Lucene search
K

35575 matches found

Snyk
Snyk
added 6 days ago6 views

Malicious Package

Overview nodemon-node is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago6 views

Malicious Package

Overview ts-await is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

9.8CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 6 days ago5 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the TTGetVarDesign process. An attacker can cause the application to access memory outside the intended buffer by providing crafted input to the affected process. Remediation A fix was pushed into the master branch...

8.8CVSS6.2AI score0.00278EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago4 views

Stack-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Stack-based Buffer Overflow in the opensslverifycallback process during a DTLS handshake. An attacker can cause a process crash and disrupt service availability by sending a certificate with an oversized Subject Distinguished Name that...

8.7CVSS6.2AI score0.0031EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago3 views

Out-of-bounds Write

Overview Affected versions of this package are vulnerable to Out-of-bounds Write in the rfbsrc process when connecting to a malicious RFB/VNC server that advertises a 16bpp framebuffer and sends Hextile-encoded updates. An attacker can cause a process crash or potentially corrupt memory by...

7.1CVSS6.2AI score0.00247EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago3 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the gorch service when unproxied orchestrator and detector metrics ports are exposed on the cluster network. An attacker can gain unauthorized access to sensitive metrics by directly...

7CVSS6.1AI score0.00184EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago3 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via exposed HTTP endpoints in the cluster network. An attacker can gain unauthorized access to sensitive data and potentially manipulate AI models by sending requests from any co-located pod without authentication...

7CVSS6.1AI score0.0017EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago3 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the gorch service when unproxied orchestrator and detector metrics ports are exposed on the cluster network. An attacker can gain unauthorized access to sensitive metrics by directly...

7CVSS6.1AI score0.00184EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago3 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via exposed HTTP endpoints in the cluster network. An attacker can gain unauthorized access to sensitive data and potentially manipulate AI models by sending requests from any co-located pod without authentication...

7CVSS6.1AI score0.0017EPSS
Exploits0References2
Snyk
Snyk
added last week5 views

Server-side Request Forgery (SSRF)

Overview weblate is an A web-based continuous localization system with tight version control integration Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the URL validation. An attacker can access internal network resources by submitting specially crafted UR...

8.2CVSS6.1AI score0.00291EPSS
Exploits0References2
Snyk
Snyk
added last week3 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through loadFromGitRevision. An attacker can force the loader to fetch an internal URL or read a local file by supplying a rev:path OpenAPI source whose schema contains an external $ref, even when the...

6CVSS6.1AI score
Exploits0References4
Snyk
Snyk
added last week5 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the escapePostgreConnectionParameter function. An attacker can inject arbitrary PostgreSQL connection parameters by supplying specially crafted values containing non-space whitespace or backslash characters, which are...

6.9CVSS6.2AI score
Exploits0References3
Snyk
Snyk
added last week4 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the escapePostgreConnectionParameter function. An attacker can inject arbitrary PostgreSQL connection parameters by supplying specially crafted values containing non-space whitespace or backslash characters, which are...

6.9CVSS6.2AI score
Exploits0References3
Snyk
Snyk
added last week4 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the webauthnverifyresponse process. An attacker can gain unauthorized access to sensitive operations by submitting a valid WebAuthn assertion for their own credential within a victim's authenticated session,...

5.4CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added last week3 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal in the fileDiff process. An attacker can access sensitive files on both the local host and all managed remote servers by supplying crafted directory traversal sequences in the filePath parameter. This is only...

7.7CVSS6.5AI score
Exploits0References2
Snyk
Snyk
added last week4 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal in the fileDiff process. An attacker can access sensitive files on both the local host and all managed remote servers by supplying crafted directory traversal sequences in the filePath parameter. This is only...

7.7CVSS6.5AI score
Exploits0References2
Snyk
Snyk
added last week4 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal in the fileDiff process. An attacker can access sensitive files on both the local host and all managed remote servers by supplying crafted directory traversal sequences in the filePath parameter. This is only...

7.7CVSS6.5AI score
Exploits0References2
Snyk
Snyk
added last week3 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal in the fileDiff process. An attacker can access sensitive files on both the local host and all managed remote servers by supplying crafted directory traversal sequences in the filePath parameter. This is only...

7.7CVSS6.5AI score
Exploits0References2
Snyk
Snyk
added last week4 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization through improper authorization checks in the AddFile, EditFile, RemoveFile, and Edit handlers. An attacker can gain unauthorized access to read, modify, or delete files and project metadata across different...

9.6CVSS6.5AI score
Exploits0References3
Snyk
Snyk
added last week6 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization through improper authorization checks in the AddFile, EditFile, RemoveFile, and Edit handlers. An attacker can gain unauthorized access to read, modify, or delete files and project metadata across different...

9.6CVSS6.5AI score
Exploits0References3
Snyk
Snyk
added last week6 views

Cross-site Request Forgery (CSRF)

Overview ha-mcp is a Home Assistant MCP Server - Complete control of Home Assistant through MCP Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the exposed api/settings routes when accessed at the bare root path without authentication. An attacker can modify...

6.9CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added last week3 views

CRLF Injection

Overview aiosmtplib is an aiosmtplib is an asynchronous SMTP client for use with asyncio. Affected versions of this package are vulnerable to CRLF Injection via the SMTPProtocol.executecommand path in src/aiosmtplib/protocol.py. An attacker can inject extra SMTP verbs by supplying a sender or...

7.5CVSS6.2AI score
Exploits0References3
Snyk
Snyk
added last week3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the GetOverview handler in pkg/system/handler.go. An attacker can retrieve aggregate inventory and capacity data for a cluster they are not allowed to access by sending GET /api/v1/overview with x-cluster-name...

5.3CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added last week3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the GetOverview handler in pkg/system/handler.go. An attacker can retrieve aggregate inventory and capacity data for a cluster they are not allowed to access by sending GET /api/v1/overview with x-cluster-name...

5.3CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added last week3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the GetOverview handler in pkg/system/handler.go. An attacker can retrieve aggregate inventory and capacity data for a cluster they are not allowed to access by sending GET /api/v1/overview with x-cluster-name...

5.3CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added last week3 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the SimpleFakeCredentialGenerator constructor in src/webauthn/src/SimpleFakeCredentialGenerator.php. An attacker can defeat username-enumeration protection by supplying a username and comparing the server’s deco...

6.3CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added last week6 views

Missing Authorization

Overview @actual-app/sync-server is an actual syncing server Affected versions of this package are vulnerable to Missing Authorization via the requireFileAccess check in the sync-server handlers for /delete-user-file, /reset-user-file, and /user-create-key. An attacker can delete, reset, or rekey...

8.1CVSS6.2AI score0.00246EPSS
Exploits0References2
Snyk
Snyk
added last week6 views

Missing Authorization

Overview cognee is a Cognee - is a library for enriching LLM context with a semantic layer for better understanding and reasoning. Affected versions of this package are vulnerable to Missing Authorization via the settings endpoint. An attacker can modify the global LLM provider configuration by...

9.3CVSS6.1AI score0.00372EPSS
Exploits0References2
Snyk
Snyk
added last week2 views

Cleartext Transmission of Sensitive Information

Overview std/crypto/tls is a Go standard library package std/crypto/tls Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information. Go Vulnerability Report:Handshakes which used Encrypted Client Hello could be de-anonymized by a passive network observer du...

6.9CVSS6.1AI score0.00419EPSS
Exploits0References3
Snyk
Snyk
added last week4 views

Symlink Attack

Overview std/os is a Go standard library package std/os Affected versions of this package are vulnerable to Symlink Attack. Go Vulnerability Report:On Unix systems, opening a file in an os.Root improperly follows symlinks to locations outside of the Root when the final path component of the a pat...

8.5CVSS6.1AI score0.00181EPSS
Exploits0References3
Snyk
Snyk
added last week6 views

Missing Authorization

Overview @better-auth/scim is a SCIM plugin for Better Auth Affected versions of this package are vulnerable to Missing Authorization in the management of non-organization SCIM providers when owner binding is not enforced. An attacker can gain unauthorized access to another user's provider,...

7.7CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added last week6 views

Operation on a Resource after Expiration or Release

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release in the deleteUser method when secondaryStorage is configured and session.storeSessionInDatabase is unset ...

5.9CVSS6.2AI score
Exploits0References4
Snyk
Snyk
added last week6 views

Operation on a Resource after Expiration or Release

Overview @better-auth/scim is a SCIM plugin for Better Auth Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release in the deleteUser method when secondaryStorage is configured and session.storeSessionInDatabase is unset or set to false. An attacker...

5.9CVSS6.2AI score
Exploits0References4
Snyk
Snyk
added last week4 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview @better-auth/oauth-provider is an An oauth provider plugin for Better Auth Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition through a race condition in the authorizationcode grant handler. An attacker can obtain multiple valid access,...

7.6CVSS6.2AI score0.00029EPSS
Exploits0References4
Snyk
Snyk
added last week5 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition through a race condition in the authorizationcode grant handler. An attacker can obtain multiple valid access...

7.6CVSS6.2AI score0.00029EPSS
Exploits0References4
Snyk
Snyk
added last week4 views

Server-side Request Forgery (SSRF)

Overview @better-auth/sso is a SSO plugin for Better Auth Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the POST /sso/register and POST /sso/update-provider endpoints when attacker-controlled OIDC endpoint URLs are accepted without proper validation if...

8.4CVSS6.2AI score0.00025EPSS
Exploits0References3
Snyk
Snyk
added last week3 views

Insufficient Session Expiration

Overview @better-auth/oauth-provider is an An oauth provider plugin for Better Auth Affected versions of this package are vulnerable to Insufficient Session Expiration through the POST /oauth2/token endpoint during the refresh token granting. An attacker can gain unauthorized access by exploiting...

7.6CVSS6.1AI score0.00029EPSS
Exploits0References5
Snyk
Snyk
added last week5 views

Insufficient Session Expiration

Overview @better-auth/memory-adapter is a Memory adapter for Better Auth Affected versions of this package are vulnerable to Insufficient Session Expiration through the POST /oauth2/token endpoint during the refresh token granting. An attacker can gain unauthorized access by exploiting a race...

7.6CVSS6.1AI score0.00029EPSS
Exploits0References5
Snyk
Snyk
added last week6 views

Insecure Default Initialization of Resource

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Insecure Default Initialization of Resource in the oidcProvider. An attacker can gain unauthorized access or impersonate users by exploiting insecure...

8.9CVSS6.1AI score
Exploits0References4
Snyk
Snyk
added last week3 views

Open Redirect

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Open Redirect via the redirectURI value returned from the consent response in the authorization flow. An attacker can execute arbitrary JavaScript in the...

8.5CVSS6.3AI score
Exploits0References3
Snyk
Snyk
added last week3 views

Authentication Bypass Using an Alternate Path or Channel

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the handleOAuthUserInfo. An attacker can gain unauthorized access to user accounts by...

8CVSS6.1AI score0.00019EPSS
Exploits0References2
Snyk
Snyk
added last week5 views

Authentication Bypass Using an Alternate Path or Channel

Overview @better-auth/core is a The most comprehensive authentication framework for TypeScript. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the handleOAuthUserInfo. An attacker can gain unauthorized access to user accounts by...

8CVSS6.1AI score0.00019EPSS
Exploits0References2
Snyk
Snyk
added last week5 views

Missing Authorization

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Missing Authorization in the acceptInvitation function of the organization plugin when the system relies solely on an unverified email-string equality check ...

7.6CVSS6.1AI score0.00016EPSS
Exploits0References3
Snyk
Snyk
added last week5 views

Incorrect Authorization

Overview @better-auth/oauth-provider is an An oauth provider plugin for Better Auth Affected versions of this package are vulnerable to Incorrect Authorization due to the OAuth token and refresh flows in packages/oauth-provider/src/token.ts, packages/oauth-provider/src/authorize.ts, and...

6.4CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added last week3 views

Malicious Package

Overview tailwind-animator-scroll is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added last week5 views

Malicious Package

Overview tailwindcss-effector is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added last week4 views

Incorrect Authorization

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Incorrect Authorization in the refreshtoken grant process of the legacy oidcProvider and mcp plugins, where confidential clients are not required to...

8.2CVSS6.1AI score0.00013EPSS
Exploits0References3
Snyk
Snyk
added last week4 views

Improper Output Neutralization for Logs

Overview Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via the readDomain parser in dns/dns.go. An attacker can write attacker-controlled domain labels into logs by supplying a DNS name containing disallowed characters, because the parser accepted eac...

3.1CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added last week5 views

Missing Release of Memory after Effective Lifetime

Overview Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime due to improper cleanup of pointers when entries are removed from the LRU cache. An attacker can cause increased memory usage by repeatedly triggering cache evictions. Remediation Upgra...

5.1CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added last week4 views

Protection Mechanism Failure

Overview Affected versions of this package are vulnerable to Protection Mechanism Failure in the DNS request handling process. An attacker can bypass domain name filtering by crafting a DNS request containing multiple questions, where the first question appears legitimate but subsequent questions...

5.9CVSS6.1AI score
Exploits0References3
Total number of security vulnerabilities35575