32391 matches found
Malicious Package
Overview spr-i18n-labels is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview shenxun162938 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ts-moduler is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Eval Injection
Overview verl is a verl: Volcano Engine Reinforcement Learning for LLM Affected versions of this package are vulnerable to Eval Injection via the mathequal function. An attacker can execute arbitrary code by supplying crafted input that is processed by an unsafe evaluation mechanism. Remediation...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the operations/fsinfo endpoint in the RC server process. An attacker can execute arbitrary local commands by sending crafted requests to an exposed RC server that is running without...
Improper Validation of Certificate with Host Mismatch
Overview Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to establishing SSL connections to Cassandra without verifying that the hostname in the server's SSL certificate actually matched the hostname of the server being connected to...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization causing web security to be ineffective and allowing unauthorized access to all endpoints. Note: This is only exploitable if the following conditions are met: - the application is servlet-based; - the application ha...
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Overview Affected versions of this package are vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator PRNG for the property source for $random.value as well as $random.int and $random.long. Standard PRNGs like java.util.Random use deterministic mathematical algorithms starting...
Insecure Temporary File
Overview Affected versions of this package are vulnerable to Insecure Temporary File due to the ApplicationTemp mechanism creating a temporary directory using a predictable name. Because the name can be easily guessed, a local attacker on the same server can maliciously pre-create this directory...
Timing Attack
Overview Affected versions of this package are vulnerable to Timing Attack in DevTool due to comparing the user-provided "remote secret" against the actual secret using standard string comparison logic like String.equals or ==. Standard string comparisons are not constant-time. They evaluate...
Improper Validation of Certificate with Host Mismatch
Overview Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch when using an SSL bundle. This effectively weakens TLS by allowing connections without verifying the server identity classic MITM risk. Remediation Upgrade...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack due to insecure handling of Process ID PID files. When an application uses the ApplicationPidFileWriter, it writes its PID to a predictable file system path. A local attacker with write access to the PID file's directory...
Improper Validation of Certificate with Host Mismatch
Overview Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch during the TLS handshake. When Spring Boot is configured to connect to Elasticsearch using an SSL bundle, the auto-configuration fails to verify that the hostname in the server's SSL...
Relative Path Traversal
Overview Affected versions of this package are vulnerable to Relative Path Traversal via the ToolConfigModel tool and config name handling in the Ruby and Python models. An attacker can write or delete arbitrary files within the shared /plugins directory by supplying tool or config names containi...
Relative Path Traversal
Overview openc3 is a Python support for OpenC3 COSMOS Affected versions of this package are vulnerable to Relative Path Traversal via the ToolConfigModel tool and config name handling in the Ruby and Python models. An attacker can write or delete arbitrary files within the shared /plugins directo...
Unverified Password Change
Overview Affected versions of this package are vulnerable to Unverified Password Change via the verifynoservice process in openc3/lib/openc3/models/authmodel.rb and openc3-cosmos-cmd-tlm-api/app/controllers/authcontroller.rb. An attacker can change a password by supplying a valid session token to...
Infinite loop
Overview OpenMcdf is a fully .NET / C library to manipulate Compound File Binary File Format files, also known as Structured Storage. Affected versions of this package are vulnerable to Infinite loop through the MoveNext traversal logic in the directory tree enumeration code. An attacker can...
Directory Traversal
Overview @evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol GEP for auditable, reusable evolution assets. Affected versions of this package are vulnerable to Directory Traversal via the --out flag in the fetch cal...
Command Injection
Overview @evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol GEP for auditable, reusable evolution assets. Affected versions of this package are vulnerable to Command Injection via the extractLLM function. An...
Prototype Pollution
Overview @evomap/evolver is an A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol GEP for auditable, reusable evolution assets. Affected versions of this package are vulnerable to Prototype Pollution via the Object.assign process in...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization due to improper network binding in the ListenAndServe function. An attacker can gain unauthorized remote access and execute arbitrary database queries by connecting to the exposed Bolt server interface over the...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization due to improper network binding in the ListenAndServe function. An attacker can gain unauthorized remote access and execute arbitrary database queries by connecting to the exposed Bolt server interface over the...
Embedded Malicious Code
Overview @bitwarden/cli is an A secure and free password manager for all of your devices. Affected versions of this package are vulnerable to Embedded Malicious Code included in a compromised release that is suspected to be part of the Checkmarx April compromise. The payload is delivered via...
Infinite loop
Overview justhtml is an A pure Python HTML5 parser that just works. Affected versions of this package are vulnerable to Infinite loop via custom sanitization policies or programmatic DOM manipulation. An attacker can inject and execute arbitrary scripts, cause resource loading, or trigger externa...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the serveExport process. An attacker can access and exfiltrate sensitive files, including databases and logs, by sending specially crafted requests with double URL encoding to bypass path validation. Details A...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the serveExport process. An attacker can access and exfiltrate sensitive files, including databases and logs, by sending specially crafted requests with double URL encoding to bypass path validation. Details A...
Directory Traversal
Overview @samanhappy/mcphub is an A hub server for mcp servers Affected versions of this package are vulnerable to Directory Traversal in the uploadMcpbFile process when the name field from the uploaded manifest.json is concatenated directly into file system paths without sanitization or...
SQL Injection
Overview github.com/jackc/pgx/v5/internal/sanitize is a PostgreSQL driver and toolkit Affected versions of this package are vulnerable to SQL Injection when using the simple protocol with dollar quoted string literals. An attacker can execute arbitrary SQL commands by crafting input that is...
SQL Injection
Overview github.com/jackc/pgx/internal/sanitize is a PostgreSQL driver and toolkit Affected versions of this package are vulnerable to SQL Injection when using the simple protocol with dollar quoted string literals. An attacker can execute arbitrary SQL commands by crafting input that is...
SQL Injection
Overview Affected versions of this package are vulnerable to SQL Injection when using the simple protocol with dollar quoted string literals. An attacker can execute arbitrary SQL commands by crafting input that is interpreted as a placeholder within a dollar quoted string literal. Note: This is...
SQL Injection
Overview github.com/jackc/pgx/v5 is a pure Go driver and toolkit for PostgreSQL Affected versions of this package are vulnerable to SQL Injection when using the simple protocol with dollar quoted string literals. An attacker can execute arbitrary SQL commands by crafting input that is interpreted...
Insecure Default Initialization of Resource
Overview Affected versions of this package are vulnerable to Insecure Default Initialization of Resource due to insecure default SSH server configuration, which advertises weak or deprecated key exchange, MAC, and host key algorithms. An attacker can compromise the confidentiality and integrity o...
Insecure Default Initialization of Resource
Overview Affected versions of this package are vulnerable to Insecure Default Initialization of Resource due to insecure default SSH server configuration, which advertises weak or deprecated key exchange, MAC, and host key algorithms. An attacker can compromise the confidentiality and integrity o...
Insecure Default Initialization of Resource
Overview Affected versions of this package are vulnerable to Insecure Default Initialization of Resource due to insecure default SSH server configuration, which advertises weak or deprecated key exchange, MAC, and host key algorithms. An attacker can compromise the confidentiality and integrity o...
Server-side Request Forgery (SSRF)
Overview flarum/core is a simple discussion platform for your website. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the interpolation of unvalidated LESS config variables during CSS compilation. An attacker can access arbitrary files on the server or...
Origin Validation Error
Overview locize is a This package adds the incontext editor to your i18next setup. Affected versions of this package are vulnerable to Origin Validation Error in the window.addEventListener message handler due to missing validation of the event.origin property. An attacker can execute arbitrary...
Directory Traversal
Overview i18next-locize-backend is an i18next-locize-backend is a backend layer for i18next to use locize service which can be used in node.js, in the browser and for deno. Affected versions of this package are vulnerable to Directory Traversal via the lng, ns, projectId, or version parameters,...
HTTP Response Splitting
Overview i18next-http-middleware is an i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Affected versions of this package are vulnerable to HTTP Response Splitting via the lng parameter, which is passed through to the...
Uncontrolled Recursion
Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related operations, including...
Uncontrolled Recursion
Overview @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to Uncontrolled...
Uncontrolled Recursion
Overview org.webjars.npm:xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related...
XML Injection
Overview @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to XML Injection in...
XML Injection
Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection in the serialization of DocumentType nodes when attacker-controlled values are provided to the publicId, systemId, ...
XML Injection
Overview org.webjars.npm:xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection in the serialization of DocumentType nodes when attacker-controlled values are provided to the...
XML Injection
Overview @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to XML Injection vi...
XML Injection
Overview xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection via the createProcessingInstruction function. An attacker can inject arbitrary XML nodes into the serialized output...
XML Injection
Overview org.webjars.npm:xmldom is an A pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection via the createProcessingInstruction function. An attacker can inject arbitrary XML nodes into the...
SQL Injection
Overview @nocobase/database is a Affected versions of this package are vulnerable to SQL Injection via the queryParentSQL function. An attacker can execute arbitrary SQL commands, extract sensitive data, modify or delete database records, and potentially cause denial of service by injecting...
SQL Injection
Overview @nocobase/plugin-collection-sql is a Provides SQL collection template Affected versions of this package are vulnerable to SQL Injection through the update handler in the collection SQL resource. An attacker can submit a malicious sql value while updating a SQL-backed collection and have ...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass in the require process. An attacker can access sensitive local .js and .json files by supplying malicious JavaScript templates that exploit the module loader to bypass file access restrictions. This is only...