35669 matches found
Malicious Package
Overview base58-cli is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview solana-address-codec is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview base58-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
Malicious Package
Overview @sqlite-list/schema-generator is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview @sqlite-list/sql-creator is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview @sqlite-access/nodesql is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...
Malicious Package
Overview @sqlite-list/createsql is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...
XML External Entity (XXE) Injection
Overview ebookmeta is a Read/write ebook metadata for fb2, epub2 and epub3 files Affected versions of this package are vulnerable to XML External Entity XXE Injection in the ebookmeta.getmetadata function via lxml dependency allows attackers to access sensitive information or cause a Denial of...
Malicious Package
Overview ollama-helpers is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview openai-agents-helpers is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview mcp-server-pg is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @langgraphjs/toolkit is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview anthropic-toolkit is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @aspect-security/argon2 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...
Malicious Package
Overview ai-sdk-helpers is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @engagehub/core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @engagehub/test-claim is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview brunomenozzi-test-pkg is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @43uh3ig43/telemetry-client is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview harmony-enablers-test-2026 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview @apexcraft/nano-key is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
External Control of File Name or Path
Overview egroupware/egroupware is a library that extends a classic groupware with an integrated CRM-system, a secure file-server and Collabora Online Office. Affected versions of this package are vulnerable to External Control of File Name or Path via the processURL2InlineImages process. An...
NULL Pointer Dereference
Overview onnx is an Open Neural Network Exchange Affected versions of this package are vulnerable to NULL Pointer Dereference in the adaptupsample67 function when processing a model containing an Upsample node with zero inputs. An attacker can cause a crash and denial of service by submitting a...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the GET /api/oauth/email/bind and GET /api/oauth/wechat/bind endpoints. An attacker can alter account binding state by tricking a logged-in user into visiting a crafted link, potentially allowing the...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the GET /api/oauth/email/bind and GET /api/oauth/wechat/bind endpoints. An attacker can alter account binding state by tricking a logged-in user into visiting a crafted link, potentially allowing the...
Eval Injection
Overview egroupware/egroupware is a library that extends a classic groupware with an integrated CRM-system, a secure file-server and Collabora Online Office. Affected versions of this package are vulnerable to Eval Injection via the expandname function. An attacker can execute arbitrary OS comman...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal in the /skin/ action endpoint when running on Jetty 12 or later. An attacker can access arbitrary files on the server by crafting a URL containing encoded directory traversal sequences. This is only exploitable if th...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal in the /skin/ action endpoint when running on Jetty 12 or later. An attacker can access arbitrary files on the server by crafting a URL containing encoded directory traversal sequences. This is only exploitable if th...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the notification URL validation process. An attacker can access internal network resources and potentially expose sensitive internal data by configuring notification URLs to point to hostnames that...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the notification URL validation process. An attacker can access internal network resources and potentially expose sensitive internal data by configuring notification URLs to point to hostnames that...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the notification URL validation process. An attacker can access internal network resources and potentially expose sensitive internal data by configuring notification URLs to point to hostnames that...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the notification URL validation process. An attacker can access internal network resources and potentially expose sensitive internal data by configuring notification URLs to point to hostnames that...
Authorization Bypass Through User-Controlled Key
Overview egroupware/egroupware is a library that extends a classic groupware with an integrated CRM-system, a secure file-server and Collabora Online Office. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via improper authorization checks in t...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the BaseSerialization.deserialize process. An attacker can execute arbitrary code on the API Server or Scheduler by embedding a malicious trigger into a serialized DAG, which is then deserialized and...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration via the dep.source and dep.target fields in the scheduling graph endpoint. An attacker can obtain identifiers of resources they are not authorized to access by inspecting dependency information exposed...
Improper Removal of Sensitive Information Before Storage or Transfer
Overview Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the Bulk Variables API due to the redact function being called without the variable key, which prevents the shouldhidevalueforkey check from triggering on...
Improper Removal of Sensitive Information Before Storage or Transfer
Overview apache-airflow is a platform to programmatically author, schedule, and monitor workflows. Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the Config API when per-key secrets backend overrides are configured via...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the GET /api/v2/dagSources/dagid endpoint, which returns the entire source file containing multiple DAGs without redacting those the user is not authorized to access. An attacker can...
Improper Removal of Sensitive Information Before Storage or Transfer
Overview Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the REST API task-instance detail and list endpoints, which returned deferred task trigger keyword arguments without masking sensitive data. An attacker can access...
Malicious Package
Overview chai-spycore is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview express-firegate is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview express-deflect is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Improper Restriction of Rendered UI Layers or Frames
Overview ajenti is a Linux & BSD web admin panel. Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames through the lack of anti-framing protections in the HTTP response process. An attacker can trick users into interacting with a maliciously...
Cross-site Scripting (XSS)
Overview org.webjars.npm:showdown is a JavaScript Markdown to HTML converter. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the parseHeaders function. An attacker can execute arbitrary scripts in the context of users viewing rendered markdown by injecting special...
Cross-site Scripting (XSS)
Overview showdown is a JavaScript Markdown to HTML converter. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the parseHeaders function. An attacker can execute arbitrary scripts in the context of users viewing rendered markdown by injecting specially crafted table...
Use After Free
Overview Affected versions of this package are vulnerable to Use After Free in the query completion process. An attacker can cause memory corruption and application crash by sending crafted DNS responses that manipulate the sequence of query completions, such as forcing an EDNS-downgrade retry an...
Uncaught Exception
Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Uncaught Exception through the rejection sampler process. An attacker can cause the engine worker to crash and abort concurrent requests by sending...
Insufficient Verification of Data Authenticity
Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the ForwardAuth process when trustForwardHeader is set to false. An attacker can bypass port-based authorization checks by injecting a crafted X-Forwarded-Proto header over an unencrypte...
Insufficient Verification of Data Authenticity
Overview github.com/traefik/traefik/v2/pkg/middlewares/auth is a Cloud Native Application Proxy. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the ForwardAuth process when trustForwardHeader is set to false. An attacker can bypass port-based...
Insufficient Verification of Data Authenticity
Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the ForwardAuth process when trustForwardHeader is set to false. An attacker can bypass port-based authorization checks by injecting a crafted X-Forwarded-Proto header over an unencrypte...