Lucene search
K
SnykMost viewed

35345 matches found

Snyk
Snyk
added 2026/05/21 3:53 p.m.17 views

Buffer Overflow

Overview Affected versions of this package are vulnerable to Buffer Overflow via the checktemplate and tokenizecleanup functions in the checktemplate.cpp component of the executable. An attacker can cause a crash or disrupt service by providing specially crafted input to these functions...

7.3CVSS5.8AI score0.00134EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/20 3:35 p.m.17 views

Deserialization of Untrusted Data

Overview symfony/monolog-bridge is a Provides integration for Monolog with various Symfony components Affected versions of this package are vulnerable to Deserialization of Untrusted Data via deserialization of network input in Symfony\Bridge\Monolog\Command\ServerLogCommand. An attacker can...

9.8CVSS6.4AI score0.01261EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:55 p.m.17 views

Missing Authorization

Overview @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Missing Authorization via the extension automation feature. An attacker can perform unauthorized browser automation actions by tricking a user into interacting with attacker-controll...

5.4CVSS5.8AI score0.00227EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 8:36 p.m.17 views

Infinite loop

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

6.8CVSS5.8AI score0.00111EPSS
Exploits0References5
Snyk
Snyk
added 2026/05/17 9:0 p.m.17 views

Malicious Package

Overview chalk-tempalte is a malicious package. This package contains malicious code that includes infostealer malware, one of which is a Shai-Hulud clone following the TeamPCP open source release, and one DDoS botnet package. While this package might be attempting to impersonate a valid...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/15 6:30 p.m.17 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the SQL code generation process. An attacker can execute arbitrary code on TaskManagers by submitting specially crafted SQL queries that exploit improper escaping of user-controlled strings in generated Java...

8.6CVSS6.3AI score0.00381EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/15 6:1 p.m.17 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the generic download endpoint when the disk and path parameters are supplied in the request. An attacker can access unrelated files stored on configured storage disks by manipulating...

7.7CVSS5.8AI score0.00262EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/15 10:40 a.m.17 views

Malicious Package

Overview apple-internal-pki-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/15 10:40 a.m.17 views

Malicious Package

Overview alicloud-pop-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/14 8:29 p.m.17 views

Server-side Request Forgery (SSRF)

Overview deepseek-tui is an Install and run deepseek and deepseek-tui binaries from GitHub release artifacts. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchurl process. An attacker can access sensitive internal resources by supplying a URL that...

7.4CVSS5.8AI score0.00226EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 4:19 p.m.17 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the Object.assign process. An attacker can gain unauthorized access to and control over resources belonging to other...

7.7CVSS5.8AI score0.00335EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 7:22 p.m.17 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to improper validation of user-supplied input in the authentication process. An attacker can gain elevated privileges by providing crafted input during local interaction. Remediation Upgrade...

8.3CVSS5.8AI score0.00662EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 9:0 p.m.17 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

9.8CVSS6AI score0.02342EPSS
Exploits3References2
Snyk
Snyk
added 2026/05/11 7:40 p.m.17 views

Arbitrary Code Injection

Overview @nyariv/sandboxjs is a Javascript sandboxing library. Affected versions of this package are vulnerable to Arbitrary Code Injection via createFunction in executorUtils.ts. An attacker can escape the sandbox and execute arbitrary code in the host environment by leveraging access to interna...

10CVSS6.2AI score0.00472EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/08 4:29 p.m.17 views

XML External Entity (XXE) Injection

Overview Affected versions of this package are vulnerable to XML External Entity XXE Injection while processing XML entities. An attacker can inject arbitrary attributes into generated XML or HTML by crafting attribute values containing quotes, which are improperly parsed and split into multiple...

7.4CVSS6.1AI score0.00209EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 10:31 p.m.17 views

Cross-site Scripting (XSS)

Overview netbox-data-flows is a NetBox plugin to document data flows between systems and applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the ObjectAlias.name field rendered in DataFlow tables. An attacker can execute arbitrary JavaScript in the brows...

8.7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/07 8:24 p.m.17 views

Cross-site Scripting (XSS)

Overview postorius is an A web user interface for GNU Mailman Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering process of the message subject in the Held messages pop-up. An attacker can execute arbitrary scripts in the context of the user's browser b...

7.2CVSS5.9AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 3:15 a.m.17 views

Server-side Request Forgery (SSRF)

Overview docling-graph is an A tool to convert documents into knowledge graphs using Docling. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the URLInputHandler process. An attacker can access internal network resources or sensitive cloud metadata by...

6.9CVSS5.8AI score0.00188EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/07 12:13 a.m.17 views

HTTP Request Smuggling

Overview io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients. Affected versions of this package are vulnerable to HTTP Request Smuggling via the getChunkSize function. An attacker can inject unauthorized HT...

7.3CVSS5.8AI score0.00364EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/06 11:1 p.m.17 views

Directory Traversal

Overview nitro is a Build and Deploy Universal JavaScript Servers Affected versions of this package are vulnerable to Directory Traversal via the routeRules function. An attacker can access files or endpoints outside the intended proxy scope by sending specially crafted URLs containing...

6.9CVSS6.3AI score0.00392EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 9:19 p.m.17 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the DM pairing-store process. An attacker can gain unauthorized access to privileged room control commands by leveraging DM-paired sender IDs to bypass...

8.8CVSS5.8AI score0.00288EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 7:32 p.m.17 views

Allocation of Resources Without Limits or Throttling

Overview react-server-dom-webpack is a React Server Components bindings for DOM using Webpack. This is intended to be integrated into meta-frameworks. It is not intended to be imported directly. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttli...

8.7CVSS5.8AI score0.01533EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/05 10:20 p.m.17 views

Improper Restriction of Rendered UI Layers or Frames

Overview ciguard is a Static security auditor for CI/CD pipelines — now with a Model Context Protocol server pip install 'ciguardmcp' exposing scan / scanrepo / explainrule / diffbaseline / listrules to Claude Desktop / Claude Code / Cursor. Plus .ciguardignore rationale-required suppression,...

4.3CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/04 10:2 p.m.17 views

Inefficient Algorithmic Complexity

Overview Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the ResponseReader class. An attacker can exhaust the client's CPU by sending specially crafted IMAP responses containing many string literals, leading to significant performance degradation in...

7.5CVSS5.8AI score0.0041EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 6:26 p.m.17 views

Unsafe Reflection

Overview Affected versions of this package are vulnerable to Unsafe Reflection that leads to arbitrary class instantiation, via the instantiateExtension method in the ExtensionLoader class. An attacker can trigger the static initializer of any class present on the classpath by supplying a model...

9.8CVSS6.1AI score0.00692EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/29 12:39 p.m.17 views

Malicious Package

Overview chai-str is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/29 12:27 p.m.17 views

Malicious Package

Overview chai-as-inserted is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/25 11:49 p.m.17 views

Server-side Request Forgery (SSRF)

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the browser profile creation process. An attacker can cause unauthorized requests to internal network resources by storing a profile with a cdpUrl...

5CVSS5.5AI score0.00246EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/25 4:18 p.m.17 views

SQL Injection

Overview showdoc/showdoc is a tool for an IT team to share documents online. Affected versions of this package are vulnerable to SQL Injection via the pages argument in the API Page Sort Endpoint process. An attacker can execute arbitrary SQL commands by sending crafted requests to the affected...

6.5CVSS7AI score0.00241EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/22 8:23 p.m.17 views

Uncontrolled Recursion

Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related operations, including...

8.7CVSS5.4AI score0.00643EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 9:47 p.m.17 views

Improper Removal of Sensitive Information Before Storage or Transfer

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the sourceConfig and runtimeConfig alias fields, which were not properly redacted. An attacker can obtain sensitive...

7.1CVSS5.8AI score0.00333EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/16 10:48 p.m.17 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the decidedByUserId field in approval-related endpoints. An attacker can forge decision attribution by supplying an arbitrary user identifier in the request body, causing the system to...

5.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/04/16 9:22 p.m.17 views

Use of Hard-coded Credentials

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Use of Hard-coded Credentials due to the use of a weak default value for the secret parameter in session management when the EXPRESSSESSIONSECRET environment variable is not set. An attacker can impersonate...

6.8CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/04/14 3:30 p.m.17 views

Arbitrary Code Injection

Overview @openai/codex is a OpenAI Codex CLI Lightweight coding agent that runs in your terminal Affected versions of this package are vulnerable to Arbitrary Code Injection via the automatic loading of .env and .codex/config.toml files when executing the CLI in a compromised repository. An...

9.8CVSS6AI score0.06583EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/10 12:8 a.m.17 views

Improper Validation of Integrity Check Value

Overview Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value via the PKCS7 CBC decryption process. An attacker can recover plaintext data by sending repeated decryption queries with modified ciphertext, exploiting improper validation of interior paddin...

6.3CVSS5.8AI score0.00111EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/07 2:11 p.m.17 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing access-control validation in the AJAX endpoint used for downloading saved model artifacts. An attacker can gain unauthorized access to model artifacts by directly querying this endpoint without prope...

5.3CVSS5.9AI score0.00362EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/20 4:47 a.m.17 views

Malicious Package

Overview cryptopapi is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/10 8:44 p.m.17 views

Directory Traversal

Overview @appium/support is a Support libs used across Appium packages Affected versions of this package are vulnerable to Directory Traversal in the extractAllTo function. An attacker can write arbitrary files outside the intended extraction directory by supplying a crafted ZIP archive containin...

6.9CVSS6.3AI score0.00388EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/06 7:14 a.m.17 views

Malicious Package

Overview tannucolingboys is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/03/03 8:3 p.m.17 views

Incomplete List of Disallowed Inputs

Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the unsafeglobals function. An attacker can execute arbitrary code by crafting a malicious pickle that...

10CVSS6.4AI score
Exploits0References2
Snyk
Snyk
added 2026/02/28 2:1 a.m.17 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in which the non-blocking async JSON parser can be made to bypass the maxNumberLength constraint default: 1000 characters defined in StreamReadConstraints. An attacker can cause...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/02/18 6:5 a.m.17 views

Infinite loop

Overview jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the...

8.7CVSS5.8AI score0.00554EPSS
Exploits1References2
Snyk
Snyk
added 2026/01/28 4:33 p.m.17 views

Malicious Package

Overview @monkey-tilt/ui is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2025/12/10 9:30 p.m.17 views

Missing Release of Memory after Effective Lifetime

Overview Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime due to improper cleanup of threads in multithreaded environments. An attacker can cause resource exhaustion and degrade application performance by repeatedly initiating requests in a...

6CVSS6.6AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2025/10/23 11:46 a.m.17 views

Brute Force

Overview moodle/moodle is a learning platform. Affected versions of this package are vulnerable to Brute Force via the authentication endpoints for the mobile client and authwebservice. An attacker can repeatedly attempt to guess user credentials by sending multiple authentication requests withou...

8.7CVSS6.9AI score0.00385EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 8:18 a.m.16 views

Insertion of Sensitive Information Into Sent Data

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data due to the improper clearing of the CURLOPTREFERER option. An attacker can cause sensitive information to be disclosed by forcing the reuse and transmission of a previous referer header ...

7.5CVSS5.9AI score0.00652EPSS
Exploits1References2
Total number of security vulnerabilities5000