32391 matches found

Snyk, added 2026/04/22 7:58 p.m.

Access Control Bypass

Overview: Affected versions of this package are vulnerable to Access Control Bypass in the require process. An attacker can access sensitive local .js and .json files by supplying malicious JavaScript templates that exploit the module loader to bypass file access restrictions. This is only...

CVSS 6.8 | AI score 5.8 | EPSS 0.00114
Exploits: 0 | References: 2
Snyk, added 2026/04/22 7:57 p.m.

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the POST /api/lunchflow/link endpoint, which insufficiently validates user-supplied URLs and fails to restrict access to internal or sensitive network addresses. An attacker can cause the server to...

CVSS 8.5 | AI score 5.9 | EPSS 0.00331
Exploits: 0 | References: 4
Snyk, added 2026/04/22 7:55 p.m.

Cross-site Scripting (XSS)

Overview: marko is a UI-components, streaming, async, high-performance HTML templating library for Node.js and the browser. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of interpolated values within or tags due to improper case-insensitive detection of...

CVSS 6.4 | AI score 5.8 | EPSS 0.00195
Exploits: 0 | References: 2
Snyk, added 2026/04/22 7:55 p.m.

Cross-site Scripting (XSS)

Overview: @marko/runtime-tags is an optimized runtime for Marko templates. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the handling of interpolated values within or tags due to improper case-insensitive detection of closing tags. An attacker can execute arbitrar...

CVSS 6.4 | AI score 5.8 | EPSS 0.00195
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:43 p.m.

External Control of File Name or Path

Overview: i18next-fs-backend is a backend layer for i18next, used in Node.js and Deno to load translations from the filesystem. Affected versions of this package are vulnerable to External Control of File Name or Path that leads to raw interpolation of lng and ns value...

CVSS 8.8 | AI score 5.9 | EPSS 0.00292
Exploits: 0 | References: 3
Snyk, added 2026/04/22 5:41 p.m.

Directory Traversal

Overview: i18next-http-backend is a backend layer for i18next, used in Node.js, in the browser and in Deno. Affected versions of this package are vulnerable to Directory Traversal or other URL manipulation via unsanitized interpolation of lng and ns values in the...

CVSS 6.9 | AI score 6.3 | EPSS 0.00251
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:41 p.m.

Directory Traversal

Overview: org.webjars.npm:i18next-http-backend packages i18next-http-backend, a backend layer for i18next used in Node.js, in the browser and in Deno. Affected versions of this package are vulnerable to Directory Traversal or other URL manipulation via unsanitized interpolation of lng and ns...

CVSS 9.1 | AI score 6.3 | EPSS 0.00251
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:40 p.m.

Prototype Pollution

Overview: i18next-http-middleware is a middleware for Node.js web frameworks such as Express or Fastify, and also for Deno. Affected versions of this package are vulnerable to Prototype Pollution via the lng or ns parameters handled by the getResourcesHandler...

CVSS 8.8 | AI score 6.3 | EPSS 0.0031
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:38 p.m.

SQL Injection

Overview: Affected versions of this package are vulnerable to SQL Injection via the aggregate API endpoint when unvalidated user input is passed to the goqu.L function. An attacker can execute arbitrary SQL commands and access sensitive database information by supplying crafted values to the colum...

CVSS 8.7 | AI score 6.1 | EPSS 0.00345
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:29 p.m.

Directory Traversal

Overview: ci4-cms-erp/ci4ms: Affected versions of this package are vulnerable to Directory Traversal via the upload function. An attacker can write arbitrary files to the filesystem and execute remote code by uploading a crafted ZIP archive containing...

CVSS 9.9 | AI score 6.8 | EPSS 0.00484
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:28 p.m.

Directory Traversal

Overview: ci4-cms-erp/ci4ms: Affected versions of this package are vulnerable to Directory Traversal in the restore process. An attacker can write arbitrary files to the filesystem and execute code by uploading a specially crafted ZIP archive containin...

CVSS 9.9 | AI score 6.6 | EPSS 0.00528
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:27 p.m.

Cross-site Scripting (XSS)

Overview: ci4-cms-erp/ci4ms: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the filename field in the backup management module. An attacker can gain unauthorized access to user accounts and escalate privileges by...

CVSS 9.1 | AI score 5 | EPSS 0.00331
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Improper Check for Unusual or Exceptional Conditions

Overview: Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions via the PolicyDataSubsToNotifyPost process. An attacker can create unintended notification subscriptions with invalid, empty, or partially processed input by sending malformed or...

CVSS 6.9 | AI score 5.8 | EPSS 0.09955
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Allocation of Resources Without Limits or Throttling

Overview: github.com/free5gc/pcf/internal/sbi/processor: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via repeated HTTP requests to the OAM endpoint, which trigger the router.Use process. An attacker can exhaust system memory an...

CVSS 8.7 | AI score 5.8 | EPSS 0.00515
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Expected Behavior Violation

Overview: Affected versions of this package are vulnerable to Expected Behavior Violation in the HTTPUEContextTransfer process when an unsupported Content-Type is received. An attacker can cause the processor to operate on an uninitialized object by sending a request with an unexpected Content-Typ...

CVSS 6.9 | AI score 5.4 | EPSS 0.00282
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Improper Authentication

Overview: Affected versions of this package are vulnerable to Improper Authentication due to the SkipClientIDCheck configuration in the OIDC authentication provider, which disables audience claim validation. An attacker can gain unauthorized access by presenting a token issued for a different...

CVSS 9.2 | AI score 5.5 | EPSS 0.00255
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Improper Certificate Validation

Overview: Affected versions of this package are vulnerable to Improper Certificate Validation in the trustedCertPool function, which only parses the first PEM block from CA certificate files. An attacker can bypass certificate chain validation by providing a multi-certificate PEM bundle where only...

CVSS 6.9 | AI score 5.5 | EPSS 0.0016
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Race Condition

Overview: Affected versions of this package are vulnerable to Race Condition in the heartbeat process. An attacker can cause the server to crash or become unresponsive by triggering concurrent session heartbeat and closure operations, leading to a panic or deadlock due to improper synchronization...

CVSS 8.7 | AI score 5.5 | EPSS 0.00202
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Improper Authentication

Overview: Affected versions of this package are vulnerable to Improper Authentication in the HTTP vhost routing process when routeByHTTPUser is used for access control. An attacker can gain unauthorized access to protected backend services by sending proxy-style requests that use a known or guesse...

CVSS 9.1 | AI score 5.5 | EPSS 0.00269
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Guessable CAPTCHA

Overview: wwbn/avideo is an Audio and Video Platform, or simply "A Video Platform". Affected versions of this package are vulnerable to Guessable CAPTCHA through the objects/getCaptcha.php process. An attacker can bypass CAPTCHA protections by manipulating the ql parameter to generate trivially sho...

CVSS 6.9 | AI score 5.4 | EPSS 0.00218
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Cross-site Request Forgery (CSRF)

Overview: wwbn/avideo is an Audio and Video Platform, or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the commentDelete.json.php process. An attacker can cause unauthorized deletion of comments by tricking an authenticated user...

CVSS 5.4 | AI score 5.4 | EPSS 0.00113
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Authorization Bypass Through User-Controlled Key

Overview: wwbn/avideo is an Audio and Video Platform, or simply "A Video Platform". Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the list.json.php endpoint. An attacker can access sensitive stream keys and OAuth tokens belonging to other...

CVSS 7.1 | AI score 5.4 | EPSS 0.00269
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via improper validation in the sanitizePath function. An attacker can access or modify files outside the intended directory boundary by crafting paths that bypass prefix-based checks. Details: A Directory Traversal...

CVSS 8.8 | AI score 6.3 | EPSS 0.00439
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Unsafe Dependency Resolution

Overview: Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the artifact creation process. An attacker can gain unauthorized access to sensitive credentials by extracting workflow artifacts containing the GITHUB_TOKEN. Remediation: Upgrade...

CVSS 9.3 | AI score 5.5 | EPSS 0.00245
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Cross-site Request Forgery (CSRF)

Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the GET routes that change state. An attacker can cause authenticated users to unintentionally delete files or create directories by tricking them into visiting a crafted URL, as there is no validatio...

CVSS 8.1 | AI score 5.4 | EPSS 0.00143
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via improper validation in the sanitizePath function. An attacker can access or modify files outside the intended directory boundary by crafting paths that bypass prefix-based checks. Details: A Directory Traversal...

CVSS 8.8 | AI score 6.4 | EPSS 0.00439
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Insertion of Sensitive Information into Log File

Overview: Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the collaborator websocket feed, which broadcasts raw request headers, including sensitive authorization data, before access control is enforced. An attacker can gain unauthorized...

CVSS 8.8 | AI score 5.5 | EPSS 0.00311
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the SFTP authentication process when the server is configured with an empty username and a password using the -b ':pass' flag together with -sftp. An attacker can gain unauthorized access...

CVSS 9.8 | AI score 5.8 | EPSS 0.00478
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the SFTP authentication process when the server is configured with an empty username and a password using the -b ':pass' flag together with -sftp. An attacker can gain unauthorized access...

CVSS 9.8 | AI score 5.6 | EPSS 0.00478
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Unsafe Dependency Resolution

Overview: Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the artifact creation process. An attacker can gain unauthorized access to sensitive credentials by extracting workflow artifacts containing the GITHUB_TOKEN. Remediation: Upgrade...

CVSS 9.3 | AI score 5.8 | EPSS 0.00245
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Insertion of Sensitive Information into Log File

Overview: Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the collaborator websocket feed, which broadcasts raw request headers, including sensitive authorization data, before access control is enforced. An attacker can gain unauthorized...

CVSS 8.8 | AI score 5.8 | EPSS 0.00311
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Cross-site Request Forgery (CSRF)

Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the GET routes that change state. An attacker can cause authenticated users to unintentionally delete files or create directories by tricking them into visiting a crafted URL, as there is no validatio...

CVSS 8.1 | AI score 5.8 | EPSS 0.00143
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Active Debug Code

Overview: wwbn/avideo is an Audio and Video Platform, or simply "A Video Platform". Affected versions of this package are vulnerable to Active Debug Code via the git.json.php file. An attacker can obtain sensitive information, including developer email addresses, deployed commit hashes, and commit...

CVSS 6.9 | AI score 5.5 | EPSS 0.0025
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Out-of-bounds Read

Overview: cudaq provides Python bindings for the CUDA-Q toolkit for heterogeneous quantum-classical workflows. Affected versions of this package are vulnerable to Out-of-bounds Read via the endpoint process. An attacker can access sensitive information and cause a denial of service by sending a...

CVSS 8.8 | AI score 5.8 | EPSS 0.0032
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Out-of-bounds Read

Overview: Affected versions of this package are vulnerable to Out-of-bounds Read via the endpoint process. An attacker can access sensitive information and cause a denial of service by sending a maliciously crafted request. Remediation: A fix was pushed into the master branch but not yet published...

CVSS 8.8 | AI score 5.8 | EPSS 0.0032
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Allocation of Resources Without Limits or Throttling

Overview: @next-ai-drawio/mcp-server is an MCP server for Next AI Draw.io (AI-powered diagram generation with real-time browser preview). Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the handleStateApi, handleRestoreApi, and...

CVSS 8.7 | AI score 5.8 | EPSS 0.00146
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

Overview: Affected versions of this package are vulnerable to Reliance on Undefined, Unspecified, or Implementation-Defined Behavior via the decode_signed32 function in src/bacnet/bacint.c, which reconstructs a 32-bit signed integer from four APDU bytes using signed left shifts. When any of the four...

CVSS 6.3 | AI score 5.4 | EPSS 0.00242
Exploits: 1 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Server-side Request Forgery (SSRF)

Overview: bagisto/bagisto is a hand-tailored e-commerce framework built on open-source technologies such as Laravel (a PHP framework) and Vue.js (a progressive JavaScript framework). Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the copy function of the...

CVSS 6.5 | AI score 6.6 | EPSS 0.00201
Exploits: 0 | References: 2
Snyk, added 2026/04/22 5:06 p.m.

Cross-site Scripting (XSS)

Overview: bagisto/bagisto is a hand-tailored e-commerce framework built on open-source technologies such as Laravel (a PHP framework) and Vue.js (a progressive JavaScript framework). Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the Custom Scripts interface. An...

CVSS 5.4 | AI score 5.5 | EPSS 0.00191
Exploits: 0 | References: 2
Snyk, added 2026/04/22 3:31 p.m.

Inclusion of Functionality from Untrusted Control Sphere

Overview: instructlab is the core package for interacting with InstructLab. Affected versions of this package are vulnerable to Inclusion of Functionality from Untrusted Control Sphere via the default trust_remote_code=True used for loading models from HuggingFace in the linux_train.py file. An attacker can execut...

CVSS 8.8 | AI score 6.1 | EPSS 0.00417
Exploits: 0 | References: 2
Snyk, added 2026/04/22 3:03 p.m.

Malicious Package

Overview: @stlm/common-ui is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 | AI score 5.4
Exploits: 0 | References: 2
Snyk, added 2026/04/22 2:56 p.m.

CRLF Injection

Overview: Affected versions of this package are vulnerable to CRLF Injection via the settingsToParameters process. An attacker can execute arbitrary code and alter the configuration of child processes by injecting newline characters into PHP INI values that are forwarded to child processes. This...

CVSS 8.5 | AI score 6.3 | EPSS 0.00191
Exploits: 0 | References: 3
Snyk, added 2026/04/22 2:52 p.m.

Insecure Default Initialization of Resource

Overview: engramx is the context spine for AI coding agents: 9 built-in providers + mcpConfig plugin contract wrap any MCP server in 10 lines, generic MCP-client aggregator stdio, pre-mortem mistake-guard, bi-temporal mistake memory, Anthropic Auto-Memory bridge, SSE stre... Affected versions of th...

CVSS 8.6 | AI score 5.8
Exploits: 0 | References: 5
Snyk, added 2026/04/22 2:49 p.m.

Malicious Package

Overview: sparkling-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 | AI score 5.4
Exploits: 0 | References: 2
Total number of security vulnerabilities: 32391