Lucene search
K
SnykMost viewed

35340 matches found

Snyk
Snyk
added 2026/05/05 1:35 p.m.9 views

Allocation of Resources Without Limits or Throttling

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the voice-call realtime WebSocket path when oversized WebSocket frames are accepted without proper validation. An attacker can cau...

8.2CVSS5.8AI score0.00417EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 9:26 a.m.9 views

Origin Validation Error

Overview org.webjars.npm:thrift is a lightweight, language-independent software stack with an associated code generation mechanism for point-to-point RPC. Affected versions of this package are vulnerable to Origin Validation Error in the webserver.js component. An attacker can access unauthorized...

8.6CVSS5.9AI score0.00394EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 12:18 a.m.9 views

Prototype Pollution

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Prototype Pollution when the Object.prototype has been polluted via a different exploit. The following properties in the HTTP adapter configuration may be...

9.1CVSS6.3AI score0.00715EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/04 11:24 p.m.9 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the TLS handshake process. An attacker can cause worker connection handling to block by opening a connection to the authentication listener and delaying or withholding the client...

7.5CVSS5.8AI score0.002EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 10:8 p.m.9 views

Server-side Request Forgery (SSRF)

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the setconfigvalue function. An attacker can intercept all outbound HTTP traffic, steal credentials, and inject...

8.7CVSS6AI score0.00396EPSS
Exploits1References4
Snyk
Snyk
added 2026/05/04 10:7 p.m.9 views

Incorrect Authorization

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Incorrect Authorization in the setconfigvalue process. An attacker can disable outbound TLS peer verification by setting the sslverify configuration to 'off...

7.6CVSS5.7AI score0.00174EPSS
Exploits1References4
Snyk
Snyk
added 2026/05/04 9:28 p.m.9 views

Missing Authentication for Critical Function

Overview github.com/0xJacky/Nginx-UI/api/system is a yet another Nginx Web UI Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the api/install endpoint during the initial setup process. An attacker can gain unauthorized administrative access by...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/04 9:19 p.m.9 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the cleanUpString function. An attacker can execute arbitrary code, disclose internal API keys, or disrupt service operation by supplying crafted input to the remote relay password field, which is processed...

8.8CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 2026/05/04 9:15 p.m.9 views

Expression Language Injection

Overview Affected versions of this package are vulnerable to Expression Language Injection when dynamically loading classes, which allows server-side template injection that crosses the intended sandbox boundary. An attacker can execute unauthorized expressions with the privileges of the server b...

9.1CVSS5.9AI score0.00427EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/04 8:57 p.m.9 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition through a race condition in the write process. An attacker can cause unauthorized file writes outside the intended sandbox mount root by...

9.6CVSS5.8AI score0.02442EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 8:20 p.m.9 views

Out-of-bounds Write

Overview Affected versions of this package are vulnerable to Out-of-bounds Write in the setimage functions in encode.c and decode.c, which are exploitable via Image.open. An attacker can execute arbitrary code by supplying a malicious PSD image file with tile dimensions that trigger integer...

8.6CVSS7.2AI score0.00367EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/04 8:11 p.m.9 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the JoinWorkflowSpec process. An attacker can gain unauthorized access to host networking, override service account assignments, modify pod security contexts, add tolerations, or enable service account token...

8.6CVSS5.5AI score0.00424EPSS
Exploits2References2
Snyk
Snyk
added 2026/05/04 8:11 p.m.9 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the JoinWorkflowSpec process. An attacker can gain unauthorized access to host networking, override service account assignments, modify pod security contexts, add tolerations, or enable service account token...

8.6CVSS5.8AI score0.00424EPSS
Exploits2References2
Snyk
Snyk
added 2026/05/04 7:58 p.m.9 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the process for managing user avatars due to insufficient authorization checks. An attacker can gain unauthorized access to create, replace, or delete user avatars by leveraging file permissions without the...

5.3CVSS5.8AI score0.00237EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 7:50 p.m.9 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the authorization process. An attacker can gain unauthorized access to sensitive site, user, and role information by sending authenticated requests as a Panel user. This is only exploitable if the site is...

7.1CVSS5.8AI score0.00231EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 7:46 p.m.9 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the io.Copy process that handles binary import requests. An attacker can exhaust disk space on the host system by continuously streaming large amounts of data to the affected...

5.3CVSS5.8AI score0.00333EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/04 7:29 p.m.9 views

Missing Authentication for Critical Function

Overview arelle-release is an An open source XBRL platform. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the plugins parameter in the /rest/configure endpoint, which is processed without authentication or authorization. An attacker can execu...

9.8CVSS6.2AI score0.00732EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 7:29 p.m.9 views

Memory Allocation with Excessive Size Value

Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the nbcolors field of the BMP file header during the loadbmp process. An attacker can cause an out-of-memory condition and crash the application by supplying a crafted BMP file with a large...

6.8CVSS5.8AI score0.00119EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 6:27 p.m.9 views

Arbitrary Code Injection

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the vm2.run function. An attacker can execute arbitrary commands on the host system by escaping the...

9.8CVSS6.3AI score0.00921EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/04 6:26 p.m.9 views

Improper Encoding or Escaping of Output

Overview org.apache.polaris:polaris-core is an a catalog for data lakes. It provides new levels of choice, flexibility and control over data, with full enterprise security and Apache Iceberg interoperability across a multitude of engines and infrastructure Affected versions of this package are...

9.9CVSS5.8AI score0.00424EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 5:20 p.m.9 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization when handling HTTP request paths that have had normalizedPath applied. An attacker can gain unauthorized access to protected resources by appending a semicolon and arbitrary text to the request URL, exploiting...

8.8CVSS6AI score0.00444EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/04 5:20 p.m.9 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization when handling HTTP request paths that have had normalizedPath applied. An attacker can gain unauthorized access to protected resources by appending a semicolon and arbitrary text to the request URL, exploiting...

8.8CVSS6AI score0.00444EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/04 5:20 p.m.9 views

Incorrect Authorization

Overview io.quarkus:quarkus-vertx-http is a Cloud Native, Linux Container First framework for writing Java applications. Affected versions of this package are vulnerable to Incorrect Authorization when handling HTTP request paths that have had normalizedPath applied. An attacker can gain...

8.8CVSS6AI score0.00444EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/04 4:53 p.m.9 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the imgPostURLInfo function. An attacker can cause the server to initiate outbound HTTP HEAD requests to arbitrary endpoints by supplying a crafted URL during the image import preflight stage. This c...

5.3CVSS5.9AI score0.00271EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/04 4:29 p.m.9 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read through the MeshGeometry process in FBXMeshGeometry.cpp. An attacker can cause the application to crash or become unresponsive by providing specially crafted input files. Remediation There is no fixed version for...

8.8CVSS5.8AI score0.00238EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 4:29 p.m.9 views

Arbitrary Code Injection

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the lookupGetter method and improper context isolation. An attacker can execute arbitrary commands on the host syste...

9.8CVSS6.3AI score0.00917EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/04 4:29 p.m.9 views

Arbitrary Code Injection

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the lookupGetter method and improper context isolation. An attacker can execute arbitrary commands o...

9.8CVSS6.3AI score0.00917EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/04 3:31 p.m.9 views

XML External Entity (XXE) Injection

Overview Affected versions of this package are vulnerable to XML External Entity XXE Injection in the XML parsing process. An attacker can access sensitive files or execute arbitrary code by supplying crafted XML data containing external entity references. Details XXE Injection is a type of attac...

5.3CVSS6.2AI score0.00232EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 3:29 p.m.9 views

Buffer Overflow

Overview Affected versions of this package are vulnerable to Buffer Overflow in the AddBinaryProperty function of the FBX Importer, where a property key string from a crafted FBX file is copied into a fixed-size heap buffer using strcpy without runtime length validation. An attacker can achieve...

9.8CVSS6.4AI score0.0034EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 9:31 a.m.9 views

Directory Traversal

Overview @puchunjie/doc-tools-mcp is a Word 文档处理 MCP 服务器 - 基于 TypeScript 的文档处理工具 Affected versions of this package are vulnerable to Directory Traversal via the createdocument or opendocument functions in the MCP Interface component when processing the filePath argument. An attacker can access or...

6.5CVSS7AI score0.00288EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 4:13 a.m.9 views

Improper Authentication

Overview prefect is a Prefect is a new workflow management system, designed for modern infrastructure and powered by the open-source Prefect Core workflow engine. Users organize Tasks into Flows, and Prefect takes care of the rest. Affected versions of this package are vulnerable to Improper...

6.9CVSS5.8AI score0.00453EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/04 3:2 a.m.9 views

Malicious Package

Overview @tw-models/storage is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/04 3:2 a.m.9 views

Malicious Package

Overview @apple-pay-trust/start is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/04 3:2 a.m.9 views

Malicious Package

Overview @b2bblocker/hideactivationerror is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and th...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/04 1:43 a.m.9 views

Malicious Package

Overview tinfoil-shops is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/04 12:0 a.m.9 views

Malicious Package

Overview @bcs-adapters/keycloak-api-adapter is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/02 3:31 a.m.9 views

Arbitrary Command Injection

Overview yii2-mcp-server is a MCP Server for Yii2 Framework - Database schema inspection, command execution, and project management Affected versions of this package are vulnerable to Arbitrary Command Injection via the yiicommandhelp or yiiexecutecommand functions in the MCP Interface. An attack...

6.5CVSS6.1AI score0.0111EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/01 5:32 p.m.9 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the ReadLine process of the VRML parser due to improper bounds checking in the quoted-string escape handler, which accesses memory beyond the end of a fixed-size stack buffer. An attacker can trigger a denial of...

6.8CVSS5.8AI score0.00098EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/01 10:27 a.m.9 views

Malicious Package

Overview @apple-pay-trust/cancelled is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/30 8:55 p.m.9 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing authorization checks in the RegisterTemplates process. An attacker can access sensitive environment variables and configuration data by sending unauthenticated GET requests to the affected API...

8.7CVSS5.8AI score0.00309EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/30 5:28 p.m.9 views

Server-side Request Forgery (SSRF)

Overview weblate is an A web-based continuous localization system with tight version control integration Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the ProjectBackup restore path in the backup import code. An attacker can supply a crafted project...

8.1CVSS5.8AI score0.00371EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/30 5:25 p.m.9 views

Open Redirect

Overview notebook is a web application that allows you to create and share documents that contain live code, equations, visualizations, and explanatory text. Affected versions of this package are vulnerable to Open Redirect in the CommandLinker class. An attacker can steal authentication tokens a...

8.8CVSS6AI score0.00476EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/30 5:24 p.m.9 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the FilterDeadline function. An attacker can force the application to make arbitrary outbound HTTP POST requests to internal or external destinations by supplying a crafted URL in the...

7.2CVSS6AI score0.00236EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/30 5:24 p.m.9 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the FilterDeadline function. An attacker can force the application to make arbitrary outbound HTTP POST requests to internal or external destinations by supplying a crafted URL in the...

7.2CVSS6AI score0.00236EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/30 12:39 p.m.9 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the VectorImage component when a user is tricked into loading a specially crafted SVG file. An attacker can execute arbitrary QML or JavaScript code by embedding malicious payloads within the SVG, potentiall...

9.3CVSS6.1AI score0.00224EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/30 6:18 a.m.9 views

Relative Path Traversal

Overview org.jenkins-ci.plugins:credentials-binding is a plugin that allows credentials to be bound to environment variables for use from miscellaneous build steps. Affected versions of this package are vulnerable to Relative Path Traversal due to not sanitizing file names for file and zip file...

7.7CVSS6AI score0.00411EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/30 12:28 a.m.9 views

Command Injection

Overview @burtthecoder/mcp-dnstwist is a MCP server for dnstwist - DNS fuzzing to detect typosquatting, phishing and corporate espionage Affected versions of this package are vulnerable to Command Injection via the fuzzdomain MCP tool. An attacker can execute arbitrary operating system commands b...

7.5CVSS6AI score0.01378EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/29 9:54 p.m.9 views

Cross-site Request Forgery (CSRF)

Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the preferences.php process. An attacker can trigger unauthorized server-side actions, such as...

4.8CVSS5.8AI score0.00117EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/29 9:31 p.m.9 views

Directory Traversal

Overview mcpo-simple-server is a Python-based LLM server that implements the Model Context Protocol MCP Affected versions of this package are vulnerable to Directory Traversal via the deletesharedprompt function in the file src/mcposimpleserver/services/promptmanager/basemanager.py when processin...

7.5CVSS7.5AI score0.00512EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/29 9:27 p.m.9 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization via the command-auth.ts process. An attacker can gain unauthorized access to owner-enforced commands by sending commands from a non-owner sender when a channel plugi...

5.3CVSS5.8AI score0.00237EPSS
Exploits0References2
Total number of security vulnerabilities5000