Lucene search
K
SnykMost viewed

34996 matches found

Snyk
Snyk
added 2026/06/16 2:32 p.m.8 views

Improperly Implemented Security Check for Standard

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard in the Lambda@Edge adapter that truncates repeated request headers. An attacker can bypass access restrictions or affect auditing...

6.3CVSS5.8AI score0.00114EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/16 2:15 p.m.8 views

Permissive Cross-domain Policy with Untrusted Domains

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains in the CORS middleware. An attacker can access sensitive information and perform unauthorized actions by sending cross-origin request...

7.1CVSS6AI score0.00248EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/16 2:5 p.m.8 views

Infinite loop

Overview pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Infinite loop via the processing outlines or bookmarks in writer. An attacker can cause the application to enter an infinite loop ...

6.9CVSS5.9AI score0.00123EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/16 2:5 p.m.8 views

Infinite loop

Overview pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Infinite loop via the font retrieving. An attacker can cause the application to enter an infinite loop by crafting a specially...

6.9CVSS5.9AI score0.00123EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/16 6:12 a.m.8 views

Malicious Package

Overview hot-validation-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/16 6:9 a.m.8 views

Malicious Package

Overview pampipes is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/16 6:9 a.m.8 views

Malicious Package

Overview fabric-graphics is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/16 12:36 a.m.8 views

Malicious Package

Overview bodega-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/16 12:5 a.m.8 views

Malicious Package

Overview sp-api-dev-assistant-mcp-server is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and th...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/16 12:5 a.m.8 views

Malicious Package

Overview worker-build is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/15 11:56 p.m.8 views

Malicious Package

Overview vemos-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/15 11:45 p.m.8 views

Malicious Package

Overview prettierv2 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/15 11:34 p.m.8 views

Malicious Package

Overview ect-472839 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/15 11:34 p.m.8 views

Malicious Package

Overview ect-839201 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/15 11:33 p.m.8 views

Malicious Package

Overview vite-configu-react is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:41 p.m.8 views

Inefficient Algorithmic Complexity

Overview markdown-it is a modern pluggable markdown parser. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the replaceAt function in the smartquotes rule when processing markdown input with a large number of consecutive quotation marks and the...

6.9CVSS5.9AI score0.00306EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/15 8:38 p.m.8 views

Use of Incorrectly-Resolved Name or Reference

Overview starlette is a The little ASGI library that shines. Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference in the reconstruction of request.url when the HTTP request path does not begin with /. An attacker can mislead the application into trusti...

8.3CVSS5.3AI score0.00187EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:36 p.m.8 views

Incorrect Authorization

Overview @nestjs/platform-fastify is a Nest - modern, fast, powerful node.js web framework @platform-fastify Affected versions of this package are vulnerable to Incorrect Authorization via the MiddlewareConsumer.forRoutes API on the Fastify adapter. An attacker can gain unauthorized access to...

8.7CVSS5.9AI score0.00285EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:19 p.m.8 views

Improper Handling of Highly Compressed Data (Data Amplification)

Overview tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification in the AsyncHTTPClient. An attacker can cause excessive memory...

7.5CVSS5.9AI score0.00052EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:11 p.m.8 views

Improper Validation of Certificate with Host Mismatch

Overview Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch in the serverhostname parameter handling during HTTPS connection reuse. An attacker can bypass intended TLS SNI checks by reusing an existing connection with a different...

7.5CVSS5.3AI score0.00266EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:9 p.m.8 views

Improper Handling of Highly Compressed Data (Data Amplification)

Overview Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data Data Amplification during cleanup. An attacker can exhaust system memory by sending a specially crafted compressed payload that is decompressed into memory in a single chunk. Remediation Upgra...

8.7CVSS5.3AI score0.00279EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:9 p.m.8 views

Insufficiently Protected Credentials

Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the DigestAuthMiddleware class when authentication responses are sent after following cross-origin redirects. An attacker can obtain authentication digests by leveraging an open redirect or simil...

6.3CVSS5.9AI score0.00178EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 8:2 p.m.8 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the SAFEFORTEMPLATES function. An attacker can inject template expressions that survive sanitization inside element content by...

6.1CVSS5.5AI score
Exploits0References2
Snyk
Snyk
added 2026/06/15 7:56 p.m.8 views

Trust Boundary Violation

Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Trust Boundary Violation in the sanitize function when handling DOM nodes from a different same-origin realm due to improper realm-bound instanceof checks. ...

6.1CVSS5.4AI score0.00055EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 7:53 p.m.8 views

Prototype Pollution

Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Prototype Pollution in the INPLACE function when sanitizing a root element that is a with event handler attributes and a descendant element whose name...

6.1CVSS6.5AI score0.00042EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 5:39 p.m.8 views

Incomplete Cleanup

Overview Affected versions of this package are vulnerable to Incomplete Cleanup in the diskStorage function. An attacker can exhaust disk space by repeatedly initiating and aborting multipart uploads, causing orphaned partial files to accumulate on disk. Remediation Upgrade multer to version 2.2....

7.5CVSS5.3AI score0.00278EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 5:39 p.m.8 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview org.webjars.npm:webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' via permissive user proxy...

7.1CVSS5.9AI score0.00163EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 5:35 p.m.8 views

Missing Authorization

Overview org.webjars.npm:nodemailer is an Easy as cake e-mail sending from your Node.js applications Affected versions of this package are vulnerable to Missing Authorization in the jsonTransport message, which fails to enforce file and URL access restrictions during message normalization. An...

6.4CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/06/15 5:27 p.m.8 views

Improper Check for Unusual or Exceptional Conditions

Overview protobufjs-cli is a Translates between file formats and generates static code as well as TypeScript definitions. Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the schema-derived names that collide with runtime-significant...

6.9CVSS5.6AI score0.00238EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 5:24 p.m.8 views

Regular Expression Denial of Service (ReDoS)

Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the formatDate function when processing an excessively long or attacker-controlled date format string. An attacker can cause high CPU and memory consumption, leading to application...

8.2CVSS5.8AI score0.00331EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 5:21 p.m.8 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper handling of namespaced elements and attributes during template compilation and sanitization. An attacker can execute arbitrary JavaScript in the user's browser by injecting specially crafted templat...

9.3CVSS5.9AI score0.00206EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 5:21 p.m.8 views

Cross-site Scripting (XSS)

Overview @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this...

9.3CVSS5.9AI score0.00206EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 5:19 p.m.8 views

Interpretation Conflict

Overview tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Interpretation Conflict due to improper handling of PAX extended header size overrides in intermediary metadata headers. An attacker can cause inconsistent archive parsing results between differen...

6.9CVSS5.3AI score0.00107EPSS
Exploits1References2
Snyk
Snyk
added 2026/06/15 5:18 p.m.8 views

External Control of File Name or Path

Overview launch-editor is a launch editor from node.js Affected versions of this package are vulnerable to External Control of File Name or Path in the handling of UNC paths on Windows systems. An attacker can obtain NTLMv2 password hashes by tricking a user into accessing a malicious SMB server...

8.3CVSS5.4AI score0.00322EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 4:52 p.m.8 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the formatNumber function when the digitsInfo parameter is controlled by untrusted user input. An attacker can exhaust system resources and cause application unavailability by...

8.2CVSS5.9AI score0.00161EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 4:39 p.m.8 views

Server-side Request Forgery (SSRF)

Overview @angular/platform-server is an Angular - library for using Angular in Node.js Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via a parser differential between the strict WHATWG URL parser used for allowlist validation and the lenient Domino URL parse...

8.8CVSS6AI score0.00193EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/15 4:34 p.m.8 views

Asymmetric Resource Consumption (Amplification)

Overview ws is a simple to use websocket client, server and console for node.js. Affected versions of this package are vulnerable to Asymmetric Resource Consumption Amplification when handling a large number of very small fragments and data chunks. An attacker can cause excessive memory allocatio...

8.7CVSS5.9AI score0.00782EPSS
Exploits1References3
Snyk
Snyk
added 2026/06/15 3:32 p.m.8 views

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via deeply nested field names in multipart form data. An attacker can exhaust CPU and memory resources by sending a single HTTP request with a crafted multipart body containing excessively nested field names...

8.7CVSS5.3AI score0.00278EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/15 3:16 p.m.8 views

Modification of Assumed-Immutable Data

Overview @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this...

8.6CVSS6.1AI score0.00179EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/13 9:0 p.m.8 views

Malicious Package

Overview @array-util/nodepull is a malicious package. that installs "socket io" as a remote access trojan RAT, then fetch a second-stage payload 0001.dat from the same command-and-control C2 server and execute it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean DPRK group behind the "Contagio...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/13 9:0 p.m.8 views

Malicious Package

Overview @antoncarlos1/nodelamp is a malicious package. that installs "socket io" as a remote access trojan RAT, then fetch a second-stage payload 0001.dat from the same command-and-control C2 server and execute it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean DPRK group behind the...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/13 9:0 p.m.8 views

Malicious Package

Overview xnder-sdk-js is a malicious package. that installs "socket io" as a remote access trojan RAT, then fetch a second-stage payload 0001.dat from the same command-and-control C2 server and execute it. The C2 is linked to FAMOUS CHOLLIMA, a North Korean DPRK group behind the "Contagious...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/06/12 11:8 p.m.8 views

Incomplete List of Disallowed Inputs

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the PowerShell encoded-command handling process. An attacker can execute arbitrary commands by leveraging unrecognized encoded-command alias forms...

8.8CVSS6.2AI score0.00451EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/12 10:9 p.m.8 views

Cross-site Scripting (XSS)

Overview apostrophe is a content management system CMS for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...

5.4CVSS5AI score0.00286EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/12 10:9 p.m.8 views

Server-side Request Forgery (SSRF)

Overview apostrophe is a content management system CMS for Node.js. It supports in-context editing, schema-driven content types, flexible widgets and a great deal more. This module contains everything necessary to build a website with ApostropheCMS. Affected versions of this package are vulnerabl...

6.3CVSS5.4AI score0.00226EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/12 9:0 p.m.8 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the DeleteWithPathPrefix process. An attacker can delete share-link records belonging to other users, including administrators, by issuing a legitimate delete operation on a file...

8.1CVSS6AI score0.00411EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/12 9:0 p.m.8 views

Improper Encoding or Escaping of Output

Overview fabric is an Object model for HTML5 canvas, and SVG-to-canvas parser. Backed by jsdom and node-canvas. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the toSVG and getSvgStyles/getSvgSpanStyles paths in the gradient, object, and text SVG...

6.1CVSS5.5AI score0.00194EPSS
Exploits1References3
Snyk
Snyk
added 2026/06/12 6:16 p.m.8 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via mysqlrealescapestring when used with the text protocol and the Big5 character set. An attacker can execute arbitrary SQL queries by supplying specially crafted input that bypasses escaping performed by...

9.8CVSS6.2AI score0.00419EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/12 3:13 p.m.8 views

Improper Handling of Case Sensitivity

Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity through the getRouteRules function in the route rules matcher. An attacker can evade prerender, SSR, or redirect rules by sending a request with a path that uses different letter casing from the...

8.8CVSS5.4AI score0.00294EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/12 2:32 p.m.8 views

Malicious Package

Overview @malwguy/ecto-corsair-whisper-3d2a7c is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization a...

9.8CVSS5.4AI score
Exploits0References2
Total number of security vulnerabilities5000