or .pdf extension containing executable code, bypassing client-side validation, then...

8.8CVSS7.9AI score0.0051EPSS
Exploits2References2
Snyk
Snyk
added 2025/10/16 7:56 p.m.10 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the Express Checkout feature. An attacker can bypass the login procedure via email. Note: Versions 9.4.3.1 through 9.4.3.3, which used the build numbering scheme prior to 2025, are also...

9.3CVSS7AI score0.00469EPSS
Exploits1References2
Snyk
Snyk
added 2025/09/06 7:42 p.m.10 views

Directory Traversal

Overview internetarchive is an A Python interface to archive.org. Affected versions of this package are vulnerable to Directory Traversal via the download function in the file.py file, which does not properly sanitize user-supplied filenames or validate the final download path. An attacker can...

9.6CVSS7.7AI score0.01402EPSS
Exploits0References2
Snyk
Snyk
added 2025/08/13 9:52 a.m.10 views

Allocation of Resources Without Limits or Throttling

Overview org.bouncycastle:bcprov-jdk16 is a Bouncy Castle Crypto package that is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.6. Affected versions of this package are vulnerable to Allocatio...

6.3CVSS6.8AI score0.0043EPSS
Exploits0References2
Snyk
Snyk
added 2025/04/14 1:44 p.m.10 views

Cross-site Scripting (XSS)

Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the storeMedia function...

5.4CVSS5.4AI score0.00356EPSS
Exploits2References2
Snyk
Snyk
added 2025/03/24 10:0 p.m.10 views

Improper Isolation or Compartmentalization

Overview Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization that allows an attacker who can convince a user to follow a malicious link to escape sandbox protections, due to a logic error in the Mojo component. This vulnerability does not enable code...

8.3CVSS7.6AI score0.08404EPSS
Exploits6References2
Snyk
Snyk
added 2025/02/27 6:30 a.m.10 views

Incorrect Authorization

Overview org.wso2.am:am-parent is a WSO2 API Manager - Aggregator Module Affected versions of this package are vulnerable to Incorrect Authorization that allows an attacker in possession of a valid admin refresh token to gain unauthorized access to API resources by using a refresh token instead o...

6.3CVSS7AI score0.00222EPSS
Exploits0References2
Snyk
Snyk
added 2024/10/23 2:41 p.m.10 views

Deserialization of Untrusted Data

Overview llama-stack is a Llama Stack Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the use of pickle as a serialization format for socket communication. An attacker can execute arbitrary code by sending maliciously crafted data that is deserialized...

9.8CVSS7.8AI score0.00886EPSS
Exploits1References2
Snyk
Snyk
added 2024/10/17 7:30 p.m.10 views

Use of Weak Hash

Overview MessagePack is a MessagePackMsgPack Serializer for C.NET, .NET Core, Unity, Xamarin. Affected versions of this package are vulnerable to Use of Weak Hash through the deserialization process. An attacker can cause a denial of service by sending specially crafted data that leads to hash...

8.7CVSS6.8AI score0.01578EPSS
Exploits0References2
Snyk
Snyk
added 2022/08/05 8:9 a.m.10 views

Malicious Package

Overview gcore-cdn-stats is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package w...

9.8CVSS7.1AI score
Exploits0References3
Snyk
Snyk
added 2022/06/13 11:15 a.m.10 views

Improper Verification of Cryptographic Signature

Overview jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid ...

9.8CVSS7AI score0.01096EPSS
Exploits1References2
Snyk
Snyk
added 2022/04/14 4:37 p.m.10 views

Malicious Package

Overview lznfjbhurpjsqmr is a malicious package. A copy-paste of the legitimate package global-npm, used by the malicious package gxm-reference-web-auth-server and maintained by the same malicious actor. See gxm-reference-web-auth-server advisory for more information:...

8CVSS6.8AI score
Exploits0References2
Snyk
Snyk
added 2021/12/15 1:37 p.m.10 views

Command Injection

Overview com.itextpdf:itextpdf is a software developer toolkit that allows users to integrate PDF functionalities within their applications, processes or products. Affected versions of this package are vulnerable to Command Injection. An attacker controlling the filename passed to the CompareTool...

9.8CVSS7.3AI score0.05172EPSS
Exploits1References2
Snyk
Snyk
added 2021/05/24 7:53 p.m.10 views

Malicious Package

Overview e39test is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2020/12/14 7:38 p.m.10 views

Prototype Pollution

Overview Affected versions of this package are vulnerable to Prototype Pollution. The vulnerability is in the set function. PoC const decal = require'decal'; console.log'Before:', .polluted; decal.set, "proto.polluted", "1337"; console.log'After:', .polluted; Details Prototype Pollution is a...

8.6CVSS8.6AI score0.0176EPSS
Exploits1References2
Snyk
Snyk
added 2020/11/17 1:2 p.m.10 views

Code Injection

Overview Affected versions of this package are vulnerable to Code Injection due the improper validation of options.variable key names in .template. An attacker can execute arbitrary code at template compilation time by injecting malicious expressions. If Object.prototype has been polluted,...

7.2CVSS7.2AI score0.2241EPSS
Exploits3References2
Snyk
Snyk
added 2020/11/12 5:10 p.m.10 views

Prototype Pollution

Overview asciitable.js is a Generate a ASCII Table from a bidimensional array of strings Affected versions of this package are vulnerable to Prototype Pollution via the main function. POC var a = require"asciitable.js"; var b = JSON.parse'"proto":"test":123'; a,b; console.log.test Details Prototy...

9.8CVSS9AI score0.01939EPSS
Exploits1References2
Snyk
Snyk
added 2020/05/20 12:50 a.m.10 views

Cross-site Scripting (XSS)

Overview bootstrap-select is a .NET bundle for bootstrap-select jQuery plugin. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the use of the data-subtext attribute, in cases where that content originates from a user-controlled input. PoC by Snyk Research js HTML ...

6.1CVSS5.7AI score0.01738EPSS
Exploits0References2
Snyk
Snyk
added 2020/04/17 12:0 a.m.10 views

Malicious Package

Overview spider-bot is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using spider-bot...

8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 2020/04/17 12:0 a.m.10 views

Malicious Package

Overview batchrails is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using batchrails...

8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 2020/04/17 12:0 a.m.10 views

Malicious Package

Overview active-model-permalink is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using...

8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 2020/04/17 12:0 a.m.10 views

Malicious Package

Overview ackintosh-net-empty-port is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run Malicious 3rd party scripts. It replaced genuine packages using an and replaced it with - and vice versa Remediation Avoid using...

8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 4 days ago9 views

Malicious Package

Overview poc-node-npm is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago9 views

XML External Entity (XXE) Injection

Overview ebookmeta is a Read/write ebook metadata for fb2, epub2 and epub3 files Affected versions of this package are vulnerable to XML External Entity XXE Injection in the ebookmeta.getmetadata function via lxml dependency allows attackers to access sensitive information or cause a Denial of...

9.1CVSS7AI score0.00532EPSS
Exploits0References2
Total number of security vulnerabilities5000