Lucene search

32851 matches found

Snyk, added 2026/04/16 10:29 p.m.
Interpretation Conflict
Overview: @fastify/middie is a middleware engine for Fastify. Affected versions of this package are vulnerable to Interpretation Conflict in the propagation of middleware paths to child plugin scopes due to incorrect re-prefixing. An attacker can gain unauthorized access to protected routes by...
CVSS 9.3 | AI score 5.7 | EPSS 0.00498 | Exploits 1 | References 2

Snyk, added 2026/04/16 10:28 p.m.
Interpretation Conflict
Overview: @fastify/middie is a middleware engine for Fastify. Affected versions of this package are vulnerable to Interpretation Conflict in the resolveNormalizationOptions function's deprecated ignoreDuplicateSlashes configuration option. An attacker can bypass middleware by crafting URLs with...
CVSS 9.1 | AI score 5.7 | EPSS 0.00278 | Exploits 0 | References 2
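Added example (JavaScript; not code from @fastify/middie or Fastify): the two middie entries above describe a guard and a router that interpret the request path differently. The block below reproduces that class of bug in a few lines: an auth check runs on the raw URL string while the router collapses duplicate slashes, so a URL beginning with "//" is never seen as protected yet still reaches the protected handler. The function names (`normalizePath`, `guardRaw`, `guardNormalized`, `demoPathGuard`), the `/admin` prefix and the route table are assumptions made for the illustration.

```javascript
// Added example, not @fastify/middie code. Names, prefix and routes are illustrative.

// Router-side canonicalisation: drop the query string, collapse runs of "/" to one.
function normalizePath(rawUrl) {
  const pathOnly = rawUrl.split('?')[0];
  return pathOnly.replace(/\/{2,}/g, '/');
}

const PROTECTED_PREFIX = '/admin';
const routes = {
  '/admin/users': 'admin users handler',
  '/public': 'public handler',
};

// Vulnerable shape: the middleware decides on the raw URL string, but the router
// looks the handler up by the normalized path. "//admin/users" does not start
// with "/admin", so the guard lets it pass, yet it routes to the admin handler.
function guardRaw(rawUrl, authenticated) {
  if (rawUrl.startsWith(PROTECTED_PREFIX) && !authenticated) return 403;
  return routes[normalizePath(rawUrl)] ? 200 : 404;
}

// Hardened shape: normalize once, then guard and router see the same path.
function guardNormalized(rawUrl, authenticated) {
  const path = normalizePath(rawUrl);
  if (path.startsWith(PROTECTED_PREFIX) && !authenticated) return 403;
  return routes[path] ? 200 : 404;
}

// Constructed requests exercising both shapes; returns the status each yields.
function demoPathGuard() {
  return {
    rawBypassed: guardRaw('//admin/users', false),              // 200: guard skipped
    rawDirect: guardRaw('/admin/users', false),                 // 403
    normalizedBlocked: guardNormalized('//admin/users', false), // 403
    normalizedAuthed: guardNormalized('//admin/users', true),   // 200
  };
}
```

The fix is not "reject URLs with //"; it is that every component making a security decision must operate on the same canonical form of the path as the component that dispatches the request.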

Snyk, added 2026/04/16 9:55 p.m.
Improper Handling of Missing Values
Overview: flowise is the Flowiseai server. Affected versions of this package are vulnerable to Improper Handling of Missing Values in the password reset flow in account.service.ts. An attacker can reset another user's password by supplying a crafted reset request with an invalid or missing temporary token a...
CVSS 9.8 | AI score 5.7 | EPSS 0.0687 | Exploits 1 | References 3

Snyk, added 2026/04/16 9:54 p.m.
Improper Neutralization of Special Elements in Data Query Logic
Overview: flowise-components is the Flowiseai components package. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic through the GraphCypherQAChain request handling and graph.query execution path in GraphCypherQAChain.ts. An attacker can force...
CVSS 9.8 | AI score 5.9 | EPSS 0.00504 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:53 p.m.
Cleartext Transmission of Sensitive Information
Overview: flowise is the Flowiseai server. Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information through the AccountService in account.service.ts. An attacker can cause password reset, verification, registration, and invite emails to contain http:// links...
CVSS 7.5 | AI score 5.7 | EPSS 0.00192 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:52 p.m.
Missing Authentication for Critical Function
Overview: flowise is the Flowiseai server. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the public-chatbotConfig and oauth2-credential/refresh endpoints. An attacker can obtain OAuth 2.0 access tokens for third-party services by retrieving...
CVSS 10 | AI score 5.5 | EPSS 0.00308 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:52 p.m.
Server-side Request Forgery (SSRF)
Overview: flowise-components is the Flowiseai components package. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via postCore.ts. An attacker can cause the server to make arbitrary HTTP requests to internal or external systems by injecting malicious prompt templates that...
CVSS 8.3 | AI score 5.9 | EPSS 0.00233 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:51 p.m.
Server-side Request Forgery (SSRF)
Overview: flowise-components is the Flowiseai components package. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the secureAxiosRequest and secureFetch functions. An attacker can gain unauthorized access to internal services and potentially exfiltrate sensitive data ...
CVSS 7.6 | AI score 5.8 | EPSS 0.00232 | Exploits 1 | References 3

Snyk, added 2026/04/16 9:50 p.m.
Server-side Request Forgery (SSRF)
Overview: flowise-components is the Flowiseai components package. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the getHttpDenyList process in httpSecurity.ts. An attacker can reach internal or otherwise denied HTTP endpoints by supplying requests that rely on t...
CVSS 8.3 | AI score 5.7 | EPSS 0.00234 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:50 p.m.
Server-side Request Forgery (SSRF)
Overview: flowise is the Flowiseai server. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the getHttpDenyList process in httpSecurity.ts. An attacker can reach internal or otherwise denied HTTP endpoints by supplying requests that rely on the HTTP deny li...
CVSS 8.3 | AI score 5.7 | EPSS 0.00234 | Exploits 1 | References 2
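Added example (JavaScript; not Flowise code): the two getHttpDenyList entries above concern a deny list that decides which outbound HTTP targets are blocked. A deny list compared only against the hostname string in the URL is defeated by any name that resolves to a blocked address. The block below shows that string comparison next to a check that also tests the resolved address against loopback, link-local and RFC 1918 ranges. The deny list, the `FAKE_DNS` table standing in for the resolver, and the names `resolveHost`, `isDeniedRaw`, `isDeniedResolved`, `ipv4ToInt` and `inBlockedRange` are constructed for the illustration.

```javascript
// Added example, not Flowise code. Deny list, resolver table and names are illustrative.

const DENY_HOSTS = ['localhost', '127.0.0.1', '169.254.169.254'];

// Constructed table standing in for DNS so the block runs offline.
const FAKE_DNS = {
  'localhost': '127.0.0.1',
  'metadata.internal.example': '169.254.169.254',
  'api.example.com': '203.0.113.10',
};
function resolveHost(hostname) {
  return FAKE_DNS[hostname] ?? hostname; // IP literals resolve to themselves
}

// Vulnerable shape: only the string the caller typed is compared.
function isDeniedRaw(urlString) {
  const { hostname } = new URL(urlString);
  return DENY_HOSTS.includes(hostname);
}

// Dotted IPv4 to unsigned 32-bit integer; null for anything else.
function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return null;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// Loopback, link-local (incl. cloud metadata) and RFC 1918 ranges as [base, prefix bits].
const BLOCKED_RANGES = [
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
];
function inBlockedRange(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // not a plain IPv4 literal: fail closed
  return BLOCKED_RANGES.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Hardened shape: deny on the literal host AND on where it resolves.
function isDeniedResolved(urlString) {
  const { hostname } = new URL(urlString);
  if (DENY_HOSTS.includes(hostname)) return true;
  return inBlockedRange(resolveHost(hostname));
}

// Constructed targets showing where the two checks disagree.
function demoDenyList() {
  const metadata = 'http://metadata.internal.example/latest/';
  const privateIp = 'http://10.2.3.4/admin';
  const external = 'https://api.example.com/v1';
  return {
    rawMissesAlias: isDeniedRaw(metadata),            // false: name not in the list
    resolvedCatchesAlias: isDeniedResolved(metadata), // true: resolves to 169.254.169.254
    rawMissesPrivate: isDeniedRaw(privateIp),         // false
    resolvedCatchesPrivate: isDeniedResolved(privateIp), // true: 10.0.0.0/8
    externalAllowed: isDeniedResolved(external),      // false
  };
}
```

Even the hardened shape is only half of the control: the address has to be checked on the socket actually opened (and again on every redirect), otherwise a name that resolves differently at connect time than at check time slips through. That connect-time hook is outside what an offline block can show.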

Snyk, added 2026/04/16 9:49 p.m.
Arbitrary File Upload
Overview: flowise-components is the Flowiseai components package. Affected versions of this package are vulnerable to Arbitrary File Upload in createAttachment in Chatflow. An attacker can upload and persistently store malicious JavaScript files on the server by bypassing MIME type validation, which may...
CVSS 8.8 | AI score 6.2 | EPSS 0.00472 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:49 p.m.
Arbitrary File Upload
Overview: flowise is the Flowiseai server. Affected versions of this package are vulnerable to Arbitrary File Upload in createAttachment in Chatflow. An attacker can upload and persistently store malicious JavaScript files on the server by bypassing MIME type validation, which may lead to the...
CVSS 8.8 | AI score 6.2 | EPSS 0.00472 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:46 p.m.
Partial String Comparison
Overview: flowise-components is the Flowiseai components package. Affected versions of this package are vulnerable to Partial String Comparison due to the replaceInputsWithConfig logic in packages/server/src/utils/index.ts. An attacker can override flow parameters by supplying a crafted override configuratio...
CVSS 9.8 | AI score 5.9 | EPSS 0.13789 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:46 p.m.
Partial String Comparison
Overview: flowise is the Flowiseai server. Affected versions of this package are vulnerable to Partial String Comparison due to the replaceInputsWithConfig logic in packages/server/src/utils/index.ts. An attacker can override flow parameters by supplying a crafted override configuration in a predicti...
CVSS 9.8 | AI score 5.9 | EPSS 0.13789 | Exploits 1 | References 2
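Added example (JavaScript; not Flowise code): the two Partial String Comparison entries above name replaceInputsWithConfig, but the page does not show that function. The block below illustrates the general pattern the weakness name describes: an allow list of overridable configuration keys consulted with a prefix comparison, next to the exact-membership check that closes it. The keys (`llm.model`, `llm.modelApiKey`, `llm.temperature`), the config shape, the override payload and the function names are assumptions made for the illustration.

```javascript
// Added example, not Flowise code. Keys, config shape and names are illustrative.

// Keys the operator has marked as overridable by API callers.
const ALLOWED_OVERRIDES = ['llm.model', 'llm.temperature'];

// Vulnerable shape: the allow-list check is a prefix comparison. Any key that
// merely begins with an allowed key passes, so "llm.modelApiKey", which the
// operator never listed, rides in on "llm.model".
function applyOverridesPrefix(config, overrides) {
  const out = { ...config };
  for (const [key, value] of Object.entries(overrides)) {
    if (ALLOWED_OVERRIDES.some((allowed) => key.startsWith(allowed))) {
      out[key] = value;
    }
  }
  return out;
}

// Hardened shape: whole-string membership, nothing looser.
const ALLOWED_SET = new Set(ALLOWED_OVERRIDES);
function applyOverridesExact(config, overrides) {
  const out = { ...config };
  for (const [key, value] of Object.entries(overrides)) {
    if (ALLOWED_SET.has(key)) out[key] = value;
  }
  return out;
}

// Constructed base config and an override payload that targets the API key
// by choosing a key name that extends an allowed one.
const BASE_CONFIG = {
  'llm.model': 'small-model',
  'llm.temperature': 0.2,
  'llm.modelApiKey': 'sk-operator-secret',
};
const HOSTILE_OVERRIDES = {
  'llm.model': 'large-model',
  'llm.modelApiKey': 'sk-attacker-controlled',
};

// Returns both outcomes so the difference is visible side by side.
function demoOverrides() {
  return {
    prefix: applyOverridesPrefix(BASE_CONFIG, HOSTILE_OVERRIDES),
    exact: applyOverridesExact(BASE_CONFIG, HOSTILE_OVERRIDES),
  };
}
```

The same reasoning applies to any matcher built from `startsWith`, `includes` or an unanchored regular expression: an allow list must be an exact comparison against a closed set, or a pattern anchored at both ends.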

Snyk, added 2026/04/16 9:44 p.m.
Missing Authorization
Overview: flowise is the Flowiseai server. Affected versions of this package are vulnerable to Missing Authorization in the /api/v1/public-chatbotConfig/:id endpoint in chatbotConfig. An attacker can access sensitive credentials, including API keys and authorization headers, by sending unauthenticate...
CVSS 8.6 | AI score 5.8 | EPSS 0.00346 | Exploits 1 | References 3

Snyk, added 2026/04/16 9:44 p.m.
Arbitrary Code Injection
Overview: flowise-components is the Flowiseai components package. Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper...
CVSS 9.9 | AI score 6.2 | EPSS 0.0145 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:44 p.m.
Arbitrary Code Injection
Overview: flowise-ui. Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper sanitization. This is only...
CVSS 9.9 | AI score 6.2 | EPSS 0.0145 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:44 p.m.
Arbitrary Code Injection
Overview: flowise is the Flowiseai server. Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper sanitization...
CVSS 9.9 | AI score 6.2 | EPSS 0.0145 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:43 p.m.
Arbitrary Code Injection
Overview: flowise-components is the Flowiseai components package. Affected versions of this package are vulnerable to Arbitrary Code Injection through the pythonCodeValidator and the Python execution paths in AirtableAgent.ts and CSVAgent.ts. An attacker can supply LLM-generated Python code that smuggles in...
CVSS 8.8 | AI score 6.1 | EPSS 0.00603 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:38 p.m.
Server-side Request Forgery (SSRF)
Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the jwksUri field of the RequestAuthentication resource. An attacker can access internal network resources by specifying a URL pointing to an internal service, causing the system to make unauthenticat...
CVSS 7.7 | AI score 5.8 | EPSS 0.00329 | Exploits 0 | References 2
(This entry appears four times in the listing, all added at 9:38 p.m., with identical text and scores; the package name is not shown for any of them.)

Snyk, added 2026/04/16 9:37 p.m.
Allocation of Resources Without Limits or Throttling
Overview: basic-ftp is an FTP client for Node.js that supports FTPS over TLS, IPv6, async/await and TypeScript. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the StringWriter method. An attacker can cause excessive memory consumption and...
CVSS 8.7 | AI score 5.5 | EPSS 0.00332 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:37 p.m.
Insufficiently Protected Credentials
Overview: Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the apiCall executor. An attacker can obtain sensitive credentials by sending crafted HTTP requests to endpoints controlled by the attacker, causing the automatic forwarding of the ServiceAccount...
CVSS 9.1 | AI score 5.8 | EPSS 0.0056 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:35 p.m.
Incorrect Authorization
Overview: Affected versions of this package are vulnerable to Incorrect Authorization in the ConfigMap context loader due to missing validation of the namespace value. An attacker can access sensitive data from ConfigMaps in unauthorized namespaces by creating a policy that references another...
CVSS 7.7 | AI score 5.7 | EPSS 0.00266 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:34 p.m.
Authorization Bypass Through User-Controlled Key
Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the mcajaxmcjsaction function. An attacker can access sensitive event data from other sub-sites or cause a denial of service by sending crafted requests to the unauthenticated endpoin...
CVSS 8.8 | AI score 5.9 | EPSS 0.00932 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:31 p.m.
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Overview: Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') via the CDNResourceHandler when a wildcard CDN mapping is configured. An attacker can execute arbitrary code, disclose...
CVSS 9.2 | AI score 5.9 | EPSS 0.00382 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:30 p.m.
Memory Allocation with Excessive Size Value
Overview: pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the FlateDecode image processing when handling images with large size values. An...
CVSS 6.5 | AI score 5.7 | EPSS 0.00226 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:30 p.m.
Memory Allocation with Excessive Size Value
Overview: PyPDF2 is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the FlateDecode image processing when handling images with large size values. An...
CVSS 6.5 | AI score 5.7 | EPSS 0.00226 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:30 p.m.
Excessive Iteration
Overview: PyPDF2 is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files. Affected versions of this package are vulnerable to Excessive Iteration in the incremental mode for PDF processing. An attacker can cause excessive resource consumption and...
CVSS 6.5 | AI score 5.7 | EPSS 0.00214 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:30 p.m.
Excessive Iteration
Overview: pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files. Affected versions of this package are vulnerable to Excessive Iteration in the incremental mode for PDF processing. An attacker can cause excessive resource consumption and...
CVSS 6.5 | AI score 5.7 | EPSS 0.00214 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:30 p.m.
Memory Allocation with Excessive Size Value
Overview: pypdf is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the FlateDecode method when handling streams with a /Predictor value not equal to ...
CVSS 6.5 | AI score 5.8 | EPSS 0.00226 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:30 p.m.
Memory Allocation with Excessive Size Value
Overview: PyPDF2 is a pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via the FlateDecode method when handling streams with a /Predictor value not equal to...
CVSS 6.5 | AI score 5.7 | EPSS 0.00226 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:28 p.m.
Improper Neutralization of Special Elements Used in a Template Engine
Overview: homeassistant-cli is a command-line tool for Home Assistant. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the handling of user-supplied Jinja2 templates. An attacker can execute arbitrary code by convincing ...
CVSS 5.6 | AI score 6.2 | EPSS 0.00103 | Exploits 0 | References 3

Snyk, added 2026/04/16 9:28 p.m.
Incorrect Authorization
Overview: @clerk/shared is an internal utilities package used by the Clerk SDKs. Affected versions of this package are vulnerable to Incorrect Authorization via the createPathMatcher function in @clerk/shared used by downstream createRouteMatcher. An attacker can gain unauthorized access to protected...
CVSS 9.1 | AI score 5.5 | EPSS 0.00323 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:28 p.m.
Incorrect Authorization
Overview: @clerk/nextjs is the Clerk SDK for Next.js. Affected versions of this package are vulnerable to Incorrect Authorization via the createPathMatcher function in @clerk/shared used by downstream createRouteMatcher. An attacker can gain unauthorized access to protected routes by crafting requests...
CVSS 9.1 | AI score 5.6 | EPSS 0.00323 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:28 p.m.
Incorrect Authorization
Overview: @clerk/astro is the Clerk SDK for Astro. Affected versions of this package are vulnerable to Incorrect Authorization via the createPathMatcher function in @clerk/shared used by downstream createRouteMatcher. An attacker can gain unauthorized access to protected routes by crafting requests...
CVSS 9.1 | AI score 5.6 | EPSS 0.00323 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:28 p.m.
Incorrect Authorization
Overview: @clerk/nuxt is the Clerk SDK for Nuxt. Affected versions of this package are vulnerable to Incorrect Authorization via the createPathMatcher function in @clerk/shared used by downstream createRouteMatcher. An attacker can gain unauthorized access to protected routes by crafting requests tha...
CVSS 9.1 | AI score 5.6 | EPSS 0.00323 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:25 p.m.
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Overview: Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via unsafe method invocation during query value resolution. An attacker can cause destruction of data, assets, and user accounts by manipulating query...
CVSS 8.1 | AI score 5.8 | EPSS 0.00304 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:25 p.m.
Command Injection
Overview: wwbn/avideo is an Audio and Video Platform, or simply "A Video Platform". Affected versions of this package are vulnerable to Command Injection in the cloneServer.json.php endpoint of the CloneSite plugin, where user-controlled input is concatenated into a shell command without proper...
CVSS 9.8 | AI score 6 | EPSS 0.02221 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:24 p.m.
Command Injection
Overview: electerm is an open-source terminal/ssh/telnet/serialport/sftp client. Affected versions of this package are vulnerable to Command Injection via the runMac and runLinux functions. An attacker can execute arbitrary system commands and compromise the system by supplying malicious remote...
CVSS 9.8 | AI score 6 | EPSS 0.01572 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:23 p.m.
Server-side Request Forgery (SSRF)
Overview: flowise-components is the Flowiseai components package. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via ExecuteFlow.ts. An attacker can cause the server to initiate HTTP requests to internal network addresses, potentially accessing sensitive management...
CVSS 7.1 | AI score 5.8 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:23 p.m.
Server-side Request Forgery (SSRF)
Overview: flowise-components is the Flowiseai components package. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the URL-fetching tool in ExecuteFlow.ts, APILoader.ts, FireCrawl.ts, SpiderApp.ts, AzureRerank.ts, Jira/core.ts, MCP/core.ts, OpenAPIToolkit.ts, and...
CVSS 5.3 | AI score 6 | EPSS 0.00396 | Exploits 1 | References 2

Snyk, added 2026/04/16 9:22 p.m.
Directory Traversal
Overview: flowise-components is the Flowiseai components package. Affected versions of this package are vulnerable to Directory Traversal via the vector store path handling in Faiss.ts and SimpleStore.ts. An attacker can read from or write to unintended filesystem locations by supplying a crafted basePath wh...
CVSS 7.1 | AI score 6.4 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:22 p.m.
Use of Hard-coded Credentials
Overview: flowise is the Flowiseai server. Affected versions of this package are vulnerable to Use of Hard-coded Credentials via the weak default TOKEN_HASH_SECRET. An attacker can access sensitive internal identifiers by decrypting the meta field in JWT tokens when the default secret is used,...
CVSS 5.6 | AI score 5.5 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:22 p.m.
Use of Hard-coded Credentials
Overview: flowise is the Flowiseai server. Affected versions of this package are vulnerable to Use of Hard-coded Credentials due to the use of a weak default value for the secret parameter in session management when the EXPRESS_SESSION_SECRET environment variable is not set. An attacker can impersonate...
CVSS 6.8 | AI score 5.5 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:21 p.m.
Use of a Broken or Risky Cryptographic Algorithm
Overview: flowise-ui. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators, by crafting valid JWTs usin...
CVSS 5.6 | AI score 5.8 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:21 p.m.
Use of a Broken or Risky Cryptographic Algorithm
Overview: flowise is the Flowiseai server. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators, by crafting...
CVSS 5.6 | AI score 5.8 | Exploits 0 | References 2

Snyk, added 2026/04/16 9:21 p.m.
Use of a Broken or Risky Cryptographic Algorithm
Overview: flowise-components is the Flowiseai components package. Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the process that handles JWT secret assignment. An attacker can gain unauthorized access and impersonate any user, including administrators...
CVSS 5.6 | AI score 5.8 | Exploits 0 | References 2