Lucene search
+L
SnykMost viewed

35936 matches found

snyk
snyk
added 2026/05/14 8:29 p.m.10 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the handling of attribute spreading and dynamic name attributes within form elements. An attacker can inject malicious scripts by manipulatin...

8.1CVSS5.5AI score0.00319EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 8:29 p.m.10 views

Regular Expression Denial of Service (ReDoS)

Overview org.webjars.npm:svelte is a package for building web applications. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS through the svelte:element tag validation process. An attacker can cause significant performance degradation by supplying...

7.5CVSS5.8AI score0.00421EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 8:29 p.m.10 views

Regular Expression Denial of Service (ReDoS)

Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS through the svelte:element tag validation process. An attacker can cause significant performance degradation by supplying specially crafted ta...

5.9CVSS5.8AI score0.00421EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 8:28 p.m.10 views

Incorrect Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Incorrect Authorization through the /api/v1/utils/code/execute endpoint, which fails to enforce the ENABLECODEEXECUTION configuration flag. An attacker can execute arbitrary Python code within the Jupyter...

8.8CVSS6.1AI score0.00406EPSS
Exploits2References2
snyk
snyk
added 2026/05/14 8:28 p.m.10 views

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization via the /api/v1/memories/ef endpoint. An attacker can trigger embedding generation and consume computational resources or incur costs by making unauthenticated requests to this endpoint...

6.9CVSS5.8AI score0.00341EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 8:26 p.m.10 views

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization in the GET /api/tasks and POST /api/tasks/stop/taskid endpoints, which lack proper ownership checks. An attacker can enumerate and terminate background tasks belonging to other users by...

7.1CVSS5.8AI score0.0027EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 8:25 p.m.10 views

Authorization Bypass Through User-Controlled Key

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the updatemessagebyid and deletemessagebyid handlers in channels.py. An attacker can overwrite or remove another member’s group or direct message conte...

5.3CVSS5.8AI score0.00204EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 8:25 p.m.10 views

Improper Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Improper Authorization via the bypassfilter parameter in the HTTP query string, which is unintentionally exposed in the route handler. An attacker can gain unauthorized access to restricted models by appendin...

5.4CVSS5.8AI score0.00193EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 8:21 p.m.10 views

Improper Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Improper Authorization in the model update process. An attacker can modify resources belonging to other users by sending crafted requests that bypass intended access controls. Remediation Upgrade open-webui t...

7.1CVSS5.8AI score0.00226EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 7:16 p.m.10 views

Division by zero

Overview Affected versions of this package are vulnerable to Division by zero in the qtdemuxaudiocaps function of the isomp4 plugin when parsing MP4 audio tracks. An attacker can cause a denial of service by supplying crafted atom data that triggers an integer division by zero. Remediation A fix...

9.1CVSS5.8AI score0.00208EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 6:26 p.m.10 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the xmp raw-text passthrough. An attacker can execute arbitrary JavaScript in the browser of another user by submitting specially crafted HTML content that is sanitized and then rendered as trusted output...

9.3CVSS5.8AI score0.00397EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 4:19 p.m.10 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in the Object.assign process. An attacker can gain unauthorized access to and control over data across different workspaces by...

7.6CVSS5.8AI score0.00342EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 3:49 p.m.10 views

Malicious Package

Overview solidity-linter is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/14 3:49 p.m.10 views

Malicious Package

Overview deltaprime-primeloans is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/14 3:49 p.m.10 views

Malicious Package

Overview mrgn-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/14 3:49 p.m.10 views

Malicious Package

Overview web3-utils-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/14 3:49 p.m.10 views

Malicious Package

Overview solidity-lib is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/14 3:23 p.m.10 views

Use of Externally-Controlled Format String

Overview Affected versions of this package are vulnerable to Use of Externally-Controlled Format String in the timeofday function when processing crafted timezone zones. An attacker can access portions of server memory by supplying specially crafted input to the timeofday function. Remediation...

5.3CVSS5.8AI score0.00208EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 3:23 p.m.10 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the CREATE TYPE process. An attacker can execute arbitrary SQL functions of their choice by hijacking queries that use searchpath to locate user-defined types, including those defined by extensions. Remediation...

5.4CVSS6.3AI score0.00159EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 3:22 p.m.10 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the REFRESH PUBLICATION process. An attacker can execute arbitrary SQL commands with the privileges of the publication-side credentials by crafting a malicious table name and triggering the process during logical...

8.8CVSS6.1AI score0.0018EPSS
Exploits0References2
snyk
snyk
added 2026/05/14 2:58 p.m.10 views

Insufficiently Protected Credentials

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Insufficiently Protected Credentials with the credentialName filter parameter, over the credentials API endpoint. An attacker can access encryptedData, containing encrypted credential data such as API keys,...

6CVSS5.8AI score0.00271EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 2:57 p.m.10 views

Arbitrary Code Injection

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the node-custom-function endpoint when user-supplied JavaScript is executed in a NodeVM sandbox without sufficient route-level authorization. A user can execute...

9.9CVSS6AI score0.0082EPSS
Exploits1References2
snyk
snyk
added 2026/05/14 2:54 p.m.10 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes over the /api/v1/chatflows endpoint. A user can gain unauthorized access to and modify sensitive attributes, such as deployment...

7.6CVSS5.8AI score0.00268EPSS
Exploits1References3
snyk
snyk
added 2026/05/14 2:22 p.m.10 views

Malicious Package

Overview knot-rack-session-store is a malicious package. This package is part of a malicious cluster of Ruby gems published by the threat actor knot-theory. Designed to impersonate legitimate utilities, it executes a payload upon installation that harvests environment variables, SSH keys, AWS...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/14 1:12 p.m.10 views

Arbitrary File Upload

Overview @strapi/upload is a Makes it easy to upload images and files to your Strapi Application. Affected versions of this package are vulnerable to Arbitrary File Upload via the Content API uploadFiles and replaceFile handlers, which bypass administrator-configured MIME type restrictions. An...

5.4CVSS5.9AI score0.00195EPSS
Exploits0References2
snyk
snyk
added 2026/05/13 9:14 p.m.10 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the ftpcp function when it processes server-supplied PASV host addresses without verifying them against the actual peer address. An attacker can cause connections to arbitrary hosts by supplying a...

5.9CVSS5.9AI score0.00476EPSS
Exploits0References2
snyk
snyk
added 2026/05/13 3:57 p.m.10 views

Malicious Package

Overview github.com/BufferZoneCorp/go-weather-sdk is a malicious package. This package contains malicious code designed to compromise developer systems and CI environments, specifically targeting GitHub Actions. The threat actor, operating under the GitHub account BufferZoneCorp, published a...

9.8CVSS6AI score
Exploits0References2
snyk
snyk
added 2026/05/13 3:57 p.m.10 views

Malicious Package

Overview github.com/BufferZoneCorp/log-core is a malicious package. This package contains malicious code designed to compromise developer systems and CI environments, specifically targeting GitHub Actions. The threat actor, operating under the GitHub account BufferZoneCorp, published a cluster of...

9.8CVSS6AI score
Exploits0References2
snyk
snyk
added 2026/05/13 3:57 p.m.10 views

Malicious Package

Overview github.com/BufferZoneCorp/grpc-client is a malicious package. This package contains malicious code designed to compromise developer systems and CI environments, specifically targeting GitHub Actions. The threat actor, operating under the GitHub account BufferZoneCorp, published a cluster...

9.8CVSS6AI score
Exploits0References2
snyk
snyk
added 2026/05/13 3:31 p.m.10 views

Arbitrary Code Injection

Overview claude-code-cache-fix is a Cache optimization proxy and interceptor for Claude Code. Fixes prompt cache bugs, stabilizes prefix, reduces quota burn. Affected versions of this package are vulnerable to Arbitrary Code Injection via the tools/quota-statusline.sh process. An attacker can...

8.6CVSS6.1AI score0.00188EPSS
Exploits1References3
snyk
snyk
added 2026/05/13 3:30 p.m.10 views

Regular Expression Denial of Service (ReDoS)

Overview nautobot is a Source of truth and network automation platform. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the find field in combination with the useregex flag in the object bulk rename process. An attacker can cause the application ...

7.1CVSS5.7AI score0.00312EPSS
Exploits0References2
snyk
snyk
added 2026/05/13 3:29 p.m.10 views

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop through insufficient validation and missing safety mechanisms during symlink resolution. An attacker can cause infinite loops and resource exhaustion by providing crafted or malformed input that triggers uncontrolled...

7.5CVSS5.8AI score0.00295EPSS
Exploits0References3
snyk
snyk
added 2026/05/13 3:29 p.m.10 views

Deserialization of Untrusted Data

Overview langchain-classic is a Building applications with LLMs through composability Affected versions of this package are vulnerable to Deserialization of Untrusted Data when fetching and processing prompt manifests from external sources. An attacker can execute arbitrary code or manipulate...

7.1CVSS6.2AI score0.00199EPSS
Exploits0References2
snyk
snyk
added 2026/05/13 2:14 p.m.10 views

Malicious Package

Overview load-bufferjs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
snyk
snyk
added 2026/05/12 10:23 p.m.10 views

Cross-site Scripting (XSS)

Overview sillytavern is a LLM Frontend for Power Users Affected versions of this package are vulnerable to Cross-site Scripting XSS in the corsProxy file. An attacker can execute arbitrary JavaScript in the victim's browser and in the victim's context by injecting malicious content into the url...

7.1CVSS5.8AI score0.00323EPSS
Exploits0References2
snyk
snyk
added 2026/05/12 10:23 p.m.10 views

Reliance on Untrusted Inputs in a Security Decision

Overview sillytavern is a LLM Frontend for Power Users Affected versions of this package are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the headerUserLogin function. An attacker can gain unauthorized access to any user account, including administrators, by injecting...

9.8CVSS5.8AI score0.00218EPSS
Exploits0References5
snyk
snyk
added 2026/05/12 9:20 p.m.10 views

Denial of Service (DoS)

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Denial of Service DoS through the handling of resource requests. An attacker can cause the application to become unresponsive by sending specially crafted requests that...

8.7CVSS5.8AI score0.15933EPSS
Exploits0References2
snyk
snyk
added 2026/05/12 9:20 p.m.10 views

Cross-site Scripting (XSS)

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the vulnerable form fields. An attacker can execute arbitrary JavaScript in the context of another user's browser by injecting malicious script...

4.8CVSS5.8AI score0.00368EPSS
Exploits0References2
snyk
snyk
added 2026/05/12 9:0 p.m.10 views

Prototype Pollution

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Prototype Pollution via the pagination parameter in the HTTP Request node. An attacker can execute arbitrary code on the instance by achieving global prototype pollution and chaining this with other...

9.9CVSS6.6AI score0.00632EPSS
Exploits1References2
snyk
snyk
added 2026/05/12 7:23 p.m.10 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow due to improper bounds checking in memory operations. An attacker can execute arbitrary code or escalate privileges by supplying crafted input to the affected process. Remediation Upgrade...

8.3CVSS6.2AI score0.00551EPSS
Exploits0References2
snyk
snyk
added 2026/05/12 7:22 p.m.10 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to improper validation of user-supplied input in the authentication process. An attacker can gain elevated privileges by providing crafted input during local interaction. Remediation Upgrade...

8.3CVSS5.8AI score0.00662EPSS
Exploits0References2
snyk
snyk
added 2026/05/12 6:30 p.m.10 views

Arbitrary Code Injection

Overview guardrails-ai is an Adding guardrails to large language models. Affected versions of this package are vulnerable to Arbitrary Code Injection via the subprocess.checkoutput function. An attacker can execute arbitrary code by publishing a malicious package to the Hub, which is then install...

9.8CVSS6.2AI score0.00635EPSS
Exploits0References2
snyk
snyk
added 2026/05/12 6:30 p.m.10 views

Deserialization of Untrusted Data

Overview snorkel is an A system for quickly generating training data with weak supervision Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the load function of the BaseLabeler class, which uses the pickle.load method on user-supplied file paths without...

8.8CVSS6.3AI score0.00392EPSS
Exploits0References2
snyk
snyk
added 2026/05/12 6:30 p.m.10 views

Deserialization of Untrusted Data

Overview snorkel is an A system for quickly generating training data with weak supervision Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the Trainer.load function. An attacker can execute arbitrary code by supplying a maliciously crafted model file that ...

8.8CVSS6.1AI score0.00392EPSS
Exploits0References2
snyk
snyk
added 2026/05/12 5:22 p.m.10 views

Improper Validation of Syntactic Correctness of Input

Overview org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the processing of HTTP/2 request headers. An attacker can cause unexpected behavior or potentially compromi...

9.8CVSS5.8AI score0.01339EPSS
Exploits0References2
snyk
snyk
added 2026/05/12 5:22 p.m.10 views

Improper Authentication

Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Authentication when DIGEST authentication is configured. An attacker can gain unauthorized access by providing any unknown...

9.8CVSS5.8AI score0.01233EPSS
Exploits1References2
snyk
snyk
added 2026/05/12 5:22 p.m.10 views

Improper Authentication

Overview org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Authentication when DIGEST authentication is configured. An attacker can gain unauthorized access by providing any unknown username, as the system will...

9.8CVSS5.8AI score0.01233EPSS
Exploits1References2
snyk
snyk
added 2026/05/12 5:22 p.m.10 views

Improper Authorization

Overview org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Authorization in the processing of security constraints when multiple method constraints define an HTTP method for the same extension. An attacker can...

9.1CVSS5.8AI score0.01136EPSS
Exploits1References2
snyk
snyk
added 2026/05/12 5:22 p.m.10 views

Timing Attack

Overview org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can perform a timing side-channel attack...

6.3CVSS5.8AI score0.00352EPSS
Exploits0References2
snyk
snyk
added 2026/05/12 3:23 p.m.10 views

Stack-based Buffer Overflow

Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

6.7CVSS5.8AI score0.0013EPSS
Exploits0References2
Total number of security vulnerabilities5000