32391 matches found
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the cookieRewritePolicies process. An attacker can execute arbitrary code within the Envoy proxy by crafting a malicious value in the pathRewrite.value field of HTTPProxy resources, potentially allowing acce...
Incorrect Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the paired-device pairing management process. An attacker can gain unauthorized access to approve or operate on unrelated pending device requests by leveraging...
Incorrect Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the assistant-media route. An attacker can access protected media files and metadata by bypassing HTTP authentication path scope validation. Remediation Upgrad...
Memory Allocation with Excessive Size Value
Overview OpenTelemetry.Exporter.OpenTelemetryProtocol is an OTLP Exporter for OpenTelemetry .NET. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the grpc-status-details-bin parsing process during OTLP/gRPC retry handling. An attacker can cause...
Memory Allocation with Excessive Size Value
Overview OpenTelemetry.Exporter.OpenTelemetryProtocol is an OTLP Exporter for OpenTelemetry .NET. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the OTLP exporter. An attacker can cause memory exhaustion by configuring a malicious back-end or...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the parseActions function. An attacker can execute arbitrary code by sending crafted input to the affected process. Remediation A fix was pushed into the master branch but not yet published. Referenc...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the parseActions function. An attacker can execute arbitrary code by sending crafted input to the affected process. Remediation Upgrade heckel.io/ntfy/v2/server to version 2.21.0 or higher. Reference...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the parseActions function. An attacker can execute arbitrary code by sending crafted input to the affected process. Remediation Upgrade github.com/binwiederhier/ntfy/v2/server to version 2.21.0 or...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection through the SQLManager.validateJdbcUrl logic in SQLManager. An attacker can trigger unsafe JDBC connection handling by supplying a PostgreSQL URL with dangerous parameters such as socketFactory, sslfactory, or...
Out-of-bounds Write
Overview Affected versions of this package are vulnerable to Out-of-bounds Write in the gcrypkdecrypt function when processing crafted ECDH ciphertext. An attacker can cause a heap-based buffer overflow and potentially achieve denial of service or impact integrity and availability by supplying...
Server-side Request Forgery (SSRF)
Overview @astrojs/cloudflare is a Deploy your site to Cloudflare Workers/Pages Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetch function in image-binding-transform endpoint. An attacker can cause the server to make unauthorized requests to arbitra...
Memory Allocation with Excessive Size Value
Overview OpenTelemetry.Api is a package that application developers and library authors use to instrument their application/library. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the processing of propagation headers such as baggage, B3, and...
Memory Allocation with Excessive Size Value
Overview OpenTelemetry.Extensions.Propagators is a package containing propagator formats for OpenTelemetry .NET. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the processing of propagation headers such as baggage, B3, and Jaeger. An attacker ca...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the ResFileDecoder.java process. An attacker can overwrite arbitrary files on the filesystem by embedding directory traversal sequences in crafted APK files, potentially leading to execution of malicious code or...
Missing Authorization
Overview @actual-app/sync-server is an actual syncing server Affected versions of this package are vulnerable to Missing Authorization via the change-password endpoint, which lacks proper authorization checks. An attacker can gain administrative privileges by overwriting the password hash for the...
Deserialization of Untrusted Data
Overview pipecat-ai is an An open source framework for voice and multimodal assistants Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the deserialize function of the LivekitFrameSerializer class, which uses pickle.loads on untrusted data received from...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the options/set endpoint. An attacker can set rc.NoAuth=true and override default AuthRequired: true which can lead to unauthorized access to sensitive administrative functionality,...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the options/set endpoint. An attacker can set rc.NoAuth=true and override default AuthRequired: true which can lead to unauthorized access to sensitive administrative functionality,...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the /agents/:id update endpoint and adapterConfig.workspaceStrategy.provisionCommand. An attacker can execute arbitrary OS commands by updating their agent’s configuration with a crafted provisionCommand, which is...
Incomplete List of Disallowed Inputs
Overview pyspector is an A high-performance, security-focused static analysis tool for Python, powered by Rust. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the PluginSecurity.validateplugincode validation logic. An attacker can achieve arbitrary co...
Missing Authorization
Overview @paperclipai/ui is a Prebuilt Paperclip board UI assets. Affected versions of this package are vulnerable to Missing Authorization via import flow. An attacker can gain remote code execution using company creation endpoint that improperly checks for admin rights in authenticated mode...
Directory Traversal
Overview psitransfer is a Simple open source self-hosted file sharing solution Affected versions of this package are vulnerable to Directory Traversal through the Store.getFilename path resolution in the upload storage component. An attacker can escape the upload jail and read or overwrite files...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via import flow. An attacker can gain remote code execution using company creation endpoint that improperly checks for admin rights in authenticated mode deployment with default configuration. Remediation Upgrade...
DNS Rebinding
Overview copilot-api is a Turn GitHub Copilot into OpenAI/Anthropic API compatible server. Usable with Claude Code! Affected versions of this package are vulnerable to DNS Rebinding in ericc-ch copilot-api up to 0.7.0. This impacts an unknown function of the file /token of the component Header...
Improper Neutralization
Overview Affected versions of this package are vulnerable to Improper Neutralization of inline in the BaseCookie.jsoutput function. An attacker can inject arbitrary script content by supplying specially crafted input containing HTML parser-sensitive sequences. Remediation A fix was pushed into th...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the Untar and Unzip functions in pkg/archive/archive.go. An attacker can overwrite arbitrary files on the filesystem by crafting a malicious tar or zip archive containing directory traversal sequences and trickin...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the invokefunction process. An attacker can execute arbitrary PHP code by sending specially crafted requests to the index.php endpoint with malicious function parameters. Remediation...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the AdvancedSearch module. An attacker can execute arbitrary JavaScript code in the context of a user's browser by submitting specially crafted input. Details Cross-site scripting or XSS is a code...
Use of Web Browser Cache Containing Sensitive Information
Overview @astrojs/node is a Deploy your site to a Node.js server Affected versions of this package are vulnerable to Use of Web Browser Cache Containing Sensitive Information via the serve-static.ts component. An attacker can cause legitimate users to receive persistent error responses for static...
Insertion of Sensitive Information into Log File
Overview n8n-mcp is an Integration between n8n workflow automation and Model Context Protocol MCP Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the POST /mcp endpoint. An attacker can cause sensitive information such as bearer tokens, API...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the put function. An attacker can overwrite or create arbitrary files in the webroot by enticing a user to visit a malicious website, which then issues crafted PUT requests through the victim's browse...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the put function. An attacker can overwrite or create arbitrary files in the webroot by enticing a user to visit a malicious website, which then issues crafted PUT requests through the victim's browse...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the put function. An attacker can overwrite or create arbitrary files in the webroot by enticing a user to visit a malicious website, which then issues crafted PUT requests through the victim's browse...
Execution with Unnecessary Privileges
Overview openc3 is a Python support for OpenC3 COSMOS Affected versions of this package are vulnerable to Execution with Unnecessary Privileges through the runscript.py and runscript.rb script execution paths in the script runner components. An attacker can read sensitive credentials by running a...
Execution with Unnecessary Privileges
Overview Affected versions of this package are vulnerable to Execution with Unnecessary Privileges through the runscript.py and runscript.rb script execution paths in the script runner components. An attacker can read sensitive credentials by running a script that prints the process environment,...
SQL Injection
Overview openc3 is a Python support for OpenC3 COSMOS Affected versions of this package are vulnerable to SQL Injection via the query construction in the TSDB access code. An attacker can execute arbitrary TSDB queries by supplying crafted starttime, endtime, or column/table-related values that a...
SQL Injection
Overview Affected versions of this package are vulnerable to SQL Injection via the query construction in the TSDB access code. An attacker can execute arbitrary TSDB queries by supplying crafted starttime, endtime, or column/table-related values that are interpolated directly into SQL strings. Th...
Malicious Package
Overview chai-as-optimized is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Missing Critical Step in Authentication
Overview org.apache.httpcomponents.client5:httpclient5 is a HttpClient component of the Apache HttpComponents project. Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the AuthenticationHandler's handleResponse method. The client may accept...
Malicious Package
Overview json-dec is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview json-spacer is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Malicious Package
Overview @nklkas/hyperliquid is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview changelog-cli-logger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview changelog-utils-structured-logger is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...
Malicious Package
Overview separadordeinfocc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview undicy-http is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Malicious Package
Overview vime-azl is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview ts-bing is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview rollup-plugin-polyfill-route is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview @amsterdam-local/forms-component-library is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organizati...