32391 matches found

Snyk
added 2026/04/23 3:52 a.m., 4 views

Malicious Package

Overview: spr-i18n-labels is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.4
Exploits 0, References 2
Snyk
added 2026/04/23 3:50 a.m., 4 views

Malicious Package

Overview: shenxun162938 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.4
Exploits 0, References 2
Snyk
added 2026/04/23 3:49 a.m., 6 views

Malicious Package

Overview: ts-moduler is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8, AI score 5.4
Exploits 0, References 2
Snyk
added 2026/04/23 12:31 a.m., 6 views

Eval Injection

Overview: verl is Volcano Engine Reinforcement Learning for LLM. Affected versions of this package are vulnerable to Eval Injection via the mathequal function. An attacker can execute arbitrary code by supplying crafted input that is processed by an unsafe evaluation mechanism. Remediation...

CVSS 6.3, AI score 6.5, EPSS 0.00333
Exploits 0, References 2
Snyk
added 2026/04/23 12:03 a.m., 4 views

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the operations/fsinfo endpoint in the RC server process. An attacker can execute arbitrary local commands by sending crafted requests to an exposed RC server that is running without...

CVSS 9.8, AI score 5.9, EPSS 0.09199
Exploits 2, References 2
Snyk
added 2026/04/23 12:00 a.m., 5 views

Improper Validation of Certificate with Host Mismatch

Overview: Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to establishing SSL connections to Cassandra without verifying that the hostname in the server's SSL certificate actually matched the hostname of the server being connected to...

CVSS 9.8, AI score 5.5, EPSS 0.00182
Exploits 0, References 2
Snyk
added 2026/04/23 12:00 a.m., 4 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization causing web security to be ineffective and allowing unauthorized access to all endpoints. Note: This is only exploitable if the following conditions are met: - the application is servlet-based; - the application ha...

CVSS 9.3, AI score 5.4, EPSS 0.00489
Exploits 0, References 2
Snyk
added 2026/04/23 12:00 a.m., 6 views

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Overview: Affected versions of this package are vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) for the property source for $random.value as well as $random.int and $random.long. Standard PRNGs like java.util.Random use deterministic mathematical algorithms starting...

CVSS 8.2, AI score 5.5, EPSS 0.00312
Exploits 0, References 2
Snyk
added 2026/04/23 12:00 a.m., 4 views

Insecure Temporary File

Overview: Affected versions of this package are vulnerable to Insecure Temporary File due to the ApplicationTemp mechanism creating a temporary directory using a predictable name. Because the name can be easily guessed, a local attacker on the same server can maliciously pre-create this directory...

CVSS 7.3, AI score 5.4, EPSS 0.00136
Exploits 0, References 2
Snyk
added 2026/04/23 12:00 a.m., 5 views

Timing Attack

Overview: Affected versions of this package are vulnerable to Timing Attack in DevTool due to comparing the user-provided "remote secret" against the actual secret using standard string comparison logic like String.equals or ==. Standard string comparisons are not constant-time. They evaluate...

CVSS 7.7, AI score 5.5, EPSS 0.00262
Exploits 0, References 2
Snyk
added 2026/04/23 12:00 a.m., 14 views

Improper Validation of Certificate with Host Mismatch

Overview: Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch when using an SSL bundle. This effectively weakens TLS by allowing connections without verifying the server identity (classic MITM risk). Remediation: Upgrade...

CVSS 9.2, AI score 5.4, EPSS 0.00157
Exploits 0, References 2
Snyk
added 2026/04/23 12:00 a.m., 12 views

Symlink Attack

Overview: Affected versions of this package are vulnerable to Symlink Attack due to insecure handling of Process ID (PID) files. When an application uses the ApplicationPidFileWriter, it writes its PID to a predictable file system path. A local attacker with write access to the PID file's directory...

CVSS 6.7, AI score 5.4, EPSS 0.00112
Exploits 0, References 2
Snyk
added 2026/04/23 12:00 a.m., 4 views

Improper Validation of Certificate with Host Mismatch

Overview: Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch during the TLS handshake. When Spring Boot is configured to connect to Elasticsearch using an SSL bundle, the auto-configuration fails to verify that the hostname in the server's SSL...

CVSS 6.8, AI score 5.4, EPSS 0.00136
Exploits 0, References 2
Snyk
added 2026/04/22 10:22 p.m., 6 views

Relative Path Traversal

Overview: Affected versions of this package are vulnerable to Relative Path Traversal via the ToolConfigModel tool and config name handling in the Ruby and Python models. An attacker can write or delete arbitrary files within the shared /plugins directory by supplying tool or config names containi...

CVSS 5.3, AI score 5.9, EPSS 0.00313
Exploits 1, References 2
Snyk
added 2026/04/22 10:22 p.m., 7 views

Relative Path Traversal

Overview: openc3 is Python support for OpenC3 COSMOS. Affected versions of this package are vulnerable to Relative Path Traversal via the ToolConfigModel tool and config name handling in the Ruby and Python models. An attacker can write or delete arbitrary files within the shared /plugins directo...

CVSS 5.3, AI score 5.9, EPSS 0.00313
Exploits 1, References 2
Snyk
added 2026/04/22 10:13 p.m., 7 views

Unverified Password Change

Overview: Affected versions of this package are vulnerable to Unverified Password Change via the verifynoservice process in openc3/lib/openc3/models/authmodel.rb and openc3-cosmos-cmd-tlm-api/app/controllers/authcontroller.rb. An attacker can change a password by supplying a valid session token to...

CVSS 8.6, AI score 5.8, EPSS 0.00305
Exploits 1, References 2
Snyk
added 2026/04/22 10:09 p.m., 7 views

Infinite loop

Overview: OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. Affected versions of this package are vulnerable to Infinite loop through the MoveNext traversal logic in the directory tree enumeration code. An attacker can...

CVSS 6.9, AI score 5.8, EPSS 0.00187
Exploits 1, References 2
Snyk
added 2026/04/22 10:06 p.m., 5 views

Directory Traversal

Overview: @evomap/evolver is a GEP-powered self-evolution engine for AI agents. It features automated log analysis and the Genome Evolution Protocol (GEP) for auditable, reusable evolution assets. Affected versions of this package are vulnerable to Directory Traversal via the --out flag in the fetch cal...

CVSS 8.1, AI score 6.3, EPSS 0.00567
Exploits 0, References 2
Snyk
added 2026/04/22 10:06 p.m., 7 views

Command Injection

Overview: @evomap/evolver is a GEP-powered self-evolution engine for AI agents. It features automated log analysis and the Genome Evolution Protocol (GEP) for auditable, reusable evolution assets. Affected versions of this package are vulnerable to Command Injection via the extractLLM function. An...

CVSS 9.8, AI score 6.1, EPSS 0.01305
Exploits 0, References 2
Snyk
added 2026/04/22 10:05 p.m., 5 views

Prototype Pollution

Overview: @evomap/evolver is a GEP-powered self-evolution engine for AI agents. It features automated log analysis and the Genome Evolution Protocol (GEP) for auditable, reusable evolution assets. Affected versions of this package are vulnerable to Prototype Pollution via the Object.assign process in...

CVSS 7, AI score 6.3, EPSS 0.00109
Exploits 0, References 2
Snyk
added 2026/04/22 10:03 p.m., 4 views

Improper Authorization

Overview: Affected versions of this package are vulnerable to Improper Authorization due to improper network binding in the ListenAndServe function. An attacker can gain unauthorized remote access and execute arbitrary database queries by connecting to the exposed Bolt server interface over the...

CVSS 9.8, AI score 6.1, EPSS 0.0044
Exploits 0, References 2
Snyk
added 2026/04/22 10:03 p.m., 4 views

Improper Authorization

Overview: Affected versions of this package are vulnerable to Improper Authorization due to improper network binding in the ListenAndServe function. An attacker can gain unauthorized remote access and execute arbitrary database queries by connecting to the exposed Bolt server interface over the...

CVSS 9.8, AI score 6.1, EPSS 0.0044
Exploits 0, References 2
Snyk
added 2026/04/22 10:00 p.m., 6 views

Embedded Malicious Code

Overview: @bitwarden/cli is a secure and free password manager for all of your devices. Affected versions of this package are vulnerable to Embedded Malicious Code included in a compromised release that is suspected to be part of the Checkmarx April compromise. The payload is delivered via...

CVSS 9.8, AI score 5.4
Exploits 0, References 2
Snyk
added 2026/04/22 9:25 p.m., 4 views

Infinite loop

Overview: justhtml is a pure Python HTML5 parser that just works. Affected versions of this package are vulnerable to Infinite loop via custom sanitization policies or programmatic DOM manipulation. An attacker can inject and execute arbitrary scripts, cause resource loading, or trigger externa...

CVSS 7.7, AI score 5.8
Exploits 0, References 5
Snyk
added 2026/04/22 8:51 p.m., 6 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the serveExport process. An attacker can access and exfiltrate sensitive files, including databases and logs, by sending specially crafted requests with double URL encoding to bypass path validation. Details: A...

CVSS 7.1, AI score 6.3, EPSS 0.00313
Exploits 0, References 2
Snyk
added 2026/04/22 8:51 p.m., 6 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the serveExport process. An attacker can access and exfiltrate sensitive files, including databases and logs, by sending specially crafted requests with double URL encoding to bypass path validation. Details: A...

CVSS 7.1, AI score 6.3, EPSS 0.00313
Exploits 0, References 2
Snyk
added 2026/04/22 8:50 p.m., 7 views

Directory Traversal

Overview: @samanhappy/mcphub is a hub server for MCP servers. Affected versions of this package are vulnerable to Directory Traversal in the uploadMcpbFile process when the name field from the uploaded manifest.json is concatenated directly into file system paths without sanitization or...

CVSS 8.1, AI score 6.3
Exploits 0, References 2
Snyk
added 2026/04/22 8:46 p.m., 5 views

SQL Injection

Overview: github.com/jackc/pgx/v5/internal/sanitize is a PostgreSQL driver and toolkit. Affected versions of this package are vulnerable to SQL Injection when using the simple protocol with dollar quoted string literals. An attacker can execute arbitrary SQL commands by crafting input that is...

CVSS 9.8, AI score 6.3, EPSS 0.00356
Exploits 0, References 2
Snyk
added 2026/04/22 8:46 p.m., 3 views

SQL Injection

Overview: github.com/jackc/pgx/internal/sanitize is a PostgreSQL driver and toolkit. Affected versions of this package are vulnerable to SQL Injection when using the simple protocol with dollar quoted string literals. An attacker can execute arbitrary SQL commands by crafting input that is...

CVSS 9.8, AI score 6.3, EPSS 0.00356
Exploits 0, References 2
Snyk
added 2026/04/22 8:46 p.m., 5 views

SQL Injection

Overview: Affected versions of this package are vulnerable to SQL Injection when using the simple protocol with dollar quoted string literals. An attacker can execute arbitrary SQL commands by crafting input that is interpreted as a placeholder within a dollar quoted string literal. Note: This is...

CVSS 9.8, AI score 6.1, EPSS 0.00356
Exploits 0, References 2
Snyk
added 2026/04/22 8:46 p.m., 7 views

SQL Injection

Overview: github.com/jackc/pgx/v5 is a pure Go driver and toolkit for PostgreSQL. Affected versions of this package are vulnerable to SQL Injection when using the simple protocol with dollar quoted string literals. An attacker can execute arbitrary SQL commands by crafting input that is interpreted...

CVSS 9.8, AI score 6.3, EPSS 0.00356
Exploits 0, References 2
Snyk
added 2026/04/22 8:37 p.m., 2 views

Insecure Default Initialization of Resource

Overview: Affected versions of this package are vulnerable to Insecure Default Initialization of Resource due to insecure default SSH server configuration, which advertises weak or deprecated key exchange, MAC, and host key algorithms. An attacker can compromise the confidentiality and integrity o...

CVSS 6.3, AI score 5.6
Exploits 0, References 3
Snyk
added 2026/04/22 8:37 p.m., 4 views

Insecure Default Initialization of Resource

Overview: Affected versions of this package are vulnerable to Insecure Default Initialization of Resource due to insecure default SSH server configuration, which advertises weak or deprecated key exchange, MAC, and host key algorithms. An attacker can compromise the confidentiality and integrity o...

CVSS 6.3, AI score 5.6
Exploits 0, References 3
Snyk
added 2026/04/22 8:37 p.m., 6 views

Insecure Default Initialization of Resource

Overview: Affected versions of this package are vulnerable to Insecure Default Initialization of Resource due to insecure default SSH server configuration, which advertises weak or deprecated key exchange, MAC, and host key algorithms. An attacker can compromise the confidentiality and integrity o...

CVSS 6.3, AI score 5.6
Exploits 0, References 3
Snyk
added 2026/04/22 8:34 p.m., 4 views

Server-side Request Forgery (SSRF)

Overview: flarum/core is a simple discussion platform for your website. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the interpolation of unvalidated LESS config variables during CSS compilation. An attacker can access arbitrary files on the server or...

CVSS 6.9, AI score 5.8, EPSS 0.00404
Exploits 0, References 3
Snyk
added 2026/04/22 8:32 p.m., 8 views

Origin Validation Error

Overview: locize adds the incontext editor to your i18next setup. Affected versions of this package are vulnerable to Origin Validation Error in the window.addEventListener message handler due to missing validation of the event.origin property. An attacker can execute arbitrary...

CVSS 7.5, AI score 6, EPSS 0.00101
Exploits 0, References 3
Snyk
added 2026/04/22 8:28 p.m., 5 views

Directory Traversal

Overview: i18next-locize-backend is a backend layer for i18next to use the locize service, which can be used in node.js, in the browser and for deno. Affected versions of this package are vulnerable to Directory Traversal via the lng, ns, projectId, or version parameters,...

CVSS 6.9, AI score 6.3, EPSS 0.00224
Exploits 0, References 4
Snyk
added 2026/04/22 8:25 p.m., 8 views

HTTP Response Splitting

Overview: i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Affected versions of this package are vulnerable to HTTP Response Splitting via the lng parameter, which is passed through to the...

CVSS 8.8, AI score 5.6, EPSS 0.00327
Exploits 0, References 2
Snyk
added 2026/04/22 8:23 p.m., 16 views

Uncontrolled Recursion

Overview: xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related operations, including...

CVSS 8.7, AI score 5.4, EPSS 0.00643
Exploits 0, References 2
Snyk
added 2026/04/22 8:23 p.m., 8 views

Uncontrolled Recursion

Overview: @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom. Affected versions of this package are vulnerable to Uncontrolled...

CVSS 8.7, AI score 5.5, EPSS 0.00643
Exploits 0, References 2
Snyk
added 2026/04/22 8:23 p.m., 8 views

Uncontrolled Recursion

Overview: org.webjars.npm:xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related...

CVSS 8.7, AI score 5.4, EPSS 0.00643
Exploits 0, References 2
Snyk
added 2026/04/22 8:19 p.m., 8 views

XML Injection

Overview: @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom. Affected versions of this package are vulnerable to XML Injection in...

CVSS 8.7, AI score 5.8, EPSS 0.00457
Exploits 0, References 2
Snyk
added 2026/04/22 8:19 p.m., 4 views

XML Injection

Overview: xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection in the serialization of DocumentType nodes when attacker-controlled values are provided to the publicId, systemId, ...

CVSS 8.7, AI score 5.8, EPSS 0.00457
Exploits 0, References 2
Snyk
added 2026/04/22 8:19 p.m., 7 views

XML Injection

Overview: org.webjars.npm:xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection in the serialization of DocumentType nodes when attacker-controlled values are provided to the...

CVSS 8.7, AI score 5.8, EPSS 0.00457
Exploits 0, References 2
Snyk
added 2026/04/22 8:17 p.m., 6 views

XML Injection

Overview: @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom. Affected versions of this package are vulnerable to XML Injection vi...

CVSS 8.7, AI score 5.7, EPSS 0.00408
Exploits 0, References 2
Snyk
added 2026/04/22 8:17 p.m., 11 views

XML Injection

Overview: xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection via the createProcessingInstruction function. An attacker can inject arbitrary XML nodes into the serialized output...

CVSS 8.7, AI score 5.7, EPSS 0.00408
Exploits 0, References 2
Snyk
added 2026/04/22 8:17 p.m., 10 views

XML Injection

Overview: org.webjars.npm:xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection via the createProcessingInstruction function. An attacker can inject arbitrary XML nodes into the...

CVSS 8.7, AI score 5.7, EPSS 0.00408
Exploits 0, References 2
Snyk
added 2026/04/22 8:09 p.m., 9 views

SQL Injection

Overview: Affected versions of @nocobase/database are vulnerable to SQL Injection via the queryParentSQL function. An attacker can execute arbitrary SQL commands, extract sensitive data, modify or delete database records, and potentially cause denial of service by injecting...

CVSS 8.8, AI score 6.1, EPSS 0.01875
Exploits 1, References 2
Snyk
added 2026/04/22 8:07 p.m., 7 views

SQL Injection

Overview: @nocobase/plugin-collection-sql provides a SQL collection template. Affected versions of this package are vulnerable to SQL Injection through the update handler in the collection SQL resource. An attacker can submit a malicious sql value while updating a SQL-backed collection and have ...

CVSS 8.6, AI score 5.9, EPSS 0.01833
Exploits 1, References 2
Snyk
added 2026/04/22 7:58 p.m., 3 views

Access Control Bypass

Overview: Affected versions of this package are vulnerable to Access Control Bypass in the require process. An attacker can access sensitive local .js and .json files by supplying malicious JavaScript templates that exploit the module loader to bypass file access restrictions. This is only...

CVSS 6.8, AI score 5.8, EPSS 0.00114
Exploits 0, References 2
Total number of security vulnerabilities: 32391