32391 matches found

Snyk, added 2026/04/24 2:31 a.m., 3 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection via the cookieRewritePolicies process. An attacker can execute arbitrary code within the Envoy proxy by crafting a malicious value in the pathRewrite.value field of HTTPProxy resources, potentially allowing acce...

CVSS 8.1 | AI score 6 | EPSS 0.00481
Exploits 0 | References 2
Snyk, added 2026/04/24 2:29 a.m., 4 views

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization in the paired-device pairing management process. An attacker can gain unauthorized access to approve or operate on unrelated pending device requests by leveraging...

CVSS 5.4 | AI score 5.4 | EPSS 0.00171
Exploits 0 | References 2
Snyk, added 2026/04/24 2:29 a.m., 5 views

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the assistant-media route. An attacker can access protected media files and metadata by bypassing HTTP authentication path scope validation. Remediation: Upgrad...

CVSS 6.5 | AI score 5.5 | EPSS 0.00222
Exploits 0 | References 2
Snyk, added 2026/04/24 2:29 a.m., 6 views

Memory Allocation with Excessive Size Value

Overview: OpenTelemetry.Exporter.OpenTelemetryProtocol is an OTLP Exporter for OpenTelemetry .NET. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the grpc-status-details-bin parsing process during OTLP/gRPC retry handling. An attacker can cause...

CVSS 6 | AI score 5.5 | EPSS 0.00192
Exploits 0 | References 2
Snyk, added 2026/04/24 2:29 a.m., 6 views

Memory Allocation with Excessive Size Value

Overview: OpenTelemetry.Exporter.OpenTelemetryProtocol is an OTLP Exporter for OpenTelemetry .NET. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the OTLP exporter. An attacker can cause memory exhaustion by configuring a malicious back-end or...

CVSS 6 | AI score 5.5 | EPSS 0.00304
Exploits 0 | References 2
Snyk, added 2026/04/24 2:26 a.m., 2 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the parseActions function. An attacker can execute arbitrary code by sending crafted input to the affected process. Remediation: A fix was pushed into the master branch but not yet published. Referenc...

CVSS 9.8 | AI score 6 | EPSS 0.0041
Exploits 0 | References 2
Snyk, added 2026/04/24 2:26 a.m., 6 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the parseActions function. An attacker can execute arbitrary code by sending crafted input to the affected process. Remediation: Upgrade heckel.io/ntfy/v2/server to version 2.21.0 or higher. Reference...

CVSS 9.8 | AI score 6.2 | EPSS 0.0041
Exploits 0 | References 2
Snyk, added 2026/04/24 2:26 a.m., 6 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the parseActions function. An attacker can execute arbitrary code by sending crafted input to the affected process. Remediation: Upgrade github.com/binwiederhier/ntfy/v2/server to version 2.21.0 or...

CVSS 9.8 | AI score 6 | EPSS 0.0041
Exploits 0 | References 2
Snyk, added 2026/04/24 2:01 a.m., 7 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection through the SQLManager.validateJdbcUrl logic in SQLManager. An attacker can trigger unsafe JDBC connection handling by supplying a PostgreSQL URL with dangerous parameters such as socketFactory, sslfactory, or...

CVSS 9.8 | AI score 7.2 | EPSS 0.00938
Exploits 1 | References 2
Snyk, added 2026/04/24 12:51 a.m., 3 views

Out-of-bounds Write

Overview: Affected versions of this package are vulnerable to Out-of-bounds Write in the gcrypkdecrypt function when processing crafted ECDH ciphertext. An attacker can cause a heap-based buffer overflow and potentially achieve denial of service or impact integrity and availability by supplying...

CVSS 7.5 | AI score 6 | EPSS 0.0018
Exploits 0 | References 2
Snyk, added 2026/04/23 9:52 p.m., 10 views

Server-side Request Forgery (SSRF)

Overview: @astrojs/cloudflare is a package described as "Deploy your site to Cloudflare Workers/Pages". Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetch function in the image-binding-transform endpoint. An attacker can cause the server to make unauthorized requests to arbitra...

CVSS 7.2 | AI score 5.6 | EPSS 0.00773
Exploits 1 | References 2
Snyk, added 2026/04/23 9:43 p.m., 10 views

Memory Allocation with Excessive Size Value

Overview: OpenTelemetry.Api is a package that application developers and library authors use to instrument their application/library. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the processing of propagation headers such as baggage, B3, and...

CVSS 6.9 | AI score 5.5 | EPSS 0.00458
Exploits 0 | References 2
Snyk, added 2026/04/23 9:43 p.m., 6 views

Memory Allocation with Excessive Size Value

Overview: OpenTelemetry.Extensions.Propagators is a package containing propagator formats for OpenTelemetry .NET. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the processing of propagation headers such as baggage, B3, and Jaeger. An attacker ca...

CVSS 6.9 | AI score 5.5 | EPSS 0.00458
Exploits 0 | References 2
Snyk, added 2026/04/23 9:24 p.m., 8 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the ResFileDecoder.java process. An attacker can overwrite arbitrary files on the filesystem by embedding directory traversal sequences in crafted APK files, potentially leading to execution of malicious code or...

CVSS 8.4 | AI score 6.3 | EPSS 0.00182
Exploits 1 | References 2
Snyk, added 2026/04/23 9:23 p.m., 6 views

Missing Authorization

Overview: @actual-app/sync-server is an Actual syncing server. Affected versions of this package are vulnerable to Missing Authorization via the change-password endpoint, which lacks proper authorization checks. An attacker can gain administrative privileges by overwriting the password hash for the...

CVSS 8.8 | AI score 5.6 | EPSS 0.00472
Exploits 1 | References 3
Snyk, added 2026/04/23 9:15 p.m., 9 views

Deserialization of Untrusted Data

Overview: pipecat-ai is an open source framework for voice and multimodal assistants. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the deserialize function of the LivekitFrameSerializer class, which uses pickle.loads on untrusted data received from...

CVSS 9.8 | AI score 6.2 | EPSS 0.00701
Exploits 1 | References 2
Snyk, added 2026/04/23 3:07 p.m., 6 views

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the options/set endpoint. An attacker can set rc.NoAuth=true and override the default AuthRequired: true, which can lead to unauthorized access to sensitive administrative functionality,...

CVSS 9.8 | AI score 5.7 | EPSS 0.34734
Exploits 1 | References 2
Snyk, added 2026/04/23 3:07 p.m., 5 views

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the options/set endpoint. An attacker can set rc.NoAuth=true and override the default AuthRequired: true, which can lead to unauthorized access to sensitive administrative functionality,...

CVSS 9.8 | AI score 5.7 | EPSS 0.34734
Exploits 1 | References 2
Snyk, added 2026/04/23 3:07 p.m., 4 views

Command Injection

Overview: Affected versions of this package are vulnerable to Command Injection via the /agents/:id update endpoint and adapterConfig.workspaceStrategy.provisionCommand. An attacker can execute arbitrary OS commands by updating their agent's configuration with a crafted provisionCommand, which is...

CVSS 8.8 | AI score 6 | EPSS 0.00591
Exploits 1 | References 2
Snyk, added 2026/04/23 3:07 p.m., 3 views

Incomplete List of Disallowed Inputs

Overview: pyspector is a high-performance, security-focused static analysis tool for Python, powered by Rust. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the PluginSecurity.validateplugincode validation logic. An attacker can achieve arbitrary co...

CVSS 7.8 | AI score 6.4 | EPSS 0.00185
Exploits 1 | References 2
Snyk, added 2026/04/23 3:07 p.m., 7 views

Missing Authorization

Overview: @paperclipai/ui provides prebuilt Paperclip board UI assets. Affected versions of this package are vulnerable to Missing Authorization via the import flow. An attacker can gain remote code execution using the company creation endpoint, which improperly checks for admin rights in an authenticated-mode...

CVSS 10 | AI score 6.5 | EPSS 0.01972
Exploits 4 | References 2
Snyk, added 2026/04/23 3:07 p.m., 6 views

Directory Traversal

Overview: psitransfer is a simple open source self-hosted file sharing solution. Affected versions of this package are vulnerable to Directory Traversal through the Store.getFilename path resolution in the upload storage component. An attacker can escape the upload jail and read or overwrite files...

CVSS 7.7 | AI score 6.3 | EPSS 0.00307
Exploits 0 | References 2
Snyk, added 2026/04/23 3:07 p.m., 6 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the import flow. An attacker can gain remote code execution using the company creation endpoint, which improperly checks for admin rights in an authenticated-mode deployment with default configuration. Remediation: Upgrade...

CVSS 10 | AI score 6.5 | EPSS 0.01972
Exploits 4 | References 2
Snyk, added 2026/04/23 3:07 p.m., 5 views

DNS Rebinding

Overview: copilot-api turns GitHub Copilot into an OpenAI/Anthropic API compatible server, usable with Claude Code. Affected versions of this package are vulnerable to DNS Rebinding in ericc-ch copilot-api up to 0.7.0. This impacts an unknown function of the file /token of the component Header...

CVSS 5.3 | AI score 5.4 | EPSS 0.00257
Exploits 0 | References 2
Snyk, added 2026/04/23 3:07 p.m., 5 views

Improper Neutralization

Overview: Affected versions of this package are vulnerable to Improper Neutralization of inline in the BaseCookie.jsoutput function. An attacker can inject arbitrary script content by supplying specially crafted input containing HTML parser-sensitive sequences. Remediation: A fix was pushed into th...

CVSS 6.8 | AI score 5.6 | EPSS 0.00229
Exploits 1 | References 2
Snyk, added 2026/04/23 3:07 p.m., 3 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the Untar and Unzip functions in pkg/archive/archive.go. An attacker can overwrite arbitrary files on the filesystem by crafting a malicious tar or zip archive containing directory traversal sequences and trickin...

CVSS 9.1 | AI score 6.4 | EPSS 0.00418
Exploits 3 | References 2
Snyk, added 2026/04/23 3:07 p.m., 5 views

Authorization Bypass Through User-Controlled Key

Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the invokefunction process. An attacker can execute arbitrary PHP code by sending specially crafted requests to the index.php endpoint with malicious function parameters. Remediation:...

CVSS 9.8 | AI score 5.9 | EPSS 0.0089
Exploits 1 | References 2
Snyk, added 2026/04/23 3:07 p.m., 5 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the AdvancedSearch module. An attacker can execute arbitrary JavaScript code in the context of a user's browser by submitting specially crafted input. Details: Cross-site scripting (XSS) is a code...

CVSS 6.1 | AI score 5.5 | EPSS 0.00188
Exploits 1 | References 2
Snyk, added 2026/04/23 2:36 p.m., 4 views

Use of Web Browser Cache Containing Sensitive Information

Overview: @astrojs/node is a package described as "Deploy your site to a Node.js server". Affected versions of this package are vulnerable to Use of Web Browser Cache Containing Sensitive Information via the serve-static.ts component. An attacker can cause legitimate users to receive persistent error responses for static...

CVSS 6.9 | AI score 5.4 | EPSS 0.00238
Exploits 0 | References 2
Snyk, added 2026/04/23 2:31 p.m., 4 views

Insertion of Sensitive Information into Log File

Overview: n8n-mcp is an integration between n8n workflow automation and the Model Context Protocol (MCP). Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the POST /mcp endpoint. An attacker can cause sensitive information such as bearer tokens, API...

CVSS 6 | AI score 5.4 | EPSS 0.00255
Exploits 0 | References 2
Snyk, added 2026/04/23 2:28 p.m., 4 views

Cross-site Request Forgery (CSRF)

Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the put function. An attacker can overwrite or create arbitrary files in the webroot by enticing a user to visit a malicious website, which then issues crafted PUT requests through the victim's browse...

CVSS 7.1 | AI score 5.5 | EPSS 0.00165
Exploits 1 | References 2
Snyk, added 2026/04/23 2:28 p.m., 2 views

Cross-site Request Forgery (CSRF)

Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the put function. An attacker can overwrite or create arbitrary files in the webroot by enticing a user to visit a malicious website, which then issues crafted PUT requests through the victim's browse...

CVSS 7.1 | AI score 5.9 | EPSS 0.00165
Exploits 1 | References 2
Snyk, added 2026/04/23 2:28 p.m., 6 views

Cross-site Request Forgery (CSRF)

Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the put function. An attacker can overwrite or create arbitrary files in the webroot by enticing a user to visit a malicious website, which then issues crafted PUT requests through the victim's browse...

CVSS 7.1 | AI score 5.9 | EPSS 0.00165
Exploits 1 | References 2
Snyk, added 2026/04/23 2:17 p.m., 4 views

Execution with Unnecessary Privileges

Overview: openc3 provides Python support for OpenC3 COSMOS. Affected versions of this package are vulnerable to Execution with Unnecessary Privileges through the runscript.py and runscript.rb script execution paths in the script runner components. An attacker can read sensitive credentials by running a...

CVSS 9.6 | AI score 5.9 | EPSS 0.00341
Exploits 1 | References 2
Snyk, added 2026/04/23 2:17 p.m., 6 views

Execution with Unnecessary Privileges

Overview: Affected versions of this package are vulnerable to Execution with Unnecessary Privileges through the runscript.py and runscript.rb script execution paths in the script runner components. An attacker can read sensitive credentials by running a script that prints the process environment,...

CVSS 9.6 | AI score 5.9 | EPSS 0.00341
Exploits 1 | References 2
Snyk, added 2026/04/23 2:12 p.m., 4 views

SQL Injection

Overview: openc3 provides Python support for OpenC3 COSMOS. Affected versions of this package are vulnerable to SQL Injection via the query construction in the TSDB access code. An attacker can execute arbitrary TSDB queries by supplying crafted starttime, endtime, or column/table-related values that a...

CVSS 9.6 | AI score 6.1 | EPSS 0.00323
Exploits 1 | References 2
Snyk, added 2026/04/23 2:12 p.m., 5 views

SQL Injection

Overview: Affected versions of this package are vulnerable to SQL Injection via the query construction in the TSDB access code. An attacker can execute arbitrary TSDB queries by supplying crafted starttime, endtime, or column/table-related values that are interpolated directly into SQL strings. Th...

CVSS 9.6 | AI score 6.2 | EPSS 0.00323
Exploits 1 | References 2
Snyk, added 2026/04/23 12:15 p.m., 7 views

Malicious Package

Overview: chai-as-optimized is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 | AI score 5.4
Exploits 0 | References 2
Snyk, added 2026/04/23 8:39 a.m., 4 views

Missing Critical Step in Authentication

Overview: org.apache.httpcomponents.client5:httpclient5 is the HttpClient component of the Apache HttpComponents project. Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the AuthenticationHandler's handleResponse method. The client may accept...

CVSS 7.3 | AI score 5.4 | EPSS 0.00456
Exploits 0 | References 2
Snyk, added 2026/04/23 4:42 a.m., 6 views

Malicious Package

Overview: json-dec is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8 | AI score 5.4
Exploits 0 | References 2
Snyk, added 2026/04/23 4:42 a.m., 5 views

Malicious Package

Overview: json-spacer is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

CVSS 9.8 | AI score 5.4
Exploits 0 | References 2
Snyk, added 2026/04/23 4:24 a.m., 6 views

Malicious Package

Overview: @nklkas/hyperliquid is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 | AI score 5.4
Exploits 0 | References 2
Snyk, added 2026/04/23 4:24 a.m., 4 views

Malicious Package

Overview: changelog-cli-logger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 | AI score 5.4
Exploits 0 | References 2
Snyk, added 2026/04/23 4:24 a.m., 2 views

Malicious Package

Overview: changelog-utils-structured-logger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

CVSS 9.8 | AI score 5.4
Exploits 0 | References 2
Snyk, added 2026/04/23 3:59 a.m., 4 views

Malicious Package

Overview: separadordeinfocc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 | AI score 5.4
Exploits 0 | References 2
Snyk, added 2026/04/23 3:59 a.m., 5 views

Malicious Package

Overview: undicy-http is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

CVSS 9.8 | AI score 5.4
Exploits 0 | References 2
Snyk, added 2026/04/23 3:56 a.m., 12 views

Malicious Package

Overview: vime-azl is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8 | AI score 5.4
Exploits 0 | References 2
Snyk, added 2026/04/23 3:56 a.m., 4 views

Malicious Package

Overview: ts-bing is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8 | AI score 5.4
Exploits 0 | References 2
Snyk, added 2026/04/23 3:54 a.m., 4 views

Malicious Package

Overview: rollup-plugin-polyfill-route is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

CVSS 9.8 | AI score 5.4
Exploits 0 | References 2
Snyk, added 2026/04/23 3:52 a.m., 3 views

Malicious Package

Overview: @amsterdam-local/forms-component-library is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organizati...

CVSS 9.8 | AI score 5.4
Exploits 0 | References 2
Total number of security vulnerabilities: 32391