31960 matches found
Improper Encoding or Escaping of Output
Overview std/html/template is a Go standard library package std/html/template Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output. Go Vulnerability Report: If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type'...
Cross-site Scripting (XSS)
Overview std/html/template is a Go standard library package std/html/template Affected versions of this package are vulnerable to Cross-site Scripting XSS. Go Vulnerability Report: CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the UR...
Information Exposure
Overview std/net/http/httputil is a Go standard library package std/net/http/httputil Affected versions of this package are vulnerable to Information Exposure. Go Vulnerability Report: ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrit...
Resources Downloaded over Insecure Protocol
Overview Affected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol. Go Vulnerability Report: A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal. Go Vulnerability Report: The "go tool pack" subcommand usually used only by the compiler as an internal tool with known-good inputs does not sanitize output filenames. Extracting a malicious archive file with the...
Allocation of Resources Without Limits or Throttling
Overview std/net/mail is a Go standard library package std/net/mail Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: Pathological inputs could cause DoS through consumePhrase when parsing an email address according ...
Infinite loop
Overview golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go. Affected versions of this package are vulnerable to Infinite loop. Go Vulnerability Report: When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receiv...
Double Free
Overview std/net is a Go standard library package std/net Affected versions of this package are vulnerable to Double Free. Go Vulnerability Report: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. Remediation Upgrade...
Infinite loop
Overview std/net/http is a Go standard library package std/net/http Affected versions of this package are vulnerable to Infinite loop. Go Vulnerability Report: When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a...
Allocation of Resources Without Limits or Throttling
Overview std/net/mail is a Go standard library package std/net/mail Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. Go Vulnerability Report: Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger...
Uncaught Exception
Overview std/net is a Go standard library package std/net Affected versions of this package are vulnerable to Uncaught Exception. Go Vulnerability Report: The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL 0. Remediation Upgrade std/net to version...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack. Go Vulnerability Report: The "go bug" command writes to two files with predictable names in the system temporary directory for example, "/tmp". An attacker with access to the temporary directory can create a symlink in o...
Allocation of Resources Without Limits or Throttling
Overview youtube-regex is a The correct Youtube video id regex! Regex done right! Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the regex param. An attacker can cause excessive resource consumption by supplying crafted input that...
Prototype Pollution
Overview parse-ini is a Parse ini file to get the content and variables of the ini file as node object. Affected versions of this package are vulnerable to Prototype Pollution via the index.js file. An attacker can manipulate object properties and potentially execute arbitrary code or alter...
Prototype Pollution
Overview query-string-parser is a Rack style query string parser for Node.js. Affected versions of this package are vulnerable to Prototype Pollution via the fillValue function. An attacker can modify the prototype of built-in objects by supplying crafted query parameters. Details Prototype...
Cross-site Scripting (XSS)
Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized input in th...
Origin Validation Error
Overview cinny is a Yet another matrix client Affected versions of this package are vulnerable to Origin Validation Error in the process that handles emoji pack avatar URLs in the service worker. An attacker can obtain a victim's access token by crafting a malicious emote pack with an...
Symlink Attack
Overview bentoml is a BentoML: Build Production-Grade AI Applications Affected versions of this package are vulnerable to Symlink Attack via the build packaging workflow. An attacker can access sensitive files from the build host by introducing crafted symlinks in the build context, which are...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering process in cron.erb. An attacker can execute arbitrary JavaScript in the context of the user's browser by supplying a crafted URL. Details Cross-site scripting or XSS is a code vulnerability th...
Command Injection
Overview node-ts-ocr is an A simple wrapper around command-line utils to assist in PDF / Image OCR Optical Character Recognition processing using Tesseract. Affected versions of this package are vulnerable to Command Injection via the invokeImageOcr function. An attacker can execute arbitrary...
Improper Certificate Validation
Overview Affected versions of this package are vulnerable to Improper Certificate Validation via incorrect handling of name constraints during certificate validation. An attacker can bypass critical certificate validation checks by presenting a certificate chain where permitted name constraints a...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication due to the improper handling of usernames containing a NUL character when server is configured with RSA-PSK. An attacker can gain unauthorized access by sending a specially crafted username that causes the server...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the process handling incoming requests. An attacker can perform unauthorized actions on behalf of an authenticated user by tricking them into submitting a crafted request. Remediation Upgrade...
Deserialization of Untrusted Data
Overview org.hyperledger.fabric-sdk-java:fabric-sdk-java is a Java SDK for Hyperledger Fabric. Deprecated as of Fabric v2.5, replaced by org.hyperledger.fabric:fabric-gateway. Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the deSerializeChannel...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview mathjs is a math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with diff. Affected versions of this package are...
Integer Overflow or Wraparound
Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the readVariableLengthInteger function. An attacker can trigger undefined behavior and potentially execute arbitrary code by providing specially crafted EXR input that causes excessive left shifts...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the IDManifest::init process during prefix expansion. An attacker can trigger an out-of-bounds read by providing a crafted prefix-compressed string where the code attempts to access bytes that do not exist in the...
Integer Overflow or Wraparound
Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the resize function in ImageChannel through the OpenEXRUtil public API. An attacker can cause a heap out-of-bounds write by supplying crafted input that triggers an integer overflow. Remediation Upgrad...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of size limits applied to the Properties section during the decoding process. An attacker can cause excessive CPU and memory consumption by sending MQTT messages with...
Improper Isolation or Compartmentalization
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the NodeVM constructor in lib/nodevm.js. An attacker can run host commands when the VM is set up...
Improper Isolation or Compartmentalization
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the NodeVM constructor in lib/nodevm.js. An attacker can run host commands when th...
Symlink Attack
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Symlink Attack via the isPathAllowed path check in lib/resolver-compat.js. An attacker can execute code outside the configured require.root by placin...
Symlink Attack
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Symlink Attack via the isPathAllowed path check in lib/resolver-compat.js. An attacker can execute code outside the configured...
Improper Isolation or Compartmentalization
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the transformer fast-path in the source instrumentation logic. An attacker can expose the internal...
Improper Isolation or Compartmentalization
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the transformer fast-path in the source instrumentation logic. An attacker can...
Information Exposure
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Information Exposure via the sandbox CallSite handling. An attacker can leak absolute host filesystem paths by causing error.stack or getEvalOrigin t...
Information Exposure
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Information Exposure via the sandbox CallSite handling. An attacker can leak absolute host filesystem paths by causing error.stack or...
Improper Isolation or Compartmentalization
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the globalPromise.prototype.then onFulfilled wrapper in the Promise bridge. An attacker can supply...
Improper Isolation or Compartmentalization
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the globalPromise.prototype.then onFulfilled wrapper in the Promise bridge. An...
Allocation of Resources Without Limits or Throttling
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the Buffer.alloc family in lib/setup-sandbox.js. An attacker can crash the host process ...
Allocation of Resources Without Limits or Throttling
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the Buffer.alloc family in lib/setup-sandbox.js. An attacker can crash t...
Uncaught Exception
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Uncaught Exception through the Promise constructor when an unhandled rejection propagates from the sandboxed environment to the host process. An...
Uncaught Exception
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Uncaught Exception through the Promise constructor when an unhandled rejection propagates from the sandboxed environment to the host...
Arbitrary Code Injection
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through lib/builtin.js. An attacker can execute host code when the allowlist includes -X or uses and then calls...
Arbitrary Code Injection
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through lib/builtin.js. An attacker can execute host code when the allowlist includes -X or uses and then...
Arbitrary Code Injection
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the BaseHandler write traps in lib/bridge.js. An attacker can mutate host Object.prototype, Array.prototype,...
Arbitrary Code Injection
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the BaseHandler write traps in lib/bridge.js. An attacker can mutate host Object.prototype,...
Arbitrary Code Injection
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the lib/bridge.js value-conversion paths. An attacker can extract the host Symbol.for'nodejs.util.inspect.custom' or...
Arbitrary Code Injection
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the lib/bridge.js value-conversion paths. An attacker can extract the host...
Arbitrary Code Injection
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the proxy trap methods in createBridge in the bridge handler code. An attacker can leak a handler using...