Lucene search
K
SnykMost viewed

35355 matches found

Snyk
Snyk
added 2026/05/08 7:52 p.m.9 views

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization through the importmodels process. An attacker can overwrite existing models owned by other users, modify their configuration, and escalate access by submitting crafted payloads to the...

7.1CVSS5.8AI score0.0029EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/08 7:45 p.m.9 views

Missing Authorization

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Missing Authorization through the /responses endpoint, which fails to enforce per-model access control. An attacker can interact with any configured model, including those restricted by administrators, by...

7.1CVSS5.9AI score0.00306EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/08 7:44 p.m.9 views

Exposure of Resource to Wrong Sphere

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere in the handling of Redis cache keys for toolservers and terminalservers when multiple instances share a Redis backend. An attacker can overwrite or inject malicious tool...

8.7CVSS5.8AI score0.00305EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/08 6:43 p.m.9 views

Arbitrary Argument Injection

Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Arbitrary Argument Injection via the openFileWithEditor process. An attacker can execute arbitrary commands on the user's system by crafting a malicious filename...

8.8CVSS6.1AI score0.00167EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/08 6:37 p.m.9 views

Cleartext Storage of Sensitive Information

Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in the getConstants process, which serializes the entire process.env object and exposes it to the renderer context as...

7.1CVSS5.8AI score0.00103EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 4:31 p.m.9 views

Arbitrary Code Injection

Overview dash-uploader is an Upload large files using resumable.js Affected versions of this package are vulnerable to Arbitrary Code Injection via improper handling of the Upload function and the maxfilesize parameter in the affected components. An attacker can execute arbitrary code remotely by...

9.2CVSS6.2AI score0.02643EPSS
Exploits5References2
Snyk
Snyk
added 2026/05/08 5:19 a.m.9 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the pdfContext.setOption process. An attacker can access arbitrary files readable by the PHP worker by uploading a crafted PDF invoice template that triggers the embedding of file contents into the generated PDF...

5.1CVSS6.3AI score0.00278EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 12:31 a.m.9 views

Directory Traversal

Overview short-video-maker is a Creates short videos for TikTok, Instagram Reels, and YouTube Shorts using the Model Context Protocol MCP and a REST API. Affected versions of this package are vulnerable to Directory Traversal via the req.params.tmpFile parameter in the REST API. An attacker can...

6.9CVSS6.3AI score0.00575EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 12:0 a.m.9 views

Prompt Injection

Overview org.springframework.ai:spring-ai-advisors-vector-store is a Chat client advisors for Spring AI Affected versions of this package are vulnerable to Prompt Injection via conversation memory handling in the affected advisor. An attacker can inject crafted input in conversation memory that i...

8.2CVSS5.7AI score0.00218EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/08 12:0 a.m.9 views

Prompt Injection

Overview org.springframework.ai:spring-ai-client-chat is a Spring AI Chat Client AI programming Affected versions of this package are vulnerable to Prompt Injection via conversation memory handling in the affected advisor. An attacker can inject crafted input in conversation memory that is later...

8.2CVSS5.7AI score0.00218EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 9:34 p.m.9 views

Improper Handling of Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions in the token revocation process. An attacker can maintain unauthorized access by using a stolen access token that was issued with no expiration, as the token cannot be invalidated through...

9.1CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/05/07 9:30 p.m.9 views

Improper Use of Validation Framework

Overview Affected versions of this package are vulnerable to Improper Use of Validation Framework in the parseAndValidateClientRedirect process. An attacker can obtain OAuth exchange codes intended for other users by crafting a redirecturi that matches an allowed scheme and host but specifies a...

8CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/05/07 9:21 p.m.9 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the PUT /api/echo/like/:id endpoint. An attacker can manipulate engagement metrics by sending repeated unauthenticated requests to the like endpoint, resulting in arbitrary inflation of the favcount value...

6.9CVSS5.6AI score
Exploits0References2
Snyk
Snyk
added 2026/05/07 9:16 p.m.9 views

Exposure of Private Personal Information to an Unauthorized Actor

Overview Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor via the Email field in the Comment model exposed through unauthenticated public API endpoints. An attacker can obtain the email addresses of all guest commenters by makin...

6.9CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/07 7:21 p.m.9 views

Improper Encoding or Escaping of Output

Overview std/html/template is a Go standard library package std/html/template Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. Go Vulnerability Report: If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type'...

6.1CVSS5.9AI score0.00371EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/07 7:21 p.m.9 views

Information Exposure

Overview std/net/http/httputil is a Go standard library package std/net/http/httputil Affected versions of this package are vulnerable to Information Exposure. Go Vulnerability Report: ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrit...

6.9CVSS5.8AI score0.0039EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/07 7:21 p.m.9 views

Infinite loop

Overview golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go. Affected versions of this package are vulnerable to Infinite loop. Go Vulnerability Report: When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receiv...

8.7CVSS5.8AI score0.00781EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/07 7:21 p.m.9 views

Resources Downloaded over Insecure Protocol

Overview Affected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol. Go Vulnerability Report: A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any...

7.5CVSS5.8AI score0.00231EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/07 5:35 p.m.9 views

Cross-site Scripting (XSS)

Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized input in th...

6.1CVSS5.8AI score0.0021EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 4:39 p.m.9 views

Symlink Attack

Overview bentoml is a BentoML: Build Production-Grade AI Applications Affected versions of this package are vulnerable to Symlink Attack via the build packaging workflow. An attacker can access sensitive files from the build host by introducing crafted symlinks in the build context, which are...

6.7CVSS5.8AI score0.00284EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 6:41 a.m.9 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview mathjs is a math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with diff. Affected versions of this package are...

8.8CVSS7.6AI score0.00577EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 5:14 a.m.9 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of size limits applied to the Properties section during the decoding process. An attacker can cause excessive CPU and memory consumption by sending MQTT messages with...

7.5CVSS5.8AI score0.00455EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 4:33 a.m.9 views

Symlink Attack

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Symlink Attack via the isPathAllowed path check in lib/resolver-compat.js. An attacker can execute code outside the configured require.root by placin...

8.5CVSS6.5AI score0.00722EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:8 a.m.9 views

Arbitrary Code Injection

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through lib/builtin.js. An attacker can execute host code when the allowlist includes -X or uses and then...

9.9CVSS6.1AI score0.00974EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 4:7 a.m.9 views

Arbitrary Code Injection

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the BaseHandler write traps in lib/bridge.js. An attacker can mutate host Object.prototype,...

10CVSS6AI score0.00842EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 3:34 a.m.9 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the RSL policy validation. An attacker can revert the system to a previous trusted state by creating a new Reference State Log entry that references an older policy, provided it i...

6CVSS5.8AI score0.00198EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 2:57 a.m.9 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in JWT validation middleware. An attacker can maintain unauthorized access to user accounts by reusing previously issued JSON Web Tokens even after a password change, as the tokens are not invalidated or...

6.3CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/05/07 1:23 a.m.9 views

Directory Traversal

Overview github.com/rancher/rancher/pkg/nodeconfig is a complete container management platform Affected versions of this package are vulnerable to Directory Traversal via the compressedEndpoint field in a UIPlugin deployment. An attacker can overwrite binaries or configuration files, tamper with...

9.3CVSS6.3AI score0.00368EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/07 1:15 a.m.9 views

Server-side Request Forgery (SSRF)

Overview github.com/gotenberg/gotenberg/v7/pkg/modules/chromium is a Docker-powered stateless API for PDF files. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the downloadFrom and webhook processes. An attacker can access internal network resources and...

9.4CVSS5.8AI score0.00352EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 1:0 a.m.9 views

Race Condition

Overview Affected versions of this package are vulnerable to Race Condition due to improper synchronization in the webhook process. An attacker can cause the application to crash and become unavailable by sending concurrent requests that exploit the reuse of echo.Context objects, leading to a pan...

8.7CVSS5.8AI score0.00348EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 12:57 a.m.9 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the libreoffice process when uploaded files containing external references are passed directly for conversion without content inspection. An attacker can cause the server to make arbitrary outbound HT...

8.8CVSS6AI score0.00245EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 12:55 a.m.9 views

Incomplete List of Disallowed Inputs

Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the metadata process. An attacker can rename, move, or create links to files within the container by submitting specially crafted metadata values that bypass the intended blocklist. This may also...

8.8CVSS5.8AI score0.0029EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/07 12:6 a.m.9 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the SNS HTTP/HTTPS notification endpoints due to missing signature verification. An attacker can cause the application to process arbitrary payloads as legitimate notifications, auto-confi...

6.3CVSS5.9AI score0.00179EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 11:49 p.m.9 views

HTML Injection

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to HTML Injection via the jsx element tag. An attacker can inject unintended HTML elements or attributes, corrupt the HTML structure, or execute scripts by supplying malicious tag names as...

6.1CVSS5.9AI score0.0014EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 11:16 p.m.9 views

Improper Verification of Cryptographic Signature

Overview @axonflow/sdk is an AxonFlow SDK - Add invisible AI governance to your applications in 3 lines of code Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the lack of exposure of the HMAC-SHA256 signing key in the SDK's typed API,...

8.2CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/05/06 9:56 p.m.9 views

Allocation of Resources Without Limits or Throttling

Overview python-multipart is an A streaming multipart parser for Python Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when parsing multipart headers in MultipartParser, which can hang without failing in the following states:...

8.7CVSS5.8AI score0.00549EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 9:21 p.m.9 views

Directory Traversal

Overview org.openmrs.web:openmrs-web is a patient-based medical record system focusing on giving providers a free customizable electronic medical record system EMR. Affected versions of this package are vulnerable to Directory Traversal via the WebModuleUtil.startModule function in POST...

9.4CVSS6.4AI score0.00853EPSS
Exploits1References2
Snyk
Snyk
added 2026/05/06 8:53 p.m.9 views

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop in the SnappyStreamDecompressor class, when decompressing malformed framed-format input. An attacker can cause the application to exhaust system resources by providing malicious stream data as small as 15 bytes PoC using...

8.7CVSS5.8AI score0.00263EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:45 p.m.9 views

Incorrect Authorization

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Incorrect Authorization via the getFaqBySolutionId process. An attacker can access restricted FAQ metadata, including titles, categories, internal IDs,...

8.7CVSS5.8AI score0.00259EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:40 p.m.9 views

Directory Traversal

Overview magic-wormhole is a Securely transfer data between computers Affected versions of this package are vulnerable to Directory Traversal via the receive process when the --output parameter is set to an existing directory. An attacker can overwrite files outside the intended directory by...

5.1CVSS6.3AI score0.00197EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:37 p.m.9 views

Incorrect Authorization

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Incorrect Authorization in the admin-api routes due to insufficient authorization checks. An attacker can access backend operational information by...

5.3CVSS5.8AI score0.00168EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:16 p.m.9 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the SUSE Virtualization Harvester Rancher integration mechanism. An attacker can intercept sensitive information and cause a crash of the registration controller by exploiting insecure TLS certificate...

8.8CVSS5.8AI score0.00208EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:16 p.m.9 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the SUSE Virtualization Harvester Rancher integration mechanism. An attacker can intercept sensitive information and cause a crash of the registration controller by exploiting insecure TLS certificate...

8.8CVSS5.8AI score0.00208EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:11 p.m.9 views

Incorrect Authorization

Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Incorrect Authorization in the userHasPermission process. An attacker can gain unauthorized access to sensitive administrative data by sending requests ...

7.1CVSS5.8AI score0.00303EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 7:48 p.m.9 views

CSV Injection

Overview Affected versions of this package are vulnerable to CSV Injection via the export function. An attacker can execute arbitrary spreadsheet formulas in the context of an administrator's local machine by injecting formula payloads into profile fields, which are then exported and opened in...

8.2CVSS6.4AI score
Exploits0References2
Snyk
Snyk
added 2026/05/06 6:13 p.m.9 views

Incomplete Filtering of Special Elements

Overview dssrf is a SSRF defense library for Node.js with safe URL validation utilities. Affected versions of this package are vulnerable to Incomplete Filtering of Special Elements via the isurlsafe function. An attacker can access internal network resources by supplying specially crafted IPv6...

8.7CVSS5.8AI score0.00349EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 5:54 p.m.9 views

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the actionShowInFolder process. An attacker can access sensitive asset filenames and complete folder structures, including volume handles and URIs, by supplying...

7.1CVSS5.9AI score0.00324EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 5:49 p.m.9 views

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the Address GraphQL resolver, which does not enforce schema scope filtering on top-level queries. An attacker can access sensitive address information belonging to...

7.1CVSS5.8AI score0.00338EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 5:34 p.m.9 views

Prototype Pollution

Overview icu-minify is an ICU message format compiler with a 1KB runtime bundle footprint Affected versions of this package are vulnerable to Prototype Pollution in the setNestedProperty function when processing translation catalog keys containing reserved properties such as proto, constructor, o...

6.6CVSS6.3AI score
Exploits0References2
Snyk
Snyk
added 2026/05/06 5:32 p.m.9 views

Prototype Pollution

Overview icu-minify is an ICU message format compiler with a 1KB runtime bundle footprint Affected versions of this package are vulnerable to Prototype Pollution via the formatSelect function. An attacker can cause the application to crash and trigger a server error by supplying specially crafted...

8.2CVSS6.3AI score
Exploits0References2
Total number of security vulnerabilities5000