32391 matches found
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the HTTP resolver process. An attacker can cause excessive memory consumption and termination of the tekton-pipelines-resolvers pod by directing it to retrieve a very large HT...
Arbitrary Argument Injection
Overview Affected versions of this package are vulnerable to Arbitrary Argument Injection via the ResolutionRequest process. An attacker can execute arbitrary code on the resolver pod and exfiltrate cluster-wide secrets by injecting malicious commands into the revision parameter of the git...
Cross-site Scripting (XSS)
Overview astro is an Astro is a modern site builder with web best practices, performance, and DX front-of-mind. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the defineScriptVars function due to incomplete sanitization of closing tags within injected variables. A...
XML External Entity (XXE) Injection
Overview Affected versions of this package are vulnerable to XML External Entity XXE Injection via the iterparse or ETCompatXMLParser functions when resolveentities is set to allow external entities. An attacker can access local files by providing crafted XML input containing external entity...
Incomplete List of Disallowed Inputs
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the run function of the CSVAgents class when evaluating LLM-generated Python scripts in a pyodide environment without sufficient sandboxing. An attack...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the commentable field in the API, which allows access to all commentable resources without permission checks. An attacker can retrieve sensitive information by sending unauthenticated requests to the /api...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the commentable field in the API, which allows access to all commentable resources without permission checks. An attacker can retrieve sensitive information by sending unauthenticated requests to the /api...
Infinite loop
Overview org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are...
Uncontrolled Recursion
Overview org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are...
Use of a Broken or Risky Cryptographic Algorithm
Overview Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the cryptographic algorithm implementation. An attacker can compromise the confidentiality of sensitive information by exploiting weak or insufficient cryptographic algorithms...
Cleartext Transmission of Sensitive Information
Overview org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are...
XML External Entity (XXE) Injection
Overview org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are...
Use of a Broken or Risky Cryptographic Algorithm
Overview org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are...
Use of a Broken or Risky Cryptographic Algorithm
Overview Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the key generation. An attacker can compromise the confidentiality of generated cryptographic keys by exploiting weak or predictable key material. Remediation A fix was pushed into the...
Uncontrolled Recursion
Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via certificate chain validation logic. An attacker can cause a denial of service by supplying a crafted certificate chain that triggers excessive recursion or stack usage during validation, resulting in a stack...
XML External Entity (XXE) Injection
Overview Affected versions of this package are vulnerable to XML External Entity XXE Injection via the XML parsing. An attacker can access sensitive information by submitting a specially crafted XML input that is processed without proper external entity restrictions. Details XXE Injection is a ty...
Out-of-bounds Read
Overview org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are...
Use of a Broken or Risky Cryptographic Algorithm
Overview org.graalvm.sdk:graal-sdk is a high-performance JDK distribution designed to accelerate the execution of applications written in Java and other JVM languages along with support for JavaScript, Ruby, Python, and a number of other popular languages. Affected versions of this package are...
Cleartext Transmission of Sensitive Information
Overview Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information in the Kerberos credentialing. An attacker can intercept sensitive information by capturing unencrypted credentials during transmission. Remediation A fix was pushed into the master branch...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the Zip file reading. An attacker can cause a denial of service by providing a specially crafted zip file that triggers an out-of-bounds read. Remediation A fix was pushed into the master branch but not yet...
Heap-based Buffer Overflow
Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the Arena memory allocation. An attacker can cause unintended modification of data by providing specially crafted input that manipulates memory allocation boundaries. Remediation A fix was pushed into the...
Infinite loop
Overview Affected versions of this package are vulnerable to Infinite loop via the Java networking APIs. An unauthenticated attacker can cause repeated crashes or hangs by sending crafted network input to applications using the affected networking components, leading to denial of service...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the Webroot HTTP-01 challenge provider. An attacker can write arbitrary files to the filesystem by supplying crafted challenge tokens containing directory traversal sequences. Details A Directory Traversal attack...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the Webroot HTTP-01 challenge provider. An attacker can write arbitrary files to the filesystem by supplying crafted challenge tokens containing directory traversal sequences. Details A Directory Traversal attack...
Time-of-check Time-of-use (TOCTOU) Race Condition
Overview org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition in the JdbcOneTimeTokenService component. An attacker can gain...
Incorrect Authorization
Overview github.com/oauth2-proxy/oauth2-proxy/v7 is a reverse proxy that provides authentication with Google, Github or other providers. Affected versions of this package are vulnerable to Incorrect Authorization in the email domain validation. An attacker can gain unauthorized access by submitti...
Incorrect Authorization
Overview github.com/oauth2-proxy/oauth2-proxy is a reverse proxy that provides authentication with Google, Github or other providers. Affected versions of this package are vulnerable to Incorrect Authorization in the email domain validation. An attacker can gain unauthorized access by submitting ...
Memory Allocation with Excessive Size Value
Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value through the source.view path in font/sfnt. An attacker can force the parser to allocate a large read buffer by supplying a corrupt or malicious font file that advertises data beyond the file's...
Memory Allocation with Excessive Size Value
Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value through the source.view path in font/sfnt. An attacker can force the parser to allocate a large read buffer by supplying a corrupt or malicious font file that advertises data beyond the file's...
Memory Allocation with Excessive Size Value
Overview golang.org/x/image/webp is a Package webp implements a decoder for WEBP images. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value. An attacker can cause a crash by supplying a WEBP image with an invalid, very large declared size, triggering a...
UNIX Symbolic Link (Symlink) Following
Overview @anthropic-ai/claude-code is an Use Claude, Anthropic's AI assistant, right from your terminal. Claude can understand your codebase, edit files, run terminal commands, and handle entire workflows for you. Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the asset and blueprint file operations in the CMS and Tailor editor extensions. An attacker can gain unauthorized access to perform file operations such as create, delete, rename, move, or upload on theme...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the DataTable widget when a query parameter is rendered without proper output escaping. An attacker can execute arbitrary scripts in the context of the user's browser by tricking a user into visiting a craft...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the handling of CSS preprocessor files. An attacker can access arbitrary files from the server by leveraging the import functionality in .less, .sass, or .scss files, even when cms.safemode is enabled. This is...
Incomplete List of Disallowed Inputs
Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the Twig sandbox security policy, which permits database write operations even when safe mode is enabled. An attacker with Developer permissions can modify, insert, or delete data in any database...
Out-of-bounds Write
Overview Affected versions of this package are vulnerable to Out-of-bounds Write through asyncio.AbstractEventLoop.sockrecvfrominto in the Windows ProactorEventLoop datagram receive path. An attacker can trigger a ValueError-free out-of-bounds receive by supplying an nbytes value larger than the...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the /index.php/Speciaal:GefacetteerdZoeken parameter. An attacker can execute arbitrary JavaScript in a victim's browser by crafting a malicious URL and tricking the user into visiting it, potentially leadin...
Regular Expression Denial of Service (ReDoS)
Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the contextMatcher and pathMatcher functions. An attacker can cause the server to become unresponsive and exhaust CPU...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the serverURL parameter when it is set to an attacker-controlled endpoint. An attacker can obtain sensitive API tokens by crafting a resource that omits the Git API token parameter, causing the...
Permissive Regular Expression
Overview Affected versions of this package are vulnerable to Permissive Regular Expression in the VerificationPolicy module when matchin refSource.URITekton. An attacker can alter verification modes or keys and potentially compromise the integrity of CI/CD pipelines by supplying resources source...
SQL Injection
Overview Glances is an A cross-platform curses-based monitoring tool Affected versions of this package are vulnerable to SQL Injection via unsanitized configuration values in the Cassandra export module. An attacker can redirect monitoring data to an unauthorized Cassandra keyspace and exfiltrate...
Server-side Request Forgery (SSRF)
Overview Glances is an A cross-platform curses-based monitoring tool Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the publicapi configuration parameter of the IP plugin. An attacker can cause the application to send unauthorized HTTP requests to arbitrar...
Access Control Bypass
Overview @gitlawb/openclaude is an OpenClaude opens coding-agent workflows to any LLM — OpenAI, Gemini, DeepSeek, Ollama, and 200+ models Affected versions of this package are vulnerable to Access Control Bypass via the bashToolHasPermission function. An attacker can access or modify files outsid...
Permissive Cross-domain Policy with Untrusted Domains
Overview Glances is an A cross-platform curses-based monitoring tool Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via the REST API when a permissive CORS policy is configured, allowing unauthenticated cross-origin requests to access...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the loadimage and encodeimagebase64 functions in LMDeploy's vision-language module, which fetch URLs without validating whether the destination is an internal or private address. An attacker can acce...
Remote Code Execution (RCE)
Overview Affected versions of this package are vulnerable to Remote Code Execution RCE via ExpectedArtifactExpressionEvaluationPostProcessor, which may accept and process SpEL expressions that reference and load arbitrary classes. An attacker can execute code by supplying malicious strings as inp...
Remote Code Execution (RCE)
Overview Affected versions of this package are vulnerable to Remote Code Execution RCE via insufficient sanitization of user inputs to reference, path, and branch parameters when handling git resources in GitJobExecutor. An attacker can inject commands, exposing credentials, removing files, or...
Malicious Package
Overview com.tencent.puerts.agent is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview internalinsightsenabled is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...
Cleartext Storage of Sensitive Information
Overview typo3/cms-core is a free open source enterprise content management system. Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information due to the SetupModuleController module merging entity data with user-interface settings before storing them in DB. An...