Lucene search
K
SnykMost viewed

35255 matches found

Snyk
Snyk
added 2026/05/07 9:30 p.m.9 views

Improper Use of Validation Framework

Overview Affected versions of this package are vulnerable to Improper Use of Validation Framework in the parseAndValidateClientRedirect process. An attacker can obtain OAuth exchange codes intended for other users by crafting a redirecturi that matches an allowed scheme and host but specifies a...

8CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/05/07 9:16 p.m.9 views

Exposure of Private Personal Information to an Unauthorized Actor

Overview Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor via the Email field in the Comment model exposed through unauthenticated public API endpoints. An attacker can obtain the email addresses of all guest commenters by makin...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/07 8:26 p.m.9 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow via the SWnentries function in the file SWapi.c. An attacker can achieve arbitrary code execution or cause a denial of service by providing a specially crafted HDF-EOS file with DimensionName argument that...

7.8CVSS6.7AI score0.00237EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 7:21 p.m.9 views

Improper Encoding or Escaping of Output

Overview std/html/template is a Go standard library package std/html/template Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. Go Vulnerability Report: If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type'...

6.1CVSS5.9AI score0.00371EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/07 7:21 p.m.9 views

Information Exposure

Overview std/net/http/httputil is a Go standard library package std/net/http/httputil Affected versions of this package are vulnerable to Information Exposure. Go Vulnerability Report: ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrit...

6.9CVSS5.8AI score0.0039EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/07 7:21 p.m.9 views

Uncaught Exception

Overview std/net is a Go standard library package std/net Affected versions of this package are vulnerable to Uncaught Exception. Go Vulnerability Report: The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL 0. Remediation Upgrade std/net to version...

8.7CVSS5.8AI score0.00588EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/07 7:21 p.m.9 views

Resources Downloaded over Insecure Protocol

Overview Affected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol. Go Vulnerability Report: A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any...

7.5CVSS5.8AI score0.00231EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/07 5:35 p.m.9 views

Cross-site Scripting (XSS)

Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized input in th...

6.1CVSS5.8AI score0.0021EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 4:39 p.m.9 views

Symlink Attack

Overview bentoml is a BentoML: Build Production-Grade AI Applications Affected versions of this package are vulnerable to Symlink Attack via the build packaging workflow. An attacker can access sensitive files from the build host by introducing crafted symlinks in the build context, which are...

6.7CVSS5.8AI score0.00284EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 6:41 a.m.9 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview mathjs is a math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with diff. Affected versions of this package are...

8.8CVSS7.6AI score0.00577EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 5:55 a.m.9 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the readVariableLengthInteger function. An attacker can trigger undefined behavior and potentially execute arbitrary code by providing specially crafted EXR input that causes excessive left shifts...

9.8CVSS6.2AI score0.00393EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 5:14 a.m.9 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of size limits applied to the Properties section during the decoding process. An attacker can cause excessive CPU and memory consumption by sending MQTT messages with...

7.5CVSS5.8AI score0.00455EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 4:33 a.m.9 views

Symlink Attack

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Symlink Attack via the isPathAllowed path check in lib/resolver-compat.js. An attacker can execute code outside the configured require.root by placin...

8.5CVSS6.5AI score0.00722EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:8 a.m.9 views

Arbitrary Code Injection

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through lib/builtin.js. An attacker can execute host code when the allowlist includes -X or uses and then...

9.9CVSS6.1AI score0.00974EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:7 a.m.9 views

Arbitrary Code Injection

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the BaseHandler write traps in lib/bridge.js. An attacker can mutate host Object.prototype,...

10CVSS6AI score0.00842EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 3:34 a.m.9 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the RSL policy validation. An attacker can revert the system to a previous trusted state by creating a new Reference State Log entry that references an older policy, provided it i...

6CVSS5.8AI score0.00198EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 2:57 a.m.9 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in JWT validation middleware. An attacker can maintain unauthorized access to user accounts by reusing previously issued JSON Web Tokens even after a password change, as the tokens are not invalidated or...

6.3CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/07 2:34 a.m.9 views

Missing Origin Validation in WebSockets

Overview Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via inadequate validation of the Origin header during WebSocket connection upgrades. An attacker can gain unauthorized access to sensitive log data by convincing an authenticated user to visit a...

6.9CVSS5.8AI score0.0017EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 1:23 a.m.9 views

Directory Traversal

Overview github.com/rancher/rancher/pkg/nodeconfig is a complete container management platform Affected versions of this package are vulnerable to Directory Traversal via the compressedEndpoint field in a UIPlugin deployment. An attacker can overwrite binaries or configuration files, tamper with...

9.3CVSS6.3AI score0.00368EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 1:15 a.m.9 views

Server-side Request Forgery (SSRF)

Overview github.com/gotenberg/gotenberg/v7/pkg/modules/chromium is a Docker-powered stateless API for PDF files. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the downloadFrom and webhook processes. An attacker can access internal network resources and...

9.4CVSS5.8AI score0.00352EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 12:55 a.m.9 views

Incomplete List of Disallowed Inputs

Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the metadata process. An attacker can rename, move, or create links to files within the container by submitting specially crafted metadata values that bypass the intended blocklist. This may also...

8.8CVSS5.8AI score0.0029EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 12:24 a.m.9 views

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection in the RedisEncoder component. An attacker can inject arbitrary Redis commands or forge responses by supplying input containing CRLF sequences, which are not properly sanitized before being written to the network output...

8.5CVSS5.9AI score0.00198EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 12:6 a.m.9 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the SNS HTTP/HTTPS notification endpoints due to missing signature verification. An attacker can cause the application to process arbitrary payloads as legitimate notifications, auto-confi...

6.3CVSS5.9AI score0.00179EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 11:49 p.m.9 views

HTML Injection

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to HTML Injection via the jsx element tag. An attacker can inject unintended HTML elements or attributes, corrupt the HTML structure, or execute scripts by supplying malicious tag names as...

6.1CVSS5.9AI score0.0014EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 11:16 p.m.9 views

Improper Verification of Cryptographic Signature

Overview @axonflow/sdk is an AxonFlow SDK - Add invisible AI governance to your applications in 3 lines of code Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the lack of exposure of the HMAC-SHA256 signing key in the SDK's typed API,...

8.2CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/05/06 9:59 p.m.9 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the GET /api/v1/stable/dags/tasks endpoint via improper tenant checks in the listTasksByDAGIds function. An attacker can access sensitive task metadata belonging to other tenants by...

6.5CVSS5.8AI score0.00181EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 9:56 p.m.9 views

Allocation of Resources Without Limits or Throttling

Overview python-multipart is an A streaming multipart parser for Python Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when parsing multipart headers in MultipartParser, which can hang without failing in the following states:...

8.7CVSS5.8AI score0.00549EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 9:21 p.m.9 views

Directory Traversal

Overview org.openmrs.web:openmrs-web is a patient-based medical record system focusing on giving providers a free customizable electronic medical record system EMR. Affected versions of this package are vulnerable to Directory Traversal via the WebModuleUtil.startModule function in POST...

9.4CVSS6.4AI score0.00853EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/06 8:54 p.m.9 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the forgot password process. An attacker can determine whether an email address is registered by submitting requests and analyzing the responses. Remediation Upgrade statamic/cms to version 5.73.21, 6.15.0 or...

6.9CVSS5.8AI score0.00206EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:53 p.m.9 views

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop in the SnappyStreamDecompressor class, when decompressing malformed framed-format input. An attacker can cause the application to exhaust system resources by providing malicious stream data as small as 15 bytes PoC using...

8.7CVSS5.8AI score0.00263EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:40 p.m.9 views

Directory Traversal

Overview magic-wormhole is a Securely transfer data between computers Affected versions of this package are vulnerable to Directory Traversal via the receive process when the --output parameter is set to an existing directory. An attacker can overwrite files outside the intended directory by...

5.1CVSS6.3AI score0.00197EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:37 p.m.9 views

Incorrect Authorization

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Incorrect Authorization in the admin-api routes due to insufficient authorization checks. An attacker can access backend operational information by...

5.3CVSS5.8AI score0.00168EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:16 p.m.9 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the SUSE Virtualization Harvester Rancher integration mechanism. An attacker can intercept sensitive information and cause a crash of the registration controller by exploiting insecure TLS certificate...

8.8CVSS5.8AI score0.00208EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:16 p.m.9 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the SUSE Virtualization Harvester Rancher integration mechanism. An attacker can intercept sensitive information and cause a crash of the registration controller by exploiting insecure TLS certificate...

8.8CVSS5.8AI score0.00208EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:11 p.m.9 views

Incorrect Authorization

Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Incorrect Authorization in the userHasPermission process. An attacker can gain unauthorized access to sensitive administrative data by sending requests ...

7.1CVSS5.8AI score0.00303EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 7:48 p.m.9 views

CSV Injection

Overview Affected versions of this package are vulnerable to CSV Injection via the export function. An attacker can execute arbitrary spreadsheet formulas in the context of an administrator's local machine by injecting formula payloads into profile fields, which are then exported and opened in...

8.2CVSS6.4AI score
Exploits0References2
Snyk
Snyk
added 2026/05/06 6:13 p.m.9 views

Incomplete Filtering of Special Elements

Overview dssrf is a SSRF defense library for Node.js with safe URL validation utilities. Affected versions of this package are vulnerable to Incomplete Filtering of Special Elements via the isurlsafe function. An attacker can access internal network resources by supplying specially crafted IPv6...

8.7CVSS5.8AI score0.00349EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 5:54 p.m.9 views

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the actionShowInFolder process. An attacker can access sensitive asset filenames and complete folder structures, including volume handles and URIs, by supplying...

7.1CVSS5.9AI score0.00324EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 5:49 p.m.9 views

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the Address GraphQL resolver, which does not enforce schema scope filtering on top-level queries. An attacker can access sensitive address information belonging to...

7.1CVSS5.8AI score0.00338EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 5:34 p.m.9 views

Prototype Pollution

Overview icu-minify is an ICU message format compiler with a 1KB runtime bundle footprint Affected versions of this package are vulnerable to Prototype Pollution in the setNestedProperty function when processing translation catalog keys containing reserved properties such as proto, constructor, o...

6.6CVSS6.3AI score
Exploits0References2
Snyk
Snyk
added 2026/05/06 6:4 a.m.9 views

Improper Validation of Specified Quantity in Input

Overview exifreader is a Library that parses Exif metadata in images. Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input. A crafted image containing an ICC mluc tag can set an attacker-controlled record count together with a zero record size...

8.7CVSS5.8AI score0.00528EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 4:12 a.m.9 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the GetUserRoles API endpoint. An attacker can access ACL policies for any user across all organizations by supplying specific Name and Org parameters in a network request. Remediatio...

7.7CVSS5.8AI score0.00255EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 4:12 a.m.9 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the GetUserRoles API endpoint. An attacker can access ACL policies for any user across all organizations by supplying specific Name and Org parameters in a network request. Remediatio...

7.7CVSS5.8AI score0.00255EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 9:36 p.m.9 views

Cross-site Scripting (XSS)

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the admin/pages/ endpoint due to insufficient sanitization of user-supplied input in the detectXss function. An...

8.9CVSS6.3AI score0.003EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/05 9:21 p.m.9 views

Arbitrary Code Injection

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Arbitrary Code Injection in the directInstall process. An attacker can execute arbitrary code on the server by uploading a specially crafted Z...

9.1CVSS6.3AI score0.03934EPSS
Exploits4References2
Snyk
Snyk
added 2026/05/05 9:16 p.m.9 views

External Control of File Name or Path

Overview changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to External Control of File Name or Path through the backup restoration. An attacker can access arbitrary local files by supplying a crafted backup archive containing ...

8.7CVSS5.9AI score0.00354EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/05 9:12 p.m.9 views

Inefficient Algorithmic Complexity

Overview Twisted is an event-based network programming and multi-protocol integration framework. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the decode function in the DNS name decompression process. An attacker can cause the server to hang and...

8.7CVSS5.8AI score0.00433EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/05 8:51 p.m.9 views

Server-side Request Forgery (SSRF)

Overview open-websearch is a web search the internet Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchWebContent process. An attacker can access internal network resources and retrieve sensitive information by supplying specially crafted URLs that...

8.8CVSS5.8AI score0.00215EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/05 8:32 p.m.9 views

Improper Enforcement of Behavioral Workflow

Overview YAFNET.Core is an Open Source Forum solution! The YAF.NET project is an international collaboration of like-minded, skilled, and creative individuals who are striving to make YAF.NET the most robust and malleable forum solutions available. Affected versions of this package are vulnerable...

9.9CVSS5.8AI score0.00488EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 7:15 p.m.9 views

Cross-site Scripting (XSS)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS in the plugin/Meet/iframe.php process when unescaped user and pass parameters are reflected into a JavaScript string literal. An attacker...

6.1CVSS5.8AI score0.00225EPSS
Exploits0References2
Total number of security vulnerabilities5000