Lucene search

32851 matches found

Snyk · added 2026/04/17 1:38 a.m. · 4 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the asset download process. An attacker can access the full contents of private note assets by sending unauthenticated requests to the /api/notes/noteID/assets/assetID endpoint when valid note and asset IDs are...

CVSS 8.2 · AI score 5.5 · EPSS 0.00409 · Exploits 0 · References 2

Snyk · added 2026/04/17 1:37 a.m. · 3 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the asset delivery process. An attacker can execute arbitrary JavaScript in the context of another user's session by uploading a crafted HTML or SVG file as an asset, which is then rendered by a victim's...

CVSS 8.7 · AI score 5.5 · EPSS 0.00309 · Exploits 0 · References 2

Snyk · added 2026/04/17 12:17 a.m. · 3 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through incomplete sanitization of the README rendering process in the marketplace UI. An attacker can execute arbitrary scripts in the Electron context with full application privileges by embedding an iframe ta...

CVSS 6.4 · AI score 5.5 · EPSS 0.00261 · Exploits 1 · References 2

Snyk · added 2026/04/17 12:0 a.m. · 6 views

Incomplete Cleanup

Overview: org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications, on any kind of deployment platform. Affected versions of this package are vulnerable to Incomplete Cleanup via multipart request...

CVSS 7.1 · AI score 5.5 · EPSS 0.00344 · Exploits 0 · References 2

Snyk · added 2026/04/17 12:0 a.m. · 10 views

HTTP Request Smuggling

Overview: org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications. Affected versions of this package are vulnerable to HTTP Request Smuggling via the static...

CVSS 5.9 · AI score 5.7 · EPSS 0.00236 · Exploits 0 · References 2

Snyk · added 2026/04/17 12:0 a.m. · 11 views

HTTP Request Smuggling

Overview: org.springframework:spring-webflux is a Spring Framework module that contains support for reactive HTTP and WebSocket clients as well as for reactive server web applications including REST, HTML browser, and WebSocket style interactions. Affected versions of this package are vulnerable t...

CVSS 5.9 · AI score 5.7 · EPSS 0.00236 · Exploits 0 · References 2

Snyk · added 2026/04/17 12:0 a.m. · 10 views

Allocation of Resources Without Limits or Throttling

Overview: org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via static resource resolution. An attacker can cause denia...

CVSS 6.9 · AI score 5.5 · EPSS 0.00341 · Exploits 0 · References 2

Snyk · added 2026/04/16 11:38 p.m. · 4 views

Improper Authorization

Overview: Affected versions of this package are vulnerable to Improper Authorization in the handler for creating or updating Traffic Influence Subscriptions due to improper validation of the influenceId path segment. An attacker can create or overwrite arbitrary Traffic Influence Subscriptions,...

CVSS 8.7 · AI score 5.7 · EPSS 0.00427 · Exploits 1 · References 2

Snyk · added 2026/04/16 11:38 p.m. · 3 views

Improper Authorization

Overview: Affected versions of this package are vulnerable to Improper Authorization in the handler responsible for reading Traffic Influence Subscriptions. An attacker can access sensitive subscription data, including SUPIs/IMSIs, DNNs, S-NSSAIs, and callback URIs, by supplying arbitrary values f...

CVSS 8.7 · AI score 5.6 · EPSS 0.00493 · Exploits 1 · References 2

Snyk · added 2026/04/16 11:0 p.m. · 6 views

Open Redirect

Overview: @saltcorn/server is the server app for Saltcorn, an open-source no-code platform. Affected versions of this package are vulnerable to Open Redirect via the isrelativeurl function. An attacker can redirect users to an external, attacker-controlled domain by crafting a malicious URL that exploit...

CVSS 7.1 · AI score 5.8 · EPSS 0.00339 · Exploits 0 · References 2

Snyk · added 2026/04/16 11:0 p.m. · 4 views

Server-side Request Forgery (SSRF)

Overview: langchain-openai is an integration package connecting OpenAI and LangChain. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the image token counting urltosize function. An attacker can access internal network resources by exploiting a DNS...

CVSS 3.1 · AI score 5.8 · EPSS 0.00158 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:53 p.m. · 6 views

Server-side Request Forgery (SSRF)

Overview: langchain-text-splitters provides LangChain text-splitting utilities. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the splittextfromurl function. An attacker can access internal network resources and potentially exfiltrate sensitive data by supplying...

CVSS 6.5 · AI score 5.8 · EPSS 0.0026 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:51 p.m. · 8 views

SQL Injection

Overview: @saltcorn/mobile-app is the Saltcorn mobile app for Android and iOS. Affected versions of this package are vulnerable to SQL Injection via the getSyncRows and getDelRows functions. An attacker can execute arbitrary SQL commands, exfiltrate sensitive data, modify or delete database contents,...

CVSS 9.9 · AI score 6.1 · EPSS 0.00264 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:51 p.m. · 9 views

SQL Injection

Overview: @saltcorn/server is the server app for Saltcorn, an open-source no-code platform. Affected versions of this package are vulnerable to SQL Injection via the getSyncRows and getDelRows functions. An attacker can execute arbitrary SQL commands, exfiltrate sensitive data, modify or delete database...

CVSS 9.9 · AI score 6.1 · EPSS 0.00264 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:51 p.m. · 5 views

SQL Injection

Overview: @saltcorn/data provides the data models for Saltcorn, an open-source no-code platform. Affected versions of this package are vulnerable to SQL Injection via the getSyncRows and getDelRows functions. An attacker can execute arbitrary SQL commands, exfiltrate sensitive data, modify or delete database...

CVSS 9.9 · AI score 6.1 · EPSS 0.00264 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:50 p.m. · 4 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the MappingEngine.TryMapCollectionOntoExisting object through Mapsrc call. An attacker can exhaust system resources and cause application downtime by submitting large collection...

CVSS 8.7 · AI score 5.5 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:50 p.m. · 6 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the MappingEngine.TryMapCollectionOntoExisting object through Mapsrc call. An attacker can exhaust system resources and cause application downtime by submitting large collection...

CVSS 8.7 · AI score 5.5 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:49 p.m. · 14 views

Cross-site Scripting (XSS)

Overview: @paperclipai/ui contains prebuilt Paperclip board UI assets. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the MarkdownBody class, where user-supplied markdown content is rendered without proper URL sanitization due to an overridden urlTransform function. An...

CVSS 5.4 · AI score 5.8 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:49 p.m. · 14 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the MarkdownBody class, where user-supplied markdown content is rendered without proper URL sanitization due to an overridden urlTransform function. An attacker can execute arbitrary JavaScript in the context...

CVSS 5.4 · AI score 5.8 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:49 p.m. · 13 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the MarkdownBody class, where user-supplied markdown content is rendered without proper URL sanitization due to an overridden urlTransform function. An attacker can execute arbitrary JavaScript in the context...

CVSS 5.4 · AI score 5.8 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:48 p.m. · 8 views

Insufficient Verification of Data Authenticity

Overview: @paperclipai/ui contains prebuilt Paperclip board UI assets. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the decidedByUserId field in approval-related endpoints. An attacker can forge decision attribution by supplying an arbitrary us...

CVSS 5.3 · AI score 5.9 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:48 p.m. · 12 views

Insufficient Verification of Data Authenticity

Overview: Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the decidedByUserId field in approval-related endpoints. An attacker can forge decision attribution by supplying an arbitrary user identifier in the request body, causing the system to...

CVSS 5.3 · AI score 5.9 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:48 p.m. · 9 views

Insufficient Verification of Data Authenticity

Overview: Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the decidedByUserId field in approval-related endpoints. An attacker can forge decision attribution by supplying an arbitrary user identifier in the request body, causing the system to...

CVSS 5.3 · AI score 5.9 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:48 p.m. · 10 views

Insufficient Granularity of Access Control

Overview: Affected versions of this package are vulnerable to Insufficient Granularity of Access Control due to inadequate authorization checks in the POST /api/agents/:id/keys, GET /api/agents/:id/keys, and DELETE /api/agents/:id/keys/:keyId routes. An attacker can gain unauthorized access to sensitive...

CVSS 8.5 · AI score 5.8 · Exploits 0 · References 4

Snyk · added 2026/04/16 10:48 p.m. · 11 views

Insufficient Granularity of Access Control

Overview: @paperclipai/ui contains prebuilt Paperclip board UI assets. Affected versions of this package are vulnerable to Insufficient Granularity of Access Control due to inadequate authorization checks in the POST /api/agents/:id/keys, GET /api/agents/:id/keys, and DELETE /api/agents/:id/keys/:keyId route...

CVSS 8.5 · AI score 5.8 · Exploits 0 · References 4

Snyk · added 2026/04/16 10:48 p.m. · 6 views

Insufficient Granularity of Access Control

Overview: Affected versions of this package are vulnerable to Insufficient Granularity of Access Control due to inadequate authorization checks in the POST /api/agents/:id/keys, GET /api/agents/:id/keys, and DELETE /api/agents/:id/keys/:keyId routes. An attacker can gain unauthorized access to sensitive...

CVSS 8.5 · AI score 5.8 · Exploits 0 · References 4

Snyk · added 2026/04/16 10:48 p.m. · 9 views

Command Injection

Overview: Affected versions of this package are vulnerable to Command Injection via the cleanupCommand field in the PATCH /api/execution-workspaces/:id endpoint, which is stored and later executed by the server without input validation or sanitization. An attacker can execute arbitrary system...

CVSS 9.2 · AI score 6 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:47 p.m. · 9 views

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function in several API endpoints that lack proper authentication checks. An attacker can access sensitive data, perform state-changing operations, and obtain internal configuration details by sending...

CVSS 8.7 · AI score 5.8 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:47 p.m. · 9 views

Missing Authentication for Critical Function

Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function in several API endpoints that lack proper authentication checks. An attacker can access sensitive data, perform state-changing operations, and obtain internal configuration details by sending...

CVSS 8.7 · AI score 5.8 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:47 p.m. · 9 views

Missing Authentication for Critical Function

Overview: @paperclipai/ui contains prebuilt Paperclip board UI assets. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in several API endpoints that lack proper authentication checks. An attacker can access sensitive data, perform state-changing...

CVSS 8.7 · AI score 5.8 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:46 p.m. · 12 views

Arbitrary Command Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Command Injection via the spawn function. An attacker can execute arbitrary shell commands on the server and access sensitive environment variables, including API keys, authentication secrets, and database credentials, by...

CVSS 8.8 · AI score 6 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:46 p.m. · 10 views

Arbitrary Command Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Command Injection via the spawn function. An attacker can execute arbitrary shell commands on the server and access sensitive environment variables, including API keys, authentication secrets, and database credentials, by...

CVSS 8.8 · AI score 6 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:46 p.m. · 8 views

Arbitrary Command Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Command Injection via the spawn function. An attacker can execute arbitrary shell commands on the server and access sensitive environment variables, including API keys, authentication secrets, and database credentials, by...

CVSS 8.8 · AI score 6 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:45 p.m. · 9 views

External Control of File Name or Path

Overview: Affected versions of this package are vulnerable to External Control of File Name or Path via the adapterConfig.instructionsFilePath configuration field, which is processed by the server during agent execution. An attacker can access sensitive files on the host filesystem by supplying...

CVSS 6 · AI score 6 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:45 p.m. · 7 views

External Control of File Name or Path

Overview: Affected versions of this package are vulnerable to External Control of File Name or Path via the adapterConfig.instructionsFilePath configuration field, which is processed by the server during agent execution. An attacker can access sensitive files on the host filesystem by supplying...

CVSS 6 · AI score 6 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:45 p.m. · 9 views

External Control of File Name or Path

Overview: Affected versions of this package are vulnerable to External Control of File Name or Path via the adapterConfig.instructionsFilePath configuration field, which is processed by the server during agent execution. An attacker can access sensitive files on the host filesystem by supplying...

CVSS 6 · AI score 6 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:45 p.m. · 7 views

External Control of File Name or Path

Overview: Affected versions of this package are vulnerable to External Control of File Name or Path via the adapterConfig.instructionsFilePath configuration field, which is processed by the server during agent execution. An attacker can access sensitive files on the host filesystem by supplying...

CVSS 6 · AI score 6 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:45 p.m. · 9 views

External Control of File Name or Path

Overview: Affected versions of this package are vulnerable to External Control of File Name or Path via the adapterConfig.instructionsFilePath configuration field, which is processed by the server during agent execution. An attacker can access sensitive files on the host filesystem by supplying...

CVSS 6 · AI score 6 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:45 p.m. · 8 views

External Control of File Name or Path

Overview: Affected versions of this package are vulnerable to External Control of File Name or Path via the adapterConfig.instructionsFilePath configuration field, which is processed by the server during agent execution. An attacker can access sensitive files on the host filesystem by supplying...

CVSS 6 · AI score 6 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:45 p.m. · 8 views

External Control of File Name or Path

Overview: @paperclipai/ui contains prebuilt Paperclip board UI assets. Affected versions of this package are vulnerable to External Control of File Name or Path via the adapterConfig.instructionsFilePath configuration field, which is processed by the server during agent execution. An attacker can acce...

CVSS 6 · AI score 6 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:44 p.m. · 7 views

Incorrect Authorization

Overview: @better-auth/oauth-provider is an OAuth provider plugin for Better Auth. Affected versions of this package are vulnerable to Incorrect Authorization via the createOAuthClientEndpoint endpoint. An attacker can gain unauthorized access to register OAuth clients by bypassing the intended...

CVSS 8.5 · AI score 5.4 · EPSS 0.00212 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:41 p.m. · 4 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of validation on attacker-controlled counts and lengths in the SPDY/3 frame parser. An attacker can exhaust process memory and cause an out-of-memory crash by sending ...

CVSS 8.7 · AI score 5.4 · EPSS 0.00656 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:41 p.m. · 2 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of validation on attacker-controlled counts and lengths in the SPDY/3 frame parser. An attacker can exhaust process memory and cause an out-of-memory crash by sending ...

CVSS 8.7 · AI score 5.8 · EPSS 0.00656 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:40 p.m. · 5 views

Missing Authentication for Critical Function

Overview: @budibase/backend-core provides the Budibase backend core libraries used in the server and worker. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the authenticated middleware, which uses unanchored regular expressions to match public endpoint...

CVSS 9.1 · AI score 5.8 · EPSS 0.00445 · Exploits 1 · References 2

Snyk · added 2026/04/16 10:38 p.m. · 5 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview: mathjs is a math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with diff. Affected versions of this package are...

CVSS 9.9 · AI score 7.6 · EPSS 0.00551 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:38 p.m. · 4 views

Cross-site Request Forgery (CSRF)

Overview: authlib is a library for building OAuth and OpenID Connect servers. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the Client integrations due to the lack of CSRF protection for cash parameters. An attacker can perform unauthorized actions on behalf...

CVSS 5.9 · AI score 5.5 · EPSS 0.00106 · Exploits 1 · References 2

Snyk · added 2026/04/16 10:36 p.m. · 7 views

Server-side Request Forgery (SSRF)

Overview: @angular/platform-server is an Angular library for using Angular in Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the URL parsing during Server-Side Rendering (SSR). An attacker can cause the server to make arbitrary HTTP requests to...

CVSS 8.7 · AI score 6 · EPSS 0.00256 · Exploits 0 · References 2

Snyk · added 2026/04/16 10:34 p.m. · 4 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection through the handling of user-supplied protobuf definitions, specifically via the Type's name field. An attacker can execute arbitrary JavaScript code by injecting malicious payloads into the protobuf definition,...

CVSS 9.8 · AI score 6.3 · EPSS 0.00745 · Exploits 1 · References 2

Snyk · added 2026/04/16 10:34 p.m. · 8 views

Arbitrary Code Injection

Overview: @apollo/protobufjs is a language-neutral, platform-neutral, extensible way of serializing structured data for use in communications protocols, data storage, and more, originally designed at Google. Affected versions of this package are vulnerable to Arbitrary Code Injection through the...

CVSS 9.8 · AI score 6.4 · EPSS 0.00745 · Exploits 1 · References 2

Snyk · added 2026/04/16 10:34 p.m. · 7 views

Arbitrary Code Injection

Overview: protobufjs is a Protocol Buffers implementation for JavaScript & TypeScript. Affected versions of this package are vulnerable to Arbitrary Code Injection through the handling of user-supplied protobuf definitions, specifically via the Type's name field. An attacker can execute arbitrary JavaScript code ...

CVSS 9.8 · AI score 6.4 · EPSS 0.00745 · Exploits 1 · References 2

Total number of security vulnerabilities: 32851