Lucene search
K

32441 matches found

Snyk
Snyk
added 2026/04/19 9:0 p.m.6 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting XSS leading to cross-site scripting, via custom elements. When CUSTOMELEMENTHANDLING is not enabled, and an attacker has already pollut...

6.9CVSS5.3AI score0.00205EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 9:0 p.m.6 views

Improper Validation of Specified Index, Position, or Offset in Input

Overview uuid is a RFC4122 v1, v4, and v5 compliant UUID library. Affected versions of this package are vulnerable to Improper Validation of Specified Index, Position, or Offset in Input due to accepting external output buffers but not rejecting out-of-range writes small buf or large offset. This...

9.3CVSS5.3AI score0.00337EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 9:0 p.m.8 views

Improper Validation of Specified Index, Position, or Offset in Input

Overview Affected versions of this package are vulnerable to Improper Validation of Specified Index, Position, or Offset in Input due to accepting external output buffers but not rejecting out-of-range writes small buf or large offset. This inconsistency allows silent partial writes into...

9.3CVSS5.8AI score0.00337EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 3:34 p.m.6 views

Cross-site Request Forgery (CSRF)

Overview apache-airflow-providers-keycloak is a Provider package apache-airflow-providers-keycloak for Apache Airflow Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the login authentication process due to missing generation and validation of the OAuth 2.0...

5.4CVSS5.8AI score0.00328EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 9:30 a.m.4 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper XCom value handling. An attacker that is a Dag Author who normally should not be able to execute code in the webserver context can execute arbitrary code by crafting malicious XCom...

7.2CVSS6.1AI score0.00822EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 8:15 a.m.6 views

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound due to improper validation in the CubeSize function in cmslut.c. An attacker can cause an integer overflow by providing crafted input that triggers the multiplication before the overflow check, potentially...

7.5CVSS5.4AI score0.00365EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 3:23 a.m.4 views

Out-of-bounds Write

Overview Affected versions of this package are vulnerable to Out-of-bounds Write in the tga.c process of decoding TGA images using RLE compression, specifically when handling the raw-packet path, due to missing bounds checks. An attacker can achieve arbitrary code execution or cause a denial of...

9.8CVSS6.4AI score0.00314EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 3:22 a.m.5 views

Out-of-bounds Write

Overview Affected versions of this package are vulnerable to Out-of-bounds Write in the XWD decoder when there is a type confusion between bitsperpixel and pixmapdepth during the byte-swap process. An attacker can achieve arbitrary code execution or cause a denial of service by providing a crafte...

9.8CVSS6.4AI score0.00332EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 3:22 a.m.4 views

Out-of-bounds Write

Overview Affected versions of this package are vulnerable to Out-of-bounds Write in the PSD decoding process due to a mismatch between the computed bytes-per-pixel from the image header and the allocated pixel buffer size in LAB 16-bit mode. An attacker can achieve arbitrary code execution or cau...

9.8CVSS6.7AI score0.00367EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 1:25 a.m.7 views

Buffer Over-read

Overview Affected versions of this package are vulnerable to Buffer Over-read via the ptpunpackEOSFocusInfoEx function. An attacker can cause a crash and potentially access sensitive memory contents by supplying specially crafted input from a malicious USB device. Remediation A fix was pushed int...

4.6CVSS5.8AI score0.00187EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 1:25 a.m.6 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the ptpunpackOI function when processing a malicious PTP ObjectInfo response. An attacker can cause the application to read memory beyond the intended buffer by supplying specially crafted data, potentially leading...

6.1CVSS5.9AI score0.00218EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 1:25 a.m.6 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the ptpunpackSonyDPD function when parsing the FormFlag field due to missing bounds checking before reading data. An attacker can cause information disclosure or application instability by supplying crafted input...

5.2CVSS5.8AI score0.00198EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 1:25 a.m.6 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the ptpunpackSonyDPD function when parsing the enumeration count from a buffer without verifying sufficient data remains. An attacker can cause information disclosure or application instability by providing a craft...

6.1CVSS5.9AI score0.00198EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 1:25 a.m.4 views

Server-side Request Forgery (SSRF)

Overview @nocobase/utils is a Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the workflow HTTP request and custom request plugins, which make server-side HTTP requests to user-supplied URLs without proper validation. An attacker can access internal networ...

9.6CVSS5.7AI score0.00384EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:25 a.m.4 views

Server-side Request Forgery (SSRF)

Overview @nocobase/plugin-action-custom-request is a Sending a request to any HTTP service supports sending context data to the target service. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the workflow HTTP request and custom request plugins, which make...

9.6CVSS5.7AI score0.00384EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:25 a.m.5 views

Server-side Request Forgery (SSRF)

Overview @nocobase/plugin-workflow-request is a Send HTTP requests to any HTTP service for data interaction in workflow. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the workflow HTTP request and custom request plugins, which make server-side HTTP...

9.6CVSS5.7AI score0.00384EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:25 a.m.2 views

Server-side Request Forgery (SSRF)

Overview @nocobase/plugin-ai is a Create AI employees with diverse skills to collaborate with humans, build systems, and handle business operations. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the workflow HTTP request and custom request plugins, which...

9.6CVSS5.7AI score0.00384EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:13 a.m.4 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the internal stream buffers SmtpStream, ImapStream, and Pop3Stream not being flushed during the STARTTLS upgrade process. An attacker c...

7.1CVSS5.8AI score0.00223EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:13 a.m.3 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the internal stream buffers SmtpStream, ImapStream, and Pop3Stream not being flushed during the STARTTLS upgrade process. An attacker c...

7.1CVSS5.8AI score0.00223EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:11 a.m.3 views

Cross-site Scripting (XSS)

Overview pretalx is a Conference organisation: CfPs, scheduling, much more Affected versions of this package are vulnerable to Cross-site Scripting XSS in the organizer search. An attacker can execute arbitrary JavaScript code in the context of an organizer's browser by injecting malicious payloa...

8.7CVSS5.8AI score0.00166EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 1:11 a.m.10 views

Improper Encoding or Escaping of Output

Overview pretalx is a Conference organisation: CfPs, scheduling, much more Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via unescaped user-controlled placeholders in mail templates. An attacker can inject arbitrary HTML content into outgoing emails b...

6.1CVSS5.9AI score0.00154EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/18 1:9 a.m.2 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal through improper validation of user-supplied paths in the prefixed function. An attacker can read or write arbitrary files, create directories, and enumerate files outside the intended root directory by sending...

9.6CVSS6.3AI score0.00393EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:9 a.m.9 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal through improper validation of user-supplied paths in the prefixed function. An attacker can read or write arbitrary files, create directories, and enumerate files outside the intended root directory by sending...

9.6CVSS6.3AI score0.00393EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:9 a.m.6 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal through improper validation of user-supplied paths in the prefixed function. An attacker can read or write arbitrary files, create directories, and enumerate files outside the intended root directory by sending...

9.6CVSS6.3AI score0.00393EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:7 a.m.10 views

SQL Injection

Overview dagster is a Dagster is an orchestration platform for the development, production, and observation of data assets. Affected versions of this package are vulnerable to SQL Injection via the construction of SQL WHERE clauses in database I/O manager integrations. An attacker can execute...

8.7CVSS6.1AI score0.00265EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:7 a.m.4 views

SQL Injection

Overview dagster-gcp is a Package for GCP-specific Dagster framework op and resource components. Affected versions of this package are vulnerable to SQL Injection via the construction of SQL WHERE clauses in database I/O manager integrations. An attacker can execute arbitrary SQL commands by...

8.7CVSS6.1AI score0.00265EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:7 a.m.5 views

SQL Injection

Overview dagster-deltalake is a Package for Deltalake-specific Dagster framework op and resource components. Affected versions of this package are vulnerable to SQL Injection via the construction of SQL WHERE clauses in database I/O manager integrations. An attacker can execute arbitrary SQL...

8.7CVSS6.1AI score0.00265EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:7 a.m.4 views

SQL Injection

Overview dagster-snowflake-polars is a Package for integrating Snowflake and Polars with Dagster. Affected versions of this package are vulnerable to SQL Injection via the construction of SQL WHERE clauses in database I/O manager integrations. An attacker can execute arbitrary SQL commands by...

8.7CVSS6.1AI score0.00265EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:7 a.m.6 views

SQL Injection

Overview dagster-snowflake is a Package for Snowflake Dagster framework components. Affected versions of this package are vulnerable to SQL Injection via the construction of SQL WHERE clauses in database I/O manager integrations. An attacker can execute arbitrary SQL commands by creating speciall...

8.7CVSS6.1AI score0.00265EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:7 a.m.4 views

SQL Injection

Overview dagster-duckdb is a Package for DuckDB-specific Dagster framework op and resource components. Affected versions of this package are vulnerable to SQL Injection via the construction of SQL WHERE clauses in database I/O manager integrations. An attacker can execute arbitrary SQL commands b...

8.7CVSS6.1AI score0.00265EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:7 a.m.4 views

Arbitrary Argument Injection

Overview Affected versions of this package are vulnerable to Arbitrary Argument Injection via unsanitized volumeHandle and mounttargetip fields. An attacker can inject unauthorized mount options by supplying specially crafted values to these fields when creating a PersistentVolume, resulting in...

7.7CVSS5.9AI score0.00424EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 1:5 a.m.4 views

Allocation of Resources Without Limits or Throttling

Overview OpenTelemetry.Exporter.Jaeger is a Jaeger exporter for OpenTelemetry .NET Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the span and tag conversion. An attacker can drive sustained memory pressure and denial of service by...

8.2CVSS5.7AI score0.00222EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 1:0 a.m.6 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the formatDataBeforeSave process. An attacker can execute arbitrary SQL commands by supplying crafted input to the idfiche parameter, which is concatenated directly into a SQL query without sanitization. Remediation...

8.8CVSS6.1AI score0.00342EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 1:0 a.m.4 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication in the providerFlowSignIn process. An attacker can gain unauthorized access to another user's account by exploiting improper handling of email verification status from OAuth providers. This allows the attacker to...

9.8CVSS5.8AI score0.00809EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:0 a.m.5 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication in the providerFlowSignIn process. An attacker can gain unauthorized access to another user's account by exploiting improper handling of email verification status from OAuth providers. This allows the attacker to...

9.8CVSS5.8AI score0.00809EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:0 a.m.7 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication in the providerFlowSignIn process. An attacker can gain unauthorized access to another user's account by exploiting improper handling of email verification status from OAuth providers. This allows the attacker to...

9.8CVSS5.8AI score0.00809EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 1:0 a.m.5 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication in the providerFlowSignIn process. An attacker can gain unauthorized access to another user's account by exploiting improper handling of email verification status from OAuth providers. This allows the attacker to...

9.8CVSS5.8AI score0.00809EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 12:59 a.m.5 views

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection via the settingsToParameters process. An attacker can execute arbitrary code and alter configuration by injecting newline characters into PHP INI values that are forwarded to child processes. This is only exploitable if t...

8.5CVSS6.3AI score0.00191EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/18 12:55 a.m.5 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the SubFileSystem method. An attacker can access directories outside the intended confinement by supplying specially crafted paths containing unresolved .. segments. This is only exploitable if the input path is...

4.8CVSS6.4AI score
Exploits0References3
Snyk
Snyk
added 2026/04/18 12:47 a.m.4 views

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the webhook process. An attacker can exhaust system memory by sending oversized POST payloads before signature validation. This is only exploitable if Stripe webhooks are enabled a...

8.2CVSS5.5AI score0.00446EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 12:47 a.m.5 views

Improper Null Termination

Overview Affected versions of this package are vulnerable to Improper Null Termination due to improper null termination in the ptpunpackCanonFE function. An attacker can cause out-of-bounds reads by supplying crafted data that fills the filename buffer exactly, leading to unintended memory access...

3.5CVSS5.9AI score0.00187EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 12:47 a.m.6 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the ptpunpackEOSImageFormat and ptpunpackEOSCustomFuncEx functions due to missing length validation for input buffers. An attacker can cause the application to read out-of-bounds memory by supplying crafted data to...

6.1CVSS5.8AI score0.00218EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 12:46 a.m.2 views

Incomplete List of Disallowed Inputs

Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the run method of the AirtableAgents class, which evaluates LLM-generated Python scripts in a non-sandboxed environment. An attacker can execute...

9.8CVSS6.3AI score0.00464EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 12:46 a.m.4 views

Incomplete List of Disallowed Inputs

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the run method of the AirtableAgents class, which evaluates LLM-generated Python scripts in a non-sandboxed environment. An attacker can execute arbitrary code on the...

9.8CVSS6.3AI score0.00464EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 12:46 a.m.6 views

Incomplete List of Disallowed Inputs

Overview flowise-ui is a Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the run method of the AirtableAgents class, which evaluates LLM-generated Python scripts in a non-sandboxed environment. An attacker can execute arbitrary code on the server by...

9.8CVSS6.3AI score0.00464EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/18 12:45 a.m.5 views

Missing Release of Memory after Effective Lifetime

Overview Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime in the ptpunpackSonyDPD function. An attacker can cause increased memory consumption and potential denial of service by repeatedly triggering property descriptor parsing that leads to...

4.3CVSS5.7AI score0.00181EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/18 12:45 a.m.7 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the ptpunpackDPV function when handling UINT128 and INT128 types. An attacker can cause sensitive information disclosure or application crash by providing a crafted buffer that does not contain enough bytes, leadin...

5.2CVSS5.9AI score0.00198EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 11:40 p.m.7 views

Integer Underflow (Wrap or Wraparound)

Overview Affected versions of this package are vulnerable to Integer Underflow Wrap or Wraparound in the ParseHttpHeaders process. An attacker can cause the application to read memory outside the bounds of the allocated HTTP request buffer by sending a specially crafted SOAPAction header containi...

9.1CVSS5.9AI score0.00674EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 10:42 p.m.10 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the GitHub OAuth callback handler when the refreshInterval query parameter is embedded verbatim into an error message and rendered unescaped into HTML. An attacker can execute arbitrary JavaScript in the...

6.1CVSS5.5AI score0.00209EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/17 10:42 p.m.5 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the GitHub OAuth callback handler when the refreshInterval query parameter is embedded verbatim into an error message and rendered unescaped into HTML. An attacker can execute arbitrary JavaScript in the...

6.1CVSS5.5AI score0.00209EPSS
Exploits0References2
Total number of security vulnerabilities32441