Lucene search
K
SnykMost viewed

35355 matches found

Snyk
Snyk
•added 2026/04/29 12:39 p.m.•17 views

Malicious Package

Overview chai-str is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/04/29 12:27 p.m.•17 views

Malicious Package

Overview chai-as-inserted is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/04/25 11:49 p.m.•17 views

Server-side Request Forgery (SSRF)

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the browser profile creation process. An attacker can cause unauthorized requests to internal network resources by storing a profile with a cdpUrl...

5CVSS5.5AI score0.00246EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/25 4:18 p.m.•17 views

SQL Injection

Overview showdoc/showdoc is a tool for an IT team to share documents online. Affected versions of this package are vulnerable to SQL Injection via the pages argument in the API Page Sort Endpoint process. An attacker can execute arbitrary SQL commands by sending crafted requests to the affected...

6.5CVSS7AI score0.00241EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/22 8:23 p.m.•17 views

Uncontrolled Recursion

Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related operations, including...

8.7CVSS5.4AI score0.00643EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/17 9:47 p.m.•17 views

Improper Removal of Sensitive Information Before Storage or Transfer

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the sourceConfig and runtimeConfig alias fields, which were not properly redacted. An attacker can obtain sensitive...

7.1CVSS5.8AI score0.00333EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/17 9:0 p.m.•17 views

XML Injection

Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection due to unvalidated comment serialization. When an application uses the package to create an XML comment from...

8.7CVSS5.4AI score0.00365EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/16 10:48 p.m.•17 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the decidedByUserId field in approval-related endpoints. An attacker can forge decision attribution by supplying an arbitrary user identifier in the request body, causing the system to...

5.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
•added 2026/04/10 12:8 a.m.•17 views

Improper Validation of Integrity Check Value

Overview Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value via the PKCS7 CBC decryption process. An attacker can recover plaintext data by sending repeated decryption queries with modified ciphertext, exploiting improper validation of interior paddin...

6.3CVSS5.8AI score0.00111EPSS
Exploits0References2
Snyk
Snyk
•added 2026/04/07 2:11 p.m.•17 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing access-control validation in the AJAX endpoint used for downloading saved model artifacts. An attacker can gain unauthorized access to model artifacts by directly querying this endpoint without prope...

5.3CVSS5.9AI score0.00362EPSS
Exploits1References2
Snyk
Snyk
•added 2026/03/20 4:47 a.m.•17 views

Malicious Package

Overview cryptopapi is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/03/10 8:44 p.m.•17 views

Directory Traversal

Overview @appium/support is a Support libs used across Appium packages Affected versions of this package are vulnerable to Directory Traversal in the extractAllTo function. An attacker can write arbitrary files outside the intended extraction directory by supplying a crafted ZIP archive containin...

6.9CVSS6.3AI score0.00388EPSS
Exploits1References2
Snyk
Snyk
•added 2026/03/06 7:14 a.m.•17 views

Malicious Package

Overview tannucolingboys is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
•added 2026/03/03 8:3 p.m.•17 views

Incomplete List of Disallowed Inputs

Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the unsafeglobals function. An attacker can execute arbitrary code by crafting a malicious pickle that...

10CVSS6.4AI score
Exploits0References2
Snyk
Snyk
•added 2026/02/28 2:1 a.m.•17 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in which the non-blocking async JSON parser can be made to bypass the maxNumberLength constraint default: 1000 characters defined in StreamReadConstraints. An attacker can cause...

8.7CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/02/18 6:5 a.m.•17 views

Infinite loop

Overview jsrsasign is a free pure JavaScript cryptographic library. Affected versions of this package are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the...

8.7CVSS5.8AI score0.00554EPSS
Exploits1References2
Snyk
Snyk
•added 2026/01/28 4:33 p.m.•17 views

Malicious Package

Overview cml-tt-sets is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
•added 2025/12/10 9:30 p.m.•17 views

Missing Release of Memory after Effective Lifetime

Overview Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime due to improper cleanup of threads in multithreaded environments. An attacker can cause resource exhaustion and degrade application performance by repeatedly initiating requests in a...

6CVSS6.6AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
•added 2025/10/23 11:46 a.m.•17 views

Brute Force

Overview moodle/moodle is a learning platform. Affected versions of this package are vulnerable to Brute Force via the authentication endpoints for the mobile client and authwebservice. An attacker can repeatedly attempt to guess user credentials by sending multiple authentication requests withou...

8.7CVSS6.9AI score0.00385EPSS
Exploits0References2
Snyk
Snyk
•added 2026/07/03 8:18 a.m.•16 views

Insertion of Sensitive Information Into Sent Data

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data due to the improper clearing of the CURLOPTREFERER option. An attacker can cause sensitive information to be disclosed by forcing the reuse and transmission of a previous referer header ...

7.5CVSS5.9AI score0.00652EPSS
Exploits1References2
Snyk
Snyk
•added 2026/06/29 4:53 p.m.•16 views

Malicious Package

Overview @fed-sofia/jetify is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/06/27 12:13 a.m.•16 views

Directory Traversal

Overview pnpm is a Fast, disk space efficient package manager Affected versions of this package are vulnerable to Directory Traversal via the configDependencies process. An attacker can create symlinks outside the intended directory by supplying crafted package names with traversal components in...

8.2CVSS6.5AI score0.00257EPSS
Exploits1References2
Snyk
Snyk
•added 2026/06/24 9:0 p.m.•16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code linked to a variant of the "Miasma" supply chain attack targeting the LeoPlatform npm ecosystem. A malicious actor compromised a legitimate maintainer account and used it to publish infected versions of this...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
•added 2026/06/24 1:7 a.m.•16 views

Prototype Pollution

Overview style-dictionary is a Style once, use everywhere. A build system for creating cross-platform styles. Affected versions of this package are vulnerable to Prototype Pollution via the convertTokenData function. An attacker can modify the prototype of built-in objects by supplying crafted...

8.8CVSS6.3AI score0.00132EPSS
Exploits0References2
Snyk
Snyk
•added 2026/06/23 11:6 p.m.•16 views

Improper Authorization

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Improper Authorization in the file deletion process. An attacker can remove files attached to any asset, regardless of ownership or company assignment, by leveraging generic...

5.4CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/06/15 8:9 p.m.•16 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the C HTTP parser when the maxlinesize check is bypassed for fragmented lines. An attacker can cause excessive memory consumption by sending oversized HTTP request lines, potential...

8.7CVSS5.3AI score0.00322EPSS
Exploits0References2
Snyk
Snyk
•added 2026/06/15 4:44 p.m.•16 views

Use of Cache Containing Sensitive Information

Overview @angular/service-worker is an Angular - service worker tooling! Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information in the request reconstruction. An attacker can access sensitive session-restricted data or expose credentials by exploiting...

6.1CVSS5.9AI score0.00165EPSS
Exploits0References3
Snyk
Snyk
•added 2026/06/11 3:20 p.m.•16 views

Directory Traversal

Overview keras is a Keras is a high-level neural networks API for Python.. Affected versions of this package are vulnerable to Directory Traversal via the filtersafetarinfos and filtersafezipinfos functions in the archive extraction utilities. An attacker can write arbitrary files outside the...

8.6CVSS6.2AI score0.00518EPSS
Exploits1References2
Snyk
Snyk
•added 2026/06/10 11:10 p.m.•16 views

Infinite loop

Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.5CVSS5.4AI score0.00092EPSS
Exploits0References2
Snyk
Snyk
•added 2026/06/05 8:7 p.m.•16 views

Malicious Package

Overview moustick is a malicious package. This package contains malicious code that fetches and eval a remote payload from attacker-controlled URL https://www.jsonkeeper.com/b/MYUKZ on require in moustick/index.js. The payload is designed to extract RELAYERPRIVATEKEY and JWTSECRET from the victim...

9.8CVSS5.6AI score
Exploits0References2
Snyk
Snyk
•added 2026/06/02 9:0 p.m.•16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
Snyk
Snyk
•added 2026/06/02 9:0 p.m.•16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...

9.8CVSS5.6AI score
Exploits0References2
Snyk
Snyk
•added 2026/06/01 9:0 p.m.•16 views

Malicious Package

Overview captainindia is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/06/01 9:0 p.m.•16 views

Malicious Package

Overview nottuff4 is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate advertising...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/06/01 9:0 p.m.•16 views

Malicious Package

Overview abuden223 is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate advertisin...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/06/01 9:0 p.m.•16 views

Malicious Package

Overview nottuff28 is a malicious package. This package is part of a malicious npm campaign that abused the registry to distribute ad-supported web proxy applications disguised as educational websites. The package contains web assets intended to bypass network restrictions and generate advertisin...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/05/29 11:52 p.m.•16 views

Malicious Package

Overview @t-in-one/onlydifferencepayload is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and th...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/05/29 10:54 p.m.•16 views

Malicious Package

Overview @cloudplatform-single-spa/svp-baas is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/05/29 10:54 p.m.•16 views

Malicious Package

Overview @cloudplatform-single-spa/svp-s3-storage is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organizati...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/05/29 10:3 p.m.•16 views

Malicious Package

Overview tailwindcss-basic-animation is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/05/29 5:22 p.m.•16 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization through the registerPairCommand and resolvePairingCommandAuthState paths in the device-pair command handler. An attacker can generate pairing setup codes, inspect...

8.7CVSS5.8AI score0.0023EPSS
Exploits0References2
Snyk
Snyk
•added 2026/05/29 12:52 p.m.•16 views

Malicious Package

Overview buffer-util-extend is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/05/28 1:39 p.m.•16 views

Malicious Package

Overview @polka-ui/recoc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/05/27 11:20 p.m.•16 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the check field in metadata files due to unsafe execution using /bin/bash -c. An attacker can craft malicious metadata that executes arbitrary shell commands on the victim’s system when common uniget operations suc...

8.6CVSS6AI score0.00715EPSS
Exploits0References2
Snyk
Snyk
•added 2026/05/27 5:33 p.m.•16 views

Allocation of Resources Without Limits or Throttling

Overview liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the date filter in filters/date.ts and the strftime formatter in...

8.7CVSS5.9AI score0.00385EPSS
Exploits0References2
Snyk
Snyk
•added 2026/05/27 1:25 p.m.•16 views

Malicious Package

Overview verify-mycommand is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/05/27 12:47 a.m.•16 views

HTTP Request Smuggling

Overview starlette is a The little ASGI library that shines. Affected versions of this package are vulnerable to HTTP Request Smuggling via the request.url reconstruction process. An attacker can bypass path-based security checks by supplying a malformed Host header that causes request.url.path t...

6.9CVSS5.5AI score0.01438EPSS
Exploits2References2
Snyk
Snyk
•added 2026/05/26 12:4 p.m.•16 views

Malicious Package

Overview fastjsonlog is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/05/25 8:20 a.m.•16 views

Malicious Package

Overview explorhub-mcp-server is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
•added 2026/05/25 8:11 a.m.•16 views

Malicious Package

Overview mobile-international is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Total number of security vulnerabilities5000