Malicious Package

Overview muenxo is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

Malicious Package

Overview honcho-theme is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview pi-exa-mcp is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

Malicious Package

Overview temhe-dev is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

Malicious Package

Overview shopify-draggable is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview pos-next-react-native is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview @killssh/bootstrap is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Deserialization of Untrusted Data

Overview MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the pickle.loads function in the Pickle Handler component. An attacker can execute arbitrary code by...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the VQLResponse result-set writer. An attacker can cause the server to exhaust available memory and crash by sending specially crafted messages through the standard client...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the VQLResponse result-set writer. An attacker can cause the server to exhaust available memory and crash by sending specially crafted messages through the standard client...

Malicious Package

Overview forge-jsx is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

Access Control Bypass

Overview MindsDB is a MindsDB server, provides server capabilities to mindsdb native python library Affected versions of this package are vulnerable to Access Control Bypass via the exec function in the mindsdb/integrations/handlers/byomhandler/procwrapper.py component. An attacker can gain...

Malicious Package

Overview @w3m-app/switchnetwork is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...

Malicious Package

Overview @w3m-app/isconnected is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview @w3m-frame/sessionupdate is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

Malicious Package

Overview @w3m-app/getchainid is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview @taxmoninor/taxmon is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview @pyme-web/ui-base is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview @pyme-web/ui-widget is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview @bcs-react-ui/select is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview @bcs-ui/theme is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview @pyme-web/web-api is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview @bcs-mi/store is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview @bcs-bank-react-ui/swiper-slider is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

Malicious Package

Overview @bcs-bank/init is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview @bcs-bank/common-constants is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

Malicious Package

Overview @bcs-react-ui/context-menu is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

Malicious Package

Overview @bcs-adapters/keycloak-api-adapter is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

Malicious Package

Overview @bcs-adapters/core-adapter is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

Arbitrary Code Injection

Overview lfx is a lfx is a command-line tool for running Langflow workflows. It provides two main commands: serve and run. Affected versions of this package are vulnerable to Arbitrary Code Injection via the eval function in the LambdaFilterComponent component. An attacker can execute arbitrary...

Insufficient Verification of Data Authenticity

Overview dolibarr/dolibarr is a modern and easy to use web software to manage your business. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the dolverifyHash function of the Online Signature Module. An attacker can bypass signature verificati...

Arbitrary Command Injection

Overview lfx is a lfx is a command-line tool for running Langflow workflows. It provides two main commands: serve and run. Affected versions of this package are vulnerable to Arbitrary Command Injection via the parsecallabledetails function in codeparser.py. An attacker can execute arbitrary syst...

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview sglang is a SGLang is a fast serving framework for large language models and vision language models. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the gettokenizer function in the...

Directory Traversal

Overview sublinear-time-solver is a The Ultimate Mathematical & AI Toolkit: Sublinear algorithms, consciousness exploration, psycho-symbolic reasoning, chaos analysis, and temporal prediction in one unified MCP interface. WASM-accelerated with Lyapunov exponents and attractor dynamics. Affected...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the exportstate function in the MCP Interface component. An attacker can overwrite or access arbitrary files by supplying crafted input to manipulate file paths remotely. Details A Directory Traversal attack also...

Arbitrary Command Injection

Overview mcp-server-rijksmuseum is a Affected versions of this package are vulnerable to Arbitrary Command Injection via the openimageinbrowser function. An attacker can execute arbitrary operating system commands by manipulating the imageUrl argument remotely. Remediation There is no fixed versi...

Arbitrary Command Injection

Overview yii2-mcp-server is a MCP Server for Yii2 Framework - Database schema inspection, command execution, and project management Affected versions of this package are vulnerable to Arbitrary Command Injection via the yiicommandhelp or yiiexecutecommand functions in the MCP Interface. An attack...

Improper Removal of Sensitive Information Before Storage or Transfer

Overview Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer via the ServerSideDiff process. An attacker can access sensitive Kubernetes Secret data in cleartext by leveraging this process with appropriate permissions. Remediati...

Deserialization of Untrusted Data

Overview mem0ai is a Long-term memory for AI Agents Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the pickle.load or pickle.dump functions in the mem0/vectorstores/faiss.py file. An attacker can execute arbitrary code by providing crafted input to these...

Directory Traversal

Overview mcp-game-asset-gen is a MCP server for asset generation - image, video, audio, and 3D APIs for game development Affected versions of this package are vulnerable to Directory Traversal via the imageto3dasync function when processing the statusFile argument. An attacker can access or modif...

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the userauthpassword function in userauth.c. An attacker can cause memory corruption or potentially execute arbitrary code by sending specially crafted values for usernamelen or passwordlen remotely...

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview astro-mcp-server is a MCP server for Astro ASO App Store Optimization data - Access keyword rankings, historical data, and app metrics Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' in t...

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the RWStlReader::ReadAscii process when buffers returned by StandardReadLineBuffer::ReadLine are not properly length-validated before being used in strncasecmp or accessed directly. An attacker can cause denial of...

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the read process of the OBJ file parser when handling crafted OBJ files. An attacker can cause a denial of service or obtain sensitive information by persuading a victim to open a specially crafted OBJ file that...

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read through the TShape process in the VRML parser when coordIndex values from parsed input are used as direct array indices without validation against the size of the coordinate array during geometry processing. An attack...

NULL Pointer Dereference

Overview Affected versions of this package are vulnerable to NULL Pointer Dereference in the TShape process. An attacker can cause the application to crash or become unresponsive by submitting a specially crafted VRML file that triggers dereference of a corrupt or unvalidated pointer during shape...

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the ReadLine process of the VRML parser due to improper bounds checking in the quoted-string escape handler, which accesses memory beyond the end of a fixed-size stack buffer. An attacker can trigger a denial of...

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the IGES and STEP file parsing process. An attacker can cause a denial of service or access unintended memory contents by submitting specially crafted IGES or STEP files that trigger out-of-bounds reads or infinit...

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the unserialize process. An attacker can execute arbitrary code by sending a crafted serialized PHP closure to the TCP server, which is then deserialized and executed without authentication or...

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the unserialize function in the sync-invoke client when processing data received from a server response. An attacker can execute arbitrary code by sending crafted serialized data from a malicious...