Lucene search
K
SnykMost viewed

35355 matches found

Snyk
Snyk
added 2026/04/01 8:58 p.m.9 views

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the way the server’s middleware processes "Share Tokens." While these tokens are intended to grant temporary, restricted access to a single file, the BasicAuthMiddleware...

8.5CVSS5.9AI score0.00392EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/01 12:2 a.m.9 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization due to over-trusting of positional carrier executables in the src/infra/exec-approvals-allowlist.ts process. An attacker can gain unauthorized access to privileged...

7.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/03/30 5:19 p.m.9 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error in the ManagedWebAccessUtils.getServer function. An attacker can obtain authentication credentials by leveraging improper URL prefix matching during HTTP redirects, causing sensitive headers such as Bearer tokens...

9.1CVSS5.9AI score0.00158EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/27 5:22 p.m.9 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the systemd.credential process. An attacker can overwrite arbitrary files on the host system by crafting credential names that traverse directories. This can lead to privilege escalation or denial of service by...

9.9CVSS6.5AI score0.00447EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/27 5:17 p.m.9 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine through improper implementation of the chroot isolation mechanism in the pongo2 template processing. An attacker can gain unauthorized access to read and write...

9.9CVSS6AI score0.00481EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/27 5:17 p.m.9 views

Improper Neutralization of Special Elements Used in a Template Engine

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine through improper implementation of the chroot isolation mechanism in the pongo2 template processing. An attacker can gain unauthorized access to read and write...

9.9CVSS6AI score0.00481EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/26 9:57 p.m.9 views

Infinite loop

Overview node-forge is a JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities. Affected versions of this package are vulnerable to Infinite loop via the modInverse function. An attacker can cause the application to hang indefinitely...

8.7CVSS5.9AI score0.00596EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/26 9:42 p.m.9 views

User Impersonation

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to User Impersonation via the gateway.trustedProxies process. An attacker can impersonate the client origin by sending spoofed loopback hops in forwarding headers, which may weaken downstrea...

6.5CVSS5.9AI score0.00314EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/26 7:14 p.m.9 views

Out-of-bounds Write

Overview Magick.NET-Q16-HDRI-OpenMP-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

5.9CVSS6.4AI score0.00128EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/26 7:14 p.m.9 views

Out-of-bounds Write

Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...

5.9CVSS6.4AI score0.00128EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/26 6:35 p.m.9 views

Improper Check for Unusual or Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions due to missing timestamp validation in the Zoom webhook handler. An attacker can corrupt meeting state by replaying webhook requests. Remediation Upgrade...

2.2CVSS5.9AI score0.00291EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/26 6:6 p.m.9 views

Missing Authorization

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization in the list.json.php endpoints of the Scheduler plugin, which lack authentication checks. An attacker can access sensitive information such a...

6.9CVSS5.8AI score0.00382EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/25 6:45 p.m.9 views

SQL Injection

Overview opencart/opencart is a shopping cart system Affected versions of this package are vulnerable to SQL Injection via the search parameter. An attacker can manipulate database queries and extract sensitive information by injecting malicious SQL code through crafted GET requests to the produc...

8.8CVSS6AI score0.00338EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/25 3:3 p.m.9 views

Malicious Package

Overview omaronsec is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/03/24 2:33 a.m.9 views

Glob Injection

Overview Affected versions of this package are vulnerable to Glob Injection via the DiskServicedeleteprefixed function. An attacker can delete unintended files from the storage directory by supplying blob keys containing glob metacharacters that are passed unescaped to Dir.glob. Remediation Upgra...

9.1CVSS5.8AI score0.00646EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/24 2:32 a.m.9 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the ggmlnbytes function. An attacker can achieve memory corruption and potentially execute arbitrary code by supplying a specially crafted GGUF file with manipulated tensor dimensions that trigger an intege...

8.5CVSS6.3AI score0.00477EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/23 10:34 p.m.9 views

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management in the IPC API process when spurious data is provided by an unprivileged local user. An attacker can cause the system to freeze or overwrite the stack by sending crafted IPC API calls. Remediation A fix was...

7.8CVSS5.9AI score0.00121EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/23 9:48 p.m.9 views

Open Redirect

Overview h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to Open Redirect via the redirectBack function. An attacker can cause users to be redirected to an external, attacker-controlled domain by crafting a URL with a...

5.4CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/23 6:14 p.m.9 views

NULL Pointer Dereference

Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the ULNASTransport message handler when processing malformed messages that lack a Request Type. An attacker can cause the application to panic and potentially disrupt service by sending specially crafted...

7.5CVSS5.9AI score0.00365EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/23 1:47 p.m.9 views

Malicious Package

Overview pulse-shop-section is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/20 10:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. The publishing pipeline of this package was compromised as the result of Trivy's GitHub Actions compromise and a malicious versions were released on NPM. They contain malicious code, and its content was NOT yet...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/20 8:46 p.m.9 views

Improper Cleanup on Thrown Exception

Overview Affected versions of this package are vulnerable to Improper Cleanup on Thrown Exception when cleaning up tmp files. Temporary storage can be exhausted during the scanning process by an attacker providing large or highly compressed artifacts, leading to the accumulation of temporary file...

6.9CVSS5.8AI score0.00408EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/20 8:45 p.m.9 views

Cross-site Scripting (XSS)

Overview @pdfme/schemas is a TypeScript base PDF generator and React base UI. Open source, developed by the community, and completely free to use under the MIT license! Affected versions of this package are vulnerable to Cross-site Scripting XSS in the multiVariableText property panel when...

5.5CVSS5.7AI score
Exploits0References2
Snyk
Snyk
added 2026/03/20 4:45 a.m.9 views

Malicious Package

Overview kyxhiagent is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/20 4:42 a.m.9 views

Malicious Package

Overview mtpdb is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/20 4:40 a.m.9 views

Malicious Package

Overview nodex-db is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/20 4:35 a.m.9 views

Malicious Package

Overview spstargm is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/20 4:33 a.m.9 views

Malicious Package

Overview llmstash is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/19 11:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. The publishing pipeline of this package was compromised as the result of Trivy's GitHub Actions compromise and a malicious versions were released on NPM. They contain malicious code, and its content was NOT yet...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/19 11:0 p.m.9 views

Embedded Malicious Code

Overview @emilgroup/commission-sdk-node is an A new version of the package Affected versions of this package are vulnerable to Embedded Malicious Code. The publishing pipeline of this package was compromised as the result of Trivy's GitHub Actions compromise and a malicious versions were released...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/19 10:45 p.m.9 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication through the certificate issuance via SCEP UpdateReq MessageType=18. Note: Limited Disclosure — Full Details Pending. Full details of this vulnerability will be published smallstep/certificates security advisory o...

10CVSS5.8AI score0.00296EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/19 3:16 p.m.9 views

Malicious Package

Overview tokenshower is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/03/18 8:49 p.m.9 views

Information Exposure

Overview Glances is an A cross-platform curses-based monitoring tool Affected versions of this package are vulnerable to Information Exposure via the /api/4/serverslist endpoint in Central Browser mode. An attacker can obtain reusable credentials for downstream servers by accessing unauthenticate...

9.3CVSS5.8AI score0.00472EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/18 6:31 p.m.9 views

UNIX Symbolic Link (Symlink) Following

Overview org.jenkins-ci.main:jenkins-core is an open source automation server. Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following during the extraction of .tar and .tar.gz archives when symbolic links are present. An attacker can create or overwrite arbitrary...

8.8CVSS5.9AI score0.01161EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/18 4:41 a.m.9 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass in the proxy module due to blindly trusting ExternalIPs/LoadBalancer IPs. An attacker can redirect cluster-wide network traffic or disrupt DNS services by assigning arbitrary external IPs or loadBalancer IPs withou...

7.1CVSS6AI score0.00297EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/18 12:14 a.m.9 views

Malicious Package

Overview @atticuss-sra/test-pkg-x4 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/03/18 12:14 a.m.9 views

Malicious Package

Overview winderlingz is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

9.8CVSS5.4AI score
Exploits0References2
Snyk
Snyk
added 2026/03/17 5:7 p.m.9 views

Improper Encoding or Escaping of Output

Overview jspdf is a PDF Document creation from JavaScript Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the createAnnotation method, whose color parameter can be injected with script objects. An attacker can inject PDF objects as freetext...

8.1CVSS5.8AI score0.00356EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/17 3:29 p.m.9 views

Missing Origin Validation in WebSockets

Overview next is a react framework. Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets in the internal dev endpoint when the Origin header is set to null. An attacker can interact with internal development websocket traffic by connecting from...

5.4CVSS5.8AI score0.00171EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/17 12:48 p.m.9 views

Incorrect Permission Assignment for Critical Resource

Overview Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource in the /ui/dependencies endpoint, which returns the complete DAG dependency graph without verifying authorized DAG IDs. An attacker can gain unauthorized access to information about...

5.3CVSS5.8AI score0.0044EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/17 12:46 p.m.9 views

Exposure of Resource to Wrong Sphere

Overview apache-airflow-providers-keycloak is a Provider package apache-airflow-providers-keycloak for Apache Airflow Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere due to improper handling of the session token cookie path. An attacker can gain unauthoriz...

9.3CVSS5.8AI score0.00677EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/16 8:27 p.m.9 views

Out-of-bounds Read

Overview github.com/shamaton/msgpack/v3/time is a None Affected versions of this package are vulnerable to Out-of-bounds Read. via the Unmarshal, UnmarshalAsMap, UnmarshalAsArray, and Marshal functions, which invoke Decode. An attacker can cause a panic with truncated fixext data that triggers an...

8.7CVSS6.7AI score0.01036EPSS
Exploits2References3
Snyk
Snyk
added 2026/03/16 6:13 p.m.9 views

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code 'Unsafe Reflection' via the ElementIndexesController and FieldsController components. An attacker can execute arbitrary code by...

8.6CVSS6.2AI score0.00515EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/13 8:39 p.m.9 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow when parsing Huffman tables in JPEG files. An attacker can execute arbitrary code by supplying a specially crafted JPEG file. Remediation Upgrade gstreamer to version 1.28.1 or higher. References - GitLab Comm...

8.4CVSS7.5AI score0.00787EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/13 8:3 p.m.9 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchKey function. An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled destinations by crafting a JWT with malicious claim values that are interpolated into th...

9.3CVSS5.9AI score0.00258EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/13 6:56 p.m.9 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the chunked upload completion. An attacker can exhaust server storage and circumvent administrative resource policies by uploading files exceeding the configured per-request size...

5.3CVSS5.8AI score0.00253EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/13 6:55 p.m.9 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal through a discrepancy in path normalization between protocol handlers and internal routing. An attacker can bypass folder-level permissions or escape the boundaries of a configured virtual folder by crafting specific...

8.1CVSS6.3AI score0.00521EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/12 10:39 p.m.9 views

Stack-based Buffer Overflow

Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

6.7CVSS5.8AI score0.00096EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/12 8:17 p.m.9 views

CRLF Injection

Overview org.webjars.npm:undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to CRLF Injection via the upgrade option of the client.request function. An attacker can inject malicious data into HTTP headers or prematurely terminate HTT...

6.5CVSS5.8AI score0.00256EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/12 4:23 p.m.9 views

Malicious Package

Overview jam3 is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior The package uses...

9.8CVSS5.9AI score
Exploits0References3
Total number of security vulnerabilities5000