Lucene search
K

35547 matches found

Snyk
Snyk
added 2026/07/07 1:51 p.m.3 views

Malicious Package

Overview brunomenozzi-test-pkg is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/07 1:35 p.m.2 views

Malicious Package

Overview @apexcraft/nano-key is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/07 1:2 p.m.3 views

External Control of File Name or Path

Overview egroupware/egroupware is a library that extends a classic groupware with an integrated CRM-system, a secure file-server and Collabora Online Office. Affected versions of this package are vulnerable to External Control of File Name or Path via the processURL2InlineImages process. An...

7.1CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 2026/07/07 1:2 p.m.5 views

NULL Pointer Dereference

Overview onnx is an Open Neural Network Exchange Affected versions of this package are vulnerable to NULL Pointer Dereference in the adaptupsample67 function when processing a model containing an Upsample node with zero inputs. An attacker can cause a crash and denial of service by submitting a...

6.8CVSS6AI score0.0017EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/07 1:1 p.m.5 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the GET /api/oauth/email/bind and GET /api/oauth/wechat/bind endpoints. An attacker can alter account binding state by tricking a logged-in user into visiting a crafted link, potentially allowing the...

6CVSS5.9AI score0.00187EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 1:1 p.m.5 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the GET /api/oauth/email/bind and GET /api/oauth/wechat/bind endpoints. An attacker can alter account binding state by tricking a logged-in user into visiting a crafted link, potentially allowing the...

6CVSS5.9AI score0.00187EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 1:1 p.m.4 views

Eval Injection

Overview egroupware/egroupware is a library that extends a classic groupware with an integrated CRM-system, a secure file-server and Collabora Online Office. Affected versions of this package are vulnerable to Eval Injection via the expandname function. An attacker can execute arbitrary OS comman...

8.6CVSS6.3AI score
Exploits0References3
Snyk
Snyk
added 2026/07/07 1:1 p.m.6 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal in the /skin/ action endpoint when running on Jetty 12 or later. An attacker can access arbitrary files on the server by crafting a URL containing encoded directory traversal sequences. This is only exploitable if th...

8.2CVSS6.5AI score
Exploits0References2
Snyk
Snyk
added 2026/07/07 1:1 p.m.7 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal in the /skin/ action endpoint when running on Jetty 12 or later. An attacker can access arbitrary files on the server by crafting a URL containing encoded directory traversal sequences. This is only exploitable if th...

8.2CVSS6.5AI score
Exploits0References2
Snyk
Snyk
added 2026/07/07 1:1 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the notification URL validation process. An attacker can access internal network resources and potentially expose sensitive internal data by configuring notification URLs to point to hostnames that...

7.7CVSS6AI score0.00437EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 1:1 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the notification URL validation process. An attacker can access internal network resources and potentially expose sensitive internal data by configuring notification URLs to point to hostnames that...

7.7CVSS6AI score0.00437EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 1:1 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the notification URL validation process. An attacker can access internal network resources and potentially expose sensitive internal data by configuring notification URLs to point to hostnames that...

7.7CVSS6AI score0.00437EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 1:1 p.m.3 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the notification URL validation process. An attacker can access internal network resources and potentially expose sensitive internal data by configuring notification URLs to point to hostnames that...

7.7CVSS6AI score0.00437EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 1:1 p.m.5 views

Authorization Bypass Through User-Controlled Key

Overview egroupware/egroupware is a library that extends a classic groupware with an integrated CRM-system, a secure file-server and Collabora Online Office. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via improper authorization checks in t...

9.3CVSS6.3AI score
Exploits0References4
Snyk
Snyk
added 2026/07/07 12:41 p.m.5 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the BaseSerialization.deserialize process. An attacker can execute arbitrary code on the API Server or Scheduler by embedding a malicious trigger into a serialized DAG, which is then deserialized and...

9.8CVSS6.7AI score0.01649EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 12:41 p.m.4 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration via the dep.source and dep.target fields in the scheduling graph endpoint. An attacker can obtain identifiers of resources they are not authorized to access by inspecting dependency information exposed...

6.9CVSS6AI score0.00636EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 12:41 p.m.5 views

Improper Removal of Sensitive Information Before Storage or Transfer

Overview Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the Bulk Variables API due to the redact function being called without the variable key, which prevents the shouldhidevalueforkey check from triggering on...

6.9CVSS6AI score0.00664EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 12:41 p.m.5 views

Improper Removal of Sensitive Information Before Storage or Transfer

Overview apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the Config API when per-key secrets backend overrides are configured via...

6.9CVSS6AI score0.00664EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 12:40 p.m.5 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the GET /api/v2/dagSources/dagid endpoint, which returns the entire source file containing multiple DAGs without redacting those the user is not authorized to access. An attacker can...

7.1CVSS6AI score0.00601EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 12:36 p.m.5 views

Improper Removal of Sensitive Information Before Storage or Transfer

Overview Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the REST API task-instance detail and list endpoints, which returned deferred task trigger keyword arguments without masking sensitive data. An attacker can access...

6.9CVSS6AI score0.00664EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 6:27 a.m.4 views

Malicious Package

Overview chai-spycore is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/07 6:27 a.m.7 views

Malicious Package

Overview express-deflect is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/07 6:27 a.m.7 views

Malicious Package

Overview express-firegate is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6AI score
Exploits0References2
Snyk
Snyk
added 2026/07/07 12:33 a.m.4 views

Improper Restriction of Rendered UI Layers or Frames

Overview ajenti is a Linux & BSD web admin panel. Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames through the lack of anti-framing protections in the HTTP response process. An attacker can trick users into interacting with a maliciously...

5.4CVSS6AI score0.00159EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 12:33 a.m.7 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:showdown is a JavaScript Markdown to HTML converter. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the parseHeaders function. An attacker can execute arbitrary scripts in the context of users viewing rendered markdown by injecting special...

6.1CVSS6.1AI score0.00198EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 12:33 a.m.8 views

Cross-site Scripting (XSS)

Overview showdown is a JavaScript Markdown to HTML converter. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the parseHeaders function. An attacker can execute arbitrary scripts in the context of users viewing rendered markdown by injecting specially crafted table...

6.1CVSS6.1AI score0.00198EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/07 12:0 a.m.2 views

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free in the query completion process. An attacker can cause memory corruption and application crash by sending crafted DNS responses that manipulate the sequence of query completions, such as forcing an EDNS-downgrade retry an...

8.7CVSS6.1AI score
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:40 p.m.4 views

Uncaught Exception

Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Uncaught Exception through the rejection sampler process. An attacker can cause the engine worker to crash and abort concurrent requests by sending...

8.7CVSS5.9AI score0.00343EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/06 10:40 p.m.4 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the ForwardAuth process when trustForwardHeader is set to false. An attacker can bypass port-based authorization checks by injecting a crafted X-Forwarded-Proto header over an unencrypte...

6.9CVSS6AI score0.0029EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:40 p.m.3 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the ForwardAuth process when trustForwardHeader is set to false. An attacker can bypass port-based authorization checks by injecting a crafted X-Forwarded-Proto header over an unencrypte...

6.9CVSS6AI score0.0029EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:40 p.m.4 views

Insufficient Verification of Data Authenticity

Overview github.com/traefik/traefik/v2/pkg/middlewares/auth is a Cloud Native Application Proxy. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the ForwardAuth process when trustForwardHeader is set to false. An attacker can bypass port-based...

6.9CVSS6AI score0.0029EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:40 p.m.5 views

Allocation of Resources Without Limits or Throttling

Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the request.file.read process. An attacker can exhaust system memory or cause process...

7.1CVSS6AI score0.00289EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:39 p.m.4 views

Improper Handling of Case Sensitivity

Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the handling of HTTP headers in authentication middlewares. An attacker can impersonate users or escalate privileges by injecting underscore-variant headers that bypass canonical header strippin...

10CVSS6AI score0.00256EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:39 p.m.5 views

Improper Handling of Case Sensitivity

Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the handling of HTTP headers in authentication middlewares. An attacker can impersonate users or escalate privileges by injecting underscore-variant headers that bypass canonical header strippin...

10CVSS6AI score0.00256EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:39 p.m.4 views

Improper Handling of Case Sensitivity

Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the handling of HTTP headers in authentication middlewares. An attacker can impersonate users or escalate privileges by injecting underscore-variant headers that bypass canonical header strippin...

10CVSS6AI score0.00256EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:39 p.m.5 views

Improper Handling of Case Sensitivity

Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the handling of HTTP headers in authentication middlewares. An attacker can impersonate users or escalate privileges by injecting underscore-variant headers that bypass canonical header strippin...

10CVSS6AI score0.00256EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:39 p.m.3 views

Improper Handling of Case Sensitivity

Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the handling of HTTP headers in authentication middlewares. An attacker can impersonate users or escalate privileges by injecting underscore-variant headers that bypass canonical header strippin...

10CVSS6AI score0.00256EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:39 p.m.4 views

Improper Handling of Case Sensitivity

Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the handling of HTTP headers in authentication middlewares. An attacker can impersonate users or escalate privileges by injecting underscore-variant headers that bypass canonical header strippin...

10CVSS6AI score0.00256EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:39 p.m.4 views

Improper Handling of Case Sensitivity

Overview github.com/traefik/traefik/v2/pkg/server is a server package for traefik, a cloud native edge router. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the handling of HTTP headers in authentication middlewares. An attacker can impersonate user...

10CVSS6AI score0.00256EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:39 p.m.4 views

Improper Handling of Case Sensitivity

Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the handling of HTTP headers in authentication middlewares. An attacker can impersonate users or escalate privileges by injecting underscore-variant headers that bypass canonical header strippin...

10CVSS6AI score0.00256EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:39 p.m.4 views

Improper Handling of Case Sensitivity

Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity via the handling of HTTP headers in authentication middlewares. An attacker can impersonate users or escalate privileges by injecting underscore-variant headers that bypass canonical header strippin...

10CVSS6AI score0.00256EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:39 p.m.4 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the backendRef filters process. An attacker can manipulate the filter context applied to requests by creating an accepted HTTPRoute that shares the same backend Service:port, potentially causing their route's...

9.6CVSS5.9AI score0.00346EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:39 p.m.4 views

Reachable Assertion

Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Reachable Assertion via the /v1/completions endpoint when processing pure prompt embeds with M-RoPE models. An attacker can cause the server to cras...

7.1CVSS6AI score0.0037EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:39 p.m.5 views

Regular Expression Denial of Service (ReDoS)

Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the structuredoutputs.regex parameter, which allows user-supplied regular expressions to be passed...

8.7CVSS5.9AI score0.00324EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:39 p.m.3 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the users.getUser method in the JSON-RPC API. An attacker can retrieve sensitive credential information, such as password hashes, TOTP secrets, and session tokens, by supplying...

8.6CVSS6.1AI score0.0025EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:36 p.m.4 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the verifyState function. An attacker can hijack user sessions by crafting malicious callback URLs with attacker-controlled authorization codes, causing victims to be logged in as the attacker...

8.6CVSS5.9AI score0.00153EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:36 p.m.6 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:showdown is a JavaScript Markdown to HTML converter. Affected versions of this package are vulnerable to Cross-site Scripting XSS in metadata title handling, which inserts markdown frontmatter metadata into the HTML element without escaping the less-than and greater-than...

6.1CVSS5.8AI score0.00187EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 10:36 p.m.7 views

Cross-site Scripting (XSS)

Overview showdown is a JavaScript Markdown to HTML converter. Affected versions of this package are vulnerable to Cross-site Scripting XSS in metadata title handling, which inserts markdown frontmatter metadata into the HTML element without escaping the less-than and greater-than characters. An...

6.1CVSS5.8AI score0.00187EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/06 9:52 p.m.3 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the agentConn.apiClient process. An attacker can gain unauthorized access to sensitive files or execute arbitrary commands as another workspace user by redirecting API requests to a victim's agent,...

8.7CVSS6.1AI score
Exploits0References3
Snyk
Snyk
added 2026/07/06 9:52 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the agentConn.apiClient process. An attacker can gain unauthorized access to sensitive files or execute arbitrary commands as another workspace user by redirecting API requests to a victim's agent,...

8.7CVSS6.1AI score
Exploits0References3
Total number of security vulnerabilities35547