32851 matches found
Interpretation Conflict
Overview @fastify/middie is a Middleware engine for Fastify Affected versions of this package are vulnerable to Interpretation Conflict in the propagation of middleware paths to child plugin scopes due to incorrect re-prefixing. An attacker can gain unauthorized access to protected routes by...
Interpretation Conflict
Overview @fastify/middie is a Middleware engine for Fastify Affected versions of this package are vulnerable to Interpretation Conflict in the resolveNormalizationOptions function's deprecated ignoreDuplicateSlashes configuration option. An attacker can bypass middleware by crafting URLs with...
Improper Handling of Missing Values
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Improper Handling of Missing Values password reset flow in account.service.ts. An attacker can reset another user’s password by supplying a crafted reset request with an invalid or missing temporary token a...
Improper Neutralization of Special Elements in Data Query Logic
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic through the GraphCypherQAChain request handling and graph.query execution path in GraphCypherQAChain.ts. An attacker can force...
Cleartext Transmission of Sensitive Information
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information through the AccountService in account.service.ts. An attacker can cause password reset, verification, registration, and invite emails to contain http:// links...
Missing Authentication for Critical Function
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the public-chatbotConfig and oauth2-credential/refresh endpoints. An attacker can obtain OAuth 2.0 access tokens for third-party services by retrieving...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via postCore.ts. An attacker can cause the server to make arbitrary HTTP requests to internal or external systems by injecting malicious prompt templates that...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the secureAxiosRequest and secureFetch functions. An attacker can gain unauthorized access to internal services and potentially exfiltrate sensitive data ...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the getHttpDenyList process in httpSecurity.ts. An attacker can reach internal or otherwise denied HTTP endpoints by supplying requests that rely on t...
Server-side Request Forgery (SSRF)
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the getHttpDenyList process in httpSecurity.ts. An attacker can reach internal or otherwise denied HTTP endpoints by supplying requests that rely on the HTTP deny li...
Arbitrary File Upload
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary File Upload in the createAttachment in Chatflow. An attacker can upload and persistently store malicious JavaScript files on the server by bypassing MIME type validation, which may...
Arbitrary File Upload
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Arbitrary File Upload in the createAttachment in Chatflow. An attacker can upload and persistently store malicious JavaScript files on the server by bypassing MIME type validation, which may lead to the...
Partial String Comparison
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Partial String Comparison due to the replaceInputsWithConfig logic in packages/server/src/utils/index.ts. An attacker can override flow parameters by supplying a crafted override configuratio...
Partial String Comparison
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Partial String Comparison due to the replaceInputsWithConfig logic in packages/server/src/utils/index.ts. An attacker can override flow parameters by supplying a crafted override configuration in a predicti...
Missing Authorization
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Missing Authorization in the /api/v1/public-chatbotConfig/:id endpoint in chatbotConfig. An attacker can access sensitive credentials, including API keys and authorization headers, by sending unauthenticate...
Arbitrary Code Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper...
Arbitrary Code Injection
Overview flowise-ui is a Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper sanitization. This is only...
Arbitrary Code Injection
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper sanitization...
Arbitrary Code Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection through the pythonCodeValidator and the Python execution paths in AirtableAgent.ts and CSVAgent.ts. An attacker can supply LLM-generated Python code that smuggles in...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the jwksUri field of the RequestAuthentication resource. An attacker can access internal network resources by specifying a URL pointing to an internal service, causing the system to make unauthenticat...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the jwksUri field of the RequestAuthentication resource. An attacker can access internal network resources by specifying a URL pointing to an internal service, causing the system to make unauthenticat...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the jwksUri field of the RequestAuthentication resource. An attacker can access internal network resources by specifying a URL pointing to an internal service, causing the system to make unauthenticat...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the jwksUri field of the RequestAuthentication resource. An attacker can access internal network resources by specifying a URL pointing to an internal service, causing the system to make unauthenticat...
Allocation of Resources Without Limits or Throttling
Overview basic-ftp is a FTP client for Node.js, supports FTPS over TLS, IPv6, Async/Await, and Typescript. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the StringWriter method. An attacker can cause excessive memory consumption and...
Insufficiently Protected Credentials
Overview Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the apiCall executor. An attacker can obtain sensitive credentials by sending crafted HTTP requests to endpoints controlled by the attacker, causing the automatic forwarding of the ServiceAccount...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the ConfigMap context loader due to missing validation of the namespace value. An attacker can access sensitive data from ConfigMaps in unauthorized namespaces by creating a policy that references another...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the mcajaxmcjsaction function. An attacker can access sensitive event data from other sub-sites or cause a denial of service by sending crafted requests to the unauthenticated endpoin...
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement 'Expression Language Injection' via the CDNResourceHandler when a wildcard CDN mapping is configured. An attacker can execute arbitrary code, disclose...
Memory Allocation with Excessive Size Value
Overview pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the FlateDecode image processing when handling images with large size values. An...
Memory Allocation with Excessive Size Value
Overview PyPDF2 is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the FlateDecode image processing when handling images with large size values. An...
Excessive Iteration
Overview PyPDF2 is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Excessive Iteration in the incremental mode for PDF processing. An attacker can cause excessive resource consumption and...
Excessive Iteration
Overview pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Excessive Iteration in the incremental mode for PDF processing. An attacker can cause excessive resource consumption and...
Memory Allocation with Excessive Size Value
Overview pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the FlateDecode method when handling streams with a /Predictor value not equal to ...
Memory Allocation with Excessive Size Value
Overview PyPDF2 is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the FlateDecode method when handling streams with a /Predictor value not equal to...
Improper Neutralization of Special Elements Used in a Template Engine
Overview homeassistant-cli is a Command-line tool for Home Assistant. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the handling of user-supplied Jinja2 templates. An attacker can execute arbitrary code by convincing ...
Incorrect Authorization
Overview @clerk/shared is an Internal package utils used by the Clerk SDKs Affected versions of this package are vulnerable to Incorrect Authorization via the createPathMatcher function in @clerk/shared used by downstream createRouteMatcher. An attacker can gain unauthorized access to protected...
Incorrect Authorization
Overview @clerk/nextjs is a Clerk SDK for NextJS Affected versions of this package are vulnerable to Incorrect Authorization via the createPathMatcher function in @clerk/shared used by downstream createRouteMatcher. An attacker can gain unauthorized access to protected routes by crafting requests...
Incorrect Authorization
Overview @clerk/astro is a Clerk SDK for Astro Affected versions of this package are vulnerable to Incorrect Authorization via the createPathMatcher function in @clerk/shared used by downstream createRouteMatcher. An attacker can gain unauthorized access to protected routes by crafting requests...
Incorrect Authorization
Overview @clerk/nuxt is a Clerk SDK for Nuxt Affected versions of this package are vulnerable to Incorrect Authorization via the createPathMatcher function in @clerk/shared used by downstream createRouteMatcher. An attacker can gain unauthorized access to protected routes by crafting requests tha...
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Overview Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code 'Unsafe Reflection' via unsafe method invocation during query value resolution. An attacker can cause destruction of data, assets, and user accounts by manipulating query...
Command Injection
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Command Injection in the cloneServer.json.php endpoint of the CloneSite plugin, where user-controlled input is concatenated into a shell command without proper...
Command Injection
Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Command Injection via the runMac and runLinux functions. An attacker can execute arbitrary system commands and compromise the system by supplying malicious remote...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via ExecuteFlow.ts. An attacker can cause the server to initiate HTTP requests to internal network addresses, potentially accessing sensitive management...
Server-side Request Forgery (SSRF)
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the URL-fetching tool in ExecuteFlow.ts, APILoader.ts, FireCrawl.ts, SpiderApp.ts, AzureRerank.ts, Jira/core.ts, MCP/core.ts, OpenAPIToolkit.ts, and...
Directory Traversal
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Directory Traversal via the vector store path handling in Faiss.ts and SimpleStore.ts. An attacker can read from or write to unintended filesystem locations by supplying a crafted basePath wh...
Use of Hard-coded Credentials
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Use of Hard-coded Credentials via the weak default TOKENHASHSECRET. An attacker can access sensitive internal identifiers by decrypting the meta field in JWT tokens when the default secret is used,...
Use of Hard-coded Credentials
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Use of Hard-coded Credentials due to the use of a weak default value for the secret parameter in session management when the EXPRESSSESSIONSECRET environment variable is not set. An attacker can impersonate...
Use of a Broken or Risky Cryptographic Algorithm
Overview flowise-ui is a Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators, by crafting valid JWTs usin...
Use of a Broken or Risky Cryptographic Algorithm
Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators, by crafting...
Use of a Broken or Risky Cryptographic Algorithm
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators...