Lucene search
K
SnykMost viewed

35412 matches found

Snyk
Snyk
added 2026/04/23 4:24 a.m.9 views

Malicious Package

Overview @nklkas/hyperliquid is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/04/22 8:32 p.m.9 views

Origin Validation Error

Overview locize is a This package adds the incontext editor to your i18next setup. Affected versions of this package are vulnerable to Origin Validation Error in the window.addEventListener message handler due to missing validation of the event.origin property. An attacker can execute arbitrary...

7.5CVSS6AI score0.00101EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/22 5:41 p.m.9 views

Directory Traversal

Overview org.webjars.npm:i18next-http-backend is an i18next-http-backend is a backend layer for i18next using in Node.js, in the browser and for Deno. Affected versions of this package are vulnerable to Directory Traversal or other URL manipulation, via unsanitized interpolation of lng and ns...

9.1CVSS6.3AI score0.00251EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/22 5:6 p.m.9 views

Out-of-bounds Read

Overview cudaq is a Python bindings for the CUDA-Q toolkit for heterogeneous quantum-classical workflows. Affected versions of this package are vulnerable to Out-of-bounds Read via the endpoint process. An attacker can access sensitive information and cause a denial of service by sending a...

8.8CVSS5.8AI score0.0032EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/22 5:6 p.m.9 views

Allocation of Resources Without Limits or Throttling

Overview @next-ai-drawio/mcp-server is a MCP server for Next AI Draw.io - AI-powered diagram generation with real-time browser preview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the handleStateApi, handleRestoreApi, and...

8.7CVSS5.8AI score0.00146EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/22 5:6 p.m.9 views

Server-side Request Forgery (SSRF)

Overview bagisto/bagisto is a hand tailored E-Commerce framework designed on some opensource technologies such as Laravel a PHP framework, Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the copy function of the...

6.5CVSS6.6AI score0.00201EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/22 2:52 p.m.9 views

Insecure Default Initialization of Resource

Overview engramx is a The context spine for AI coding agents. 9 built-in providers + mcpConfig plugin contract wrap any MCP server in 10 lines, generic MCP-client aggregator stdio, pre-mortem mistake-guard, bi-temporal mistake memory, Anthropic Auto-Memory bridge, SSE stre Affected versions of th...

8.6CVSS5.8AI score
Exploits0References5
Snyk
Snyk
added 2026/04/22 12:26 p.m.9 views

Access Control Bypass

Overview org.springframework.security:spring-security-config is a security configuration package for Spring Framework. Affected versions of this package are vulnerable to Access Control Bypass in the securityMatchers component when a PathPatternRequestMatcher.Builder bean is used to prepend a...

8.7CVSS5.5AI score0.00248EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/22 1:34 a.m.9 views

Malicious Package

Overview js-logger-pack is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/04/21 6:31 p.m.9 views

Incomplete List of Disallowed Inputs

Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the Twig sandbox security policy, which permits database write operations even when safe mode is enabled. An attacker with Developer permissions can modify, insert, or delete data in any database...

7.5CVSS5.8AI score0.00229EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/21 3:16 p.m.9 views

Access Control Bypass

Overview @gitlawb/openclaude is an OpenClaude opens coding-agent workflows to any LLM — OpenAI, Gemini, DeepSeek, Ollama, and 200+ models Affected versions of this package are vulnerable to Access Control Bypass via the bashToolHasPermission function. An attacker can access or modify files outsid...

8.4CVSS5.8AI score0.00232EPSS
Exploits2References3
Snyk
Snyk
added 2026/04/20 6:14 a.m.9 views

Server-side Request Forgery (SSRF)

Overview agentscope is an AgentScope: A Flexible yet Robust Multi-Agent Platform. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the processaudioblock function. An attacker can make unauthorized requests to internal or external systems by supplying crafte...

7.5CVSS7.3AI score0.00284EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/20 6:13 a.m.9 views

Arbitrary Code Injection

Overview agentscope is an AgentScope: A Flexible yet Robust Multi-Agent Platform. Affected versions of this package are vulnerable to Arbitrary Code Injection via the executeshellcommand function. An attacker can execute arbitrary code by supplying crafted input remotely. Remediation There is no...

7.5CVSS7.9AI score0.00311EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/20 6:13 a.m.9 views

Server-side Request Forgery (SSRF)

Overview agentscope is an AgentScope: A Flexible yet Robust Multi-Agent Platform. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the getbytesfromweburl function. An attacker can access internal resources or sensitive information by sending crafted request...

7.5CVSS7.5AI score0.00326EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/19 9:0 p.m.9 views

Cross-site Scripting (XSS)

Overview dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting XSS leading to cross-site scripting, via custom elements. When CUSTOMELEMENTHANDLING is not enabled, and an attacker has already polluted the prototype...

6.9CVSS5.3AI score0.00225EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 1:9 a.m.9 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal through improper validation of user-supplied paths in the prefixed function. An attacker can read or write arbitrary files, create directories, and enumerate files outside the intended root directory by sending...

9.6CVSS6.3AI score0.00393EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/17 10:31 p.m.9 views

Arbitrary Code Injection

Overview math-codegen is a Generates code from mathematical expressions Affected versions of this package are vulnerable to Arbitrary Code Injection via the parse function. An attacker can execute arbitrary code by supplying crafted input that is injected directly into a dynamically created...

9.8CVSS6.2AI score0.00393EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 10:31 p.m.9 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the advertisedReferences function. The headers - including Authorization headers - from an initial /info/refs request are forwarded to redirect targets. An attacker can obtain authentication...

7.4CVSS5.8AI score0.00259EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 10:14 p.m.9 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via host=node override in the routing execution. An attacker can bypass intended sandbox restrictions and execute code on a remote node by manipulating the routing...

9.9CVSS6AI score0.00347EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 9:34 p.m.9 views

Authorization Bypass Through User-Controlled Key

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the createDocumentStore, updateDocumentStore, and upsertDocStore paths in documentstore/index.ts and documentstore/index.ts. An attacker can create o...

8.8CVSS5.8AI score0.00333EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/17 9:0 p.m.9 views

XML Injection

Overview org.webjars.npm:xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection due to unvalidated comment serialization. When an application uses the package to create an XML...

8.7CVSS5.4AI score0.00365EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 8:8 p.m.9 views

Missing Authentication for Critical Function

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the sandbox noVNC helper route. An attacker can gain unauthorized access to interactive browser session credentials by bypassing bridge...

9.8CVSS5.7AI score0.00401EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 3:31 p.m.9 views

Cross-site Request Forgery (CSRF)

Overview org.pac4j:pac4j-core is a pac4j is an easy and powerful security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF d...

7.1CVSS5.8AI score0.00165EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 11:0 a.m.9 views

Malicious Package

Overview koa-v3 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 2026/04/16 10:51 p.m.9 views

SQL Injection

Overview @saltcorn/server is a Server app for Saltcorn, open-source no-code platform Affected versions of this package are vulnerable to SQL Injection via the getSyncRows and getDelRows functions. An attacker can execute arbitrary SQL commands, exfiltrate sensitive data, modify or delete database...

9.9CVSS6.1AI score0.00264EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/16 10:48 p.m.9 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the decidedByUserId field in approval-related endpoints. An attacker can forge decision attribution by supplying an arbitrary user identifier in the request body, causing the system to...

5.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/04/16 10:45 p.m.9 views

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path via the adapterConfig.instructionsFilePath configuration field, which is processed by the server during agent execution. An attacker can access sensitive files on the host filesystem by supplying...

6CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/04/16 10:45 p.m.9 views

External Control of File Name or Path

Overview @paperclipai/ui is a Prebuilt Paperclip board UI assets. Affected versions of this package are vulnerable to External Control of File Name or Path via the adapterConfig.instructionsFilePath configuration field, which is processed by the server during agent execution. An attacker can acce...

6CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/04/16 10:45 p.m.9 views

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path via the adapterConfig.instructionsFilePath configuration field, which is processed by the server during agent execution. An attacker can access sensitive files on the host filesystem by supplying...

6CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/04/16 10:34 p.m.9 views

Arbitrary Code Injection

Overview protobufjs is a protocol buffer for JavaScript & TypeScript. Affected versions of this package are vulnerable to Arbitrary Code Injection through the handling of user-supplied protobuf definitions, specifically via the Type's name field. An attacker can execute arbitrary JavaScript code ...

9.8CVSS6.4AI score0.00745EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/16 9:44 p.m.9 views

Arbitrary Code Injection

Overview flowise-ui is a Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper sanitization. This is only...

9.9CVSS6.2AI score0.0145EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/16 9:30 p.m.9 views

Excessive Iteration

Overview PyPDF2 is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Excessive Iteration in the incremental mode for PDF processing. An attacker can cause excessive resource consumption and...

6.5CVSS5.7AI score0.00214EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/16 9:25 p.m.9 views

Command Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Command Injection in the cloneServer.json.php endpoint of the CloneSite plugin, where user-controlled input is concatenated into a shell command without proper...

9.8CVSS6AI score0.02221EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/16 9:21 p.m.9 views

Use of a Broken or Risky Cryptographic Algorithm

Overview flowise-ui is a Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators, by crafting valid JWTs usin...

5.6CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/16 9:18 p.m.9 views

Command Injection

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Command Injection via the Custom MCP configuration in http://localhost:3000/canvas. An attacker can execute arbitrary commands on the underlying operating system by supplying crafted argument...

9.9CVSS6.3AI score0.01987EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/15 7:45 p.m.9 views

Excessive Iteration

Overview python-multipart is an A streaming multipart parser for Python Affected versions of this package are vulnerable to Excessive Iteration in the parsing performed by multipart.py. An attacker can degrade performance by sending multipart requests with very large preamble or epilogue sections...

6.9CVSS5.8AI score0.00351EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/15 7:30 p.m.9 views

Insufficient Granularity of Access Control

Overview Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in namespace validation for the ImageUpdater resources. An attacker can perform unauthorized image updates on applications in other namespaces by creating or modifying ImageUpdater resources,...

9.1CVSS5.8AI score0.00357EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/15 7:19 p.m.9 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration in the DSF FHIR and BPE Servers with enabled OIDC authentication due to the lack of session timeout enforcement in OIDC browser sessions. An attacker can gain unauthorized access to a user's session by...

6.8CVSS5.8AI score0.00154EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/15 11:15 a.m.9 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the authentication process. An attacker can modify a user's authentication method by tricking the user into visiting a malicious page. Remediation Upgrade...

8.1CVSS5.8AI score0.00129EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/15 10:13 a.m.9 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the verifybyte expected function in JcaContentVerifierProviderBuilder. An attacker can forge a protected CMP/PKI message by supplying an empty composite signature sequence that...

9.2CVSS5.7AI score0.00392EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/14 11:36 p.m.9 views

Server-side Request Forgery (SSRF)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the actionResourceJs process. An attacker can cause the server to make arbitrary HTTP requests by supplying a malicious Host header when the trustedHosts...

7CVSS5.9AI score0.0026EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/14 11:32 p.m.9 views

Missing Release of Memory after Effective Lifetime

Overview Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime in the PNG encoder when writing an MNG image. An attacker can cause resource exhaustion by repeatedly triggering failures during image encoding. Remediation A fix was pushed into the...

6.3CVSS5.7AI score0.00284EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/14 11:32 p.m.9 views

Missing Release of Memory after Effective Lifetime

Overview Magick.NET-Q8-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.3CVSS5.8AI score0.00284EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/14 11:32 p.m.9 views

Missing Release of Memory after Effective Lifetime

Overview Magick.NET-Q16-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.3CVSS5.8AI score0.00284EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/14 11:32 p.m.9 views

Missing Release of Memory after Effective Lifetime

Overview Magick.NET-Q16-HDRI-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

6.3CVSS5.8AI score0.00284EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/14 11:32 p.m.9 views

Out-of-bounds Write

Overview Magick.NET-Q16-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

7.8CVSS5.8AI score0.00121EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/14 11:32 p.m.9 views

Out-of-bounds Write

Overview Magick.NET-Q16-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

7.8CVSS5.8AI score0.00121EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/14 11:32 p.m.9 views

Heap-based Buffer Overflow

Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

4.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/14 11:32 p.m.9 views

Heap-based Buffer Overflow

Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

4.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/14 11:31 p.m.9 views

Off-by-one Error

Overview Magick.NET-Q16-HDRI-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

7.1CVSS5.8AI score0.00128EPSS
Exploits0References3
Total number of security vulnerabilities5000