Lucene search
K
SnykMost viewed

35340 matches found

Snyk
Snyk
added 2026/05/18 3:31 p.m.9 views

Integer Underflow (Wrap or Wraparound)

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

5.1CVSS5.8AI score0.0012EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/18 2:51 p.m.9 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the buildexclusiveurl function. An attacker can redirect requests to an attacker-controlled host while preserving sensitive connection-scoped headers such as Authorization by supplying a...

6.9CVSS5.8AI score0.00351EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/18 1:26 p.m.9 views

Insertion of Sensitive Information Into Sent Data

Overview n8n-mcp is an Integration between n8n workflow automation and Model Context Protocol MCP Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the telemetry sanitization process in event-validator.ts. An operator with access to the...

6.5CVSS5.7AI score0.00262EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 1:26 p.m.9 views

Symlink Attack

Overview apm-cli is a MCP configuration tool Affected versions of this package are vulnerable to Symlink Attack during the integration when symbolic links under certain directories are dereferenced and their target file contents are copied into project deployment directories. An attacker can acce...

7.5CVSS5.5AI score0.00654EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 11:47 a.m.9 views

Insertion of Sensitive Information into Log File

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the support packet generation process. An attacker can access sensitive credentials in plaintext by downloading a support packet from the System Console. This is only exploitable if t...

8.7CVSS5.8AI score0.0029EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:45 a.m.9 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the post update and patch API endpoints. An attacker can modify existing posts despite lacking posting privileges by sending crafted API requests. Remediation Upgrade...

5.3CVSS5.8AI score0.00152EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 9:10 a.m.9 views

Malicious Package

Overview secure-env-loader is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/18 5:31 a.m.9 views

NULL Pointer Dereference

Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the UERadioCapabilityCheckResponse function in the dispatcher.go file. An attacker can cause a denial of service by sending specially crafted remote requests that trigger a null pointer dereference...

5.3CVSS5.8AI score0.00398EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 3:47 a.m.9 views

NULL Pointer Dereference

Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the file ngap/handler.go of the component NGAP Message Handler. This manipulation causes null pointer dereference. Remote exploitation of the attack is possible. The exploit has been made available to the...

5.3CVSS5.4AI score0.00303EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 3:47 a.m.9 views

NULL Pointer Dereference

Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the file ngap/handler.go of the component NGAP Message Handler. This manipulation causes null pointer dereference. Remote exploitation of the attack is possible. The exploit has been made available to the...

5.3CVSS5.4AI score0.00303EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 3:45 a.m.9 views

NULL Pointer Dereference

Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the function RANConfiguration of the file ngap/handler.go. The manipulation results in null pointer dereference. The attack may be launched remotely. The exploit has been released to the public and may be us...

5.3CVSS5.5AI score0.00303EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 1:32 a.m.9 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to the order of operations in the validateDownloadUrl implementation in download-blob.ts and download.ts. The fetch operation called before applying validateDownloadUrl follows redirects by default...

7.5CVSS7.2AI score0.00385EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/17 9:0 p.m.9 views

Malicious Package

Overview period-newline is a malicious package. This package contains malicious code designed to steal sensitive credentials and establish remote access. While these packages might attempt to impersonate legitimate organizations and popular open-source libraries, there is no connection between...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/17 9:0 p.m.9 views

Malicious Package

Overview redeem-onchain-sdk is a malicious package. This package contains malicious code designed to steal sensitive credentials and establish remote access. While these packages might attempt to impersonate legitimate organizations and popular open-source libraries, there is no connection betwee...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/17 1:36 p.m.9 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the importBinaryModel function in the JAR Handler component. An attacker can execute arbitrary code or manipulate application behavior by providing specially crafted JAR with embedded into a model...

9.8CVSS6AI score0.00409EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/16 12:0 a.m.9 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack via improper path resolution during extraction of OCI image layer tarballs. An attacker can write arbitrary files to locations outside the intended extraction root by crafting a layer with a symlink pointing to an absolut...

9.6CVSS5.9AI score0.00482EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/16 12:0 a.m.9 views

Improper Isolation or Compartmentalization

Overview boxlite is a Python bindings for Boxlite runtime Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the mounting of host directories in read-only mode into VM. An attacker can gain unauthorized write access to the host filesystem by remounti...

10CVSS5.8AI score0.00289EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/15 6:25 p.m.9 views

External Control of File Name or Path

Overview apm-cli is a MCP configuration tool Affected versions of this package are vulnerable to External Control of File Name or Path through the tar.extractall function in legacy-bundle probing on Windows systems running Python versions earlier than 3.12. An attacker can overwrite arbitrary fil...

7.4CVSS5.6AI score0.0061EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/15 6:17 p.m.9 views

Weak Authentication

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Weak Authentication in the uploadRecordedVideo.json.php process. An attacker can gain unauthorized access to any user account, including administrative accounts, b...

9.2CVSS5.8AI score0.00295EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/15 6:7 p.m.9 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the FileSystemTicketStore process. An attacker can read and unserialize files outside the intended directory, and conditionally delete files, by supplying crafted path traversal sequences in public CAS validation...

8.8CVSS6.3AI score0.00422EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/15 5:30 p.m.9 views

Improper Validation of Array Index

Overview Affected versions of this package are vulnerable to Improper Validation of Array Index through the CertVerifier.Verify function. An attacker can cause the process to panic and exit with a success code by providing a CMS/PKCS7 signed message containing an empty certificate set, which lead...

5.4CVSS5.8AI score0.00111EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/15 5:29 p.m.9 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the verify process. An attacker can cause trust confusion by submitting a commit object with duplicate tree headers, resulting in different interpretations between git-core and go-git,...

6CVSS5.8AI score0.00119EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/15 5:14 p.m.9 views

Cross-site Scripting (XSS)

Overview weblate is an A web-based continuous localization system with tight version control integration Affected versions of this package are vulnerable to Cross-site Scripting XSS in the search preview process. An attacker can execute arbitrary HTML or CSS in the authenticated editor interface ...

5.1CVSS5.8AI score0.00208EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/15 4:45 p.m.9 views

Cross-site Scripting (XSS)

Overview nukeviet/nukeviet is a the first opensource CMS in Vietnam. Affected versions of this package are vulnerable to Cross-site Scripting XSS via insufficient server-side input sanitization in the Request class. An attacker can execute arbitrary scripts in the context of another user's browse...

8.7CVSS5.8AI score0.00349EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/15 11:24 a.m.9 views

Malicious Package

Overview dowloadebokthetestamentofsolomonbykingsolomonfrederickcornwallisconybeare5201c is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/15 11:24 a.m.9 views

Malicious Package

Overview dowloadebokstalkingjacktheripperbykerrimaniscalcojamespattersonb529t is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/15 10:40 a.m.9 views

Malicious Package

Overview apple-internal-pki-trust-v5 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/15 10:40 a.m.9 views

Malicious Package

Overview apple-infra-network-v2 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/15 10:40 a.m.9 views

Malicious Package

Overview npm-global-util is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/15 10:40 a.m.9 views

Malicious Package

Overview apple-internal-auth-v3 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/15 10:40 a.m.9 views

Malicious Package

Overview apple-cktool-api-v2 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/15 6:17 a.m.9 views

Authentication Bypass by Primary Weakness

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the...

8.8CVSS7.8AI score0.01502EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 9:30 p.m.9 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via spoofed X-Crabbox-Owner and X-Crabbox-Org headers in requests authenticated with a shared token. An attacker can gain unauthorized access to owner or organization-scoped lease operations by injecting malicious...

8.8CVSS5.3AI score0.00361EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 9:25 p.m.9 views

Inadequate Encryption Strength

Overview Affected versions of this package are vulnerable to Inadequate Encryption Strength due to insufficient enforcement of length and entropy requirements for the JWTSECRET configuration value. An attacker can gain unauthorized access to user accounts by forging authentication tokens using we...

10CVSS5.8AI score0.00124EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 9:25 p.m.9 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the HEIF decoder due to a subimage metadata mismatch. An attacker can achieve memory corruption and potentially execute arbitrary code by supplying a specially crafted image file. Remediation Upgrade...

8.5CVSS6.2AI score0.00188EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 9:24 p.m.9 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation due to the reliance on client-supplied IP address headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP. An attacker can circumvent per-IP rate limiting by supplying arbitrary values in these headers, causing...

7.5CVSS5.7AI score0.00276EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 9:24 p.m.9 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation due to the reliance on client-supplied IP address headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP. An attacker can circumvent per-IP rate limiting by supplying arbitrary values in these headers, causing...

7.5CVSS5.7AI score0.00276EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 9:22 p.m.9 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the SwapRGBABytes process. An attacker can trigger out-of-bounds memory access by supplying a specially crafted kABGR DPX image with large dimensions, leading to potential reading from or writing to unintended...

8.8CVSS5.8AI score0.00371EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 9:21 p.m.9 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the QueryRGBBufferSizeInternal function when processing crafted DPX image files. An attacker can cause a heap-based out-of-bounds write by supplying a specially crafted DPX file that triggers an integer...

8.3CVSS6.3AI score0.0037EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 8:56 p.m.9 views

Command Injection

Overview utcp-cli is an UTCP communication protocol plugin for wrapping local command-line tools. Affected versions of this package are vulnerable to Command Injection via the substituteutcpargs function. An attacker can execute arbitrary shell commands by supplying crafted input to the toolargs...

9.8CVSS6AI score0.00272EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 8:29 p.m.9 views

Regular Expression Denial of Service (ReDoS)

Overview svelte is a package for building web applications. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS through the svelte:element tag validation process. An attacker can cause significant performance degradation by supplying specially crafted ta...

5.9CVSS5.8AI score0.00421EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 8:27 p.m.9 views

Authorization Bypass Through User-Controlled Key

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the GET /api/v1/notes/noteid endpoint due to missing authorization checks. An attacker can access and retrieve notes belonging to other users by manipulatin...

7.1CVSS5.8AI score0.00277EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 8:27 p.m.9 views

Server-side Request Forgery (SSRF)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through getcontentfromurl in retrieval/utils.py, SafeWebBaseLoader in web/base.py, and imageedits in routers/images.py. An attacker can cause the server to fetch internal...

8.5CVSS5.8AI score0.003EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 8:27 p.m.9 views

Server-side Request Forgery (SSRF)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the validateurl function in the URL parsing and request-routing path. An attacker can reach internal or loopback targets by supplying a URL containing a backslash, tab...

8.5CVSS5.8AI score0.00292EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 8:26 p.m.9 views

Missing Authentication for Critical Function

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the getstatus function. An attacker can access sensitive configuration details by sending an unauthenticated HTTP GET request to the affected endpoint...

6.9CVSS5.8AI score0.0072EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 8:25 p.m.9 views

Authorization Bypass Through User-Controlled Key

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the pinchannelmessage process. An attacker can modify the ispinned, pinnedby, and pinnedat fields of messages by sending API requests with only read-level...

5.3CVSS5.8AI score0.00204EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 8:23 p.m.9 views

Allocation of Resources Without Limits or Throttling

Overview devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the parse function. An attacker can cause...

8.7CVSS5.8AI score0.00393EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 8:19 p.m.9 views

Server-side Request Forgery (SSRF)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the OAuthManager profile picture fetch path in the OAuth handling code. An attacker can make the server send outbound requests to arbitrary URLs by supplying a malicio...

7.7CVSS5.9AI score0.00381EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 8:19 p.m.9 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the rendering of attributes using spread syntax from untrusted data, which includes event handler properties in the HTML output. An attacker...

7.7CVSS5.8AI score0.00168EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 8:18 p.m.9 views

Server-side Request Forgery (SSRF)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the validateurl function in the URL validation component. An attacker can bypass private-address checks by supplying a hostname that resolves to a private IPv6 address...

8.5CVSS5.8AI score0.00286EPSS
Exploits1References2
Total number of security vulnerabilities5000