Lucene search
K
SnykMost viewed

35355 matches found

Snyk
Snyk
added 2026/05/14 8:18 p.m.9 views

Server-side Request Forgery (SSRF)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the validateurl function in the URL validation component. An attacker can bypass private-address checks by supplying a hostname that resolves to a private IPv6 address...

8.5CVSS5.8AI score0.00286EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 8:18 p.m.9 views

Cross-site Request Forgery (CSRF)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the getuserprofileimagebyid and getmodelprofileimage handlers in the profile image endpoints. An attacker can supply an external https profile image URL, causing the...

5.1CVSS5.8AI score0.00165EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 8:18 p.m.9 views

Incorrect Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Incorrect Authorization via the pinnotebyid process. An attacker can modify the ispinned status of a shared note without proper authorization by sending a POST request to the relevant endpoint while only havi...

5.1CVSS5.8AI score0.00218EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 7:4 p.m.9 views

Cross-site Scripting (XSS)

Overview ethyca-fides is an Open-source ecosystem for data privacy as code. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the fides.js script's override mechanism for the banner description field when HTML-formatted descriptions are enabled. An attacker can...

8.7CVSS5.9AI score0.00297EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 6:27 p.m.9 views

Improper Encoding or Escaping of Output

Overview launder is an A sanitize module for the people. Built for ApostropheCMS. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the linkHref field handling. An attacker can execute arbitrary JavaScript by supplying a javascript: URL in an image...

7.3CVSS6.1AI score0.00211EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/14 6:25 p.m.9 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal due to insufficient path sanitization in the osfs.ChrootOS component. An attacker can gain unauthorized access to unintended filesystem locations by supplying crafted paths containing directory traversal sequences...

8.6CVSS6.3AI score0.0031EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 6:25 p.m.9 views

Insertion of Sensitive Information Into Sent Data

Overview dbt-mcp is an A MCP Model Context Protocol server for interacting with dbt resources. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the emittoolcalledevent process, which serializes and transmits all tool arguments, including...

3.1CVSS5.8AI score0.00042EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 6:24 p.m.9 views

Insertion of Sensitive Information into Log File

Overview dbt-mcp is an A MCP Model Context Protocol server for interacting with dbt resources. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the calltool process when file logging is enabled via the DBTMCPSERVERFILELOGGING setting. An...

2.5CVSS5.9AI score0.00012EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 6:24 p.m.9 views

Arbitrary Argument Injection

Overview dbt-mcp is an A MCP Model Context Protocol server for interacting with dbt resources. Affected versions of this package are vulnerable to Arbitrary Argument Injection via the nodeselection or resourcetype parameters in the rundbtcommand process. An attacker can override configuration fil...

7.2CVSS6AI score0.00018EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 5:16 p.m.9 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the chromium/convert/url endpoint due to insufficient validation of redirect destinations against the deny-list. An attacker can access internal network resources and sensitive endpoints by supplying ...

8.7CVSS5.8AI score0.00313EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 4:24 p.m.9 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the kubeClientMiddleware process. An attacker can gain unauthorized access to Kubernetes resources by sending requests with a valid session but insufficient permissions, which are incorrectly forwarded to the...

8.1CVSS5.8AI score0.00335EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 4:17 p.m.9 views

Arbitrary Argument Injection

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Arbitrary Argument Injection in a push operation. A user with permission to create or modify workflows can read arbitrary files on the server by injecting CLI flags during workflow creation or...

8.3CVSS6.1AI score0.00632EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 4:16 p.m.9 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the logs and stats API actions in the RoutineViewSet process. An attacker can access another user's private workout session notes, exercise history, and training statistics by enumerating public template routin...

8.7CVSS5.8AI score0.00051EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 3:49 p.m.9 views

Malicious Package

Overview mrgn-common is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/14 3:49 p.m.9 views

Malicious Package

Overview viem-helpers is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/14 3:49 p.m.9 views

Malicious Package

Overview mrgn-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/14 3:49 p.m.9 views

Malicious Package

Overview web3-utils-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/14 3:48 p.m.9 views

Malicious Package

Overview foundry-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/14 3:23 p.m.9 views

Use of Externally-Controlled Format String

Overview Affected versions of this package are vulnerable to Use of Externally-Controlled Format String in the timeofday function when processing crafted timezone zones. An attacker can access portions of server memory by supplying specially crafted input to the timeofday function. Remediation...

5.3CVSS5.8AI score0.00208EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 3:23 p.m.9 views

UNIX Symbolic Link (Symlink) Following

Overview Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following via the pgbasebackup or pgrewind process. An attacker can overwrite arbitrary files on the local system by leveraging symlink following, potentially hijacking the operating system account. This is on...

8.8CVSS7.5AI score0.00324EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 3:23 p.m.9 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the CREATE TYPE process. An attacker can execute arbitrary SQL functions of their choice by hijacking queries that use searchpath to locate user-defined types, including those defined by extensions. Remediation...

5.4CVSS6.3AI score0.00159EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 3:22 p.m.9 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the pgcreatesubscriber process. An attacker can execute arbitrary SQL commands with superuser privileges by supplying a crafted subscription name. Remediation A fix was pushed into the master branch but not yet...

7.2CVSS6.1AI score0.00287EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 2:57 p.m.9 views

Arbitrary Code Injection

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Arbitrary Code Injection via the node-custom-function endpoint when user-supplied JavaScript is executed in a NodeVM sandbox without sufficient route-level authorization. A user can execute commands on the...

9.9CVSS6AI score0.0082EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/14 1:18 p.m.9 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the escapeandappend function in the document-builder API when processing very large input strings on platforms with limited sizet width. An attacker can cause out-of-bounds memory reads, potentially...

6.9CVSS5.8AI score0.00279EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 1:16 p.m.9 views

Uncontrolled Recursion

Overview org.apache.commons:commons-configuration2 is a group of tools to assist in the reading of configuration/preferences files in various formats. Affected versions of this package are vulnerable to Uncontrolled Recursion when processing untrusted YAML configuration files containing cyclic...

7.5CVSS5.8AI score0.00487EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/14 1:12 p.m.9 views

Arbitrary File Upload

Overview @strapi/upload is a Makes it easy to upload images and files to your Strapi Application. Affected versions of this package are vulnerable to Arbitrary File Upload via the Content API uploadFiles and replaceFile handlers, which bypass administrator-configured MIME type restrictions. An...

5.4CVSS5.9AI score0.00195EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/13 3:57 p.m.9 views

Malicious Package

Overview github.com/BufferZoneCorp/log-core is a malicious package. This package contains malicious code designed to compromise developer systems and CI environments, specifically targeting GitHub Actions. The threat actor, operating under the GitHub account BufferZoneCorp, published a cluster of...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/05/13 3:57 p.m.9 views

Malicious Package

Overview github.com/BufferZoneCorp/net-helper is a malicious package. This package contains malicious code designed to compromise developer systems and CI environments, specifically targeting GitHub Actions. The threat actor, operating under the GitHub account BufferZoneCorp, published a cluster ...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/05/13 3:57 p.m.9 views

Malicious Package

Overview github.com/BufferZoneCorp/go-retryablehttp is a malicious package. This package contains malicious code designed to compromise developer systems and CI environments, specifically targeting GitHub Actions. The threat actor, operating under the GitHub account BufferZoneCorp, published a...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/05/13 3:30 p.m.9 views

Server-side Request Forgery (SSRF)

Overview nautobot is a Source of truth and network automation platform. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Webhook process. An attacker can access internal or restricted network resources by configuring webhooks to send requests to...

8.5CVSS5.8AI score0.00235EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/13 3:30 p.m.9 views

Missing Authorization

Overview nautobot is a Source of truth and network automation platform. Affected versions of this package are vulnerable to Missing Authorization in the GenericForeignKey process. An attacker can associate objects with unauthorized resources by supplying the UUIDs of objects they do not have...

5.4CVSS5.8AI score0.00177EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 9:20 p.m.9 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack via the exec2 process. An attacker can access or modify arbitrary files on the client host by exploiting symbolic link handling. Remediation Upgrade github.com/hashicorp/nomad-driver-exec2/pkg/shim to version 0.1.2 or...

6.7CVSS5.9AI score0.00129EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 9:20 p.m.9 views

Incorrect Authorization

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Incorrect Authorization via the authorization process. An attacker can gain unauthorized write access by bypassing security measures. Remediation Upgrade...

8.7CVSS5.8AI score0.00411EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 9:20 p.m.9 views

Denial of Service (DoS)

Overview magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Denial of Service DoS through the handling of resource requests. An attacker can cause the application to become unresponsive by sending specially crafted requests that...

8.7CVSS5.8AI score0.15933EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 9:0 p.m.9 views

Prototype Pollution

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Prototype Pollution via the pagination parameter in the HTTP Request node. An attacker can execute arbitrary code on the instance by achieving global prototype pollution and chaining this with other...

9.9CVSS6.6AI score0.00632EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/12 7:22 p.m.9 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to improper validation of user-supplied input in the authentication process. An attacker can gain elevated privileges by providing crafted input during local interaction. Remediation Upgrade...

8.3CVSS5.8AI score0.00662EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 6:30 p.m.9 views

Deserialization of Untrusted Data

Overview ludwig is a Declarative machine learning: End-to-end machine learning pipelines using data-driven configurations. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the predict method. An attacker can execute arbitrary code by supplying a maliciousl...

9.8CVSS6.1AI score0.006EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 5:22 p.m.9 views

Allocation of Resources Without Limits or Throttling

Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the WebDAV LOCK and PROPFIND XML request bodies. An attacker can cause...

8.7CVSS5.8AI score0.0078EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 5:22 p.m.9 views

Improper Authentication

Overview org.apache.tomcat:catalina is a Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Authentication when DIGEST authentication is configured. An attacker can gain unauthorized access by providing any unknown username, as t...

9.8CVSS5.8AI score0.01233EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/12 5:22 p.m.9 views

Timing Attack

Overview org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can perform a timing side-channel attack to determine whether a guessed secret ...

6.3CVSS5.8AI score0.00352EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 5:21 p.m.9 views

Improper Handling of Case Sensitivity

Overview org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the LockOutRealm function. An attacker can bypass account lockout protections by submitting usernames with different...

7.5CVSS5.8AI score0.00467EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:23 p.m.9 views

Stack-based Buffer Overflow

Overview Magick.NET-Q8-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.7CVSS5.8AI score0.0013EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:23 p.m.9 views

Stack-based Buffer Overflow

Overview Magick.NET-Q8-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package ar...

6.7CVSS5.8AI score0.0013EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:23 p.m.9 views

Stack-based Buffer Overflow

Overview Magick.NET-Q16-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.7CVSS5.8AI score0.0013EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:6 p.m.9 views

Arbitrary Code Injection

Overview protobufjs is a protocol buffer for JavaScript & TypeScript. Affected versions of this package are vulnerable to Arbitrary Code Injection via the pbjs static code generation. An attacker can execute arbitrary code by providing crafted schema names that are incorporated into generated...

8.8CVSS6.3AI score0.00395EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:6 p.m.9 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the pbjs static code generation. An attacker can execute arbitrary code by providing crafted schema names that are incorporated into generated JavaScript output, which is then executed or imported by the...

8.8CVSS6.2AI score0.00395EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:6 p.m.9 views

Arbitrary Code Injection

Overview protobufjs-cli is a Translates between file formats and generates static code as well as TypeScript definitions. Affected versions of this package are vulnerable to Arbitrary Code Injection via the pbjs static code generation. An attacker can execute arbitrary code by providing crafted...

8.8CVSS6.2AI score0.00395EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:1 p.m.9 views

Prototype Pollution

Overview protobufjs is a protocol buffer for JavaScript & TypeScript. Affected versions of this package are vulnerable to Prototype Pollution in the process of copying enumerable properties from a user-supplied object to a generated message instance without filtering the proto property. An attack...

6.3CVSS6.5AI score0.00264EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:1 p.m.9 views

Prototype Pollution

Overview protobufjs is a protocol buffer for JavaScript & TypeScript. Affected versions of this package are vulnerable to Prototype Pollution via schema option path handling. An attacker can perform prototype pollution by supplying a crafted protobuf schema or JSON descriptor whose option paths...

7.5CVSS6.4AI score0.00374EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/12 3:0 p.m.9 views

Improper Handling of Unicode Encoding

Overview protobufjs is a protocol buffer for JavaScript & TypeScript. Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding in the decoding of overlong UTF-8 strings. An attacker can bypass application-level byte filtering or validation by sending malicious...

6.9CVSS5.9AI score0.00301EPSS
Exploits0References2
Total number of security vulnerabilities5000