Incorrect Authorization
Snyk, added 2026/04/17 10:0 p.m. (3 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization through the operator.write configuration. An attacker can modify and persist unauthorized profile configurations by sending crafted HTTP requests to affected...

CVSS 6.5 | AI score 5.8 | EPSS 0.00218 | Exploits 0 | References 3

Binding to an Unrestricted IP Address
Snyk, added 2026/04/17 9:59 p.m. (8 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Binding to an Unrestricted IP Address via the CDP relay. An attacker can gain unauthorized access to the Chrome DevTools Protocol by connecting from outside the intended local or sandboxe...

CVSS 9.6 | AI score 5.8 | EPSS 0.00214 | Exploits 0 | References 2

Missing Authorization
Snyk, added 2026/04/17 9:58 p.m. (4 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Missing Authorization in the channel setup. An attacker can gain unauthorized access to privileged plugin functionality by introducing untrusted workspace plugin shadows that are resolved...

CVSS 8.8 | AI score 5.8 | EPSS 0.00386 | Exploits 0 | References 2

Incorrect Authorization
Snyk, added 2026/04/17 9:58 p.m. (5 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via improper validation of the outPath parameter in the screen recording. An attacker can write files outside the intended workspace boundary by specifying a path...

CVSS 7.1 | AI score 5.8 | EPSS 0.0022 | Exploits 0 | References 3

DNS Rebinding
Snyk, added 2026/04/17 9:58 p.m. (3 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to DNS Rebinding via improper hostname validation in the browser navigation policy. An attacker can access internal network resources or sensitive endpoints by exploiting DNS rebinding...

CVSS 8.3 | AI score 5.7 | EPSS 0.00199 | Exploits 0 | References 2

External Control of System or Configuration Setting
Snyk, added 2026/04/17 9:56 p.m. (8 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to External Control of System or Configuration Setting via the loading of workspace .env files. An attacker can manipulate runtime-control variables by crafting a malicious .env file that se...

CVSS 8.8 | AI score 5.7 | EPSS 0.00203 | Exploits 0 | References 2

Directory Traversal
Snyk, added 2026/04/17 9:56 p.m. (6 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Directory Traversal in the handling of Discord event cover image parameters, which could bypass the intended media normalization. An attacker can access host-local media references by...

CVSS 7.7 | AI score 6.4 | EPSS 0.00259 | Exploits 0 | References 2

Missing Authorization
Snyk, added 2026/04/17 9:55 p.m. (4 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Missing Authorization in the approval authorization. An attacker can gain unauthorized approval rights by exploiting empty approver lists, allowing them to resolve pending approvals if th...

CVSS 7.6 | AI score 5.7 | EPSS 0.00244 | Exploits 0 | References 2

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Snyk, added 2026/04/17 9:55 p.m. (5 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in the agent hook event processing. An attacker can escalate privileges by supplying craft...

CVSS 9.8 | AI score 5.8 | EPSS 0.0019 | Exploits 0 | References 2

Incomplete List of Disallowed Inputs
Snyk, added 2026/04/17 9:54 p.m. (10 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs due to insufficient filtering of high-risk interpreter startup environment variables in the execution environment policy. An attacker can influence...

CVSS 9.1 | AI score 5.9 | EPSS 0.00392 | Exploits 0 | References 2

Command Injection
Snyk, added 2026/04/17 9:53 p.m. (4 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Command Injection via improper handling of environment variable assignments in argv forms during shell-wrapper detection. An attacker can execute arbitrary commands by injecting specially...

CVSS 9.2 | AI score 6 | EPSS 0.00407 | Exploits 0 | References 2

Incorrect Authorization
Snyk, added 2026/04/17 9:53 p.m. (10 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the /dreaming path in the operator.write. An attacker can modify persistent memory dreaming settings by sending write-scoped gateway requests, resulting in...

CVSS 7.1 | AI score 5.7 | EPSS 0.00213 | Exploits 0 | References 3

Missing Authorization
Snyk, added 2026/04/17 9:50 p.m. (6 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Missing Authorization in the delivery queue recovery. An attacker can bypass group tool-policy enforcement for media replay by replaying recovered queued outbound media without the origin...

CVSS 6.5 | AI score 5.7 | EPSS 0.00214 | Exploits 0 | References 2

Time-of-check Time-of-use (TOCTOU) Race Condition
Snyk, added 2026/04/17 9:48 p.m. (4 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to missed detection of local async exec completion events during heartbeat owner downgrade. An attacker can maintain a process in a mor...

CVSS 9.1 | AI score 5.7 | EPSS 0.00288 | Exploits 0 | References 2

Incorrect Authorization
Snyk, added 2026/04/17 9:48 p.m. (6 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization due to the heartbeat owner downgrade not properly handling untrusted webhook wake events. An attacker can maintain elevated privileges by sending specially crafted...

CVSS 9.8 | AI score 5.8 | EPSS 0.00423 | Exploits 0 | References 2

Improper Removal of Sensitive Information Before Storage or Transfer
Snyk, added 2026/04/17 9:47 p.m. (8 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the sourceConfig and runtimeConfig alias fields, which were not properly redacted. An attacker can obtain sensitive...

CVSS 7.1 | AI score 5.8 | EPSS 0.00333 | Exploits 0 | References 2

Incorrect Authorization
Snyk, added 2026/04/17 9:35 p.m. (4 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization when handling collect-mode queue batches, where messages from different senders could be processed together using the authorization context of the final sender. An...

CVSS 8.1 | AI score 5.7 | EPSS 0.0022 | Exploits 0 | References 2

Authorization Bypass Through User-Controlled Key
Snyk, added 2026/04/17 9:35 p.m. (4 views)

Overview: flowise is a Flowiseai Server. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the generateTextToSpeech handler in text-to-speech/index.ts. An attacker can retrieve text-to-speech settings from a chatflow in another workspace by...

CVSS 8.2 | AI score 5.7 | EPSS 0.00261 | Exploits 1 | References 2

Insertion of Sensitive Information Into Sent Data
Snyk, added 2026/04/17 9:34 p.m. (9 views)

Overview: flowise is a Flowiseai Server. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the getSinglePublicChatflow handler in chatflows/index.ts. An attacker can retrieve sensitive flow configuration by requesting a public chatflow and...

CVSS 8.7 | AI score 5.7 | EPSS 0.00421 | Exploits 1 | References 2

Authorization Bypass Through User-Controlled Key
Snyk, added 2026/04/17 9:34 p.m. (6 views)

Overview: flowise is a Flowiseai Server. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the createDocumentStore, updateDocumentStore, and upsertDocStore paths in documentstore/index.ts and documentstore/index.ts. An attacker can create o...

CVSS 8.8 | AI score 5.8 | EPSS 0.00333 | Exploits 1 | References 2

Symlink Attack
Snyk, added 2026/04/17 9:32 p.m. (5 views)

Overview: compressing is "Everything you need for compressing and uncompressing". Affected versions of this package are vulnerable to Symlink Attack via the isPathWithinParent function. An attacker can overwrite arbitrary files outside the intended extraction directory by supplying a malicious...

CVSS 8.6 | AI score 5.9 | EPSS 0.00334 | Exploits 2 | References 2

Not Failing Securely ('Failing Open')
Snyk, added 2026/04/17 9:31 p.m. (2 views)

Overview: openviking is an Agent-native context database. Affected versions of this package are vulnerable to Not Failing Securely ('Failing Open') via the VikingBot OpenAPI HTTP route when the apikey configuration value is unset or empty. An attacker can invoke privileged bot-control functionalit...

CVSS 9.1 | AI score 5.5 | EPSS 0.00571 | Exploits 1 | References 2

Insufficient Granularity of Access Control
Snyk, added 2026/04/17 9:30 p.m. (5 views)

Overview: mcp-neo4j-cypher is a simple Neo4j MCP server. Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the readonly mode in CALL procedures. An attacker can perform unauthorized actions and potentially access internal resources by bypassing...

CVSS 4.9 | AI score 5.4 | EPSS 0.00264 | Exploits 0 | References 2

XML Injection
Snyk, added 2026/04/17 9:0 p.m. (8 views)

Overview: org.webjars.npm:xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection due to unvalidated comment serialization. When an application uses the package to create an XML...

CVSS 8.7 | AI score 5.4 | EPSS 0.00365 | Exploits 0 | References 2

XML Injection
Snyk, added 2026/04/17 9:0 p.m. (14 views)

Overview: xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. Affected versions of this package are vulnerable to XML Injection due to unvalidated comment serialization. When an application uses the package to create an XML comment from...

CVSS 8.7 | AI score 5.4 | EPSS 0.00365 | Exploits 0 | References 2

Cross-site Scripting (XSS)
Snyk, added 2026/04/17 9:0 p.m. (6 views)

Overview: i18nextify enables localization of any page with zero effort. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via replaceInside, used by the translateProps function in src/localize.js when untrusted translation values containing dangerous URL schemes suc...

CVSS 4.7 | AI score 5.6 | EPSS 0.00144 | Exploits 0 | References 3

Generation of Error Message Containing Sensitive Information
Snyk, added 2026/04/17 9:0 p.m. (7 views)

Overview: Affected versions of this package are vulnerable to Generation of Error Message Containing Sensitive Information due to exposing the exception/stack trace of errors even if api/exposestacktraces was set to false. That could lead to exposing additional information to a potential attacker...

CVSS 7.5 | AI score 5.3 | EPSS 0.00449 | Exploits 0 | References 2

Incorrect Authorization
Snyk, added 2026/04/17 9:0 p.m. (7 views)

Overview: Affected versions of this package are vulnerable to Incorrect Authorization due to allowing users with asset materialize permissions to trigger DAGs outside of their permissions. Remediation: Upgrade apache-airflow-core to version 3.2.0b2 or higher. References: Apache Mailing List; GitH...

CVSS 8.7 | AI score 5.3 | EPSS 0.00426 | Exploits 0 | References 2

XML Injection
Snyk, added 2026/04/17 9:0 p.m. (8 views)

Overview: Affected versions of this package are vulnerable to XML Injection in fxb.js, which does not properly handle closing delimiters for comment and CDATA values. The -- sequence in comment content and the ]]> sequence in CDATA sections can be coopted to close their respective sections early and...

CVSS 6.1 | AI score 5.8 | EPSS 0.00238 | Exploits 1 | References 2

XML Injection
Snyk, added 2026/04/17 9:0 p.m. (8 views)

Overview: @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom. Affected versions of this package are vulnerable to XML Injection du...

CVSS 8.7 | AI score 5.5 | EPSS 0.00365 | Exploits 0 | References 2

Missing Authentication for Critical Function
Snyk, added 2026/04/17 8:8 p.m. (8 views)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the sandbox noVNC helper route. An attacker can gain unauthorized access to interactive browser session credentials by bypassing bridge...

CVSS 9.8 | AI score 5.7 | EPSS 0.00401 | Exploits 0 | References 2

LDAP Injection
Snyk, added 2026/04/17 3:36 p.m. (4 views)

Overview: Affected versions of this package are vulnerable to LDAP Injection in the LdapProfileService class, which accepts ID-based search parameters in multiple methods. A privileged attacker can execute unauthorized LDAP queries and perform arbitrary directory operations. Remediation: Upgrade...

CVSS 8.8 | AI score 5.9 | EPSS 0.00608 | Exploits 0 | References 2

Cross-site Request Forgery (CSRF)
Snyk, added 2026/04/17 3:31 p.m. (8 views)

Overview: org.pac4j:pac4j-core is pac4j, an easy and powerful security engine for Java to authenticate users, get their profiles and manage authorizations in order to secure web applications and web services. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) d...

CVSS 7.1 | AI score 5.8 | EPSS 0.00165 | Exploits 0 | References 2

Missing Authorization
Snyk, added 2026/04/17 3:31 p.m. (2 views)

Overview: Affected versions of this package are vulnerable to Missing Authorization in the Connected Workspaces API. An attacker can change the displayed status of local users by connecting a malicious remote server using the Connected Workspaces feature. Remediation: Upgrade...

CVSS 5.1 | AI score 5.8 | EPSS 0.00167 | Exploits 0 | References 2

Time-of-check Time-of-use (TOCTOU) Race Condition
Snyk, added 2026/04/17 3:31 p.m. (5 views)

Overview: github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the authentication process. An attacker can gain unauthorized access to multiple authenticated...

CVSS 6.9 | AI score 5.8 | EPSS 0.00145 | Exploits 0 | References 2

Malicious Package
Snyk, added 2026/04/17 2:21 p.m. (14 views)

Overview: value-slider is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 | AI score 5.7 | Exploits 0 | References 2

Malicious Package
Snyk, added 2026/04/17 2:11 p.m. (5 views)

Overview: @than-xs/libsignal-node is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

CVSS 9.8 | AI score 5.7 | Exploits 0 | References 2

Malicious Package
Snyk, added 2026/04/17 2:8 p.m. (6 views)

Overview: @than1st/baileys is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 | AI score 5.7 | Exploits 0 | References 2

Malicious Package
Snyk, added 2026/04/17 11:30 a.m. (6 views)

Overview: node-red-contrib-yolo-object-detection is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization...

CVSS 9.8 | AI score 5.7 | Exploits 0 | References 2

Malicious Package
Snyk, added 2026/04/17 11:0 a.m. (7 views)

Overview: koa-v3 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8 | AI score 5.7 | Exploits 0 | References 2

Allocation of Resources Without Limits or Throttling
Snyk, added 2026/04/17 6:31 a.m. (3 views)

Overview: github.com/hashicorp/vault/http is a tool for securely accessing secrets. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the HandlerFunc and ReKey related operations in http/handler.go and vault/core.go. An attacker can...

CVSS 8.7 | AI score 5.7 | EPSS 0.00718 | Exploits 0 | References 2

Allocation of Resources Without Limits or Throttling
Snyk, added 2026/04/17 6:31 a.m. (7 views)

Overview: github.com/hashicorp/vault/vault is a tool for securely accessing secrets. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the HandlerFunc and ReKey related operations in http/handler.go and vault/core.go. An attacker can start...

CVSS 8.7 | AI score 5.7 | EPSS 0.00718 | Exploits 0 | References 2

Authentication Bypass Using an Alternate Path or Channel
Snyk, added 2026/04/17 6:31 a.m. (7 views)

Overview: Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the kvv2 process. An attacker can cause unauthorized deletion of secrets by exploiting policy configurations containing a glob pattern, which may result in service disruption...

CVSS 8.1 | AI score 5.8 | EPSS 0.00376 | Exploits 0 | References 2

Insertion of Sensitive Information Into Sent Data
Snyk, added 2026/04/17 6:31 a.m. (6 views)

Overview: github.com/hashicorp/vault/vault is a tool for securely accessing secrets. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data through the CheckToken request handling in vault/requesthandling.go. An attacker can cause Vault to forward a...

CVSS 8.9 | AI score 5.9 | EPSS 0.00406 | Exploits 0 | References 2

Authentication Bypass Using an Alternate Path or Channel
Snyk, added 2026/04/17 6:31 a.m. (5 views)

Overview: github.com/hashicorp/vault/vault is a tool for securely accessing secrets. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the kvv2 process. An attacker can cause unauthorized deletion of secrets by exploiting policy...

CVSS 8.1 | AI score 5.8 | EPSS 0.00376 | Exploits 0 | References 2

Server-side Request Forgery (SSRF)
Snyk, added 2026/04/17 6:31 a.m. (5 views)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the ValidateHTTP01Challenge and ValidateTLSALPN01Challenge validation paths in builtin/logical/pki/acmechallenges.go. An attacker can make the ACME validator connect to loopback, link-local,...

CVSS 8.6 | AI score 5.7 | EPSS 0.00332 | Exploits 0 | References 2

Timing Attack
Snyk, added 2026/04/17 1:40 a.m. (5 views)

Overview: Affected versions of this package are vulnerable to Timing Attack via the login process. An attacker can obtain sensitive information about valid usernames by measuring response times and leveraging timing discrepancies. Remediation: Upgrade github.com/enchant97/note-mark/backend/services...

CVSS 6.3 | AI score 5.3 | EPSS 0.002 | Exploits 0 | References 2

Timing Attack
Snyk, added 2026/04/17 1:40 a.m. (3 views)

Overview: Affected versions of this package are vulnerable to Timing Attack via the login process. An attacker can obtain sensitive information about valid usernames by measuring response times and leveraging timing discrepancies. Remediation: Upgrade github.com/enchant97/note-mark/backend/db to...

CVSS 6.3 | AI score 5.3 | EPSS 0.002 | Exploits 0 | References 2

Missing Authorization
Snyk, added 2026/04/17 1:38 a.m. (3 views)

Overview: Affected versions of this package are vulnerable to Missing Authorization via the asset download process. An attacker can access the full contents of private note assets by sending unauthenticated requests to the /api/notes/noteID/assets/assetID endpoint when valid note and asset IDs are...

CVSS 8.2 | AI score 5.5 | EPSS 0.00409 | Exploits 0 | References 2

Total number of security vulnerabilities: 32851