32837 matches found
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal in the HTMLExporter.embedimages function. An attacker can access sensitive files on the conversion host by crafting malicious notebooks containing image references that perform path traversal, resulting in the files...
Improper Certificate Validation
Overview Affected versions of this package are vulnerable to Improper Certificate Validation in the certificate authentication process when disablebinding=true is set. An attacker can extend the lifetime of dynamic leases held by the original token by renewing tokens using a sibling certificate a...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the ExtractAttachmentsPreprocessor function. An attacker can write arbitrary files to locations outside the intended output directory by crafting cell attachment filenames containing path traversal sequences...
Improper Restriction of Security Token Assignment
Overview Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment via the token store process. An attacker can cause unauthorized renewal or revocation of tokens across namespaces by obtaining token accessors and leveraging privileged administrator...
Malicious Package
Overview apple-cloudkit-internal is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...
Malicious Package
Overview ac-sasskit-internal is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview cktool.core.internal is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview apple-idms-internal is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview cktool.config is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview cktool.api is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious Package
Overview apple-auth-internal is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview apple-internal-security-poc-frank is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...
Malicious Package
Overview cktool.internal is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Cleartext Transmission of Sensitive Information
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information via the ws:// gateway endpoint. An attacker can intercept sensitive information by redirecting clients to malicious endpoints or forging...
Improper Verification of Cryptographic Signature
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the Nostr DM ingress path. An attacker can cause unauthorized pairing challenges to be issued and consume shared pairing capacity by...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation of certain client metadata fields when explicitly enabled. An attacker possessing a valid Initial Access Token can dynamically register a malicious client with crafted metadata. Depending on the metadata provid...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Group Replication Plugin. An attacker can cause the server to hang or crash repeatedly by sending crafted requests over the network. Remediation Upgrade libmysqlclient to...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Optimizer component. An attacker can cause the server to hang or crash repeatedly by sending crafted requests over the network while authenticated with high privileges...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the InnoDB component. An attacker can cause the server to hang or crash repeatedly by sending crafted requests over the network with high privileges. Remediation Upgrade...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Optimizer component. An attacker can cause the application to hang or crash by sending specially crafted requests over the network while authenticated with high privileges...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the JSON component. An attacker can cause the server to hang or crash repeatedly by sending specially crafted requests over the network. Remediation Upgrade libmysqlclient to versi...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Optimizer component. An attacker can cause the server to hang or crash repeatedly by sending crafted requests over the network while authenticated with high privileges...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Optimizer component. An attacker can cause the server to hang or crash repeatedly by sending crafted requests over the network. Remediation Upgrade libmysqlclient to version...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Optimizer component. An attacker can cause the server to hang or crash repeatedly by sending specially crafted requests over the network. This is only exploitable if the...
Missing Release of Resource after Effective Lifetime
Overview Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the DML component. An attacker can cause the server to hang or crash repeatedly by sending crafted requests over the network with high privileges. Remediation Upgrade libmysqlclie...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the InnoDB component. An attacker can cause the server to hang or repeatedly crash by sending specially crafted requests over the network. This is only exploitable if the attacker...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the InnoDB component. An attacker can cause the server to hang or crash repeatedly by sending specially crafted requests over the network. Remediation Upgrade libmysqlclient to...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the InnoDB component. An attacker can cause the server to hang or crash repeatedly by sending crafted requests over the network with high privileges. Remediation Upgrade...
Insertion of Sensitive Information Into Sent Data
Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the Information Schema component. An attacker can gain unauthorized access to sensitive data by sending crafted requests over the network. Remediation Upgrade libmysqlclient to versi...
Insertion of Sensitive Information into Externally-Accessible File or Directory
Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Externally-Accessible File or Directory via the Information Schema component. An attacker can gain unauthorized access to sensitive data by sending crafted requests over the network with high...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Optimizer component. An attacker can cause the server to hang or crash repeatedly by sending specially crafted requests over the network. Remediation Upgrade libmysqlclient to...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Optimizer component. An attacker can cause the server to hang or crash repeatedly by sending specially crafted requests over the network. Remediation Upgrade libmysqlclient to...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the InnoDB component. An attacker can cause the server to hang or repeatedly crash by sending crafted requests over the network with high privileges. Remediation Upgrade...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the DML component. An attacker can cause the server to hang or crash repeatedly by sending specially crafted requests over the network. Remediation Upgrade libmysqlclient to versio...
Missing Release of Resource after Effective Lifetime
Overview Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime in the Group Replication Plugin. An attacker can cause the server to hang or crash repeatedly by sending crafted requests over the network. Remediation Upgrade libmysqlclient to versi...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Optimizer component. An attacker can cause the server to hang or crash repeatedly by sending specially crafted requests over the network. Remediation Upgrade libmysqlclient to...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Group Replication Plugin. An attacker can cause the server to hang or crash repeatedly by sending crafted requests over the network. Remediation Upgrade libmysqlclient to...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass through the authentication process. An attacker can maintain unauthorized access to protected resources and perform actions such as reading, modifying, or creating new accounts by using previously issued bearer...
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass through the authentication process. An attacker can maintain unauthorized access to protected resources and perform actions such as reading, modifying, or creating new accounts by using previously issued bearer...
Missing Origin Validation in WebSockets
Overview Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via missing origin validation in all WebSocket endpoints. An attacker can gain unauthorized access to authenticated WebSocket sessions by tricking a logged-in administrator into visiting a malicio...
Missing Origin Validation in WebSockets
Overview Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via missing origin validation in all WebSocket endpoints. An attacker can gain unauthorized access to authenticated WebSocket sessions by tricking a logged-in administrator into visiting a malicio...
Missing Origin Validation in WebSockets
Overview Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via missing origin validation in all WebSocket endpoints. An attacker can gain unauthorized access to authenticated WebSocket sessions by tricking a logged-in administrator into visiting a malicio...
Command Injection
Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Command Injection via preview MCP server endpoints POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. An attacker can execute arbitrary commands by accessin...
Embedded Malicious Code
Overview pgserve is an Embedded PostgreSQL server with true concurrent connections - zero config, auto-provision databases Affected versions of this package are vulnerable to Embedded Malicious Code that injects a credential-harvesting script that runs via postinstall on every npm install. It...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the managed authenticated encryptor while computing HMAC validation tag. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Note: Shared framework...
Command Injection
Overview flowsint is an Add your description here Affected versions of this package are vulnerable to Command Injection via the orgtoasn transform process. An attacker can execute arbitrary operating system commands as root on the host machine by supplying shell metacharacters and escaping the...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Optimizer. Remediation Upgrade libmysqlclient to version 8.1.0 or higher. References - Oracle Security Advisory - Red Hat Bugzilla Bug...
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Overview aws-encryption-sdk is an AWS Encryption SDK implementation for Python Affected versions of this package are vulnerable to Selection of Less-Secure Algorithm During Negotiation 'Algorithm Downgrade' via the shared key cache. An attacker can bypass key commitment policy enforcement by...
Symlink Attack
Overview Affected versions of this package are vulnerable to Symlink Attack via the setkey and unsetkey functions. An attacker can overwrite arbitrary files by creating a crafted symbolic link that is followed during a cross-device rename fallback. PoC python import os import sys import tempfile...
Directory Traversal
Overview openmage/magento-lts is a This repository is the home of an unofficial community-driven project. Affected versions of this package are vulnerable to Directory Traversal through the files request parameter in the dataflow import parsers. An attacker with administrative privileges can read...