Lucene search
K

35669 matches found

Snyk
Snyk
added 6 days ago4 views

Allocation of Resources Without Limits or Throttling

Overview @libp2p/gossipsub is an A typescript implementation of gossipsub Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the defaultDecodeRpcLimits in which maxIhaveMessageIDs and maxIwantMessageIDs are set to Infinity, allowing...

8.7CVSS6.1AI score0.00446EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago5 views

Directory Traversal

Overview @appium/storage-plugin is a Server-side storage plugin for Appium Affected versions of this package are vulnerable to Directory Traversal via the POST /storage/delete handler, which passes user-supplied input directly into path.join and fs.rimraf without proper path sanitization. An...

9.1CVSS6.5AI score0.00345EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago7 views

Cross-site Scripting (XSS)

Overview @appium/base-driver is a Base driver class for Appium drivers Affected versions of this package are vulnerable to Cross-site Scripting XSS via compileLodashTemplate. An attacker can execute arbitrary JavaScript in the context of the server origin by injecting malicious input into the...

9.6CVSS6.2AI score0.00285EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago5 views

Incomplete List of Disallowed Inputs

Overview RestrictedPython is a RestrictedPython is a defined subset of the Python language which allows to provide a program input into a trusted environment. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the checkfunctionargumentnames process. An...

8.4CVSS6.1AI score0.00226EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago4 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the aroundrender. An attacker can execute arbitrary scripts in the context of the application by injecting malicious input that is not properly escaped. This can occur when user-controlled data is included i...

9.3CVSS6.2AI score
Exploits0References2
Snyk
Snyk
added 6 days ago5 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass in the renderin. An attacker can access sensitive information or perform unauthorized actions by exploiting stale render context, which may include helpers, controller, request, viewflow, format/variant details, an...

8.6CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago5 views

Cross-site Request Forgery (CSRF)

Overview serena-agent is an A powerful MCP toolkit for coding, providing semantic retrieval and editing capabilities - the IDE for your agent Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the unauthenticated Flask dashboard API, which is exposed on a fixed...

8.3CVSS6.3AI score0.00237EPSS
Exploits0References3
Snyk
Snyk
added 6 days ago4 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the submitTaakV2 process. An attacker can access and modify another user's task data, including marking tasks as completed and overwriting submitted information, by submitting request...

8.6CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago5 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization in the GraphQL API's getDocumentContent and besluiten operations. An attacker can access sensitive personal data belonging to other users by querying these endpoints without proper authorization checks. This is...

7.1CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago5 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization in the GraphQL API's getDocumentContent and besluiten operations. An attacker can access sensitive personal data belonging to other users by querying these endpoints without proper authorization checks. This is...

7.1CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago4 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to improper enforcement of the Certificate Revocation List on the gRPC listener when separate listeners are configured for HTTP and gRPC client endpoints. An attacker can gain unauthorized access and...

8.5CVSS6.1AI score0.00364EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago5 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to improper enforcement of the Certificate Revocation List on the gRPC listener when separate listeners are configured for HTTP and gRPC client endpoints. An attacker can gain unauthorized access and...

8.5CVSS6.1AI score0.00364EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago4 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to improper enforcement of the Certificate Revocation List on the gRPC listener when separate listeners are configured for HTTP and gRPC client endpoints. An attacker can gain unauthorized access and...

8.5CVSS6.1AI score0.00364EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago10 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to improper enforcement of the Certificate Revocation List on the gRPC listener when separate listeners are configured for HTTP and gRPC client endpoints. An attacker can gain unauthorized access and...

8.5CVSS6.1AI score0.00364EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago4 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to improper enforcement of the Certificate Revocation List on the gRPC listener when separate listeners are configured for HTTP and gRPC client endpoints. An attacker can gain unauthorized access and...

8.5CVSS6.1AI score0.00364EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago4 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to improper enforcement of the Certificate Revocation List on the gRPC listener when separate listeners are configured for HTTP and gRPC client endpoints. An attacker can gain unauthorized access and...

8.5CVSS6.1AI score0.00364EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago5 views

Embedded Malicious Code

Overview @injectivelabs/sdk-ts is a SDK in TypeScript for building Injective applications in a browser, node, and react native environment. Affected versions of this package are vulnerable to Embedded Malicious Code. The compromised version of this package contains a malicious trackKeyDerivation...

9.8CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago6 views

Open Redirect

Overview waku is a ⛩️ The minimal React framework Affected versions of this package are vulnerable to Open Redirect via the unstableredirect function. An attacker can cause a user to be redirected to an arbitrary external domain by supplying crafted input that is reflected into the HTTP Location...

3.1CVSS6.2AI score
Exploits0References2
Snyk
Snyk
added 6 days ago6 views

Cross-site Request Forgery (CSRF)

Overview waku is a ⛩️ The minimal React framework Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the request process. An attacker can execute unauthorized server actions by sending cross-origin POST requests with CORS-safelisted content types, causing...

7.1CVSS6.2AI score
Exploits0References2
Snyk
Snyk
added 6 days ago4 views

Permissive Cross-domain Policy with Untrusted Domains

Overview Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains through the unauthenticated local API exposed in proxy mode, which accepts cross-origin requests due to a permissive CORS policy and lack of authentication. An attacker can achieve...

9.6CVSS6.3AI score
Exploits0References5
Snyk
Snyk
added 6 days ago4 views

Permissive Cross-domain Policy with Untrusted Domains

Overview Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains through the unauthenticated local API exposed in proxy mode, which accepts cross-origin requests due to a permissive CORS policy and lack of authentication. An attacker can achieve...

9.6CVSS6.3AI score
Exploits0References5
Snyk
Snyk
added 6 days ago5 views

Directory Traversal

Overview org.dspace:dspace-api is a DSpace core data model and service APIs. Affected versions of this package are vulnerable to Directory Traversal through the handleCurationTask process in dspace-api/src/main/java/org/dspace/core/LDN.java. An attacker with DSpace administrator credentials can...

5.9CVSS6.5AI score
Exploits0References2
Snyk
Snyk
added 6 days ago4 views

Improper Restriction of Names for Files and Other Resources

Overview org.dspace:dspace-api is a DSpace core data model and service APIs. Affected versions of this package are vulnerable to Improper Restriction of Names for Files and Other Resources via the OREIngestionCrosswalk.ingest process in...

5.9CVSS6.2AI score
Exploits0References2
Snyk
Snyk
added 6 days ago5 views

Directory Traversal

Overview org.dspace:dspace-api is a DSpace core data model and service APIs. Affected versions of this package are vulnerable to Directory Traversal through the initCurator reporter output handling in dspace-api/src/main/java/org/dspace/curate/Curation.java. An attacker can overwrite or create...

7CVSS6.5AI score
Exploits0References2
Snyk
Snyk
added 6 days ago4 views

Arbitrary Code Injection

Overview org.dspace:dspace-api is a DSpace core data model and service APIs. Affected versions of this package are vulnerable to Arbitrary Code Injection through the Velocity template processing in org.dspace.core.LDN and org.dspace.core.Email. An attacker with DSpace administrator credentials ca...

8CVSS6.3AI score
Exploits0References2
Snyk
Snyk
added 6 days ago4 views

Uncontrolled Recursion

Overview trapster is a Trapster Daemon Affected versions of this package are vulnerable to Uncontrolled Recursion through the decodelabels function. An attacker can cause the application to crash and disrupt service by sending specially crafted UDP packets containing malformed DNS compression...

6.9CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago3 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via improper handling of user-supplied input in the generateCronTriggerCronJobSpec process. An attacker can execute arbitrary shell commands with root privileges in the CronJob pod by injecting malicious content into...

9.8CVSS6.3AI score
Exploits0References2
Snyk
Snyk
added 6 days ago4 views

HTTP Request Smuggling

Overview Affected versions of this package are vulnerable to HTTP Request Smuggling via the ExtractHttpBodyOptionally helper in filters/openpolicyagent/openpolicyagent.go. An attacker can bypass opaAuthorizeRequestWithBody policy checks by sending a chunked HTTP/1.1 request or an HTTP/2 request...

10CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago5 views

Incomplete List of Disallowed Inputs

Overview lxml-html-clean is a HTML cleaner from lxml project Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the Cleaner process when handling namespaced URL attributes such as xlink:href with the safeattrsonly=False configuration. An attacker can execu...

8.2CVSS6.3AI score
Exploits0References3
Snyk
Snyk
added 6 days ago8 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the handling of protocol length headers in draft versions of the WebSocket protocol. An attacker can cause excessive memory consumption by sending a continuous sequence of byt...

6.9CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago7 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the permessage-deflate extension. An attacker can cause the application to process messages that exceed the intended resource limits by sending compressed messages that, when...

6.3CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago6 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the HTTP header parser process. An attacker can cause excessive memory consumption by sending an HTTP request or response with an unbounded number of headers, leading to memory...

6.3CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago3 views

Uncaught Exception

Overview Affected versions of this package are vulnerable to Uncaught Exception in the server process when handling a malformed Host header. An attacker can cause the server to crash by sending a specially crafted Host header that is not a valid host:port string, resulting in an uncaught exceptio...

8.9CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago6 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free via the aggregate function callbacks in Databasecreateaggregate, createaggregatehandler, and Databasedefineaggregator. An attacker can trigger an invalid memory read and segmentation fault by keeping a prepared statement...

4.4CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago5 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in Databasedefinefunction and Databasecreatefunction through the custom function registry in lib/sqlite3/database.rb. An attacker can trigger a segmentation fault by redefining the same SQLite function name with a differe...

4.4CVSS6.2AI score
Exploits0References2
Snyk
Snyk
added 6 days ago7 views

Directory Traversal

Overview copier is an A library for rendering project templates. Affected versions of this package are vulnerable to Directory Traversal via the trust process. An attacker can execute arbitrary commands by supplying a template reference that textually matches a trusted prefix but includes .. path...

8.8CVSS6.6AI score0.00189EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago4 views

Prototype Pollution

Overview engine.io is a realtime engine behind Socket.IO. It provides the foundation of a bidirectional connection between client and server Affected versions of this package are vulnerable to Prototype Pollution through the WebTransport upgrade handling in packages/engine.io/lib/server.ts. An...

8.7CVSS6.5AI score0.00339EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago7 views

Inefficient Algorithmic Complexity

Overview js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the merge key handling during YAML parsing, where each mapping in a chain re-enumerates the keys inherited from the previous mapping. An...

8.2CVSS6.5AI score0.0035EPSS
Exploits2References2
Snyk
Snyk
added 6 days ago4 views

Inefficient Algorithmic Complexity

Overview org.webjars.npm:js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in merge key handling during YAML parsing, where each mapping in a chain re-enumerates the keys inherited from the previous...

8.7CVSS6.1AI score0.0035EPSS
Exploits1References2
Snyk
Snyk
added 6 days ago4 views

Inefficient Algorithmic Complexity

Overview js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in merge key handling during YAML parsing, where each mapping in a chain re-enumerates the keys inherited from the previous mapping. An attacker...

8.7CVSS6.1AI score0.0035EPSS
Exploits1References2
Snyk
Snyk
added 6 days ago16 views

Prototype Pollution

Overview protobufjs is a protocol buffer for JavaScript & TypeScript. Affected versions of this package are vulnerable to Prototype Pollution through the textformat file. An attacker can modify the prototype of the returned map object by supplying a specially crafted map entry with the key proto...

8.3CVSS6.5AI score0.00221EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago2 views

Uncaught Exception

Overview tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Uncaught Exception through improper handling of NUL bytes in the src/pax.ts file. An attacker can cause the application to terminate unexpectedly by providing a crafted archive containing NUL byte...

6.9CVSS6.1AI score0.00291EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago6 views

Prototype Pollution

Overview protobufjs-cli is a Translates between file formats and generates static code as well as TypeScript definitions. Affected versions of this package are vulnerable to Prototype Pollution through the textformat file. An attacker can modify the prototype of the returned map object by supplyi...

8.3CVSS6.4AI score0.00221EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago3 views

Uncaught Exception

Overview org.webjars.npm:tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Uncaught Exception through improper handling of NUL bytes in the src/pax.ts file. An attacker can cause the application to terminate unexpectedly by providing a crafted archive...

6.9CVSS6.1AI score0.00291EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago5 views

Allocation of Resources Without Limits or Throttling

Overview tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforced upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such ...

9.2CVSS6.1AI score0.00358EPSS
Exploits1References2
Snyk
Snyk
added 6 days ago5 views

Directory Traversal

Overview bbot is an OSINT automation for hackers. Affected versions of this package are vulnerable to Directory Traversal via the githubworkflows process. An attacker can write files outside the intended output directory by supplying a crafted CODEREPOSITORY URL containing directory traversal...

3.1CVSS6.5AI score0.00198EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago6 views

Symlink Attack

Overview bbot is an OSINT automation for hackers. Affected versions of this package are vulnerable to Symlink Attack in the unarchive process when extracting zip or 7z archives containing symlink entries with a DOS-attribute prefix before the unix mode, as produced by legacy versions of p7zip. An...

3.1CVSS6.2AI score0.00291EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago5 views

Inefficient Algorithmic Complexity

Overview js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the omapTag.addItem function of src/tag/sequence/omap.ts, which performs a linear scan for duplicate keys on every insertion into an ordered...

7.5CVSS6.5AI score0.00358EPSS
Exploits1References2
Snyk
Snyk
added 6 days ago1 views

Prototype Pollution

Overview cyberchef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. Affected versions of this package are vulnerable to Prototype Pollution leading to cross-site scripting in the Series Chart operation and the objToTable function in...

5CVSS6.5AI score0.00094EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago7 views

Server-side Request Forgery (SSRF)

Overview repomix is an A tool to pack repository contents to single file for AI consumption Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the processRemoteRepo path in POST /api/pack and its repository URL handling before git clone. An attacker can...

9.3CVSS6.2AI score0.00324EPSS
Exploits0References2
Total number of security vulnerabilities35669